VMware Workspace ONE Community
TomRuediger
Contributor

Using Managed Play Accounts after environment configured for G Suite Android Enterprise

Our environment has been configured for use with Android Enterprise on our top-level OG with G Suite integration for user accounts instead of Managed Play Accounts. This is so when the users log into their Google Account during enrolment, it utilises our third-party SSO provider (ADFS) we've got configured with G Suite so that it utilises the users' AD credentials, but also so we can utilise some G Suite connected services (such as Cloud Print, Hangouts Chat, etc.). This configuration works well if the user has an AD account.

However, we've had a new requirement come across the board to set up a suite of devices for us to give to customers which will not have AD accounts created, as they are to be enrolled as service accounts. With our current configuration with G Suite, we've got the issue that you now can't enrol the devices unless the user has a valid AD account, and our security team is not keen on us generating hundreds of AD accounts that aren't actually for a person.

Our thought was to configure one of our sub OGs to use Managed Play Accounts for Android Enterprise (as these devices don't need G Suite Connected Services), but it seems that since Android Enterprise was configured at the top-level OG for G Suite, we can't override the configuration for any sub OGs that inherit from it.

Does anyone know if this is possible without deleting our current Android Enterprise configuration and reconfiguring it? I don't really want to do this as we have about 1000 Android Enterprise enrolled devices and we are concerned this will need all these devices to be re-enrolled (they are in Work Managed Device mode, so would require factory resetting).

Any ideas?