Device Owner Zero Touch Provisioning
03-18-2024 09:07 AM
Hello there,
I hope you're doing well.
According to the documentation for Device Owner at this link, it's not possible to provision devices using Zero Touch along with Device Owner. Our business requires persistent enrollment, and Zero Touch would be ideal for our case.
However, due to the reduction in daily quotas with a new limit of 500 devices per project, it's no longer feasible to enroll all our devices using Zero Touch as we did before (due to changes in Google API quotas). Because of this, we have opted to switch to using Device Owner. However, with QR code enrollment, persistence is not guaranteed. Do you have any workarounds for this, or do you plan to launch Zero Touch provisioning with Device Owner in the future?
Thank you !
03-18-2024 09:17 AM
Howdy,
It's possible to use ZT with a custom DPC, but you'll need to apply to have it listed. Perhaps @Lizzie can advise on the process of this and if it's still open to all?
03-18-2024 11:57 PM
Correct me if I'm wrong, but any device enrolled using ZTP is enrolled as device owner. So you have full control over your device (depending on whether it's enrolled as COBO or COPE, with more or fewer permissions), but it needs to be enrolled during the first steps.
Only if you want to have BYOD devices: those can't be enrolled using ZTP, but via a link (or QR) provided to the end user, with limited access/possibilities for management of the device itself, as the employee is the owner of it and there is no need to wipe it beforehand.
03-19-2024 10:21 AM
Hello Moombas and Jason,
Thank you for your reply.
The Device Owner app that we have designed is not within the Play Store, so the QR provisioning configuration is similar to this one:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.emm.android/com.emm.android.DeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://path.to/dpc.apk",
  "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
  "android.app.extra.PROVISIONING_WIFI_SSID": "GuestNetwork",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "dpc_company_name": "Acme Inc.",
    "emm_server_url": "https://server.emm.biz:8787",
    "another_custom_dpc_key": "dpc_custom_value"
  }
}

We want to implement a similar configuration for Zero Touch. However, it's not possible due to my understanding that Zero Touch automatically downloads the DPC (Device Policy Controller) or DO (Device Owner) controller from the Play Store. This process requires an EMM (Enterprise Mobility Management) token for configuration, which means the device will be counted as one device. This easily leads us to exceed the quotas established by the Android Management API. Is there any way to utilize a configuration similar to the one used for QR provisioning, but for Zero Touch instead?
Thank you !
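
An added example, not part of the original post or of any EMM's tooling: a pre-deployment check for a provisioning payload like the one above, run before it is encoded into a QR code or pasted into a zero-touch configuration. It assumes the checksum extras hold a URL-safe base64 SHA-256 digest (32 bytes); the function names are hypothetical, and the sample is the post's payload without its admin extras bundle, which the check does not inspect.

```python
import base64
import json
import re
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"

# Sample taken from the post above (placeholder host and checksum as posted).
SAMPLE = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.emm.android/com.emm.android.DeviceAdminReceiver",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://path.to/dpc.apk",
    P + "SKIP_ENCRYPTION": False,
    P + "WIFI_SSID": "GuestNetwork",
})

def is_sha256_b64url(value):
    """True if value is URL-safe base64 that decodes to exactly 32 bytes."""
    if not isinstance(value, str) or not re.fullmatch(r"[A-Za-z0-9_-]+=*", value):
        return False  # rejects standard-alphabet '+' and '/' as well
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return False
    return len(raw) == 32

def lint_provisioning(payload):
    """Return findings for a provisioning JSON string (empty list = clean)."""
    try:
        cfg = json.loads(payload)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]
    findings = []
    comp = cfg.get(P + "DEVICE_ADMIN_COMPONENT_NAME", "")
    if not re.fullmatch(r"[A-Za-z][\w.]*/[\w.$]+", str(comp)):
        findings.append("component name is not package/receiver")
    url = urlparse(str(cfg.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "")))
    if url.scheme != "https" or not url.netloc:
        findings.append("DPC download location is not an https URL")
    # The checksum pins which DPC the device accepts from that URL.
    sums = [cfg.get(P + k) for k in ("DEVICE_ADMIN_SIGNATURE_CHECKSUM",
                                     "DEVICE_ADMIN_PACKAGE_CHECKSUM")]
    if not any(is_sha256_b64url(s) for s in sums):
        findings.append("no valid SHA-256 checksum pins the DPC")
    if cfg.get(P + "SKIP_ENCRYPTION") is True:
        findings.append("SKIP_ENCRYPTION is true")
    return findings
```

`lint_provisioning(SAMPLE)` returns an empty list for the posted payload; a plain-http download URL, a malformed checksum, or `SKIP_ENCRYPTION` set to true each add one finding.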
03-19-2024 11:58 PM - edited 03-19-2024 11:59 PM
Just to the configuration:
As I understand it, you should be able to use the same configuration from the QR in the Zero-Touch portal 1:1.
I did the same in the past, so I took the configuration from the ZTP and created an enrollment QR or changed that configuration to test the enrollment via QR before pasting the exact same code to the ZTP as a configuration.
And yet it worked well.
And as you see here in the collection of @jasonbayton: https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/ there are several different things in extras for the relevant MDM/DPC app.
03-20-2024 12:49 AM
You'll need to upload the app to Google Play, and it has been previously possible to register a custom DPC with ZT for selection from the list of available EMMs; I'm just not sure of the exact process (@Lizzie again).
You can stop worrying about AMAPI; a custom DPC has nothing to do with it. AMAPI doesn't support using your own DPC, so with it you'll only be leveraging the on-device APIs of Android Enterprise, since PlayEMM APIs are no longer available to new vendors either.
A little guidance from Google will help here, but getting the basics sorted, like where the DPC is hosted, will help.
03-20-2024 07:00 AM
Thanks @jasonbayton, we'll come back on this as soon as we can. Great to meet you @Stygia.
03-20-2024 09:05 AM
Hello everyone,
Thank you in advance for your help and for your assistance !
Nice to meet you too @Lizzie 🙂
Please let me know if you need anything from my end. If you think it's necessary, we can discuss any further commercial agreements to restart the business.
Best Regards,
04-02-2024 06:54 AM
Hello @Lizzie ,
I hope you're doing well.
I'm circling back to see if you have any further updates regarding this thread. Your assistance on this matter is highly appreciated.
Thank you in advance !