What is Android Zero-Touch Enrollment?
Zero-touch enrollment is a streamlined, one time set up for Android devices to be provisioned for enterprise management. This enables devices to be enrolled and be work-ready out of the box. It permits IT, without having to manually set up each new device, to deploy corporate-owned devices in bulk. It reduces the user-caused risks due to incorrect information entry or configuration of wrong settings. It also prevents unauthorized devices from joining your MDM environment thereby enhancing your security.
Once an android enterprise configuration is applied, the Device Owner mode is activated and an MDM agent like Hexnode MDM is downloaded and the rest of the setup is completed by the agent on the managed device.
Made available by Google since 2017, it started off as an onboarding method for original Pixel devices. As the smartphone environment expanded Google kept adding new vendors who were compatible with ZTE. Presently Android Zero-Touch supports a huge fleet of devices running Android 8.0 or later, including LG, Zebra, HTC, Google, and more.
Requirements for Zero-Touch Enrollment
If your organization is interested in deploying devices with the help of Android Zero Touch deployment, then these are the requirements to be fulfilled.
- Devices compatible with Android Zero-Touch enrollment
Devices running Android 8.0 or upwards or Pixel Devices running Android 7.0 are compatible with Android Zero-Touch enrollment. You can get the current list of all compatible devices in Google’s Enterprise Directory.
- Devices Purchased via Authorized reseller
New devices purchased from a Google Authorized reseller can only be used for Zero Touch enrollment. Details about the resellers in you are can be found in Google’s Reseller List.
- A device management solution that supports Zero-Touch Enrollment
Android Zero-Touch enrollment only works in tandem with a device management solution (MDM/ EMM/ UEM) which supports Zero Touch enrollment. Hexnode MDM provides such device management capabilities with its solution.
- A Google account
A Google account associated with the business corporate account. It is important that you use a corporate account and not a personal account.
Benefits of using Android Zero-Touch Enrollment
Android zero-touch enrollment offers a streamlined deployment method for corporate Android devices and Android enterprise devices that facilitates quick, simple, and stable large-scale roll-outs for enterprises, IT, and employees. Beyond that, these are the benefits Android Zero-Touch enrollment offers to both admins and users.
Android zero-touch enrollment removes the need for individual devices to be manually configured. In this way, the IT department can roll out large numbers of devices in no time. Through ZTE, mobile device admins can ensure that all the correct configurations are in place for their users as soon as they turn on, remotely.
Also, with the automatic installation of the device management solution. The admin can assume full control over the device. This includes app installations, removals, policies, profiles, etc.
Employees can easily unbox their new device, and instantly get going. All pre-assigned apps and configurations, such as for e-mail, WiFi, and VPN use, are instantaneously accessible to the user after starting and logging on to the new device.
Configuring Android Zero-Touch Enrollment with Hexnode
Hexnode has fully integrated Android Zero-Touch enrollment to its device management solution. You can configure Zero-Touch Enrollment in your organization by following these steps.
- Associate a Google Account.
- Setup the Zero Touch enrollment portal.
- Add MDM Configuration.
- Apply MDM Configuration to devices.
Associate a Google account
The first step to configure Zero-touch enrollment is by associating a Google account. You can create a new Google account if you want to. The Google account should be associated with your corporate email, that is important. Here are the steps to associate a Google account.
- Go to Create your Google Account
- Enter your name.
- Provide your email in the Your Email Address area. Make sure you don’t instead click on Create a Gmail account.
- Provide additional information needed, and follow the on-screen instructions to complete the account creation process.
Setup a Zero Touch portal
You can sign in to the Zero Touch Portal using your corporate Google account you associated with before. After logging in you will see multiple sections there.
Configurations: You can create, modify and delete MDM configurations here. You may set default MDM configurations to apply to the devices added to the portal, if necessary.
Devices: The devices which are added to the account are listed here. The configurations can be assigned to selected devices. If not needed, the devices can even be removed from here.
Users: The users who can access and manage the portal can be added, modified, or deleted here.
Resellers: If required, additional resellers can be added here, so that multiple resellers can share your account.
Add MDM configurations
These MDM configurations are used by the device to initiate the Zero-Touch Enrollment process. Once you are signed into the Zero Touch Portal follow these steps.
- Go to Configurations
- Click on the “+” button to add a new configuration
- Configure the following to continue.
Configuration Name: The name you can provide to identify this particular configuration.
EMM DPC: Device Policy Controller, is the MDM agent that would be installed in the target device. Select Hexnode for Work.
DPC extras: You can provide JSON data here, this is available in the Hexnode MDM console. Follow this path
Enroll > Platform — Specific > Android > Android Zero-Touch.
JSON data communicates basic configurations such as time zone, language, app bundles etc from the Zero Touch web portal to the device.
Company Name: Provide the name of your organization. This name will be displayed when enrolling on the user’s screen. Email ID Provide the IT Admin email address for your company here. This will be displayed on the user’s device during enrollment and can be used to contact the IT admin regarding any enrollment issues.
Phone Number: Similar to the Email ID, provide it in case there is any requirement during the enrollment phase.
Custom Message: You can provide an optional message here to welcome the user.
Apply MDM configurations to Devices
Now, since the configurations are ready, you can start applying these to devices. These can be applied one at a time or in bulk using a CSV file.
For single devices, these are the steps
- Sign in to Zero Touch Portal.
- Go to Devices.
- Select the devices that you want to configure.
- Under Configurations against the selected devices, select the configuration which you have created previously.
- If you need to temporarily remove the device from the ZTE, select No config under Configurations.
For multiple devices, you can apply configurations using a CSV file. Here are the fields required in the CSV file you can use for this purpose.
modemtype: The parameter in this field should be always set as IMEI in uppercase character.
modemid: Provide the IMEI number of the device.
serial: Provide the serial number of the device.
model: Provide the model name of the device.
manufacturer: Provide the name of the device manufacturer.
profiletype: The parameter in this field should always be set as ZERO_TOUCH in uppercase characters.
profileid: Provide the ID corresponding to the configuration to be applied to the devices.
- Sign in to Zero Touch Portal.
- Under Configuration > choose the required configuration to be applied.
- The number sequence present under ID is the required profileid.
If you want to remove any device you can go ahead and select the deregister option right next to the device details.
Should you opt for it?
On paper Android Zero-Touch enrollment looks like the ideal deployment method. If your organization wants to manage devices that are issued to your employees as a device owner through Android Enterprise, I.e, total control over the device, then zero-touch enrollment would be a viable option. It helps provision multiple devices at the same time in device owner mode and is essentially a streamlined method to issue multiple devices in such a manner.
So, if your organization is considering to issue a set of android devices in which BYOD is not allowed, Android Zero-Touch enrollment is the way to go.