Create custom zero-touch configurations for Android devices

This feature is available with Cloud Identity Premium edition. Compare editions 

As an administrator, you can deploy Android devices with your organization’s policies already enforced. When a user turns on their device, the device checks for an enterprise device configuration. If a device configuration is assigned to it, the device downloads the Android Device Policy app and completes the setup of the device.

Zero-touch enrollment is supported by many Android EMMs. This page focuses on managing devices in your Google Admin console with Google endpoint management. For more information about zero-touch enrollment in general, see Zero-touch enrollment for IT admins.

Device requirements

  • Purchase zero-touch devices directly from an approved zero-touch reseller. The reseller sets up your zero-touch enrollment account when your organization first purchases devices. To find a reseller, see Zero-touch resellers.  If your preferred reseller isn’t in the list, you can suggest they join the Android Enterprise Partners Program.
  • Devices must have Android 9.0 Pie or later, or Pixel phone with Android 7.0 Nougat or later.
  • Devices must support work profiles.
  • You can find a list of compatible devices at Android Enterprise.

Step 1: Set up Google endpoint management

  1. Set up advanced mobile management for Android devices.
  2. Apply settings for Android mobile devices.
  3. (Optional, recommended for more management features) If your edition supports it, add devices to the company-owned inventory. If you don’t add devices to the company-owned inventory, Google endpoint management and Context-Aware Access classify them as user owned.

Step 2: Set up a device configuration

The device configuration sets how a zero-touch enrollment device provisions itself. You set up and manage device configurations in the zero-touch enrollment portal in your browser.

We recommend that you set a default configuration that’s applied to new zero-touch devices.

The device configuration specifies:

  • The device policy controller (DPC) to install
  • Enrollment options to apply
  • Support information to help your users during setup

Create a configuration

  1. Open the portal.
  2. Sign in using your administrator account (does not end in @gmail.com).
  3. At the left, click Configurations.
  4. In the Configurations section, click Add .
  5. Enter the details for your configuration:
    1. Configuration name–Enter a short, descriptive name that describes the configuration's purpose and is easy to find in a menu, for example, Sales team or Temporary employees.
    2. EMM DPC–Select Android Device Policy.
    3. DPC extras (optional)–To force devices to enroll only with user accounts in your organization, enter the following configuration:

      {"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"your-company.com\",\"other-company.com\"]"}}

    4. Company name (optional)–Enter the name of your organization. This company name is shown to users during device provisioning.

    5. Support email address (optional)–Enter an email address users can contact to get help, such as your internal support email address. This email address is shown to users before device provisioning. Users can't click the email address to send a message, so choose a short email address they can easily enter on another device.

    6. Support phone number (optional)–Enter a phone number users can call from another device to get help, such as the phone number of your IT support team. This number is shown to users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that users recognize.

    7. Custom message (optional)–Enter 1–2 sentences to help users contact support or give them more details about what’s happening to their device. This message is shown before the device is set up.

  6. Click Add.
  7. (Optional) In the Default configuration section, select the configuration you addedand thenApply.

Step 3: Apply the configuration to devices

When you apply a configuration to a device, the device automatically configures itself on first boot or next factory reset. You can apply configurations manually or in bulk.

Apply a configuration to a single device

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. Find the device you want to apply the configuration to using its IMEI or serial number.
  4. Choose an option:
    • Set Configuration to the configuration you want to apply.
    • Select No config to temporarily remove the device from zero-touch enrollment.

Apply a configuration to many devices

To apply a configuration to many devices at once, upload a CSV file that lists the configuration ID and hardware identifiers for each device. You can download a CSV template from the portal to get started. For details, see Device configuration CSV file format.

Important:

  • The CSV file can't be more than 50 MB. If it's larger, you can split the file into multiple uploads.
  • To set up a dual-SIM device, use the first hardware ID because zero-touch enrollment identifies devices by modem 1. A dual-SIM device includes 2 modems and has 2 IMEI or MEID numbers. If you set up a dual-SIM device using another IMEI or MEID number, the portal shows a new, separate device that zero-touch enrollment doesn't recognize or set up.

To download a template and upload a completed CSV file:

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. Next to Devices, click More .
  4. (Optional) To download a template CSV file, click Download example CSV.
  5. Click Upload batch configurations.
  6. Select your CSV file.
  7. Click Upload.

After processing, the portal shows a notification with a link to an upload status page. You also receive an email summary. In the email, click See details to open a status page. Any device not assigned a configuration is listed with a reason for the error.

Device administration

Transfer a zero-touch enrollment device to another user (deregister)

To transfer ownership of a device, you need to deregister the device in the zero-touch enrollment portal.

After you deregister a device, to register it into zero-touch enrollment again, contact your reseller.

Deregister a device

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. In the Devices section, find the device you want to deregister.
  4. Click Deregister>Deregister.
Temporarily exclude a device from zero-touch enrollment

To prevent a device from enrolling automatically on startup, remove the zero-touch configuration in the zero-touch enrollment portal:

  1. Open the portal. You might need to sign in.
  2. At the left, click Devices.
  3. Find the device you want to remove the configuration from. You can find it by its IMEI or serial number.
  4. For Configuration, select No config.

Troubleshooting

The device doesn’t provision itself
  1. Check that the device is registered for zero-touch enrollment using the portal:
    • Find the device using the hardware identifier, such as the IMEI number.
    • If you don’t find the device, factory reset it and contact the device reseller to ask them to register the device.
  2. Confirm that you applied a configuration to the device.
    1. Find the device in the portal and check that Configuration isn’t set to No config.
    2. If it is, select a configuration. Then factory reset the device so that zero-touch enrollment sets it up.
  3. Check that the device has a working data connection during setup.

    Zero-touch enrollment needs an Ethernet, Wi-Fi, or mobile data connection to Google servers. The Setup Wizard blocks the use of roaming data by default. If there's no data connection, or if the connection blocks traffic to Google servers, then the device skips zero-touch enrollment.

    To correct, provide a working data connection. The device resets itself after the first connection to Google servers. The system warns the user 1 hour before the reset.

The device doesn't belong in zero-touch enrollment

When a device is registered for zero-touch enrollment, it starts up and shows “Your device at work”, explaining that the device is managed.

If a device shouldn't automatically enroll:

  1. Confirm that the device isn’t registered with your organization for zero-touch enrollment.
    1. Find the device in the portal using a hardware identifier, such as the IMEI number.
    2. If you find the device, click Deregister.
  2. Contact the organization that’s attempting to enroll the device.
    1. Factory reset the device.
    2. In the Your device at work screen, click the link to contact your device’s provider.
    3. In Device information, find and record the telephone number, email address, and identifiers.
    4. Ask the organization to deregister the device from zero-touch enrollment.

      Include the identifiers you noted and a link to this page.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
8028055806334280335
true
Search Help Center
true
true
true
false
false