Zero-touch enrollment

BigFix Mobile supports zero-touch enrollment of company-owned Android devices. Android zero-touch enrollment is a deployment method suitable for corporate-owned Android devices. Zero-touch enrollment is a simple, fast, and secure way to configure management settings online. Organizations can get the associated devices shipped with enforced management settings, so that employees can get started immediately on booting up the devices.

Before you begin

The following are the pre-requisites to apply zero-touch provisioning:
  • The devices must be company-owned Android devices
  • The devices must be running Android 10.0 and above
  • The devices must be purchased from a reseller partner
  • A zero-touch account must be created by an authorized reseller partner
  • Enterprise must be registered to create zero-touch configurations

Supported management modes
  • Corporate-Owned Fully-managed devices - Device Owner
  • Corporate-Owned Single-Use (COSU) devices - Dedicated Device

About this task

Zero-touch enrollment is a streamlined process to provision Android devices for enterprise management. In this method, IT admin preconfigures and provisions the Android devices for enterprise management. Once the configuration is done, when the device user turns on the device for the first time and connects to the Internet, the device checks if it is assigned with an enterprise configuration. If yes, the device initiates the fully-managed or dedicated device provisioning method as per the configuration and downloads the correct device policy controller app. The device automatically gets enrolled to BigFix Mobile and receives pre-configured settings. After successful enrollment, the device is listed in the WebUI device list for further management.
Note: Once the device is enrolled, the user cannot unenroll the device. Only the IT admin can unenroll the device using the WebUI.

To configure and enroll Android devices through zero-touch enrollment method, complete the following steps:

A. Get access to a zero-touch account

Procedure

  1. Associate a Google Account with your corporate email. To get access to the zero-touch portal, the IT admin must associate the corporate email ID with Google account. Refer to Zero-touch enrollment for IT admins to know more about associating corporate email with G-mail.
  2. Once approved by Google, to create a zero-touch account using the corporate Google account, share the mail ID with the reseller. The reseller then provides access to the zero-touch portal (https://partner.android.com/zerotouch).

B. Configure through zero-touch portal

Procedure

Using the zero-touch portal, preconfigure the device.

C. Configure zero-touch method through Admin Configuration

Procedure

  1. Log in to Admin Configuration page.
  2. Configure zero-touch method.
    MethodDescription
    Manual zero-touch configuration without user authentication
    • Manually associate the devices and the profile via zero-touch portal.
    • User is not authenticated on enrolling the device
    Manual zero-touch configuration with user authentication
    • Manually associate the devices and the profile via zero-touch portal
    • User is authenticated via single-sign on URL while enrolling the device.
    Automatic zero-touch configuration without user authentication
    • Directly associate the zero-touch account to BigFix Mobile
    • User is not authenticated on enrolling the device
    Automatic zero-touch configuration with user authentication
    • Directly associate the zero-touch account to BigFix Mobile
    • IT admin can configure a sign-in URL, to authenticate device user to proceed with enrollment. Unauthorized users are restricted to proceed with device enrollment.
  3. If you have selected manual configuration, ensure the configurations are applied. In case of automatic configuration, ensure your zero-touch account is linked to BigFix Mobile.
  4. Verify the associated enrollment profile, devices, and other enrollment information.

Enroll the device

Before you begin

Zero-touch configuration must be ready.

About this task

Once the IT admin completes the zero-touch configuration, device users can enroll Android devices.

To enroll an Android device through zero-touch enrollment, complete the following steps.

  1. Turn on the device and perform the basic device settings.

  2. Connect to the Internet.
    • The device starts to receive updates and other information.
    • The device displays a message stating that the device will be managed by your organization. It also displays the configured support information and custom message.
  3. Proceed with the flow and accept the terms and conditions when prompted. The enrollment process starts and the device gets registered.
  4. In case of user authenticated zero-touch enrollment, sign-in URL is displayed. Enter valid credentials to proceed with the enrollment process.

Results

On successful completion of the enrollment, you can see the notification about the enrollment. The device is set up with all apps, profile, and other configurations according to the associated enrollment profile.