Deploy devices with zero-touch enrollment

Supported editions for this feature: Enterprise; Education Standard and Plus; Cloud Identity Premium. Compare your edition

As an administrator, you can configure company-owned Android devices online and deploy them with your organization’s policies already enforced. When a user turns on their device, the device checks for an enterprise configuration. If an enterprise configuration is assigned to it, the device downloads the Android Device Policy app and completes the setup of the device.

Device requirements

  • You need to purchase zero-touch devices directly from an enterprise reseller or Google partner (not through a consumer store). The reseller sets up your zero-touch enrollment account when your organization first purchases devices. To find a reseller, see Zero-touch resellers.
  • Devices must have Android 8.0 Oreo or later, or Pixel phone with Android 7.0 Nougat or later.
  • Device must support work profiles.
  • You can find a list of compatible devices at Android Enterprise.

Set up zero-touch enrollment

Open all   |   Close all

Step 1: Sign in to the zero-touch enrollment portal

Manage zero-touch enrollment for your organization from the zero-touch enrollment portal in your web browser.

  1. Open the portal.
  2. Sign in using your administrator account (does not end in
Step 2: Add a device configuration

You set provisioning options for your devices using a configuration. You can create, edit, and delete configurations in the portal. We recommend that you set a default configuration that’s applied to new zero-touch devices.

Each configuration combines:

  • The device policy controller (DPC) you want to install on the devices
  • Enrollment options you want to apply to the devices
  • Information that's displayed on the device to help your users during setup

Add a new configuration

  1. Open the portal. You might need to sign in.
  2. At the left, click Configurations.
  3. In the Configurations section, click Add "".
  4. Enter the details for your configuration. For details, see the following table.
  5. Click Add.
  6. (Optional) In the Default configuration section, select the configuration you addedand thenApply.

Configuration details

Field Description
Configuration name Give your configuration a name that describes its purpose. Choose a short, descriptive name that's easy to find in a menu. For example, Sales team or Temporary employees.
EMM DPC Select Android Device Policy.
DPC extras (optional)

To force devices to enroll only with user accounts in your organization, enter the following configuration. Replace domain-name with your organization’s domain name.

{"": {"": "[\"domain-name\"]"}}

Company name (optional) Enter the name of your organization. This company name is shown to users during device provisioning.
Support email address (optional) Add an email address users can contact to get help. Typically, this is your internal support email address, for example, This email address is shown to users before device provisioning. Users can see the email address but can't click it to send a message. Choose a short email address that they can easily enter on another device.
Support phone number (optional) Add a phone number that device users can call (using another device) to get help. Typically, this is the phone number of your IT support team. This number is shown to users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that users recognize.
Custom message (optional) Add one or 2 sentences to help your users contact you or give them more details about what’s happening to their device. This message is shown before the device is provisioned.
Step 3: Apply a configuration to devices
When you apply a configuration to a device, the device automatically provisions itself on first boot or next factory reset.

Apply a configuration to a single device

You can apply a configuration one device at a time by selecting devices in the portal. Follow these steps:
  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. Find the device you want to apply the configuration to (using its IMEI or serial number).
  4. Choose an option:
    • Set Configuration to the configuration you want to apply.
    • Select No config to temporarily remove the device from zero-touch enrollment.

Apply a configuration to many devices

You apply a configuration to devices by uploading a CSV file. A CSV text file represents a data table, and each line represents a row in that table. Commas separate the values in that row. You can download a template CSV file to help you get started. Or, you can start with a blank file. For details, see Device configuration CSV file format.

Each row in your CSV file lists the fields that include:

  • The ID of the configuration you want to apply
  • A hardware identifier of the device you want to apply the configuration to

The largest CSV file you can upload to the portal is 50 MB. If the file is more than 50 MB, consider splitting the file. When your CSV file is ready, follow these steps:

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. Next to Devices, click More "".
  4. (Optional) To download a template CSV file, click Download example CSV.
  5. Click Upload batch configurations.
  6. Select your CSV file from the file picker.
  7. Click Upload.

After processing, the portal shows a notification with a link to an upload status page. You also receive an email summary. In the email, click See details to open a status page. Any device not assigned a configuration appears, with a reason for the error.

Dual-SIM devices

A dual-SIM device includes 2 modems and has 2 IMEI or MEID numbers. Use the first hardware ID because zero-touch enrollment identifies devices by modem 1. If you mistakenly claim a device using another IMEI or MEID number, the portal shows a new, separate device that zero-touch enrollment doesn't recognize or provision.

Step 4: (Optional) Deregister a device

You might need to deregister a device if you transfer its ownership. You can do one at a time by selecting devices in the portal.

After you deregister a device, if you want to register it into zero-touch enrollment again, contact your reseller. To temporarily exclude a device from zero-touch enrollment, consider removing the configuration instead.

Deregister a device

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. In the Devices section, find the device you want to deregister.
  4. Click Deregisterand thenDeregister.

Portal languages

You can use the portal in one of the following languages:

American English, British English, Danish, Dutch, French, German, Italian, Japanese, Norwegian, Polish, Portuguese, Spanish, or Swedish.

To change to another language, update the preferred language in your Google Account. For more help, follow the instructions in Change language.


The device doesn’t provision itself out of the box

  1. Check that the device is registered for zero-touch enrollment using the portal.
    • Find the device using the hardware identifier, such as the IMEI number.
    • If you don’t find the device, factory reset it and contact the device reseller to ask them to register the device.
  2. Confirm that you applied a configuration to the device.
    1. Find the device using the portal, and check that the Configuration isn’t listed as “No config.” (Devices without a configuration aren’t provisioned through zero-touch enrollment and boot unmanaged.)
    2. Factory reset the device so that zero-touch enrollment provisions it.
  3. Check that the device has a working data connection during setup.

    Zero-touch enrollment needs an Ethernet, Wi-Fi, or mobile data connection to Google servers. The Setup Wizard blocks the use of roaming data by default.

If there's no data connection, or if the connection blocks traffic to Google servers, then the device skips zero-touch enrollment. If this happens even though the device has a configuration, then the device resets itself after the first connection to Google servers. The system warns the user 1 hour before the reset

The device doesn't belong in zero-touch enrollment

When your device is registered for zero-touch enrollment, it starts up and shows “Your device at work”, explaining the device is managed. This is the case even after a factory reset.
  1. Confirm that the device isn’t registered with your organization for zero-touch enrollment.
    1. Find the device in the portal using a hardware identifier, such as the IMEI number.
    2. If you find the device, click Deregister.
  2. Contact the organization that’s attempting to enroll the device.
    1. Factory reset the device.
    2. In the Your device at work screen, click the link to contact your device’s provider.
    3. In Device information, find and record the telephone number, email address, and identifiers.
    4. Ask the organization to deregister the device from zero-touch enrollment.

      Include the identifiers you noted and a link to this page.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue