Installation

All references to Device Guardian also apply to Device Guardian Access Management within this guide, unless otherwise specified.

Overview

Device Guardian and Device Guardian Access Management is a cloud-based solution that consists of:

• A cloud-based server, hosted and managed by Zebra
• Client software designed for Zebra Android devices

To enable communication between the device and the server, the client app must be installed and the device enrolled with the server. This allows for device tracking through the Device Guardian solution.

This section discusses the process to install Device Guardian and enroll those devices with the server. Device Guardian licenses are required for use.

Device Guardian Access Management (DGAM) follows the same installation and enrollment process as Device Guardian but requires a DGAM license instead of the Device Guardian license, with additional steps for setup that are detailed in the Access Management section.

Important for Android 11: For Android 11 devices, Device Guardian must be launched after installation to apply the configurations.

---

Installation Notes

• Google Play Services update - During an update, the Android system automatically stops Device Guardian. After the update is complete, relaunch the Device Guardian app or reboot the device to resume device tracking.
• Config Service Notification - When configuring Device Guardian client for the first time, a notification appears indicating the Config Service is running. This notification disappears following a subsequent device reboot.
• Compatibility with Device Tracker - The Device Guardian server is backward compatible with Device Tracker client apps. However, the Device Tracker client app cannot be upgraded to the Device Guardian client app; a new installation of the Device Guardian client is required.

---

Requirements

Device Requirements

Requirements for Device Guardian client on the device:

• Licenses - Device Guardian and Device Guardian Access Management require device licenses to operate. Contact a Zebra reseller to procure the licenses.
• Supported Devices - Check the Zebra support portal for compatible hardware.
  Important: The WS50, as a non-GMS device, does not support:
  • Map-based Locationing (due to the lack of Location Services API support)
  • Tracking of Bluetooth Scanner Accessories
• Operating System - Check the Zebra support portal for compatible Android versions and LifeGuard updates.
• Single Sign-On - To enable single sign-on (SSO) for user accountability, Identity Guardian v2.0 or higher must be installed separately on devices and configured with SSO Authentication Configuration.
• Optional: Secondary BLE allows a device to be located even if it loses battery power or is powered off. This feature is available on select hardware with secondary BLE capability; see compatible hardware. Refer to the Secondary BLE Configuration guide for setup instructions.

---

Network Requirements

Network requirements for the web portal and communication between the device client app and the cloud server:

• Open HTTPS port. By default, port 443 is typically used for HTTPS communication. However, this may vary based on network configuration.

• For administrators and managers to access the web portal (supplied by Zebra during onboarding), allow the web portal URL through the firewall or proxy.

• An email is sent from zdtrksupport@zebra.com if reporting is enabled and if the password is reset.

• For web portal access and communication between the device client app and the cloud server, specific domain names must be allowed through the firewall or proxy.

  If the firewall or proxy supports wildcards, add the following domain names to the allow list:

  • connectivitycheck.gstatic.com
  • *.googleapis.com
  • *.firebaseio.com
  • *.cloudfunctions.net
  • [ProjectID].firebaseapp.com ¹
  • [Web portal URL] (supplied by Zebra during onboarding)

  If the firewall or proxy does not support wildcards, add the following domain names to the allow list:

  • connectivitycheck.gstatic.com
  • www.googleapis.com
  • firestore.googleapis.com
  • firebasestorage.googleapis.com
  • cloudfunctions.googleapis.com
  • us-central1-[ProjectID].cloudfunctions.net ¹
  • [ProjectID].firebaseio.com ¹
  • [ProjectID]-default-rtdb.firebaseio.com ¹
  • *.firebaseio.com ²
  • [ProjectID].firebaseapp.com
  • [Web portal URL] (supplied by Zebra during onboarding)

¹[ProjectID] is included in the welcome email sent by Zebra services during the onboarding process.

² For the Device Guardian client to communicate with the Cloud, *.firebaseio.com must be accessible. It is required to allow this URL in your Firewall or Proxy settings. If your Firewall or Proxy policy does not support wildcard entries, follow these steps to obtain the specific URL:

1. Open the following link in your browser ([ProjectID] is provided during onboarding): https://[ProjectID]-default-rtdb.firebaseio.com/.settings/owner.json
2. Copy the URL displayed on the web page and add it to your Firewall or Proxy settings.
3. Important Note: The URL from step 2 may change periodically due to Google’s server resource allocation. Steps 1 and 2 may need to be repeated regularly to retrieve the latest URL.

---

Web Portal Requirements

The web portal allows adminstrators to (1) configure Device Guardian, (2) manage users, (3) manage access points, sites, and devices, (4) automate workflows, (5) generate reports, and (6) view licenses. The web portal URL is supplied by Zebra during onboarding.

To access the web portal, in a supported browser enter the web portal URL. The supported browsers are:

• Chrome
• Edge
• Safari (v14.0 and later)

For first-time use, the administrator must set their password. Click Forgot Your Password in the web portal and enter the administrator email address, which is registered as a user in the system during onboarding. An email will be sent to the administrator with a link to set the password in order for the administrator to login.

If using single sign-on (SSO), see SSO for procedures on configuring SSO.

---

Licenses

End-user licenses are required for Device Guardian and Device Guardian Access Management to operate. Additionally, separate BLE licenses are required for secondary BLE operation, allowing devices to be tracked even after losing battery power. See Licensing.

---

Using ZDNA Cloud

Follow these steps to install Device Guardian via Managed Configurations with ZDNA Cloud and apply a policy that enrolls the device with the Device Guardian cloud server.

Part I: Enroll Device

Create and apply the StageNow barcode for device enrollment in ZDNA Cloud:

1. Log in to ZDNA web portal. In the left menu, click New Device Setup.
2. From the top-right, click Set Up Device.
3. Configure the device for enrollment. Enter the appropriate internet settings, then click Next.
4. Optionally, select the service for device enrollment. Click Next.
5. Enter the properties and select the barcode type. Click Next.
6. Review the information and click Next.
7. The barcode is created. Click Done.
8. The new setup is listed. Click View Barcode.
9. For new enrollments, factory reset the device. Open StageNow and scan the barcode.
10. After staging is complete, in ZDNA Cloud, click on My Devices and verify that the the enrolled device is listed.
11. Allocate the license for the enrolled device. Click Licensing from the left menu. Under DNA CLoud License, click Allocate.
12. Select the target device(s) to allocate the license to and click Allocate.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a Device Guardian Managed Configurations policy, which installs Device Guardian on the device and enrolls it in the Device Guardian server:

1. In the ZDNA Cloud web portal, click My Apps.
   • If adding Device Guardian for the first time, click Add App.
   • If a new Device Guardian app version is needed, click Add Version.
2. Select the appropriate hosting location, provide the details, and click Upload.
3. The application version is added. Click Setup.
4. Click Next.
5. Click Yes to configure the app. Enable Server Connectivity Settings and copy and paste the content from the Managed Configurations .CONFIG file from step II.2, then click Next.
6. Enter a description for the setup and click Next.
7. Review the settings and click Apply Now.
8. Select the target device(s). Click Apply.
9. The device(s) is listed under the App Setup tab with the status of applying the configuration. Once complete, "Success" is displayed as the status.

Part IV: Send Intents (Android 11 Only)

For Android 11 devices, intents must be sent to grant the necessary permissions and start Device Guardian, allowing the configurations to be applied:

1. Download the DeviceGuardian.xml file, which will be needed in a later step.
2. In the ZDNA Cloud web portal, go to Device Settings. Click New Setting, then Create New Setting (Advanced).
3. Select System Configuration. Enable Pass-Through Command and paste the content from DeviceGuardian.xml into the text field. Click Next.
4. Enter a Device Settings Name and Description, if needed, then click Next.
5. Review the configuration settings. Click Apply Now.
6. Select the target device(s) to apply the configuration. Click Apply.

---

Using Microsoft Intune

Follow these steps to use Microsoft Intune to install Device Guardian from the Google Play Store and apply a policy that enrolls the device with the Device Guardian server.

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

Part I: Enroll Device

Enroll the device in Microsoft Intune using the standard EMM procedure.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a policy to install Device Guardian and enroll it in the Device Guardian server:

1. In the Microsoft Intune web console, in Apps click Android.
2. Click Create.
3. From the dropdown, select Managed Google Play app, then click Select.
4. Search for the Device Guardian app and click on it.
5. Click Select, then click Sync.
6. The Device Guardian app is added to the Play Store. Click on the app in the list.
7. Click on Properties and Edit near the Assignments section.
8. Under the Required section, click Add group.
9. Choose the group to install the app and click Select.
10. Update the priority. Click Default under the Update Priority column.
11. For the Update Priority dropdown, select High Priority. Click OK.
12. The group is added with the updated priority. Click Review + save.
13. Click Save.
14. Create a profile to enroll the device to Device Guardian. From the left menu, click Apps > Configuration. Click Create and select Managed devices.
15. Enter or select the following, then click OK.
    • Name: [Enter a name for the policy]
    • Platform: Android Enterprise
    • Profile Type: Fully Manged, Dedicated, and Corporate-Owned Work Profile Only
    • Targeted App: Device Guardian
16. Click Save.
17. In the Settings screen, for Configuration settings format select Use configuration designer. Click Next.
18. Select all the configuration keys and click OK.
19. For Server Connectivity Settings, copy and paste the content from the Managed Configurations .CONFIG file from step II.2. Click Next.
20. Under Included groups, click Add groups.
21. Choose the group to apply the policy and click Select.
22. Click Next.
23. Review the configuration and click Create. Device Guardian is installed and the devices are enrolled to the server.

Part IV: Send Intent (Android 11 Only)

For Android 11 devices, an intent must be sent to start Device Guardian, allowing the configurations to be applied:

1. In the Microsoft Intune web console, go to Apps and select Android.

2. Click Create.

3. For App type, select Managed Google Play app and click Select.

4. Search for Zebra OEMConfig app, then click on the app.

5. Click Select, then click Sync.

6. The Zebra OEMConfig app is added to the app list. Select the app.

7. Click Properties.

8. By Assignments, click Edit.

9. Under the Required section, click Add group.

10. Choose the required device group, then click Select.

11. The group is added. To enable automatic app installation, update the priority by setting it to high. Under Update Priority, click Default.

12. For Update Priority, select High Priority. Then, click OK.

13. Check that the device group is added to the list, then click Review and Save.

14. Click Save. The OEMConfig app gets installed to the assigned device group.

15. Configure the Device Guardian app to get enrolled to the server. Go to Devices and select Android.

16. Under Managed Devices, click Configuration. Click Create > New Policy.

17. Select the following and click Create:

    • Platform: Android Enterprise
    • Profile Type: OEMConfig

18. Enter a name, click Select an OEMConfig app and select Zebra OEMConfig Powered by MX. Click Select. When the app is added, click Next.

19. In Configuration settings, scroll down and select System Configuration.

20. Copy and paste the following text into the Pass-Through Command field, then click Next:

    <wap-provisioningdoc>
        <characteristic version="9.2" type="Intent">
            <parm name="Action" value="StartActivity"/>
            <parm name="ActionName" value="android.intent.action.MAIN"/>
            <parm name="Type" value="explicit"/>
            <parm name="Package" value="com.zebra.mdna.dg"/>
            <parm name="Class" value="com.zebra.mdna.dg.SplashActivity"/>
        </characteristic>
    </wap-provisioningdoc>
    

    

21. Click Next.

22. Under Included groups, click Add groups to assign the configurations to the devices.

23. Choose the device group and click Select.

24. The group is added. Click Next.

25. Review the changes and click Create. This launches Device Guardian, allowing the app configurations to be applied.

---

Using SOTI MobiControl

Choose one of two methods to install Device Guardian and enroll devices to the server using SOTI MobiControl:

• Google Play Store
• Managed Configurations

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

---

Google Play

Follow these steps to use SOTI MobiControl to install Device Guardian from the Google Play Store and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device in SOTI MobiControl using the standard EMM procedure.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a policy to install Device Guardian and enroll the device in the Device Guardian server:

1. In the SOTI MobiControl web console, go to Apps > Policies. Click New App Policy.
2. Select Android Enterprise.
3. Enter an App Policy Name, then click the Apps tab.
4. Click +.
5. Select the following, then search for the Device Guardian app.
   • App Source: Managed Google Play
   • Select: Zebra Technologies
6. Click on the Device Guardian app.
7. Click on the options menu and select Configure.
8. The application details are populated. Click Installation Options.
9. In Installation Options, set the Priority to High Priority and enable Launch App After Installation. This step is particularly important for Android 11 devices. Then, click Managed App Config.
10. Toggle to Enable Managed App Config. Enter the following, then click Save:
    • Server Connectivity Settings: [When a prompt appears to import the config from a previous version, click Cancel and enter copy/paste the content from the Managed Configurations .CONFIG file from step II.2.]
    • Kiosk Mode: [Toggle to enable if the device is a kiosk.]
11. Select the new policy created.
12. Click on the Assign icon, the second icon from the top menu.
13. Search for the enrolled device, select the device, and click Assign. This applies the policy to the device.

---

Managed Configurations

Follow these steps to install Device Guardian via Managed Configurations with SOTI MobiControl and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device to SOTI MobiControl using the standard EMM procedure. After enrollment is complete, verify that the device has been added to the system.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a Device Guardian Managed Configurations policy, which installs Device Guardian on the device and enrolls it in the Device Guardian server:

1. In the SOTI MobiControl web console, click Policies.
2. Click New App Policy.
3. Select Android and choose Android Enterprise.
4. Enter a policy name and click on the Apps tab.
5. Click +.
6. For the App Source dropdown, select Enterprise.
7. By default, Import is selected for the Source. Click Browse File and select the Device Guardian .APK file.
8. After the file is uploaded, click Configure.
9. The App Details are populated. Click Installation Options.
10. Deployment Type is set to Mandatory by default. Toggle to enable Launch App After Installation and click Managed App Config.
11. Toggle on Enable Managed App Config.
12. Tap Cancel when prompted to import config to create a new config.
13. For Server Connectivity Settings, copy and paste the content from the Managed Configurations .CONFIG file from step II.2. Click Save.
14. Click Add.
15. The policy is created. Click Save and Assign.
16. Search for the enrolled device and select it. Click Assign.
17. Navigate to the Devices section.
18. Search for the enrolled device and select it.
19. Click the Configurations tab and verify that the policy is assigned, ensuring the device is installed and registered in Device Guardian.

Part IV: Send Intents (Android 11 Only)

For Android 11 devices, intents must be sent to grant the necessary permissions and start Device Guardian, allowing the configurations to be applied:

1. Download the DeviceGuardian.xml file, which will be needed in a later step.

2. Create a file named DG_XML_SOTI.CMD with the following content and place this file in the same folder as the .XML file:

   mxconfig /sdcard/DeviceGuardian.xml
   

3. In the SOTI MobiControl web console, click Packages from the left menu.

4. Click Download Package Studio.

5. MobiControl Package Studio MCStudio.exe is downloaded. Execute to launch this app.

6. Create a new package file for Device Guardian .XML. Click File > Create New Package File.

7. Enter the following and click Next:

   • Project Name - [Enter a name for the project]
   • Project Location - [Browse to the folder location to save the project]
   • Platform - Android

8. Click Post-Install, browse to DG_XML_SOTI.CMD created in step 2 and click Next.

9. Click Add. Click Add Files and browse to add DeviceGuardian.xml.

10. Leave the default destination as %sdcard%/. Click OK.

11. The file is added. Click Next, then click Finish.

12. A popup message appears indicating that the package is created. Click Build Package Now.

13. When complete, the output window displays the folder path with the package (.PCG file) is created. Record this folder path.

14. Upload the .PCG file to Soti MobiControl. In the SOTI MobiControl web console, click Packages and Add Package.

15. Click Import.

16. Select Android.

17. Browse to the package file (.PCG) folder path from step 13 and click Upload.

18. The new created package is listed.

19. Create a profile containing this package to deploy to devices. From the left menu, click Profiles.

20. Click Add Profiles, select Android, and select Work Managed.

21. In the General tab, enter the Profile Name and then click the Packages tab.

22. Click "+"

23. Search for the package just created, select it, and click Add to Profile.

24. Click Save and Assign.

25. Search for the device(s) to deploy the policy and click Assign.

---

Using Workspace ONE UEM

Choose one of two methods to install Device Guardian and enroll devices to the server using Workspace ONE Unified Endpoint Management (UEM), formerly known as AirWatch:

• Google Play Store
• Managed Configurations

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

---

Google Play

Follow these steps to use Workspace ONE UEM to install Device Guardian from the Google Play Store and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device in Workspace ONE UEM using the standard EMM procedure. After enrollment is complete, go to Devices > List View in the web console to verify that the device is listed.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a policy to install Device Guardian and enroll the device in the Device Guardian server:

1. In the Workspace ONE UEM web console, go to Resources > Native. Click Public, then Add Application.
2. Enter the following, then click Search App Store.
   • Platform: Android
   • Name: [Enter a name for the application]
3. Search for Device Guardian app and click on the app.
4. Click Select.
5. Click on the app.
6. Click Edit.
7. Enter a name and click Save & Assign.
8. Click Add Assignment.
9. Enter or select the following, then click Application Configuration:
   • Name: [Enter an assignment name]
   • Assignment Groups: [Enter group to assign the app]
   • App Delivery Method: Auto
   • Auto Update Priority: High priority
10. Enable Managed Access and Send Configuration. For Server Connectivity Settings, copy and paste the content from the Managed Configurations .CONFIG file from step II.2. Click Save.
11. Click Publish.
12. From the left menu, click Groups & Settings > Assignment Groups. Click on the assignment group created.
13. Add the configured device(s) and click Next.
14. Check for the assigned app and click Publish.

Part IV: Send Intent (Android 11 Only)

For Android 11 devices, an intent must be sent to start Device Guardian, allowing the configurations to be applied:

1. In the Workspace ONE UEM web console, go to Orchestration > File Actions. Click Add Files/Actions.

2. Select Android.

3. Enter a name for the file/action and click on the Manifest tab.

4. Under Installation Manifest, click Add Action.

5. Enter or select the following, then click Save.

   • Action(s) To Perform: Run Intent

   • Command Line and Arguments to run: [Copy and paste the text below.]

     mode=explicit,broadcast=false,action=android.intent.action.MAIN,package=com.zebra.mdna.dg,class=com.zebra.mdna.dg.SplashActivity 
     

   • TimeOut: [Enter any timeout value.]

6. Click Save. The file/action is created.

7. Create a product using the file/action just created. Go to Orchestration > Products and click Add Product.

8. Select Android.

9. Enter a name, assign a Smart Group, and click on the Manifest tab.

10. Click Add.

11. Select the following and click Save.

    • Action(s) To Perform: File/Action - Install

12. Files/Actions: [Select the File/Action created from step 6.]

13. Click Activate.

14. The assigned devices are listed. Click Activate. This sends the intent, launching Device Guardian on the devices for the configurations to be applied.

---

Managed Configurations

Follow these steps to install Device Guardian via Managed Configurations with Workspace ONE Unified Endpoint Management (UEM) and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device in Workspace ONE UEM using the standard EMM procedure. After enrollment is complete, go to Devices > List View in the web console to verify that the device is listed.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a Device Guardian Managed Configurations policy, which installs Device Guardian on the device and enrolls it in the Device Guardian server:

1. In the Workspace ONE UEM web console, go to Resources > Native. Click Internal, then Add, and select Application File.
2. Click Upload.
3. Click Choose File. Select the Device Guardian .APK file to upload, then click Save.
4. The Application File is populated with the file name. Click Continue.
5. Enter the application name and version. Click Save and Assign.
6. In the Assignment screen, enter the information prompted. From the left menu, click Restrictions.
7. Enable Managed Access. From the left menu, click Application Configuration.
8. Enable Send Configuration. For Server Connectivity Settings, copy and paste the content from the Managed Configurations .CONFIG file from step II.2. Select the target device(s). Click Save.
9. Preview the assigned device group and click Publish.
10. Navigate to Groups & Settings > Assignment Groups. Select the group to apply the policy.
11. Select the device(s) to configure, then click Next.
12. Verify the assigned applications and click Publish. The policy is applied to the device.

Part IV: Send Intents (Android 11 Only)

For Android 11 devices, follow these steps to send intents that grant the necessary permissions and start Device Guardian:

1. Download the DeviceGuardian.xml file, which will be needed in a later step.
2. In the Workspace ONE UEM web console, go to Orchestration > File Actions. Click Add Files/Actions.
3. Select Android.
4. Enter a name for the File/Action and click the Files tab.
5. Click Add Files.
6. Choose the DeviceGuardian.xml downloaded from step 1 and click Save.
7. Enter /sdcard for the Download Path, and enter the version if needed. Click Save.
8. The file is added. Click the Manifest tab.
9. Under Installation Manifest, click Add Action.
10. Select the following, then click Save.
    • Action(s) To Perform: Apply Custom Settings
    • File: DeviceGuardiana.xml
11. The manifest is added. Click Save.
12. The File/Action is created. Next, apply it to the device(s). Go to Orchestration > Product. Click Add Product.
13. Select Android.
14. Enter a name and assign it to the appropriate Smart Groups. Click the Manifest tab.
15. Click Add.
16. Select the following options and click Save:
    • Action(s) To Perform: Application - Install
    • Application: Device Guardian
17. The application is added to the manifest. Click Add again to include the XML file.
18. Enter the following, then click Save:
    • Action(s) To Perform: File/Action - Install
    • Application: [Nme of XML file added]
19. Click Save.
20. Click Activate. The policy is applied to the selected device(s).

---

Using 42Gears SureMDM

Choose one of two methods to install Device Guardian and enroll devices to the server using 42Gears SureMDM:

• Google Play Store
• Managed Configurations

Screen Variations Note: The screen UI may vary depending on the EMM version in use. Refer to your EMM user guide for additional guidance.

---

Google Play

Follow these steps to use 42Gears SureMDM to install Device Guardian from the Google Play Store and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device in 42Gears SureMDM using the standard EMM procedure.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a policy to install Device Guardian and enroll the device in the Device Guardian server:

1. In the 42Gears SureMDM web console, click on Profiles > Application Policy and click Add.
2. For the Application Source, select Play For Work.
3. Search for Device Guardian and click on the app.
4. Click Select.
5. Enter the following, then click Save:
   • Configuration Name: [Enter a name]
   • Server Connectivity Settings: [Copy and paste the content from the Managed Configurations .CONFIG file from step II.2.]
   • Kiosk Mode: [Toggle to enable if the device is a kiosk]
6. Enter or select the following for the application policy, then click Next.
   • Install Silently: [Toggle to enable]
   • Allow in Kiosk Mode: [Toggle to enable if the device is a kiosk]
   • App Update Mode: High Priority Mode
7. Grant all permissions, then click Finish.
8. Enter a profile name and click Save.
9. From the options menu click Assign Profile to Group.
10. Select the device group(s) to apply the profile. Click OK.

Managed Configurations

Follow these steps to install Device Guardian via Managed Configurations with 42Gears SureMDM and apply a policy that enrolls the device with the Device Guardian server.

Part I: Enroll Device

Enroll the device in 42Gears SureMDM using the standard EMM procedure. After enrollment is complete, verify that the device has been added to the system.

Part II: Download Config File

Download the required configuration file from the Device Guardian web portal:

1. In the left menu of the Device Guardian web portal, go to Settings > Device Enrollment. Click on Download Kit.
2. Download the file and extract its contents. The Managed Configurations .CONFIG file is required for a later step.

Part III: Create and Apply Policy

Create and apply a Device Guardian Managed Configurations policy, which installs Device Guardian on the device and enrolls it in the Device Guardian server:

1. In the 42Gears SureMDM web console, go to the Android App Store and click Add New App.
2. Select Upload Apk.
3. Upload the Device Guardian .APK.
4. Enter the required information. Click Add.
5. Create the application policy. Click Profiles and Add.
6. Select Primary Profile for the Profile Type.
7. Click Configure.
8. Click Add.
9. Select SureMDM App Store.
10. From the dropdown, select the Device Guardian app uploaded. Click Next.
11. For Server Connectivity Settings, copy and paste the content from the Managed Configurations .CONFIG file from step II.2. If the device is a kiosk, enable Kiosk Mode. Click Done.
12. Select any desired options, then click Add.
13. Select the app policy created, enter a profile name and click Save.
14. From the top-right hamburger menu, select Assign Profile to Group.
15. Select the group and click OK. The policy is applied to the device.

---

Prevent Play Store Updates

By default, Device Guardian, along with other Google Play apps, is set to update automatically. However, administrators managing Android devices may prefer to prevent Device Guardian from updating automatically via the Google Play Store. To manage updates, follow one of these options:

• Disable Automatic Updates - Submit the Disable_AutoUpgrade_DG.xml through your EMM platform.
• Enable Automatic Updates - Submit the Enable_AutoUpgrade_DG.xml through your EMM platform.

For alternative methods, refer to the blog post Preventing Play Store Apps from Updating Automatically.

---

Uninstallation

To uninstall Device Guardian from the device, remove the Device Guardian client app manually or through an EMM.

Server Termination

To terminate the Device Guardian cloud server, contact Zebra services. This removes the cloud server instance and deletes all data stored.

---

See Also

• About Device Guardian + Access Management
• Quick Start
• Configuration
• Device Use
• Dashboard
• Access Management
• APIs
• Secondary BLE
• Licensing
• FAQ