This content is likely not relevant anymore. Try searching or browse recent questions.
Understanding Android Enterprise fully managed provisioning methods 2 Recommended Answers 0 Relevant Answers 5 Replies 10 Upvotes
Android Enterprise offers several options for provisioning devices out of the box. The following is a brief run-down of each -
NFC
Introduced in Android Lollipop (5.0), NFC offers the ability to tap a device against an NFC tag (or another Android device prior to Android 10) from the setup wizard in order to begin fully managed device provisioning. NFC is particularly useful for bulk, close-proximity device provisioning such as locally preparing devices to be deployed into a warehouse, or where staging is part of the typical device deployment flow.
NFC supports DPC extras.
DPC identifier
Introduced in Android Marshmallow (6.0), this may also be referred to by ecosystem partners as "EMM token", and is a shortcode entered in place of a Google account during device wizard setup. Eg:
​afw#setup ​(Android Management API)Following which, the device will be pushed into fully managed provisioning. DPC identifier is useful for devices that either aren't in proximity of an NFC tag/capable device or cannot leverage newer provisioning methods (below). Managed Google accounts (G Suite) undergo a similar flow, pushing a device into fully managed provisioning if so desired by the G Suite administrator after inputting the managed Google account ID.
DPC identifier does not support DPC extras
QR code
Introduced in Android 7.0, later improved in Android 9, QR code provisioning allows for tapping 6x on the welcome screen of the setup wizard in order to invoke a scanner to scan an EMM-provided QR code. Prior to Android 9 the scanner will be downloaded on invocation, from 9 the scanner is baked in.
QR codes can be persistent or temporary. Single or multi-use. They're extremely useful for provisioning remotely, or providing as a static asset on a shared location (such as intranet) for simple setup.
QR code supports DPC extras
Zero-touch
Introduced in Android 8, zero-touch allows for a full out-of-box-experience to be configured and deployed by IT without having to interact with the device in any way. When devices are purchased from authorised resellers, they can be added to a zero-touch customer account and through a default configuration, benefit from zero-touch provisioning for administrators. More details about zero-touch can be found here.
Zero-touch supports DPC extras
Others
Outside of the core provisioning methods offered by Google, OEMs can and do also leverage their own provisioning solutions; popular examples include Samsung Knox Mobile Enrollment (link) and Zebra Stage Now (link). Depending on the hardware, other such examples of user-invoked provisioning include scanning a barcode (not a QR code), "listening" for an audio sample, hardware key combinations and more. Reach out to your OEM to understand if any such non-standard provisioning methods are supported on your hardware, and for details on how to leverage them.
What are DPC extras?
DPC extras for supported provisioning methods allow for the pre-configuration of various native and EMM-based variables. An admin can for example configure the EMM server URL, an enrollment ID, device locale, usernames/passwords (though not recommended) and more.
An example may look like this:
​{"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"} }Reach out to your EMM vendor to understand the DPC extras available to be configured with your EMM.
Fully managed provisioning methods for work profile deployments
From Android 10 it's possible to deploy a work profile on a corporate device through both zero-touch and QR code provisioning. NFC and DPC identifier are not supported. In Android 11, the provisioning flow allows for the inflation of the new work profiles on company-owned devices, the enhanced solution for the previous work profiles on fully managed devices. Both provide a COPE experience, Android 11 however dramatically improves end-user privacy.
Additional reading
Bayton - What are DPC extras?
NB: Google incorrectly states NFC requires 6+ as of writing in the above links, when in fact Lollipop is indeed supported.
NB: Google incorrectly states NFC requires 6+ as of writing in the above links, when in fact Lollipop is indeed supported.
Details
Recommended Answer Recommended Answers (2)
Recommended Answer
Most Relevant Answer
Got a question about this or any other Android Enterprise topic? Ask the community!
recommended this
marked this as an answer
Recommended by popular vote
Recommended Answer
Most Relevant Answer
Settings > Work Profile > Uninstall Work Profile on Samsung OneUI
Settings > Accounts > Remove work profile on most other devices.
recommended this
marked this as an answer
Recommended by popular vote
Most Relevant Answer Most Relevant Answers (0)
All Replies (5)
Recommended Answer
Most Relevant Answer
Got a question about this or any other Android Enterprise topic? Ask the community!
recommended this
marked this as an answer
Recommended by popular vote
Recommended Answer
Most Relevant Answer
Great tip Jason!
recommended this
marked this as an answer
Recommended by popular vote
Recommended Answer
Most Relevant Answer
How to get a work profile off phone
recommended this
marked this as an answer
Recommended by popular vote
Recommended Answer
Most Relevant Answer
Settings > Work Profile > Uninstall Work Profile on Samsung OneUI
Settings > Accounts > Remove work profile on most other devices.
recommended this
marked this as an answer
Recommended by popular vote
Recommended Answer
Most Relevant Answer
Zero Touch itself is somewhat of a misnomer that I think deserves some clarification. The "Zero Touch" descriptor refers to the minimal amount of touches required for an IT admin since the device can auto-enroll into an EMM environment from a remote site after being managed appropriately in the portal. There is still management of this process in the ZT portal AND 10-15 taps and touches required on the devices themselves. As an IT admin that has to touch a lot of devices I usually prefer OEM specific offerings like Zebra StageNow as they allow you to perform the complete enrollment process, including connecting to local wifi with 1-3 scan trigger pulls.
recommended this
marked this as an answer
Recommended by popular vote
This question is locked and replying has been disabled.
Link to post
Delete post?
This will remove the reply from the Answers section.
Notifications are off
Your notifications are currently off and you won't receive subscription updates. To turn them on, go to Notifications preferences on your Profile page.
This reply is no longer available.
Badges
Some community members might have badges that indicate their identity or level of participation in a community.
