Simplifying Device Onboarding: Android Zero Touch Enrollment Explained

Nearly every owner of a smartphone dreads losing their device or having it stolen. You risk permanently losing any pictures, contacts, text messages, and other application data not backed up elsewhere. According to a 2011 study by the physical device security company Kensington, 70 million smartphones are lost annually, 93 percent of which are never recovered.

Of course, the risk connected to data loss multiplies significantly when the lost device is a company-owned work phone. Not only is the device an expensive piece of capital, but its loss also increases the likelihood of company or client data being exposed. The same Kensington study found that 52 percent of device thefts occur in the workplace.

Combine that with the cybersecurity company Varonis’ estimate that “1 in 36 mobile devices have high-risk apps installed” and the firm’s broader perception that mobile and IoT (Internet-of-Things) devices are at the center of “a huge increase in hacked and breached data,” and the statistics start to look pretty scary for data security in the enterprise mobility management sphere.

While no plan is going to be the silver bullet that eliminates all risk, one solid risk-mitigation technique is to have mobile security policies, such as remote device wiping, deployed to all company-owned devices as soon as they are turned on for the first time.

One tool that significantly increases security for Android devices is Google’s Zero-Touch Enrollment (ZTE). Zero-Touch enrolls your device straight out of the box into whatever Android Enterprise security policies you choose, significantly narrowing the opportunities for a bad actor to compromise a device before it is secured.

How Zero-Touch Works

Introduced by Google in 2017, Zero-Touch Enrollment is implemented by two parties: device resellers (Google publishes a list of participating resellers) and IT administrators. Each party uses the same Zero-Touch Portal website for its separate tasks.

Device resellers use the site to register the devices they sell to customers for Zero-Touch. IT administrators purchasing these devices use the site to configure the unbox-to-enrollment flow that the end-user will see. For example, as an IT admin, you could set up a configuration for all devices to enroll straight into an Enterprise Mobility Management (EMM) policy by including the EMM’s enrollment token in the configuration.
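
As an added illustration (not from the original post), this is the shape of the DPC extras JSON an IT admin pastes into a zero-touch configuration so that devices enroll with Google’s Android Device Policy client at first boot. The key names are the standard Android provisioning extras; the enrollment token and the signature checksum are placeholders to be replaced with the value issued by your EMM and the value published in Google’s Android Management API documentation.

```json
{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
    "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
    "<signature checksum from Google's Android Management API docs>",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
    "https://play.google.com/managed/downloadManagingApp?identifier=setup",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":
      "<enrollment token issued by your EMM>"
  }
}
```

Two details matter for security here. The signature checksum lets the provisioning flow verify the device policy controller it downloads before running it, so an attacker who controls the network during first boot cannot substitute their own management app. The enrollment token binds the device to one specific policy, which is what makes the first-boot flow land the device in your chosen security configuration rather than in an unmanaged state.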

The real strength of Zero-Touch is that once a device is connected to a cellular or WiFi network, there is only one viable path to set it up. The end-user, or a bad actor who manages to get his hands on a device, cannot access the Android operating system until the device has connectivity. 

Then he must proceed through the enrollment flow, which could be configured to deploy security policies. Think how much narrower the window of exploitation is in that scenario compared to a situation where a device is already set up in Android and is handed to the end-user to enroll in security policies at their own leisure.

Securing Devices Through an EMM

The next step is to ensure that the security policies which Zero-Touch Enrollment pushed provide the level of security the company desires. I mentioned earlier that a Zero-Touch configuration could include enrollment in an EMM. 

Android Enterprise EMMs use Android Management APIs to provide a selection of security protocols for the IT administrator to configure. A company can choose which protocols it thinks are relevant to its needs and only turn on those. For example, an enterprise could choose to set up policies regarding…

  • Authentication
    The company could require the creation of a screen-lock password before the device can complete enrollment. The organization could go a step further and specify the degree of complexity for each password. Maybe a simple numeric PIN is secure enough for one organization’s needs, but another requires a PIN without consecutive or repeating numbers, and yet another could set its policy to accept only passwords containing numbers, letters, and special characters.
  • Compliance Enforcement
    An enterprise policy could include protocols to automatically lock down applications or wipe the device completely if it is out of compliance with its policy for a prescribed amount of time.

  • Network Security
    Protocols like requiring all apps to be scanned by Play Protect in the Managed Google Play Store or requiring devices to connect through an always-on VPN are options for an organization to protect its network from intrusion.
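
As an added example (not from the original post, and not any particular EMM’s shipped default), here is an Android Management API policy that expresses all three of the categories above in one document: a complex screen-lock password, enforcement rules that first block and then wipe a device that stays out of compliance, and network controls that enforce Play Protect, restrict the Play Store to approved apps, and route traffic through an always-on VPN. The VPN package name com.example.corp.vpn is a placeholder for whatever VPN app the organization deploys; the day counts and minimum lengths are illustrative values to be tuned.

```json
{
  "passwordPolicies": [
    {
      "passwordScope": "SCOPE_DEVICE",
      "passwordQuality": "COMPLEX",
      "passwordMinimumLength": 8,
      "passwordMinimumLetters": 1,
      "passwordMinimumNumeric": 1,
      "passwordMinimumSymbols": 1,
      "maximumFailedPasswordsForWipe": 10
    }
  ],
  "policyEnforcementRules": [
    {
      "settingName": "passwordPolicies",
      "blockAction": { "blockAfterDays": 3, "blockScope": "BLOCK_SCOPE_DEVICE" },
      "wipeAction": { "wipeAfterDays": 7, "preserveFrp": true }
    }
  ],
  "advancedSecurityOverrides": {
    "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED",
    "untrustedAppsPolicy": "DISALLOW_INSTALL"
  },
  "playStoreMode": "WHITELIST",
  "applications": [
    { "packageName": "com.example.corp.vpn", "installType": "FORCE_INSTALLED" }
  ],
  "alwaysOnVpnPackage": {
    "packageName": "com.example.corp.vpn",
    "lockdownEnabled": true
  }
}
```

The three password tiers the text describes map onto the passwordQuality field: NUMERIC for a plain PIN, NUMERIC_COMPLEX for a PIN that rejects repeated or sequential digits, and COMPLEX with the passwordMinimum* counts for a mix of letters, numbers, and symbols. The enforcement rule applies only to the password setting; a device that has not met it three days after the policy lands is blocked, and one still non-compliant after seven is wiped, with preserveFrp keeping factory-reset protection so the wiped handset cannot simply be set up again by whoever holds it. With lockdownEnabled on the always-on VPN, the device has no network path at all when the VPN is down, so a rogue app cannot reach the internet around the tunnel.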

These are just a few. The full enumeration of features offered by each EMM is available from Android’s list of partner EMMs.

As a finishing touch to the armor protecting your data on a lost or stolen device, consider the proprietary features that an EMM provider might offer as part of its own MDM (mobile device manager). For example:

EMM Examples

  • Microsoft Endpoint Manager’s Conditional Access Policy
    Conditional Access policies can grant or deny sign-in based on configurable signals like location, user role, or IP range, or can require further security steps like multifactor authentication.

    A well-configured Conditional Access protocol could handily quarantine a device from company resources if it presented indications of being in the wrong hands.

  • VMware Workspace ONE’s Data Loss Prevention Policy
    Data Loss Prevention is one of VMware Workspace ONE’s app security policies. It enables and disables features that could be used to extract data from a compromised device.

    The policy can enable whitelisting the apps allowed to open documents or disable copy-and-pasting from company documents, for instance.

  • BlueFletch Enterprise Luggage Tag Mode
    Luggage Tag Mode turns a company-owned Android into a mere display for the device owner’s contact information if it wanders off of the whitelisted networks.

    It provides options for a legitimate user to get back into the device and for an alarm to sound at set intervals.

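As an added example (not from the original post or from Microsoft’s documentation verbatim), this is the Microsoft Graph representation of a Conditional Access policy of the kind described above: for Android devices used by a corporate-devices group, any sign-in from outside the tenant’s trusted locations must satisfy both multifactor authentication and a compliant-device check. The group object ID is a placeholder, and the policy is created in report-only state so its effect can be reviewed in sign-in logs before it is enforced.

```json
{
  "displayName": "Android: require MFA and compliant device off trusted networks",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["All"] },
    "users": { "includeGroups": ["<object ID of the corporate-devices group>"] },
    "platforms": { "includePlatforms": ["android"] },
    "locations": { "includeLocations": ["All"], "excludeLocations": ["AllTrusted"] }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

The quarantine effect the text mentions comes from the compliantDevice control: Intune reports the device’s compliance state, so a handset that has been marked lost, wiped, or that drifts out of policy stops satisfying the grant and is cut off from company resources at the next sign-in, regardless of whether the holder knows the password. Once the report-only logs look right, changing state to enabled turns the policy on.
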
Each of these three platforms also provides an Android EMM and can support Zero-Touch Enrollment, permitting device admins to utilize all of Android’s standard security features from provisioning onward as well as any of the MDM’s own specialty protocols.

Zero-Touch has you covered

Let’s go back to the statistics we were looking at earlier. If 93 percent of the millions of devices lost each year are never recovered, then being able to remotely wipe an active device, and knowing that devices which have not been set up yet are still safe, might let your IT admins sleep just a little better at night.

And given the estimate that 1 in 36 devices have risky applications installed, another good place to start with your device security is implementing policies to block untrustworthy apps and taking steps to prevent one from being slipped in during enrollment. Android Management APIs and Zero-Touch have these big-ticket items covered.

Conclusion

Zero-Touch Enrollment is not a fail-safe tool, and it will likely become more susceptible to penetration with time, but combined with an EMM, it can prevent the biggest opportunities for mobile breaches and discourage the would-be hacker or thief looking for an easy target. Your devices could be the resilient ones that just are not worth the effort to breach or steal.