Create custom zero-touch configurations for Android devices

This feature is available with Cloud Identity Premium edition. Compare editions

As an administrator, you can deploy Android devices with your organization’s policies already enforced. When a user turns on their device, the device checks for an enterprise device configuration. If a device configuration is assigned to it, the device downloads the Android Device Policy app and completes the setup of the device.

Zero-touch enrollment is supported by many Android EMMs. This page focuses on managing devices in your Google Admin console with Google endpoint management. For more information about zero-touch enrollment in general, see Zero-touch enrollment for IT admins.

Device requirements

Purchase zero-touch devices directly from an approved zero-touch reseller. The reseller sets up your zero-touch enrollment account when your organization first purchases devices. To find a reseller, see Zero-touch resellers. If your preferred reseller isn’t in the list, you can suggest they join the Android Enterprise Partners Program.
Devices must have Android 9.0 Pie or later, or Pixel phone with Android 7.0 Nougat or later.
Devices must support work profiles.
You can find a list of compatible devices at Android Enterprise.

Step 1: Set up Google endpoint management

Set up advanced mobile management for Android devices.
Apply settings for Android mobile devices.
(Optional, recommended for more management features) If your edition supports it, add devices to the company-owned inventory. If you don’t add devices to the company-owned inventory, Google endpoint management and Context-Aware Access classify them as user owned.

Step 2: Set up a device configuration

The device configuration sets how a zero-touch enrollment device provisions itself. You set up and manage device configurations in the zero-touch enrollment portal in your browser.

We recommend that you set a default configuration that’s applied to new zero-touch devices.

The device configuration specifies:

The device policy controller (DPC) to install
Enrollment options to apply
Support information to help your users during setup

Create a configuration

Open the portal.
Sign in using your administrator account (does not end in @gmail.com).
At the left, click Configurations.
In the Configurations section, click Add .
Enter the details for your configuration:
1. Configuration name–Enter a short, descriptive name that describes the configuration's purpose and is easy to find in a menu, for example, Sales team or Temporary employees.
2. EMM DPC–Select Android Device Policy.
3. DPC extras (optional)–To force devices to enroll only with user accounts in your organization, enter the following configuration:
  {"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"your-company.com\",\"other-company.com\"]"}}
4. Company name (optional)–Enter the name of your organization. This company name is shown to users during device provisioning.
5. Support email address (optional)–Enter an email address users can contact to get help, such as your internal support email address. This email address is shown to users before device provisioning. Users can't click the email address to send a message, so choose a short email address they can easily enter on another device.
6. Support phone number (optional)–Enter a phone number users can call from another device to get help, such as the phone number of your IT support team. This number is shown to users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that users recognize.
7. Custom message (optional)–Enter 1–2 sentences to help users contact support or give them more details about what’s happening to their device. This message is shown before the device is set up.
Click Add.
(Optional) In the Default configuration section, select the configuration you addedApply.

Step 3: Apply the configuration to devices

When you apply a configuration to a device, the device automatically configures itself on first boot or next factory reset. You can apply configurations manually or in bulk.

Apply a configuration to a single device

Open the portal. You might need to sign in.
At the left, click Devices.
Find the device you want to apply the configuration to using its IMEI or serial number.
Choose an option:
- Set Configuration to the configuration you want to apply.
- Select No config to temporarily remove the device from zero-touch enrollment.

Apply a configuration to many devices

To apply a configuration to many devices at once, upload a CSV file that lists the configuration ID and hardware identifiers for each device. You can download a CSV template from the portal to get started. For details, see Device configuration CSV file format.

Important:

The CSV file can't be more than 50 MB. If it's larger, you can split the file into multiple uploads.
To set up a dual-SIM device, use the first hardware ID because zero-touch enrollment identifies devices by modem 1. A dual-SIM device includes 2 modems and has 2 IMEI or MEID numbers. If you set up a dual-SIM device using another IMEI or MEID number, the portal shows a new, separate device that zero-touch enrollment doesn't recognize or set up.

To download a template and upload a completed CSV file:

Open the portal. You might need to sign in.
At the left, click Devices.
Next to Devices, click More .
(Optional) To download a template CSV file, click Download example CSV.
Click Upload batch configurations.
Select your CSV file.
Click Upload.

After processing, the portal shows a notification with a link to an upload status page. You also receive an email summary. In the email, click See details to open a status page. Any device not assigned a configuration is listed with a reason for the error.