
Use Android zero touch enrollment

Last updated March 1st, 2024

Zero-touch enrollment allows you to quickly and easily enroll a large number of company-owned Android devices. After a device is registered with zero-touch, it automatically enrolls when the device user connects to the Internet and signs in to the Knox Manage agent. If you factory reset a device enrolled by zero-touch, the Knox Manage agent will automatically reinstall and the device will re-enroll in Knox Manage.

Zero-touch enrollment provides the following advantages:

  • Enrolls a large number of devices in bulk without having to manually enroll each device.
  • Allows a device to automatically install the Knox Manage agent after a factory reset.
  • Prevents an unauthorized device from joining your EMM environment.
  • Allows resellers to add devices to your zero-touch enrollment account.

For devices running Android 11 and higher, Knox Manage now supports a new device provisioning method that lets the device user choose the device’s mode, depending upon whether the device is for work use only or a mix of work and personal use.

Knox Manage still supports all the older provisioning methods that were available until the Android 10 release.

To enroll devices using zero-touch enrollment, complete the following steps.

Zero-touch enrollment flow

Before you use zero-touch enrollment

To use zero-touch enrollment properly, you should:

  • Make sure that the devices are compatible with zero-touch enrollment. All devices running Android 9 and higher support zero-touch. For devices running earlier versions of Android, you should verify their compatibility by checking with your zero-touch reseller or device manufacturer.

  • Prepare a device from a zero-touch reseller partner.

  • Sign up for an enterprise Google account. A personal Gmail account cannot be used. To create a Google account for enterprise use, go to Create your Google account.

  • Link your zero-touch account to Knox Manage to speed up registration.

  • Before enrolling a device in Fully Managed mode, make sure it is running Android 5 and higher. For more information about Android Enterprise, see the Android home page.

To link your zero-touch account to your Knox Manage tenant:

Normally, you would perform all zero-touch-related tasks on the Google admin portal. To provide a more productive and smoother experience, Knox Manage allows you to link your zero-touch account with your Knox Manage tenant, which lets you perform several tasks from the Knox Manage console:

  • View account details at a glance
  • Add more or remove zero-touch accounts
  • Navigate directly to the zero-touch device list

To link your zero-touch account with Knox Manage:

  1. On the Knox Manage console, go to Device Enrollment > Zero-Touch.
  2. Under Link your zero-touch account to your EMM provider, click Next.
  3. Select one or more zero-touch accounts associated with the Google account to link, then click Link.
  4. Click Next on the confirmation screen.

Sign in to the zero-touch enrollment portal

On the Knox Manage console

After your zero-touch account is linked to Knox Manage, you can sign in and manage the account through the Knox Manage console.

To sign in to the zero-touch enrollment portal on the Knox Manage console:

  1. On the Knox Manage console, go to Device Enrollment > Zero-Touch.
  2. Submit your enterprise Google account credentials.

After you sign in to your enterprise Google account on Knox Manage, you can view the account details, add or remove zero-touch accounts, and follow the link to view the registered zero-touch devices. If you need to perform other tasks, you should access your zero-touch settings from the Google Admin console.

On the Google Admin console

To sign in to the zero-touch enrollment portal on the Google Admin console:

  1. Go to the zero-touch enrollment portal.
  2. Submit your enterprise Google account credentials.

After you sign in to the zero-touch enrollment portal, the following pages are available:

| Page | Description |
| --- | --- |
| Configurations | Create, modify, and delete Knox Manage configurations. |
| Devices | Displays the registered device list. You can assign and apply the Knox Manage configurations to the selected devices on the list. |
| Users | Add, modify, and delete users who can access and manage the portal. |
| Resellers | Add resellers to share your account with multiple resellers. |

Create a Knox Manage configuration

To create a Knox Manage configuration:

  1. On the zero-touch enrollment portal, go to Configurations.
  2. Click add. The Add a new configuration window opens.
  3. Fill the fields:
     • Configuration name: Enter a configuration name.

     • EMM DPC:

       Android Enterprise — Select Samsung Knox Manage from the dropdown.

       Android Management API — Select Android Device Policy from the dropdown.

     • DPC extras: Configure the extra settings for the device policy controller.

Android Enterprise — The following sample configuration contains the three minimum required fields:

    {
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
            "ServerUrl": "Your Server Url",
            "TenantId": "Your Knox Manage Tenant ID",
            "Method": "ZeroTouch"
        }
    }

(Optional) You can include the UserID and Password fields to enroll all devices with a shared user ID and password, and the Mode field to enforce fully managed (DO) or work profile (PO) mode on company-owned devices. This sample configuration demonstrates these extra fields:

    {
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
            "ServerUrl": "Your Server Url",
            "TenantId": "Your Knox Manage Tenant ID",
            "Method": "ZeroTouch",
            "UserID": "Enrollment User ID",
            "Password": "Password for the Enrollment User ID",
            "Mode": "DO"
        }
    }

For work profile deployments, replace DO with PO.

The ServerURL of your applicable region is one of the following. The domain corresponds to the server address on your Knox Manage console.

Android Management API — Use the following sample configuration:

    {
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
            "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{Sign-in token}"
        }
    }

Replace {Sign-in token} with your unique token from the enrollment invitation email.

When enrolling through the Android Management API, device users should manually enter their credentials, even if you configure them in advance. This is different from enrolling through Android Enterprise, where credentials are automatically validated without user input.

     • Company Name: Enter the name of your enterprise. It'll display on the user's device during enrollment.
     • Support email address: Enter your enterprise IT admin email address. This address displays on the user's device during enrollment, and it can be used to contact your IT admin in case of any enrollment issues.
     • Support phone number: Enter your enterprise IT support phone number. This number displays on the user's device during enrollment, and it can be used to contact your IT admin in case of any enrollment issues.
     • Custom message: (Optional) Enter a message to show on the device screen during enrollment.

  4. Click Add to create the new Knox Manage configuration.
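
A check to run on the Android Enterprise DPC extras before pasting them into the configuration, as an added example (not Samsung's or Google's code). It assumes the key spelling in the page's samples is authoritative and reports any other field as unknown rather than invalid; the sample values are constructed.

```python
import json

BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
REQUIRED = ("ServerUrl", "TenantId", "Method")
KNOWN = REQUIRED + ("UserID", "Password", "Mode")
# Placeholder strings from the page's sample configurations.
PLACEHOLDERS = {"Your Server Url", "Your Knox Manage Tenant ID",
                "Enrollment User ID", "Password for the Enrollment User ID"}

def check_dpc_extras(text):
    """Return (errors, warnings) for an Android Enterprise DPC extras string."""
    errors, warnings = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"], warnings
    bundle = doc.get(BUNDLE_KEY) if isinstance(doc, dict) else None
    if not isinstance(bundle, dict):
        return [f"missing object {BUNDLE_KEY}"], warnings
    by_lower = {k.lower(): k for k in KNOWN}
    for key, value in bundle.items():
        if key not in KNOWN:
            hint = by_lower.get(key.lower())
            if hint:  # assumption: the sample's key spelling is authoritative
                errors.append(f"{key!r} should be spelled {hint!r}")
            else:
                warnings.append(f"unknown field {key!r}")
        elif not isinstance(value, str) or not value.strip():
            errors.append(f"{key} must be a non-empty string")
        elif value in PLACEHOLDERS:
            errors.append(f"{key} still holds the sample placeholder")
    errors += [f"{k} is required" for k in REQUIRED if k not in bundle]
    if bundle.get("Method", "ZeroTouch") != "ZeroTouch":
        errors.append('Method must be "ZeroTouch"')
    if "Mode" in bundle and bundle["Mode"] not in ("DO", "PO"):
        errors.append('Mode must be "DO" or "PO"')
    if "Password" in bundle:
        warnings.append("Password is a plain string in the configuration, "
                        "shared by every device assigned to it")
    return errors, warnings

# Constructed sample: misspelled key, invalid Mode, shared credentials.
SAMPLE = """{"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
  "ServerURL": "https://emm.example.com", "TenantId": "EXAMPLE_TENANT",
  "Method": "ZeroTouch", "UserID": "enroll-user",
  "Password": "example-only", "Mode": "do"}}"""

if __name__ == "__main__":
    print(check_dpc_extras(SAMPLE))
```
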

Assign a Knox Manage configuration to zero-touch devices

After zero-touch reseller partners have registered devices in the zero-touch enrollment portal, you can assign the newly created Knox Manage configurations to the devices either individually or in bulk with a CSV file.

Individual assignment

To assign a Knox Manage configuration to a device individually:

  1. On the zero-touch enrollment portal, go to Devices.
  2. On the device list, select the devices to which the configuration is to be applied, and then, under Configuration, select a Knox Manage configuration.

Bulk assignment

To assign a Knox Manage configuration to multiple devices at once:

  1. On the zero-touch enrollment portal, go to Devices.

  2. Click upload > Download results as .csv and save it to your local file system.

  3. Open the CSV file with a text editor and fill the following fields:

| Field | Example value | Description |
| --- | --- | --- |
| modemtype | IMEI | This field should be always set to IMEI in uppercase letters. |
| modemid | 123456789012347 | Enter the IMEI number of the device. |
| serial | ABcd1235678 | Enter the serial number of the device. |
| model | VM1A | Enter the model name of the device. |
| manufacture | Google | Enter the name of the device manufacturer. |
| Profiletype | ZERO_TOUCH | This field should always be set as ZERO_TOUCH in uppercase letters. |
| Profileid | 54321 | Enter the ID of the Knox Manage configuration you want to apply to the device. To view the configuration's ID, check the ID column on the Configurations page. To remove the device from zero-touch enrollment, enter 0. |

  4. Go to the Devices page, then click upload > Upload batch configurations. A file dialog opens. Select the modified CSV file.

The devices in the CSV file are assigned to the chosen Knox Manage configuration.
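
A pre-upload check for the batch CSV, as an added example (not part of the zero-touch portal or Knox Manage). It assumes the header uses the field names exactly as the table above lists them, takes the configuration IDs you expect as a parameter, and adds a Luhn check-digit test on the IMEI; rows with Profileid 0 are returned separately because they remove the device from zero-touch enrollment.

```python
import csv
import io

# Column names as this page lists them (assumed to match the CSV header).
COLUMNS = "modemtype modemid serial model manufacture Profiletype Profileid".split()

def luhn_ok(imei):
    """True if imei is 15 digits ending in a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_batch(text, expected_ids):
    """Return (errors, removals); removals are IMEIs whose Profileid is 0."""
    errors, removals = [], []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"header lacks: {', '.join(missing)}"], removals
    for row in reader:
        n, imei = reader.line_num, (row["modemid"] or "").strip()
        if row["modemtype"] != "IMEI":
            errors.append(f"line {n}: modemtype must be IMEI")
        if not luhn_ok(imei):
            errors.append(f"line {n}: modemid {imei!r} is not a valid IMEI")
        if row["Profiletype"] != "ZERO_TOUCH":
            errors.append(f"line {n}: Profiletype must be ZERO_TOUCH")
        pid = (row["Profileid"] or "").strip()
        if pid == "0":  # per the page, 0 removes the device from zero-touch
            removals.append(imei)
        elif pid not in expected_ids:
            errors.append(f"line {n}: unexpected Profileid {pid!r}")
    return errors, removals

# Constructed rows; the first uses the page's example values.
SAMPLE = """modemtype,modemid,serial,model,manufacture,Profiletype,Profileid
IMEI,123456789012347,ABcd1235678,VM1A,Google,ZERO_TOUCH,54321
imei,123456789012348,ABcd1235679,VM1A,Google,ZERO_TOUCH,54321
IMEI,490154203237518,ABcd1235680,VM1A,Google,ZERO_TOUCH,0
"""

if __name__ == "__main__":
    print(check_batch(SAMPLE, {"54321"}))
```

Review the returned removals list before uploading, so that every device leaving zero-touch enrollment is a deliberate change.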

Enroll a zero-touch device

After the Knox Manage configuration is assigned to a zero-touch device, in order to enroll it you must first install Knox Manage and sign in with a Knox Manage account.

To enroll a zero-touch device:

  1. Ensure the device is factory reset.
  2. Turn on the device, and then tap Start on the welcome screen.
  3. On the Connect to mobile network screen, insert a SIM card or tap Skip.
  4. Tap an available Wi-Fi network to connect to it. The device checks for updates.
  5. On the Set up your device screen, read the privacy policy of Knox Manage and Google, and then tap Accept & continue. The device contacts the Knox Manage server.
  6. On the Google Services screen, tap Accept. The Knox Manage agent installs and launches.
  7. On the Sign in with your Samsung Knox Manage Account screen, enter a Knox Manage user ID and password, and then tap SIGN IN.
  8. On the Knox Manage terms and agreements screen, read the terms of use, privacy policy, and end-user license agreement, tap the check box next to Agree all, and then tap NEXT.
  9. On the Display over other apps page, if required, tap All display over other.

The device is registered and enrolled in Knox Manage.

Delete devices from the zero-touch enrollment portal

If you need to transfer ownership of a device, you can delete devices one at a time from the zero-touch enrollment portal.

To delete a device from the zero-touch enrollment portal:

  1. On the zero-touch enrollment portal, go to Devices.
  2. On the Devices page, select the device you want to remove, and then click DEREGISTER.
  3. In the Deregister device? window, click DEREGISTER to delete the device from the zero-touch enrollment portal.

After you delete a device, if you want to re-register it to the zero-touch enrollment portal, you must contact your reseller. If you need to temporarily exclude a device from the zero-touch enrollment portal, consider removing its Knox Manage configuration.
