Android Zero Touch Enrollment(ZTE)

Android Zero Touch Enrollment or Android Zero Touch Provisioning(ZTP), is an enrollment method provided by Google for streamlined and easy deployment of organization-owned devices in bulk. It is an easy and secure out-of-the-box enrollment method whereby the devices gets enrolled with MDM MSP, when activated by downloading the ME MDM app which initiates the enrollment.

Advantages of Zero Touch Enrollment

Pre-requisites

Steps for configuring Zero Touch Enrollment

Associating Google account

You require a Google account(assoicated with your corporate e-mail), to setup the Android Zero Touch Portal. To do that, follow steps below:

Go to this link and provide the requisite details.
Ensure you provide your corporate e-mail address for Your e-mail address. Do not click on I would like a new Gmail address.
Follow the on-screen instructions to complete the account creation.

Setup Zero Touch portal

You then need to setup the Zero Touch portal, which will facilitate the ZTP. To do that, follow steps below:

Login here, with the Google account associated with your corporate e-mail, if need be.
After logging in, there are multiple sections shown. You can know more about them from the table below:

PARAMETER	DESCRIPTION
Configurations	You add, modify and delete the MDM MSP configurations here. You can also chose to assign MDM MSP configurations by default, to the devices being added to the account.
Devices	You can view the list of devices added to the account, here. You can select devices and assign the created configurations to these devices. Additionally, you can also choose to delete the added devices here.
Manage People	You can add, modify and delete the users, who can manage and access the portal, here.
Resellers	You can choose to add additional reseller details here

Add MDM MSP configuration

The device will use this MDM MSP configuration, to initiate zero-touch enrollment. To setup MDM MSP configurations, follow the steps below:

Login here, with the Google account associated with your corporate e-mail, if need be.
Click on Configurations present in the navigation panel and click on the Add button, to add a new configuration.
To create a new configuration, you need to specify the data for the requisite parameters. To know more about the parameters, refer the table below:

PARAMETER	DESCRIPTION
Name	Provide the name used to refer the created MDM MSP configuration.
EMM DPC	Select ME MDM app, from the given list of EMM apps.
DPC Extras	Copy the JSON data present under the field JSON Data, available by navigating to Enrollment -> Zero Touch Enrollment(under Android), on the MDM MSP server and paste it here.
Company Name	Provide the name of your organization. This will be displayed on the device screen, during the enrollment.
Contact E-mail	Provide the your e-mail address or the e-mail address of the IT admin, in your organization. This will be displayed on the device screen, during the enrollment and can be utilized by the devices users to contact the IT admin, in case of any issues with the enrollment.
Contact Phone	Provide the contact number of the internal IT team, in your organization. This will be displayed on the device screen, during the enrollment and can be utilized by the devices users to contact the internal IT team, in case of any issues with the enrollment.
Custom Message	Provide an optional message specifying details regarding the enrollment, to the users. This will also be displayed on the device screen

Associate MDM MSP configuration to devices

The last step in the portal is to associate the created MDM MSP configuration to the devices. To do that, follow the steps given below:

Login here, with the Google account associated with your corporate e-mail, if need be.
Click on Devices from the left pane and select the device, to which you want apply the MDM MSP configuration to. Once done, go to Configuration present against the device and select the created MDM MSP configuration, from the dropdown.
To associate the MDM MSP configuration to multiple devices,
Click on the ellipsis(three dots) icon present on the right and select Upload batch config updates.Create a CSV based on specifications given here and add it by clicking on Upload. All the devices listed in the CSV, are assigned the specified MDM MSP configuration.
To automate the process of assigning MDM MSP configuration,
Click on Configurations on the left pane and under Default Configuration, select the configuration, which is to be automatically applied to the added devices. Now, click on Apply, to finish selecting the default configuration.

Device configuration CSV file format

The CSV file to be uploaded on the portal, should be as specified in the table below:

COLUMN HEADER	DESCRIPTION	EXAMPLE
modemtype	The parameter to be used for identification. The parameter is always IMEI and it should always be in uppercase.	IMEI
modemid	The value corresponding to the specified modemtype parameter, which is always the IMEI number.	150520043826120
manufacturer	The name of the device maker/manufacturer(Original Equipment Manufacturer: OEM).	Google
profiletype	The objective of assigning the profile to the device, which in this case is always zero touch enrollment. The parameter is always ZERO_TOUCH and it should always be in uppercase	ZERO_TOUCH
profileid	The ID corresponding to the MDM MSP configuration, to be assigned to the devices. To view the configuration ID, select Configurations from the left pane in the zero touch portal. The number sequence present under ID is the configuration ID for the particular configuration.	036180

Assign Users

The devices get enrolled through Zero Touch enrollment, either during device activation (in case of new devices) or factory reset (in case of devices in use). Now the device must be assigned to a user. You can choose to manually assign users to devices or automate it by allowing users to complete the assignment by entering their directory service credentials. You can additionally add the devices to multiple groups to automate the distribution of profiles, apps and documents to devices. To do that, follow the steps given below:

On the MDM MSP server, click on Enrollment from the top menu and select Zero Touch Enrollment, from the left pane.
Here all the devices enrolled via zero touch enrollment but yet to be assigned users are listed.
You can assign users on a device-to-device basis, by clicking on the Assign User option present under Action. You can also assign users in bulk, by click on the Assign Users button, present above the table and uploading a CSV file, based on the specifications given here.

Automate User Assignment

The user assignment can be automated by enabling the users to enter their directory service credentials upon device activation

Select User for the option Device to ba activated by.
If you haven't configured a directory service, you'll be prompted to configure one. Mobile Device Manager Plus MSP supports multiple directory services:
- Active Directory
- Azure AD
- Gsuite
If you are using MDM MSP Cloud, Zoho Accounts is the default directory services used for authentication. You can also choose to configure Active Director or Azure AD for authentication.
You can optionally also select a Group to which the devices will be added upon enrollment. This will help automate the distribution of apps, documents and profiles to devices.

Sample CSV Format

SERIAL_NUMBER,USER_NAME,DOMAIN_NAME,EMAIL_ADDRESS,GROUP_NAME

C07Q853LG9RM,ANDREW,,andrew@zylker.com,zylker_drivers

NOTE:

The fields Serial Number, User Name, Email Address and Group Name are mandatory. All the other fields are optional. Ensure the specified group name is already created in the MDM MSP server. If values are not provided, default values will be taken.
The default values for various non-mandatory fields are:
Domain Name -- MDM MSP
Owned By -- Corporate
If multiple groups are specified, the group names must be separated with a slash (/)
The first line of the CSV is the column header and the columns can be in any order.
Blank column values should be comma separated.
If the column value contains comma, it should be specified within quotes.

Removing devices from Zero Touch portal

You can remove devices from Zero Touch portal, ensuring these devices cannot be enrolled via Zero Touch Enrollment. You can remove the device by unregistering the device from the portal. It is to be noted that once unreigstered, the device can be added back only by the reseller. To temporarily remove the device from ZTP, it is recommended to remove the configuration associated with the device. To unregister a devices, follow the steps given below:

Login here, with the Google account associated with your corporate e-mail, if need be.
Click on the Devices button from the left pane. Select the device you want to unregister.
Click on the Unregister button present against the device, you want ti unregister.
Click on Confirm to unregister the selected device.

Click here to know about the ports to be opened for managing mobile devices.

Zero Touch Enrollment(ZTE)

Overview