Silent Deployment of Mobile Endpoint Agent on Android Devices using Mobile Device Management (MDM)
This guide explains how to deploy MEPA on Android devices using Mobile Device Management (MDM) solutions, following best practices for silent and scalable installation. It covers configuration through popular MDM platforms such as Microsoft Intune, emphasizing managed Google Play deployment for consistent device settings, automatic updates, and secure enrollment.
Silent Deployment Configuration Matrix
To get started with the right configuration for installing the MEPA on your Mobile Device Management (MDM) solution, this guide provides a clear, silent deployment matrix. It ensures that regardless of the MDM, (Enterprise Mobility Management)EMM or (Unified Endpoint Management)UEM platform you use—such as Microsoft Intune, SOTI or Omnissa—or the device type, including Samsung, Zebra, Honeywell, Lenovo or Motorola, you will know the exact configurations, permissions, and system-level permissions required. By following these steps, you can achieve a seamless, automated installation process that grants necessary permissions, applies critical settings, and enables automatic registration with the ThousandEyes platform, minimising user interaction and administrative effort.
ACCESS_BACKGROUND_LOCATION Location Access - Background
MDM/UEM/EMM
Permission
Enables background location updates. It is needed for rough approximate geo-location data, along with Wi-Fi & Cellular metrics.
ACCESS_BACKGROUND_LOCATION Location Access - Coarse
MDM/UEM/EMM
Permission
Allows access to approximate device location. Used to associate network performance metrics (Wi-Fi, cellular) with a general geographic area.
ACCESS_BACKGROUND_LOCATION Location Access - Fine
MDM/UEM/EMM
Permission
Allows access to precise device location and Wi-Fi identifiers, including SSID and BSSID. Required for accurate Wi-Fi visibility, roaming analysis, and correlation of performance issues to specific sites or environments.
READ_PHONE_STATE
MDM/UEM/EMM
Permission
Used to access network state or SIM info as well as cellular telemetry reporting.
TERMS_OF_SERVICE
MDM/UEM/EMM
Boolean
Used by administrators of corporate-owned devices to automatically accept Cisco’s Terms of Service.
CONNECTION_STRING
MDM/UEM/EMM
String
Used as a token to accurately identify the account group where the agent should be installed.
DEVICE_NAMING
MDM/UEM/EMM
Variable
Allows administrators to define a device naming convention. If left blank, a device name string is automatically generated.
DEVICE_REGISTRATION_AUTO_LAUNCH
MDM/UEM/EMM
Boolean
Used to auto launch the app to register the device with ThousandEyes.
CLOSE_APP_AFTER_INSTALL
MDM/UEM/EMM
Boolean
Used to close the app once the device has registered with ThousandEyes.
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
OEM Config
Special Permission
Required to run the app in the background.
SCHEDULE_EXACT_ALARM
OEM Config
Special Permission
Required to run scheduled periodic check-ins, tests and configuration.
APP_AUTO_LAUNCH
OEM Config
Special Permission
Required to auto launch the app to complete the installation and registration of the agent.
This approach supports Android Enterprise Managed Configurations and leverages managed Google Play for consistent device settings, automatic updates, and secure enrollment. It includes creating device groups by manufacturer, approving required apps from managed Google Play, assigning apps for automatic installation, and applying OEM-specific configuration policies to exempt the agent from battery optimizations and enable scheduled alarms. Additionally, app configuration policies deliver account settings and runtime permissions to the agent. This comprehensive setup ensures reliable and scalable deployment across diverse environments.
By using this matrix, IT teams can confidently deploy MEPA with the right permissions and configurations, regardless of the MDM solution or device manufacturer, enabling efficient monitoring of mobile network and application performance with minimal overhead.
As an example, the following sections explain how to use the above matrix to install your Android devices (Samsung, Zebra and Honeywell) using Microsoft Intune.
Prerequisites
Admin access to your Microsoft Intune portal.
Your target devices (Honeywell, Samsung, or Zebra) enrolled in Intune as Android Enterprise Fully Managed or Dedicated.
Your ThousandEyes account Connection String.
For Samsung devices only: Knox Platform for Enterprise Standard Edition License
Mobile Endpoint Agent v-1.5.1 or higher *Access to the ThousandEyes platform Microsoft Intune tenant connected and integrated with your managed Google Play account Devices enrolled and managed in Microsoft Intune Android Devices running version 11 or higher
The following steps should be performed in the sequence provided. The Intune and Android Enterprise systems rely on a specific order of operations for app assignments and policy application. Following this guide in order will ensure a successful and predictable deployment.
Step 1 - Verify Device Enrollment and Grouping
Ensure your devices are properly enrolled and organized into a dedicated group. This allows you to target policies precisely.
A. Verify Device Enrollment
In Microsoft Intune, navigate to Devices > Android.
Find your target device(s) in the list.
Confirm that the Ownership column shows
Corporateand the OS isAndroid (fully managed).
If your devices are not enrolled: Please follow the official Microsoft documentation for Enrollment.
In environments where devices use a personally owned work profile (BYOD), administrators have less control compared to fully managed, corporate-owned devices. For example, certain permissions—such as location access—cannot be automatically granted on BYOD devices. In these cases, users must manually approve location permissions.
You can’t install raw APK files directly on Android Enterprise enrolled devices—including work profile, fully managed, COPE, or dedicated devices. Apps must be deployed through Managed Google Play.
#### B. Create a Dynamic Device Group for Your Devices
This is a best practice that automatically groups all your devices from a specific manufacturer.
Navigate to Groups > New group.
Group type: Security
Group name: [Manufacturer Name] Android Devices (e.g., Honeywell Android Devices, Samsung Android Devices, Zebra Android Devices)
Membership type: Dynamic Device
Click Add dynamic query.
Create a rule with the following syntax, replacing [Manufacturer Value] with the appropriate value:
Property: deviceManufacturer
Operator: Equals
Value:
For Honeywell: Honeywell
For Samsung: Samsung
For Zebra: Zebra Technologies
Click Save, then Create. The group will automatically populate with all devices from the specified manufacturer in your tenant.
Step 2: Add Required Apps from Managed Google Play
Before you can configure or assign apps, Intune must be made aware of them.
Navigate to Apps > Android.
Click + Create and select Managed Google Play app.
Search and Approve the following two applications:
ThousandEyes Endpoint Agent
Add one or all of the following, depending on your device manufacturer:
For Honeywell: Honeywell UEMConnect
For Samsung: Knox Service Plugin
For Zebra: Zebra OEMConfig (by Zebra Technologies)
After approving/selecting both, click the Sync button at the top of the Android apps page to force Intune to update its app catalog immediately.
Step 3: Assign Apps for Automatic Installation
Assign both apps to your device group so they install automatically on the devices.
In the Apps > Android list, click on ThousandEyes Endpoint Agent.
Navigate to Properties > Assignments > Edit.
Under the Required section, click + Add group and select your [Manufacturer Name] Android Devices group.
Click Review + Save.
Repeat these same steps for the OEM-specific apps you approved in Step 2:
For Honeywell: Honeywell UEMConnect
For Samsung: Knox Service Plugin
For Zebra: Zebra OEMConfig
Step 4 - Create and Assign the OEMConfig Policy
This policy is used to exempt the agent from battery optimization and allows Scheduling Exact Alarms. The specific OEMConfig app and JSON will vary by manufacturer.
Create a Device configuration by going to Devices > Configuration > Create.
Platform: Android Enterprise
Profile Type: Templates > OEMConfig
Apply the profile information:
Name: [Manufacturer Name] OEM Config (e.g., Honeywell OEM Config, Samsung OEM Config, Zebra OEM Config)
Description: Device configuration used to control sensitive permissions and make the app exempt from battery optimisations for [Manufacturer Name] devices.
Select an OEMConfig app:
For Honeywell: Honeywell UEMConnect
For Samsung: Knox Service Plugin
For Zebra: Zebra OEMConfig Powered by MX
Configure settings with: JSON editor.
Apply the following JSON, specific to your device manufacturer:
For Samsung Devices
Replace YOUR_LICENSE_KEY with your actual Samsung Knox License key.
For Zebra Devices
For Honeywell Devices:
To register with ThousandEyes, the mobile agent needs to launch automatically. We recommend that administrators temporarily set up the mobile agent in Kiosk mode and remove this setting after registration. You can also use any other auto-launch method supported by your MDM.
7. **Assignments Tab**: Assign this policy to your [Manufacturer Name] Android Devices group. 8. Click **Review + Save**.
Step 5 - Create and Assign the App Configuration Policy (Permissions & Settings)
This policy delivers your account settings to the ThousandEyes app and uses standard Android Enterprise commands to grant the required runtime permissions.
Navigate to Apps> Manage apps > Configuration.
Click** + Create > Managed devices**.
Basics Tab:
Name: ThousandEyes - App Permissions and Settings
Targeted app: Click Select app and choose ThousandEyes Endpoint Agent.
Settings Tab:
Auto-Grant the following permissions:
READ_PHONE_STATEACCESS_BACKGROUND_LOCATIONACCESS_COARSE_LOCATIONACCESS_FINE_LOCATION
Configuration settings format: Choose Use JSON editor.
Paste the following JSON, replacing
YOUR_CONNECTION_STRINGwith your actual ThousandEyes account Connection String.
**Generating Device Name Automatically**
If your MDM system doesn’t provide a device name or if the parameter is left blank, the app creates one for you. The name is based on:
The first four letters of the device manufacturer’s name (with ‘X’ added if needed)
The first four letters of the device model name (with ‘X’ added if needed)
A randomly generated 16-character ID
For Example: Manufacturer: Google Model: Pixel 9 Generated device name: GOOGPIXE-3F4A7D9C1B2E5F60
Assignments Tab: Assign this policy to your [Manufacturer Name] Android Devices groups.
Click Review + Save.
Step 6 - Trigger Agent Registration and Start Services
After all required policies are deployed and show as successfully applied to your devices, you can start the agent registration process and enable agent services.
Verify policy adoption
Go to Devices > Managed devices > Configuration.
Select the policy you created.
Open Device/User status.
Confirm that the deployment status for your target devices is Successful.
Restart devices to trigger registration
Go to Devices > Android devices > Bulk device actions.
For OS, select **Android **(fully managed / work profile).
For Device action, select Restart.
Choose the devices you want to restart.
Select** Next**, then select Create.
After the devices restart, the ThousandEyes Endpoint Agent will automatically complete registration and start its background services.
Step 7 - Verifying the Agent Installation
After the device syncs, the entire process will complete automatically.
To verify the installation on Intune: Check the status of both configuration policies for a target device.
To verify that the agent is registered to your ThousandEyes organization, go to Endpoint Experience > Agent Settings in the ThousandEyes UI. The newly installed agent should appear in the list, confirming successful registration and connection to your organization.
Additional Resources
You can install, configure, and deploy the agent on the following MDM platforms:
Cisco Meraki Systems Manager - Learn more about installing and managing the agent in this video. You may need to provide your business email address to request access.
Omnissa’s WorkspaceOne - Please refer to the manufacturer documentation on how to Deploy Public Apps and Android Profiles - Custom DPC Permissions.
SOTI - Please refer to the manufacturer documentation on how to deploy the ThousandEyes Mobile Endpoint Agent.
Last updated