Enroll Devices with Android Enterprise Enrollment Method

Android enterprise is about managing Android devices in a way that allows enterprises to impose security policies and controls, and manage settings on every device to ensure enterprises' data security and enhance the employees' productivity. Let's talk about how to perform Android enterprise enrollment on your Android devices.

Part 1: Understanding of Android Enterprise

Android Enterprise is a platform provided by Google. It offers a set of APIs like Android Management API, Zero-Touch Enrollment API, and more to help enterprises and developers develop management features to manage mobile devices. In order to meet different management needs, Android Enterprise provides three different types, they are Work Profile, Fully Managed Device, and Dedicated Device. Here I will introduce the three types one by one:

Work Profile: It allows the admin to create a file to separate the personal data and enterprise data. Enterprise can only manage the enterprise part which not only protects the employee's privacy but also enhances the business data management. It is mainly suitable for the BYOD and COPE devices.

Fully Managed Device: It means that the admin can fully manage and control the devices. By using this type, the admin can access all the information and data of the devices. It is mainly suitable for the company-owned devices.

Dedicated Device: Dedicated device mode is also called kiosk mode. It means that devices have a specific use. For example, the food sector, advertising and public Digital Signage, and more. If you want to lock down your devices for a certain use, you can choose this mode.

Part 2: Android Enterprise Enrollment Methods

Now that we know what is Android Enterprise，we can have a deep look to learn Android Enterprise Enrollment. Erolling is the first step to configure and manage devices. Here we will introduce the 5 Android Enterprise Enrollment methods for you.

Note : Android Enterprise provides the framework and APIs that MDM providers can use to manage Android devices effectively. To enroll the devices with the Android Enterprise enrollment methods, you can integrate them with an MDM solution.

1NFC Enrollment

The NFC enrollment method allows users to enroll a device just with an NFC tag which makes it easy for users to complete the enrollment process. However, as the NFC enrollment method only supports enrolling the devices over a short distance, it is not suitable for big-scale enrollment needs.

The NFC enrollment method is only supported for fully managed device and dedicated device running Android versions 6.0+ with NFC capabilities.

To create a specially formatted NFC tag, you can use your own app or any NFC tag-generating tool. See Android Enterprise device enrollment with Google's Android Management API documentation for more information.

2Enroll by using an EMM token

Enrolling a device with an EMM token is the same to the DPC identifier method, It allows you to enroll a device with a unique code provided by EMM. Usually, the token is begun with awf# like awf#setup. So you will be curious about what the awf#setup really is. Here is a detailed explanation:

"afw#setup" refers to the process of setting up an Android device using the Android for Work (AfW) framework. Android for Work is a suite of tools and features designed to enhance the management, security, and productivity of Android devices in a business or enterprise environment.
The "afw#setup" is a special setup method that allows IT administrators or device managers to configure Android devices for work purposes, ensuring that they are properly managed and secured within the organization's network. This setup is particularly useful for businesses that provide employees with company-owned devices.
When an Android device is set up using "afw#setup," it is enrolled in the organization's mobile device management (MDM) system. This enables the IT team to apply security policies, manage apps, control access to company resources, and remotely configure the device to meet the organization's requirements. It also separates work-related apps and data from personal apps and data on the device, enhancing security and privacy.
To perform the "afw#setup," an administrator typically provides a setup URL or QR code to the user. The user then follows the provided instructions to complete the setup process. This method ensures that the device is properly integrated into the organization's mobile management infrastructure and adheres to corporate security policies.

When using the EMM token(afw#setup) enrollment method, the device must be brand new or factory reset. If the device is belongs to the Work Profile on company-owned devices, its system must be Android 8.0+.

[Video Tutorial] How to Set Up Android Enterprise Enrollment with MDM

3Enroll by using an qr code

To perform android enterprise QR code enrollment on Android devices, scan the QR code from the enrollment profile. You can get the QR code from the EMM/MDM third party applications.

The QR code method mainly suitable for the company owned devices that running Android 7.0 or later. And to perform the enrollment method, the devices also need be brand new or factory reset. Here are the steps to use the QR code enrollment method:

After factory reset the device, repeatedly tap the first screen six time you see to launch the QR reader.
On Android 8.0 devices, you'll be asked to install a QR reader. A QR reader is pre-installed on devices running Android 9 and later.
Scan the enrollment profile QR code with the QR reader, then follow the on-screen prompts to enroll.

4Enroll by using Google Zero Touch

Zero touch enrollment is a kind of automation enrollment method that allows you to pre-configure the devices. To use this method, devices must support zero-touch enrollment and be affiliated with a supplier that supports a part of the Android zero-touch enrollment service. See Zero-touch enrollment for IT admins for more information, including prerequisites, where to purchase devices, and how to link a Google Account to your corporate email (opens Android Enterprise Help docs). Below we describe how to perform Android enterprise zero-touch enrollment, using Intune as an example:

Create zero-touch configuration in admin center

Step1: Add required permission, add the app sync update permission.

Access the Microsoft Endpoint Manager Admin center.
Tenant administration > Roles should be chosen next.
Choose your role from the drop-down menu.
Click on "Properties".
Select Edit from the Permissions menu
Click on "Android for Work".
Select "Yes" next to Update app sync.
To review your changes, select Review + Save.
Click on "Save".

Step2: Enable enrollment for corporate-owned devices

Check that enrollment for corporate-owned, fully managed devices is enabled.

Navigate to Devices > Enroll devices in the admin center.
Click on "Android enrollment".
Select Corporate-owned, fully managed user devices from the Enrollment profiles drop-down menu.
Check that the Allow user to enroll corporate-owned user devices setting is set to Yes.

Step 3: Link zero-touch account to Intune

Connect your Microsoft Intune account to a zero-touch account. Intune creates a default zero-touch configuration after linking the account.

Navigate to Devices > Enroll devices in the admin center.
Click on "Android enrollment".
Click on "Zero-touch" enrollment under Bulk enrollment methods.
The iframe appears. To begin the setup process, click on "Next".
Sign in using the Google account you gave your reseller.
Choose the zero-touch account you want to link, and then click on "Link".
A default configuration is established. A screen with basic configuration information appears. Intune will apply the default configuration to any zero-touch-enabled device that does not already have one.
To proceed, click on "Next".
Add help documentation to assist device users during setup.
End up by clicking on "Save".

When you connect your account to Intune, the default configuration is implemented to zero-touch enabled devices that do not already have one. In the admin center, you can see the existing zero-touch configurations, edit and customize support information, unlink the account, and link other accounts.

Create configuration in zero-touch enrollment portal

In the zero-touch enrollment portal, add a zero-touch configuration. You can use the portal to manage configurations on its own or in conjunction with the zero-touch iframe. Configurations for fully managed and dedicated devices, as well as corporate-owned devices with a work profile, are supported by the portal.

Sign in with your Google account to the zero-touch enrollment portal.
Click the option to create a new configuration.
Fill in the information asked in the configuration panel.
As the EMM DPC app, select Microsoft Intune.
Copy and paste the JSON text below into the DPC extras field. YourEnrollmentToken should be replaced with the enrollment token you created as part of your enrollment profile. Make sure to use double quotes around the enrollment token.

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
}

Include your organization's name and support information, which will be displayed on the screen as users configure their devices.

See Zero-touch enrollment for IT admins for more information on assigning a default configuration or applying a configuration in the zero-touch portal (opens Android Enterprise Help docs).

5Enroll devices in Android enterprise using G suite

Enrolling devices using G suite (also know as Google Workplace) now means that you can also enroll the devices with the managed google accounts to apply the policies and controls to the devices

This method is mostly suitable for BYOD devices. To enroll the device with this method, the users must have managed google accounts within the enterprise. And the managed devices should be factory reset with Android Android 5.0 (Lollipop) or above.

Here is the general steps to enroll the devices with managed google accounts

Select Accounts from the Settings menu on your Android device (This option may vary depending on the type of device you are using).
Select Google accounts by clicking +Add account.
Enter your G Suite account's username and password.
Select I agree.
A prompt will appear to install the Hexnode for Work app.
Select Install.
The app will get downloaded and installed. Set up the work profile by following the on-screen instructions.
Enter the name of the portal where the device should be enrolled.
Your device will now get enrolled.

Part 3: Enroll Android devices with AirDroid MDM

Now, we know the different types of Android Enterprise methods, and we know that to enroll the devices, we need to integrate the methods with EMM, UEM, or MDM solutions. Here I will use the Airdroid Business application as an example to show you how to integrate an MDM solution and Android Enterprise to enroll and manage Android devices.

AirDroid Business MDM includes a number of alert functions, such as data usage, device offline, and so on. Once triggered, IT administrators will receive a notification and will be able to take preventative measures to resolve the issue. Here are the steps:

14-days Free Trial

Step 1.
You’ll need to navigate the Airdroid Business admin console and it will show you many enrollment options.
Pick "Android Enterprise Enrollment" then follow the instruction.
The specific action sequence should be: ‘Device’> ‘Device Enrollment’> ‘Android Enterprise Enrollment’.

Step 2.
(Skip if you have bind Gmail with AirDroid Business) Before proceeding further with the enrollment process, you must bind AirDroid Business with your Gmail. This account shall be the admin of all the managed devices, so use your company Gmail account.
Afterward, you must click the checkbox to agree to Google’s terms and conditions.
AirDroid will redirect you back to the admin interface once you successfully complete the account registration process.

Step 3.
At this point, you should see the "Enrollment Guide" is on. This will only happen after you successfully complete the prior steps. From here, you must follow the enrollment steps shown on the interface.

Step 4.
You’ll want to move to your Factory Reset device. Turn on the Wi-Fi on that device and wait for the startup sequence to kick in. This step is similar to how you usually turn on an Android device.
Do not put your email here once you get the prompt for entering the Gmail account. Instead, put the afw#setup tag in place of the Gmail account. Doing so will start enrollment and download the management app Daemon from the Play Store.

10 enter afwsetup on the Gmail sign in page

Step 5.
Now check the admin console of your AirDroid Business account. You should see the new device in the enrolled device list.

Owner and Admin accounts can view device and user activity logs to monitor device and user activities such as device enrollment, remote access usage, app publication, Admin Console login, and more. Break down silos and use modern log monitoring tools to improve operations and security while also gaining critical business insights. If you need MDM for Android device enrollment, AirDroid MDM is the best solution.

Part 4: FAQs about Android Enterprise Enrollment

How do I know if Android enterprise is installed?

The following steps will show you whether a device is capable of running Android Enterprise:

Open the Mobile@Work app on the device.
Select Settings > About > Product Details from the menu.
Confirm if Android Enterprise (AFW) Support has a value of Yes in it.

What is Android enterprise recommended?

Android Enterprise Recommended makes it easier for businesses to confidently choose, deploy, and manage Android devices and services that fulfill elevated enterprise requirements verified by Google

Is Android for work the same as Android enterprise?

Unlike Google TV, Android Auto, Android Automotive, WearOS, or other Android editions, Android for work and Android Enterprise are integrated solutions rather than separate products. Furthermore, managing Android Enterprise requires a contemporary EMM because it is a set of APIs rather than Android management in and of itself.

What is Android for Work Enrollment?

Android for Work Enrollment is a framework that allows organizations to manage Android devices for work-related tasks while keeping personal data separate. It provides a secure way to manage work apps, data, and policies on employee devices.

Conclusion

Android Enterprise is a Google-led initiative that allows Android devices and apps to be used in the workplace. The program provides APIs and other tools to developers so that they can integrate Android support into their enterprise mobility management (EMM) solutions. Android Enterprise Recommended enables businesses to confidently select, deploy, and manage Android devices and services that fulfill elevated enterprise requirements validated by Google.

How to Enroll Android Devices with Android Enterprise?