In our August release, we’re announcing the addition of Android Zero-Touch Enrollment for company-owned devices in KACE® Cloud Mobile Device Manager.
Zero-touch enrollment lets administrators configure and deploy corporate-owned devices in bulk, without any need for individual device setup. When an end user turns on the device, configuration instructions are deployed and the device is enrolled without additional steps required by the end user. After enrollment, KACE Cloud MDM uses policies to automatically provision the device with apps and configurations.
Zero-touch enrollment is available on devices that are purchased through an authorized reseller. Organizations may have devices outside of the authorized reseller scope, which can also be enrolled using KACE Cloud. The enrollment process for each operating system and device scenario is described below.
Zero-Touch Enrollment for New Devices
Enrollment for company-owned devices purchased through an authorized reseller can be automated using KACE Cloud. Instructions can be found in the Android Zero-Touch section of our documentation.
Enroll Devices Not Purchased Through Reseller
Enrollment for devices not purchased through an authorized reseller can be completed using the AFW#KACE tag process described in the Android Fully Managed section of our documentation.
Enroll Personal Devices (BYOD)
Personal Android devices can be enrolled in KACE Cloud by setting up an Android Work Profile. Instructions can be found in the Android Enrollment section of our documentation.
DEP Enrollment for New Devices
DEP enrollment for company-owned devices purchased from Apple or an authorized reseller can be automated using KACE Cloud. Instructions can be found in the Apple Device Enrollment section of our documentation.
Enroll Devices Not Purchased Through Reseller
Enrollment for devices not purchased through a reseller can be completed using the Supervised Mode process in KACE Cloud. Instructions can be found in the iOS Supervised Mode section of our documentation.
Enroll Personal Devices (BYOD)
Personal iOS devices can be enrolled in KACE Cloud by installing a mobile device management profile on the device. Instructions can be found in the iOS Enrollment section of our documentation.
DEP Enrollment for New Devices
DEP enrollment for new macOS devices can be completed by linking your KACE Cloud account with DEP then completing the process. Instructions can be found in the macOS Enrollment section of our documentation.
Enroll Personal Devices (BYOD)
Personal macOS computers can be enrolled in KACE Cloud by installing a mobile device management profile on the computer. Instructions can be found in the macOS Enrollment section of our documentation.
New Feature: Zero-touch Enrollment for Android
Administrators will find the zero-touch feature in KACE Cloud under Settings > Android Settings. From the following screen, one or more admins (i.e., authorizing users) can add and manage enrollments for their specific organizations. Other functions include the ability to sync, revoke, reauthorize, and delete enrollments.
IMG 1. Zero-Touch Enrollment Page in KACE Cloud
Get started by linking your Android Zero-Touch Enrollment portal with KACE Cloud MDM using an authorized Google Corporate Account. Once authorized, all device admins can use KACE Cloud to create and view profiles and assign devices to those profiles.
IMG 2. Verification and Zero-Touch Enrollment Partner Portal
In KACE Cloud, admins can add and manage enrollments with functionality that allows them to sync, revoke, and reauthorize. And from the Zero-Touch Profiles section, admins can add, edit, and remove zero-touch profiles as well as view, assign, and unassign devices associated with a profile.
IMG 3. Zero-Touch Profiles screen
Learn more about the specific functions of Zero-Touch Enrollment in KACE Cloud in our Help Center. And for background information on Android Zero-Touch Enrollment, visit the Zero-touch enrollment for IT admins page in Android Enterprise Help.
Role Management and SSO Configuration
If user role assignment is set to Automatic during SSO Configuration, a manual attempt to update an individual user's role via the Users > Edit User path may appear possible, but will be overwritten by the original SSO Configuration. To resolve, the configuration setting can be changed to Manual, which will then enable editing of individual user roles.
Restrictions that are configured to deploy upon enrollment may not immediately appear in the inventory for impacted devices; however, the restrictions will be enforced on the device.
Device Owner Setup
When using the Device Owner enrollment flow (afw#kace), the enrollment flow may not complete if the Google Play services on the factory default image of the device are out of date. This is a known issue with the Android operating system, caused by the enrollment process timing out before the update of the Play services on the device can complete. You will know that this situation occurred if you are never asked for your subdomain name during the enrollment process. If you end up back at the device home screen, locate and launch the KACE Cloud MDM agent app on the device and click the 'Enroll Device' button to complete the setup process.
Android devices require the Gmail app to be installed in order to use the email account configurations.
Set and Clear Passcode Commands
The set and clear passcode functions are different in Android 7.0 and later. On versions prior to 7.0, an administrator could set or clear the passcode as desired. On Android 7.0 and later, the passcode can only be set on devices that do not already have a passcode set, and passcodes cannot be cleared. The user interface does not currently warn users who are attempting to set or clear a passcode on Android 7.0 and later, but an error message will appear. Note that attempting to clear a passcode will also fail if there is a policy in place that requires use of a passcode to do so.
Factory Reset - Apple iOS iCloud Account Lock
When resetting an Apple iOS device back to factory defaults, the device will remain locked to the associated iCloud account. To prevent this from happening, before resetting the device, manually turn off the 'Find my phone' feature on the iPhone.
macOS 10.15 Account Configuration
During enrollment, if the ‘Prevent Primary Account Changes’ option is checked and DEP authentication is enabled, the primary account will be created automatically using the DEP authentication token as the account password. While still in the enrollment process, the password cannot be changed. However, once enrollment is complete, the account password can be changed as normal.
© 2019 Quest Software Inc.
ALL RIGHTS RESERVED.