How to setup Android Zero Touch Corporate-owned, fully managed user devices with Intune

Just a quick step-by-step guide on how to configure Android Zero Touch with Intune.

Why

Why do we want to use Corporate-owned, fully managed user devices? In order to give the user an out-of-box experience that automatically enrolls devices into our MDM solution, just like Apple DEP but for Android Enterprise devices. It also gives a less confusing user experience, as we only have a work profile and not a private AND a work profile, like we do with personally owned Android devices.

Of course this is still a preview feature in Intune, and the details are subject to change.

Prerequisites

  • A compatible device running Android Oreo (8.0), or a Pixel phone with Android Nougat (7.0), purchased from a reseller partner
  • Intune licenses
  • A login to the Android Zero Touch portal provided by your reseller ( https://partner.android.com/zerotouch )

To do

  • Enable Managed Google Play
  • Create Android Zero Touch Token
  • Create an Android Zero Touch configuration

Preparations in Intune

First we need to create an Enrollment Token in Intune. If you haven’t used Managed Google Play with Intune yet, this needs to be configured too.

Enable Managed Google Play

Go to Microsoft 365 Device Management Portal ( https://devicemanagement.portal.azure.com ) and go to Device Enrollment -> Android enrollment.

If Managed Google Play is enabled in your tenant, skip this and go to the next section.

Click Managed Google Play

Agree to the EULA and click “Launch Google to connect now”

A new window opens; make sure you are signed in with your managed Google account and click “Get started”

Enter your organization’s name and make sure Intune is selected as Enterprise mobility management (EMM) provider

Enter the required info and continue. This doesn’t have to be a real person or real information.

Complete registration and return to Intune

Verify that the setup is completed and close this window. Now Managed Google Play is set up in your tenant.

Create an Enrollment Token for Android Zero Touch

Still in the Microsoft 365 Device Management Portal (https://devicemanagement.portal.azure.com ) -> Device Enrollment -> Android enrollment.

This is a prerequisite for when we are going to create the actual Zero Touch configuration.

Select Corporate-owned, fully managed user devices

Change “Allow users to enroll corporate-owned user devices” to Yes

Copy the Token and save it for later.

Create an Android Zero Touch configuration

Log in to the Android Zero Touch portal with your Managed Google Play login (the same one used to set up Managed Google Play): https://partner.android.com/zerotouch

When signed in, click the little plus sign to create a new configuration.

Give it a name.

Select Microsoft Intune in the EMM DPC field.

In DPC extras, input the following JSON, but edit the value of EXTRA_ENROLLMENT_TOKEN to the token created in the step above:

{
  "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "HJASYXKY"
  }
}

More info on the above JSON can be found here:

https://bayton.org/docs/enterprise-mobility/android/android-enterprise-zero-touch-dpc-extras-collection/#intune
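As an added example (not code from the original post or from Intune), a small Python helper that builds the DPC extras JSON from the token copied out of Intune and sanity-checks a pasted blob before it goes into the Zero Touch portal. The key names are the ones in the JSON above; the checks for stray whitespace and for the unreplaced sample token are my own assumptions about common copy/paste mistakes.

```python
import json

# Keys used by the Zero Touch DPC extras for Intune (taken from the JSON above).
LEAVE_SYSTEM_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
ENROLLMENT_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
SAMPLE_TOKEN = "HJASYXKY"  # the sample value shown in the guide, not a real token


def build_dpc_extras(token: str, leave_system_apps: bool = True) -> str:
    """Return the DPC extras JSON string to paste into the Zero Touch portal."""
    token = token.strip()  # whitespace picked up while copying would break enrollment
    if not token:
        raise ValueError("enrollment token must not be empty")
    if token == SAMPLE_TOKEN:
        raise ValueError("replace the sample token with the one copied from Intune")
    extras = {
        LEAVE_SYSTEM_APPS: leave_system_apps,
        ADMIN_EXTRAS: {ENROLLMENT_TOKEN: token},
    }
    return json.dumps(extras, indent=2)


def check_dpc_extras(text: str) -> list:
    """Check a DPC extras JSON blob before pasting it; return a list of problems."""
    problems = []
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]
    if not isinstance(extras.get(LEAVE_SYSTEM_APPS), bool):
        problems.append(f"{LEAVE_SYSTEM_APPS} must be true or false")
    bundle = extras.get(ADMIN_EXTRAS)
    if not isinstance(bundle, dict):
        problems.append(f"{ADMIN_EXTRAS} must be an object")
    else:
        token = bundle.get(ENROLLMENT_TOKEN)
        if not isinstance(token, str) or not token.strip():
            problems.append(f"{ENROLLMENT_TOKEN} is missing or empty")
        elif token != token.strip():
            problems.append("enrollment token has leading/trailing whitespace")
        elif token == SAMPLE_TOKEN:
            problems.append("enrollment token is still the sample value from the guide")
    return problems


if __name__ == "__main__":
    print(build_dpc_extras("TOKEN-FROM-INTUNE"))  # constructed placeholder token
```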

Fill the rest of the fields and click Add.

In Default Configuration select the newly created Configuration and click apply.

On Devices, verify that your device(s) have the default profile assigned:

What is the user experience?

Booting up a device assigned to the Zero Touch profile looks like this. I did not include all the screens, only those I found important for this post 🙂


Connect to Wifi

In the next picture we see the device trying to connect to our tenant!

After a few more steps, we are prompted to sign in with our corporate credentials.

A few more steps.

Work apps are being installed

Once done we can see that Intune Company Portal and Microsoft Authenticator are installed. If I had pushed other apps out, they would of course also be installed and possibly configured.

That’s it, a pretty nice feature that gives us a bit more control of Android devices than we previously had.

/ @Larsstaal

7 thoughts on “How to setup Android Zero Touch Corporate-owned, fully managed user devices with Intune”

  1. Zero-Touch portal: we must create an account in the Google store, then link it in Intune, then we must ask our reseller for access to the Zero-touch portal, right? How do they do it?


  2. Hi Lars, thank you very much for sharing this! We are investigating zero-touch devices in conjunction with Intune, and I have been asked to document the user experience setting up a device. How did you manage to screenshot the screens on the device during the setup phase? I can’t figure it out.

    Many thanks
    Jacques


  3. Hi

    Just a quick question: when the user logs in for the first time and authenticates on their new device, if MFA is enabled on their 365 account, does that notification appear?

    That is the big issue we’re having with vanilla Intune on fully managed policies.

    Thanks
