Zero-Touch Enrollment for Android Devices

As described in Android Enterprise Help, Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the MobiLock MDM agent, which then completes setup of the managed device.

Android zero-touch enrollment offers a seamless deployment method for corporate-owned Android devices making large scale roll-outs fast, easy and secure for organizations, IT and employees.

This document guides on how-to setup MobiLock Dashboard to be used in conjunction with Zero-Touch devices. We would highly recommend referring to original Android Zero-Touch help document here before you start setting up zero-touch in MobiLock Dashboard.

Note: Zero-Touch enrollment is supported only on selected Android 8.0 or higher devices and Google Pixel with Android 7.0 purchased from a zero-touch reseller partner.

Before You Begin

  1. Procure a Zero-Touch portal account from a reseller partner. Find the list here.
  2. Compatible Zero-Touch device from the list in Android Zero-Touch site.
  3. A valid MobiLock account.
  4. Complete Android for Work setup, Create a Device Profile and QR Code configuration.

Visual Guide

You can watch our video guides to get yourself acquainted with the steps to configure Zero-Touch enrollment.

Part 1 - Zero-Touch setup on Mobilock Dashboard

Part 2 - Zero-Touch Enrollment on Android Device

Coming Soon!!

Zero-Touch Setup on Mobilock Dashboard

Zero-Touch streamlines the enrollment process of devices and makes MobiLock android client the device owner right on the first boot. Since it automatically enrolls the device, certain steps in Dashboard are mandatory before you proceed with the Zero-Touch.

Steps on MobiLock Dashboard

The steps below refer to other help documents for mandatory steps, so that the focus is on Zero-Touch setup.

  1. Sign In to MobiLock Dashboard.
  2. Setup Android for Work.
  3. Create a Device Profile for your zero-touch devices.
  4. Create a Device Enrollment Configuration (a.k.a QR Code) that can be used for zero-touch enrollment as well.
  5. Navigate to Mission Control > Android for Work Setup
  6. Click on the ZERO TOUCH SETUP tab.
  7. Click on CREATE CONFIGURATION to start creating a configuration,

  8. In the configuration creator window enter a name for your configuration, select a QR Code configuration and click on SAVE


  9. Once the configuration is created it will be shown in the list of configurations, click on it to expand it. This expanded view guides on the next 3 steps,
    1. Copy Configuration: Click on the Copy icon to copy the configuration.
    2. Learn Next Steps: Links to this help document and video to guide any admin in your dashboard on how to use.
    3. Complete Setup: From this point you would have to navigate to Android's Zero-Touch portal to finish setup.
  10. Once you have copied the configuration as shown above, click on the Complete Setup step. Click on the Sign In link to navigate to zero-touch portal. Follow the steps in section below to complete the setup.
Steps on Zero-Touch Portal
  1. Once you Sign-In to the zero-touch portal, click on Configurations tab on the side bar. Click on the + symbol to create a new configuration.
  2. The configuration creator in zero-touch portal offers you the settings mentioned below. Once you have filled in all fields, click ADD to add the configuration.
    1. Configuration Name: Give your configuration a name that describes its purpose. Choose a short, descriptive name that's easy to find in a menu. For example, Sales team or Temporary employees.
    2. EMM DPC: Select your MobiLock Pro - MDM & Kiosk Lockdown Agent from this list.
    3. DPC Extras: Paste the configuration payload that you copied in Step 9.
    4. Company Name: Set this to the name of your organization. Zero-touch enrollment shows this company name to your device users during device provisioning. Shorter names that are easily recognized by your organization's employees work best. 
    5. Support Email Address: Set this to an email address your device users can contact to get help. This is typically your internal support email address, for example,  it-support@xyzcorp.com. Zero-touch enrollment shows this email address to device users before device provisioning. Because device users can see the email address but can't click it to send a message, choose a short email address which users can type on another device.
    6. Support Phone Number: Set this to a telephone number your device users can call, using another device, to get help. This is typically the phone number of your IT support team. Zero-touch enrollment shows this number to your device users before device provisioning. Use the plus sign, hyphens, and parentheses to format the telephone number into a pattern that your users will recognize.
    7. Custom Message: Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. Zero-touch enrollment shows this message before the device is provisioned.

      The following image shows a reference configuration,
  3. Click on the Devices tab to see the list of devices and assign the configuration to them.
    1. Select a Configuration: From the drop down select the newly created configuration.
    2. Confirm the action: Click on UPDATE to confirm the action.
  4. This completes the steps on Zero Touch portal. Now you can power on the device to complete the steps on device.

Steps on Zero-Touch Device
  1. Once you power on the device that has a zero-touch configuration assigned as described above, it will download the MobiLock android client and enroll into MobiLock.
  2. Users would see the MobiLock permission screen and once the permissions are given the device will be locked to MobiLock home screen.

Frequently Asked Questions

Question: Why are we shown an error when we click on CREATE CONFIGURATION in Zero Touch Setup tab in MobiLock?

Answer: There are two cases, when you might see an error,

  • You have not created a QR Code with an Android Kiosk Device Profile.
  • You have already created zero-touch configuration using all the QR Code configurations that you have created.

Question: How many zero-touch configurations can we create in MobiLock?

Answer: You can create as many QR Code configs and/or Android Kiosk Device Profiles you have.

Question: We have created the configuration, but nothing happens on the device?

Answer: Make sure that you have complete the steps on Android Zero Touch portal and assigned a configuration to the device. Also make sure that you copied the configuration from MobiLock properly.

Question: Do we need to still give permissions to MobiLock during setup, if we are using Zero Touch?

Answer: Yes. For some of the MobiLock features that go beyond basic managements, these permissions are mandatory. Hence we mandate it during setup. However we are coming up with changes that would let an IT Admin make these permissions optional if they do not want the associated features.

Question: Do we need to manually assign configurations to each device one-by-one in Zero-Touch portal?

Answer: No. You can make one configuration as the default configuration for all your new/subsequent zero-touch devices. The option to make a configuration default is available in the Configuration section of Android zero-touch portal. For all the existing devices, you can upload a CSV. Refer to the Assigning a configuration sections here.

Question: What happens if we do not provide a SIM/Wi-Fi network when the device is powered on for the first time?

Answer: The device boots as a normal device. However once the device connects to network, it prompts the users to setup the device to be used for Android for Work. It gives the users a one hour grace period, before an automatic hard reset is done and the device reboots to download MobiLock.

References

Some of the documentation in this guide has been verbatim copied from Android Enterprise Help for zero-touch here.


How did we do?