Configure Zero-Touch Enrollment for Android

Zero-touch enrollment lets you remotely enroll and deploy new corporate Android devices without the need to handle and configure each device individually. This type of enrollment can save you time when you are deploying a large number of company-owned devices. For more information on Android's zero-touch portal, see Google’s Zero-touch enrollment for IT admins.

Zero-touch enrollment streamlines the procurement and enrollment process of corporate owned devices in four steps:

1. Your company purchases supported devices from a designated reseller.
2. The reseller sets up your company’s account within the Android zero-touch portal with your purchased devices. The devices are then shipped to your company.
3. You create EMM configurations within the zero-touch portal that will apply to the devices.
4. Your end users receive their devices, and the automated zero-touch flow ensures automatic enrollment and configuration of the device. 

Prerequisites:

• Check the list of compatible devices at Android Enterprise.
  • Android devices must run Android 9.0 or later.
  • Pixel devices must run Android 7.0 Nougat or later.
• Devices must be purchased directly from an approved zero-touch reseller.
  • To find a reseller, see the Android Enterprise Partners Device Resellers page.
  • If your preferred reseller isn’t on the list, you can suggest they join the Android Enterprise Partners Program.
• Devices must support work profiles.
• To deploy Android devices with zero-touch enrollment in the JumpCloud platform, Android EMM must be configured for your enterprise.
  • See Set up Android EMM.

Considerations:

• Organizations can only be linked to a single Android zero-touch account at a time. Multiple admins can access the same account only if the owner admin provides access.
• Before deleting your org from the Android zero-touch account, you should unlink your org from the account. If the zero-touch account is still linked to the org and the org is deleted, the zero-touch account becomes unrecoverable, preventing the ability to link that account to a new org.

Configuring Zero-Touch Enrollment

Once you have set up Android EMM, you will see an Android Zero-Touch Enrollment section, which includes a link to launch the Android zero-touch portal. To begin zero-touch enrollment, you will need a zero-touch enrollment token.

To generate a zero-touch enrollment token:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > MDM and select Google.
3. Under Admin Android Configuration, select an enrollment type click Create Enrollment Token.
4. In the Create Enrollment Token editor, configure the following:
   
   • Name: Assign a name to the token so that it is identifiable to you.
   • Policy: Pre-filled based on the enrollment type selected previously.
   • Token Use: Choose whether the token will be single-use (individual) or multi-use (batch).
   • Token Expiration: Choose the duration for which the token will be valid. The default is 1 Hour. If Custom, configure the following:
     • Expires in: Enter a value that represents the length of time the enrollment token will be valid, from 1 to 10,000.
     • Duration: Select from Minutes, Hours, Days, or Years.
   • Use this token for zero-touch enrollment?: Select Yes.
5. Click Create Token.
6. Click Copy Zero-Touch Data. Alternatively, click Download Zero-Touch Data to save the data to your device. A success message appears. Continue with the steps below to configure the Android zero-touch portal with your zero-touch enrollment data.
   

To configure zero-touch enrollment in JumpCloud:

1. Under Android Zero-Touch Enrollment, click Launch Zero-Touch Portal to open the zero-touch portal embedded in JumpCloud.
2. Under Link your zero-touch account to your EMM provider, click Next.
   
3. Under Choose an account, select the Google account associated to your zero-touch portal in order to link to JumpCloud Android EMM. If your account is not available, click Use another account and enter the account information that was provided to you by your authorized reseller partner.
   
4. Under Choose accounts to link, you should see a list of zero-touch accounts. Select the account you want to link to JumpCloud Android EMM and click Link. Note: A zero-touch account can only be linked to one EMM tenant at a time.
   
5. Once the account is linked, verify that the configuration is using com.google.android.apps.work.clouddpc. Click Next on the Zero-touch account linked page. 
   
6. On the Add support info screen, enter your organization’s information that will be displayed to your end users during their zero-touch enrollment, and click Save.
   
7. Click View devices in the zero-touch portal to open your Android zero-touch account in Google. Leave this tab open, as you will be entering your configuration from JumpCloud here.
   

Creating a Device Configuration

Now that zero-touch is configured in JumpCloud, create a device configuration in the Android zero-touch portal to assign to your zero-touch devices.

To create a zero-touch device configuration:

1. In the zero-touch portal Configurations tab, click + to add a new configuration.
   
2. In the Add a new configuration modal, enter the details for your configuration:
   
   1. Configuration name: Enter a short, descriptive name that describes the configuration’s purpose and is easy to find in a menu. For example, “Sales team” or “Temporary employees”.
   2. EMM DPC (device policy controller): Select Android Device Policy.
   3. DPC extras: Set your organization’s EMM policy data that’s passed to the DPC. Paste Zero-Touch Enrollment Data you generated and copied from the Admin Portal above.
      • The configuration will force enroll the device(s) into a specific management mode (the enrollment type you configured earlier).
      • DPC extras are not customizable at this time.
      • DPC extras pasted from the JumpCloud Admin Portal contain a unique enrollment token with an expiration date set by you.
   4. Company name: Enter the name of your organization. This company name is displayed to end users during device provisioning.
   5. Support email address: Enter an email address that users can contact to get help, such as your internal support email address. This email address is shown to users before device provisioning. Users can’t click the email address to send a message, so choose a short email address they can easily enter on another device.
   6. Support phone number: Enter a phone number users can call from another device to get help, such as the phone number of your IT support team. This number is shown to users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that users recognize.
   7. (Optional) Custom message: Enter 1–2 sentences to help users contact support or give them more details about what’s happening to their device. This message is shown before the device is provisioned.
3. Click Add.
4. (Optional) In the Default configuration section, select the configuration you just added and click Apply. This default configuration will be applied to any new devices added to your account by your reseller.

Managing Device Configurations

Applying a Configuration to a Single Device

When you apply a configuration to a device, the device automatically provisions itself on first boot or next factory reset. You can apply configurations manually or in bulk.

To apply a single device configuration:

1. In the zero-touch portal, click the Devices tab.
2. Find the device you want to apply the configuration to using its IMEI or serial number.
3. Under Configuration, choose the configuration you want to apply.
   
4. Click Update.
5. The configuration will only apply on first boot of the device or when the device is factory reset.

Applying a Configuration to Multiple Devices

To apply a configuration to many devices at once, you can upload a CSV file that lists the configuration ID and hardware identifiers for each device. First, download the CSV template from the zero-touch portal to get started. For details, see Device configuration CSV file format.

To download a template and upload a completed CSV file:

1. In the zero-touch portal, click the Devices tab.
2. Next to Devices, click the three dots. A menu opens.
   
3. Click Upload batch configurations.
4. (Optional) In the Upload batch configurations modal, click Download example CSV to download an example file.
5. Click Upload and browse to your completed CSV file.
6. Click Upload.

After processing, the portal shows a notification with a link to an upload status page. You also receive an email summary. In the email, click See details to open the status page. Any device that was not assigned to a configuration is listed with a reason for the error.

Editing a Configuration

To edit a configuration:

1. In the zero-touch portal, click the Configurations tab.
2. Select the configuration you want to edit.
3. When you are finished with your desired edits, click ADD.

Deleting a Configuration

To delete a configuration, the configuration must be removed from all devices where it has been assigned. You will not be able to delete the configuration profile until you have removed the profile assignment from the device.

To delete a configuration:

1. In the zero-touch portal, click the Devices tab.
2. Find a device where the configuration is applied. Under Configuration, select No config.
3. In Update this device?, select UPDATE.
4. Repeat the previous steps for each device where the configuration is applied.
5. When the configuration is no longer assigned to any devices:
   • In the Zero-Touch Portal, click the Configurations tab.
   • Select EDIT next to the configuration you want to delete.
   • Within the configuration pane, select DELETE.

Managing Devices

Deregistering a Device

To transfer ownership of a device, you need to deregister the device in the zero-touch enrollment portal. To register a device into zero-touch enrollment again after you deregister it, you must contact your reseller.

To deregister a device:

1. In the zero-touch portal, click the Devices tab.
2. Locate the device you want to deregister using its IMEI or serial number.
3. Click Deregister > Deregister.

Temporarily Excluding a Device from Zero-Touch Enrollment

To prevent a device from enrolling automatically on startup, remove the zero-touch configuration in the zero-touch portal. This might be desirable if you want to keep a device separate for testing, for example.

To exclude a device:

1. In the zero-touch portal, click the Devices tab.
2. Locate the device you want to deregister using its IMEI or serial number.
3. Under Configuration, select No config.

Enrolling Devices (End Users)

Your device is pre-registered for zero-touch enrollment by your IT Admin. When you first turn on the device, follow the on-screen instructions to set it up. Once setup is complete, the device is managed by your organization.

1. Turn on the device.
2. Follow the on-screen instructions until the screen prompts you to transfer your old data to the device (e.g. Bring your old data for quicker setup or similar).
3. Select Skip this for now.
4. Click Next.
5. Continue following the on-screen instructions to set up the device.

Example Setup Workflow

1. Turn on the device. On the Welcome screen, tap Get started.
2. Select a network to connect your device to WiFi and enter your network credentials.
3. Your device will cycle through several loading screens, including:
   • Getting your phone ready…
   • Checking network info…
   • Checking info….
4. On the This device belongs to your organization screen, click Next.
   • Getting ready for work setup….
   • On the Let’s set up your work device screen, click Accept & continue .
5. Your device will cycle through more loading screens, including:
   • Keep your work apps at your fingertips –
   • (Privacy notice – This Pixel isn’t private) Click Next.
   • (Google services) – Click Accept.
   • (Warranty information) – Click Next.
6. Your device will cycle through several loading screens, including:
   • Updating device…
   • Checking code…
   • Registering device…

Troubleshooting