Android EMM Zero Touch Enrolment — WeGuard

Shashi K
Published in Wenable
Feb 3, 2019

“Stupid is as stupid does” — Forrest Gump

You are a big trucking company, with thousands of trucks and other vehicles on the road every day, 365 days a year. Your government has mandated that you set up a monitoring system to make sure that the drivers (and the trucks as well) get at least so many hours of rest, among other rules. You have noticed that it is really helpful: you can monitor all trucks in real time and know about any incidents (like hard braking, leaks etc.) which the driver may have failed to report. You have got your GPS devices fitted, tested and tweaked on a couple of trucks, with a (let's say, Android) tab fetching the data from the devices and sending it to a centralised server. To set the device up, you have followed the steps provided by your MDM provider: you scanned a QR code to activate the device and followed another 20 steps. You have also negotiated with the network service provider and got a very good deal. Every month you will get 2000 devices across the country, and you plan to hand them over to the truckers once they drop by.

Time to roll out the devices. But before that you have to “provision” each device, installing the correct version of the latest tested application on all of them before they are ready to be shipped. Easy, right? Really? You have to do that for ALL the devices? That's stupid. You do not want to do that, do you?

So how do you “provision” the devices? How do you make sure all the devices run exactly the software that you want to start with, so that you do not have to worry about the rest? Would it not be nice if you just had to turn on the devices and they “just start working” with almost no touches at all? If so, then please read on.

Well, sometimes wishes do come true. Are your devices set up with a SIM (or has your network provider made sure all the devices have a working SIM card installed) so that the moment you power them on, they are ON the network? Then this is what you need. This article covers the details of the Android EMM device enrolment process, i.e. Zero Touch provisioning. Google has addressed this problem by supporting exactly this feature for devices running Android 8.0 or greater.

OK, now we know there is a Zero Touch Enrolment process, and that it is a super easy way to light up the device, but what is it? It is a hassle-free way for the end user to set up devices with very minimal user interaction. The rest of the article discusses the technical nitty-gritty of how Google (and of course WeGuard) manages this.

Google allows MDM providers (like us, WeGuard, AirWatch etc.) to register/certify with Google as Zero Touch partners. This allows us, the partners, to consume the Google APIs through which MDM providers can offer this solution. You have to register the unique device ID on the console provided by the MDM partner. Please note that not all Android devices may support this feature: the OEM must be one of Google's Zero Touch OEM partners for the device to have this capability. Once the device is accepted and approved by the system, all you need to do is unbox the device (or factory reset it if it has already been used) and make sure it is on a packet network after booting up.

Through a customer portal provided by your MDM partner, you set configurations for the devices. These “configurations” are properties that you want the devices to have from the moment installation of the MDM software is complete. Only a limited set of features can go into the configurations, such as enabling system apps. DPC extras are as specified by your EMM/MDM provider. Once you are done with the configurations in the MDM console and have provided the unique device ID, you are all set to provision your first device.
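An added example (not WeGuard's or Google's code): a small Python check an admin could run over a DPC extras JSON before saving it in a Zero Touch configuration. The `android.app.extra.PROVISIONING_*` keys are the standard Android provisioning extras; the package name, URL, admin-extras keys and the secret-name heuristic are constructed assumptions.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"  # standard Android provisioning extras prefix
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM = P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SYSTEM_APPS = P + "LEAVE_ALL_SYSTEM_APPS_ENABLED"
ADMIN_EXTRAS = P + "ADMIN_EXTRAS_BUNDLE"
SECRET_HINTS = ("password", "secret", "token", "apikey")  # assumed heuristic

def audit_dpc_extras(raw: str) -> list[str]:
    """Return findings for a zero-touch DPC extras JSON document."""
    extras, findings = json.loads(raw), []
    pkg, _, receiver = str(extras.get(COMPONENT, "")).partition("/")
    if not pkg or not receiver:
        findings.append("component name must be 'package/receiver class'")
    url = urlparse(str(extras.get(DOWNLOAD, "")))
    if url.scheme != "https" or not url.netloc:
        findings.append("DPC download location must be an https URL")
    checksum = str(extras.get(CHECKSUM, ""))
    try:  # URL-safe base64, usually written without padding: restore it first
        digest = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
    except ValueError:
        digest = b""
    if len(digest) != 32:
        findings.append("signature checksum is not base64url of a SHA-256 digest")
    if extras.get(SYSTEM_APPS) is True:
        findings.append("all system apps stay enabled: review against your app policy")
    for key in extras.get(ADMIN_EXTRAS, {}):
        if any(hint in key.lower() for hint in SECRET_HINTS):
            findings.append(f"admin extra '{key}' looks like a shared static secret")
    return findings

# Constructed sample inputs (hypothetical package, URL and extras).
FAKE_HASH = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed signing cert").digest()).decode().rstrip("=")
GOOD = json.dumps({COMPONENT: "com.example.dpc/.AdminReceiver", CHECKSUM: FAKE_HASH,
                   DOWNLOAD: "https://dl.example.com/dpc.apk", SYSTEM_APPS: False,
                   ADMIN_EXTRAS: {"enrollment_profile": "trucks"}})
BAD = json.dumps({COMPONENT: "com.example.dpc", CHECKSUM: "abc123",
                  DOWNLOAD: "http://dl.example.com/dpc.apk", SYSTEM_APPS: True,
                  ADMIN_EXTRAS: {"api_token": "constructed"}})

if __name__ == "__main__":
    print(audit_dpc_extras(GOOD))
    for finding in audit_dpc_extras(BAD):
        print("-", finding)
```

The same configuration is applied to every device attached to it, which is why the download URL, the signing-certificate checksum and anything placed in the admin extras deserve a check before rollout.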

At a high level you would set the configuration as shown in the following picture:

  • Pick/Choose the EMM ZeroTouch support provider like WeGuard. (WeGuard has support for Zero Touch)
  • Create a Configuration with given EMM provider.
Step — 1 Create configuration

This is the template that the MDM provider needs to upload to the MDM console so that Zero Touch enrolment happens when the device is factory reset or started for the first time.

These are details that MDM providers take care of; customers typically do not need to bother themselves with the complete list of steps mentioned in the diagram above.

Sample template

The Profile ID is the Configuration ID that we get from step 1.

  • Once that is done, the reseller will approve the devices and they are ready for enrolment.
  • The device is then turned on or booted up.
  • From the welcome screen, Zero Touch will be triggered.

A simplified flow is demonstrated here.

Zero Touch provision flow (WeGuard)

To un-enroll a device, the customer needs to use the MDM portal to detach the device from the profile. What happens after that (for example device restart/wipe/factory reset) is defined by the MDM implementation.

In summary, Zero Touch is very useful for bulk, large-scale device enrolment for enterprises, on devices running Android 8.0+ whose OEM is listed in the Zero Touch partners list. Check for your device manufacturer’s name on the “OEM Partners” list in the reference provided below.

Samsung has a very unique and seamless experience in bulk provisioning/bulk enrolment and, as of writing this article, in our opinion, Samsung has the edge over Google in the number of features that can be controlled on their devices.

Zero Touch is available only on Google-approved OEMs, and here is the link for a complete list of supported OEMs: https://www.android.com/enterprise/management/zero-touch/

Samsung Bulk enrolment will be covered soon.
