This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can set up Android devices with your organization’s policies already configured. When a user turns on their device, the device checks if a zero-touch configuration is assigned to it. If a configuration is assigned, the device downloads the Android Device Policy app and completes the setup of the device.
To create custom zero-touch configurations and apply them to devices, use the zero-touch enrollment portal. For details, go to Create custom zero-touch configurations for Android devices.
Before you begin
- We do not recommend using zero-touch enrollment for devices under basic management or for unmanaged devices. For those devices, the Android Device Policy app will not enforce policies, and users cannot uninstall the app. If you change your Google Workspace edition and no longer have advanced management, unlink your zero-touch account.
- (Google Workspace for Education editions) For the organizational unit or access group using zero-touch enrollment, be sure to select the All users are 18 or older age label. For details, go to Control access to Google services by age.
Step 1: Purchase zero-touch devices
You purchase zero-touch devices from an approved zero-touch reseller. The reseller sets up your zero-touch enrollment account. You'll need to provide your reseller with a Google Workspace account (associated with your corporate email). To find a reseller, go to Zero-touch resellers.
Devices must support a work profile and either have Android 9.0 Pie or later or Android 7.0 Nougat or later for Pixel devices. For a list of compatible devices, go to Android Enterprise Devices.
Step 2: Set up Google endpoint management
- Set up advanced mobile management for Android devices.
- Apply settings for Android mobile devices.
- (Optional, recommended for more management features) If your edition supports it, add devices to the company-owned inventory. If you don’t add devices to the company-owned inventory, Google endpoint management and Context-Aware Access classify them as user owned.
Step 3: Set up a device configuration
Use the Google Admin console to apply a default configuration to all your zero-touch devices in one place. The configuration contains an enrollment token that turns on device owner-management privileges and basic information including:
- The device policy controller (DPC) to install
- Enrollment options to apply
- Support information to help your users during setup
Before you begin: If this is your first time using zero-touch enrollment, open the zero-touch portal and accept the Terms of Service.
To set up a default configuration:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsEnrollmentAndroid zero-touch.
- Click Manage zero-touch devices.
- Sign in using the Google account you provided to your reseller.
- Select the zero-touch accounts you want to link to your Google Workspace account and click Link.
- (Optional) To review the default configuration details that will apply to your zero-touch devices, click Configuration info. Learn more about configuration details.
- Click Next.
- Enter support information that is available to device users during setup:
- Company name–This is the name of your organization.
- Support email address –An email address users can contact to get help, such as your internal support email address. Users can't click the email address to send a message, so choose a short email address they can easily enter on another device.
- Support phone number–A phone number users can call from another device to get help, such as the phone number of your IT support team. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that users recognize.
- Custom message–One to two sentences to help users contact support or give them more details about what’s happening to their device. This message is shown before the device is set up.
- Click Save.
Your default configuration is applied to zero-touch devices on first boot or the next factory reset. If a device is already in use when you apply a zero-touch configuration to it, the device is factory reset. The user gets a warning on the device an hour before reset. For more information, go to Zero-touch enrollment for IT admins.
Device administration
Review your zero-touch devicesYou can find a list of your zero-touch devices in the zero-touch portal:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsEnrollmentAndroid zero-touch.
- Click Manage zero-touch devices.
- Click View devices in the zero-touch portal.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsEnrollmentAndroid zero-touch.
- Click Manage zero-touch devices.
- Enter the new support information for your configuration.
- Click Save.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsEnrollmentAndroid zero-touch.
- Click Manage zero-touch devices.
- Next to the zero-touch accounts you want to unlink from your Google Workspace account, click Unlink.