For reference, see these Google articles:

Setting up Android for Work in Okta

A wizard guides you through setting up Android for Work in Okta. There are different setup flows depending on whether or not your enterprise already has a G-Suite app instance:

Enterprises with a G Suite app instance – If you have configured a G Suite app instance for your Okta admin dashboard and have already provisioned Google accounts to your end users, the setup wizard creates a a Google Accounts enterprise.

Enterprises without a G Suite app instance – If you have not configured a G Suite app instance for your Okta admin dashboard, the setup wizard automatically creates a Managed Google Play Account enterprise and links it to Okta. Okta uses this account to manage your Google Play Store accounts for you.

  1. In Okta, go to Devices > Mobile Policies.

  2. Click Android for Work Setup on the upper right of the Mobile Policies page.


  3. When the wizard launches, perform one of the following procedures as appropriate for your use case.
  4. If your enterprise does not have a G Suite app instance:

    Before you begin – If you have not done so already, create a dedicated Gmail account for administering the managed Google Play Accounts enterprise that the setup wizard will create in the following steps. Do not use any other Gmail account that may have already been set up for your enterprise.

    If your enterprise has a G Suite app instance:

  5. Enable Android for Work as an Allowed Device in a mobile policy:


  6. At a minimum, deploy the following types of apps to your users:
    • Browser (such as Chrome)
    • PDF reader (such as Adobe Acrobat Reader)
    • Image viewer (such as Google Photos)
    • Music player (such as Google Play Music)

  7. Generating a Google Token

    Before You Begin

    If you are setting up Android for Work with Okta, you only need to generate a Google token if your enterprise has G Suite app instance.

    If you are not a G Suite customer:

    Sign up for Android for Work with Google by going to https://www.google.com/a/signup/u/0/?enterprise_product=ANDROID_WORK

    If you are G Suite customer:

    1. Go to your G Suite Admin console (http://admin.google.com)

    2. In the right pane under Common tasks​, click Get more apps and services​:


    3. Under Android for Work, click Add It Now.

      Note: If Android for Work has already been added, it will not show up here. You can proceed to generate a token, as described below:


    1. Go to your G Suite Admin console (http://admin.google.com).
    2. Click Security:


    3. Click Show more.
    4. Click Manage EMM provider for Android.


    5. Click GENERATE TOKEN.


    6. Make a copy of your generated token to enter in Okta when enabling AfW (see above).
    7. When you navigate back to Security > Android for Work settings after generating a token, the option GENERATE TOKEN is replaced with information about your AfW settings:.