Android Zero-Touch Enrollment is a free service to automate and enforce MDM enrollment for Android devices running Android 9 or higher, independent of the device manufacturer. It offers end-to-end enforcement because the MDM enrollment cannot be skipped by the user. The first time the user turns on the device, clear instructions are displayed to start the enrollment. All policies and applications assigned in Microsoft Intune are then automatically provisioned on the device.
It is recommended to use Zero-Touch solutions like Android Zero-Touch Enrollment for enrolling corporate-owned devices (not personally owned devices) into Microsoft Intune. If your company only uses Samsung Android devices, you can also take a look at the somewhat similar Zero-Touch solution Samsung Knox Mobile Enrollment, which is only available for Samsung Android devices.
In this blog
In this blog post I will show you step-by-step how to set up Android Zero-Touch Enrollment with Microsoft Endpoint Manager – Microsoft Intune. I will do this with the following steps:
- Required Microsoft Intune configuration
- Activate the Zero-Touch portal and create a new Configuration
- Enroll an Android device with Android Zero-Touch
Prerequisites
Before you start with Android Zero-Touch Enrollment with Microsoft Intune, make sure you have the following in place:
- A Microsoft Intune environment up-and-running with at least one Corporate-owned enrollment profile enabled (dedicated devices, fully managed user devices or corporate-owned devices with work profile)
- Android devices running Android 9.x or higher (or compatible devices running Android 8.0 or a Pixel phone running Android 7.0)
- An official Android Zero-Touch partner who can activate your portal and add new and existing devices to it.
Step 1 : Required Microsoft Intune configuration
Before you can enroll Android devices with Android Zero-Touch, some configurations within Microsoft Intune have to be made first. The first step is to enable Managed Google Play.
I will not cover the steps to enable Managed Google Play in this blog. However, you can check step 1 of this blog for step-by-step instructions.
Next to the Managed Google Play configuration, a corporate-owned device enrollment profile must have been created.
Each corporate-owned enrollment profile has an enrollment token. You need this token later in step 2 of this blog, when creating a Configuration (profile) in the Android Zero-Touch portal.
Step 2 : Activate the Zero-Touch portal and create a new Configuration
Navigate to the Android Zero-Touch portal : https://partner.android.com/zerotouch
If this is the first time you are using the Zero-Touch portal and you don’t have a Managed Google account for this service, you need to create a new account first. Create a new account with your existing business email address. Once created, let your authorized Zero-Touch partner know that you want to start using this service. Your Zero-Touch partner can activate the portal for you.
Once your portal is activated select I accept the Terms of Service (if you do) and click Accept
Open the Configurations tab and click the “+” sign.
Fill in a Configuration name. Select Microsoft Intune as EMM DPC.
In the DPC extras field, paste the code below. Replace the “XXXXXXXX” part with the Intune device enrollment profile token.
{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "XXXXXXXX"
  }
}
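A typo in the DPC extras (a missing key, a mangled signature checksum, or the "XXXXXXXX" placeholder left in place) only shows up when the first device fails to provision, so it is worth checking the JSON before saving the Configuration. The following Python script is an added example, not code from the blog post or from Google or Microsoft. It builds the DPC extras from an enrollment token using the component name, signature checksum and download location exactly as shown above, and then validates them. The validation rules are my own assumptions about what the Android provisioning extras expect: the component name is `<package>/<receiver class>`, the signature checksum is the URL-safe base64 encoding (without padding) of a SHA-256 digest and must therefore decode to 32 bytes, the download location must be HTTPS, and the enrollment token must not be the placeholder. The sample token in the usage block is constructed.

```python
import base64
import json
import re

# Values copied from the DPC extras shown in the blog post.
DPC_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
DPC_SIGNATURE_CHECKSUM = "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg"
DPC_DOWNLOAD_LOCATION = "https://play.google.com/managed/downloadManagingApp?identifier=setup"
TOKEN_PLACEHOLDER = "XXXXXXXX"

REQUIRED_KEYS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE",
)
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"


def build_dpc_extras(enrollment_token: str) -> str:
    """Return the DPC extras JSON for the Zero-Touch Configuration, indented for pasting."""
    extras = {
        REQUIRED_KEYS[0]: DPC_COMPONENT,
        REQUIRED_KEYS[1]: DPC_SIGNATURE_CHECKSUM,
        REQUIRED_KEYS[2]: DPC_DOWNLOAD_LOCATION,
        REQUIRED_KEYS[3]: {TOKEN_KEY: enrollment_token},
    }
    return json.dumps(extras, indent=2)


def validate_dpc_extras(text: str) -> list:
    """Return a list of problems found; an empty list means the extras look sane.

    The checks encode assumptions about the provisioning extras (see lead-in);
    they are a pre-flight sanity check, not a substitute for a test enrollment.
    """
    problems = []
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]
    for key in REQUIRED_KEYS:
        if key not in extras:
            problems.append(f"missing key {key}")
    if problems:
        return problems

    # Component name: <package>/<receiver class>; the class may be package-relative (leading dot).
    component = extras[REQUIRED_KEYS[0]]
    if not isinstance(component, str) or not re.fullmatch(r"[A-Za-z][\w.]*/\.?[A-Za-z][\w.]*", component):
        problems.append("component name is not <package>/<receiver>")

    # Signature checksum: URL-safe base64 (no padding) of a SHA-256 digest, i.e. 32 bytes.
    # This pins the DPC package to Google's signing certificate; a wrong value breaks provisioning.
    checksum = extras[REQUIRED_KEYS[1]]
    try:
        digest = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
        if len(digest) != 32:
            problems.append(f"signature checksum decodes to {len(digest)} bytes, expected 32")
    except (ValueError, TypeError):
        problems.append("signature checksum is not URL-safe base64")

    # The DPC package is fetched from this URL during setup, so it must be HTTPS.
    location = extras[REQUIRED_KEYS[2]]
    if not isinstance(location, str) or not location.startswith("https://"):
        problems.append("download location must use https")

    # The enrollment token ties the device to the Intune enrollment profile.
    bundle = extras[REQUIRED_KEYS[3]]
    token = bundle.get(TOKEN_KEY) if isinstance(bundle, dict) else None
    if not token:
        problems.append("enrollment token missing from admin extras bundle")
    elif token == TOKEN_PLACEHOLDER or set(token) == {"X"}:
        problems.append("enrollment token is still the XXXXXXXX placeholder")
    return problems


if __name__ == "__main__":
    # Constructed sample token; use the token from your Intune enrollment profile instead.
    print(build_dpc_extras("ABCDEF1234"))
    print(validate_dpc_extras(build_dpc_extras(TOKEN_PLACEHOLDER)))
</ ```

Run it with the real token substituted and paste the printed JSON into the DPC extras field only when the validator returns an empty list. The enrollment token is what binds a device to your tenant, so keep it out of shared scripts and ticket systems.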
Scroll down
Fill in the Company name, Support email address, Support phone number and optionally the Custom message. Click Add.
You can set this Configuration profile as the default so that it is applied to any new device that is added to your portal. Keep in mind that you need your authorized Zero-Touch partner to add the Android devices to your portal.
Open the Devices tab and make sure to assign the Configuration profile to existing devices.
Step 3 : Enroll an Android device with Android Zero-Touch
In this step I will show you what the user experience looks like when you enroll a Samsung Android device that is enabled for Android Zero-Touch enrollment into Microsoft Intune. A Microsoft Intune “Corporate-owned with work profile” enrollment profile is used for this Zero-Touch enrollment. In this case a Work Profile is created and the user is prompted to add a private Google Account for the personal part of the device. This is not the case when using any other Microsoft Intune Android corporate-owned enrollment profile.
Left : Select your language and press the blue arrow
Right : Select End User License Agreement and press Next
Left : Connect with your Wi-Fi network and press Next
Right : Press Don’t copy
Left : Press Next
Right : Press Accept & continue
Left : Press Next
Right : Press More and then Next
Left : Press Done
Right : Press Accept & continue
Left : Press Set up
Right : Press Set up and configure the screen lock
Left : Press Start to Encrypt your device (will only be displayed when needed)
Right : Press Install
Left : Press Next
Right : Press Set up
Left : Press Sign in
Right : Enter your password
Left : Press Register
Right : Press Next
Left : Press Done
Right : Press Next
Left : Press Next
Right : Enrollment is now completed and assigned policies and applications will be applied/installed.
Left : Open the Personal tab for the personal installed applications
Right : Open the Work tab for the installed business applications