02-21-17 01:39 PM
58 123
tools
  1. MrEvets's Avatar
    So I had a really big fight trying to find out information on how Android for Work actually works on the Priv and BES12. I thought I would share some of my frustrations and answers to questions that not even Google could answer for me at times.

    Q: Do I have to have a specific version of BES to use AFW?
    A:
    Yes you must be on BES 12.2 or higher to use AFW.

    Q: Is there a BlackBerry article on how to set up AFW?
    A:
    http://support.blackberry.com/kb/art...mber=000037748

    Q: Where do sign up for my Google For Work Domain so we can use AFW?
    A: https://www.google.com/a/signup/?ent...t=ANDROID_WORK no idea why but its hard to find this link!!

    Q: Why do I have to sign my company domain up for a google for Work Domain?
    A: This is like asking do i have to sign up to Google to use Google Drive or Gmail. You have to have a Google account to use their services including AFW. What you are doing by creating an Admin account on Google for you domain is so BES can create users on it to use Google Services using their work email address. Kind of like if you wanted to use Google Drive personally you would have to sign up for the service, if you already have a Google account you just use that address and add the service, if you didn't have a Google account yet you would sign up for one then and then add the service to your account. Having a Google for Work Domain is doing the same thing but for your work email and giving your IT admins access to help you if you forget your password or push out Google apps to you if your company uses Google Apps for Work!

    Q: Simply, how does the process work to setup AFW on a device?
    A: Sign up for a Google Domain using the link above, Get BES server to talk to your Google domain, Make IT policy if you want different for Android, Create an activation policy that includes AFW, Approve apps for installing on Device, install AFW app and BES12 Client App, Activate the Device! ITS JUST THAT SIMPLE LOL

    Q: Can I use AFW if we are hosting our own email system or do we have to have email hosted with Google to use AFW?
    A: You are not required to use any Google service to use AFW, you can use your own internally or externally hosted Exchange server and use it with AFW.

    Q: Will my work email and my personal email show up in the same HUB just like it used to in BB10?
    A: Yes with AFW you will be able to see your work email on the HUB just like in BB10 with the proper setting. You will have to push down an email profile and have it state that it can be shared with the personal side of the device. This requires that you install the HUB application on the work side of the device though or else you will get errors when you click an email.

    Q: Do I need to push down an email profile for AFW to work in the HUB?
    A: No you are not required to push down an email profile for AFW to work in the HUB. If you allow it VIA IT policy the user can add their account manually that they wish to the work side of the device. Settings > Accounts > you will see at the bottom a "Work" profile you can add account under. Any account created under this "Work" section will be removed when you remove the work side of the device from BES. Pushing down a profile will just allow the user to easily setup their work email account by only needing to enter their password.

    Q: How does the Google Play Store work on the work side of the device?
    A: The BES administrator must search for and add approved apps to the BES server and then place them in a Folder that is approved for AFW and assign that to the user. The user will then see only apps that are approved to be installed on the work side of the device.

    Q: What is BlackBerry Secure Connect Plus (BSCP)?
    A: This is an app that is installed on the work side of your device that creates a persistent connection back to the BES12 server. Kind of like what we had on BB10 OS and MDS. This will force all work apps to use this tunnel before going out to the web. If you are not at work , and you install Google Chrome in AFW and you go to myipaddress.com you will notice it will come out as the same IP as the BES server would if it talked to the internet. If you do the same on your personal Google Chrome you will get the IP address from your carrier or the ISP the WiFi is connected to. All traffic will proxy through your BES12 server for all work apps. This allows for custom apps to be installed that need to be inside the work network or VPN to function to now seemlesly work. If there are certain site that are only accessible from inside your work then the AFW browser would allow you to access those sites.

    Q: What kid of licensing do I need to use AFW?
    A: There are two different ways of using AFW, with and withouth BSCP (BlackBerry Secure Connect Plus). If you want the secure connection back to the BES server then you need to use Gold - Flex license, If you want to just use AFW with out BSCP it requires just a simple Silver license.

    Q: Can the work side of my device see the personal side of my device or vice versa?
    A: From what I can tell, No! Testing with ES File Explorer I create a test folder in the "Downloads" root folder on the internal memory from the personal side and the work side could not see it. When I saved a file in the work's "Downloads" folder the personal side could not see it. This is complete separation of church and state so to speak! All data saved on the work side of the device is removed when work side is deleted.

    Q: Can you have the same app installed on the work side of the device as the personal side of the device?
    A: Yes it is possible to have the same app installed twice. For instance I have two version of Google Chrome installed. This allows Apps on the work side to interact with work data and work networks. This also means that you can have BBM for work and for personal!!

    Q: Does AFW cost anything?
    A: AFW is free for any enterprise to use. The only thing that costs money is if you want to use Google Apps for Work which there are costs per user to use their applications like Google Drive, Gmail etc...

    Q: What process does activation require for AFW?
    A: You will need to download AFW app form the Google Play Store. You would then download the BES12 Client. You activate the user by entering their email and BES12 password, after this the AFW setup will take over. It will create an account for the user on the Google service and give them a temporary Google password via email. After this all your IT policy information will be applied to the device. it is quite painless then. If you look in the App Drawer you will now see some apps with briefcases on them.

    Q: If a user has a paid app on the personal side can they install it on the work side for free?
    A: The Google Play for Work is tied to your work email address so if you paid for your app using your personal email address there is no way for Google to know you have already paid for the app. You will need to pay for it again for use on the work side of your device.

    Q: What does the "Divide Productivity" app do?
    A: Divide Productivity is an app from Google that they recently acquired this year, It is just a suite of work apps that give you email, calendar, notes, contacts, etc that are supplied from Google.

    Q: Do I have to install Divide Productivity?
    A: They suggest this app when you need to have a work apps to do all your day to day work stuff. These apps are the same as the built in apps to a native Android OS like Nexus use. So if you are very familiar with those apps and like them then this app would be good for you. If you use the HUB and the built in BlackBerry apps for managing email, contacts, calendar, etc then you do not need to install this app. It is more meant for people that don't have default set of apps.

    Q: None of the Apps I have approved are showing up for the users in Google Play for Work?
    A: Go to http://play.google.com/work log in with your admin account, ook at the Apps for my organization. If you see your apps listed there then they are approved buy might not be provisioned properly on BES to the user. Go to BES12. Check under the "Apps" section that your apps have been added to a folder that is approved for Android for Work (you should see a little briefcase on the folder) They must be under a folder from what I have seen. Check the user to see what apps have been applied to them to ensure the user has access to the apps. I create 2 folders normally once called mandatory AFW Apps and Optional AFW apps this way apps that have to be installed are and they are give the option for there rest!

    Q: After installing Android for Work I cannot seem to open Attachments, is there a reason for this?
    A: The point of Android for Work is to create a separation of personal data and work data. Really what you are doing when you install AFW is creating a brand new blank install of Android with 0 apps installed. So if you can imagine installing Windows and then going to Gmail and trying to open a Word doc you would be faced with the same issue. You will have to install apps on the work side of your device to handle the extensions that you want to open. This is by design! I normally install the BlackBerry apps for Calendar, Notes, Tasks etc

    Q: I am not getting Calendar reminders or task reminders?
    A: You will have to install apps on the work side of your device to handle these work tasks. I normally install the BlackBerry apps for Calendar, Notes, Tasks etc

    If there are any other question you have to help you with deciding if Android for Work is right for you. I will add any good question to this original post as I found it so hard to find someone else that had setup AFW on the Priv.
    Last edited by MrEvets; 02-03-16 at 09:14 PM.
    01-25-16 10:45 AM
  2. zocster's Avatar
    01-25-16 11:09 AM
  3. fritzbocks's Avatar
    Thanks for the really nice write-up. I'm hoping you can expand a little more on the AFW issue, as I am still quite unsure how I am supposed to start the whole process, especially the Google registration.

    Some background information: We have a BES12 installation that is connected to a IBM Domino server via IBM Traveler (ActiveSync protocol). All the connections are local only, we do not expose the ActiveSync/SSL ports to the internet. Currently we're using only BB10 devices, they access their work email through the Blackberry infrastructure (Silver licenses).
    Now we have to connect a PRIV to this setup, with the aim that the user can access his work email just like he did on BB10, preferably in the Hub.
    We do not have any accounts at Google, other than the one created on the PRIV to access the Play store.

    Q: What process does activation require for AFW?
    A: You will need to download AFW app form the Google Play Store or you can force it download by all users in your BES server using Android. You would then download the BES12 Client. You would activate the user by entering their email and BES12 password, after this the AFW setup will take over. It will create an account for the user on the Google service and give them a temporary Google password via email. After this all your IT policy information will be applied to the device. it is quite painless then. If you look in the App Drawer you will now see some apps with briefcases on them.
    I did install the AFW app and the BES12 app and have seemingly successfully activated the device with the BES activation password.
    Unlike in your description though, the AFW client didn't "take over" at any time.
    Under "Assigned profiles" the BES client does show an "Exchange ActiveSync" profile with the proper mail address and username as well as the (internal) mail server address. There is a button "configure mail account" which offers a choice of various account types, of which the two most likely seem to be:
    1. BlackBerry Hub account - automatic configuration fails, manual configuration (Exchange ActiveSync) fails with "server unavailable", which makes kind of sense since as said above we don't expose SSL to the Internet and at the same time there isn't any kind of VPN connection from the Priv to the mail server's local network.
    2. Managed account (red briefcase) - selecting this only shows the message "this account type is managed by your organisation"

    I assume I'm missing the part about creating a "Google for Work domain" for our organisation and then configuring BES12 for that domain, like being described in most other AFW/Priv guides.
    But all I can find at the various Google sites is a 30-day trial for Google Apps for Work.
    Could someone please point me to a site where I can register our organisation for an "Android for Work" or "Google for Work" domain that doesn't incur montly license fees?

    And generally, is it at all possible to achieve the same mail flow with the Priv/Android as with the BB10 devices, i.e. using only the BlackBerry infrastructure between the device and the BES?

    Thanks a lot,
    fb
    02-03-16 11:56 AM
  4. MrEvets's Avatar
    Okay so i will need to add a new FAQ to the list because of this but great questions:

    First you have to be on BES 12.2 or newer to use AFW.

    You will have to first setup your enterprise to use AFW. This requires that you go to Google and sign up for their service at this link https://www.google.com/a/signup/?ent...t=ANDROID_WORK this will ask you a few questions about your company and domain. You will have to go through a process of authenticating that you own the domain. once you have done all the steps they require you can manage your company at admin.google.com using the account you used to set it all up with. This is what is required when BES says"Verify that you have a Google for Work or Google Apps for Work domain" you are creating a Google for Work domain. and remember this is free and $0 cost to do.

    You then have to go through the process on the BES to allow it to talk to your Android for Work domain. you go to Settings > External Integration > Android for Work. You will have to follow all the steps to a T on that page to get your BES12 server to talk to the Google domain for your work. When asked you do want BES to create and delete users for you on Google. If you don't do this you will have to manually create each user each time you want to provision AFW for a device. Its much easier to get BES to do it for you. once this is all done your BES server should be connected to your AFW Domain. You will then have to have a user with an activation profile that allows for "Work and personal - user privacy (Android for Work - Premium)" and you have to have a gold flex license to do this the premium is what gives you the Secure Connect Plus to get you back to your network like it does on BB10 devices. once you have that activation profile on the user you can then provision the device. these steps have to be done and cannot be skipped. and then you will have to assign what ever apps you want to the work side of the device. When you provision the device you have to have Android for Work installed first form the Google Play Store, you install the BES12 client and activate again the BES server as you normally would. BES will create your Google account for you and then send the user an email with your temp google password once the AFW activation takes over you will need that password to activate AFW on the google servers. So its like you are activating twice. once that is done all policies will be pushed down to the device.

    Please ask any questions about if you don't understand anything! Glad to help others where took me weeks of calling to figure out!!
    02-03-16 12:15 PM
  5. fritzbocks's Avatar
    Thank you so much for that ANDROID_WORK link! Like you say, for whatever reason that link was never mentioned in any of the AFW guides I found.
    The remaining steps seem almost child's play now.

    Edit:
    Feeling a little stupid now, but apparently that link is indeed listed in the official documentation in the Overview section (http://support.blackberry.com/kb/art...mber=000037748).
    I must have been blind, or it was added just recently.
    Last edited by zocster; 02-11-16 at 11:20 AM.
    02-03-16 05:04 PM
  6. MrEvets's Avatar
    Is it LOL I never read that DOC
    02-03-16 09:02 PM
  7. MrEvets's Avatar
    That doc was also last modified 3 days ago it's a living document. I was talking to support while doing this saying why is there no a link to the google sign up page for all I know they went and added this after. I'm going to add that link to my FAQ above
    02-03-16 09:07 PM
  8. CNX66's Avatar
    Q: What is BlackBerry Secure Connect Plus (BSCP)?
    A: This is an app that is installed on the work side of your device that creates a persistent connection back to the BES12 server. Kind of like what we had on BB10 OS and MDS. This will force all work apps to use this tunnel before going out to the web. If you are not at work , and you install Google Chrome in AFW and you go to myipaddress.com you will notice it will come out as the same IP as the BES server would if it talked to the internet. If you do the same on your personal Google Chrome you will get the IP address from your carrier or the ISP the WiFi is connected to. All traffic will proxy through your BES12 server for all work apps. This allows for custom apps to be installed that need to be inside the work network or VPN to function to now seemlesly work. If there are certain site that are only accessible from inside your work then the AFW browser would allow you to access those sites.

    Q: What kid of licensing do I need to use AFW?
    A: There are two different ways of using AFW, with and withouth BSCP (BlackBerry Secure Connect Plus). If you want the secure connection back to the BES server then you need to use Gold - Flex license, If you want to just use AFW with out BSCP it requires just a simple Silver license.

    - Thanks for your information!
    - Is this possible on BES12 Cloud or only on-premise?
    02-06-16 05:38 AM
  9. MrEvets's Avatar
    Great question! One that I don't have an answer to. I know the cloud service is on a different development schedule then the stand alone, meaning some times feature exist in the stand alone but not in cloud and some times some features exist in the cloud version but not the stand alone. The only way to know for sure is if someone has a cloud account, if they could look in the settings section for an Android external setup option. If it's there then you can do it. If someone can confirm that then I can updated the FAQ to include that question. There should be no reason why you can't do it it's just a matter of if the cloud has the feature available for admins
    02-06-16 08:56 AM
  10. CNX66's Avatar
    Great question! One that I don't have an answer to. I know the cloud service is on a different development schedule then the stand alone, meaning some times feature exist in the stand alone but not in cloud and some times some features exist in the cloud version but not the stand alone. The only way to know for sure is if someone has a cloud account, if they could look in the settings section for an Android external setup option. If it's there then you can do it. If someone can confirm that then I can updated the FAQ to include that question. There should be no reason why you can't do it it's just a matter of if the cloud has the feature available for admins
    I found i myself; answer is that BES 12 Cloud does not support Blackberry Secure Connection: https://help.blackberry.com/en/bes12...omparison.html
    02-06-16 09:36 AM
  11. Freakster1's Avatar
    First off I have to say this a great thread!

    I do have one question. I am trying to set up an Android for work account and am wondering what it means when asking for a domain name. Im assuming that isn't your email address... I have always used a hotmail email address for my business email for BB10 BES12 Cloud devices but am a bit confused as to what a domain name is to finish setting up my AFW account. Any help would be appreciated.
    02-13-16 02:21 PM
  12. MrEvets's Avatar
    The domain it is asking for is your work email domain. So if your work email address is user@domain1.com then you need to set this as your AFW domain. You will then have to prove you own the domain by adding HTML page to the site or add a record to your DNS . What you are basically doing is telling Google you want to allow (or prevent) users under this domain to use Google services. So if someone at work decides they want to sign up for Google drive with their work account you will be able to manage the user and help them if they forget their password. You are signing up this domain and saying I want to be an admin of any users under this domain that use Google services. This is a must step, you have to allow your domain to use Google services to use AFW. Once you get BES setup it will create users automatically in Google so they can use AFW service. This does not mean you are giving your domain or email to Google in anyway, this scared me also.. It's only to prove you manage the domain so you can manage all users in that domain that use Google services.
    02-13-16 02:31 PM
  13. Freakster1's Avatar
    So if I use a Hotmail email address what would the domain be? (This is under the About your business part of the sign up process)
    hotmail.com?

    Posted via the CrackBerry App for Android
    02-13-16 04:01 PM
  14. MrEvets's Avatar
    To sign up for AFW you can use a different email address then the one for your domain but I would recommend using an email address from your domain that you are setting up. This account will become the admin of your domain on Google services so to use an outside address if that person leaves the company you could be locked out of administrating your services. If you use a email inside your domain and that user leaves then you can always redirect their email to your account to reset the password and get into google services. You can always add more email address that are allowed to administer your admin site for Google Services but you don't have to. Right now we use a generic distrobution email address to administer google services that goes to our whole IT team (3 of us)
    02-13-16 04:22 PM
  15. Freakster1's Avatar
    Ok so lets say my email is xxxx@hotmail.com I can use that for my domain name and as my personal non work email address I can just use a different hotmail email address?
    02-13-16 05:43 PM
  16. Freakster1's Avatar
    Ill be honest here... I am confused... lol
    Using a bb10 phone I just use one email address to send the activation code to, I try to set that email address up on my phone, it then sets up my work side. Easy as that..
    I am one person with two devices I want a work side on. One BB10 and one AFW. The email I have set up on BES12 Cloud is a hotmail one(this is pushed to the phone and used as the work side email). I just want to set up my Priv with a work side with the same email address Im already using on BB10. If you could tell me step by step how to do this I will be a happy camper... lol
    02-13-16 05:51 PM
  17. CNX66's Avatar
    Ok so lets say my email is xxxx@hotmail.com I can use that for my domain name and as my personal non work email address I can just use a different hotmail email address?
    You do need a work domain like company.com or you need the login credentials of the Hotmail.com domain...

    Posted via the CrackBerry App for Android
    02-13-16 05:53 PM
  18. MrEvets's Avatar
    I think I understand his confusion, Android for Work is for corporations only, and for Android devices, not BlackBerry 10 devices AFW is not for personal use, it is designed to separate work and personal! It has to be setup by an administration of your work domain!!
    02-13-16 05:56 PM
  19. CNX66's Avatar
    Ill be honest here... I am confused... lol
    Using a bb10 phone I just use one email address to send the activation code to, I try to set that email address up on my phone, it then sets up my work side. Easy as that..
    I am one person with two devices I want a work side on. One BB10 and one AFW. The email I have set up on BES12 Cloud is a hotmail one(this is pushed to the phone and used as the work side email). I just want to set up my Priv with a work side with the same email address Im already using on BB10. If you could tell me step by step how to do this I will be a happy camper... lol
    You can use the Priv with you Hotmail.com email account MDM regulated without AFW or you need a email account with a domain which you have the credentials from.

    Posted via the CrackBerry App for Android
    02-13-16 05:58 PM
  20. Freakster1's Avatar
    Ok so I actually need to basically rent/buy a domain then use that... Otherwise I cannot get the work side on my Priv to work?
    02-13-16 06:04 PM
  21. Freakster1's Avatar
    You can use the Priv with you Hotmail.com email account MDM regulated without AFW or you need a email account with a domain which you have the credentials from.

    Posted via the CrackBerry App for Android
    Do you mean I can just set the hotmail account up normally? Can I still make it so it still separates work/personal on the phone?
    02-13-16 06:05 PM
  22. MrEvets's Avatar
    Okay let's take one step back here, why are you looking to add a work side to your Priv?
    02-13-16 06:07 PM
  23. Freakster1's Avatar
    I just want to separate everything from personal. I don't want to see my emails/contacts unless I unlock the work side. If I let somebody use my phone I don't want them to be able to access work side information either.
    02-13-16 06:11 PM
  24. MrEvets's Avatar
    Okay so your work email address, are you the IT admin for work? Or are you just a worker and you want to add your work email address to your personal phone?
    02-13-16 06:13 PM
  25. Freakster1's Avatar
    I am the admin. I have a Cloud account and two licenses to use for myself. Like a 1 man show. I just like to have my work info locked until I need it.

    Posted via the CrackBerry App for Android
    02-13-16 06:36 PM
58 123

Similar Threads

  1. If Android is a surveillance tool for Google, and governments, why do BlackBerry users want it?
    By CrackBerry Question in forum General BlackBerry Discussion
    Replies: 190
    Last Post: 05-18-16, 11:20 AM
  2. Android apps on Z30 better than Z10?
    By vjvj in forum BlackBerry Z30
    Replies: 5
    Last Post: 01-27-16, 11:29 AM
  3. I loved my Blackberry Travel app and now I have switched over to PRIV.
    By CrackBerry Question in forum Ask a Question
    Replies: 8
    Last Post: 01-27-16, 07:53 AM
  4. Will Z30 Sprint not-unlocked will work well in Korea?
    By CrackBerry Question in forum BlackBerry Z30
    Replies: 9
    Last Post: 01-25-16, 10:08 PM
LINK TO POST COPIED TO CLIPBOARD