What is Android zero-touch enrolment?
Zero-touch enrolment enables out-of-box EMM enrolment, without the manual processes traditionally associated with Android provisioning, for devices running Android 8.0 where the OEM has opted in, or all GMS certified devices running 9.0 or above. If you're familiar with Samsung's KNOX Mobile Enrolment or Apple's Device Enrolment Programme, Android's zero-touch enrolment will not be a new concept.
Zero-touch as a solution has been available since the original Pixel, with documentation referencing it as far back as Android 7.1 launched at the end of 2016. With only the original Pixel supporting it however, it failed to make any significant impact on the industry (and I can personally attest to how difficult getting any official information on it had been before the wider launch for 8.0+ devices).
With zero-touch, organisations purchase their Android 8.0+ devices from an authorised reseller. After which, the reseller creates a zero-touch console customer accounts for the organisation and imports the devices. From there, the organisation can then log into the console and associate these devices to one of any of the EMMs that currently support a fully managed deployment scenario (Device Owner mode) via a configuration. These configurations also support DPC extras, which allow organisations to pre-configure items like server URL and username.
The DPC (EMM Agent) will be pulled down automatically along with any defined configurations when the device first boots or is factory reset, as demonstrated in the above GIF.
As well as being an Android Enterprise Recommended requirement with devices running 8.0+ (and generally a decent benchmark to align to for device selection), from late 2020 zero-touch is available on all GMS certified devices running 9.0+. Prior to the announcement of global availability, Google had partnered with almost all popular OEMs to have the functionality implemented - Huawei, Sony, HTC, HMD Global (Nokia), and more already supported zero-touch from 8.0.
Once a zero-touch supported device is identified, organisations need only select a zero-touch enrolment reseller to purchase the devices from. With global availability, should the device not be Android Enterprise Recommended, it is advised to validate the model correctly supports Android Enterprise ahead of purchasing in bulk.
On the EMM side, there's not a considerable amount of work to be done - for EMMs that do already support fully managed deployments it's basically ready to go. For EMMs that don't yet support it, more information on allowing support can be found here.
Resellers are being actively engaged, with already a number across the world already available. The resellers - aside from selling the devices - will also be responsible for setting customers up with a zero-touch portal account where, as mentioned above, the DPC and configurations are set. Once access is provided however, organisations can manage which resellers are associated with the portal themselves should it ever need to be changed.
The below demonstrates zero-touch configured on a new, out-of-the-box Sony Xperia XZ1 enrolling into MobileIron Core: