Dedicated Android devices - Zero-touch enrollment

This page explains provisioning dedicated Android devices through zero-touch enrollment.BigFix Mobile supports zero-touch enrollment of dedicated Android devices. Android zero-touch enrollment offers seamless deployment of dedicated devices.

Before you begin

To apply zero-touch enrollment, the IT admin must have the following:

  • An Android device running Android 10.0 and above, purchased from a reseller partner.
  • Access to BigFix Mobile.
  • A zero-touch account created by an authorized reseller partner.
  • Enterprise must be registered to create zero-touch configurations.

About this task

Zero-touch applies to devices that are received by the user directly from the reseller. The IT admin, preconfigures and provisions the devices for enterprise management. After receiving the device, when the device user turns it on, connects it to the internet, and follows certain set up instructions, the device automatically gets enrolled to BigFix Mobile and pre-configured settings are applied. The device is listed in WebUI device list for further management. Once the device is enrolled, the user cannot unenroll the device. The IT admin can unenroll the device using the WebUI.

Zero-touch configuration can be applied in two ways; manual and automatic. Enterprise must be registered to create zero-touch configurations. The IT admin must request a token, upload the files (encrypted file in .enc format) and then register an enterprise in the enterprise registration portal. This step is mandatory to receive the DPC Extra value during manual configuration and perform other actions during automatic configuration.

Manual zero-touch configuration

To apply manual zero-touch configuration, the IT admin must have access to the reseller's zero-touch portal. To get access to the zero-touch portal, the IT admin must associate the corporate email ID with Google account and once approved by Google, the IT admin needs to share the Google email with the reseller. The reseller then provides access to the zero-touch portal (https://partner.android.com/zerotouch). Using the zero-touch portal, the IT admin can preconfigure the device.

Refer to Zero-touch enrollment for IT admins to know more about associating corporate email with Gmail.

The IT Admin can assign the configuration to all future devices or selected devices.

Steps to configure manual zero-touch enrollment:
  1. Associate a Google Account with your corporate email.
  2. Request your reseller to create a zero-touch account using the corporate Google account.
  3. Log in to Android zero-touch portal with the corporate Google account (https://partner.android.com/zerotouch).
  4. To add new zero-touch profile, navigate to configurations, click the + button.
  5. In the Add a new configuration window, enter the zero-touch profile name, company name, support email address, support phone number, and customized message.
  6. Select Android Device Policy as EMM DPC.
  7. In the DPC Extras field, enter the copied DPC Extras values.
    Note: The DPC Extras is available at BigFix MCM > Admin configurations > Zero Touch Configuration. In Zero Touch Configuration panel, select Manual and copy the DPC Extra value. If the DPC Extra field shows empty, the IT admin must request a token, upload the token file in the Manage Token page (by clicking Manage Token on the left panel) and register the token to BigFix Mobile. After performing this, the DPC Extra value appears.
  8. Under the Default configuration window, select the newly created profile and click Apply. When your reseller adds any new device into your account, this default configuration is applied to the devices.
  9. Click Add. The configuration appears in the Zero Touch Configuration window.
Apply the configuration to the devices:
  1. In the Zero Touch Configuration window, select the configuration and click Apply. The configuration becomes default for all upcoming devices.
  2. Go to Devices and select the device on which you the configuration needs to be applied.
  3. Select the configuration.
  4. In the Update device dialog box, click Update.

    Result: Once the device is turned on, connected to the Internet, the basic setup is completed, the message “the device will be managed...” appears. Once the user accepts the policy, a work profile in the device is created.

Automatic zero-touch enrollment

To apply automatic zero-touch configuration, the IT admin must configure the BigFix Mobile directly with the reseller's zero-touch portal.
  1. Log in to BigFix Mobile and select Admin Configurations > Zero Touch Configuration. The Zero Touch Configuration window appears.
  2. Select Automatic.
  3. Click Next and sign in to the Zero Touch portal account. If already signed in, then select the account.
  4. Select the listed devices to link with the BigFix Mobile.
  5. Click Link and click Next.
  6. Enter the configuration name, organization name, support email ID, support phone number, and custom message.
  7. Click Save.

    Result: Selected devices are linked to BigFix Mobile. The enrollment process is same as in case of manual zero-touch enrollment.

    Note: Click Unlink to unlink the devices. Once the account is unlinked, the zero-touch profile is removed. Click Link another account to link more accounts.