WPCO Enrollment into Google Workspace using Zero Touch
10-21-2024 02:13 AM
Hi there!
I am implementing Zero Touch enrollment for our newly purchased Android devices. It is working well and our testing devices end up in "Fully Managed" state after enrollment.
I have been wondering if the enrollment could be adjusted so the device ends up in "Work profile on corporate-owned" (WPCO) state instead. I have done a little research and the Android spec should allow a device to end up in WPCO state after it is enrolled via Zero Touch.
Is this end result achievable with the following combination?
- Device: Samsung with Android 14
- Enrollment: Zero Touch during device setup
- EMM: Google Workspace
Google Workspace AFAIK does not have any switch for this in the UI.
Could the management mode be configured during Zero Touch by using DPC extras set in the Zero Touch portal?
Developer oriented documentation suggests this is governed by EXTRA_PROVISIONING_MODE.
I have tried the following Custom Configurations in the Google Zero Touch portal so far (all targeting com.google.android.apps.work.clouddpc):
{
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"mycompany.com\"]",
    "PROVISIONING_MODE": "MANAGED_PROFILE"
  }
}
and
{
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]"
  },
  "android.app.extra.PROVISIONING_MODE": "2"
}
and
{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<SIG-CHECK>",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ROLE_HOLDER_SIGNATURE_CHECKSUM": "<SIG-CHECK>",
  "android.app.extra.PROVISIONING_ROLE_HOLDER_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN>",
    "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]",
    "PROVISIONING_MODE": "MANAGED_PROFILE"
  }
}
In all three cases the device goes through Zero Touch enrollment. Device Policy is installed. The user is required to log in with a company.com Google Account. The device ended up in "Fully Managed" state in all three cases...
Labels: Enrolment, Work Profile, Zero-touch