What is Android Enterprise Zero Touch Enrollment?
As workforces become progressively more remote, and demand for efficient, secure, and personalized devices grows, it's essential that corporate entities can govern their asset population with complete autonomy and assurance. In order to do this, an increasing number of companies are adopting the strategy of zero-touch enrolment, which ensures all devices can be managed through a centralized hub, with administration teams able to apply configurations, enforce security policies, and upload key information to company assets remotely.
The core objective of these efforts is to ensure employees remain productive, and are afforded ease of access to relevant channels, but also to help retain the integrity of sensitive data, and protect devices from external security threats.
Part 1: What is zero-touch enrolment?
The key concept of Android zero-touch enrolment is to equip businesses with a tool to manage all aspects relating to their respective device fleets. Through the mechanism of enterprise mobile management systems, which are deployed in company-wide contexts via zero-touch consoles, corporations can gain full control and transparency over device activity.
Indeed, whether it's configuring specific profiles to singular smartphones, uploading bulk default security settings to a select group of assets, or de-registering a device for the purposes of ownership transference, zero-touch enrolment helps deliver fully-managed solutions to enterprises across a range of sectors and industries.
The zero-touch console (or "portal") is established by authorized re-sellers, who are empowered to sell devices ready for out-of-box enrolment. Such devices can be provisioned using remote EMM solutions, as opp
Part 2: Advantages of zero-touch enrolment
There are a number of benefits for companies opting to embrace zero-touch capabilities to manage device populations.
- Enrolment is only required once; zero-touch consoles remain continually active.
- Enables companies to facilitate widespread and productive management of corporate devices.
- Allows mobile device management solutions, imperative to corporate security strategies, to be rolled out seamlessly.
- Provides ease of accessibility to re-sellers when integrating later purchased devices onto zero-touch consoles.
- Business admin teams are able to amend device profiles and security policies as necessary. Furthermore, provided default configurations have been set, new devices are automatically enrolled and aligned to the principles of the selected EMM approach.
Part 3: Zero-touch enrolment for IT teams
The set-up, organization, and maintenance of corporate devices are typically operated by business IT administration teams. The following considerations apply when presiding over the installation, utilization, and management of zero-touch enrolment-related practices:
In order for devices to be receptive to zero-touch and by extension EMM methodologies, they must be:
- Installed with an operating system of either Android Pie (9.0 or later), an appropriate device using Android Oreo (8.0), or a Pixel-operated smartphone with Android Nougat (7.0)
- Provided by an enterprise mobile management (EMM) supplier whose systems facilitate fully-managed device capabilities.
- Tethered to company-dedicated zero-touch portal accounts produced by an authorized zero-touch re-seller, present on the "Android Enterprise Recommended" re-seller list.
Where can zero-touch devices be purchased?
These devices can only be acquired directly through a re-selling partner, and therefore are not available through a digital store. Android offers an "Enterprise Solutions Directory", which lists all approved zero-touch device re-sellers.
Which Android devices are available?
Specific re-sellers have particular agreements on which devices they can offer clients. As of September 2020, certain re-sellers were given the authorization to sell any asset receptive to zero-touch enrolment, whilst others were able to only trade within a pre-defined list of devices. From 2021, all re-sellers were given permission to trade any device fitted with the Android Pie (9.0 or later) operating system.
Which EMMs support zero-touch enrolment?
Android has published a list of enterprise mobile management systems capable of handling devices readied for zero-touch enrolment (the "Partners" register). Many EMMs embed the zero-touch "iframe" in their own console to deliver an efficient zero-touch device enrolment procedure.
What to do if a device re-seller is not an authorized zero-touch re-seller
In order for device fleets to be successfully added to zero-touch consoles, re-sellers must be approved to provide this service. If a business discovers their re-seller is not authorized under these terms, they should request them to submit an application to change their re-selling status.
Devices with zero-touch and Samsung Knox mobile enrolment
If a specific device has received configuration uploads from both a zero-touch and Samsung Knox console, it will always default to its Knox-attributed profile. To prevent this from occurring, and therefore to align the device setting to the zero-touch managed program, admin teams must de-register the asset from the Knox mobile enrolment platform.
How to use zero-touch enrolment
The nucleus of any zero-touch governance system lies within its central console, which facilitates all actions taken by admin teams to regulate devices across their company estate.
Set-up and deployment guide for zero-touch enrolment portal:
- Procure the device from a trusted, authorized re-seller, who will create a dedicated, zero-touch enrolment account for the business.
- Develop an appropriate configuration in the zero-touch portal after gaining access through the re-seller-produced account. This involves the deployment of a suitable EMM strategy, tailored to the requirements and conditions of the business.
- Company to link their device population to zero-touch through three potential methods:
- Via "iframe"
- Via portal to deliver a business-broad, default configuration
- Via portal to deliver a manual application to select devices
The portal also enables administration personnel to
- Register and de-register re-seller partners
- Determine which company employees can access this console.
Getting the zero-touch portal
Re-sellers will automatically create a corporate entity zero-touch enrolment account. However, in order for this process to run smoothly, organizations should provide the re-seller with details of the business Google Account tethered to their corporate e-mail address.
Setting-up an associated Google Account
Process for establishing an associated Google Account:
- Create Google Account (business, not personal)
- Provide organization name
- Enter corporate e-mail address as default e-mail contact
- Provide further information as requested, pressing "next" when complete.
- Click through to confirm registration process.
It's highly recommended that admin teams optimize account security settings by implementing a two-step sign-in verification process when prompted.
Zero-touch portal account
The console contains a number of key features and support mechanisms integral for managing a corporate device fleet. Once an associated Google Account has been suitably administrated, IT teams will be able to access their company zero-touch portal.
There are a number of options within the console's navigation panel:
- Configurations: Used to produce, amend, and remove EMM configurations. Administrators will also be able to prepare default configurations for device roll-out.
- Devices: Option enables users to locate current and register new devices, and apply configurations on any company asset.
- Users: For admin teams to manage portal accessibility, adding, amending, and removing individuals with authorization to enter the console.
- Resellers: Add and remove re-seller partners tethered to business account.
Steps for configuring zero-touch enrolment
Configurations are vital for setting the conditions of device control. These are developed by taking three key actions:
- Selecting and installing an EMM device policy controller (DPC) on devices
- Selecting a set of EMM policies to impose on devices
- Producing consistent metadata displays, used to guide end-users during device set-up.
To utilize zero-touch enrolment, admin teams must add a configuration. To do this:
- Set-up: Transfer EMM policies from the enterprise mobile management portal to the zero-touch console, then add this configuration using the following instructions: Navigation Panel > Configurations > Add (+). Then enter:
- Configuration name: This should be easily memorable and accurate to department/business area it corresponds to.
- EMM DPC: Check the details of the business' EMM DPC application. If it is not listed, administrators should reach out to the EMM provider to confirm whether their system supports zero-touch enrolment.
- DPC Extras: Confirm company's EMM policy position, ready for transference to DPC application.
- Company name: Enter business title. Displayed throughout end-user set-up processes – therefore needs to be accurate.
- Support e-mail address: Confirm point of contact for end-users to access support. Normal address for IT support team is advisable.
- Support phone number: Confirm point of contact for end-users to access support. Normal phone number for IT support team is advisable.
- Custom message: To aid end-user interactivity, troubleshooting or gain feedback, businesses can produce bespoke device support messages, displayed on-screen when required.
When a configuration has been successfully produced, it's widely seen as beneficial for companies to prepare a default configuration setting. This enables admin teams to apply EMM policies en masse, through their respective zero-touch enrolment accounts.
Assign a default configuration
To mobilize a default configuration for recently purchased devices:
Navigation Panel > Configurations > Select desired configuration in Default configuration tab > Apply.
Any newly applied configuration will provision itself onto devices out-of-box, or when a factory reset is processed on an existing asset.
Apply configuration to a single device
To do this:
Navigation Panel > Devices > Enter IMEI or Serial No. of device intended for configuration to locate on console > Select desired configuration > Apply
If the aim is to delete a device from the fully-managed network, click "No configuration" to temporarily suspend the device from zero-touch console actions.
Apply configuration to many devices
If the aim is to apply a configuration to multiple devices, a CSV file must be uploaded to the company's zero-touch enrolment account. The CSV file must carry all the data needed to support a sweeping configuration change in one motion: the ID of the selected configuration, and the hardware identifiers of the devices due for an update.
After admin teams have readied the CSV file, it needs to then be delivered onto the zero-touch console for onwards roll-out. To do this:
Navigation Panel > Devices > More > Upload batch configurations > Highlight CSV file > Upload
Once this action has been processed, a notification will appear on-screen containing a link to a status page (the link is also e-mailed to the company address provided). Here, IT teams will be able to review any device configurations which have proved unsuccessful, with an explanation of each error included.
Device configuration CSV file format
A correctly produced CSV file carries, for each device, the hardware identifiers the portal uses to recognize it. The columns are: "modemtype" (IMEI or MEID) with the matching number in "modemid"; "serial" and "model", which are typically used to identify Wi-Fi-only devices (i.e., tablets); "manufacturer"; and "profiletype" and "profileid", which name the configuration to apply.
Some devices carry two modems, and therefore two IMEI or MEID numbers. When listing such devices, admin personnel should enter the first hardware identifier, as zero-touch enrolment recognizes a device by its modem 1 identifier.
De-register one or more devices
This process is required when re-assigning device ownership, which may be fairly routine in corporate contexts with a high turnover of staff. To deliver this action on an individual device:
Navigation Panel > Devices > Locate device intended for de-registration > Deregister (click on device line then confirm).
In order to de-register a number of devices simultaneously, a device configuration CSV file must once again be utilized. To do this:
- Produce a device configuration CSV file that incorporates relevant information on every device intended for de-registration
- Remove the "profileid" column, and replace it with a self-produced "owner" column
- Values in this newly-constructed column should all be 0
- Upload the CSV file to the zero-touch portal
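Both batch operations above (applying one configuration to many devices, and de-registering many devices with an "owner" column of 0) come down to producing the same CSV layout. The following script is an added example, not code from the article or from Google's portal; it assumes the column names as the article describes them, assumes "ZERO_TOUCH" as the profiletype value, and enforces the modem 1 rule for dual-modem devices. Device identifiers and the configuration ID in it are constructed sample values.

```python
import csv
import io

# Column layout as the article describes it (names are this example's reading of the
# page, not a template from Google; check against the one your zero-touch portal offers).
REGISTER_COLUMNS = ["modemtype", "modemid", "manufacturer", "model", "serial",
                    "profiletype", "profileid"]
DEREGISTER_COLUMNS = ["modemtype", "modemid", "manufacturer", "model", "serial", "owner"]
HEX = set("0123456789abcdefABCDEF")


def identity(manufacturer, model, *, imei=None, meid=None, serial=None):
    """Describe one device. For a dual-modem handset pass only the modem-1 IMEI or MEID,
    because zero-touch matches the device on its first modem identifier."""
    if imei and meid:
        raise ValueError("give the modem-1 identifier only, not both an IMEI and a MEID")
    if imei and not (len(imei) == 15 and imei.isdigit()):
        raise ValueError(f"IMEI must be 15 digits: {imei!r}")
    if meid and not (len(meid) == 14 and set(meid) <= HEX):
        raise ValueError(f"MEID must be 14 hex digits: {meid!r}")
    if not (imei or meid or serial):
        raise ValueError("a Wi-Fi-only device must be identified by its serial number")
    return {"modemtype": "IMEI" if imei else "MEID" if meid else "",
            "modemid": imei or meid or "", "manufacturer": manufacturer,
            "model": model, "serial": serial or ""}


def build_batch_csv(devices, *, profile_id=None, profile_type="ZERO_TOUCH"):
    """Return the CSV text to upload. With profile_id, every row applies that
    configuration; without it, the batch de-registers the devices, so the 'profileid'
    column is replaced by an 'owner' column whose value is 0 on every row.
    The profile_type default is an assumption, not a value taken from the article."""
    if profile_id is None:
        columns, extra = DEREGISTER_COLUMNS, {"owner": "0"}
    else:
        columns = REGISTER_COLUMNS
        extra = {"profiletype": profile_type, "profileid": str(profile_id)}
    seen = set()
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for dev in devices:
        # A hardware identifier listed twice would apply the row twice without warning.
        key = dev["modemid"] or dev["serial"]
        if key in seen:
            raise ValueError(f"duplicate device identifier in batch: {key}")
        seen.add(key)
        writer.writerow({**dev, **extra})
    return out.getvalue()


def parse_batch_csv(text):
    """Read a batch file back, e.g. to review it before upload."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    fleet = [identity("Google", "Pixel 4a", imei="490154203237518"),      # constructed
             identity("Samsung", "Galaxy Tab A", serial="R52N70ABCDE")]  # constructed
    print(build_batch_csv(fleet, profile_id=1234567890))  # placeholder configuration ID
    print(build_batch_csv(fleet))
```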
Language preferences can be altered when visiting the company's associated Google Account. The zero-touch portal is typically available in the following languages:
American English, British English, Danish, Dutch, French, German, Italian, Japanese, Norwegian, Polish, Portuguese, Spanish, and Swedish.
The following are two of the most commonly encountered issues relating to zero-touch enrolment set-up and its continued operation:
Device doesn't provision itself out-of-the-box
If admin teams discover that a device isn't conducive to actions delivered by a zero-touch enrolment account on initial set-up, they should:
- Firstly, sense check whether device is zero-touch enrolment capable.
- Head to the navigation panel on the company zero-touch account and try to locate device using a hardware identifier (i.e., IMEI number). If there is no trace of the device, the re-seller should be contacted to register the asset.
- Review whether an appropriate configuration has been applied. If the navigation panel denotes that this device has "no configuration" setting in play, zero-touch alignment will not have occurred and therefore no appropriate registration process has taken place.
- If either of the aforementioned issues is the reason for the failure, and is suitably addressed, a full factory reset will still need to be performed to provision the device accordingly.
- If the original set-up was executed without a data connection, zero-touch enrolment will not have taken place, as the process requires a connection to Google servers to function. In instances where the device carries a configuration but the zero-touch enrolment process has been missed, the device will automatically reset upon connection to Google servers (the end-user is warned of the reset one hour prior to commencement).
Device shouldn't be included in zero-touch enrolment
Whenever a device is tethered to a zero-touch console, it displays a "Your device at work" message upon start-up, confirming that the asset is subject to fully-managed controls. Should a company wish to remove a device from the company estate, it should initially de-register it from the zero-touch portal (following the instructions provided earlier).
After this, admin teams should reach out to the company's re-seller. Contact information for this organization can be found by following these steps:
- Performing a factory reset on the device
- Clicking the link to contact your device's provider featured on the "Your device at work" message upon start-up
- This will produce a Device information tab, which holds details of the re-seller's phone number and e-mail address.
- Contact re-seller to request de-registration of device.
Part 4: Delete devices from zero-touch enrolment portal
If a device needs to be permanently cleared from a company's zero-touch enrolment account, IT teams can deliver a full deletion via the following steps:
Navigation panel > Devices > Select device for removal > Deregister > Deregister device? – prompt will appear > Confirm deregister
Part 5: What is AirDroid MDM?
AirDroid MDM is a mobile device management solution that helps customers manage all kinds of Android devices to upgrade their business. Whether it's integrating mobile threat defence systems to bolster security mechanisms, embedding EMM policies to manage conditions for device activation and usage, or indeed ensuring labor forces maintain productivity levels by providing convenient access to relevant data, AirDroid MDM is equipped to empower businesses in these pursuits.
In specific relation to zero-touch enrolment, AirDroid MDM can help ensure all business Android devices are profiled, configured, and sustainably fully-managed to maximize asset performance, whilst mitigating the threat of external security risks.
Part 6: FAQs about Zero-touch enrollment
What is zero-touch deployment?
A process that allows businesses to manage their device fleets through a dedicated zero-touch enrolment account.
How does a business enrol an Android device?
The company's re-seller partner will automatically create a zero-touch enrolment account; however, companies must associate a business Google Account to link to this portal. From here, devices will be ready out-of-box or via factory resets to receive new configurations administered via the zero-touch console.
How do I register my Android device?
Any Android device suitable for zero-touch system capabilities should be registered automatically to a business' zero-touch enrolment account by the company's re-selling partner.
What is a zero-touch asset (laptop/Mac/tablet)?
An asset receptive to being provisioned through zero-touch portal activities.
The information articulated in this article not only serves to offer guidance on how teams should implement, make use of, and sustain zero-touch ready devices across a company estate, but also highlights the critical nature of embedding fully-managed solutions (via the incorporation of EMM policies) by governing corporate assets through a zero-touch enrolment account.
In reality, given advancements in the way unsavory actors attempt to access business confidential data, and the growing requirement to offer remote workers convenient and safe access to company materials, the pressing need to embrace zero-touch capable devices, and therefore the use of zero-touch consoles to direct and manage asset populations, will only proliferate in years to come.