Device Owner Zero Touch Provisioning

Stygia
Level 1.5: Cupcake

Hello there,

I hope you're doing well.

According to the documentation for Device Owner at this link, it's not possible to provision devices using Zero Touch along with Device Owner. Our business requires persistent enrollment, and Zero Touch would be ideal for our case.

However, due to the reduction in daily quotas, with a new limit of 500 devices per project, it's no longer feasible to enroll all our devices using Zero Touch as we did before (due to changes in Google API quotas). Because of this, we have opted to switch to using Device Owner. However, with QR code enrollment, persistence is not guaranteed. Do you have any workarounds for this, or do you plan to launch Zero Touch provisioning with Device Owner in the future?


Thank you!


jasonbayton
Level 4.0: Ice Cream Sandwich

Howdy,

It's possible to use ZT with a custom DPC, but you'll need to apply to have it listed. Perhaps @Lizzie can advise on the process of this and if it's still open to all?

Moombas
Level 4.0: Ice Cream Sandwich

Correct me if I'm wrong, but any device enrolled using ZTP is enrolled as device owner. So you have full control over your device (depending on whether it's enrolled as COBO or COPE, with more or less permissions), but it needs to be enrolled during the first steps.

Only if you want to have BYOD devices: those can't be enrolled using ZTP but via a link (or QR) provided to the end user, with limited access/possibilities for managing the device itself, as the employee is the owner of it and there is no need to wipe it before.

Stygia
Level 1.5: Cupcake

Hello Moombas and Jason,

Thank you for your reply.

The Device Owner app that we have designed is not within the Play Store, so the QR provisioning configuration is similar to this one:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
    "com.emm.android/com.emm.android.DeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
    "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
    "https://path.to/dpc.apk",
  "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
  "android.app.extra.PROVISIONING_WIFI_SSID": "GuestNetwork",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "dpc_company_name": "Acme Inc.",
    "emm_server_url": "https://server.emm.biz:8787",
    "another_custom_dpc_key": "dpc_custom_value"
  }
}

We want to implement a similar configuration for Zero Touch. However, it's not possible due to my understanding that Zero Touch automatically downloads the DPC (Device Policy Controller) or DO (Device Owner) controller from the Play Store. This process requires an EMM (Enterprise Mobility Management) token for configuration, which means the device will be counted as one device. This easily leads us to exceed the quotas established by the Android Management API. Is there any way to utilize a configuration similar to the one used for QR provisioning, but for Zero Touch instead?


Thank you!
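A small validator for a payload like the one above, added here as an example for this thread; it is not the poster's code and not part of Android or any Google tooling. It parses the posted JSON, checks the extras that decide which DPC ends up installed as device owner (an https download location, a checksum that decodes to a 32-byte SHA-256, a well-formed component name), flags PROVISIONING_SKIP_ENCRYPTION and an SSID given with no security type, and shows how the signature checksum value is derived from the APK signing certificate. The severity labels and the assumption that a missing PROVISIONING_WIFI_SECURITY_TYPE means an open network are this example's own.

```python
"""Checks on an Android DPC provisioning payload (QR / zero-touch extras).

Added example for this thread, not the poster's code. SAMPLE_PAYLOAD is the
JSON posted above; the severity labels and the open-Wi-Fi assumption are ours.
"""
import base64
import hashlib
import json
import re
from typing import List, Tuple

EXTRA = "android.app.extra."
COMPONENT = EXTRA + "PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
SIG_CHECKSUM = EXTRA + "PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PKG_CHECKSUM = EXTRA + "PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
DOWNLOAD = EXTRA + "PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SKIP_ENCRYPTION = EXTRA + "PROVISIONING_SKIP_ENCRYPTION"
WIFI_SSID = EXTRA + "PROVISIONING_WIFI_SSID"
WIFI_SECURITY = EXTRA + "PROVISIONING_WIFI_SECURITY_TYPE"

# "package/Class"; the class part may be written relative to the package (".Receiver").
_COMPONENT_RE = re.compile(
    r"^[A-Za-z]\w*(\.[A-Za-z]\w*)+/\.?[A-Za-z]\w*(\.[A-Za-z]\w*)*$")

# The payload from the thread (values as posted; the checksum is the value
# from Google's documentation sample, not a real certificate hash).
SAMPLE_PAYLOAD = """{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
    "com.emm.android/com.emm.android.DeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
    "gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w=",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
    "https://path.to/dpc.apk",
  "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
  "android.app.extra.PROVISIONING_WIFI_SSID": "GuestNetwork",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "dpc_company_name": "Acme Inc.",
    "emm_server_url": "https://server.emm.biz:8787",
    "another_custom_dpc_key": "dpc_custom_value"
  }
}"""
SAMPLE_CONFIG = json.loads(SAMPLE_PAYLOAD)


def signature_checksum(cert_der: bytes) -> str:
    """Value for the SIGNATURE_CHECKSUM extra: URL-safe base64 (no padding)
    of the SHA-256 of the DER-encoded APK signing certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def decode_checksum(value: str) -> bytes:
    """Decode a checksum extra whether it was written with or without '=' padding."""
    stripped = value.rstrip("=")
    return base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))


def validate_provisioning(cfg: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings: List[Tuple[str, str]] = []
    comp = cfg.get(COMPONENT)
    if not isinstance(comp, str) or not _COMPONENT_RE.match(comp):
        findings.append(("error", "component: missing or not of the form package/Class"))
    url = cfg.get(DOWNLOAD)
    if url is not None:
        # The device fetches and installs this APK during setup; an https
        # location plus a checksum is what ties the install to the intended DPC.
        if not isinstance(url, str) or not url.startswith("https://"):
            findings.append(("error", "download: APK location must be an https URL"))
        if SIG_CHECKSUM not in cfg and PKG_CHECKSUM not in cfg:
            findings.append(("error", "checksum: a download location needs a signature or package checksum"))
    for key, label in ((SIG_CHECKSUM, "signature"), (PKG_CHECKSUM, "package")):
        if key in cfg:
            try:
                raw = decode_checksum(str(cfg[key]))
            except ValueError:  # binascii.Error is a ValueError
                raw = b""
            if len(raw) != 32:
                findings.append(("error", f"checksum: {label} checksum is not a base64 SHA-256"))
    if cfg.get(SKIP_ENCRYPTION) is True:
        findings.append(("warning", "encryption: PROVISIONING_SKIP_ENCRYPTION is true"))
    # Assumption of this example: an SSID with no security type is an open network.
    if WIFI_SSID in cfg and cfg.get(WIFI_SECURITY, "NONE") == "NONE":
        findings.append(("warning", "wifi: SSID given without PROVISIONING_WIFI_SECURITY_TYPE; open network assumed"))
    return findings


if __name__ == "__main__":
    for severity, message in validate_provisioning(SAMPLE_CONFIG) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run against the posted payload it reports only the Wi-Fi warning; the same checks apply unchanged to a zero-touch configuration, since the extras are the same keys.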


Moombas
Level 4.0: Ice Cream Sandwich

Just to the configuration:

As I understand it, you should be able to use the same configuration from the QR in the Zero-Touch portal 1:1.

I did the same in the past, so I took the configuration from the ZTP and created an enrollment QR, or changed that configuration to test the enrollment via QR, before pasting the exact same code into the ZTP as a configuration.

And yet it worked well.

And as you see here in the collection of @jasonbayton (https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/), there are several different things in extras for the relevant MDM/DPC app.

jasonbayton
Level 4.0: Ice Cream Sandwich

You'll need to upload the app to Google Play, and it has previously been possible to register a custom DPC with ZT for selection from the list of available EMMs; I'm just not sure of the exact process (@Lizzie again).

You can stop worrying about AMAPI, a custom DPC has nothing to do with it. AMAPI doesn't support using your own DPC, so with it you'll only be leveraging the on-device APIs of Android Enterprise, since the Play EMM APIs are no longer available to new vendors either.

A little guidance from Google will help here, but getting the basics sorted, like where the DPC is hosted, will help.

Lizzie
Google Community Manager

Thanks @jasonbayton, we'll come back on this as soon as we can. Great to meet you @Stygia.




Stygia
Level 1.5: Cupcake

Hello everyone,

Thank you in advance for your help and for your assistance!

Nice to meet you too @Lizzie 🙂

Please let me know if you need anything from my end. If you think it's necessary, we can discuss any further commercial agreements to restart the business.

Best Regards,

Stygia
Level 1.5: Cupcake

Hello @Lizzie,

I hope you're doing well.

I'm circling back to see if you have any further updates regarding this thread. Your assistance on this matter is highly appreciated.

Thank you in advance!