Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the correct device policy controller app, which then completes setup of the managed device.
Android zero-touch enrollment offers a seamless deployment method for corporate-owned Android devices making large scale roll-outs fast, easy and secure for organizations, IT and employees. Zero-touch makes it simple to configure devices online and have them shipped with enforced management so employees can open the box and get started.
Prerequisites
To use zero-touch enrollment, you’ll need the following:
-
A device running Android Pie (9.0) or later*, a compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner
Note: The device must be compatible with Google Mobile Services (GMS) and Google Play services must be enabled at all times for zero-touch enrollment to function correctly.
-
An enterprise mobility management (EMM) provider supporting company-owned devices
-
A zero-touch account created by an authorized zero-touch reseller partner
*Initially via selected reseller only.
Get startedStart by purchasing zero-touch enrollment devices. Your reseller sets up your zero-touch enrollment account when your organization first purchases devices registered for zero-touch enrollment.
You'll need to provide your reseller with a Google Account, associated with your corporate email, to enable them to create your zero-touch enrollment account. See Associate a Google Account below. Don't use your personal Gmail account with the portal.
Associate a Google Account
If you don't have a Google Account associated with your corporate email, follow the steps below:
-
Go to Create your Google Account.
-
Enter your name.
-
Set Your email address to your corporate email. Don't click Create a new Gmail address instead.
-
Complete the remaining account information.
-
Click Next.
-
Follow the on-screen instructions to finish creating your account.
When you sign in to the zero-touch enrollment portal, it's best to enable 2-Step Verification on an account like this that's used for administrative purposes. 2-step verification adds an extra layer of security to your account.
See the Google Account help center to help you and learn more about your new account.
Zero-touch iframe
Open the zero-touch iframe in your EMM console. For details on where to find the iframe, contact your EMM provider.
- On the landing page of the iframe, click Next.
- Log in with the Google account you provided to your reseller.
- Select the zero-touch account you wish to link to your enterprise and click Link.
- You will see a screen with basic information about the zero-touch configuration that your zero-touch enabled devices will use. If you want to add or update your EMM configurations, click Configuration info. After reviewing this information, click Next.
- Enter the support information that will be displayed to users during their device setup if they need assistance.
- Click Save.
Customer portal guide
Open the portal and sign in with the Google account.
Navigation panel item |
What you can do with this |
---|---|
Configurations |
You can create, edit and delete EMM configurations here. You can also set a default configuration for any devices added to zero-touch enrollment going forward. See Configurations. |
Devices |
You can browse or search for devices and then apply your configurations to them. You can also deregister devices from zero-touch enrollment here. See Devices |
Users |
If you’re an account owner, you can add, edit, or delete users to manage portal access for your organization. |
Resellers |
You can add additional resellers here if you need to share your account with multiple resellers. |
Customer details |
You can view the customer name and customer ID and delete the account. Note: Once the account is deleted, you will need to reach out to the reseller to create a new account. |
For instructions for device users on how to use zero-touch enrollment, see the instructions for users.
Portal languages
You can use the portal in one of the following languages:
American English, British English, Danish, Dutch, French, German, Italian, Japanese, Norwegian, Polish, Portuguese, Spanish, or Swedish.
To change to another language, update the preferred language in your Google Account. For more help, follow the instructions in Change language.
Your organization manages the users that have access to the portal.
Your organization's portal users can be owners or admins. Owners share the same access as admins and can manage your organization's users. The table below compares the capabilities of the owner and admin roles:
Role capabilities | ||
---|---|---|
Portal task | Owner | Admin |
Add, edit, and assign Configuration | ✓ | ✓ |
Add users | ✓ | 🚫 |
Edit user roles | ✓ | 🚫 |
Remove users | ✓ | 🚫 |
Import and export CSV files | ✓ | ✓ |
Remove device | ✓ | ✓ |
See your account's role
Follow the steps below to check your account's role:
- Open the portal.
- Click Users in the sidebar.
- Look in the Role column to see your account's role.
Add team members
Before you start, check your account role to ensure that it's Owner. You must be an owner to add team members. Give portal access to new team members by following the steps below:
- Ask your team member to associate a Google Account with their corporate email. Your team member can follow the instructions in Associate a Google Account.
- Open the portal.
- Click Users in the sidebar.
- Click Add user.
- Set Email address to the team member's corporate email.
- Select a Role from the dropdown.
- Click Add.
The portal doesn't notify your team members that they have access so you must remember to inform them yourself.
Delete team members
Before you start, check your account role to ensure that it's Owner. You need to be an account owner to delete team members. To remove a team member's access to the portal, follow the steps below:
- Open the portal.
- Click Users in the sidebar.
- Hover over the row for the user you wish to remove
- Before you proceed, check that the account is correct.
- Select Delete. Before deletion is completed the portal provides a warning message to ensure you wish to go ahead with deletion. You must click the delete button again to confirm.
If you accidentally delete an account, re-add it by following the instructions in Add team members above.
Edit roles
Before you start, check your account role to ensure that it's Owner. You need to be an account owner to edit team members' roles. To change the role of a team member, follow the steps below:
- Open the portal.
- Click Users in the sidebar.
- Click Edit for the account you want to change.
- Select a Role from the dropdown.
- Click Save.
You set provisioning options for your devices using a configuration. Each configuration combines the following:
-
The EMM device policy controller (DPC) you want to install on the devices.
-
EMM policies you want to enforce on the devices.
-
Metadata that's displayed on the device to help your users during setup
Your organization can add more configurations as you need them.
Add a configuration
Before you add a configuration, check that you have access to your EMM console. You’ll need to copy and paste your mobile policy data from your EMM console to the portal. To add a configuration for your organization's devices, follow the steps below:
-
Open the portal. You might need to sign in.
-
Click Configurations in the navigation panel.
-
Click Add Configuration.
Use the notes below to help you complete the new configuration panel. Once you've created a configuration, we recommend you set a default configuration.
Name
EMM DPC
DPC extras
Company name
Support email address
Support phone number
Custom Message
Assign a default configuration
Choose a default configuration that zero-touch enrollment applies to any new devices your organization purchases in the future. Follow the steps below:
-
Open the portal. You might need to sign in.
-
Click Configurations in the navigation panel.
-
Click on the edit icon and select the configuration you want applied to new devices in the Default configuration panel.
-
Click Save.
Use the portal to apply configurations to devices or deregister devices from zero-touch enrollment. After you apply a configuration to a device, the device automatically provisions itself on first boot, or next factory reset.
Apply a configuration to a single device
You can apply a configuration one device at a time by selecting devices in the portal. Follow the steps below:
-
Open the portal. You might need to sign in.
-
Click Devices in the navigation panel.
-
Find the device you want to apply the configuration to—using its IMEI or serial number.
-
Click on the Edit and select configuration you want to apply or select None to temporarily remove the device from zero-touch enrollment.
-
Click Save.
Apply a configuration to many devices
You apply a configuration to devices by uploading a CSV file. A CSV text file represents a data table, and each line represents a row in that table. Commas separate the values in that row.
Each row in your CSV file lists the fields that include:
-
The ID of the configuration you want to apply.
-
A hardware identifier of the device you want to apply the configuration to.
Prepare a CSV file containing your device and configuration information. You can download a sample file and fill the profiletype and profileid field to get started. Alternatively, if you want to start with a blank file, learn about the fields needed by reading Device configuration CSV file format.
The largest CSV file you can upload to the portal is 50 MB. If you have more than 50 MB of data, consider splitting the file into smaller files. When you've prepared your CSV file, follow the steps below:
-
Open the portal. You might need to sign in.
-
Click Devices in the navigation panel.
-
Click More in the Devices table header.
-
Click Apply configurations from .CSV.
-
Select your CSV file from the file picker.
-
Click Upload.
After the file uploads, the portal processes the data rows. When processing finishes, the portal shows a notification with an upload status. You also receive an email summarizing the processing of your CSV data. Click the See details button in the email to open a status page. The status page lists each device that wasn't assigned a configuration with a reason for the error.
If you close your browser window after the CSV file uploads, the backend server continues to process your data. To know when the portal finishes processing your data, check your email inbox for the status email. When you receive the processing summary email, check for any errors.
Device configuration CSV file format
To apply a configuration to devices, you upload a CSV file. The following snippet shows the CSV field format with example values to apply the configuration to a device identified by the IMEI number:
You can also use the serial, manufacturer,
and model
fields:
You can also register both types of devices from the same CSV file:
The following table shows the field values you use in your CSV file:
Field |
Example |
Description |
---|---|---|
|
IMEI |
Set this value to IMEI using uppercase characters. Pair with |
|
123456789012347 |
Set this value to the device’s IMEI number. Pair with |
modemid2 |
234567890123454 | Set this value to the device’s second IMEI number. If provided, then modemid must also be provided. |
serial |
ABcd1235678 | Set this value to the device's case-sensitive serial number. Pair with model to match a Wi-Fi-only device. |
model |
VM1A | Set this value to the device model name. You need to make sure this is one of the names listed in Models. Pair with serial to match a Wi-Fi-only device. |
|
|
Always set this value to the device manufacturer’s name. You need to make sure this is one of the names listed in Manufacturers. This field is used to match a device. |
|
ZERO_TOUCH |
Always set this value to ZERO_TOUCH using uppercase characters. |
|
54321 |
Always set this value to the numeric ID of the configuration you want to apply to the device. To see the ID for a configuration, check that the table's ID column in the Configurations page. |
Deregister a device
You can deregister devices from zero-touch enrollment. You might need to deregister a device when you transfer ownership. You can deregister one device at a time by selecting devices in the portal.
-
Open the portal. You might need to sign in.
-
Click Devices in the navigation panel.
- Find the device you want to delete—using its IMEI or serial number.
- Click Remove in the device row.
-
Click Remove in the confirmation panel.
Bulk deregister devices
Deregistering multiple devices in bulk can be done using a device configuration CSV file. To do this:
- Create a device configuration CSV file including every device you wish to deregister.
- Replace the 'profileid' column in this CSV file with a column titled 'owner', and set the values in this column to 0.
- Re-upload the CSV to your portal.
Where can I purchase zero-touch devices?
Devices eligible for zero-touch enrollment need to be purchased directly from an enterprise reseller or Google partner and not through a consumer store. Reseller partners are listed in Android's Enterprise Solutions Directory.
Which Android devices are supported?
Supported devices vary by reseller. From September 2020, selected resellers can offer any Android device with zero touch, with other resellers continuing to offer zero-touch on a selected number of devices. The ability to assign any device running Android Pie (9.0) or later for zero-touch enrollment will expand to all resellers by the end of 2020.
Which EMMs support zero-touch enrollment?
Most EMM providers (for Android) support zero-touch enrollment. A list of compatible EMMs can be found in the Android site's Partners list.
Many EMMs also implement the zero-touch iframe to simplify the process of setting up zero-touch devices after you purchase them from a reseller. To see if this feature is available, contact your EMM provider.
What if my device reseller is not an authorized zero-touch reseller?
You can request your device reseller to register for the Android Enterprise Partner Program where they can then apply to become a zero-touch reseller.
What if my device is registered with zero-touch and Samsung Knox Mobile Enrollment?
If a device is registered and configured in both Knox Mobile Enrollment and zero-touch, the device will enroll using Knox Mobile Enrollment and apply the configuration defined in that service. To ensure that a Samsung device enrolls using zero-touch, remove any configuration assigned to the device in the Knox Mobile Enrollment portal.
How do I use zero-touch enrollment?
You manage zero-touch enrollment for your organization from an online portal in your web browser. We call this the zero-touch enrollment portal, or often just the "portal" when describing zero-touch enrollment. Use this document, and your EMM’s documentation, to help you complete the following steps:
-
Purchase your devices from a reseller who sets up a zero-touch enrollment account for your organization.
-
Create a configuration in the portal that consists of your EMM choice and mobile policies.
-
Link your enterprise to your zero-touch account using the zero-touch iframe, or, use the zero-touch console to either set a default configuration or manually apply your configuration to a range of devices .
You can also use the portal to:
-
Activate and deactivate the resellers from whom your organization purchases devices.
-
Control access to the portal for users in your organization.
What is a Dual-SIM device?
Dual-SIM devices
A dual-SIM device includes two discrete modems and has two IMEI numbers. It’s recommended for the resellers to register dual-SIM devices with the numerically lowest IMEI number. Upon device boot up, the device gets detected by Zero-touch, initiating the enrollment process. If your dual-SIM device has issues being detected by Zero-touch, please confirm with your reseller that they have registered the numerically lowest IMEI number.
Note: Registered dual-SIM devices that are pre-installed with a version of Google Play Services prior to 24.07.12 will undergo a factory reset if not provisioned by Zero-touch during initial setup. Upon the next device setup, Zero-touch will be provisioned.
For information on dual-sim issues and their resolutions regarding zero-touch devices, please read known issues.
The device doesn’t provision itself out of the box
First, check that the device is registered for zero-touch enrollment using the portal. Find the device using the hardware identifier, such as the IMEI number. If you don’t find the device, contact the device reseller and ask them to register the device.
Next, confirm that you applied a configuration to the device. Find the device using the portal, and check that the Configuration column of the table isn’t listed as No config. Devices without a configuration aren’t provisioned through zero-touch enrollment and boot unmanaged.
If you make either of the changes above, you’ll need to factory reset the device so that zero-touch enrollment provisions it.
Finally, check that the device has a working data connection when it's being set up. Zero-touch enrollment needs a connection to Google servers. The connection can be ethernet, Wi-Fi, or cellular data. If you're using cellular data when roaming, note that the setup wizard blocks the use of roaming data by default.
If there's no data connection, or if the connection blocks traffic to Google servers, then the zero-touch enrollment flow is skipped. If zero-touch enrollment is skipped but the device has a configuration, then the device resets itself after the first connection to Google servers. The system warns the person using the device one hour before the reset.
The device shouldn’t be included in zero-touch enrollment
When your device is registered for zero-touch enrollment, it starts up and shows the Your device at work panel explaining the device is managed. Even after a factory reset.
First, confirm that the device isn’t registered with your organization for zero-touch enrollment. Find the device in the portal using a hardware identifier, such as the IMEI number. If you find the device, click Deregister.
Next, contact the organization that’s attempting to enroll the device. Start by following the steps below:
-
Factory reset the device.
-
Click the link to contact your device’s provider in the Your device at work screen.
-
Make a note of the telephone number, email address, and the identifiers in Device information.
Ask the organization to deregister the device from zero-touch enrollment. Include the identifiers you noted previously. You might want to include a link to this page.