Skip to main content

Connect Google MDM Using Self Managed Setup

Set up advanced Google MDM integration with full Google Workspace control. Complete guide for Self Managed Android Enterprise setup.

Prerequisites

  • Required permissions: Google Workspace administrator access or Google Cloud Console access

  • Google account requirements: Google Workspace account with domain admin permissions

  • Supported platforms: Android devices

  • Time estimate: 20-30 minutes

  • Additional requirements: Ability to verify domain ownership, active internet connection

Before You Start

Self Managed setup provides advanced Android Enterprise configuration through your own Google Workspace domain. This method gives you complete control over Google Cloud project settings, service accounts, and OAuth configuration.

This connection method requires manual configuration of Google Cloud Console, including project creation, service account setup, API enablement, and OAuth consent screen configuration. You'll generate and manage your own authentication credentials.

Advanced users and large organizations typically choose Self Managed setup for enhanced security control and custom Google Workspace integration.

Step 1: Access Self-Managed Setup

  1. Navigate to Fleet > MDM Setup

  2. Click the Google tab

  3. Locate the Self-Managed section

  4. Click Connect

  5. Expected result: "Connect to Google (Self-Managed)" setup wizard opens

If you see "Connected" status: Your Self-Managed integration is already active. Connection management options are available through the three-dot menu.

Step 2: Create a Google Project

  1. Click Go to Google Admin Console or visit https://console.cloud.google.com/

  2. Sign in with your Google Workspace admin credentials

  3. At the top-left, click Select a project, then choose New project

  4. Expected result: "New Project" dialog appears

Configure Project Details

  1. In Project name field, enter a descriptive name (e.g., "Trio")

  2. Optional: Edit Project ID if needed (cannot be changed later)

  3. Select an appropriate Location (No organization or choose your organization)

  4. Click Create

  5. Expected result: Project created, and you're redirected to the project dashboard

Troubleshooting this step:

  • Issue: Cannot access Google Cloud Console → Solution: Verify Google Workspace admin permissions

  • Issue: Project creation fails → Solution: Check organization policies or quotas

Verify Project Creation

  1. Click Select project in the notification bar to open your new project

  2. Note your project name and ID for later steps

  3. Click Next in the Trio setup wizard

  4. Expected result: Step 1 shows a green checkmark, Step 2 becomes active

Step 3: Create a Service Account

  1. From the sidebar, go to IAM & Admin > Service Accounts

  2. Click Create Service Account

  3. Expected result: Service account creation form appears

Configure Service Account

  1. Fill in the account name and description, then click Create and Continue

  2. In Step 2: Grant access, choose the role Owner

  3. Optional: In Step 3, add additional users who can manage this service account

  4. Skip Step 3 and click Done

  5. Expected result: Service account created and listed

Generate Service Account Key

  1. Select your created service account. Go to the Keys tab

  2. Click Add Key > Create New Key

  3. Choose JSON key type and click Create

  4. Expected result: JSON file automatically downloads. Save it securely

Common mistake: Losing the JSON file → Prevention: Download immediately and store in secure location

Verify Service Account Creation

  1. Return to Trio setup wizard

  2. Click Next

  3. Expected result: Step 2 shows green checkmark, Step 3 becomes active

Step 4: Set Up OAuth Consent

  1. From the sidebar, go to API & Services, and select OAuth consent screen. Select Clients, then click Get Started

  2. Expected result: OAuth consent screen configuration appears

Configure Application Information

  1. In Project Configuration, provide app information and a support email

  2. Expected result: Basic app information configured

Set Audience Type

  1. In the next step, select the audience (Internal / External)

  2. Expected result: Audience configured based on organization type

Note: Internal option only available for Google Workspace organizations. Personal Google accounts must use External.

Complete Contact Information

  1. Enter the required contact information and then finish by agreeing to the Google terms checkbox. Then click Create

  2. Expected result: OAuth consent screen configured

Create OAuth Client

  1. From the OAuth Overview, select Create OAuth client

  2. Expected result: OAuth client creation form appears

Configure OAuth Client

  1. Choose Web Application as the application type

  2. Expected result: Web application configuration options appear

Add Authorized Redirect URI

  1. Under Authorized redirect URIs, add: https://business.trio.so/console/oauth_callback

  2. Expected result: Redirect URI added to authorized list

Generate OAuth Credentials

  1. Click Create, then Download JSON and save it with your service account key

  2. Expected result: OAuth Client JSON file downloads

Verify OAuth Setup

  1. Return to Trio setup wizard

  2. Click Next

  3. Expected result: Step 3 shows green checkmark, Step 4 becomes active

Step 5: Enable Required APIs

  1. Click on the Audience. Click Publish app and confirm

  2. Expected result: App publishing confirmation dialog appears

Enable Android Management API

  1. Search for Android Management API, click it, and then click Enable

  2. Expected result: Android Management API enabled for your project

Enable Google Play EMM API

  1. Repeat the process for Google Play EMM API and enable it as well

  2. Expected result: Google Play EMM API enabled for your project

Important: Both Android Management API and Google Play EMM API are required for full Android Enterprise functionality.

erify APIs Enabled

  1. Return to Trio setup wizard

  2. Click Next

  3. Expected result: Step 4 shows green checkmark, Step 5 becomes active

Step 6: Upload and Connect

  1. Upload OAuth Client JSON: Drag your OAuth Client JSON file to the first upload area or click to upload

  2. Upload Service Account JSON: Drag your Service Account JSON file to the second upload area or click to upload

  3. Expected result: Both files show as uploaded with file names

Troubleshooting this step:

  • Issue: File upload fails → Solution: Verify JSON file format and size, try different browser

  • Issue: Wrong file type error → Solution: Ensure you're uploading the correct JSON files from Google Cloud Console

Complete Connection

  1. Click Connect to Google

  2. Expected result: Connection process initiates

Verify Successful Connection

  1. Expected result: "Success" notification appears: "You can now start enrolling Android devices"

  2. Expected result: Self Managed section shows Connected status with green indicator

  3. Review connection details:

    • Domain Name

    • Admin Email

    • Last Synced

    • Connection Expires

Next Steps

Immediate actions:

  • Begin enrolling Android devices through available enrollment methods

  • Configure device policies based on your organization's Google Workspace settings

Related configurations:

  • Set up AutoPilots for automated device management based on Google organizational units

  • Create security and configuration policies aligned with Google Workspace policies

  • Configure user directory synchronization with Google Workspace

Advanced Options

Domain Synchronization: User and device policies sync automatically based on your Google Workspace configurations

Google Workspace Integration: Leverages existing organizational structure and user management from Google Workspace Admin Console

Enhanced Security: Full control over authentication credentials and Google Cloud project settings

Troubleshooting

Service Account Creation Fails:

  • Symptoms: Cannot create service account or insufficient permissions error

  • Cause: Inadequate Google Cloud Console permissions

  • Solution: Verify Google Workspace admin access and project owner permissions

OAuth Client Setup Issues:

  • Symptoms: Cannot configure OAuth consent screen or create OAuth client

  • Cause: Missing project configuration or API access

  • Solution: Ensure project is properly selected and OAuth consent screen is fully configured

API Enablement Problems:

  • Symptoms: Cannot find or enable Android Management API or Google Play EMM API

  • Cause: API access restrictions or billing requirements

  • Solution: Verify project billing setup and API library access permissions

File Upload Errors:

  • Symptoms: JSON files fail to upload or show an invalid format error

  • Cause: Incorrect file format or corrupted download

  • Solution: Re-download JSON files from Google Cloud Console, verify file integrity, and try a a different browser

Related Articles
Google Cloud Console Setup for Trio Panel Integration
Connect Google MDM Using Trio Managed Setup
Cloud Directory Configuration: Google Workspace
Did this answer your question?