×

Android enterprise zero-touch FAQ

Frequently asked questions

The following represent some of the most commonly asked questions around zero-touch.

What OEMS currently support zero-touch?

As of June 2018:

  • Sony
  • Huawei
  • HMD Global
  • Google
  • LG
  • Motorola
  • Sharp

The complete list of zero-touch devices can be found here.

Where are resellers located?

As of June 2018:

  • US/Canada
  • EU
  • APac

The complete list of resellers can be found here.

What happens if a fully set up device is added to the console?

Nothing until after the device is reset.

What happens if a user starts setting up a device before the config is applied?

The config won’t apply until after the device is reset. Anything after the “checking for updates” prompt is too late.

What happens if a config is removed from an enrolled device?

Nothing until the device is reset, at which point it will not be prompted to enrol into management.

What happens if a new config for a different EMM or server is applied to an enrolled device?

Nothing until the device is reset, at which point the new config will apply.

What happens if the device isn’t connected to a network (WiFi, 3/4G) during setup?

The device will allow normal setup, however once connected to a network will prompt the user to reset, or will reset automatically after an hour.

What happens if the device is reset?

It will be forced to enrol back into management automatically following the data erase, unless a config has not been applied, or has since been removed.

What happens if a device is unregistered from the zero-touch console?

This action results in the device being irreversibly removed from zero-touch management. Please contact the device reseller to add it back in. The IMEI will be required.

Can a device be OTA managed from the zero-touch console?

No, please use an EMM solution for day-to-day device management.

Does enrolling via zero-touch slow down or cause any delay to the setup process while it’s retrieving the zero-touch config?

No, it does this extremely quickly.

What deployment scenario will a zero-touch device enrol under?

Work-managed (including COSU) and work-managed work profile (fully managed work profile).

Can anyone add a device to the zero-touch console?

No, only authorised resellers.

Can anyone remove a device from the zero-touch console?

Yes, if they have been added into the console as an admin or owner.

Is it possible to set a default configuration?

Yes, however this only affects new devices added and not those already on the console.

Is it possible to bulk update devices?

Yes, via the CSV template provided.

Is it possible to change resellers?

Yes, either by requesting a new console from a new reseller, or adding a new reseller through the existing console.

No. While zero-touch is mandatory for Android Enterprise Recommended, devices that don’t meet Google’s requirements for storage or spec can and still do support provisioning via zero-touch.

What are DPC extras?

These are a selection of DPC-specific key-pairs which manipulate the enrolment experience. An example may be pre-populating the EMM server, or enabling system applications. They vary between EMMs so do validate before attempting to use one.

What should I put in DPC extras?

The following examples offer a complete DPC extra snippet that can be copied and pasted into the zero-touch configuration. The items in bold will need to be edited to suit your environment, though, otherwise the zero-touch process will fail.

Editing ADMIN EXTRAS BUNDLE

To be of value, the ADMIN_EXTRAS_BUNDLE should ideally at least include the server URL or identifier (where appropriate), however lines for username, password, and more can optionally be omitted to allow the config to remain generic.

JSON doesn’t leave room for error – the last line within ADMIN_EXTRAS_BUNDLE must not have a trailing comma “,”. See “user” in the MobileIron config has a comma, but “quickstart” does not? If you remove “quickstart”, you’d need to remove the comma from “user” as it then becomes the last line, otherwise it could throw up an error.

Usernames & passwords

Unless the username and password are stipulated for the purpose of staging, they should not be included at all due to the potential security risks associated. If an IMEI not belonging to an organisation is mistakenly added (typo, miscommunication, human error), the device will be able to enrol automatically and potentially gain access to corporate resources.

MobileIron

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"server":"your.server.com",
"user":"user",
"quickStart":true/false
}
}

AirWatch / Workspace One UEM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"serverurl":"your.server.com",
"gid":"yourGroupID",
"un":"staginguser",
"pw":"example"
}
}

SOTI

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollmentId":"EnrollmentID"
}
}

MaaS360

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollment_corp_id”:”CorporateID”,
”enrollment_account_type":"userAccount",
"enrollment_domain":"domain",
"enrollment_username”:”staginguser”,
"enrollment_email":"emailaddress@email.com",
"enrollment_password”:”example”,
"enrollment_ownership":"Corporate Owned"
}
}

Codeproof EMM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"displayname":"devicename",
"userid":"staginguser".
"password":"example"
}
}

Intune

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken" 
}
}

Miradore

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"RegistrationKey": "REGISTRATIONKEY",
"EnrollmentKey": "ENROLLMENTKEY",
"SiteIdentifier": "SITEIDENTIFIER"
}
}

Submit a question

Need something else answered? Comment below or tweet @jasonbayton. Questions may be republished on this document.

Comments

  1. It appears under ZT that there is no explicit opting into the Google Terms of Service or Privacy Statement. Is this somehow implicit? Is there a Google public statement regarding this? Thanks.

  2. Good question! It’s an all-or-nothing tied in with the terms provided by the organisation. No opt out as of right now. I’ll update when I know more.

Something to say?

Comment