# Provisioning

## Provisioning <a href="#provisioning" id="provisioning"></a>

### How do I enroll a personal device in a work profile? <a href="#how-do-i-enroll-a-personal-device-in-a-work-profile" id="how-do-i-enroll-a-personal-device-in-a-work-profile"></a>

#### Steps for IT Admin in the EMM <a href="#steps-for-it-admin-in-the-emm" id="steps-for-it-admin-in-the-emm"></a>

1. Open *EMM Console* to the *Policies* screen.
2. On the desired work profile policy, click *Generate Enrollment Barcode*.
3. Create a name for the barcode and select a desired lifespan for the enrollment code, up to 30 days. Click *Generate*.
4. Take a screenshot of the QR code and the 20-character manual-entry code or copy and paste them to a document for easy retrieval.
5. Provide the codes (and their expiration date) to the end-users who will be enrolling their personal devices.

#### Steps for End-User on the Device <a href="#steps-for-end-user-on-the-device" id="steps-for-end-user-on-the-device"></a>

1. In the personal Google Play Store on the device, install [Android Device Policy Controller (DPC)](https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc&hl=en_US).
2. Open Android DPC to the *Enroll this device* screen and click *Next*.
3. Scan the QR code provided by the IT administrator, or press *Enter code* to type the code manually.
4. Click *View terms* to review general work profile information about the IT administrator’s access and any organization-specific terms and conditions. Click *Accept & continue*.
5. Once the work profile finishes loading, click *Next*.
6. The profile registers, and the screen continues to *Set up your work profile* with steps designated by the IT administrator.
7. Follow prompts to set a screen lock. Options may be limited by IT administrator’s security preferences.
8. Click *Install* to install work apps. Click *Next* once complete.
9. Click *Done* to return to device. It will now have a separate section for work profile apps (how these are divided may vary by device).

### How do I enroll a managed or dedicated device via QR code? <a href="#how-do-i-enroll-a-managed-or-dedicated-device-via-qr-code" id="how-do-i-enroll-a-managed-or-dedicated-device-via-qr-code"></a>

#### Steps in the EMM <a href="#steps-in-the-emm" id="steps-in-the-emm"></a>

1. Open *EMM Console* to the *Policies* screen.
2. On the desired policy, click *Generate Enrollment Barcode*.
3. Create a name for the barcode and select a desired lifespan for the enrollment code, up to 30 days. Click *Generate*.
4. Take a screenshot of the QR code and the 20-character manual-entry code or copy and paste them to a document for easy retrieval.

#### Steps on the Device <a href="#steps-on-the-device" id="steps-on-the-device"></a>

1. The device must start out at factory reset state.
2. Press *Start* on the initial startup screen.
3. If the device has a barcode scanner and a built-in option to set up from a barcode, scan the QR code now; this automates steps 5-6 and 8-9.
4. Select and log in to a Wi-Fi network.
5. When prompted to copy apps and data from the cloud, select *Set up as new*.
6. When prompted to log in to a Google account, enter the EMM token *afw#setup* in the *Email or phone* field and submit.
7. The device will begin setting up for Android for Work, and will provide a *View terms* link to Google’s terms and conditions. Click *Accept & continue*.
8. *Enroll this device* screen will display. Click *Next*.
9. Scan the QR code or press *Enter code* to manually type in the code.
10. When the device finishes updating, follow prompts to set a screen lock. Options may be limited by IT administrator’s security preferences.
11. Click *Install* to install work apps. Click *Next* once complete.
12. The device opens to its designated main page - either the Android home if a managed device, or the kiosked app/set of apps if a dedicated device.
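
A check an administrator can run on the decoded text of an enrollment QR code before handing it out, to confirm it still points at Android Device Policy and carries a 20-character code. This is an added example, not code from the EMM or from this guide. It assumes the barcode encodes the standard Android provisioning JSON; the key names are Android provisioning extras, while the expected download host, the helper names, and both sample payloads are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Android provisioning extras; assumed to be the keys in the EMM's QR payload.
K_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
K_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
K_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

DPC_PACKAGE = "com.google.android.apps.work.clouddpc"  # package id in the Play link on this page
DOWNLOAD_HOST = "play.google.com"  # assumption: the DPC is fetched from Google Play
TOKEN_LENGTH = 20  # length of the manual-entry code given in the steps


def check_qr_payload(text):
    """Return the problems found in decoded QR text; an empty list means it passed."""
    try:
        payload = json.loads(text)
    except ValueError:
        return ["payload is not valid JSON"]
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    problems = []
    component = payload.get(K_COMPONENT)
    if not isinstance(component, str) or component.split("/", 1)[0] != DPC_PACKAGE:
        problems.append("admin component is not Android Device Policy")
    download = payload.get(K_DOWNLOAD)
    url = urlparse(download if isinstance(download, str) else "")
    if url.scheme != "https" or url.hostname != DOWNLOAD_HOST:
        problems.append("DPC download location is not https://" + DOWNLOAD_HOST)
    extras = payload.get(K_EXTRAS)
    token = extras.get(K_TOKEN) if isinstance(extras, dict) else None
    if not isinstance(token, str) or len(token) != TOKEN_LENGTH:
        problems.append("enrollment token is missing or not 20 characters")
    return problems


def sample_payload(component, token, download="https://play.google.com/managed/downloadManagingApp?identifier=setup"):
    """Build constructed QR text (not a real enrollment code) for the demo."""
    return json.dumps({K_COMPONENT: component, K_DOWNLOAD: download, K_EXTRAS: {K_TOKEN: token}})


GOOD = sample_payload(DPC_PACKAGE + "/.receivers.CloudDeviceAdminReceiver", "X" * 20)
SWAPPED = sample_payload("com.example.otherdpc/.AdminReceiver", "X" * 20)

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("SWAPPED", SWAPPED)):
        print(name, check_qr_payload(text) or "ok")
```
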

### How do I enroll a managed or dedicated device via Zero-Touch Enrollment? <a href="#how-do-i-enroll-a-managed-or-dedicated-device-via-zero-touch-enrollment" id="how-do-i-enroll-a-managed-or-dedicated-device-via-zero-touch-enrollment"></a>

1. Zero-touch enrollment is a process which configures Android devices to their owners’ specifications out of the box with minimal user selection. On first boot or factory reset, the device checks for a configuration, downloads the appropriate DPC, and proceeds through setup. In order for the company IT administrator to register for a customer zero-touch account, the company must receive its devices from a reseller with a reseller zero-touch account. For more information, see Google’s article on [Zero-touch enrollment for IT admins](https://support.google.com/work/android/answer/7514005).
2. Register for a zero-touch portal customer account [here](https://docs.google.com/forms/d/e/1FAIpQLSeDHeWgCN8QRbIQL-7uwmCkC2y2sVmMETfUcsLeNpfXw8AKaQ/viewform), or the company’s device reseller can add a customer account.

#### Steps for IT Admin in the EMM <a href="#steps-for-it-admin-in-the-emm_1" id="steps-for-it-admin-in-the-emm_1"></a>

1. Open *EMM Console* to the *Policies* screen.
2. On the desired policy, click *Generate Enrollment Barcode*.
3. Create a name for the barcode and select a desired lifespan for the enrollment code, up to 30 days. Click *Generate*.
4. Take a screenshot of the QR code and the 20-character manual-entry code or copy and paste them to a document for easy retrieval.

#### Steps to Add a Policy Configuration in Zero-Touch Portal <a href="#steps-to-add-a-policy-configuration-in-zero-touch-portal" id="steps-to-add-a-policy-configuration-in-zero-touch-portal"></a>

1. Click *Configurations* in the navigation panel.

<figure><img src="https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FKvlyRTqx2oW0SnUM2Wjb%2Fprovisioning_zeroTouch.png?alt=media&#x26;token=f3e7f262-a220-41fb-859b-411eabce95bf" alt="" width="563"><figcaption></figcaption></figure>

2. Click **+** in the *Configurations* table to add a configuration.
3. *Configuration Name:* Enter a name for the configuration.
4. *EMM DPC:* Select “Android Device Policy.”
5. *DPC Extras:* Leave this field empty.
6. *Company name:* Enter the company name as it should be displayed to the user during provisioning.
7. *Support email address:* Enter the email address to be displayed on the provisioning screen for the user to contact with issues during setup.
8. *Support phone number:* Enter the phone number to be displayed on the provisioning screen for the user to contact with issues during setup.
9. *Custom message (Optional):* Enter a brief message to be displayed on the support contact info screen before provisioning.
10. Click *Add* to save the configuration.
11. Click *Devices* in the navigation panel.
12. Locate the device to be configured with zero touch and set the appropriate configuration.

#### Steps for End-User to Provision Device <a href="#steps-for-end-user-to-provision-device" id="steps-for-end-user-to-provision-device"></a>

1. Boot device for the first time or factory reset it. Press the *Start* button on the initial setup screen.
2. If there are multiple options to proceed through setup (e.g. scanning a barcode and manual setup), zero-touch will block options other than manual setup.
3. Device will display a message stating that it “will be managed and kept secure” by the organization. It will have a *View terms* link for Google’s terms and conditions and a link to the contact information that the organization’s IT administrator entered in the Zero-Touch Portal.
4. Click *Accept & continue*.
5. Android DPC is automatically installed. *Enroll this device* screen is displayed. Click *Next*.
6. Scan the QR code or press *Enter code* to manually type in the code.
7. When the device finishes updating, follow prompts to set a screen lock. Options may be limited by IT administrator’s security preferences.
8. Click *Install* to install work apps. Click *Next* once complete. The device opens to its designated main page - either the Android home if a managed device, or the kiosked app/set of apps if a dedicated device.
