jasonbayton

Android Enterprise offers several options for provisioning devices out of the box. The following is a brief run-down of each:

 
NFC 
 
Introduced in Android Lollipop (5.0), NFC offers the ability to tap a device against an NFC tag (or another Android device prior to Android 10) from the setup wizard in order to begin fully managed device provisioning. NFC is particularly useful for bulk, close-proximity device provisioning such as locally preparing devices to be deployed into a warehouse, or where staging is part of the typical device deployment flow. 
 
NFC supports DPC extras.
 
DPC identifier 

Introduced in Android Marshmallow (6.0), this may also be referred to by ecosystem partners as "EMM token", and is a shortcode entered in place of a Google account during device wizard setup. For example:

afw#setup (Android Management API)

After this, the device will be pushed into fully managed provisioning. DPC identifier is useful for devices that either aren't in proximity of an NFC tag/capable device or cannot leverage newer provisioning methods (below). Managed Google accounts (G Suite) undergo a similar flow, pushing a device into fully managed provisioning if so desired by the G Suite administrator after inputting the managed Google account ID.

 
DPC identifier does not support DPC extras.
 
Managed accounts
 
Similar to the DPC identifier flow, for managed Google accounts (Google Workspace, Cloud Identity), the Google account can be associated to an EMM platform, either Google Workspace Advanced Management, or a 3rd party linked solution, and when entering the managed Google account in the Google account prompt during the setup wizard, the device will be routed into the enterprise provisioning flow.
 
Managed accounts do not support DPC extras.
 
QR code
 
Introduced in Android 7.0 and later improved in Android 9, QR code provisioning is invoked by tapping six times on the welcome screen of the setup wizard, which opens a scanner to scan an EMM-provided QR code. Prior to Android 9 the scanner is downloaded on invocation; from Android 9 the scanner is built in.
 
QR codes can be persistent or temporary, and single or multi-use. They're extremely useful for provisioning remotely, or for providing as a static asset in a shared location (such as an intranet) for simple setup.
 
QR code supports DPC extras.
 
Zero-touch
 
Introduced in Android 8, zero-touch allows for a full out-of-box-experience to be configured and deployed by IT without having to interact with the device in any way. When devices are purchased from authorised resellers, they can be added to a zero-touch customer account and through a default configuration, benefit from zero-touch provisioning for administrators. More details about zero-touch can be found here.
 
Zero-touch supports DPC extras.
 
Others
 
Outside of the core provisioning methods offered by Google, OEMs can and do also leverage their own provisioning solutions; popular examples include Samsung Knox Mobile Enrollment (link) and Zebra Stage Now (link). Depending on the hardware, other such examples of user-invoked provisioning include scanning a barcode (not a QR code), "listening" for an audio sample, hardware key combinations and more. Reach out to your OEM to understand if any such non-standard provisioning methods are supported on your hardware, and for details on how to leverage them.
 
What are DPC extras?
 
DPC extras for supported provisioning methods allow for the pre-configuration of various native and EMM-based variables. An admin can, for example, configure the EMM server URL, an enrollment ID, device locale, usernames/passwords (though not recommended) and more.
 
An example may look like this (the PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED value is either true or false):
 
{
  "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
  }
}
 
Reach out to your EMM vendor to understand the DPC extras available to be configured with your EMM. 
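
When extras are delivered in a QR code they are plain text to anyone who can scan it, so it is worth checking a payload before publishing it. The Python check below is an added example, not code from the original page or from any EMM vendor; the key-name heuristic and the com.example.emm.EXTRA_PASSWORD key are assumptions made for illustration. It rejects malformed payloads and reports credential-like values.

```python
import json
import re

ADMIN_BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
LEAVE_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
# Assumption: a key-name heuristic chosen for this example, not an Android or EMM list.
SENSITIVE = re.compile(r"passw(or)?d|secret|user_?name|token", re.IGNORECASE)

def lint_extras(raw):
    """Return (severity, message) findings for a DPC extras JSON string."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(payload, dict):
        return [("error", "top level must be a JSON object")]
    findings = []
    if LEAVE_APPS in payload and not isinstance(payload[LEAVE_APPS], bool):
        findings.append(("error", f"{LEAVE_APPS} must be a JSON boolean"))
    if not isinstance(payload.get(ADMIN_BUNDLE, {}), dict):
        findings.append(("error", f"{ADMIN_BUNDLE} must be a JSON object"))
    # Walk nested objects: the payload is plain text to anyone who can read it,
    # so every non-empty credential-like value is reported.
    stack = [payload]
    while stack:
        for key, value in stack.pop().items():
            if isinstance(value, dict):
                stack.append(value)
            elif SENSITIVE.search(key.rsplit(".", 1)[-1]) and value not in ("", None):
                findings.append(("warn", f"credential-like value in {key}"))
    return findings

# The page's example as printed: template placeholder and an unclosed brace.
AS_PRINTED = '''{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
}'''
# Constructed sample; com.example.emm.EXTRA_PASSWORD is a hypothetical EMM key.
CONSTRUCTED = json.dumps({
    LEAVE_APPS: "true",
    ADMIN_BUNDLE: {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken",
        "com.example.emm.EXTRA_PASSWORD": "example-only",
    },
})

if __name__ == "__main__":
    for name, raw in (("as printed", AS_PRINTED), ("constructed", CONSTRUCTED)):
        for severity, message in lint_extras(raw):
            print(f"{name}: {severity}: {message}")
```

A warning on the enrollment token is expected for any token-based payload; treat it as a reminder to prefer temporary or single-use codes when the QR code will sit in a shared location.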
 
Fully managed provisioning methods for work profile deployments
 
It's possible to deploy a work profile on a company owned device through both zero-touch and QR code provisioning. This provisioning flow allows for the inflation of work profiles on company-owned devices, or a COPE deployment.
 