Search
Clear search
Close search
Google apps
Main menu

Zero-touch enrollment for IT admins

What is zero-touch enrollment?

Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the device owner provisioning method and downloads the correct device policy controller app, which then completes setup of the managed device.

Android zero-touch enrollment offers a seamless deployment method for corporate-owned Android devices making large scale roll-outs fast, easy and secure for organizations, IT and employees. Zero-touch makes it simple to configure devices online and have them shipped with enforced management so employees can open the box and get started.

Prerequisites

To use zero-touch enrollment, you’ll need the following:

  • A compatible device running Android Oreo (8.0) or Pixel phone with Android Nougat (7.0), purchased from a reseller partner

  • An enterprise mobility management (EMM) provider supporting device owner mode

Which Android devices are supported?

Zero-touch enrollment can be used with the following devices: 

  • Pixel by Google

  • Huawei Mate 10

  • Sony Xperia XZ1 and XZ1 Compact

Which resellers offer this?

Zero-touch enrollment is supported on compatible devices purchased from the following resellers:

  • USA and Canada: Verizon, AT&T, T-Mobile, Sprint

  • Europe: EE/BT, Deutsche Telekom

  • Asia-Pacific: Softbank, Telstra


Which EMMs support zero-touch enrollment?

Most EMM providers (for Android) support zero-touch enrollment. A list of compatible EMMs can be found in the Android site's Partners page.

What if I want to purchase zero-touch devices? 

Contact a reseller from the list above. Devices eligible for zero-touch enrollment need to be purchased directly from an enterprise reseller or Google partner and not through a consumer store. Want to be connected to an authorized reseller? Please contact our sales team.

How to use zero-touch enrollment

You manage zero-touch enrollment for your organization from an online portal in your web browser. We call this the zero-touch enrollment portal, or often just portal when describing zero-touch enrollment. Use this document, and your EMM’s documentation, to help you complete the following steps: 

  1. Purchase your devices from a reseller who sets up a zero-touch enrollment account for your organization.

  2. Create a configuration in the portal that consists of your EMM choice and mobile policies.

  3. Set the default configuration or manually apply your configuration to a range of devices.

 

You can also use the portal to:

  • Activate and deactivate the resellers from whom your organization purchases devices.

  • Control access to the portal for users in your organization.

Get started

Start by purchasing zero-touch enrollment devices. Your reseller sets up your zero-touch enrollment account when your organization first purchases devices registered for zero-touch enrollment.

You'll need a Google Account, associated with your corporate email, to use the portal. See Associate a Google Account below. Don't use your personal Gmail account with the portal.

Associate a Google Account

If you don't have a Google Account associated with your corporate email, follow the steps below: 

  1. Go to Create your Google Account.

  2. Enter your name.

  3. Set Your email address to your corporate email. Don't click I would like a new Gmail address.

  4. Complete the remaining account information.

  5. Click Next step.

  6. Follow the on-screen instructions to finish creating your account. 

See the Google Account help center to help you and learn more about your new account.

Zero-touch enrollment portal

Open the portal. Sign in using the Google Account created earlier.

Navigation panel item

What you can do with this

Configurations

You can create, edit and delete EMM configurations here. You can also set a default configuration for any devices added to zero-touch enrollment going forward. See Configurations

Devices

You can browse or search for devices and then apply your configurations to them. You can also unregister devices from zero-touch enrollment here. See Devices

Manage People

If you’re an account owner, you can add, edit, or delete users to manage portal access for your organization.

Resellers

You can add additional resellers here if you need to share your account with multiple resellers.

For instructions for device users on how to use zero-touch enrollment, see the instructions for users.

Configurations

You set provisioning options for your devices using a configuration. Each configuration combines the following:

  • The EMM device policy controller (DPC) you want to install on the devices.

  • EMM policies you want to enforce on the devices.

  • Metadata that's displayed on the device to help your users during setup

Your organization can add more configurations as you need them. However, zero-touch enrollment helps you most when you set a default configuration that's applied to any new devices your organization purchases.

Add a configuration

Before you add a configuration, check that you have access to your EMM console. You’ll need to copy and paste your mobile policy data from your EMM console to the portal. To add a configuration for your organization's devices, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Click Add Add in the Configurations table. 

Use the notes below to help you complete the new configuration panel.

Name

Give your configuration a name that describes its purpose. Choose a short, descriptive name that's easy to find in a menu. For example, Sales team or Temporary employees.

EMM DPC

Select your EMM's DPC app. If you don't see your EMM's DPC listed, contact your EMM provider to confirm that they support zero-touch enrollment.

DPC extras

Set your organization's EMM policy data that's passed to the DPC. Copy the JSON-formatted text from your EMM console.

Company Name

Set this to the name of your organization. Zero-touch enrollment shows this company name to your device users during device provisioning. Shorter names that are easily recognized by your organization's employees work best. You can use uppercase or lowercase letters (without accents) and spaces.

Contact E-mail

Set this to an email address your device users can contact to get help. This is typically your internal support email address, for example,  it-support@xyzcorp.com. Zero-touch enrollment shows this email address to device users before device provisioning. Because device users can see the email address but can't click it to send a message, choose a short email address which users can type on another device.

Contact Phone

Set this to a telephone number your device users can call, using another device, to get help. This is typically the phone number of your IT support team. Zero-touch enrollment shows this number to your device users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that your users will recognize.

Custom Message

Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. Zero-touch enrollment shows this message before the device is provisioned.

Now that you've created a configuration, we recommend you set a default configuration.

Assign a default configuration

Choose a default configuration that zero-touch enrollment applies to any new devices your organization purchases in the future. Follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Select the configuration you want applied to new devices in the Default Configuration panel.

  4. Click Apply.

Devices

Use the portal to apply configurations to devices or unregister devices from zero-touch enrollment. After you apply a configuration to a device, the device automatically provisions itself on first boot, or next factory reset.

Apply a configuration to a single device

You can apply a configuration one device at a time by selecting devices in the portal. Follow the steps below: 

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to apply the configuration to—using its IMEI or serial number.

  4. Set Configuration to the configuration you want to apply or select No config to temporarily remove the device from zero-touch enrollment.

Apply a configuration to many devices

You apply a configuration to devices by uploading a CSV file. A CSV text file represents a data table, and each line represents a row in that table. Commas separate the values in that row.

Each row in your CSV file lists the fields that include:

  • The ID of the configuration you want to apply.

  • A hardware identifier of the device you want to apply the configuration to.

Prepare a CSV file containing your device and configuration information. You can download a sample file (by following steps 1 – 4 below) to help you get started. Alternatively, if you want to start with a blank file, learn about the fields needed by reading Device configuration CSV file format.

The largest CSV file you can upload to the portal is 50 MB. If you have more than 50 MB of data, consider splitting the file into smaller files. When you've prepared your CSV file, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Click More More in the Devices table header.

  4. Click Upload batch config updates.

  5. Select your CSV file from the file picker.

  6. Click Upload.

After the file uploads, the portal processes the data rows. When processing finishes, the portal shows a notification with a link to an upload status page. You also receive an email summarizing the processing of your CSV data. Click the See details button in the email to open a status page. The status page lists each device that wasn't assigned a configuration with a reason for the error. 

If you close your browser window after the CSV file uploads, the portal continues to process your data. To know when the portal finishes processing your data, check your email inbox for the status email. When you receive the processing summary email, check for any errors.

Device configuration CSV file format

To apply a configuration to devices, you upload a CSV file. The snippet below shows the CSV field format with example values:

modemtype,modemid,manufacturer,profiletype,profileid IMEI,123456789012347,Google,ZERO_TOUCH,9876543210

The following table shows the field values you use in your CSV file:

Field

Example

Description

modemtype

IMEI

Always set this value to IMEI using uppercase characters.

modemid

123456789012347

Set this value to the device’s IMEI number This field is used to match a device.

manufacturer

Google

Set this value to the device manufacturer’s name. You need to make sure this is one of the names listed in Manufacturer names. This field is used to match a device.

profiletype

ZERO_TOUCH

Always set this value to ZERO_TOUCH using uppercase characters.

profileid

54321

Set this value to the numeric ID of the configuration you want to apply to the device. To see the ID for a configuration, check that the table's ID column in the Configurations page. Set this value to 0 (zero) to remove the device from zero-touch enrollment.

Unregister a device

You can unregister devices from zero-touch enrollment. You might need to unregister a device when you transfer ownership. You can unregister one device at a time by selecting devices in the portal. 

After you unregister a device, you need to contact your reseller if you want to register the device into zero-touch enrollment again. Consider removing the configuration, if you want to temporarily exclude a device from zero-touch enrollment.
To unregister a device, follow the steps below:
  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to unregister in the Devices table.

  4. Click Unregister in the device row.

  5. Click Confirm in the confirmation panel.

Troubleshooting

The device doesn’t provision itself out of the box

First, check that the device is registered for zero-touch enrollment using the portal. Find the device using the hardware identifier, such as the IMEI number. If you don’t find the device, contact the device reseller and ask them to register the device. 

Next, confirm that you applied a configuration to the device. Find the device using the portal, and check that the Configuration column of the table isn’t listed as No config. Devices without a configuration aren’t provisioned through zero-touch enrollment and boot unmanaged.

If you make either of the changes above, you’ll need to factory reset the device so that zero-touch enrollment provisions it.

The device shouldn’t be included in zero-touch enrollment

When your device is registered for zero-touch enrollment, it starts up and shows the Your device at work panel explaining the device is managed. Even after a factory reset.

First, confirm that the device isn’t registered with your organization for zero-touch enrollment. Find the device in the portal using a hardware identifier, such as the IMEI number. If you find the device, click Unregister.

Next, contact the organization that’s attempting to enroll the device. Start by following the steps below:

  1. Factory reset the device.

  2. Click the link to contact your device’s provider in the Your device at work screen.

  3. Make a note of the telephone number, email address, and the identifiers in Device information.

Ask the organization to unregister the device from zero-touch enrollment. Include the identifiers you noted previously. You might want to include a link to this page.

Was this article helpful?
How can we improve it?