Forum Discussion

Stygia
Level 1.5: Cupcake
12 months ago

Device Owner Zero Touch Provisioning

Hello there,

I hope you're doing well.

According to the documentation for Device Owner at this link, it's not possible to provision devices using Zero Touch along with Device Owner. Our business requires persistent enrollment, and Zero Touch would be ideal for our case.

However, due to the reduction in daily quotas with a new limit of 500 devices per project, it's no longer feasible to enroll all our devices using Zero Touch as we did before (due to changes in Google API quotas). Because of this, we have opted to switch to using Device Owner. However, with QR code enrollment, persistence is not guaranteed. Do you have any workarounds for this, or do you plan to launch Zero Touch provisioning with Device Owner in the future?

Thank you!

  • jasonbayton
    Level 4.0: Ice Cream Sandwich
    12 months ago

    Howdy, 

     

    It's possible to use ZT with a custom DPC, but you'll need to apply to have it listed. Perhaps Lizzie can advise on the process of this and if it's still open to all?

  • Moombas
    Level 4.1: Jelly Bean
    11 months ago

    Correct me if I'm wrong, but any device enrolled using ZTP is enrolled as device owner. So you have full control over your device (depending on whether it's enrolled as COBO or COPE, with more or fewer permissions), but it needs to be enrolled during the first steps.

    Only if you want to have BYOD devices: those can't be enrolled using ZTP, but via a link (or QR) provided to the end user, with limited access/possibilities for management of the device itself, as the employee is the owner of it and there is no need to wipe it beforehand.

  • Stygia
    Level 1.5: Cupcake
    11 months ago

    Hello Moombas and Jason,

    Thank you for your reply.

    The Device Owner app that we have designed is not in the Play Store, so the QR provisioning configuration is similar to this one:

    {
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.emm.android/com.emm.android.DeviceAdminReceiver",
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://path.to/dpc.apk",
      "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
      "android.app.extra.PROVISIONING_WIFI_SSID": "GuestNetwork",
      "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "dpc_company_name": "Acme Inc.",
        "emm_server_url": "https://server.emm.biz:8787",
        "another_custom_dpc_key": "dpc_custom_value"
      }
    }

    We want to implement a similar configuration for Zero Touch. However, as I understand it, this is not possible, because Zero Touch automatically downloads the DPC (Device Policy Controller) or DO (Device Owner) controller from the Play Store. This process requires an EMM (Enterprise Mobility Management) token for configuration, which means the device will be counted as one device. This easily leads us to exceed the quotas established by the Android Management API. Is there any way to utilize a configuration similar to the one used for QR provisioning, but for Zero Touch instead?

    Thank you!
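Added example, not written by any poster in this thread and not Google's or the DPC vendor's code: a small Python linter for a provisioning extras payload like the one posted above, checking that the side-loaded DPC is fetched over HTTPS and pinned by a well-formed SHA-256 checksum (URL-safe base64), and that encryption, Wi-Fi and admin-extra URLs are not weakened. The function names are hypothetical; `PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM` and `PROVISIONING_WIFI_SECURITY_TYPE` are Android provisioning extras that do not appear in the post.

```python
import base64, binascii, hashlib
from urllib.parse import urlparse
P = "android.app.extra.PROVISIONING_"

def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 (unpadded) of SHA-256 over the DER signing certificate."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).decode().rstrip("=")

def is_sha256_urlsafe_b64(value) -> bool:
    """True if value is URL-safe base64 (padded or not) that decodes to 32 bytes."""
    if not isinstance(value, str) or "+" in value or "/" in value:
        return False  # '+' or '/' means standard base64 was pasted by mistake
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32

def lint_provisioning(cfg: dict) -> list:
    """Return human-readable findings for a provisioning extras payload."""
    findings = []
    pkg, sep, cls = cfg.get(P + "DEVICE_ADMIN_COMPONENT_NAME", "").partition("/")
    if not (pkg and sep and cls):
        findings.append("component name is not in 'package/receiver' form")
    url = cfg.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION")
    if url is not None:
        if urlparse(url).scheme != "https":
            findings.append("DPC download location is not HTTPS")
        sums = [cfg.get(P + k) for k in ("DEVICE_ADMIN_SIGNATURE_CHECKSUM",
                                         "DEVICE_ADMIN_PACKAGE_CHECKSUM")]
        if not any(is_sha256_urlsafe_b64(s) for s in sums):
            findings.append("no well-formed SHA-256 checksum pins the downloaded DPC")
    if cfg.get(P + "SKIP_ENCRYPTION") is True:
        findings.append("device encryption is skipped")
    if P + "WIFI_SSID" in cfg and P + "WIFI_SECURITY_TYPE" not in cfg:
        findings.append("Wi-Fi SSID set without a security type")
    for key, val in cfg.get(P + "ADMIN_EXTRAS_BUNDLE", {}).items():
        if isinstance(val, str) and val.lower().startswith("http://"):
            findings.append(f"admin extra '{key}' uses cleartext HTTP")
    return findings

POSTED = {  # payload from the post above (admin extras trimmed to the URL)
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.emm.android/com.emm.android.DeviceAdminReceiver",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://path.to/dpc.apk",
    P + "SKIP_ENCRYPTION": False, P + "WIFI_SSID": "GuestNetwork",
    P + "ADMIN_EXTRAS_BUNDLE": {"emm_server_url": "https://server.emm.biz:8787"},
}
print(lint_provisioning(POSTED))
```

Running the same linter over the JSON pasted into a zero-touch configuration and over the JSON encoded into a QR code catches drift between the two before devices are enrolled.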

     

    • Moombas
      Level 4.1: Jelly Bean
      11 months ago

      Just to the configuration:

      As I understand it, you should be able to use the same configuration from the QR in the Zero-Touch portal 1:1.

      I did the same in the past, so I took the configuration from the ZTP and created an enrollment QR or changed that configuration to test the enrollment via QR before pasting the exact same code to the ZTP as a configuration.

      And yet it worked well.

      And as you see here in the collection of jasonbayton: https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/ there are several different things in extras for the relevant MDM/DPC app.

    • jasonbayton
      Level 4.0: Ice Cream Sandwich
      11 months ago

      You'll need to upload the app to Google Play, and it has been previously possible to register a custom DPC with ZT for selection from the list of available EMMs, I'm just not sure of the exact process (Lizzie again).

      You can stop worrying about AMAPI; a custom DPC has nothing to do with it. AMAPI doesn't support using your own DPC, so with it you'll only be leveraging the on-device APIs of Android Enterprise, since PlayEMM APIs are also no longer available to new vendors.

      A little guidance from Google will help here, but getting the basics sorted, like where the DPC is hosted, will help.

      • Lizzie
        Google Community Manager
        11 months ago

        Thanks jasonbayton, we'll come back on this as soon as we can. Great to meet you, Stygia.