Enrolling devices in Android Enterprise

Enrolling a device with Android Enterprise allows you to encrypt your device drive, manage settings and apps on the device, and enforce various levels of security. You can also sync, wipe, or lock the device from the console without an agent on the device.

NOTE: Before enrolling Android Enterprise devices, you must create an enterprise account with Endpoint Manager. The same enterprise can be used for all management modes. For more information, see Android Enterprise accounts.

Work profile enrollment

Work profile mode is typically used with employee-owned devices (BYOD). Work profiles protect employee privacy by only allowing the enterprise to access data within the work profile, keeping the device user's personal data separate and secure.

To enroll a device, generate device enrollment data for your enterprise, then use a QR code or an enrollment token to enroll the device.

ClosedTo generate work profile device enrollment data

1.In the management console, select Tools > Modern Device Management > MDM Configurations > Google > Android Enterprise.

2.Select the enterprise you want the device to enroll with.

3.Click Enrollment codes.

4.Click Generate Codes.

5.Choose one of the following provisioning methods:

QR code provisioning. Click Save Image to save the generated QR code.

Token and URL provisioning. Copy and distribute the enrollment token to enroll devices without using the camera. (Optional) Copy and distribute the enrollment URL to give device users a direct link to the enrollment page.

ClosedTo set up the work profile on the device

1.On the device, navigate to Settings > Google > Set up your work profile.

2.Choose the appropriate option for your provisioning method:

QR code provisioning. Scan the enrollment QR code.

Token provisioning. Tap enter code then enter the enrollment token.

A work profile is set up on the device. If the enterprise has an applied policy that requires a passcode, the user will be required to set one during enrollment.

Fully managed enrollment

Fully managed mode is typically used for company-owned devices, since it has full control over the device and its data. Fully managed device mode offers extensive control over device policies, settings, and applications.

To enroll a device, generate device enrollment data for your enterprise, then use a QR code, an enrollment token, or zero-touch to enroll the device.

ClosedTo generate fully managed device enrollment data

1.In the management console, select Tools > Modern Device Management > MDM Configurations > Google > Android Enterprise.

2.Select the enterprise you want the device to enroll with.

3.Click Enrollment codes.

4.(Optional) Enter Wi-Fi information to send to the device. The data in this code is not encrypted.

5.Click Generate Code.

6.Choose one of the following provisioning methods:

QR code provisioning. Click Save Image to save the generated QR code.

Token provisioning. Copy and distribute the enrollment token to enroll devices without using the camera.

Zero-touch provisioning. Click Generate to create zero-touch enrollment information. Zero-touch provisioning is only available for devices purchased through an Android zero-touch vendor. Zero-touch provisioning configurations are valid for 30 days.

ClosedTo enroll a device in fully managed mode with a QR code

1.Generate enrollment data.

2.Factory reset the device.

3.Tap the start up screen six times and scan your QR code.

4.If you did not include Wi-Fi information in your QR code, enter the information to connect to your Wi-Fi network.

5.Read and accept the terms and conditions.

ClosedTo enroll a device in fully managed mode with a token

1.Generate enrollment data.

2.Factory reset the device.

3.Enter the information to connect to your Wi-Fi network.

4.Tap Set up as new.

5.In the email or phone field, enter afw#setup and tap Next.

6.Tap Install to install the Android Device Policy app.

7.View Google's device management terms and tap Accept & continue.

8.Agree to the end-user license agreement and tap Done.

9.Tap enter code then enter the enrollment token.

ClosedTo enroll a device in fully managed mode with zero-touch provisioning

1.Generate enrollment data.

2.Navigate to https://partner.android.com/zerotouch.

3.Click Configurations in the side navigation menu.

4.Click the New icon.

5.Enter a name for your configuration.

6.For the EMM DPC, use the drop-down menu to select Android Device Policy.

7.In the DPC extras field, paste the zero-touch enrollment information that you copied from the Management Console.

8.Enter your enterprise contact information.

9.Click Add.

10.Click Devices in the side navigation menu.

11.Use the drop-down menus to assign your configuration to devices.

When a zero-touch device is powered on for the first time, it will receive its assigned configuration, enroll with Android Enterprise in Endpoint Manager, and download your default policies. However, the user will still need to accept Google's terms and conditions as part of the device setup.

After enrollment, fully managed mode also gives you the option to set devices as kiosk devices. For more information about configuring a kiosk device, see Kiosk mode for Android Enterprise.