Comment thread for the following:
Android Enterprise FAQ | Jason Bayton
Comment thread for the following:
Great stuff Jason. Here are some FAQs that I get almost every day:
Q. Does Zero Touch cost anything?
A. No, it costs zero, from Google at least. Reseller partners can choose to charge for this service, or bundle it part of other offerings if they choose to do so.
Q. If I have Zero Touch from Google, do I still need an EMM?
A. Yes of course. Zero Touch is just a provisioning method that deploys an EMM agent to your device, over the air (OTA) to enrol into a Fully Managed Device profile using Android Enterprise (not legacy Device Admin) APIs. Google do not provide a free EMM solution.
Q. If I want to use Android Enterprise do I need to buy G Suite and register my domain?
A. No. Unless you are already a G Suite customer, you can use your EMM console to register a new Android Enterprise organisation and your EMM will create unique and generic Managed Google Play service accounts on each Android device, that allow you to sign into the Google Play Store and receive EMM policies. These accounts are silently added to the device. You do not need to configure your domain, create users, or manage the authentication to services like Active Directory.
Q. If I already have devices that I have purchased and I want to configure them later for Zero Touch, can I upload these myself to the Zero Touch portal?
A. No. Only a reseller has the ability to upload devices since it is their obligation to ensure that the device identifiers (IMEI or serial) are correct and that you own the devices, not another organisation or an employee. If you do own these devices, can prove this, and can supply acccurate device identifiers, please discuss this with your preferred reseller for assistance. It is up to the reseller if they wish to peform this for you since there are consequences for resellers who upload incorrect data to the Zero Touch portal.
Q. I use Samsung Knox does this mean I can’t use Android Enterprise?
A. No. Since Android 5.x (Lollipop), like all other OEMs, you have been able to deploy a free Work Profile or enrol into a Fully Managed Device using Samsung devices and your preferred EMM solution. Since Android 8.0, Samsung have further improved this integration by having the Knox Workspace container use the Android Enterprise “Profile Owner” APIs to create the Workspace. This avoids having two competing container solutions on Samsung Android devices, simplify choices for customers. Customers can optionally select to activate a Knox Platform for Enterprise license to enable premium features to the device. Knox PfE contains all of the APIs from the previously separate Knox Standard, Knox Custom and Knox Premium SDKs.
Q. Samsung does not support Zero Touch, so does that mean I can’t enrol an Samsung device over the air into Android Enterprise?
A. No, Knox Mobile Enrolment has full support for Android Enterprise, so you don’t need to use Zero Touch on a Samsung Device. WIth supported EMMs and the mininum Knox version, you can use KME to deploy an Android Enterprise Fully Managed Device.
Q. Can I use Zero Touch to configure my employee owned BYOD devices?
A. No, Zero Touch is only for corporate owned devices.
Fully integrated these @Gerard_Kennedy, thanks!
Also merged the ZT FAQ into this one.
It appears under ZT that there is no explicit opting into the Google Terms of Service or Privacy Statement. Is this somehow implicit? Is there a Google public statement regarding this? Thanks.
Good question! It’s an all-or-nothing tied in with the terms provided by the organisation. No opt out as of right now. I’ll update when I know more.
Jason, Do you know if it is possible to see the location of device(s) when they are enrolled in Android Enterprise? And also the timeline activity of the device(s)? And if so, how is it done?
Two points from my side to help you keep the FAQ content up to date:
- VMware suppoprts Device Administrator to Android Enterprise migration as of version Workspace ONE UEM 1907 | July 18 2019 (Android (Legacy) Device Administrator Migration)
- VMware supports SSO for legacy Kerberos/IWA apps on Android with Mobile SSO and with Identity Bridging feature on Unified Access Gateway. No 3rd party software is necessary. (Configuring Web Reverse Proxy and Identity Bridging in VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial | VMware)
Updated the first question, but VMware isn’t native kerberos, nor is it vendor agnostic. All the same it’s mentioned here so folks will see VMware has a solution.
Great stuff! Thanks for summing up so much useful info.
One question: what about backup/restore procedures for COPE devices? I see that backup of personal profile is straightfoward, but what about work profile data? Any good solution there,in case an employee needs to replace his phone?
To support ZT do is it required to pass ZT certification?
If Yes, Is AER precertification is needed to pass ZT certification?
QR Code enrollment requires Wi-Fi.
We have a customer who is using his devices on a closed/private network. No Wi-Fi network is accepted.
This customer wants to use QR-Code method enrollment. NFC method is allowed also.
Now we observe a problem on a private network to use this enrollment method.
The customer starts the device with activated SIM card, taps 6 times on the Welcome screen, scan the QR-Code, and now enters into the WiFi settings screen.
At this point, there is no yet mobile data. It seems that the Welcome Screen disables it, or the mobile data is not enabled yet.
Since the customer does not agree to use a Wi-Fi network, he is stuck in this Wi-Fi settings screen. No option to skip and no option to “Use mobile network”, like in case of ZT enrollment. Unfortunately ZT is not relevant in private network.
We found a workaround:
- Start the device with SIM card.
- On the Welcome Screen, press the start button
- On Wi-Fi settings screen press, Skip.
- It enables mobile data.
- Press back 2 times to go to the Welcome Screen.
- Tap 6 times to activate a QR scanner.
- Now it works.
Steps 1-5 are not acceptable to the customer.
Are you familiar with some method to enable mobile data on the device using a more elegant method?
Maybe there is some DPC extra?
Sorry for the delay. Work profile can support cloud backup, but that would require a Google account being added, alternatively a corp solution for cloud backup could be used.
As work profile is supposed for corp data, perhaps consider how this data is managed. I for example don’t permit downloads to the device and office apps can only save back into SharePoint or OneDrive. Same sort of thing should be possible for G Suite, which means only temp data generally ends up in a profile and if that’s deleted its no big deal.
How do you manage this?
AER is not required for ZT, it’s up to the OEM to support the provisioning method on 8.0+ devices.
However if a device is AER it must support ZT.
Leave your other question on LTE with me. I’ll find out.
I am trying to do Android Enterprise Enrollment of Android 5.1.1 with NFC and Intune. As far as I know, Intune doesn’t have a provisioning application. And the Microsoft Intune application that typically gets deployed (not Company Portal) is compatible with Android 6.0+. By this summation, would it be safe to say then that Intune does not support NFC bump on Android 5.0? Or am I reading into this wrong?
The company portal application supports Android 5.0+ and requires user enrollment.
This may be helpful for members to understand if it isn’t understood already.
It shouldn’t be too difficult to create an NFC tag with the required provisioning key value pairs to make this work. Do you have NFC tags?