What happens if a new config for a different EMM or server is applied to an enrolled device?

Nothing until the device is factory reset. Zero-touch configurations are only downloaded and applied during the setup wizard, so any change made in the zero-touch portal - whether it is editing DPC extras, switching EMM, or assigning an entirely different configuration - has no effect on a device that is already enrolled and in use.

When an administrator changes a zero-touch configuration in the zero-touch portal or via the customer API, the change is saved server-side. The enrolled device is not notified. The updated configuration is only fetched the next time the device goes through the setup wizard, which happens after a factory reset or on first boot of a new/reflashed device.

This applies equally regardless of what was changed:

• Switching the DPC to a different EMM
• Updating the DPC extras (e.g., a new enrolment token or server URL)
• Assigning a completely different configuration to the device
• Changing the configuration name or contact details

The currently enrolled EMM continues to manage the device as normal until the device is reset.

Unclaiming a device from the zero-touch portal is irreversible without reseller involvement. The reseller will need the IMEI (or serial number for Wi-Fi-only devices) to re-register it. See What happens if a device is unregistered from the zero-touch console? for more detail.

KME behaves similarly. Profile changes (including switching to a different EMM or updating enrolment settings) do not take effect on already-provisioned devices. The updated profile only applies after a factory reset. KME supports one profile per device, and assigning an updated profile completely replaces the previous settings - there is no merging.

The most common scenario is an EMM migration. When moving devices from one EMM to another, the typical workflow is:

1. Update the zero-touch configuration to point to the new EMM's DPC and enrolment token
2. Factory reset devices in a controlled, phased rollout
3. Devices automatically enrol into the new EMM on next setup

This is one of the key advantages of zero-touch and KME for fleet management - there are no QR codes to redistribute, no new provisioning instructions, and no manual intervention beyond triggering the reset.

Other scenarios include:

• Enrolment token refresh - AMAPI enrolment tokens can expire, requiring the DPC extras to be updated with a new token
• Server URL changes - if the EMM's enrolment endpoint changes
• Organisational restructuring - reassigning devices to different management tenants or policies
• Decommissioning - removing configs before reselling or repurposing hardware

• Update the zero-touch configuration before beginning resets - this ensures every device that resets picks up the new EMM automatically
• Do not delete or unlink the Android Enterprise bind from the old EMM before updating zero-touch configurations. Doing so may permanently impact andy zero-touch account association
• Test with a single device first before rolling out to the full fleet
• Monitor enrolment token expiry on the new EMM - an expired token means the device will fail provisioning after reset
• For more detail, see the EMM migration guide

• What happens if a zero-touch config is removed from an enrolled device?
• What happens if a zero-touch assigned device is reset?
• What happens if a device is unregistered from the zero-touch console?
• What are DPC extras?
• Zero-touch DPC extras collection
• EMM migration guide