Radha Kiwalkar

October 06, 2021

There are many reasons Esper stands out from the crowd of device management platforms. One of the differentiators we’re most proud of is how easy it is to enroll devices onto our platform through the several provisioning methods we support. Along with supporting traditional provisioning methods like the Android-for-Work and the 6-Tap QR Code, our clients can use the Google Zero-touch Enrollment (ZTE) method for provisioning device fleets onto the Esper platform. 

Traditional provisioning methods need IT admin intervention to onboard a device. For example, when using the 6-Tap QR code method, you need to scan the QR code on the device to start provisioning. Similarly, with the Android-for-Work method, the afw#esper account needs to be specified in order to enroll a device. The Zero-touch Enrollment method is a fuss-free method as the configurations can be pre-provisioned into the portal and applied to the device as it boots. 

Although initially designed for corporate Bring Your Own Device (BYOD) situations, the Zero-touch Enrollment method can be extended to dedicated devices scenarios. In this blog, along with the benefits of Zero-touch Enrollment, we will be discussing the process for signing up and provisioning a device on the Esper platform using ZTE.

What is Google Zero-touch Enrollment?

Google’s Zero-Touch Enrollment method is an alternative way to provision Android devices for enterprise management. It works best for bulk enrollment as IT Admins don’t set up each device manually. Using the zero-touch portal, it’s easy to configure devices during staging and enforce an Enterprise Mobility Management (EMM) solution. The end-user can just open the box and start working. The Zero-touch Enrollment portal takes care of the device setup for you, streamlining the deployment process, yet requiring configuration by the end-user. It is zero-touch from the IT admin's perspective on the console, not on the device.

Which devices can use Zero-touch Enrollment?

Not all devices are enabled for Zero-touch Enrollment. The devices must be purchased directly from an enterprise reseller or Google partner and not through a consumer store or other reseller. If you have a Samsung device that is set up for both Knox Mobile Enrollment and Zero-Touch Enrollment, then Knox Mobile Enrollment gets the priority and the provisioning will proceed following the Knox Mobile Enrollment path. If you want the devices to follow ZTE, you need to remove any configuration assigned to the device in the Knox Mobile Enrollment portal.

Why Use the Zero-touch Enrollment Method?

Avoid Personal Use 

With the traditional provisioning methods (AfW or the 6-Tap QR Code), the devices can still potentially be redeployed for an unintended purpose. For example, if you use Android for Work to enroll your devices and someone in the field factory resets one, they can then enroll it onto another MDM of their choice. While you can use Factory Reset Protection to prevent another Google account from being used, the device may potentially be bricked as a part of your fleet and require a support incident or truck roll to rectify.

Devices enabled for Zero-touch Enrollment can only boot using the assigned EMM platform. During the setup process, the device checks and installs the specified device controller application. The device thus gets locked and assigned a particular system and reboots into the same one even after factory reset. So, if you provision a device onto Esper with ZTE, you have full control over the device, and it will stay on Esper.

With Zero-touch Enrollment, you can avoid the situation where the devices are re-deployed for an unintended purpose. When the devices are in the field — for example, a kiosk or a shared device — if the end-user finds a way to factory reset, the device will be forced to re-provision into Esper using ZTE. This greatly restricts using the corporate-owned device for any personal use. 

Easy Setup

Zero-touch Enrollment is a hassle-free provisioning method to onboard specific devices to the Esper platform. Once you specify all configurations into the zero-touch portal, it simplifies the staging operation so it can run without technical knowledge. These factors greatly reduce room for error and the work is done quickly — saving time and reducing cost.

Zero-touch Enrollment opens doors for numerous use cases, for example, shipping ready-to-use devices to your customers. With the knowledge that the devices will be forced to onboard to Esper (and protected from tampering), it’s much easier to have the end-user boot the device and begin using it in the field.

OEM Agnostic 

Since ZTE is a Google method, you have a large number of Android devices to choose from. By comparison, Samsung Knox Mobile Enrollment, a similar automated enrollment method, restricts you to Samsung devices only. With the diversity of devices available with ZTE, you can have different types of use cases and work with different OEMs, giving you a lot more flexibility.

Using Google Zero-Touch Enrollment can be thought of as a two-step process:

  1. Signing up for the Zero-touch portal.
  2. Configuring the device to onboard the Esper platform.

How to Sign-up for the Zero-touch Portal?

The reseller sets up the Zero-touch Portal for the devices purchased. The customer should provide a corporate Gmail account to the ZTE reseller, a member email account (it can be the same as the manager email), and a customer name. 

Note: If the customer already has a ZTE account, they simply add a new reseller to their existing account. For example, you have a ZTE with Samsung and you buy new Lenovo devices. All you need to do is add the reseller who provided the Lenovo devices as an additional reseller into your existing ZTE account. 

The reseller then creates a portal for the customer. Once the ZTE reseller loads serial numbers of purchased devices into their reseller portal, the devices are bound to the customer’s Google account. The serial numbers are now available in the customer’s ZTE enrollment portal. 

The customers can then obtain the JSON code to set up the device to the customer’s endpoint with the provisioning template they intend to use. From there, turn on devices, connect to the Internet, and zero-touch enrollment takes over. 

Note: It’s not completely touchless but still very smooth, especially with cellular devices.

How to Configure Devices to Onboard the Esper Console?

As we discussed, the IMEI/Serial numbers will be accessed from the zero-touch portal. Once you have the devices available in the portal, you need to configure the devices to run Esper. As the device starts, it looks for the Esper Agent. This Agent requires JSON code with the specific template details to onboard a device into Esper. Here are the 3 ways to provide the template information to the Esper Agent:

  1. You can specify the template details (JSON code block) into the Zero-touch enrollment portal.
    Create a template using Esper Console. Now click the ellipsis and choose the ‘Download Config’ option from the menu.

    Copy the DPC-EXTRA_BUNDLE from the downloaded config file into the Zero-Touch enrollment portal. Once the details are specified, you don’t have to worry about onboarding the device fleet as Google ZTE does it for you. When the Android device is restarting, since the device is already enabled for ZTE, the Google service downloads the Esper Agent and onboards the device to the Esper Console.

    The Esper team will not have access to this Zero-Touch enrollment portal, and hence we recommend that you use the method discussed next so we are in the best position to support you.
  2. Create a template with the required settings on the Esper Console. Now, using the Esper Console, upload the IMEI/Serial numbers for all the devices you want to onboard. When the Esper Agent is installed on the device using the Zero-touch method, it will read the template details and configure the device to run on Esper.

    The Console user with the Enterprise Admin user role will be able to upload the CSV file with IMEI numbers to the Esper Console. 

    Tip: If you add the devices through the ZTE portal without the JSON code block and the serial number, the Esper agent does not find the JSON code during the device booting process and does not know what template to use to map the device. The device then displays a QR code scanning window. At this point, you can scan the QR code to provision the device to the Esper platform.

Since this process requires you to manually scan the QR code, it no longer remains a touch-free process.  
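A pre-upload check for the IMEI CSV used in the Esper Console method above, as an added example that is not Esper's code: it confirms each IMEI has 15 digits and a valid Luhn check digit, and flags duplicates, so a mistyped identifier is caught before a device boots without a matching template. The one-IMEI-per-row layout, the optional header row, and the sample values are assumptions; the page does not give Esper's CSV format.

```python
import csv
import io

# Constructed sample upload; assumes one IMEI per row in the first column.
SAMPLE_CSV = """imei
490154203237518
356938035643809
490154203237581
49015420323751
490154203237518
"""

def luhn_ok(digits):
    """IMEI check digit: Luhn sum over all 15 digits must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_imei_csv(text):
    """Return (accepted IMEIs, [(line_no, value, reason)]) for a CSV upload."""
    accepted, rejected, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        value = row[0].strip() if row else ""
        if not value:
            continue                                  # blank line
        if line_no == 1 and not any(c.isdigit() for c in value):
            continue                                  # header row
        imei = value.replace(" ", "").replace("-", "")
        if not (imei.isascii() and imei.isdigit() and len(imei) == 15):
            rejected.append((line_no, value, "not 15 digits"))
        elif not luhn_ok(imei):
            rejected.append((line_no, value, "check digit mismatch"))
        elif imei in seen:
            rejected.append((line_no, value, "duplicate"))
        else:
            seen.add(imei)
            accepted.append(imei)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_imei_csv(SAMPLE_CSV)
    print(f"{len(ok)} accepted")
    for line_no, value, reason in bad:
        print(f"line {line_no}: {value!r} rejected ({reason})")
```

Serial numbers have no standard check digit, so only the duplicate and blank-value checks would carry over to a serial-number column.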

Summary

  1. Zero-touch Enrollment (ZTE) is a provisioning method suited for bulk enrollment especially when the devices are in the field. 
  2. ZTE works on devices running Android 9.0 or later, a compatible device running Android 8.0, or a Pixel phone with Android 7.0, that are purchased from a reseller partner. 
  3. Esper recommends using ZTE for onboarding a device via the Esper Console to configure the device to the Esper platform. This is beneficial when you have devices in the field since it is a fairly touchless method.
  4. ZTE has an edge over other methods in the scenarios where you want to force the end-user to re-provision only to Esper or you want to ship a ready-to-use device to a non-technical end-user in the field. 

To onboard a large number of devices using the Zero-touch Enrollment method, get in touch with the Esper support team today.