Zero-touch enrollment for IT admins

 

What is zero-touch enrollment?

Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the correct device policy controller app, which then completes setup of the managed device.

Android zero-touch enrollment offers a seamless deployment method for corporate-owned Android devices making large scale roll-outs fast, easy and secure for organizations, IT and employees. Zero-touch makes it simple to configure devices online and have them shipped with enforced management so employees can open the box and get started.

Prerequisites

To use zero-touch enrollment, you’ll need the following:

  • A device running Android Pie (9.0) or later*, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner

  • An enterprise mobility management (EMM) provider supporting fully managed devices

  • A zero-touch account created by an authorized zero-touch reseller partner

*Initially via selected reseller only.

Where can I purchase zero-touch devices? 

Devices eligible for zero-touch enrollment need to be purchased directly from an enterprise reseller or Google partner and not through a consumer store. Reseller partners are listed in Android's Enterprise Solutions Directory.

Which Android devices are supported?

Supported devices vary by reseller. From September 2020, selected resellers can offer any Android device with zero touch, with other resellers continuing to offer zero-touch on a selected number of devices. The ability to assign any device running Android Pie (9.0) or later for zero-touch enrollment will expand to all resellers by the end of 2020.

Which EMMs support zero-touch enrollment?

Most EMM providers (for Android) support zero-touch enrollment. A list of compatible EMMs can be found in the Android site's Partners list.

Many EMMs also implement the zero-touch iframe to simplify the process of setting up zero-touch devices after you purchase them from a reseller. To see if this feature is available, contact your EMM provider.

What if my device reseller is not an authorized zero-touch reseller?

You can request your device reseller to register for the Android Enterprise Partner Program where they can then apply to become a zero-touch reseller.

Devices with zero-touch and Samsung Knox Mobile Enrollment

If a device is registered and configured in both Knox Mobile Enrollment and zero-touch, the device will enroll using Knox Mobile Enrollment and apply the configuration defined in that service. To ensure that a Samsung device enrolls using zero-touch, remove any configuration assigned to the device in the Knox Mobile Enrollment portal.

How to use zero-touch enrollment

You manage zero-touch enrollment for your organization from an online portal in your web browser. We call this the zero-touch enrollment portal, or often just the "portal" when describing zero-touch enrollment. Use this document, and your EMM’s documentation, to help you complete the following steps: 

  1. Purchase your devices from a reseller who sets up a zero-touch enrollment account for your organization.

  2. Create a configuration in the portal that consists of your EMM choice and mobile policies.

  3.  Link your enterprise to your zero-touch account using the zero-touch iframe, or, use the zero-touch console to either set a default configuration or manually apply your configuration to a range of devices .

You can also use the portal to:

  • Activate and deactivate the resellers from whom your organization purchases devices.

  • Control access to the portal for users in your organization.

Get started

Start by purchasing zero-touch enrollment devices. Your reseller sets up your zero-touch enrollment account when your organization first purchases devices registered for zero-touch enrollment.

You'll need to provide your reseller with a Google Account, associated with your corporate email, to enable them to create your zero-touch enrollment account. See Associate a Google Account below. Don't use your personal Gmail account with the portal.

Associate a Google Account

If you don't have a Google Account associated with your corporate email, follow the steps below: 

  1. Go to Create your Google Account.

  2. Enter your name.

  3. Set Your email address to your corporate email. Don't click Create a new Gmail address instead.

  4. Complete the remaining account information.

  5. Click Next.

  6. Follow the on-screen instructions to finish creating your account. 

When you sign in to the zero-touch enrollment portal, it's best to enable 2-Step Verification on an account like this that's used for administrative purposes. 2-step verification adds an extra layer of security to your account. 

See the Google Account help center to help you and learn more about your new account.

Zero-touch iframe

Open the zero-touch iframe in your EMM console. For details on where to find the iframe, contact your EMM provider.

 
  1. On the landing page of the iframe, click Next.
  2. Log in with the Google account you provided to your reseller.
  3. Select the zero-touch account you wish to link to your enterprise and click Link.
  4. You will see a screen with basic information about the zero-touch configuration that your zero-touch enabled devices will use. Click Next after reviewing this information.
  5. Enter the support information that will be displayed to users during their device setup if they need assistance.
  6. Click Save.
 

Your zero-touch devices will be set to use the configuration supplied by your EMM. You can still change this configuration by going to the zero-touch portal.

Zero-touch enrollment portal

Open the portal. Sign in using the Google Account created earlier.

Navigation panel item

What you can do with this

Configurations

You can create, edit and delete EMM configurations here. You can also set a default configuration for any devices added to zero-touch enrollment going forward. See Configurations

Devices

You can browse or search for devices and then apply your configurations to them. You can also deregister devices from zero-touch enrollment here. See Devices

Users

If you’re an account owner, you can add, edit, or delete users to manage portal access for your organization.

Resellers

You can add additional resellers here if you need to share your account with multiple resellers.

For instructions for device users on how to use zero-touch enrollment, see the instructions for users.

Configurations

You set provisioning options for your devices using a configuration. Each configuration combines the following:

  • The EMM device policy controller (DPC) you want to install on the devices.

  • EMM policies you want to enforce on the devices.

  • Metadata that's displayed on the device to help your users during setup

Your organization can add more configurations as you need them. However, zero-touch enrollment helps you most when you set a default configuration that's applied to any new devices your organization purchases.

Add a configuration

Before you add a configuration, check that you have access to your EMM console. You’ll need to copy and paste your mobile policy data from your EMM console to the portal. To add a configuration for your organization's devices, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Click Add Plus in the Configurations table. 

Use the notes below to help you complete the new configuration panel.

Configuration name

Give your configuration a name that describes its purpose. Choose a short, descriptive name that's easy to find in a menu. For example, Sales team or Temporary employees.

EMM DPC

Select your EMM's DPC app. If you don't see your EMM's DPC listed, contact your EMM provider to confirm that they support zero-touch enrollment.

DPC extras

Set your organization's EMM policy data that's passed to the DPC. Copy the JSON-formatted text from your EMM console.

Company name

Set this to the name of your organization. Zero-touch enrollment shows this company name to your device users during device provisioning. Shorter names that are easily recognized by your organization's employees work best. 

Support email address

Set this to an email address your device users can contact to get help. This is typically your internal support email address, for example,  it-support@xyzcorp.com. Zero-touch enrollment shows this email address to device users before device provisioning. Because device users can see the email address but can't click it to send a message, choose a short email address which users can type on another device.

Support phone number

Set this to a telephone number your device users can call, using another device, to get help. This is typically the phone number of your IT support team. Zero-touch enrollment shows this number to your device users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that your users will recognize.

Custom Message

Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. Zero-touch enrollment shows this message before the device is provisioned.

Now that you've created a configuration, we recommend you set a default configuration.

Assign a default configuration

Choose a default configuration that zero-touch enrollment applies to any new devices your organization purchases in the future. Follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Select the configuration you want applied to new devices in the Default configuration panel.

  4. Click Apply.

Devices

Use the portal to apply configurations to devices or deregister devices from zero-touch enrollment. After you apply a configuration to a device, the device automatically provisions itself on first boot, or next factory reset.

Apply a configuration to a single device

You can apply a configuration one device at a time by selecting devices in the portal. Follow the steps below: 

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to apply the configuration to—using its IMEI or serial number.

  4. Set Configuration to the configuration you want to apply or select No config to temporarily remove the device from zero-touch enrollment.

Apply a configuration to many devices

You apply a configuration to devices by uploading a CSV file. A CSV text file represents a data table, and each line represents a row in that table. Commas separate the values in that row.

Each row in your CSV file lists the fields that include:

  • The ID of the configuration you want to apply.

  • A hardware identifier of the device you want to apply the configuration to.

Prepare a CSV file containing your device and configuration information. You can download a sample file (by following steps 1 – 4 below) to help you get started. Alternatively, if you want to start with a blank file, learn about the fields needed by reading Device configuration CSV file format.

The largest CSV file you can upload to the portal is 50 MB. If you have more than 50 MB of data, consider splitting the file into smaller files. When you've prepared your CSV file, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Click More More in the Devices table header.

  4. Click Upload batch configurations.

  5. Select your CSV file from the file picker.

  6. Click Upload.

After the file uploads, the portal processes the data rows. When processing finishes, the portal shows a notification with a link to an upload status page. You also receive an email summarizing the processing of your CSV data. Click the See details button in the email to open a status page. The status page lists each device that wasn't assigned a configuration with a reason for the error. 

If you close your browser window after the CSV file uploads, the portal continues to process your data. To know when the portal finishes processing your data, check your email inbox for the status email. When you receive the processing summary email, check for any errors.

Device configuration CSV file format

To apply a configuration to devices, you upload a CSV file. The following snippet shows the CSV field format with example values to apply the configuration to a device identified by the IMEI number:

modemtype,modemid,manufacturer,profiletype,profileid IMEI,123456789012347,Google,ZERO_TOUCH,9876543210

To identify Wi-Fi-only devices, such as tablets, you can use the serial and model fields:

serial,model,manufacturer,profiletype,profileid ABcd1235678,VM1A,Honeywell,ZERO_TOUCH,9876543210

You can also register both types of devices from the same CSV file:

modemtype,modemid,serial,model,manufacturer,profiletype,profileid IMEI,123456789012347,,,Google,ZERO_TOUCH,9876543210
,,ABcd1235678,VM1A,Honeywell,ZERO_TOUCH,9876543210

The following table shows the field values you use in your CSV file:

Field

Example

Description

modemtype

IMEI

Set this value to IMEI using uppercase characters. Pair with modemid to match a cellular device.

modemid

123456789012347

Set this value to the device’s IMEI number. For dual-SIM devices, only use the first IMEI number. Pair with modemtype to match a cellular device.
serial ABcd1235678 Set this value to the device's case-sensitive serial number. Pair with model to match a Wi-Fi-only device.
model VM1A Set this value to the device model name. You need to make sure this is one of the names listed in Models. Pair with serial to match a Wi-Fi-only device.

manufacturer

Google

Always set this value to the device manufacturer’s name. You need to make sure this is one of the names listed in Manufacturers. This field is used to match a device.

profiletype

ZERO_TOUCH

Always set this value to ZERO_TOUCH using uppercase characters.

profileid

54321

Always set this value to the numeric ID of the configuration you want to apply to the device. To see the ID for a configuration, check that the table's ID column in the Configurations page.

Dual-SIM devices

A dual-SIM device includes two discrete modems and has two IMEI numbers. Use the first hardware ID because zero-touch enrollment identifies devices by modem 1. If you mistakenly claim a device using another IMEI or MEID number, the portal shows a new, separate device. However, zero-touch enrollment doesn't provision the new device.

For information on dual-sim issues and their resolutions regarding zero-touch devices, please read known issues.

Deregister a device

You can deregister devices from zero-touch enrollment. You might need to deregister a device when you transfer ownership. You can deregister one device at a time by selecting devices in the portal. 

After you deregister a device, you need to contact your reseller if you want to register the device into zero-touch enrollment again. Consider removing the configuration, if you want to temporarily exclude a device from zero-touch enrollment.
To deregister a device, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to deregister in the Devices table.

  4. Click Deregister in the device row.

  5. Click Deregister in the confirmation panel.

Bulk deregister devices

Deregistering multiple devices in bulk can be done using a device configuration CSV file. To do this: 

  1. Create a device configuration CSV file including every device you wish to deregister.
  2. replace the 'profileid' column in this CSV file with a column titled 'owner', and set the values in this column to 0
  3. Re-upload the CSV to your portal. 

Portal languages

You can use the portal in one of the following languages:

American English, British English, Danish, Dutch, French, German, Italian, Japanese, Norwegian, Polish, Portuguese, Spanish, or Swedish.

To change to another language, update the preferred language in your Google Account. For more help, follow the instructions in Change language.

Troubleshooting

The device doesn’t provision itself out of the box

First, check that the device is registered for zero-touch enrollment using the portal. Find the device using the hardware identifier, such as the IMEI number. If you don’t find the device, contact the device reseller and ask them to register the device. 

Next, confirm that you applied a configuration to the device. Find the device using the portal, and check that the Configuration column of the table isn’t listed as No config. Devices without a configuration aren’t provisioned through zero-touch enrollment and boot unmanaged.

If you make either of the changes above, you’ll need to factory reset the device so that zero-touch enrollment provisions it.

Finally, check that the device has a working data connection when it's being set up. Zero-touch enrollment needs a connection to Google servers. The connection can be ethernet, Wi-Fi, or cellular data. If you're using cellular data when roaming, note that the setup wizard blocks the use of roaming data by default.

If there's no data connection, or if the connection blocks traffic to Google servers, then the zero-touch enrollment flow is skipped. If zero-touch enrollment is skipped but the device has a configuration, then the device resets itself after the first connection to Google servers. The system warns the person using the device one hour before the reset.

The device shouldn’t be included in zero-touch enrollment

When your device is registered for zero-touch enrollment, it starts up and shows the Your device at work panel explaining the device is managed. Even after a factory reset.

First, confirm that the device isn’t registered with your organization for zero-touch enrollment. Find the device in the portal using a hardware identifier, such as the IMEI number. If you find the device, click Deregister.

Next, contact the organization that’s attempting to enroll the device. Start by following the steps below:

  1. Factory reset the device.

  2. Click the link to contact your device’s provider in the Your device at work screen.

  3. Make a note of the telephone number, email address, and the identifiers in Device information.

Ask the organization to deregister the device from zero-touch enrollment. Include the identifiers you noted previously. You might want to include a link to this page.

Was this helpful?
How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Search
Clear search
Close search
Google apps
Main menu
false
Search Help Center
true
true
true
true
true
108584