Enroll and provision a device

The enrollment and provisioning process binds a device to an enterprise by creating a devices object. Depending on the use case, the process also sets a device up for management or creates a work profile on a device. Before you can enroll a device, you need to first create an enrollment token.

Create an enrollment token

Figure 1. Create a token that enrolls and applies "policy1" to devices. After 1800 seconds (30 minutes), the token expires.

You need an enrollment token for each device that you want to enroll (you can use the same token for multiple devices). To request an enrollment token, call enterprises.enrollmentTokens.create. Enrollment tokens expire after one hour by default, but you can specify a custom expiration time (duration) up to 30 days.

A successful request returns an enrollmentToken object containing an enrollmentTokenId and a qrcode that IT admins and end users can use to provision devices.

Specify a policy

You might also want to specify a policyName in the request to apply a policy at the same time a device is enrolled. If you don't specify a policyName, see Enroll a device without a policy.

Specify a user

The enrollmentTokens resource includes a userAccountIdentifier field. If you don't specify a userAccountIdentifier, the API will silently create a new, unique account each time a device is enrolled with the enrollment token.

If you specify a userAccountIdentifier that hasn't been activated on a device, the API will silently create an account for the identifier when a device is enrolled with the enrollment token.

If you specify a userAccountIdentifier that was previously activated on another device, the API will re-use the existing user and activate it on each device that is enrolled with the enrollment token. Best practice: an account should not be activated on more than 10 devices.


Using QR codes

QR codes work as an efficient device provisioning method for enterprises that maintain many different policies. The QR code returned from enterprises.enrollmentTokens.create is made up of a payload of key-value pairs containing an enrollment token and all the information that’s needed for Android Device Policy to provision a device.

Example QR code bundle

The bundle includes the download location of Android Device Policy and an enrollment token.

{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{enrollment-token}"}
}

You can use the QR code returned from enterprises.enrollmentTokens.create directly or customize it. For a full list of properties that you can include in a QR code bundle, see Create a QR code.

To convert the qrcode string into a scannable QR code, use a QR code generator such as ZXing.
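As an added example (not code from the page or from the Android Management API client libraries), the following Python builds a bundle shaped like the one above from a real token and checks that a bundle, whether returned by the API or customized by hand, still points at Android Device Policy before a console displays it. The component name, signature checksum and download location are the values shown in the example bundle.

```python
import json

# Values copied from the example QR code bundle on this page.
PREFIX = "android.app.extra."
ADMIN_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
ADMIN_SIGNATURE_CHECKSUM = "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg"
ADMIN_DOWNLOAD_LOCATION = "https://play.google.com/managed/downloadManagingApp?identifier=setup"
EXTRA_TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
PLACEHOLDER = "{enrollment-token}"

EXPECTED = {
    "PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": ADMIN_COMPONENT,
    "PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": ADMIN_SIGNATURE_CHECKSUM,
    "PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": ADMIN_DOWNLOAD_LOCATION,
}


def build_qr_bundle(enrollment_token: str) -> str:
    """Return the JSON text to feed a QR code generator, shaped like the page's example bundle."""
    if not enrollment_token or enrollment_token == PLACEHOLDER:
        raise ValueError("a real enrollment token from enrollmentTokens.create is required")
    bundle = {PREFIX + key: value for key, value in EXPECTED.items()}
    bundle[PREFIX + "PROVISIONING_ADMIN_EXTRAS_BUNDLE"] = {EXTRA_TOKEN_KEY: enrollment_token}
    return json.dumps(bundle, separators=(",", ":"))


def check_qr_bundle(qrcode: str) -> list:
    """Return the problems found in a (possibly customized) bundle; [] means it installs Android Device Policy.

    Run this before a console displays a bundle, so that a mis-edited QR code cannot send devices to
    a different admin package, signature or download location than the one documented above.
    """
    try:
        bundle = json.loads(qrcode)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(bundle, dict):
        return ["bundle is not a JSON object"]
    problems = []
    for key, want in EXPECTED.items():
        got = bundle.get(PREFIX + key)
        if got != want:
            problems.append("%s: expected %r, got %r" % (key, want, got))
    extras = bundle.get(PREFIX + "PROVISIONING_ADMIN_EXTRAS_BUNDLE") or {}
    token = extras.get(EXTRA_TOKEN_KEY)
    if not token or token == PLACEHOLDER:
        problems.append("admin extras bundle carries no enrollment token")
    return problems
```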


Provisioning methods

The table below lists the available provisioning methods by minimum Android version and solution set. For more information on solution sets, see Develop your solution.

Provisioning method                Android version      Work profile   Fully managed device   Dedicated device
Add work profile from "Settings"   5.1+                 Yes            No                     No
Download Android Device Policy     5.1+                 Yes            No                     No
Enrollment token link              5.1+                 Yes            No                     No
Sign-in URL                        5.1+                 Yes            Yes                    No
QR code                            7.0+                 No             Yes                    Yes
NFC                                5.1+                 No             Yes                    Yes
DPC identifier                     6.0+                 No             Yes                    Yes
Zero-touch enrollment              8.0+ (Pixel 7.1+)    No             Yes                    Yes

Yes: the method supports that solution set. No: it does not.

The work profile provisioning methods create a work profile on a device. A work profile is a self-contained space that separates work apps from personal apps (see employee-owned devices for more information). On devices with work profiles:

The fully managed and dedicated device provisioning methods provide enterprises with full management control over a device:


Add work profile from "Settings"

To set up a work profile on their device, a user can:

  1. Go to Settings > Google.
  2. Tap Set up work profile.

These steps initiate a setup wizard that downloads Android Device Policy on the device. Next, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

Download Android Device Policy

To set up a work profile on their device, a user can download Android Device Policy from the Google Play Store. After the app is installed, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

Enrollment token link

Using the enrollment token returned from enrollmentTokens.create or the enterprise's signinEnrollmentToken (see Sign-in URL below), generate a URL with the following format:

https://enterprise.google.com/android/enroll?et=<enrollmentToken>

You can provide this URL to IT admins, who can provide it to their end users. When an end user opens the link from their device, they will be guided through the work profile setup.

Sign-in URL

With this method, users are provided with a URL that prompts them for their credentials. Based on their credentials, you can calculate the appropriate policy for the user before proceeding with device provisioning. For example:

  1. Specify your sign-in URL in enterprises.signInDetails[]. Add the resulting signinEnrollmentToken as provisioning extra to a QR code, NFC payload, or Zero-touch configuration. Alternatively, you can provide the signinEnrollmentToken to users directly.
  2. Choose an option:
    1. Fully managed devices: After turning on a new or factory-reset device, pass the signinEnrollmentToken to the device (via QR code, NFC bump, etc.) or ask users to enter the token manually. The device will open the sign-in URL specified in Step 1.
    2. Work profile devices: Ask users to add a work profile from “Settings”. When prompted, the user scans a QR code containing the signinEnrollmentToken or enters the token manually. The device will open the sign-in URL specified in Step 1.
    3. Work profile devices: Provide users with an enrollment token link, where the enrollment token is the signinEnrollmentToken. The device will open the sign-in URL specified in Step 1.
  3. Your sign-in URL should prompt users to enter their credentials. Based on their identity, you can determine the appropriate policy.

  4. Call enrollmentTokens.create, specifying the appropriate policyId based on the user's credentials.

  5. Return the enrollment token generated in Step 4 via URL redirect, in the form https://enterprise.google.com/android/enroll?et=<token>.

QR code method

To provision a fully managed or dedicated device, you can generate a QR code and display it in your EMM console:

  1. On a new or factory-reset device, the user (typically an IT admin) taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.
  2. The user scans the QR code that you display in your management console (or similar application) to enroll and provision the device.

NFC method

This method requires you to create an NFC programmer app that contains the enrollment token, initial policies and Wi-Fi configuration, settings, and all other provisioning details required by your customer to provision a fully managed or dedicated device. When you or your customer installs the NFC programmer app on an Android device, that device becomes the programmer device.

Detailed guidance on how to support the NFC method is available in the Play EMM API developer documentation. The site also includes sample code of the default parameters pushed to a device on an NFC bump. To install Android Device Policy, set the download location of the device admin package to:

https://play.google.com/managed/downloadManagingApp?identifier=setup

DPC identifier method

If Android Device Policy can't be added via QR code or NFC, a user or IT admin can follow these steps to provision a fully managed or dedicated device:

  1. Follow the setup wizard on a new or factory-reset device.
  2. Enter Wi-Fi login details to connect the device to the internet.
  3. When prompted to sign in, enter afw#setup, which downloads Android Device Policy.
  4. Scan a QR code or manually enter an enrollment token to provision the device.

Zero-touch enrollment

This provisioning method requires an organization to purchase devices from an authorized reseller.

You use the zero-touch customer API to allow IT admins to create provisioning configurations and apply them to devices. These configurations are automatically applied to devices on first boot.


Apply a policy to newly enrolled devices

The method you use to apply policies to newly enrolled devices is up to you and the requirements of your customers. Here we present three different approaches:

  • (Recommended) When creating an enrollment token, you can specify the name of the policy (policyName) that will be initially linked to the device. When you enroll a device with the token, the policy is automatically applied to the device.

  • Set a policy as the default policy for an enterprise. If no policy name is specified in the enrollment token and there is a policy with the name enterprises/<enterprise_id>/policies/default, each new device is automatically linked to the default policy at the time of enrollment.

  • Subscribe to a Cloud Pub/Sub topic to receive notifications about newly enrolled devices. In response to an ENROLLMENT notification, call enterprises.devices.patch to link the device with a policy.

Enroll a device without a policy

If a device is enrolled without a valid policy, then the device is placed into quarantine. Quarantined devices are blocked from all device functions until the device is linked to a policy.

If a device is not linked to a policy in five minutes, then device enrollment fails and the device is factory reset. The quarantine device state gives you the opportunity to implement licensing checks or other enrollment validation processes as part of your solution.

Example licensing check workflow

  1. A device is enrolled without a default policy or specific policy.
  2. Check how many licenses the enterprise has remaining.
  3. If there are licenses available, use devices.patch to attach a policy to the device, and then decrement your license count. If there are no licenses available, use devices.patch to disable the device. Alternatively, the API factory resets any device that is not attached to a policy within five minutes of enrollment.
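The workflow above, as an added example that is not the page's or the API's own code: a Python gate that consumes the ENROLLMENT notification from the Cloud Pub/Sub approach described earlier, checks the remaining license count and returns the enterprises.devices.patch request (link a policyName, or set state DISABLED) to send. It assumes the notification is a Pub/Sub message whose notificationType attribute is ENROLLMENT and whose data is the base64-encoded JSON Device resource; the enterprise, device and policy names are constructed, and sending the HTTP request is left to the API client.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

QUARANTINE_LIMIT = timedelta(minutes=5)  # per the page: devices unlinked for five minutes are factory reset


class LicenseGate:
    """Decides which enterprises.devices.patch call to make for a device enrolled without a policy."""

    def __init__(self, enterprise: str, licenses: int, policy_name: str):
        self.enterprise = enterprise    # e.g. "enterprises/LC0123" (constructed name)
        self.licenses = licenses        # licenses remaining for this enterprise
        self.policy_name = policy_name  # full policy resource name to attach
        self.seen = set()               # devices already handled: Pub/Sub may deliver a message twice

    def handle(self, message: dict, now: datetime) -> "dict | None":
        """Return the patch request to issue (name, updateMask, body), or None if no action is needed."""
        if message.get("attributes", {}).get("notificationType") != "ENROLLMENT":
            return None
        device = json.loads(base64.b64decode(message["data"]))
        name = device["name"]
        if not name.startswith(self.enterprise + "/devices/"):
            return None  # a device of another enterprise; never spend this enterprise's licenses on it
        if device.get("policyName") or name in self.seen:
            return None  # already linked (token or default policy), or a redelivered notification
        enrolled = datetime.fromisoformat(device["enrollmentTime"].replace("Z", "+00:00"))
        if now - enrolled >= QUARANTINE_LIMIT:
            return None  # too late: the API has already factory reset an unlinked device
        self.seen.add(name)
        if self.licenses > 0:
            self.licenses -= 1
            return {"name": name, "updateMask": "policyName", "body": {"policyName": self.policy_name}}
        return {"name": name, "updateMask": "state", "body": {"state": "DISABLED"}}


def make_notification(device: dict) -> dict:
    """Constructed Pub/Sub-style ENROLLMENT message wrapping a Device resource (not captured from the API)."""
    data = base64.b64encode(json.dumps(device).encode()).decode()
    return {"attributes": {"notificationType": "ENROLLMENT"}, "data": data}


def demo() -> list:
    """Push two constructed enrollments (the first one redelivered) through a gate holding a single license."""
    gate = LicenseGate("enterprises/LC0123", licenses=1, policy_name="enterprises/LC0123/policies/policy1")
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    first = make_notification({"name": "enterprises/LC0123/devices/dev-a", "enrollmentTime": "2024-01-01T12:00:00Z"})
    second = make_notification({"name": "enterprises/LC0123/devices/dev-b", "enrollmentTime": "2024-01-01T12:00:30Z"})
    return [gate.handle(first, now), gate.handle(first, now), gate.handle(second, now)]
```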
