Android Enterprise zero-touch console administration guide

In order to gain access to the zero-touch console and configure devices, you must:

• Purchase zero-touch compatible devices from authorised resellers.
• Ensure the reseller creates a new zero-touch enrolment account on partner.android.com/zerotouch if you don't already have one. If you do, provide them with your customer number and allow them to add devices to your account by adding them under the resellers page.
• Ensure the reseller assigns your purchased devices to your portal.

Any of the above steps not completed will result in an inability to configure devices.

The simple zero-touch process

The zero-touch portal is designed with absolute simplicity in mind; much like the DEP portal (if you’ve ever used it) it’s basically there for you to infrequently log in, create or assign a config to managed devices and carry on with all other management via your normal EMM solution.

Once logged in, head over to Configurations to set one (or more) up, ready to assign to your devices:

Click the + icon on the right-hand side of Configurations to create a new configuration. This will open a pop-up.

To start, simply provide a configuration name, and then from the dropdown, a DPC (AKA EMM agent).

Following that is DPC extras, within this field you can paste in DPC-specific key-value pairs that add additional functionality. The key-value pairs differ by EMM, so it’s best to validate before pasting anything here. Leaving it blank is also fine. An example of what could go there for MobileIron Ivanti is as follows and more examples can be found on the zero-touch FAQ:

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"server":"core.bayton.org",
"user":"zerotouchuser",
"quickStart":false
}
}

After which provide your company name, contact email, contact phone and an optional custom message. These will be presented to the end user while enrolling; particularly for support, having the contact name and telephone number of, perhaps, the IT Helpdesk could be quite useful.

When complete, click APPLY/Add to save the configuration and close out the pop-up.

Once you’ve created one or more configurations, you may wish for all devices added by a reseller to be given a configuration by default, thus avoiding having to sign in to the console every time a new device order is made. Above the list of configurations is a Default Configuration setting:

Click on Devices on the left-hand side. Once loaded you’ll be presented with a search area and a list of registered devices. As of the 2026 portal update, the search supports any device identifier - IMEI, MEID, serial number, or manufacturer serial number - without needing to select the identifier type first. Previously, administrators had to specify the search field before entering a value.

Confirm this selection when prompted. The device will now automatically enrol into the EMM of your choice when either first taken out of the box or on the next factory reset.

Be aware if the config is used for devices or as the Default configuration this will be removed, and revert to none. You will be required to assign new configs to the respective default or individual devices to restore ZT functionality to new/existing devices.

Should a device no longer require management, be that due to it being a parting gift for a leaving employee, device destruction or anything else, use the search area or scroll down the device list to locate the device on the Devices page. Once located, click UNREGISTER/Remove.

You’ll need to confirm this action, and please be aware this is not easily reversible! Once unregistered, you’ll need to contact your reseller to re-add the device back into your console manually; not an action to be taken on a whim.

The zero-touch console supports granular role-based access. As of 2026, five roles are available: Owner, Admin, Manager, Assigner, and Viewer - replacing the previous two-role (Owner/Admin) model. Roles can be changed at any time and should be granted with least privilege in mind; Owner and Admin roles in particular should only go to trusted IT staff.

Occasionally you may wish to change resellers when purchasing zero-touch compatible devices. While it’s perfectly acceptable to request the new reseller sets you up with an account, the more convenient option for managing all devices from within one console is to simply add the new reseller to the existing customer account. To do so, head over to Resellers.

Scroll through the list of Other Resellers to locate the one you wish to add, then click Enroll.

Click Enroll/CONFIRM on the pop-up.

In the background, this sends a request to the reseller to accept your customer account. The reseller must accept your account in order to add devices into your console! Resellers cannot add themselves to your account without you opting to enrol, and once enrolled the new reseller cannot see the existing devices on your console, only those they add themselves.

To remove a reseller, preferably (but not necessarily) after all existing devices are unregistered and the relationship with the reseller terminated, head over to Resellers.

Scroll through the list of Active Resellers to locate the one you wish to remove, then click Remove/DELETE.

Click Remove/CONFIRM on the pop-up.

This will prevent the now-removed reseller from adding (or re-adding) devices to your console.

When exporting device lists from the portal, the downloaded CSV now includes all device data fields plus the reseller name and reseller ID. The CSV format is unified between upload and download, making it straightforward to export a device list, modify configurations or assignments in a spreadsheet, and re-import the file. This is the easiest path for bulk device updates without using the API.

As of 2026, deleted zero-touch customer accounts can no longer be undeleted by the customer directly. If an account is deleted in error, recovery must go through the reseller that originally created the account. Take care before confirming account deletion.

The zero-touch portal now provides audit logs covering all actions that impact the customer account - user changes, device assignments, configuration updates, and so on. Logs are retained for a maximum of one year, and only actions from March 2025 onward are available.