Zero-touch enrollment for IT admins

Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the correct device policy controller app, which then completes setup of the managed device.

Android zero-touch enrollment offers a seamless deployment method for corporate-owned Android devices, making large-scale roll-outs fast, easy, and secure for organizations, IT, and employees. Zero-touch makes it simple to configure devices online and have them shipped with enforced management so employees can open the box and get started.

Prerequisites

To use zero-touch enrollment, you’ll need the following:

  • A device running Android Pie (9.0) or later*, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner

    Note: The device must be compatible with Google Mobile Services (GMS) and Google Play services must be enabled at all times for zero-touch enrollment to function correctly.

  • An enterprise mobility management (EMM) provider supporting fully managed devices

  • A zero-touch account created by an authorized zero-touch reseller partner

*Initially via selected reseller only.

Get started

Start by purchasing zero-touch enrollment devices. Your reseller sets up your zero-touch enrollment account when your organization first purchases devices registered for zero-touch enrollment.

You'll need to provide your reseller with a Google Account, associated with your corporate email, to enable them to create your zero-touch enrollment account. See Associate a Google Account below. Don't use your personal Gmail account with the portal.

Associate a Google Account

If you don't have a Google Account associated with your corporate email, follow the steps below:

  1. Go to Create your Google Account.

  2. Enter your name.

  3. Set Your email address to your corporate email. Don't click Create a new Gmail address instead.

  4. Complete the remaining account information.

  5. Click Next.

  6. Follow the on-screen instructions to finish creating your account.

It's best to enable 2-Step Verification on an account like this, which is used for administrative purposes such as signing in to the zero-touch enrollment portal. 2-Step Verification adds an extra layer of security to your account.

See the Google Account help center for help and to learn more about your new account.

Accessing the portal

Zero-touch iframe

Open the zero-touch iframe in your EMM console. For details on where to find the iframe, contact your EMM provider.

  1. On the landing page of the iframe, click Next.

  2. Log in with the Google account you provided to your reseller.

  3. Select the zero-touch account you wish to link to your enterprise and click Link.

  4. You will see a screen with basic information about the zero-touch configuration that your zero-touch enabled devices will use. If you want to add or update your EMM configurations, click Configuration info. After reviewing this information, click Next.

  5. Enter the support information that will be displayed to users during their device setup if they need assistance.

  6. Click Save.

Your zero-touch devices will be set to use the configuration supplied by your EMM called "Enterprise Default Profile". You can apply a different configuration to your devices by going to the zero-touch portal.

Customer portal guide

Open the portal and sign in with the Google account.

Navigation panel items and what you can do with each:

  • Configurations: You can create, edit and delete EMM configurations here. You can also set a default configuration for any devices added to zero-touch enrollment going forward. See Configurations.

  • Devices: You can browse or search for devices and then apply your configurations to them. You can also deregister devices from zero-touch enrollment here. See Devices.

  • Users: If you’re an account owner, you can add, edit, or delete users to manage portal access for your organization.

  • Resellers: You can add additional resellers here if you need to share your account with multiple resellers.

  • Customer details: You can view the customer name and customer ID and delete the account. Note: Once the account is deleted, you will need to reach out to the reseller to create a new account.

For instructions for device users on how to use zero-touch enrollment, see the instructions for users.

Portal languages

You can use the portal in one of the following languages:

American English, British English, Danish, Dutch, French, German, Italian, Japanese, Norwegian, Polish, Portuguese, Spanish, or Swedish.

To change to another language, update the preferred language in your Google Account. For more help, follow the instructions in Change language.

Portal users

Your organization manages the users that have access to the portal.

Your organization's portal users can be owners or admins. Owners share the same access as admins and can manage your organization's users. The table below compares the capabilities of the owner and admin roles:

Role capabilities

Portal task | Owner | Admin
Add, edit, and assign Configuration | ✓ | ✓
Add users | ✓ | 🚫
Edit user roles | ✓ | 🚫
Remove users | ✓ | 🚫
Import and export CSV files | ✓ | ✓
Remove device | ✓ | ✓

See your account's role

Follow the steps below to check your account's role:

  1. Open the portal.
  2. Click Users in the sidebar.
  3. Look in the Role column to see your account's role.

Add team members

Before you start, check your account role to ensure that it's Owner. You must be an owner to add team members. Give portal access to new team members by following the steps below:

  1. Ask your team member to associate a Google Account with their corporate email. Your team member can follow the instructions in Associate a Google Account.
  2. Open the portal.
  3. Click Users in the sidebar.
  4. Click Add user.
  5. Set Email address to the team member's corporate email.
  6. Select a Role from the dropdown.
  7. Click Add.

The portal doesn't notify your team members that they have access, so you must remember to inform them yourself.

Delete team members

Before you start, check your account role to ensure that it's Owner. You need to be an account owner to delete team members. To remove a team member's access to the portal, follow the steps below:

  1. Open the portal.
  2. Click Users in the sidebar.
  3. Hover over the row for the user you wish to remove.
  4. Before you proceed, check that the account is correct.
  5. Select Delete. Before deletion is completed the portal provides a warning message to ensure you wish to go ahead with deletion. You must click the delete button again to confirm.

If you accidentally delete an account, re-add it by following the instructions in Add team members above.

Edit roles

Before you start, check your account role to ensure that it's Owner. You need to be an account owner to edit team members' roles. To change the role of a team member, follow the steps below:

  1. Open the portal.
  2. Click Users in the sidebar.
  3. Click Edit for the account you want to change.
  4. Select a Role from the dropdown.
  5. Click Save.

Note: You cannot edit your own user role; only another user with the ability to edit roles can do so for you.

Configurations

You set provisioning options for your devices using a configuration. Each configuration combines the following:

  • The EMM device policy controller (DPC) you want to install on the devices.

  • EMM policies you want to enforce on the devices.

  • Metadata that's displayed on the device to help your users during setup

Your organization can add more configurations as you need them.

Add a configuration

Before you add a configuration, check that you have access to your EMM console. You’ll need to copy and paste your mobile policy data from your EMM console to the portal. To add a configuration for your organization's devices, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Click Add Configuration.

Use the notes below to help you complete the new configuration panel. Once you've created a configuration, we recommend you set a default configuration.

Name

Give your configuration a name that describes its purpose. Choose a short, descriptive name that's easy to find in a menu. For example, Sales team or Temporary employees.

EMM DPC

Select your EMM's DPC app. If you don't see your EMM's DPC listed, contact your EMM provider to confirm that they support zero-touch enrollment.

DPC extras

Set your organization's EMM policy data that's passed to the DPC. Copy the JSON-formatted text from your EMM console.

Company name

Set this to the name of your organization. Zero-touch enrollment shows this company name to your device users during device provisioning. Shorter names that are easily recognized by your organization's employees work best.

Support email address

Set this to an email address your device users can contact to get help. This is typically your internal support email address, for example, it-support@xyzcorp.com. Zero-touch enrollment shows this email address to device users before device provisioning. Because device users can see the email address but can't click it to send a message, choose a short email address which users can type on another device.

Support phone number

Set this to a telephone number your device users can call, using another device, to get help. This is typically the phone number of your IT support team. Zero-touch enrollment shows this number to your device users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that your users will recognize.

Custom Message

Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. Zero-touch enrollment shows this message before the device is provisioned.

Assign a default configuration

Choose a default configuration that zero-touch enrollment applies to any new devices your organization purchases in the future. Follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Configurations in the navigation panel.

  3. Click on the edit icon and select the configuration you want applied to new devices in the Default configuration panel.

  4. Click Save.

Devices

Use the portal to apply configurations to devices or deregister devices from zero-touch enrollment. After you apply a configuration to a device, the device automatically provisions itself on first boot, or next factory reset.

Apply a configuration to a single device

You can apply a configuration one device at a time by selecting devices in the portal. Follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to apply the configuration to, using its IMEI or serial number.

  4. Click Edit and select the configuration you want to apply, or select None to temporarily remove the device from zero-touch enrollment.

  5. Click Save.

Apply a configuration to many devices

You apply a configuration to devices by uploading a CSV file. A CSV text file represents a data table, and each line represents a row in that table. Commas separate the values in that row.

Each row in your CSV file includes the following fields:

  • The ID of the configuration you want to apply.

  • A hardware identifier of the device you want to apply the configuration to.

Prepare a CSV file containing your device and configuration information. You can download a sample file and fill in the profiletype and profileid fields to get started. Alternatively, if you want to start with a blank file, learn about the fields needed by reading Device configuration CSV file format.

The largest CSV file you can upload to the portal is 50 MB. If you have more than 50 MB of data, consider splitting the file into smaller files. When you've prepared your CSV file, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Click More in the Devices table header.

  4. Click Apply configurations from .CSV.

  5. Select your CSV file from the file picker.

  6. Click Upload.

After the file uploads, the portal processes the data rows. When processing finishes, the portal shows a notification with an upload status. You also receive an email summarizing the processing of your CSV data. Click the See details button in the email to open a status page. The status page lists each device that wasn't assigned a configuration with a reason for the error.

If you close your browser window after the CSV file uploads, the backend server continues to process your data. To know when the portal finishes processing your data, check your email inbox for the status email. When you receive the processing summary email, check for any errors.

Device configuration CSV file format

To apply a configuration to devices, you upload a CSV file. The following snippet shows the CSV field format with example values to apply the configuration to a device identified by the IMEI number:

    modemtype,modemid,manufacturer,profiletype,profileid
    IMEI,123456789012347,Google,ZERO_TOUCH,9876543210

To identify Wi-Fi-only devices, such as tablets, you can use the serial and model fields:

    serial,model,manufacturer,profiletype,profileid
    ABcd1235678,VM1A,Honeywell,ZERO_TOUCH,9876543210

You can also register both types of devices from the same CSV file:

    modemtype,modemid,serial,model,manufacturer,profiletype,profileid
    IMEI,123456789012347,,,Google,ZERO_TOUCH,9876543210
    ,,ABcd1235678,VM1A,Honeywell,ZERO_TOUCH,9876543210

The following table shows the field values you use in your CSV file:

Field: modemtype
Example: IMEI
Description: Set this value to IMEI using uppercase characters. Pair with modemid to match a cellular device.

Field: modemid
Example: 123456789012347
Description: Set this value to the device’s IMEI number. For dual-SIM devices, only use the first IMEI number. Pair with modemtype to match a cellular device. To learn more about dual-SIM devices, see FAQs.

Field: serial
Example: ABcd1235678
Description: Set this value to the device's case-sensitive serial number. Pair with model to match a Wi-Fi-only device.

Field: model
Example: VM1A
Description: Set this value to the device model name. You need to make sure this is one of the names listed in Models. Pair with serial to match a Wi-Fi-only device.

Field: manufacturer
Example: Google
Description: Always set this value to the device manufacturer’s name. You need to make sure this is one of the names listed in Manufacturers. This field is used to match a device.

Field: profiletype
Example: ZERO_TOUCH
Description: Always set this value to ZERO_TOUCH using uppercase characters.

Field: profileid
Example: 54321
Description: Always set this value to the numeric ID of the configuration you want to apply to the device. To see the ID for a configuration, check the table's ID column on the Configurations page.

Deregister a device

You can deregister devices from zero-touch enrollment. You might need to deregister a device when you transfer ownership. You can deregister one device at a time by selecting devices in the portal.

After you deregister a device, you need to contact your reseller if you want to register the device into zero-touch enrollment again. If you want to temporarily exclude a device from zero-touch enrollment, consider removing the configuration.

To deregister a device, follow the steps below:

  1. Open the portal. You might need to sign in.

  2. Click Devices in the navigation panel.

  3. Find the device you want to delete, using its IMEI or serial number.

  4. Click Remove in the device row.

  5. Click Remove in the confirmation panel.

Bulk deregister devices

Deregistering multiple devices in bulk can be done using a device configuration CSV file. To do this:

  1. Create a device configuration CSV file including every device you wish to deregister.
  2. Replace the 'profileid' column in this CSV file with a column titled 'owner', and set the values in this column to 0.
  3. Re-upload the CSV to your portal.
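
A pre-upload check for the two CSV layouts described above (the device configuration format and the bulk-deregistration variant with an owner column), as an added example that is not part of Google's documentation or tooling. The function names and messages are hypothetical, the field rules come from the field descriptions above, and the 15-digit length and Luhn check-digit test on the IMEI are added sanity checks rather than rules stated on this page.

```python
import csv
import io
import re

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # upload limit stated on the page (50 MB)

def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn): an added sanity check, not a rule from the page."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_row(row: dict, action_col: str) -> list:
    """Return the problems found in one data row (empty list = row passes)."""
    def get(key: str) -> str:
        return (row.get(key) or "").strip()
    problems = []
    if get("modemtype") or get("modemid"):  # cellular device
        if get("modemtype") != "IMEI":
            problems.append("modemtype must be IMEI in uppercase")
        imei = get("modemid")
        if not (re.fullmatch(r"[0-9]{15}", imei) and luhn_ok(imei)):
            problems.append("modemid is not a 15-digit IMEI with a valid check digit")
    elif not (get("serial") and get("model")):  # Wi-Fi-only device
        problems.append("need modemtype+modemid or serial+model")
    if bool(get("serial")) != bool(get("model")):
        problems.append("serial and model must be given together")
    if not get("manufacturer"):
        problems.append("manufacturer is required")
    if get("profiletype") != "ZERO_TOUCH":
        problems.append("profiletype must be ZERO_TOUCH in uppercase")
    if action_col == "profileid" and not re.fullmatch(r"[0-9]+", get("profileid")):
        problems.append("profileid must be a numeric configuration ID")
    if action_col == "owner" and get("owner") != "0":
        problems.append("owner must be 0 for bulk deregistration")
    return problems

def validate(csv_text: str) -> dict:
    """Map CSV line number -> problems; an empty dict means nothing was flagged."""
    report = {}
    if len(csv_text.encode("utf-8")) > MAX_UPLOAD_BYTES:
        report[0] = ["file exceeds 50 MB; split it into smaller files"]
    reader = csv.DictReader(io.StringIO(csv_text))
    actions = set(reader.fieldnames or []) & {"profileid", "owner"}
    if len(actions) != 1:
        report[1] = ["header needs exactly one of profileid (apply) or owner (deregister)"]
        return report
    action_col = actions.pop()
    for row in reader:
        problems = check_row(row, action_col)
        if problems:
            report[reader.line_num] = problems
    return report

# Constructed samples: rows 1-2 of SAMPLE_APPLY are the page's examples; last rows are wrong.
SAMPLE_APPLY = """\
modemtype,modemid,serial,model,manufacturer,profiletype,profileid
IMEI,123456789012347,,,Google,ZERO_TOUCH,9876543210
,,ABcd1235678,VM1A,Honeywell,ZERO_TOUCH,9876543210
imei,123456789012345,,,Google,zero_touch,default
"""
SAMPLE_DEREGISTER = """\
modemtype,modemid,manufacturer,profiletype,owner
IMEI,123456789012347,Google,ZERO_TOUCH,0
IMEI,123456789012347,Google,ZERO_TOUCH,1
"""
print(validate(SAMPLE_APPLY), validate(SAMPLE_DEREGISTER))
```

Running the check before an upload matters most for the owner variant, because a deregistered device can only be re-registered by the reseller.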

FAQs

Where can I purchase zero-touch devices?

Devices eligible for zero-touch enrollment need to be purchased directly from an enterprise reseller or Google partner and not through a consumer store. Reseller partners are listed in Android's Enterprise Solutions Directory.

Which Android devices are supported?

Supported devices vary by reseller. From September 2020, selected resellers can offer any Android device with zero touch, with other resellers continuing to offer zero-touch on a selected number of devices. The ability to assign any device running Android Pie (9.0) or later for zero-touch enrollment will expand to all resellers by the end of 2020.

Which EMMs support zero-touch enrollment?

Most EMM providers (for Android) support zero-touch enrollment. A list of compatible EMMs can be found in the Android site's Partners list.

Many EMMs also implement the zero-touch iframe to simplify the process of setting up zero-touch devices after you purchase them from a reseller. To see if this feature is available, contact your EMM provider.

What if my device reseller is not an authorized zero-touch reseller?

You can ask your device reseller to register for the Android Enterprise Partner Program, where they can then apply to become a zero-touch reseller.

What if my device is registered with zero-touch and Samsung Knox Mobile Enrollment?

If a device is registered and configured in both Knox Mobile Enrollment and zero-touch, the device will enroll using Knox Mobile Enrollment and apply the configuration defined in that service. To ensure that a Samsung device enrolls using zero-touch, remove any configuration assigned to the device in the Knox Mobile Enrollment portal.

How do I use zero-touch enrollment?

You manage zero-touch enrollment for your organization from an online portal in your web browser. We call this the zero-touch enrollment portal, or often just the "portal" when describing zero-touch enrollment. Use this document, and your EMM’s documentation, to help you complete the following steps:

  1. Purchase your devices from a reseller who sets up a zero-touch enrollment account for your organization.

  2. Create a configuration in the portal that consists of your EMM choice and mobile policies.

  3. Link your enterprise to your zero-touch account using the zero-touch iframe, or use the zero-touch console to either set a default configuration or manually apply your configuration to a range of devices.

You can also use the portal to:

  • Activate and deactivate the resellers from whom your organization purchases devices.

  • Control access to the portal for users in your organization.

What is a Dual-SIM device?

Dual-SIM devices

A dual-SIM device includes two discrete modems and has two IMEI numbers. It’s recommended for the resellers to register dual-SIM devices with the numerically lowest IMEI number. Upon device boot up, the device gets detected by Zero-touch, initiating the enrollment process. If your dual-SIM device has issues being detected by Zero-touch, please confirm with your reseller that they have registered the numerically lowest IMEI number.

Note: Registered dual-SIM devices that are pre-installed with a version of Google Play Services prior to 24.07.12 will undergo a factory reset if not provisioned by Zero-touch during initial setup. Upon the next device setup, Zero-touch will be provisioned.

For information on dual-sim issues and their resolutions regarding zero-touch devices, please read known issues.

Troubleshooting

The device doesn’t provision itself out of the box

First, check that the device is registered for zero-touch enrollment using the portal. Find the device using the hardware identifier, such as the IMEI number. If you don’t find the device, contact the device reseller and ask them to register the device.

Next, confirm that you applied a configuration to the device. Find the device using the portal, and check that the Configuration column of the table isn’t listed as No config. Devices without a configuration aren’t provisioned through zero-touch enrollment and boot unmanaged.

If you make either of the changes above, you’ll need to factory reset the device so that zero-touch enrollment provisions it.

Finally, check that the device has a working data connection when it's being set up. Zero-touch enrollment needs a connection to Google servers. The connection can be ethernet, Wi-Fi, or cellular data. If you're using cellular data when roaming, note that the setup wizard blocks the use of roaming data by default.

If there's no data connection, or if the connection blocks traffic to Google servers, then the zero-touch enrollment flow is skipped. If zero-touch enrollment is skipped but the device has a configuration, then the device resets itself after the first connection to Google servers. The system warns the person using the device one hour before the reset.

The device shouldn’t be included in zero-touch enrollment

When your device is registered for zero-touch enrollment, it starts up and shows the Your device at work panel explaining the device is managed, even after a factory reset.

First, confirm that the device isn’t registered with your organization for zero-touch enrollment. Find the device in the portal using a hardware identifier, such as the IMEI number. If you find the device, click Deregister.

Next, contact the organization that’s attempting to enroll the device. Start by following the steps below:

  1. Factory reset the device.

  2. Click the link to contact your device’s provider in the Your device at work screen.

  3. Make a note of the telephone number, email address, and the identifiers in Device information.

Ask the organization to deregister the device from zero-touch enrollment. Include the identifiers you noted previously. You might want to include a link to this page.

If you're just starting out on zero-touch enrollment, read our resource guide on the Android Enterprise Community.
