Dale Riechert

September 27, 2021

Behind Android’s power can be complexity, but also flexibility. A great example – the process of provisioning Android-based devices onto the Esper platform. Enrollment puts the devices in a state where Esper can manage them. There are many ways to enroll Android devices, but a given device will have a scoped set of options driven by the Android OS version and flavor (e.g. GMS versus AOSP) as well as supported hardware.

Since there are so many ways to provision onto Esper, let’s take a tour together! Feel free to jump to any particular method from below:

  • Seamless
  • 6 Tap QR Code
  • Android for Work
  • Google Zero-Touch Enrollment
  • Knox Mobile Enrollment
  • Esper Device Provisioner
  • NFC
  • Manual Installation

Other Enrollment Considerations

  • Android Enterprise
  • Google Services
  • Device-Specific Setup
  • Authentication
  • Permissions
  • Google Play Protect
  • Knox License Activation

Seamless

In the perfect situation you are able to ship devices directly to the end deployment sites without needing to do any setup. A person powers on the device and the device is automatically enrolled into Esper in seconds without touching anything else. Unfortunately, this is not available for most devices. It’s possible, but in order to enable a seamless experience like this devices need to be preloaded with our Esper Enhanced Android, or have the same functionality custom-added to their AOSP build. This option is not available for GMS devices.

Summary:

  • Esper Enhanced Android/Custom Android Firmware required
  • True no-touching enrollment, deliverable straight to end-user
  • Pre-configured Wi-Fi connection (optional)

Here we discuss our seamless provisioning further. If you are interested in Esper Enhanced Android, or have an AOSP build you are able to modify to support Seamless provisioning, please contact us at support@esper.io.

6 Tap QR Code

Our next-best solution, available for most new off-the-shelf phones and tablets. The user enrolling devices will power on the device, tap several times on the welcome screen backdrop, scan a QR code, and they’re already nearly done. If you include staging Wi-Fi access point credentials it will be delivered via the QR code, no user input required. With a few more quick screen presses, the device is ready to go into the field.

Summary:

  • Requires Android 7.0+
  • Google Mobile Services (GMS) devices only
  • Camera required
  • Pre-configured Wi-Fi connection (optional)
  • Few interactions but still very fast
  • Widely available

Android for Work

For slightly older devices, devices without a camera, or users looking to avoid scanning a QR code, they can utilize Android’s own Android For Work enrollment method. The user follows the normal Android setup process which includes manually connecting to a network, but then they will enter “afw#esper” in the Google email address field. This will tell the device to install Esper. While it is then possible to scan a QR code to associate Esper with a provisioning template, they can also have Esper automatically enroll the device using its serial or IMEI number.

Summary:

  • Android 6.0+
  • Google Mobile Services (GMS) devices only
  • Camera or IMEI/Serial required
  • Manually-configured Wi-Fi connection (for devices without cellular or ethernet)

Google Zero-Touch Enrollment (ZTE)

This is Google’s solution for automatically enrolling devices as they first come online during normal setup. Contrary to its name, this setup is far from truly “zero-touch” on the device, as the user still has to first connect the device to Wi-Fi if it is a non-cellular or ethernet device, and then proceed through normal setup. To utilize this method you will need to download the provisioning template’s config.json and have it added to Google’s Zero-Touch portal. Devices must support ZTE, and be purchased from an authorized ZTE reseller.

Zero-touch enrollment for IT admins – Android Enterprise Help

Requirements

  • Android 9.0+, Android 8.0+ (select devices), or Android 7.1+ (Pixel only)
  • Google Mobile Services (GMS) devices only
  • Purchased from select resellers
  • Manually-configured Wi-Fi connection (for devices without cellular or ethernet)

Knox Mobile Enrollment (KME)

This is Samsung’s own automatic enrollment process, similar to Google’s. Samsung also has options beyond using the device Serial or IMEI with an app that allows the same enrollment to occur over Bluetooth, NFC, or a Wi-Fi Direct connection with a separate dedicated enrollment device. Esper supports KME using either a serial or IMEI number.

Knox Mobile Enrollment | Enterprise bulk device enrollment

Requirements

  • Android 6.0+
  • Samsung Knox 2.6+
  • Purchased from select resellers for automatic uploading of device identifiers to KME
  • Options for Bluetooth, NFC, Wi-Fi Direct (Knox 2.8+)

Esper Device Provisioner

For AOSP devices (e.g. devices without Google Mobile Services (GMS)), Pre-Android 6.0 GMS devices, or new GMS devices without a camera required to scan a QR code, Esper provides the Device Provisioner software. This software runs on either a Windows, Mac, or Linux PC and can enroll devices over a USB connection or over a secure network connection (Ethernet or Wi-Fi).

Requirements

  • Android 4.4+
  • Android Open Source Project (AOSP) or Google Mobile Services (GMS) devices
  • Windows, Linux, or Mac PC required
  • Android Debug Bridge (ADB) connection over USB or network (Ethernet or Wi-Fi)

NFC

Esper has an app on the Play Store that allows you to scan a provisioning template QR code with a secondary device and then write that template to an NFC tag, or scan that secondary device directly with the device to be enrolled. You must scan an old-style Esper QR code.

Requirements

  • Android 6.0+
  • Google Mobile Services (GMS) devices only
  • NFC required
  • Pre-configured Wi-Fi connection (optional)
  • Second Android device with NFC required

Manual Installation

If you have the Esper APK or find it on the Play Store you can manually install it on an Android device. This approach requires one additional step (Android 5.0+) using ADB to set Esper as the device owner in order to take control of it. Once that is done, launch the Esper Device Management app to begin provisioning with either a provisioning template QR code or a serial and IMEI provisioning template association.

adb install -r -t shoonya_dpc.apk
adb shell dpm set-device-owner io.shoonya.shoonyadpc/com.shoonyaos.shoonyadpc.receivers.AdminReceiver

Requirements

  • Android 4.4+
  • Android Open Source Project (AOSP) or Google Mobile Services (GMS) devices
  • Camera or IMEI/Serial required
  • Android Debug Bridge (ADB) connection over USB or network (Ethernet or Wi-Fi)

Other Enrollment Considerations

In many cases devices that have been factory reset will have additional setup screens that need to be interacted with before provisioning can complete.

  • Android Enterprise
    • This device belongs to your organization
    • Let’s set up your work device
    • This device isn’t private
  • As part of Android Enterprise enrollment there are a few screens informing the user of this process.
  • Google Services
    • Use location
    • Allow scanning
    • Send usage and diagnostic data

GMS devices request that the user enable location and data sharing, as well as agree to the use of Google’s services. The former options are not necessary for Esper to function and can be safely disabled to prevent additional resource usage and unwanted behavior.

  • Device-Specific Setup
    • Terms and conditions, privacy policy
    • Protect your device/Setup lock screen
    • Choose navigation method
    • Etc.

As it is possible for device makers to customize setup on Android hardware, some may have additional setup steps outside of what your provisioning template covers. If you have any questions about choices to be made when experimenting with provisioning on a new model, don’t hesitate to contact us.

  • Authentication

By default, provisioning onto Esper via a device’s serial or IMEI number will require the user on the device to pass authentication before the device will continue. This authentication uses the same passcode that is used for Esper Settings in the provisioning template, even if Esper Settings itself is disabled. If no passcode is set, then the user just needs to hit “CONTINUE”.

  • Permissions
  • Gather statistics/usage access
  • Modify system settings
  • Draw over other apps (excluding Android 10+ Go Edition devices)

Starting with Android 6.0, some devices require the user to manually grant three device permissions to Esper when it is unable to do so automatically. The provisioning process will notify and direct the user to each of the corresponding permission settings pages to make this process easy. On other devices, these permissions are able to be automatically obtained.

  • Google Play Protect

Google Mobile Services (GMS) devices that have the Google Play Store enabled and are up to date with the latest Google Play services will by default also have Google Play Protect enabled. This feature may prevent the installation of apps unless manual approval is granted or the feature is disabled completely by the user. Given the device is locked down with Esper and you control which apps are being installed, having this enabled is typically unnecessary. 

  • Knox License Activation

On Samsung Knox devices a prompt will appear regarding Knox’s license. If the prompt does not automatically appear it can be triggered from the corresponding notification in the notification drawer. Accepting this prompt is necessary to enable features such as Remote Control.

Conclusion

We hoped you enjoyed this tour of available enrollment and provisioning options available with Esper. If you haven’t already, sign up for our free trial and give Esper a try!