ANDROID ZERO-TOUCH ENROLLMENT
The provisioning of company devices can involve a lot of effort for the IT department and a considerable error rate when hundreds of smartphones are registered manually. However, technology should not be an obstacle, but should empower, inspire and support us in our daily work. We have already described how this can affect employees, especially on their first day at the company, in our article “Onboarding 2020 - modern working right from the start”.
In this article, we look at the technical details of automatic provisioning and contactless configuration of Android devices.
To use contactless enrollment, Android devices must be purchased from an authorized reseller and linked to a configuration in the Zero-Touch Enrollment Portal. It is not possible to add existing devices. It is therefore very important to develop a strategy for mobile devices within the company at an early stage.
HOW IT WORKS
When starting a new Android device, a network connection is established via WLAN or the mobile network after the language has been selected. This connection is used to check for updates. In the same step, Google checks whether a configuration exists. The IMEI of the device is transmitted for this purpose.
The manual assignment of an enrollment profile in the Zero-Touch Enrollment Portal can be done individually for each device or collectively via a CSV file. However, it is recommended to control the automatic assignment via the “Default EMM” configuration. This ensures that every device is covered by the EMM (Enterprise Mobility Management) or Unified Endpoint Management (UEM) system.
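Because the device lookup is keyed on the IMEI, a mistyped entry in a bulk CSV can never match a real device. The following pre-upload check is an added example, not part of the original article or of Google's tooling; the column names and all sample rows are constructed assumptions, not the portal's documented upload format.

```python
import csv
import io

# Constructed sample inventory. The column names are assumptions for this
# example, not the portal's documented upload format.
SAMPLE_CSV = """imei,profile
490154203237518,cobo-default
490154203237519,cobo-default
356938035643809,cope-sales
35693803564380,cope-sales
490154203237518,cope-sales
"""

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def check_inventory(text: str):
    """Split rows into accepted IMEIs and (line, imei, reason) rejections."""
    accepted, rejected, seen = [], [], set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        imei = (row.get("imei") or "").strip()
        if not (imei.isascii() and imei.isdigit() and len(imei) == 15):
            rejected.append((line_no, imei, "not 15 digits"))
        elif not luhn_valid(imei):
            rejected.append((line_no, imei, "check digit mismatch"))
        elif imei in seen:
            rejected.append((line_no, imei, "duplicate"))
        else:
            seen.add(imei)
            accepted.append(imei)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_inventory(SAMPLE_CSV)
    print(f"{len(ok)} accepted")
    for line_no, imei, reason in bad:
        print(f"line {line_no}: {imei!r} rejected ({reason})")
```

Rejected rows should be corrected against the reseller's delivery list before upload, since a device with a wrong IMEI in the file stays unassigned.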
A message on the device always informs the user that the smartphone in question is a company device. Once this information has been confirmed, the device receives a provisioning profile from the UEM. The device is then registered directly in the company via the setup wizard.
Google offers two different modes for managing company devices: company-owned devices that may also be used privately (Corporate Owned Personally Enabled - COPE) and those that are to be used exclusively for business purposes (Corporate Owned Business Only - COBO). The video example shows the registration of a COBO device.
At the beginning, a notice informs the user that the IT administration can exercise full control over the device. In contrast to COPE, the device is not split into two areas (business and private). However, control also has its limits on a COBO device so that privacy can be maintained. For example, no content can be read from applications.
Once the initial configuration has been completed, company apps can be downloaded from the Enterprise App Store (e.g. Play Store for Business). As shown in the video, this can be done, for example, via an app that is automatically available to every registered device. After registration, all user-specific settings are set and predefined apps are installed.
Team SPIRIT/21
E-Mail: info@spirit21.com