With the recent security announcement from Google coming in the form of auto-enabling MDM management (link here) to on as default in the G Suite for Work admin console, however having turned on the full iOS MDM management in testing it soon became apparent for mobile devices that are already managed via another MDM, i.e. jamf Pro that this didn’t play ball as you can’t have two MDM profiles managing one device.

So another facility that was available by Google was the ability to manage iOS devices without pushing an MDM profile to the device itself, link here, this provides basic capabilities such as passcode enforcement, view device information and the ability to wipe the account only from devices.

On a side note that devices that use this method are auto approved when set to “Basic” level rather than an admin having to approve the device in the admin console.

With that being said here’s what we did…

  1. Made a separate Google OU called “jamf Pro – iOS MDM Users”
    Screen Shot 2018-04-08 at 22.53.58 copyScreen Shot 2018-04-08 at 22.53.58 copy
  2. Then head to Device Management > Setup > Mobile Management
    Screen Shot 2018-04-08 at 22.56.38Screen Shot 2018-04-08 at 22.56.38
    Screen Shot 2018-04-08 at 22.57.18Screen Shot 2018-04-08 at 22.57.18
    Screen Shot 2018-04-08 at 22.58.08Screen Shot 2018-04-08 at 22.58.08
  3. Set the iOS Management to “Advanced” in your root level OU (or where all your users are located), then hit Save.
    Screen Shot 2018-04-08 at 22.59.34 copyScreen Shot 2018-04-08 at 22.59.34 copy
  4. Then in the new OU you created earlier set the iOS Management to “Basic” then hit Save.
    Screen Shot 2018-04-08 at 23.01.55 copyScreen Shot 2018-04-08 at 23.01.55 copy
  5. Now, move any users that have an iOS device that is managed with jamf Pro to the new “jamf Pro – iOS MDM Users” Google OU.
    Screen Shot 2018-04-08 at 23.05.00 copyScreen Shot 2018-04-08 at 23.05.00 copy

This now means the user will have the iOS Sync enforced when downloading or signing into any Google iOS Apps, i.e. Docs, Sheets, Drive etc… but the Google Administrator retains the ability to wipe this account from the device, and leaving any further device administration, such as Remote Wipe, Lock Device, iCloud Bypass etc in the control of the MDM, i.e. jamf Pro, and both work cohesively together.

Screen Shot 2018-04-08 at 23.05.00 copyScreen Shot 2018-04-08 at 23.05.00 copy
Screen Shot 2018-04-08 at 23.10.41 copyScreen Shot 2018-04-08 at 23.10.41 copy

Bare in mind this only applies to users that are placed inside the OU you created, any users that are not in this OU would get the full iOS MDM management whether they sign into their account from a personal or non-personal device, and would require an MDM profile installing on the device and approving within the Google Admin console.

Let me know how you get on in the comments below.

Stay secure!

Sachin