Overview

Zero-touch enrollment lets organizations preconfigure the enterprise devices they purchase. Preconfigured devices provision themselves out-of-the-box, enabling organizations to streamline their device deployments. Additional advantages of zero-touch enrollment include:

  • Customer IT admins don't need to provision individual devices because a config can be automatically set for purchased devices in bulk.
  • Customers stay in control of their devices at all times—even after factory resets.
  • End users, after receiving a boxed device, just need to sign in.

Key stakeholders

Device resellers

As part of their sales fulfillment process, approved device resellers assign devices (using a serial number, hardware ID, and other device identifiers) to their customers' zero-touch enrollment accounts. Approved zero-touch resellers can claim devices with additional device protection service. See Device protection for details.

Enterprise customers

Enterprise customers (also called customers or companies) with Android devices use their zero-touch enrollment accounts to access the zero-touch enrollment portal. Within the portal, customers can:

  • View the devices assigned to them by their reseller(s).
  • Create, edit, and delete device configurations.
  • Apply configurations to devices.
  • Select a default configuration for any devices added to zero-touch enrollment going forward.
  • Manage portal access.
  • Add or remove resellers.

After a device is assigned a configuration, the device can provision itself out-of-the-box:

  1. The device downloads and installs the customer's chosen device policy controller (DPC) app.
  2. The DPC app, using the customer's config data, provisions the device.

If you're part of an enterprise interested in purchasing and configuring devices through zero-touch enrollment, see the help center for enterprise customers.

Enterprise customers with ChromeOS devices do not use the zero-touch enrollment portal. Instead they can configure the management of their devices in the Google Admin Console.

Enterprise mobility management (EMM) providers

EMMs can add some of the features available in the zero-touch enrollment portal to their consoles to provide their customers with a single point for managing devices. These features include:

  • Create, edit, and delete device configurations.
  • Apply configurations to devices.
  • Select a default configuration for any devices added to zero-touch enrollment going forward.

For details on how to support these zero-touch enrollment features as an EMM, see how the Customer API works.


Example zero-touch enrollment workflow

ZTP flow for customer purchasing devices from reseller

  1. Customers purchase devices from resellers.
  2. Resellers create new customer zero-touch enrollment accounts.*
  3. Resellers assign devices to customers.
  4. Customers create EMM configs for their enterprise.*
  5. Customers map purchased devices to EMM configs.*
  6. Resellers ship the devices to end user locations.
  7. End users turn on their new device.

* - not required for ChromeOS devices.


Option 1: Integrate with zero-touch enrollment and the Knox Deployment Program

The Common Android Reseller Library supports enrolling Android devices from these manufacturers as well as Samsung. We recommend using the library if:

  • Your organization hasn't integrated with Samsung's KDP or zero-touch enrollment, AND
  • Your organization sells or plans to sell Samsung devices.

Non-Samsung devices: Library and zero-touch enrollment portal

As a reseller, your organization can use the Common Android Reseller Library or the portal to support zero-touch enrollment for devices from these manufacturers. You might use one or both depending on your organization's needs.

The web portal allows you to manage your customers and their zero-touch enrollment devices. With the library, you can integrate zero-touch enrollment into your organization's existing sales or service tools. The following table compares tasks you might perform using the portal and API.

Reseller task Portal Library
Add, edit, and claim devices
Add customers
Add vendors
Integrate with existing tools
Import and export CSV files
Manage your organization's users
Add, edit, and delete device metadata

Your customers also use the same portal to map their purchased devices to EMM configs. To learn more about how to complete the tasks listed in the table, read How it works or the Reseller portal guide.

Launch portal

Samsung devices: Library and Knox portals

The Common Android Reseller Library provides a single integration for zero-touch enrollment and, for Samsung devices, KDP. Resellers belonging to KDP can use the library to add Samsung devices and assign them to enterprise customers, using their customers’ Knox Customer IDs.

Your customers use the KME portal to create device configurations and apply them to the Samsung devices assigned to them. To learn more, read How it works.

Option 2: Integrate with zero-touch enrollment

Reseller API and zero-touch enrollment portal

This Reseller API and the zero-touch enrollment portal supports enrolling Android devices from these manufacturers as well as compatible ChromeOS devices and is recommended if:

  • Your organization has already integrated with the Samsung Knox Deployment Program (KDP) to support Knox Mobile Enrollment (KME), OR
  • Your organization doesn’t sell or plan to sell Samsung devices, OR
  • Your organization sells or plans to sell both Android and ChromeOS devices.

As a reseller, your organization can use the Reseller API or the portal to support zero-touch enrollment for devices from these manufacturers. You might use one or both depending on your organization's needs.

The web portal allows you to manage your customers and their zero-touch enrollment devices. With the API, you can integrate zero-touch enrollment into your organization's existing sales or service tools. The following table compares tasks you might perform using the portal and API.

Reseller task Portal API
Add, edit, and claim devices
Add customers
Add vendors
Integrate with existing tools
Import and export CSV files
Manage your organization's users
Add, edit, and delete device metadata

Your customers use the customer portal to map their purchased devices to EMM configs. To learn more about how to complete the tasks listed in the table, read the Reseller portal guide or the How it works Reseller API guide.

Launch portal


Reseller onboarding

The three stages below list what you can expect to complete as your organization onboards into zero-touch enrollment.

Stage 1: prepare

  • Sign the zero-touch enrollment reseller agreement.
  • Get leadership approval and train your customer support team.
  • Decide with Google on a launch date.
  • Plan co-marketing opportunities.

Stage 2: integrate

  • Include zero-touch enrollment in your sales and customer support processes.
  • Integrate point of sale (POS) systems with zero-touch enrollment reseller APIs to automatically claim devices for customers.

Stage 3: launch

  • Run a pilot launch with 2 customers.
  • Offer zero-touch enrollment to all your customers.

Visit the Android Enterprise Partner Portal to get started with zero-touch enrollment.


Learn more

To learn more about fully managed Android devices, see Fully managed device. Learn more about enterprise management for ChromeOS. If you're not a reseller, see the Android Enterprise Help for more information.