Android Zero Touch Enrollment

What is Zero Touch Enrollment?

When you have a whole lot of corporate-owned devices to be enrolled in bulk, Zero-Touch Enrollment (ZTE) is the best way to go. Android ZTE is a one-time process for the secure deployment of corporate-owned devices without manually configuring each of them.
It is an out-of-box enrollment method where the devices will be enrolled in the MDM once it is powered on and connected to the network. It prevents unauthorized devices from joining your MDM environment, thus enhancing your security.

What are the key features of Zero Touch Enrollment?

1. One-time setup: It is a one-time setup where the end-user needs to just power on the device and connect to the network to get enrolled with MDM.
2. Bulk enrollment of devices: It allows large scale roll-out of corporate-owned devices without physically accessing any of them.
3. Enrolled as Device Owner or WP-C: Devices enrolled through ZTE will be provisioned as Android Enterprise-enabled devices, configured either as Device Owner or Work Profile on Company Owned Device (WP-C).
4. Allows resellers to add devices to the portal.

What are the requirements for Zero Touch Enrollment?

Before starting the enrollment process, the following pre-requisites are to be met.

• Devices should be purchased directly either from a Zero touch reseller partner / Google partner and not from a consumer store. ZTE extended the support for all devices including Samsung devices running on Android 9.0 and above. For Samsung devices running on lower OS versions, you need to use the Samsung Knox Mobile Enrollment (KME) to enroll such devices in the Hexnode UEM portal.
• Phones/tablets running Android 9.0 and above.
• Ensure that your device is compatible with ZTE from the list of Android Zero Touch Devices.
• A Google account associated with corporate email. Ensure that you don’t use your personal Gmail account.

Configure Zero Touch Enrollment

There are four steps by which you can complete Zero Touch Enrollment:

1. Associate a Google Account.
2. Setup Zero Touch enrollment portal.
3. Add MDM Configuration.
4. Apply MDM Configuration to devices.
Note:


Before configuring Android Zero-touch enrollment, make sure you have enrolled your organization in the Android Enterprise program.

Associate a Google Account

You need a Google account associated with your corporate email to set up the Zero touch portal.

1. Navigate to Create your Google Account.
2. Provide your name.
3. Provide your corporate email in the field Your email address. Ensure that you don’t click on Create a Gmail account instead.
4. Provide other requisite details and follow the on-screen instructions to complete the account creation process.

Setup Zero Touch Enrollment Portal

1. Sign in to Zero Touch Portal using the Google account linked to the corporate email.

Add MDM Configuration

1. Sign in to Zero Touch Portal.
2. Navigate to Configurations.
3. Click on the Add button to add a new configuration.
4. You will have the following options to be configured.

Settings	Description
Name	Provide a suitable name to identify your configuration.
EMM DPC	Select Hexnode For Work app from the list of EMM apps.
DPC extras	Provide the JSON data here. JSON data is available under Enroll > Platform – Specific > Android > Android Zero-Touch. Select the JSON file based on whether the device is managed in ‘Device Owner’ or ‘Work Profile on Company-Owned Device (WP-C)’ mode and create a configuration. Notes: Leave the username and password fields of the JSON file empty for open enrollments and authenticated enrollments via Active Directory (AD), Microsoft Entra ID, Google, and Okta directory services. That is, the JSON file should be of the form: Sample JSON file MS DOS { "android.app.extra.PROVISIONING_LOCALE": "en_GB", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/London", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverUri": "portalname", "username": "", "password":"" } } 1 { "android.app.extra.PROVISIONING_LOCALE": "en_GB", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/London", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverUri": "portalname", "username": "", "password":"" } } Devices enrolled via Open enrollment will be assigned to the Default User selected under Enroll > Settings > No Authentication. Leaving the username and password fields of the JSON file empty for self-enrollment (local) cases will prompt the local users to authenticate with their local user credentials to enroll in MDM. You can also skip the authentication process by assigning devices directly to local users while enrolling devices via self-enrollment. In that case, provide the email address and password in the ‘username’ and ‘password’ fields respectively of the JSON file. Here, the JSON file will be of the format: Sample JSON file MS DOS { "android.app.extra.PROVISIONING_LOCALE": "en_GB", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/London", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverUri": "portalname", "username": "emailaddress", "password":"password" } } 1 { "android.app.extra.PROVISIONING_LOCALE": "en_GB", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/London", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverUri": "portalname", "username": "emailaddress", "password":"password" } }
Company Name	Provide the name of your organization. This name will be shown on the user’s device during enrollment.
Email address	Provide your organization’s IT admin email address here. This will be displayed on the user’s device during enrollment, and it can be used to contact the IT admin in case of any issues with enrollment.
Phone Number	Provide your organization’s IT support phone number here. This will be displayed on the user’s device during enrollment, and it can be used to contact the IT admin in case of any issues with enrollment.
Custom Message	Provide an optional message to be displayed on the device screen during enrollment.

Apply MDM Configurations to devices

Once the configurations are created, you need to associate them with the devices. You can apply the configuration to a single device or multiple devices.

Apply configuration to a single device

1. Sign in to Zero Touch Portal.
2. Navigate to Devices.
3. Select the devices to which configurations are to be applied.
4. Under Configurations against the selected devices, select the configuration which you have created previously.
5. If you need to temporarily remove the device from the ZTE, select No config under Configurations.

Apply configuration to multiple devices

Configurations can be applied to multiple devices by using a CSV file.

CSV file should be in the following format.

Once the CSV file is prepared, you can upload the file to the Zero touch portal.

1. Sign in to Zero Touch Portal.
2. Navigate to Devices and click on the ellipsis (3 dots) icon in the table header.
3. Select Upload Batch Configuration.
4. Upload the CSV file.
5. All the devices in the CSV file will now be assigned to the specific configuration.

Remove the devices from Zero Touch Portal

You can remove the devices from the Zero Touch Portal through the de-registering process.

Follow the steps to deregister the device,

1. Sign in to Zero Touch Portal.
2. Navigate to Devices.
3. Select the device you want to remove and click on the Deregister option against the devices.
4. Click on Deregister in the confirmation panel.