Important
Device users shouldn't restart devices until enrollment is complete. If device users setting up fully managed devices or corporate-owned devices with a work profile restart their devices in the middle of enrollment, their devices may not be able to register with Microsoft Intune. Devices that restarted may appear to be enrolled but they won't be protected by your Intune policies.
After you've set up your Android Enterprise dedicated devices, fully managed devices, or corporate-owned work profile devices in Intune, you can enroll the devices. You have several options for how to enroll these devices: QR code, Google Zero Touch, Knox Mobile Enrollment, Near Field Communication (NFC), or token entry.
Note
If you have a Microsoft Entra Conditional Access policy defined that uses the require a device to be marked as compliant Grant control or a Block policy and applies to All Cloud apps, Android, and Browsers, you must exclude the Microsoft Intune cloud app from this policy. This is because the Android setup process uses a Chrome tab to authenticate your users during enrollment. For more information, see Microsoft Entra Conditional Access documentation.
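An added example, not part of the original documentation: a check that flags Conditional Access policies matching the conditions in the note above without the Microsoft Intune exclusion. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the app ID is a placeholder and the sample policies are constructed.

```python
# Assumption: placeholder for the Microsoft Intune cloud app ID; use the value from your tenant.
INTUNE_APP_ID = "<microsoft-intune-cloud-app-id>"

def blocks_enrollment(policy, intune_app_id=INTUNE_APP_ID):
    """True if an enforced policy matches the note's conditions without excluding Intune."""
    if policy.get("state") != "enabled":  # disabled and report-only policies are not enforced
        return False
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    plat = cond.get("platforms") or {}
    # A policy with no platform condition applies to every platform.
    included = set(plat.get("includePlatforms") or ["all"])
    excluded_platforms = set(plat.get("excludePlatforms") or [])
    clients = set(cond.get("clientAppTypes") or ["all"])
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    return ("All" in (apps.get("includeApplications") or [])
            and bool({"android", "all"} & included)
            and "android" not in excluded_platforms
            and bool({"browser", "all"} & clients)
            and bool({"compliantDevice", "block"} & controls)
            and intune_app_id not in (apps.get("excludeApplications") or []))

def audit(policies, intune_app_id=INTUNE_APP_ID):
    """Return the display names of policies that still need the Intune exclusion."""
    return [p.get("displayName", "?") for p in policies if blocks_enrollment(p, intune_app_id)]

def _policy(name, exclude=(), clients=("all",), controls=("compliantDevice",), state="enabled"):
    """Build a constructed sample policy in the conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": list(exclude)},
                           "platforms": {"includePlatforms": ["android", "iOS"]},
                           "clientAppTypes": list(clients)},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}

# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    _policy("Require compliant device"),
    _policy("Require compliant device, Intune excluded", exclude=[INTUNE_APP_ID]),
    _policy("Block legacy auth", clients=("exchangeActiveSync", "other"), controls=("block",)),
    _policy("Block all, report-only", controls=("block",), state="enabledForReportingButNotEnforced"),
    _policy("Block all apps", controls=("block",)),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```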
Factory reset protection helps prevent unauthorized access to your device after it's been factory reset. If the device is reset without your permission, in some situations, only the Google email addresses you enter can unlock the device. When the Factory reset protection emails setting is configured, factory reset protection behavior differs by enrollment method and by how the device is reset:
| Enrollment method | Settings > Factory data reset | Settings > Recovery/bootloader | Intune wipe | 
|---|---|---|---|
| Corporate-owned devices with work profile (COPE) | ✅ factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | 
| Fully managed (COBO) | ❌ no factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | 
| Dedicated (COSU) | ❌ no factory reset protection | ✅ factory reset protection | ❌ no factory reset protection | 
For corporate-owned devices with a work profile running Android 15, you will need to re-enter the Google account associated with the configuration after any reset done via the Settings app. It's important to plan your reprovisioning workflow (such as applying an Intune wipe or resetting via the Settings app) accordingly so that you can provide the required credentials if needed. For background and guidance, see Factory reset protection (FRP) enforcement behavior for Android Enterprise.
Enroll by using a QR code
Intune admins can scan the QR code directly from the enrollment profile to enroll a device. We recommend this enrollment method for most customer scenarios.
- After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
- If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
- Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.
Tip
Browser zoom settings may prevent your device from scanning the QR code. Zoom in and try again if your device has difficulty scanning the code.
Enroll by using Google Zero Touch
Important
Devices must be purchased from an authorized zero-touch reseller and support zero-touch enrollment. For more information, such as prerequisites, where to purchase devices, and how to associate a Google Account with your corporate email, see Zero-touch enrollment for IT admins (opens Android Enterprise Help docs).
This method utilizes zero-touch enrollment and the Google zero-touch enrollment portal to provision and enroll company-owned devices. Provisioning begins right out of the box when users turn their devices on. This section describes how to:
- Create a zero-touch configuration with provisioning details in the Microsoft Intune admin center.
- Create a zero-touch configuration with provisioning details in the zero-touch enrollment portal.
Create zero-touch configuration in admin center
The zero-touch iframe gives you access to the zero-touch enrollment portal and zero-touch configurations in the Microsoft Intune admin center.
To enable the iframe, you must first add the update app sync permission and enable enrollment for corporate-owned, fully managed devices. Once you enable the iframe, you can:
- Link your zero-touch account to Intune
- Add support information
- Configure zero-touch enabled devices
- Customize provisioning extras
Complete the steps in this section to enable the iframe. To create configurations in the zero-touch enrollment portal instead, skip to Create configuration in zero-touch enrollment portal.
Step 1: Add required permission
Add the update app sync permission.
- Sign in to the Microsoft Intune admin center.
- Select Tenant administration > Roles.
- Select your role from the list.
- Select Properties.
- Go to Permissions and then select Edit.
- Select Android Enterprise.
- Next to Update app sync, select Yes.
- Select Review + save to review your changes.
- Select Save.
Step 2: Link zero-touch account to Intune
Link a zero-touch account with your Microsoft Intune account.
- In the admin center, go to Devices > By platform > Android. 
- Select Device onboarding > Enrollment. 
- Under Bulk enrollment methods, choose Zero-touch enrollment. 
- The iframe opens. Select Next to begin setup. 
- Sign in with the Google account you provided to your reseller. 
- Select the zero-touch account you want to link, and then select Link. 
- A default configuration is created. A screen appears with basic information about the configuration. Intune will automatically apply the default configuration to any zero-touch enabled device that's without an existing configuration.
  Caution
  The token used for the default configuration is meant for a fully managed device. Once you link your account, the default zero-touch configuration created in Intune overrules the default configuration profile set in the zero-touch enrollment portal. If you want to create a zero-touch configuration for a corporate-owned work profile device or a dedicated device, don't link your account to Intune. Instead, select View devices in the zero-touch portal. Then continue to Create configuration in zero-touch enrollment portal in this article for next steps.
- Select Next to continue. 
- Add support information to assist device users during setup. 
- Select Save. 
Once your account is linked with Intune, the default configuration is applied to zero-touch enabled devices that don't already have a configuration, and to future devices added by a reseller. You can view existing zero-touch configurations, edit support information, unlink the account, and link other accounts in the admin center.
Create configuration in zero-touch enrollment portal
Add a zero-touch configuration in the zero-touch enrollment portal. You can use the portal by itself to manage configurations, or you can use it in combination with the zero-touch iframe. The portal supports configurations for fully managed and dedicated devices, and corporate-owned devices with a work profile.
- Sign in to the zero-touch enrollment portal with your Google account. 
- Select the option to add a new configuration. 
- Fill out the information in the configuration panel. 
- Select Microsoft Intune as the EMM DPC app. 
- Copy the following JSON text into the DPC extras field. Replace YourEnrollmentToken with the enrollment token you created as part of your enrollment profile. Be sure to surround the enrollment token with double quotes.

  ```json
  {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
      "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken"
    }
  }
  ```
- Enter your organization's name and support information, which is shown on screen while users set up their devices. 
For more information about how to assign a default configuration or apply a configuration in the zero-touch portal, see Zero-touch enrollment for IT admins (opens Android Enterprise Help docs).
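An added example, not part of the original documentation: a pre-flight check for the DPC extras text before it is pasted into the zero-touch portal, covering the quoting and placeholder mistakes the step above warns about. The function names and the token values are constructed for illustration; the fixed keys and values are the ones in the JSON shown above.

```python
import json

BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
# Fixed values copied from the DPC extras JSON shown above.
EXPECTED = {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=setup",
}

def check_dpc_extras(text):
    """Return a list of problems in a DPC extras string; an empty list means OK."""
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (is the token in double quotes?): {exc.msg}"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]
    problems = [f"{key} differs from the documented value"
                for key, want in EXPECTED.items() if extras.get(key) != want]
    bundle = extras.get(BUNDLE_KEY)
    token = bundle.get(TOKEN_KEY) if isinstance(bundle, dict) else None
    if not isinstance(token, str) or not token.strip():
        # An unquoted numeric token still parses as JSON, but as a number.
        problems.append("enrollment token is missing or is not a quoted string")
    elif token == "YourEnrollmentToken":
        problems.append("placeholder YourEnrollmentToken was not replaced")
    return problems

def render(token_literal):
    """Build a DPC extras string with the raw token literal inserted as typed."""
    fixed = ", ".join(f"{json.dumps(k)}: {json.dumps(v)}" for k, v in EXPECTED.items())
    return f'{{ {fixed}, "{BUNDLE_KEY}": {{ "{TOKEN_KEY}": {token_literal} }} }}'

if __name__ == "__main__":
    # Constructed token values, not real enrollment tokens.
    for literal in ('"CONSTRUCTED-TOKEN"', "12345", "CONSTRUCTED-TOKEN",
                    '"YourEnrollmentToken"'):
        print(literal, "->", check_dpc_extras(render(literal)) or "OK")
```

The unquoted numeric case is the one to watch: it is valid JSON, so only the type check on the token catches it.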
Enroll by using Knox Mobile Enrollment
To use Samsung Knox Mobile Enrollment, the device must be running Android OS version 8.0 or later and Samsung Knox 2.8 or higher. For more information, learn how to automatically enroll your devices with Knox Mobile Enrollment.
Enroll by using Near Field Communication (NFC)
Create a specially formatted NFC tag to provision NFC-supported devices running Android 8.0 or later. You can use your own app or any NFC tag-creation tool. For more information, see NFC-based Android Enterprise device enrollment with Microsoft Intune and Google's Android Management API documentation.
For corporate-owned work profile (COPE) devices, the NFC enrollment method is only supported on devices running Android versions 8.0 or later. It's not supported with Android 11.0. For more information, see the Google developer docs.
Enroll by using a token
We recommend this method for new or factory-reset devices, in scenarios where the QR code or NFC methods aren't available. It requires the person provisioning the device to type in the enrollment token string (example: 12345) that they're provided. When you're ready for enrollment, share the token directly with targeted users or post it to your organization's support site for easy retrieval. The token works for all Intune-licensed users and doesn't expire.
This method is supported on corporate-owned devices running Android 8.0 and later. It isn't supported on:
- Corporate-owned, personally enabled (COPE) devices running Android 11 and later.
- Devices enrolled via device enrollment manager accounts.
You can use this method in conjunction with the Microsoft Intune DPC identifier to set up fully managed devices.
- Turn on the device.
- On the Welcome screen, select your language.
- Connect to your wireless network, and then choose NEXT.
- Accept the Google Terms and conditions, and then choose NEXT.
- On the Google sign-in screen, enter afw#setup instead of a Gmail account. This value is the DPC identifier for Microsoft Intune. Choose NEXT.
- Choose INSTALL for the Android Device Policy app.
- Continue to install the policy. Some devices may require additional terms acceptance.
- On the Enroll this device screen, allow your device to scan the QR code. Or, enter the token manually.
- Follow the on-screen prompts to complete enrollment.
For more information about provisioning devices with the DPC identifier method, see the Google developer docs.