Getty Images/iStockphoto

Tip

How to choose an Android Enterprise enrollment method

When setting up Android Enterprise devices, there are several enrollment methods IT should consider. Admins should learn how to determine which method, or methods, to use.

To reap the benefits of Android Enterprise, organizations must choose the right method for device setup.

Android Enterprise is a Google program that provides organizations with tools to manage and secure their employees' Android devices. The suite comprises a set of tools, APIs and features designed to help IT administrators deploy and manage Android devices securely and efficiently.

The first decision that organizations should make with Android management is how to approach this program and enroll devices in it. Whether they are deploying fully managed devices or BYOD endpoints, admins have a few appropriate enrollment options to consider.

5 key features of the Android Enterprise

Several components of Android Enterprise help organizations provision devices for use in an enterprise environment. IT should understand these features and how they apply to device enrollment.

1. Android Enterprise management APIs

The suite's management APIs provide programmatic access to device and app management functions. This enables IT to automate and customize device provisioning and management workflows.

2. Work profiles

Android Enterprise lets users separate their work and personal data on a single device. It creates a secure container to store work apps and data on the device, keeping them isolated from personal apps and data. This ensures privacy and security for both work and personal use on the same device.

3. Managed Device mode

An MDM strategy is the first step to managing mobile devices within an organization. Managed Device mode enables admins to control and manage Android devices fully. IT can apply policies and configurations to devices centrally, which ensures compliance with the organization's security requirements and enables remote management and troubleshooting.

4. Managed Google Play

Google offers a version of the Google Play Store specifically for organizations, which is the core of the Managed Google Play platform. It enables administrators to build a catalog of apps and distribute them to managed devices. In addition to the managed app store, its features include app approval workflows, license management and bulk app purchasing. This makes deploying and managing apps on Android devices easier.

5. Android Enterprise Recommended program

The Android OS is open source and can run on many different kinds of devices, including those that aren't fit for enterprise use. To make sure organizations run the OS on supportable device models, Google created the Android Enterprise Recommended program. This directory helps organizations identify devices and enterprise mobility management (EMM) platforms that meet Google's standards for enterprise use. Devices and tools that are part of the Android Enterprise Recommended program undergo rigorous testing and certification to ensure compatibility, security and performance.

How does device enrollment for Android Enterprise work?

To get started with Android Enterprise, admins must enroll their organization's devices in the program. The enrollment process can vary depending on the method the organization chooses. However, it generally consists of the following steps:

  1. Select an enrollment method. Choose a method based on the organization's deployment requirements and preferences.
  2. Prepare the devices. Before enrollment, IT might need to prepare the device according to the requirements of the chosen enrollment method. If it isn't a new device, it will typically need to undergo a factory reset.
  3. Initiate enrollment. Administrators or users can start the enrollment process on the device by following the instructions for the selected enrollment method. This might involve scanning a QR code, tapping a near-field communication (NFC) tag or using a preprovisioned token.
  4. Provision and configure the device. At enrollment, the device communicates with the organization's EMM platform or device management console. The EMM platform provides the device with configurations, policies and applications. This can include configuring network settings, installing work apps and creating work profiles.
  5. User authentication and consent. During enrollment, users might need to verify their identity and authorize the device for enterprise use. Users might also need to consent to the organization's policies and terms of service for device management.
  6. Completion and activation. Once the enrollment process is complete, the device is ready for enterprise use. The device remains under the organization's EMM provider, which allows IT to remotely monitor the device, enforce security policies and distribute updates and apps as needed.

Comparing Android Enterprise enrollment methods

Android Enterprise provides several device enrollment methods to choose from. IT can enroll devices via QR code, zero-touch provisioning, EMM token, NFC, managed Google account or EMM management app.

These methods offer scalability for deploying Android devices in an enterprise environment. Different enrollment methods will work for different organizations. One of the main factors when choosing an enrollment method is the management sets it can support. There are some methods that IT can use to deploy any of the management sets, while others only support one or two management sets.

To figure out which Android Enterprise enrollment method to use, organizations must first determine which of the following management sets they plan to deploy:

  • Full device management.
  • Dedicated device management.
  • Work profiles on corporate-owned devices.
  • Work profiles on personally owned devices.

Each Android Enterprise enrollment method has advantages and limitations. Consider the pros and cons of each one before deciding which method, or combination of methods, to use.

A table showing the management sets that each Android Enterprise enrollment method can support.

QR code enrollment

With QR code enrollment, users can scan a QR code displayed on the device or provided by an administrator during setup. This method supports full device management, dedicated device management and work profiles on corporate-owned devices running Android 8.0 or later.

One of the main advantages of QR code enrollment is its convenience and ease of use. It's possible to use it with various devices, including existing ones. It also provides flexibility for onboarding devices without requiring specialized hardware.

One drawback of this method is that it requires physical access to the device to scan the QR code. It also might not be suitable for large-scale deployments due to the manual setup.

Zero-touch enrollment

One option that is suitable for large-scale deployments is zero-touch enrollment. This method fully automates the setup process. When a user first powers their device on and connects it to the internet, it automatically enrolls into the organization's EMM platform.

The main benefit of zero-touch enrollment is that it requires minimal user intervention. It's also the most accessible option, as it supports full device management, dedicated device management and work profiles on both corporate and personal devices. Plus, this method enables IT to deploy a consistent configuration that adheres to organizational policies.

The disadvantage of zero-touch is that it requires coordination with device resellers or carriers for supported devices. It also provides limited device support compared to other enrollment methods. While simple for end users, the process still requires some work from the IT side.

EMM token registration

To perform EMM token registration, or token-based enrollment, administrators must generate enrollment tokens. Users enter these tokens into their devices during the setup process, thus initiating enrollment. This method also supports full device management, dedicated device management and work profiles on corporate-owned devices running Android 8.0 or later.

EMM token registration provides a secure and consistent process for enrolling devices. With this method, IT can delegate enrollment tasks to specific users or groups. It also offers flexibility for organizations with different models of devices.

However, distributing enrollment tokens to users can add complexity to the enrollment process. Because end users must enter the token during device setup, there's also a greater risk of user error.

NFC enrollment

If a user's device has NFC capability, they can enroll it in Android Enterprise by tapping it against an NFC tag. This method is only available for full device management and dedicated device management.

This is a quick and convenient enrollment process that is compatible with a variety of NFC-capable devices. It's most suitable for environments where device provisioning takes place in person.

The limitation of this method is that devices must have NFC capability to use it. Like QR code enrollment, it might not be ideal for large-scale deployments. Because it doesn't support work profiles, NFC enrollment is more popular for rugged deployments.

The NFC enrollment process involves the following steps:

  1. Prepare the NFC tag to include the necessary enrollment information. The tag might consist of the enrollment URL, server details and any authentication credentials necessary for enrollment.
  2. Power on the Android device and enable NFC in the device settings.
  3. Hold the NFC tag close to the NFC-enabled area on the device. This is usually on the back of or near the top of the device.
  4. If enrollment doesn't automatically start, a prompt asking for permission to enroll the device should pop up. Accept the prompt.
  5. Follow the onscreen instructions to complete the enrollment. The device might need to synchronize with the management server to receive additional configurations or policies first.
  6. Verify the device has successfully enrolled in the EMM platform.

Managed Google account enrollment

A managed Google Account is a Google account that an organization or a domain administrator -- rather than an individual user -- creates, owns and manages. These accounts give users access to Google services and resources while enabling IT admins to maintain control and oversight.

If an organization uses managed Google accounts, it's possible to enroll devices via the corresponding account credentials. Users can begin device enrollment by signing in with the managed Google account they use for work. This method is available for full device management and work profiles on corporate and personal devices.

Managed Google account enrollment provides seamless integration with Google's ecosystem for device management. The setup process can be helpfully intuitive for users who are already familiar with Google services. Additionally, it simplifies app management and distribution through Managed Google Play.

Of course, this enrollment method will only work for organizations that use managed Google accounts. It also involves more user intervention than some other options.

To enroll a device using a managed Google account, take the following steps:

  1. Prepare the device. If the device is already set up, IT must perform a factory reset to begin enrollment. Next, ensure the device has a Wi-Fi connection.
  2. Proceed through the initial setup screens. Upon reaching the "Set up email" or "Set up account" screen, enter the email address and password associated with the organization's managed Google account. If prompted, agree to Google's terms of service and privacy policy.
  3. The device will begin the auto-enrollment process into Android Enterprise. Follow any onscreen prompts to complete the process.
  4. From there, the device will download the configuration and policies that IT has assigned. Verify that the device appears and has been enrolled in the organization's EMM platform.

EMM app enrollment

When deploying work profiles for personal devices, using a management app from Google Play is a viable enrollment option. An admin or end user can download their EMM provider's management app from the Google Play Store. Once they open the app, they can follow the onscreen instructions to set up a work profile on the device.

Since the only compatible management set with this method is work profiles on personally owned devices, it has a limited use case. The process might vary based on the EMM provider as well.

To enroll an Android Enterprise device with the Google Play app, take the following steps:

  1. Access the Google Play Store. If users have not yet signed in, they might have to sign in with a managed Google account and accept the Google Play terms of service and privacy policy.
  2. Search for the EMM provider's management app and download it. The EMM might offer an enrollment link, QR code or other resource to help with this step or trigger app download.
  3. Once installation is complete, open the app.
  4. Follow the onscreen instructions to set up a work profile on the device.
For small-scale deployments with a limited number of devices, QR code or NFC enrollment both provide simplicity and ease of setup.

With all the enrollment options, device administrators must keep several considerations in mind. The choice depends on factors such as the organization's requirements, deployment scale, device ownership model and IT infrastructure.

For small-scale deployments with a limited number of devices, QR code and NFC enrollment both provide simplicity and ease of setup. Automated methods, such as zero-touch, are more efficient for large-scale deployments involving hundreds or thousands of devices. For corporate-owned devices, preferable options include zero-touch and token-based enrollment. With either of these methods, IT can retain full control over devices and enforce strict security policies.

Helen Searle-Jones holds a group head of IT position in the manufacturing sector and has more than 25 years of experience with managing a wide range of Microsoft technologies in the cloud and on-premises.

Dig Deeper on Mobile application strategy