Jump to:navigation, search
Wiki

Android Zero-Touch

From Securepoint Wiki













































De.png
En.png
Fr.png









Configure Android Zero Touch

Last adaptation to the version: 1.16

New:
  • Updates
Last updated: 
    11.2024
notempty
This article refers to a Resellerpreview
Access: portal.securepoint.cloud  Mobile Security Settings

Zero-Touch

Android Zero-Touch offers the possibility to use devices

  • without physical contact to the administrator
  • and without scanning a QR code into an MDM.
  • Devices are identified solely by their serial number (Wifi-only) or their IMEI.
  • It is thus not possible to put the device into operation without MDM.

Procedure

Order device from registered dealer for zero-touch devices

  • Only certain devices are suitable for Android Zero-Touch: Device list
  • These devices must mandatorily be purchased from certain retailers who can register the serial numbers or IMEIs with Google for Zero-Touch.
    List of dealers for Germany | List of dealers for Austria | List of dealers for Switzerland
  • The reseller must be provided with a Gmail address and associated company name at the time of order.
    Multiple Gmail addresses can be assigned to a Securepoint Unified Security instance
    Only one company name can be assigned to each Gmail address.

    • Establish a link with Zero-Touch

    Link Securepoint Unified Security Tenant (end customer) to a Gmail address registered in Google's Zero Touch portal

















































    Requirements
    • A Gmail address,
    • which was provided to the dealer when the device was ordered.
  • To avoid unwanted side effects, a new account should definitely be created.

    It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com

    • notempty
    If the account is suspended by Google or deleted by the owner, all devices will be reset.
    It is essential to ensure that this Google account is not deleted under any circumstances, or that the GMail address is blocked.



    Configuration

    Configuration in the Securepoint Mobile Security Portal under  Mobile Security Settings of the respective end customer/tenant in the section  Android Zero Touch

    Step 1: Dialog: Add
    Step 1: Dialog: Add
     Add/Link Opens the dialog for adding a link
    Google-Zero-touch-en.png
    Step 2
    Access data for Google account
    Google-Zero-touch-Zugriff-en.png
    Step 3
    Grant access permission
  • A security alert from Google is sent via email: "Securepoint Unified Security has been granted access to your Google account".













    • Step 2: Login data
    Step 2: Login data
    Enter the access data to the Google account that was registered with the dealer when ordering mobile devices
    Step 3: Grant access permissions
    Step 3: Grant access permissions

    Grant access permission so that the portal can access the Google account as needed

  • A security alert from Google is sent via email: "Securepoint Unified Security has been granted access to your Google account".
    • Step 4: Finalize
    Step 4: Finalize
     Confirm The Google user account has been successfully added for Zero-Touch configuration. Finish with the Confirm button. Google-Zero-touch-hinzugefügt-en.png
    Finish with the Confirm button
    Result
    Result
    Google account linked to Zero-Touch MSP v1.16 Einstellungen Zero-touch-en.png
    Zero-Touch entry in the Settings menu
    MS v1.16 Gerät Zerotouch nicht konfiguriert-en.png

    If the retailer has already stored the IMEI or serial number in Google's Zero Touch portal, the device will appear in the  Mobile Security Android Devices menu with a Zero Touch tag in the header of the device tile.


    Create enrollment tokens

    MS 1.31 Android Geräte Token Zero-Touch-en.png
    Dialogfenster zur Erstellung eines Enrollment Tokens für Zero Touch

    Es muss ein Enrollment Token für die Registrierung von Zero Touch Geräten erstellt werden.
    Dafür wird ein Android-Profil benötigt. Entweder kann ein bestehendes genutzt werden, oder ein neues Profil wird angelegt. Weitere Informationen dazu sind im Wiki-Artikel zu Android-Profilen zu finden.
    Die nächsten Schritte:

    •  Mobile Security Android Devices Schaltfläche  Neues Gerät anmelden
    • Im Dialogfenster:
      • Möchten Sie einen vorhandenen Registrierungstoken verwenden? Erstellen Sie einen neuen Registrierungstoken
      • Profil das gewünschte Profil
      • Lizenz die entsprechende Lizenz
      • Code nutzen    notempty
        Das muss aktiviert werden, sonst ist der Registrierungstoken für Zero Touch nicht nutzbar!
      • Weitere Optionen kann beliebig konfiguriert werden
      •  Registrierungstoken erstellen

    Das so erstellte Enrollment Token kann jetzt für Zero Touch verwendet werden.


    Register Zero Touch device


























































    Registration in the menu  Mobile Security Android Zero-Touch
    Either

    • Add device to an existing configuration:
      • Edit configuration: Click on the device tile (or via the hamburger menu in the device tile at the top right) /  Edit)
      • if necessary, select a new valid enrollment token
        Enrollment tokens are valid for a maximum of 30 days
      • Select device(s) by IMEI or serial number
      • Save information

    or

    • with the button  Add configuration
      • select enrollment token
      • select customer
      • Fill in other details (company name, contact details...)
      • Select device(s) by IMEI or serial number
      • Save details
  • As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
    The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBU or COSU.
    Only the scanning of the enrollment token is omitted!
    • Name TTT-Point Zero Touch Configuration name MSP v1.16 Zero-Touch Konfiguration hinzufügen.png
    Menu for adding zero touch devices
    Enrollment token
    		Profile: Selected profile | Token abCD12 The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration. notempty
    For security reasons for ZeroTouch Enrolment, only enrolment tokens that have been provided with a PIN can be selected.
    Customer SecurepointCustomer The description for the customer as it was transmitted to the device retailer.
    If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.
    Standard    Defines whether this configuration is the default or not.
    When    is enabled, new zero touch devices are automatically added to this configuration unless another is specified
    Note: At least one configuration should be defined as default.
    Company TTT-Point Freely selectable designation for the company to which this device is to be assigned.
    E-mail admin@anyideas.de Contact Email Address
    Displays on mobile during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.
    Phone number 01234-56789 Contact phone number display see above
    Custom message Welcome to TTT-Point Shown on the display during device setup
    Devices 123456789012345 This configuration can be assigned to devices based on their IMEI or serial number
  • The box is only active if a customer has been selected as well
    •  Save Saves the configuration
    Zero touch configuration with assigned device MSP v1.16 Zero-Touch Konfiguration-en.png

    Closing by user

  • The end user must now switch on the device for the first time and establish an Internet connection.
    The configuration from the profile is then automatically applied to the device.
    • Retrieved from "https://wiki.securepoint.de/index.php?title=MS/enrollment/Zero-touch&oldid=93868"