By downloading an XML file from Umbrella and adding this file to your MDM system, your MDM system is able to push configuration information to both Cisco Secure Client and Umbrella so that your Android device is registered with Umbrella. The result is that your Android device is protected by Umbrella.

For information about configuring your specific MDM system, see your MDM system’s documentation.

Prerequisites

• An Android Enterprise compatible device deployment. The legacy Device Admin (DA) system is not supported at this time
• Android mobile devices running Android OS version 6.0.1 and above. Devices examples are Samsung, Google, and Motorola. FireOS devices and other Android forks are not supported.
• An MDM for deploying the software. The following MDMs have been tested, and you should be able to use any MDM:
  • MobileIron
  • Meraki
  • VMWare WorkspaceOne (Airwatch)
  • Microsoft InTune
  • Samsung Knox
  • Google Admin Console (Google Workspace)
• Access to an Umbrella subscription including mobile device coverage
• A network meeting access requirements
  • Access over UDP 53 and UDP 443 to 208.67.222.222 from the device.
• For on-network scenarios, Trusted Network Detection (TND) may also be used to disable the client on network and pass traffic to a Virtual Appliance. The following prerequisites apply:
  • All VAs in use are defined by FQDN (IPs entered will not allow the client to go into trusted network mode) in the umbrella_va_fqdns configuration property.
    • The format for this field is comma separated, for example, (va1.domain.com, va2.domain.com)
  • VAs must be registered to the same Umbrella organization as the Android devices
  • HTTPS mode for user events enabled on the Virtual Appliance
    • If the VA’s FQDN is not publicly signed, the self-signed root certificate for the VA domain used for HTTPS mode on the VA must also be pushed to the Android device to sign the connection.
    • VA certificates should contain Subject Alternate Name (SAN) matching the VA’s configured domain to successfully communicate with the VA over HTTPS mode
    • For more information on how to configure HTTPS mode on the VA, see Umbrella Virtual Appliance: Receiving User-IP mappings Over a Secure Channel.

Procedure

1. In the Umbrella dashboard, navigate to Deployments > Core Identities > Mobile Devices and click Manage.

2. In the Managed Mobile Clients modal, click Android.

3. Click Android Config.

This file contains details that is required to enable Umbrella security on your Android device. For example, it includes the organization ID and unique registration token associated with your Umbrella organization.
{"organizationInfo":{"Value":{"organizationID":<orgid>,"regToken":"<reg token>"}}}
Only one administrator is required to download the config file.

4. Save the file securely; you will use it in deploying your mobile device manager (MDM).
   Follow the link matching your MDM:
   Cisco Meraki MDM
   MobileIron MDM
   VMware Workspace ONE
   Microsoft Intune MDM
   Samsung Knox MDM

Fail Close/Open Scenario

In Mobile Device Settings, select either of the options available for iOS and Android devices:

• Fail-Open
• Fail-Close
  To adjust the notifications on the device, select one of the user notifications on the device.

Note: The Mobile Device Settings are the only settings applicable for Android devices under the Umbrella Security Settings.

In case of internal errors, such as the Umbrella Resolver is not reachable or the DNSCrypt Certificate is not available, the Umbrella UI displays the following:

Deploy the Android Client < Android Configuration Download > Cisco Meraki MDM