Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Enrolling Devices
  3. iOS

Category filter

Google Workspace Enrollment for iOS Devices

Jump To

Seamlessly assign iOS devices to corporate identities by integrating Hexnode UEM with Google Workspace (formerly G Suite). This guide outlines the configuration process using Google Service Accounts to synchronize users and enforce authenticated enrollment for iOS fleets, ensuring a secure and streamlined onboarding experience.

Prerequisites

Before starting the integration, ensure you have the following:

  • Google Workspace Account: An active account with administrator privileges.
  • Hexnode UEM Portal: Access to the admin console.
  • Google Cloud Console Access: Ability to create projects and service accounts.

Step-by-Step Configuration Guide

Phase 1: Configure Google Workspace

This phase involves creating a service account in Google Cloud and granting it the necessary permissions to communicate with Hexnode.

Step 1.1: Create a Service Account

  1. Log in to the Google Cloud Console using your Google Workspace admin credentials.
  2. Click on the project dropdown (top left) and select New Project.
    • Project Name: Enter a recognizable name (e.g., Hexnode-MDM-Integration).
    • Click Create.
  3. Navigate to APIs & Services > Credentials from the left sidebar.
  4. Click + CREATE CREDENTIALS and select Service account.
  5. Fill in the details:
    • Service account name: e.g., hexnode-service-account.
    • Service account ID: Auto-generated.
    • Description: “Service account for Hexnode UEM integration.”
  6. Click Create and Continue.
  7. (Optional) Grant access to the project: Select Service Accounts > Service Account Admin. Click Continue and then Done.
  8. Click on the newly created service account email address to edit it.
  9. Go to the Keys tab.
  10. Click Add Key > Create new key.
  11. Select JSON as the key type and click Create.

    Note:


    A JSON file will automatically download to your computer. Keep this file safe; it is required for Step 2.

Step 1.2: Enable Admin SDK API

  1. In the Google Cloud Console, go to APIs & Services > Enabled APIs & services.
  2. Click + ENABLE APIS AND SERVICES.
  3. Search for “Admin SDK API”.
  4. Select it and click Enable.

Step 1.3: Manage API Client Access (Domain-Wide Delegation)

  1. Log in to the Google Admin Console.
  2. Navigate to Security > Access and data control > API controls.
  3. Under Domain Wide Delegation, click Manage Domain Wide Delegation.
  4. Click Add new.
  5. Client ID: Open the JSON file downloaded in Step 1.1 and copy the client_id value. Paste it here.
  6. OAuth Scopes: Copy and paste the following scopes (comma-separated) into the field.
    7. Scope URL Description Status
    https://www.googleapis.com/auth/admin.directory.user Allows Hexnode to sync individual users. Mandatory
    https://www.googleapis.com/auth/admin.directory.group Allows Hexnode to sync user groups. Mandatory
    https://www.googleapis.com/auth/admin.directory.domain Allow Hexnode to fetch domain information. Mandatory
  7. Click Authorize.

Phase 2: Integrate with Hexnode UEM Server

Connect your Hexnode portal to the configured Google Workspace account.

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Admin > Google Workspace.
  3. Enter the Google Workspace Admin Email (the email address of the Super Admin used to create the service account).
  4. Google Workspace Key: Upload the JSON file downloaded in Phase 1.
  5. EMM Token: In the Google Admin Console, go to Security > Manage EMM provider for Android. Generate the Token and paste it into the Hexnode portal.
  6. Click Next.
  7. Configure the synchronization settings:
    8. Setting Description
    Sync across all domains If checked, users/groups from all domains are synced.
    Choose Domain(s) Allows manual selection of specific domains to sync.
    Scheduled Scan Set a frequency (Daily/Weekly) for auto-sync.
  8. Click Save.

Phase 3: Enroll iOS Devices

Once integrated, you can enroll devices using Google Workspace authentication.

  1. Navigate to Enroll > Platform-Specific > iOS > Email/SMS.
  2. Switch the authentication mode to Authenticated Enrollment.
  3. Enrollment Category:
    • Enrollment Request: Select Google User. Hexnode will send an automated email or SMS containing the server address and detailed enrollment instructions.
    • Self Enrollment: Select Google User. No automated request is sent; users proceed using their dedicated credentials.
  4. Modify the device Ownership (Corporate or Personal) if required.
  5. Click Next.

If you opted for Enrollment Request, complete these additional steps:

  • Select the delivery medium: Email or SMS.
  • Change the Domain setting from Local to your specific Google Workspace domain.
  • Select the target users from the list and click Save.

Phase 4: On-Device Enrollment Process (User Actions)

  1. Access Portal: Open Safari and go to https://portalname.hexnodemdm.com/enroll/.
  2. Agreement: Enable the checkbox for Terms and Conditions and click Enroll.
  3. Authentication: Click Authenticate with Google and enter Google Workspace credentials.
  4. Profile Download: Allow the configuration profile to download.
  5. Installation:
    • iOS 15+: Settings > General > VPN & Device Management.
    • Below iOS 15: Settings > General > Profile.
  6. Trust: Click Install, then click Trust for Remote Management.
  7. Hexnode App: Once “Done” is clicked, the Hexnode UEM app will install. Open it and Allow permissions for Location and Notifications.

Troubleshooting

  1. Error: “Invalid Input” during Workspace Configuration

    Possible Cause: This could happen if any of the steps went wrong while configuring Google Workspace.

    Solution: Go through the steps and ensure that the below-mentioned ones are carried out properly.

    • JSON Key Verification: The JSON file must be downloaded from the corresponding Service account in the Google Developers Console.
    • Role Configuration: Ensure that Service Account Admin is chosen as the Service Account role.
    • Domain-Wide Delegation: The Enable Google Workspace Domain-wide Delegation option under the created Service Account must be checked.
    • API Activation: Ensure that APIs and services (such as the Admin SDK) are enabled.
    • Client Authorization: In the Google Admin Console, ensure that API clients are correctly authorized to facilitate the syncing of users and user groups.

    While integrating with the Hexnode console:

    • Ensure that the Google Workspace account’s Admin email is provided.
    • A proper Domain name is provided.
    • The correct JSON file is uploaded.
    • The correct Token is provided.
    • Once these details are provided, the integration will be completed automatically.
  2. Error: “Failed Sync” shown after configuration

    Possible Causes: User and/or group scope was not provided during the initial setup.

    Solution: Ensure User and group scopes are added before configuring Google Workspace. If the scope to sync groups is not provided, the table displays “Sync failed” after configuration. This sync failure does not necessarily mean users are not synced, but indicates that groups could not be successfully synchronized.

  3. Error: “Google Workspace could not be configured, ensure that necessary OAuth scopes are provided”

    Possible Causes:

    • Any of the OAuth scopes are missing while configuring Google Workspace.
    • Admin SDK is not enabled.

    Solution: Ensure the necessary scopes are added correctly under the SHOW DOMAIN-WIDE DELEGATION dropdown menu in the Google Admin account:

    If the issue persists after adding the correct OAuth scopes, verify if the Admin SDK is enabled for the corresponding account:

    1. Sign in to the Google Admin Account.
    2. Navigate to Security > API reference.
    3. Check the Enable API access option.
    4. Press Save.

Frequently Asked Questions (FAQs)

  1. Why does the error “Google Workspace domain names could not be retrieved” appear?

    This typically happens if the Domain Scope (https://www.googleapis.com/auth/admin.directory.domain) is missing from the API Client Access settings in the Google Admin Console. Ensure all three scopes listed in Table 1 are added correctly.

  2. Can multiple domains be synced?

    Yes. In the Hexnode integration settings, the “Sync across all domains” option can be selected to automatically include sub-domains or secondary domains associated with the Google Workspace account.

  3. Is the JSON key file important?

    Yes, the JSON key file contains the private key credentials for the service account. If lost, you cannot recover it; you must generate a new key in the Google Cloud Console and re-upload it to Hexnode.

  4. Does this method support Two-Factor Authentication (2FA)?

    Yes, since the user authenticates directly through Google’s login page during enrollment, any 2FA policies enforced by Google Workspace will be active.

Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Enrolling Devices
Managing iOS Devices