How to set up Android Enterprise with EMM token registration

Android Enterprise can simplify Android management, but the wrong device enrollment method can complicate IT's job. Understand the pros and cons of EMM token registration.

Setting up Android Enterprise with token-based enrollment is a straightforward process, but there are some limitations IT should consider.

Android Enterprise offers several device enrollment methods to facilitate the setup and management of Android endpoints. One of the most versatile methods is enterprise mobility management (EMM) token registration, or token-based enrollment. This method is also the least popular, and for some good reasons.

How does EMM token registration for Android Enterprise work?

EMM token registration enables administrators to provide a unique token from their EMM provider, which users enter during the device setup. The process is similar to that of managed Google account enrollment but provides more flexibility.

The Android device policy controller plays a crucial role in token-based enrollment. The DPC application enforces device management policies that admins have defined in their EMM platform. During the EMM token registration process, the DPC automatically installs on the device.

After first turning on a new or factory-reset device, the user enters the EMM token. It triggers the installation of the DPC, which then communicates with the EMM server to download and apply the necessary configurations and policies.

To ensure the process is secure and efficient for IT and end users, there are some best practices admins can follow. Put the following practices in place for a seamless setup:

  • Provide clear instructions and training to users on using tokens for device enrollment. This can come in the form of documentation and just-in-time training.
  • Distribute EMM tokens securely via encrypted email or SMS to authorized users to minimize the risk of interception.
  • Implement token expiration to ensure tokens are valid only for a limited time. This reduces the risk of misuse in the case of interception.
  • Maintain a system to track token issuance and usage. Using this system, conduct regular token audits to identify and revoke unused or compromised tokens.
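An added example, not from the original article or any EMM vendor: a minimal audit pass over a token issuance ledger that flags tokens to revoke or investigate, covering the expiration and audit practices above. The ledger fields (`ttl_hours`, `max_devices`, `enrollments`) and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger. Field names are hypothetical, not an EMM vendor schema.
LEDGER = [
    {"id": "tok-001", "issued": "2024-05-01T09:00:00+00:00", "ttl_hours": 72,
     "max_devices": 1, "revoked": False,
     "enrollments": ["2024-05-01T10:15:00+00:00"]},          # used as intended
    {"id": "tok-002", "issued": "2024-05-01T09:00:00+00:00", "ttl_hours": 72,
     "max_devices": 1, "revoked": False, "enrollments": []},  # never used
    {"id": "tok-003", "issued": "2024-05-06T09:00:00+00:00", "ttl_hours": 72,
     "max_devices": 2, "revoked": False,
     "enrollments": ["2024-05-06T11:00:00+00:00", "2024-05-06T11:05:00+00:00",
                     "2024-05-07T02:30:00+00:00"]},          # one device too many
    {"id": "tok-004", "issued": "2024-05-02T09:00:00+00:00", "ttl_hours": 24,
     "max_devices": 1, "revoked": False,
     "enrollments": ["2024-05-04T08:00:00+00:00"]},          # accepted after expiry
    {"id": "tok-005", "issued": "2024-05-07T09:00:00+00:00", "ttl_hours": 72,
     "max_devices": 1, "revoked": False, "enrollments": []},  # still valid
]

def audit_tokens(ledger, now):
    """Map token id -> list of reasons it should be revoked or investigated."""
    findings = {}
    for rec in ledger:
        if rec["revoked"]:
            continue  # already dealt with
        expires = datetime.fromisoformat(rec["issued"]) + timedelta(hours=rec["ttl_hours"])
        uses = [datetime.fromisoformat(t) for t in rec["enrollments"]]
        reasons = []
        if len(uses) > rec["max_devices"]:
            reasons.append("over-enrolled")       # possible leak: revoke, review devices
        if any(t > expires for t in uses):
            reasons.append("used-after-expiry")   # expiration is not being enforced
        if not uses and now > expires:
            reasons.append("expired-unused")      # close out; reissue only on request
        if reasons:
            findings[rec["id"]] = reasons
    return findings

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-08T12:00:00+00:00")
    for token_id, reasons in audit_tokens(LEDGER, now).items():
        print(token_id, ", ".join(reasons))
```

Tokens that were used once within their lifetime (`tok-001`) or are still inside it (`tok-005`) produce no finding, so the output is limited to records that need action.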

Pros and cons of Android Enterprise EMM token registration

There are a few reasons why EMM token registration is less widespread than other Android enrollment methods. The process of manually entering a long, complex token during mobile device setup is prone to error compared to other methods. Generating, distributing and managing tokens can also create more administrative overhead for IT departments.

This makes it less efficient for large-scale deployment as well. Methods such as zero-touch enrollment, for example, automate much of the setup process and are thus better suited to large deployments in remote and hybrid environments.

Token-based enrollment does shine in some use cases, such as when security is a top priority. It enables IT administrators to enforce policies such as app permissions, device settings and data usage limits. This ensures that devices comply with corporate and regulatory requirements from the moment users activate them. As a result, it's also ideal for managing dedicated devices, such as kiosks and point-of-sale systems. For work profile devices, EMM token registration enables IT to apply settings and control work-related apps and data without interfering with the user's data.

However, EMM token registration isn't available for work profiles on personally owned devices. Instead, it supports full device management, dedicated device management and work profiles on corporate-owned devices running Android 8.0 or later. In general, EMM token registration is not available for devices running Android 5.1.1 or earlier, or for devices running custom builds.

7 steps to enroll a device in Android Enterprise with EMM token registration

While Google does provide a list of approved EMM platforms for Android Enterprise, keep in mind that there are minor differences between EMM platforms and how they support tokens.

An IT admin or end user can use EMM token registration to enroll a device in Android Enterprise. Either way, the user setting up the device can expect the following process:

  1. Before initiating the token registration process, make sure the user device meets the necessary prerequisites and is either new or has undergone a factory reset. The setup process must start from scratch to avoid conflicts with existing configurations.
  2. Turn on the device and follow the setup wizard.
  3. Connect the device to a Wi-Fi network.
  4. The device -- now online -- obtains the unique EMM token from the EMM platform. The platform generates the token via the Google Play EMM API. Then, it distributes the token via secure email or SMS to the user who is setting up the device.
  5. When prompted to sign in, enter the EMM token instead of a Gmail account. The device then fetches its configuration from the EMM system associated with the token.
  6. The device communicates with the EMM server using the token to authenticate and download the necessary configuration profiles and management settings.
  7. Follow any additional prompts to complete the setup. This might include configuring security policies or installing enterprise applications.

Will Kelly is a freelance writer and content strategist who has written about cloud, DevOps, AI and enterprise mobility.
