What is Android Enterprise zero-touch?


Android Enterprise zero-touch allows an enterprise to enroll company-owned devices in an EMM system without going through the manual enrollment procedure. The Android Enterprise zero-touch integration with FAMOC EMM makes it possible to auto-enroll all devices running Android 8 and newer.

For more information, visit the Android Enterprise zero-touch page:

https://www.android.com/enterprise/management/zero-touch/


Integrating FAMOC Server with zero-touch service


In order to use the FAMOC zero-touch integration, a FAMOC administrator has to integrate and authorize the whole FAMOC Server machine with the appropriate Google Enterprise API. As a FAMOC administrator you will need:

  • SSH access to your FAMOC application machine

  • A Google account


Create Google Developer Project


Using your Google account, log in to Google’s Developer Console - https://console.developers.google.com


Once logged in, create a new project. It will contain all zero-touch settings for this FAMOC Server integration, including the appropriate credentials.

Choose a name for your project that will help you identify it in the future. When the notification icon indicates that the project is ready, you’re all set to enable the Enterprise API.


Enable Enterprise API


Make sure that you’ve selected your project, and then go to:


  • “Menu” -> “APIs & Services” -> “Library”

  • or click “ENABLE APIS AND SERVICES”



In order to support zero-touch, the Google project that you just created needs the following API to be enabled:


  • Android Device Provisioning Partner API
    (Service name: androiddeviceprovisioning.googleapis.com)


Search for this API in Google’s library, select it and then click “ENABLE”.



Configure API Credentials


FAMOC zero-touch integration uses OAuth 2.0 credentials for authentication and authorization. In this step we’ll set up this method.


Configure OAuth Consent screen


Make sure that you’ve selected your project, and then go to:

  • Menu -> APIs & Services -> Credentials -> OAuth Consent screen



This OAuth consent screen will be presented to an administrator who is adding a zero-touch account to an organization in FAMOC. Fill in the appropriate information, paying extra attention to these fields:

  • Application name (required)

  • Support e-mail (required)

  • Authorized domains (required) - it has to be the top-level domain on which your FAMOC Server is hosted (e.g. if the machine is hosted on ‘emm.company.com’, the top-level domain will be ‘company.com’)

  • Application logo - required only if you want to display a logo; otherwise optional

  • Application Homepage link, Application Privacy Policy link



When configured, click SAVE at the bottom of the page.


Configure OAuth client ID


Once you’ve configured the OAuth consent screen you can generate credentials for your FAMOC Server. Make sure that you’ve selected your project, and then go to:

  • Menu -> APIs & Services -> Credentials -> Credentials

From the dropdown menu, choose OAuth Client ID and select Web application:



Fill in the appropriate information, paying particular attention to these fields:

  • Name (required) - internal name for the credentials (will not be displayed to users)

  • Authorized JavaScript origins (required) - address of your FAMOC Server machine, in the format: `https://emm.yourcompany.com`. Its domain has to match the authorized domain configured in the OAuth consent screen.

  • Authorized redirect URIs (required) - return address used during zero-touch enrollment. It has the format: `https://emm.yourcompany.com/ui/devices/enrollment/zeroTouch`. Its domain has to match the authorized domain configured in the OAuth consent screen.


When configured, click CREATE at the bottom of the page. Download your credentials by clicking the Download JSON button next to the credentials that you have just configured.



Add Credentials to your FAMOC Server machine


The final step in integrating zero-touch with your FAMOC Server machine is adding the credentials from the previous step to the server. In order to do so, first log in to your FAMOC Server via SSH as a user with root privileges. Once authorized, edit this file with the editor of your choice, e.g.:


[root@famoc-app /]# nano /var/www/aplikacje/config.php


In the file, find the section that begins with `/*--BEGIN CUSTOM GLOBAL--*/` and add the content of the downloaded file as follows:


/*--BEGIN CUSTOM GLOBAL--*/

$cons_zt_json='CONTENT_OF_JSON_CREDENTIALS_FILE';

/*--END CUSTOM GLOBAL--*/


Save the file and close the SSH session. Your FAMOC Server is all set and your administrators may start using the benefits of zero-touch integration.
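Before pasting the downloaded JSON into config.php it is worth checking that the credentials actually match the requirements listed in the previous steps (a Web application client, https redirect URI ending in /ui/devices/enrollment/zeroTouch, origins inside the authorized domain), and that the resulting PHP line is escaped correctly. The script below is an added example, not FAMOC's or Google's own code. It assumes the downloaded file has the layout Google's console produces for Web application clients (a top-level "web" object with client_id, client_secret, redirect_uris and javascript_origins); SAMPLE_JSON is a constructed sample with placeholder values, and the permission check is an added recommendation, since config.php now holds the OAuth client secret.

```python
"""Check a downloaded Google OAuth client JSON against the FAMOC zero-touch
requirements and render the $cons_zt_json line for config.php.
Added example, not part of FAMOC or Google's tooling."""
import json
import os
import stat
from urllib.parse import urlparse

# Redirect path FAMOC expects (taken from the documentation above).
ZERO_TOUCH_REDIRECT_PATH = "/ui/devices/enrollment/zeroTouch"


def host_in_domain(host: str, domain: str) -> bool:
    """True when host equals the authorized domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def validate_credentials(json_text: str, famoc_origin: str, authorized_domain: str) -> list:
    """Return a list of problems; an empty list means the JSON matches what FAMOC needs."""
    problems = []
    try:
        data = json.loads(json_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    web = data.get("web")  # assumed layout of a 'Web application' client download
    if not isinstance(web, dict):
        return ["credentials are not a 'Web application' OAuth client (no 'web' key)"]
    for key in ("client_id", "client_secret"):
        if not web.get(key):
            problems.append(f"missing {key}")
    origin = famoc_origin.rstrip("/")
    expected_redirect = origin + ZERO_TOUCH_REDIRECT_PATH
    redirects = list(web.get("redirect_uris", []))
    origins = list(web.get("javascript_origins", []))
    if expected_redirect not in redirects:
        problems.append(f"redirect_uris must contain {expected_redirect}")
    if origin not in origins:
        problems.append(f"javascript_origins must contain {origin}")
    for url in redirects + origins:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{url}: must use https")
        if not host_in_domain(parsed.hostname or "", authorized_domain):
            problems.append(f"{url}: host is outside authorized domain {authorized_domain}")
    return problems


def php_single_quoted(text: str) -> str:
    """Escape for a PHP single-quoted literal: only backslash and the quote itself are special."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_custom_global(json_text: str) -> str:
    """Produce the CUSTOM GLOBAL section with the JSON compacted onto one line."""
    compact = json.dumps(json.loads(json_text), separators=(",", ":"))
    return ("/*--BEGIN CUSTOM GLOBAL--*/\n"
            f"$cons_zt_json={php_single_quoted(compact)};\n"
            "/*--END CUSTOM GLOBAL--*/")


def mode_is_too_open(mode: int) -> bool:
    """config.php now holds a client secret: flag group/other read permission."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def config_file_is_too_open(path: str) -> bool:
    return mode_is_too_open(os.stat(path).st_mode)


# Constructed sample in the shape of Google's "Download JSON"; every value is a placeholder.
SAMPLE_JSON = json.dumps({
    "web": {
        "client_id": "PLACEHOLDER.apps.googleusercontent.com",
        "project_id": "famoc-zero-touch-example",
        "client_secret": "PLACEHOLDER_SECRET",
        "redirect_uris": ["https://emm.company.com/ui/devices/enrollment/zeroTouch"],
        "javascript_origins": ["https://emm.company.com"],
    }
})

if __name__ == "__main__":
    issues = validate_credentials(SAMPLE_JSON, "https://emm.company.com", "company.com")
    print("problems:", issues or "none")
    print(render_custom_global(SAMPLE_JSON))
```

Run it with the real file by replacing SAMPLE_JSON with the downloaded contents; after saving config.php, `config_file_is_too_open("/var/www/aplikacje/config.php")` returning True means the file is readable by other local accounts and its mode should be tightened.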


Adding zero-touch account to FAMOC organization


In order to start adding zero-touch devices to your FAMOC organization, you need to add your company zero-touch account to your FAMOC organization. You can do that using the bulk enrollment wizard in the devices view. When you are logged in to your organization as an administrator, go to the DEVICES tab, then hover over the icon and choose Bulk enrollment.



And then select Android zero-touch method:



To add a new zero-touch integration, use the Start now button. It will open a modal that guides you through the authorization process. Choose Authorize Google:



Log in with your zero-touch administrator account and grant appropriate permissions to FAMOC:



Once successfully authorized, FAMOC will be able to manage your zero-touch integration. From the dropdown list choose the desired zero-touch account to integrate with (if your administrator account is connected to more than one company in the zero-touch console). Then choose the default user of the devices in FAMOC and assign Device Groups. You can also decide whether you wish to require credentials from the user for enrollment:



On the next screen, provide the company details that will be presented to the user during the device enrollment process:



Finally, select the devices that you want to import to FAMOC. You can select the required devices manually or choose the Autoimport option, which will periodically (at a 30 min interval) synchronize new devices from zero-touch to FAMOC. If you wish to require user authorization for enrollment of a specific device, select the Require credentials option.


A device can be in one of 3 states, based on its zero-touch configuration assignment:

  1. UNASSIGNED - the device has no zero-touch configuration (and will receive one if selected, or if autoimport is chosen)

  2. CURRENT - the device already has the current zero-touch configuration assigned (and will not receive a new configuration during synchronizations)

  3. OTHER - the device already has a different EMM’s zero-touch configuration assigned. By default it will not receive a new zero-touch profile during autoimport. To override the other EMM’s profile you must select the required devices in this step.



Once you’ve selected your configuration, click Synchronize to add the devices to your FAMOC account. You will be redirected to the summary screen.



Go to the zero-touch portal in your browser and log in to your account (https://partner.android.com/zerotouch). Go to the Devices tab. You'll see your organization's devices.



The Available devices field shows: number of successfully imported devices / number of selected devices. In case of any problems with the import, see the system log for more details.

Once the synchronization is complete, you’re all set! The devices will enroll in FAMOC once turned on.