/work/android/community?hl=en
This content is likely not relevant anymore. Try searching or browse recent questions.
Understanding Android Enterprise fully managed provisioning methods 2 Recommended Answers 0 Relevant Answers 5 Replies 10 Upvotes
1 Recommended Answer
$0 Recommended Answers
1 Relevant Answer
$0 Relevant Answers
Android Enterprise offers several options for provisioning devices out of the box. The following is a brief run-down of each - 

NFC 

Introduced in Android Lollipop (5.0), NFC offers the ability to tap a device against an NFC tag (or another Android device prior to Android 10) from the setup wizard in order to begin fully managed device provisioning. NFC is particularly useful for bulk, close-proximity device provisioning such as locally preparing devices to be deployed into a warehouse, or where staging is part of the typical device deployment flow. 

NFC supports DPC extras.

DPC identifier

Introduced in Android Marshmallow (6.0), this may also be referred to by ecosystem partners as "EMM token", and is a shortcode entered in place of a Google account during device wizard setup. Eg: 

​afw#setup ​(Android Management API)

Following which, the device will be pushed into fully managed provisioning. DPC identifier is useful for devices that either aren't in proximity of an NFC tag/capable device or cannot leverage newer provisioning methods (below). Managed Google accounts (G Suite) undergo a similar flow, pushing a device into fully managed provisioning if so desired by the G Suite administrator after inputting the managed Google account ID. 

DPC identifier does not support DPC extras

QR code

Introduced in Android 7.0, later improved in Android 9, QR code provisioning allows for tapping 6x on the welcome screen of the setup wizard in order to invoke a scanner to scan an EMM-provided QR code. Prior to Android 9 the scanner will be downloaded on invocation, from 9 the scanner is baked in.

QR codes can be persistent or temporary. Single or multi-use. They're extremely useful for provisioning remotely, or providing as a static asset on a shared location (such as intranet) for simple setup.

QR code supports DPC extras

Zero-touch

Introduced in Android 8, zero-touch allows for a full out-of-box-experience to be configured and deployed by IT without having to interact with the device in any way. When devices are purchased from authorised resellers, they can be added to a zero-touch customer account and through a default configuration, benefit from zero-touch provisioning for administrators. More details about zero-touch can be found here.

Zero-touch supports DPC extras

Others

Outside of the core provisioning methods offered by Google, OEMs can and do also leverage their own provisioning solutions; popular examples include Samsung Knox Mobile Enrollment (link) and Zebra Stage Now (link). Depending on the hardware, other such examples of user-invoked provisioning include scanning a barcode (not a QR code), "listening" for an audio sample, hardware key combinations and more. Reach out to your OEM to understand if any such non-standard provisioning methods are supported on your hardware, and for details on how to leverage them.

What are DPC extras?

DPC extras for supported provisioning methods allow for the pre-configuration of various native and EMM-based variables. An admin can for example configure the EMM server URL, an enrollment ID, device locale, usernames/passwords (though not recommended) and more. 

An example may look like this: 

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false, "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{ "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
}

Reach out to your EMM vendor to understand the DPC extras available to be configured with your EMM. 

Fully managed provisioning methods for work profile deployments

From Android 10 it's possible to deploy a work profile on a corporate device through both zero-touch and QR code provisioning. NFC and DPC identifier are not supported. In Android 11, the provisioning flow allows for the inflation of the new work profiles on company-owned devices, the enhanced solution for the previous work profiles on fully managed devices. Both provide a COPE experience, Android 11 however dramatically improves end-user privacy. 

Additional reading

Bayton - What are DPC extras? 

NB: Google incorrectly states NFC requires 6+ as of writing in the above links, when in fact Lollipop is indeed supported.
Most Relevant Answer Most Relevant Answers (0)
All Replies (5)
Most Relevant Answer
Great tip Jason!
marked this as an answer
Most Relevant Answer
How to get a work profile off phone
marked this as an answer
Most Relevant Answer
Zero Touch itself is somewhat of a misnomer that I think deserves some clarification. The "Zero Touch" descriptor refers to the minimal amount of touches required for an IT admin since the device can auto-enroll into an EMM environment from a remote site after being managed appropriately in the portal. There is still management of this process in the ZT portal AND 10-15 taps and touches required on the devices themselves. As an IT admin that has to touch a lot of devices I usually prefer OEM specific offerings like Zebra StageNow as they allow you to perform the complete enrollment process, including connecting to local wifi with 1-3 scan trigger pulls.
marked this as an answer
This question is locked and replying has been disabled.
Discard post? You will lose what you have written so far.
Write a reply
10 characters required
Failed to attach file, click here to try again.
Discard post?
You will lose what you have written so far.
Personal information found

We found the following personal information in your message:

This information will be visible to anyone who visits or subscribes to notifications for this post. Are you sure you want to continue?

A problem occurred. Please try again.
Create Reply
Edit Reply
Delete post?
This will remove the reply from the Answers section.
Notifications are off
Your notifications are currently off and you won't receive subscription updates. To turn them on, go to Notifications preferences on your Profile page.
Report abuse
Google takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Go to the Legal Help page to request content changes for legal reasons.

Reported post for abuse
Unable to send report.
Report post
What type of post are you reporting?
Google takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Go to the Legal Help page to request content changes for legal reasons.

Reported post for abuse
Unable to send report.
This reply is no longer available.
/work/android/threads
//accounts.google.com/ServiceLogin
You'll receive email notifications for new posts at
Unable to delete question.
Unable to update vote.
Unable to update subscription.
You have been unsubscribed
Deleted
Unable to delete reply.
Removed from Answers
Marked as Recommended Answer
Removed recommendation
Undo
Unable to update reply.
Unable to update vote.
Thank you. Your response was recorded.
Unable to undo vote.
Thank you. This reply will now display in the answers section.
Link copied
Locked
Unlocked
Unable to lock
Unable to unlock
Pinned
Unpinned
Unable to pin
Unable to unpin
Marked
Unmarked
Unable to mark
Reported as off topic
/work/android/profile/0?hl=en