Installation

All references to Device Guardian within this guide also apply to Device Guardian Access Management, unless explicitly stated otherwise.

Overview

Device Guardian (DG) and Device Guardian Access Management (DGAM) are cloud-based solutions that consist of:

• A cloud-based server, hosted and managed by Zebra
• Client software designed for Zebra Android devices

DGAM enhances DG’s core capabilities by introducing additional features such as kiosk management and local device monitoring.

To enable communication between devices and the server, the client app must be installed and devices must be enrolled with the server. This setup is required for enabling device tracking and functionality. For installation guidance, refer to the section specific to your Enterprise Mobility Management (EMM) platform.

---

Requirements

Management System Requirements

• Enterprise Mobility Management (EMM) System: Configuration requires an EMM that supports Managed Configurations (also known as Managed App Configurations), such as Zebra DNA Cloud, Microsoft Intune, SOTI MobiControl, Workspace ONE UEM, or 42Gears SureMDM.

Device Requirements

• Supported Devices - Refer to the Zebra support portal for compatible hardware for both devices and kiosks (DGAM-specific).
  Important: The WS50, as a non-GMS device, does not support:
  • Map-based Locationing (due to the lack of Location Services API support)
  • Tracking of Bluetooth Scanner Accessories
• Operating System - Refer to the Zebra support portal for compatible Android versions and LifeGuard updates for both devices and kiosks (DGAM-specific).
• Bluetooth and Location Services - Must be enabled for device tracking. For kiosks, only Bluetooth is required.
• Wi-Fi - Devices and kiosks must connect to a Wi-Fi network with cloud server access.
• Mobility DNA Enterprise License - Required for Zebra Professional-series devices with Android 15 or higher when using the Virtual Tethering feature, which provides proximity warnings for paired Bluetooth scanners from their host devices.
• Enrollment via XML or Barcode: Enrolling devices to DG/DGAM using an XML file or StageNow barcode requires specific Android versions and minimum LifeGuard (LG) Updates. These requirements vary by the device's platform; see Zebra Device Platform to identify the platform for the device model. The minimum supportede BSP for each platform is available for download from the Zebra support portal:

  Android Version	Device Platform	Minimum LifeGuard Update
  Android 11	SD660	July 2025 LG
  Android 13	QC6490	August 2025 LG
  	QC4490	August 2025 LG
  	SM6375	August 2025 LG
  Android 14	QC4490	October 2025 LG
  	QC6490	October 2025 LG
  	SM6375	October 2025 LG
  	SD660	August 2025 LG

• Optional: Secondary BLE allows a device to be located even if it loses battery power or is powered off. This feature is available on select hardware with secondary BLE capability; see compatible hardware. Refer to the Secondary BLE Configuration guide for setup instructions.

Permissions

This section applies to DGAM Only.

DGAM requires the following permissions to be granted for both kiosks and devices:

• Camera Permission - Required to scan the registration QR code, essential for registering the device with a kiosk.
• Location Permission - Enables location-based services and GPS-related functionalities.
• Music and Audio Permission - Allows the app to play or manage audio, such as alarms or sound notifications.
• Notifications Permission - Allows the application to send important updates or alerts to the user.
• Files and Media Permission - Specific to Android 11, required to read or write to device storage, adhering to Android 11’s scoped storage policies.

---

Network Requirements

To ensure seamless communication between the client app and cloud server, the following network configurations are required:

• Open HTTPS Port - Port 443 is typically used for HTTPS communication. Ensure this port is open, though it may vary based on network configurations.
• Web Portal Access - Allow the web portal URL (supplied by Zebra during onboarding) through the firewall or proxy for administrators and managers to access the dashboard.
• Email Addresses:
  • Emails are sent from zdtrksupport@zebra.com for reporting or password resets.
  • Emails are sent from NPDVIQFNoReply@zebra.com for email notifications.
• Firewall/Proxy Allowlist - Ensure the following domain names are allowed for web portal access and communication between the device client app and the cloud server.

If wildcards are supported:

• connectivitycheck.gstatic.com
• *.googleapis.com
• *.firebaseio.com
• *.cloudfunctions.net
• *.swengagement.zebra.com
• [ProjectID].firebaseapp.com ¹
• [Web portal URL] (supplied by Zebra during onboarding)

If wildcards are not supported, add these specific domains:

• connectivitycheck.gstatic.com
• www.googleapis.com
• firestore.googleapis.com
• firebasestorage.googleapis.com
• cloudfunctions.googleapis.com
• content.swengagement.zebra.com
• data.swengagement.zebra.com
• us-central1-[ProjectID].cloudfunctions.net ¹
• [ProjectID].firebaseio.com ¹
• [ProjectID]-default-rtdb.firebaseio.com ¹
• *.firebaseio.com ²
• [ProjectID].firebaseapp.com
• [Web portal URL] (supplied by Zebra during onboarding)

¹[ProjectID] is included in the welcome email sent by Zebra services during the onboarding process.

² For the Device Guardian client to communicate with the Cloud, *.firebaseio.com must be accessible. It is required to allow this URL in your Firewall or Proxy settings. If your Firewall or Proxy policy does not support wildcard entries, follow these steps to obtain the specific URL:

1. Open the link in your browser ([ProjectID] is provided during onboarding): https://[ProjectID]-default-rtdb.firebaseio.com/.settings/owner.json
2. Copy the URL displayed on the web page and add it to your firewall or proxy settings.
3. Important Note: Repeat steps 1 and 2 periodically, as Google's server resource allocation may cause the URL to change.

---

Web Portal Requirements

The web portal URL (supplied by Zebra during onboarding) is accessible via the following supported browsers:

• Chrome
• Edge
• Safari (v14.0 and later)

First-time use: Administrators must set their password by clicking Forgot Your Password on the login page and entering the registered email address. An email with a reset link will be sent.

If using single sign-on (SSO), see SSO for procedures on configuring SSO.

---

Licenses

End-user licenses are required for Device Guardian and Device Guardian Access Management to operate. Ensure the appropriate licenses are procured:

• Device Guardian License: Required for basic functionality.
• Device Guardian Access Management License: Required for advanced features like kiosk integration.

---

Installation & Setup

Setting up Device Guardian (DG) and Device Guardian Access Management (DGAM) involves ensuring all prerequisites are met, installing the required components, and configuring devices. Make sure to review the Requirements section and refer to the Installation Notes section for important information.

For a comprehensive guide on deployment and management of Device Guardian (DG) and Device Guardian Access Management (DGAM), refer to the Administrator Guide.

---

Installation Notes

• Important for Android 11: For Android 11 devices, Device Guardian must be launched after installation to apply the configurations.
• Google Play Services update - During an update, the Android system automatically stops Device Guardian. After the update is complete, relaunch the Device Guardian app or reboot the device to resume device tracking.
• Config Service Notification - When configuring Device Guardian client for the first time, a notification appears indicating the Config Service is running. This notification disappears following a subsequent device reboot.
• Compatibility with Device Tracker - The Device Guardian server is backward compatible with Device Tracker client apps. However, the Device Tracker client app cannot be upgraded to the Device Guardian client app; a new installation of the Device Guardian client is required.
• Application Installation - Zebra Android devices include pre-installed "stubs" of Identity Guardian and Device Guardian applications. For full functionality, these stubs must be upgraded by installing the full applications from one of the following sources:
  • Managed Google Play
  • Zebra support portal
    • Device Guardian download
    • Identity Guardian download

---

Using ZDNA Cloud

Follow these steps to install Device Guardian via Managed Configurations with ZDNA Cloud and apply a policy that enrolls the device with the Device Guardian cloud server.

Part I: Enroll Device to ZDNA

Create and apply the StageNow barcode for device enrollment in ZDNA Cloud:

1. Log in to ZDNA web portal. In the left menu, click New Device Setup.
2. From the top-right, click Set Up Device.
3. Configure the device for enrollment. Enter the appropriate internet settings, then click Next.
4. Optionally, select the service for device enrollment. Click Next.
5. Enter the properties and select the barcode type. Click Next.
6. Review the information and click Next.
7. The barcode is created. Click Done.
8. The new setup is listed. Click View Barcode.
9. For new enrollments, factory reset the device. Open StageNow and scan the barcode.
10. After staging is complete, in ZDNA Cloud, click on My Devices and verify that the the enrolled device is listed.
11. Allocate the license for the enrolled device. Click Licensing from the left menu. Under DNA CLoud License, click Allocate.
12. Select the target device(s) to allocate the license to and click Allocate.

Part II: Install DG/DGAM

Install DG/DGAM:

1. In Zebra DNA Cloud, go to My Apps and click on My Collection tab. Click Add App.
2. Enter the server URL where the DG/DGAM .apk is hosted. Click Upload.
3. From the table, expand Device Guardian. Locate the app version uploaaded and click Setup.
4. Click Next.
5. Select No, then click Next.
6. Enter a name and description (optional) for the installation setup. Click Next.
7. Click Apply Now.
8. Select the target devices, then click Apply.

Part III: Enroll Device to DG/DGAM

Choose one of these methods to enroll devices in DG/DGAM:

• Option 1: StageNow Barcode: Enroll device with the scan of a barcode using StageNow.
• Option 2: XML File Use Microsoft Intune to deploy XML settings.
• Option 3: Managed .Config File: Deploy settings through Intune's Managed Configuration framework.

Option 1: StageNow Barcode

Use this method to enroll a device with the DG/DGAM server by scanning a barcode.

1. Download the device enrollment barcode .pdf file from the Download Kit.
2. Launch the StageNow client on the device.
3. Scan the barcode.
4. If applicable, repeat these steps for the following:
   • Kiosk - Use the enrollment barcode for kiosk
   • Device Tracker - For devices with Device Tracker, use the Device Tracker enrollment barcode for device. Repeat this for Kiosks if needed.

Option 2: XML File

Use this method to deploy the enrollment settings via XML (with OEMConfig) through ZDNA Cloud. This enrolls the device with the DG/DGAM server.

1. Download the XML Configuration for Device .xml file from the Download Kit.
2. In the ZDNA Cloud console, navigate to Device Settings and click Create New Setting (Advanced).
3. Under Mobility Extensions (Mx), select System Configuration. Enable Pass Through Command. Copy the contents of the downloaded device .xml file and paste it into the command field, then click Next.
4. If desired, enter the a description for the setting, then click Next.
5. Click Apply Now.
6. Select the target device(s) to deploy the settings to, then click Apply.
7. Create separate settings for any additional components. If applicable, repeat steps 1 to 6 to create new, separate settings for the following files from the Download Kit:
   • XML Configuration for Kiosk - For standard kiosk enrollment.
   • Device Tracker XML Configuration for Device - For transitioning devices from a previous Device Tracker installation.
   • Device Tracker XML Configuration for Kiosk - For transitioning kiosks from a previous Device Tracker installation.

Option 3: Managed .Config File

Use this method to deploy the enrollment settings via Managed Configurations in ZDNA Cloud. This enrolls the device with the DG/DGAM server.

Create and apply a Device Guardian Managed Configurations policy, which installs Device Guardian on the device and enrolls it in the Device Guardian server:

1. Download the .config file from the Download Kit. Its contents is required for a later step.
2. In the ZDNA Cloud web portal, click My Apps.
   • If adding Device Guardian for the first time, click Add App.
   • If a new Device Guardian app version is needed, click Add Version.
3. Select the appropriate hosting location, provide the details, and click Upload.
4. The application version is added. Click Setup.
5. Click Next.
6. Click Yes to configure the app.
7. Select or enter the required Device Guardian Managed Configurations; for information on these settings, see Managed Configurations. If using the Managed Configuration method, ensure the following Server Connectivity settings are configured before clicking Next:
   • Server Connectivity Settings: [Copy and paste the content from the Managed Configurations .config file from Part II (Method 2).]
8. Enter a description for the setup and click Next.
9. Review the settings and click Apply Now.
10. Select the target device(s). Click Apply.
11. The device(s) is listed under the App Setup tab with the status of applying the configuration. Once complete, "Success" is displayed as the status.

Part IV: Send Intents (Android 11 Only)

For Android 11 devices, intents must be sent to grant the necessary permissions and start Device Guardian, allowing the configurations to be applied:

1. Download the DeviceGuardian.xml file, which will be needed in a later step.
2. In the ZDNA Cloud web portal, go to Device Settings. Click New Setting, then Create New Setting (Advanced).
3. Select System Configuration. Enable Pass-Through Command and paste the content from DeviceGuardian.xml into the text field. Click Next.
4. Enter a Device Settings Name and Description, if needed, then click Next.
5. Review the configuration settings. Click Apply Now.
6. Select the target device(s) to apply the configuration. Click Apply.

Part V: Install & Configure Identity Guardian (DGAM Only)

Identity Guardian is required for user authentication when using DGAM. When adding device users via Bulk Upload, follow these steps.

1. Create an App Setup Profile for Identity Guardian.
2. Select Yes when prompted to Configure App.
3. In the Usage Mode section, Select AUTHENTICATION.
4. In the Authentication Configuration section, select the following:
   • Comparison Source: CLOUD
   • Primary Authentication Factor: CLOUD_PASSCODE
   • Fallback Authentication Method: ADMIN BYBASS PASSCODE
   • Select the remaining options as desired.
5. Deploy the Profile to the target device(s).

After deployment, the device user experiences the following screen progression when logging in:

Identity Guardian login process

Part VI: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

---

Using Microsoft Intune

Follow these steps to use Microsoft Intune to install Device Guardian from the Google Play Store and apply a policy that enrolls the device with the Device Guardian server.

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

Part I: Enroll Device in Intune

Enroll the device in Microsoft Intune using the standard EMM procedure.

Part II: Install DG/DGAM

Install DG/DGAM via Google Play:

1. In the Microsoft Intune web console, in Apps click Android.
2. Click Create.
3. From the dropdown, select Managed Google Play app, then click Select.
4. Search for the Device Guardian app and click on it.
5. Click Select, then click Sync.
6. The Device Guardian app is added to the Play Store. Click on the app in the list.
7. Click on Properties and Edit near the Assignments section.
8. Under the Required section, click Add group.
9. Choose the group to install the app and click Select.
10. Update the priority. Click Default under the Update Priority column.
11. For the Update Priority dropdown, select High Priority. Click OK.
12. The group is added with the updated priority. Click Review + save.
13. Click Save. The app is installed in the devices.

Part III: Enroll Device in DG/DGAM

Choose one of the following methods to enroll devices in DG/DGAM:

• Option 1: StageNow Barcode: Enroll device with the scan of a barcode using StageNow.
• Option 2: XML File Use Microsoft Intune to deploy XML settings.
• Option 3: Managed .Config File: Deploy settings through Intune's Managed Configuration framework.

Option 1: StageNow Barcode

Use this method to enroll a device with the DG/DGAM server by scanning a barcode.

1. Download the device enrollment barcode .pdf file from the Download Kit.
2. Launch the StageNow client on the device.
3. Scan the barcode.
4. If applicable, repeat these steps for the following:
   • Kiosk - Use the enrollment barcode for kiosk
   • Device Tracker - For devices with Device Tracker, use the Device Tracker enrollment barcode for device. Repeat this for Kiosks if needed.

Option 2: XML File

Use this method to deploy the enrollment settings via XML (with OEMConfig) through Microsoft Intune. This enrolls the device with the DG/DGAM server.

1. Download the XML Configuration for Device file from the Download Kit. The contents of this file is needed in a later step.
2. In Microsoft Intune, navigate to Devices > Configuration. Click Create > New Policy.
3. Under Create a profile, configure the following and click Create:
   • Platform: Android Enterprise
   • Profile type: Templates
   • Template name: OEMConfig
4. Perform the following, then click Next:
   • Name: [Enter a name]
   • Description: [(Optional) Enter a description]
   • Select an OEMConfig app: [Select "Zebra OEMConfig Powered by..." then click Select]
5. Click Configure next to System Configuration.
6. Copy the contents from the .xml file downloaded earlier. Paste the copied text into the Pass-Through Command field. Click Next.
7. Click Next.
8. Under Included Groups, click Add Groups.
9. Search for the group to assign the profile. When found, choose the group and click Select.
10. Click Next.
11. Review the values and click Create.
12. When successful, a message appears showing the status and the profile is applied to the devices in the group.

Different Enrollment Scenarios: To enroll kiosks or transition devices from a previous installation, create a separate profile for each case. Use the corresponding .xml file from the Download Kit:

• For Kiosk Enrollment: Use XML Configuration for Kiosk.
• For Device Tracker Transition (Device): Use Device Tracker XML Configuration for Device.
• For Device Tracker Transition (Kiosk): Use Device Tracker XML Configuration for Kiosk.

Option 3: Managed .Config File

Use this method to deploy the enrollment settings via Managed Configurations in Microsoft Intune. This enrolls the device with the DG/DGAM server.

1. Download the .config file from the Download Kit. This .config file containing the Managed Configuration settings is required for a later step.
2. In Microsoft Intune, create a profile to enroll the device to Device Guardian. From the left menu, click Apps > Configuration. Click Create and select Managed devices.
3. Enter or select the following, then click OK.
   • Name: [Enter a name for the policy]
   • Platform: Android Enterprise
   • Profile Type: Fully Manged, Dedicated, and Corporate-Owned Work Profile Only
   • Targeted App: Device Guardian
4. Click Save.
5. In the Settings screen, for Configuration settings format select Use configuration designer. Click Next.
6. Select all the configuration keys and click OK.
7. If using the Managed Configuration method from Part II (Method 2), copy and paste the content from the Managed Configurations .config file into Server Connectivity Settings. Click Next.
8. Under Included groups, click Add groups.
9. Choose the group to apply the policy and click Select.
10. Click Next.
11. Review the configuration and click Create. Device Guardian is enrolled to the server.

Part IV: Send Intent (Android 11 Only)

For Android 11 devices, an intent must be sent to start Device Guardian, allowing the configurations to be applied:

1. In the Microsoft Intune web console, go to Apps and select Android.

2. Click Create.

3. For App type, select Managed Google Play app and click Select.

4. Search for Zebra OEMConfig app, then click on the app.

5. Click Select, then click Sync.

6. The Zebra OEMConfig app is added to the app list. Select the app.

7. Click Properties.

8. By Assignments, click Edit.

9. Under the Required section, click Add group.

10. Choose the required device group, then click Select.

11. The group is added. To enable automatic app installation, update the priority by setting it to high. Under Update Priority, click Default.

12. For Update Priority, select High Priority. Then, click OK.

13. Check that the device group is added to the list, then click Review and Save.

14. Click Save. The OEMConfig app gets installed to the assigned device group.

15. Configure the Device Guardian app to get enrolled to the server. Go to Devices and select Android.

16. Under Managed Devices, click Configuration. Click Create > New Policy.

17. Select the following and click Create: - Platform: Android Enterprise - Profile Type: OEMConfig

18. Enter a name, click Select an OEMConfig app and select Zebra OEMConfig Powered by MX. Click Select. When the app is added, click Next.

19. In Configuration settings, scroll down and select System Configuration.

20. Copy and paste the following text into the Pass-Through Command field, then click Next:

    <wap-provisioningdoc>
        <characteristic version="9.2" type="Intent">
            <parm name="Action" value="StartActivity"/>
            <parm name="ActionName" value="android.intent.action.MAIN"/>
            <parm name="Type" value="explicit"/>
            <parm name="Package" value="com.zebra.mdna.dg"/>
            <parm name="Class" value="com.zebra.mdna.dg.SplashActivity"/>
        </characteristic>
    </wap-provisioningdoc>
    

    

21. Click Next.

22. Under Included groups, click Add groups to assign the configurations to the devices.

23. Choose the device group and click Select.

24. The group is added. Click Next.

25. Review the changes and click Create. This launches Device Guardian, allowing the app configurations to be applied.

Part V: Install & Configure Identity Guardian (DGAM Only)

Identity Guardian is required for user authentication when using DGAM. When adding device users via Bulk Upload, follow these steps.

1. Create an App Setup Profile for Identity Guardian.
2. Select Yes when prompted to Configure App.
3. In the Usage Mode section, Select AUTHENTICATION.
4. In the Authentication Configuration section, select the following:
   • Comparison Source: CLOUD
   • Primary Authentication Factor: CLOUD_PASSCODE
   • Fallback Authentication Method: ADMIN BYBASS PASSCODE
   • Select the remaining options as desired.
5. Deploy the Profile to the target device(s).

After deployment, the device user experiences the following screen progression when logging in:

Identity Guardian login process

Part VI: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

---

Using SOTI MobiControl

Follow these steps to use SOTI MobiControl to install DG/DGAM and apply a policy that enrolls the device with the DG/DGAM server.

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

Part I: Enroll Device in MobiControl

Enroll the device in SOTI MobiControl using the standard EMM procedure.

Part II: Install DG/DGAM

Choose one of the following installation methods:

• Option A: Google Play
• Option B: Managed Config through EMM

Option A: Google Play

Use this procedure to install DG/DGAM through Google Play.

1. In the SOTI MobiControl web console, go to Apps > Policies. Click New App Policy.
2. Select Android Enterprise.
3. Enter an App Policy Name, then click the Apps tab.
4. Click +.
5. Select the following, then search for the Device Guardian app.
   • App Source: Managed Google Play
   • Select: Zebra Technologies
6. Click on the Device Guardian app.
7. Click Save and Assign.
8. When successful, a status message appears.
9. Select the device group of the target device. Click Assign.
10. When successful, a status message appears indicating the policy is assigned for app installation.

Option B: Managed Config through EMM

Use this procedure to install DG/DGAM from the EMM app store.

1. In the SOTI MobiControl web console, click Policies.
2. Click New App Policy.
3. Select Android and choose Android Enterprise.
4. Enter a policy name and click on the Apps tab.
5. Click +.
6. Click the dropdown by App Source and select Enterprise App Store.
7. Click the + icon.
8. Browse to the .APK file.
9. After the .APK is uploaded, click Save.
10. Click Add.
11. Search for the uploaded app, Device Guardian.
12. Select the app version and click Add.
13. The app appears in the list. Click Save and Assign.
14. Select the device group for the target devices and click Assign.
15. When successful, a status message appears indicating the policy is assigned to the devices.

Part III: Enroll Device in DG/DGAM

Choose one of the following methods to enroll devices in DG/DGAM:

• Option 1: StageNow Barcode: Enroll device with the scan of a barcode using StageNow.
• Option 2: XML File Use Microsoft Intune to deploy XML settings.
• Option 3: Managed .Config File: Deploy settings through Intune's Managed Configuration framework.

Option 1: StageNow Barcode

Use this method to enroll a device with the DG/DGAM server by scanning a barcode.

1. Download the device enrollment barcode .pdf file from the Download Kit.
2. Launch the StageNow client on the device.
3. Scan the barcode.
4. If applicable, repeat these steps for the following:
   • Kiosk - Use the enrollment barcode for kiosk
   • Device Tracker - For devices with Device Tracker, use the Device Tracker enrollment barcode for device. Repeat this for Kiosks if needed.

Option 2: XML File

Use this method to deploy the enrollment settings via XML (with OEMConfig) through SureMDM. This enrolls the device with the DG/DGAM server.

1. Download the XML Configuration for Device file from the Download Kit. The contents of this file is needed in a later step.
2. In the SOTI MobiControl web console, click Policies.
3. Click New App Policy.
4. Click Android, then click Android Enterprise.
5. Enter a name for the app policy, then click the APPS tab.
6. Click on the + icon.
7. Select Managed Google Play for the App Source and select Zebra OEMConfig Powered by MX. Click Add.
8. Click the options menu, then click Configure.
9. Click Managed App Config, then toggle Enable Managed App Config.
10. Scroll down and click System Configuration.
11. Copy the content from the .xml file downloaded earlier. Paste the copied text into the Pass-Through Command field. Click Save.
12. Zebra OEMConfig POwered by MX appears in the list. Click Save and Assign.
13. Select the device group for the target device. Click Assign to apply the policy.

Option 3: Managed .Config File

Use this method to deploy the enrollment settings via Managed Configurations in 42Gear SureMDM. This enrolls the device with the DG/DGAM server.

1. Download the .config file from the Download Kit. This .config file containing the Managed Configuration settings is required for a later step.
2. In the SOTI MobiControl web console, click Policies.
3. Click New App Policy.
4. Select Android and choose Android Enterprise.
5. Enter a policy name and click on the Apps tab.
6. Click +.
7. For the App Source dropdown, select Enterprise.
8. By default, Import is selected for the Source. Click Browse File and select the Device Guardian .apk file.
9. After the file is uploaded, click Configure.
10. The App Details are populated. Click Installation Options.
11. Deployment Type is set to Mandatory by default. Toggle to enable Launch App After Installation and click Managed App Config.
12. Toggle on Enable Managed App Config.
13. Tap Cancel when prompted to import config to create a new config.
14. If using the Managed Configuration method from Part II (Method 2), copy and paste the content from the Managed Configurations .config file into Server Connectivity Settings. Click Save.
15. Click Add.
16. The policy is created. Click Save and Assign.
17. Search for the enrolled device and select it. Click Assign.
18. Navigate to the Devices section.
19. Search for the enrolled device and select it.
20. Click the Configurations tab and verify that the policy is assigned, ensuring the device is installed and registered in Device Guardian.

Part IV: Install & Configure Identity Guardian (DGAM Only)

Identity Guardian is required for user authentication when using DGAM. When adding device users via Bulk Upload, follow these steps.

1. Create an App Setup Profile for Identity Guardian.
2. Select Yes when prompted to Configure App.
3. In the Usage Mode section, Select AUTHENTICATION.
4. In the Authentication Configuration section, select the following:
   • Comparison Source: CLOUD
   • Primary Authentication Factor: CLOUD_PASSCODE
   • Fallback Authentication Method: ADMIN BYBASS PASSCODE
   • Select the remaining options as desired.
5. Deploy the Profile to the target device(s).

After deployment, the device user experiences the following screen progression when logging in:

Identity Guardian login process

Part V: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

Part VI: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

---

Using Workspace ONE UEM

Follow these steps to use Workspace ONE UEM to install DG/DGAM and apply a policy that enrolls the device with the DG/DGAM server.

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

Part I: Enroll Device in SureMDM

Enroll the device in Workspace ONE UEM using the standard EMM procedure.

Part II: Install DG/DGAM

Choose one of the following installation methods:

• Option A: Google Play
• Option B: Managed Config through EMM

Option A: Google Play

Use this procedure to install DG/DGAM through Google Play.

1. In the Workspace ONE UEM web console, go to Resources > Native. Click Public, then Add Application.
2. Enter the following, then click Search App Store.
   • Platform: Android
   • Name: [Enter a name for the application]
3. Search for Device Guardian app and click on the app.
4. Click Select.
5. Click on the app.
6. Click Edit.
7. Enter a name and click Save & Assign.
8. Click Add Assignment.
9. Enter a name for the assignment. Select the target device group. Select Auto for the App Delivery Method, then click Application Configuration in the left panel.
10. Click Create.
11. Click Save.
12. Click Publish.

Option B: Managed Config through EMM

Use this procedure to install DG/DGAM from the EMM app store.

1. In the Workspace ONE UEM web console, go to Resources > Native. Click Internal, then Add, and select Application File.
2. Click Upload.
3. Click Choose File. Select the Device Guardian .APK file to upload, then click Save.
4. The Application File is populated with the file name. Click Continue.
5. Enter the application name and version. Click Save and Assign.
6. From the left menu, click Application Configuration. Ensure that Managed Access and Send Configuration remain disabled. Click Create.
7. Click Save.
8. Click Publish.

Part III: Enroll Device in DG/DGAM

Choose one of the following methods to enroll devices in DG/DGAM:

• Option 1: StageNow Barcode: Enroll device with the scan of a barcode using StageNow.
• Option 2: XML File Use Microsoft Intune to deploy XML settings.
• Option 3: Managed .Config File: Deploy settings through Intune's Managed Configuration framework.

Option 1: StageNow Barcode

Use this method to enroll a device with the DG/DGAM server by scanning a barcode.

1. Download the device enrollment barcode .pdf file from the Download Kit.
2. Launch the StageNow client on the device.
3. Scan the barcode.
4. If applicable, repeat these steps for the following:
   • Kiosk - Use the enrollment barcode for kiosk
   • Device Tracker - For devices with Device Tracker, use the Device Tracker enrollment barcode for device. Repeat this for Kiosks if needed.

Option 2: XML File

Use this method to deploy the enrollment settings via XML (with OEMConfig) through SureMDM. This enrolls the device with the DG/DGAM server.

1. Download the XML Configuration for Device file from the Download Kit. The contents of this file is needed in a later step.
2. In the Workspace ONE UEM web console, go to Resources > Native Apps. Search for the group with the target devices enrolled, then select the group.
3. Click Public, then click Add Application.
4. Select Android for the Platform, then enter a name for the app (e.g., "zebra oemconfig"). Click Search.
5. Select Zebra OEMConfig.
6. Click Select.
7. Go to Resources > Native Apps. Click on the Public tab, then click Add Application.
8. Search for the Zebra OEMCOnfig app. When it's displayed, click its edit icon.
9. Click Save & Assign.
10. Click Add Assignment.
11. Enter a name for the assignment. Select the assignment group. Select Auto for the App Delivery Method. Click Application Configuration.
12. Enable Managed Access and Send Configuration. Scroll down.
13. Click Configure next to System Configuration.
14. Copy the content from the .xml file downloaded earlier. Paste the copied text into the Pass-Through Command field. Click Save.
15. Click Save.
16. Click Publish to deploy.

Part IV: Send Intents (Android 11 Only)

For Android 11 devices, follow these steps to send intents that grant the necessary permissions and start Device Guardian:

1. Download the DeviceGuardian.xml file, which will be needed in a later step.
2. In the Workspace ONE UEM web console, go to Orchestration > File Actions. Click Add Files/Actions.
3. Select Android.
4. Enter a name for the File/Action and click the Files tab.
5. Click Add Files.
6. Choose the DeviceGuardian.xml downloaded from step 1 and click Save.
7. Enter /sdcard for the Download Path, and enter the version if needed. Click Save.
8. The file is added. Click the Manifest tab.
9. Under Installation Manifest, click Add Action.
10. Select the following, then click Save.
    • Action(s) To Perform: Apply Custom Settings
    • File: DeviceGuardiana.xml
11. The manifest is added. Click Save.
12. The File/Action is created. Next, apply it to the device(s). Go to Orchestration > Product. Click Add Product.
13. Select Android.
14. Enter a name and assign it to the appropriate Smart Groups. Click the Manifest tab.
15. Click Add.
16. Select the following options and click Save:
    • Action(s) To Perform: Application - Install
    • Application: Device Guardian
17. The application is added to the manifest. Click Add again to include the XML file.
18. Enter the following, then click Save:
    • Action(s) To Perform: File/Action - Install
    • Application: [Nme of XML file added]
19. Click Save.
20. Click Activate. The policy is applied to the selected device(s).

Part V: Install & Configure Identity Guardian (DGAM Only)

Identity Guardian is required for user authentication when using DGAM. When adding device users via Bulk Upload, follow these steps.

1. Create an App Setup Profile for Identity Guardian.
2. Select Yes when prompted to Configure App.
3. In the Usage Mode section, Select AUTHENTICATION.
4. In the Authentication Configuration section, select the following:
   • Comparison Source: CLOUD
   • Primary Authentication Factor: CLOUD_PASSCODE
   • Fallback Authentication Method: ADMIN BYBASS PASSCODE
   • Select the remaining options as desired.
5. Deploy the Profile to the target device(s).

After deployment, the device user experiences the following screen progression when logging in:

Identity Guardian login process

Part VI: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

---

Using 42Gears SureMDM

Follow these steps to use 42Gears SureMDM to install DG/DGAM and apply a policy that enrolls the device with the DG/DGAM server.

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

Part I: Enroll Device in SureMDM

Enroll the device in 42Gears SureMDM using the standard EMM procedure.

Part II: Install DG/DGAM

Choose one of the following installation methods:

• Option A: Google Play
• Option B: Managed Config through EMM

Option A: Google Play

Use this procedure to install DG/DGAM through Google Play.

1. In the 42Gears SureMDM web console, click on Profiles > Application Policy and click Add.
2. For the Application Source, select Play For Work.
3. Search for Device Guardian and click on the app.
4. Click Select.
5. Click both Configured buttons to de-select them.
6. Enter a name for the configuration and click Save.
7. Click Next.
8. Click Grant All and click Save.
9. Click Save.
10. A success message confirms a successful operation.
11. Click Home. Select the target device group from the left panel. Select the target devices from the list displayed. Click Apply.
12. Select the job created earlier and click Apply.

Option B: Managed Config through EMM

Use this procedure to install DG/DGAM from the EMM app store.

1. In the 42Gears SureMDM web console, go to the Android App Store and click Add New App.
2. Select Upload Apk.
3. Upload the Device Guardian .APK.
4. Enter the required information. Click Add.
5. Create the application policy. Click Profiles and Add.
6. Select Primary Profile for the Profile Type.
7. Click Configure.
8. Click Add.
9. Select SureMDM App Store.
10. From the dropdown, select the Device Guardian app uploaded. Click Next.
11. Enable Skip Configuration and click Done.
12. Enable Launch App Upon Installation and click Add.
13. The policy details are displayed in the table. Enter a name for the profile and click Save.
14. A success message confirms a successful operation. Thew created profile is added to the table.
15. From the top menu, click Home. Select the target device group from the left panel. Select the target devices from the list displayed. Click Apply.

Part III: Enroll Device in DG/DGAM

Choose one of the following methods to enroll devices in DG/DGAM:

• Option 1: StageNow Barcode: Enroll device with the scan of a barcode using StageNow.
• Option 2: XML File Use Microsoft Intune to deploy XML settings.
• Option 3: Managed .Config File: Deploy settings through Intune's Managed Configuration framework.

Option 1: StageNow Barcode

Use this method to enroll a device with the DG/DGAM server by scanning a barcode.

1. Download the device enrollment barcode .pdf file from the Download Kit.
2. Launch the StageNow client on the device.
3. Scan the barcode.
4. If applicable, repeat these steps for the following:
   • Kiosk - Use the enrollment barcode for kiosk
   • Device Tracker - For devices with Device Tracker, use the Device Tracker enrollment barcode for device. Repeat this for Kiosks if needed.

Option 2: XML File

Use this method to deploy the enrollment settings via XML (with OEMConfig) through SureMDM. This enrolls the device with the DG/DGAM server.

1. Download the XML Configuration for Device file from the Download Kit. The contents of this file is needed in a later step.
2. In the 42Gears SureMDM web console, select Jobs from the top menu and click New Job > New Job.
3. Select Android.
4. Select Install Application.
5. Enter a name for the job nad click Add App.
6. Enter/select the following, then click Next.
   • Apps: OEMConfig
   • App Version: [Select the latest version]
   • Device Path: /sdcard/
   • Install After File Transfer: [Check to enable]
7. Select System Configuration.
8. Copy the content from the .xml file downloaded earlier. Paste the copied text into the Pass-Through Command field. Click Next.
9. Click OK.
10. Acknowledge the security warning and click OK to continue.
11. Click Save.
12. When successful, a message appears showing the status and the job is added to the list.
13. From the top menu, click Home. Select the target device group from the left panel. Select the target devices from the list displayed. Click Apply.
14. Select the job and click Apply.

Option 3: Managed .Config File

Use this method to deploy the enrollment settings via Managed Configurations in 42Gear SureMDM. This enrolls the device with the DG/DGAM server.

1. Download the .config file from the Download Kit. This .config file containing the Managed Configuration settings is required for a later step.
2. In the 42Gears SureMDM web console, go to the Android App Store and click Add New App.
3. Select Upload Apk.
4. Upload the Device Guardian .APK.
5. Enter the required information. Click Add.
6. Create the application policy. Click Profiles and Add.
7. Select Primary Profile for the Profile Type.
8. Click Configure.
9. Click Add.
10. Select SureMDM App Store.
11. From the dropdown, select the Device Guardian app uploaded. Click Next.
12. Select or enter the required Device Guardian Managed Configurations; for information on these settings, see Managed Configurations. Ensure the following Server Connectivity settings are configured before clicking Done:
    • Server Connectivity Settings: [Copy and paste the content from the Managed Configurations .config file from the earlier step.]
13. Select any desired options, then click Add.
14. Select the app policy created, enter a profile name and click Save.
15. From the top-right hamburger menu, select Assign Profile to Group.
16. Select the group and click OK. The policy is applied to the device.

Part IV: Install & Configure Identity Guardian (DGAM Only)

Identity Guardian is required for user authentication when using DGAM. When adding device users via Bulk Upload, follow these steps.

1. Create an App Setup Profile for Identity Guardian.
2. Select Yes when prompted to Configure App.
3. In the Usage Mode section, Select AUTHENTICATION.
4. In the Authentication Configuration section, select the following:
   • Comparison Source: CLOUD
   • Primary Authentication Factor: CLOUD_PASSCODE
   • Fallback Authentication Method: ADMIN BYBASS PASSCODE
   • Select the remaining options as desired.
5. Deploy the Profile to the target device(s).

After deployment, the device user experiences the following screen progression when logging in:

Identity Guardian login process

Part V: Install & Configure the ZDNA Cloud Client App (DGAM Only)

The Zebra DNA Cloud client is required to add device users in DGAM.

1. Download the ZDNA Config Token:
   • In the web portal, navigate to User Management > Device Users.
   • Click ZDNA Config Token to download the file.
   • Open the file and copy its contents.
2. Apply the Token & Deploy the App via EMM: The general steps are provided below. For detailed instructions, see the Configure for a Mixed Population section within the ZDNA Cloud Setup guide and follow steps 1 to 3:
   • Paste the copied token into Managed Configuration settings in ZDNA Cloud.
   • Install and launch the app via EMM using one of these sources:
     • Google Play
     • Zebra.com

---

Managed Configurations

Managed configurations are standardized features developed by Google and the Android community, enabling remote configuration of applications and devices through an Enterprise Mobility Management (EMM) system, such as Zebra DNA Cloud, that supports this specification.

App features that can be managed using Managed Configurations are defined in the its schema. For Device Guardian, the schema becomes available once the APK is uploaded to the EMM, either as an Enterprise app or through its app store. The schema defines the app's configurable features and provides the necessary information to present the app's management interface in the EMM console. This data-driven interface allows new features and their corresponding UI attributes to be delivered as soon as they become available. The interface may vary slightly depending on the EMM system in use.

This section discusses the Managed Confgurations available for Device Guardian, as seen in your supported EMM, and serves as an extension to the Installation procedure for your specific EMM.

Managed Configuration Options:

Name	Description	Value(s)
Server Connectivity Settings	Enter the server configuration data.	[Copy and paste the content from the Managed Configurations .config file available in the Device Enrollment Download Kit]
Kiosk Mode	Enable or disable kiosk mode. Enable this option if the device is a kiosk.	Enable Disable
Enable Logging	Enable or disable logging feature. Log messages are directed to Android Debug Bridge (adb).	Enable Disable
KioskName or Kiosk’s DisplayName	Registers the device to the specified kiosk.	[Enter string]
BT Range Tuning	Adjust the Received Signal Strength Indicator (RSSI) threshold to control the Bluetooth range between a device and the kiosk. This enables devices to automatically log out when placed in a powered cradle within the kiosk's range and triggers an alarm if the device is moved out of range while the user is still logged in. Default value: 75.     • Prerequisite: The Bluetooth Proximity setting must be enabled during site creation.     • Adjustment Options: Increasing this value extends the Bluetooth detection range from the kiosk. Decreasing the value reduces the range, limiting the detection radius. Caution: Various factors can affect beacon signal strength, such as environmental conditions and device placement. It is essential to manually fine-tune this setting to align with your specific environment and meet your business requirements.	[Integer value]

---

Prevent Play Store Updates

By default, Device Guardian, along with other Google Play apps, is set to update automatically. However, administrators managing Android devices may prefer to prevent Device Guardian from updating automatically via the Google Play Store. To manage updates, follow one of these options:

• Disable Automatic Updates - Submit the Disable_AutoUpgrade_DG.xml through your EMM platform.
• Enable Automatic Updates - Submit the Enable_AutoUpgrade_DG.xml through your EMM platform.

For alternative methods, refer to the blog post Preventing Play Store Apps from Updating Automatically.

---

Uninstallation

To uninstall Device Guardian from the device, remove the Device Guardian client app manually or through an EMM.

Server Termination

To terminate the Device Guardian cloud server, contact Zebra services. This removes the cloud server instance and deletes all data stored.

---

See Also

• About Device Guardian + Access Management
• Admin Guide
• Configuration
• Device Use
• Dashboard
• APIs
• Secondary BLE
• Licensing
• FAQ