# Device Provisioning - Android

# Supported devices

In general, any device running Android 6+ with Google Play Services is compatible with Cerberus Enterprise.

For a better user experience, we suggest using devices that meet the [Android Enterprise Recommended](https://androidenterprisepartners.withgoogle.com/devices/) requirements.

<p class="callout info">Some features are limited to specific Android versions, or may behave differently across OS versions. For more information about a specific feature, see the [Policies](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-android "Policies") section of the documentation.</p>

Cerberus Enterprise supports both company-owned and personally-owned devices, and two management modes: device owner and profile owner.

**Personally-owned** devices can be managed through a **work profile**. This enables a BYOD solution by keeping employees' work data and apps separate from personal data and apps, improving both security and privacy. This option is suitable for devices already owned by employees that you want to enroll in your organization for work use.

**Company-owned** devices can also be managed through a work profile, but you can also choose the **fully managed** option, which allows stricter control over the device. Company-owned devices with a work profile are suitable when you provide corporate devices to employees for work, while still allowing personal use. Fully managed devices are better suited for devices that must be used only for work, or for **dedicated devices** (COSU, corporate-owned single-use), such as kiosks.

For more information on device provisioning, see the [Device provisioning overview](https://enterprise.cerberusapp.com/docs/books/user-manual/page/device-provisioning-overview "Device provisioning overview") page.


# Enrollment tokens

 Cerberus Enterprise uses enrollment tokens to start the Android device enrollment (provisioning) process. The token you select defines the initial policy applied to enrolled devices and influences which provisioning modes are allowed.

<p class="callout info"> The Android enrollment tokens tab is available only after completing [**Android Management setup**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/android-management-setup "Android Management setup"). </p>

## Where to find enrollment tokens

 In the dashboard, open **Enrollment tokens**. Depending on your account configuration, the page can show multiple tabs (Android tokens, Google sign-in enrollment, Apple manual enrollment, and Apple Automated Device Enrollment).

<p class="callout info"> If your Android enterprise is backed by a managed Google domain (Google Workspace), the dashboard can also show an **Authenticate Using Google Enrollment** tab. For details on enabling and using it, see [**Authenticate Using Google enrollment**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/authenticate-using-google-enrollment "Authenticate Using Google enrollment"). </p>

## Enrollment tokens list (Android)

 The Android tokens tab shows a table of all tokens. Clicking a row opens the token details page.

### Columns

- **Id**: internal token identifier.
- **Status**: **Available**, **Used** (one-time token already used), or **Expired**.
- **Expiration**: expiration date/time, or **Never**.
- **Policy**: the policy assigned to the token (the UI tooltip also shows the policy id).
- **Personal usage**: Allowed / Disallowed / Dedicated device.
- **Allowed usages**: Multiple or One time only.
- **User**: optional user pre-assigned to devices enrolled with the token.

### Actions

- Each row has a delete action (**Delete enrollment token**). Deletion is disabled when the license is expired.
- The table supports multi-row selection: you can enable selection mode, select multiple tokens, and delete them with **Delete selected tokens**.
- Use the refresh action to reload the list. The table is paginated (10/25/50 items per page).

## Create a new enrollment token

 On the Android tokens tab, click **New enrollment token** to open the token creation page. If your license is expired, the create button is disabled.

### Token options

#### 1. Policy

**Required.** The policy automatically applied to all devices enrolled using this token. Select one of your [**Android policies**](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-android "Policies"). If you don't have any policy yet, create one first.

#### 2. User

 Optional. If set, newly enrolled devices are automatically associated with this user.

#### 3. Personal usage

 Controls whether personal usage is allowed on a device provisioned with this enrollment token:

- **Allowed**: suitable for personally-owned devices (work profile) and company-owned devices for work and personal use.
- **Disallowed**: suitable for company-owned devices for work use only (fully managed).
- **Dedicated device**: suitable for kiosk/dedicated devices (device is not associated with a single user).

#### 4. Allowed usages

 Select whether the token can be used multiple times (**Multiple**) or only once (**One time only**).

#### 5. Expiration

 Select the expiration unit (**Minutes**, **Hours**, **Days**, or **Never**). When not set to Never, enter the expiration value. The allowed range depends on the selected unit and can go up to 10,000 days.

### Provisioning options (QR code only)

 These additional options are embedded into the QR code and are applied during provisioning of fully managed devices enrolled by scanning the QR code. They do not apply to work profiles or devices enrolled using the Enrollment URL or Token.

#### Wi‑Fi configuration

 Use this to let a device automatically connect to Wi‑Fi during provisioning, so it can download and initialize the management app. Available fields include **SSID**, **Hidden SSID**, **Security**, and (when needed) **Passphrase**.

 You can also configure an HTTP proxy (**Proxy**) and, depending on the mode, set **Host**/**Port**, **PAC URI**, and **Proxy bypass host**.

#### Other options

 Additional options include **Locale**, **Time zone**, and **Skip encryption**.
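What these options look like once they are embedded, as an added example (not Cerberus Enterprise code): an Android provisioning QR code decodes to a JSON object of standard provisioning extras, so the Wi‑Fi passphrase and the enrollment token sit in it in clear text. The sketch below audits a decoded payload and produces a redacted copy for tickets or logs. The key names are Android's own; the exact payload Cerberus Enterprise generates, the severity labels, and all sample values are assumptions.

```python
import json

# Standard Android provisioning extras (DevicePolicyManager constants).
P = "android.app.extra.PROVISIONING_"
ADMIN_EXTRAS = P + "ADMIN_EXTRAS_BUNDLE"
# Key under which Android Device Policy receives the enrollment token.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"


def _is_true(value):
    # QR payloads may carry booleans as JSON true or as the string "true".
    return value is True or str(value).strip().lower() == "true"


def audit_qr_payload(text):
    """Return (severity, message) findings for a decoded provisioning QR payload."""
    payload = json.loads(text)
    findings = []
    if (payload.get(ADMIN_EXTRAS) or {}).get(TOKEN_KEY):
        findings.append(("info", "enrollment token embedded: handle the QR image as a credential"))
    if _is_true(payload.get(P + "SKIP_ENCRYPTION")):
        findings.append(("high", "Skip encryption is set: the disk-encryption step is skipped during provisioning"))
    if payload.get(P + "WIFI_PASSWORD"):
        findings.append(("medium", "Wi-Fi passphrase is readable by anyone who scans or photographs the code"))
    security = str(payload.get(P + "WIFI_SECURITY_TYPE", "")).upper()
    if security == "WEP":
        findings.append(("high", "provisioning Wi-Fi uses WEP"))
    elif security == "NONE":
        findings.append(("medium", "provisioning Wi-Fi is an open network"))
    if str(payload.get(P + "WIFI_PAC_URL", "")).lower().startswith("http://"):
        findings.append(("medium", "PAC URI uses plain HTTP: serve the PAC file over HTTPS"))
    return findings


def redact_qr_payload(text):
    """Return the payload as a dict with secrets masked, safe to paste into a ticket."""
    payload = json.loads(text)
    if P + "WIFI_PASSWORD" in payload:
        payload[P + "WIFI_PASSWORD"] = "<redacted>"
    bundle = payload.get(ADMIN_EXTRAS)
    if isinstance(bundle, dict) and TOKEN_KEY in bundle:
        bundle[TOKEN_KEY] = "<redacted>"
    return payload


# Constructed sample payload; token, SSID, passphrase and URL are placeholders.
SAMPLE = json.dumps({
    P + "WIFI_SSID": "Staging-Provisioning",
    P + "WIFI_SECURITY_TYPE": "WPA",
    P + "WIFI_PASSWORD": "constructed-example-passphrase",
    P + "WIFI_PAC_URL": "http://proxy.example.internal/proxy.pac",
    P + "SKIP_ENCRYPTION": True,
    ADMIN_EXTRAS: {TOKEN_KEY: "EXAMPLE-TOKEN-PLACEHOLDER"},
})

if __name__ == "__main__":
    for severity, message in audit_qr_payload(SAMPLE):
        print(f"[{severity}] {message}")
```

A dedicated provisioning network with a passphrase that is rotated after rollout, combined with one-time or short-lived tokens, limits what a leaked QR image is worth.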

## Enrollment token details

 When you open a token, the details page shows the token configuration and usage information:

- **Status**, **Expiration**, **Usage**, **Personal usage**, and **Allowed usages**.
- **Token**: the raw enrollment token value (copyable).
- **Enrollment URL**: a Google Android Enterprise enrollment URL (copyable and sendable by email).
- **QR code**: shown on the right side of the page, used to enroll fully managed devices.

<p class="callout info"> For step-by-step provisioning procedures, follow the Android enrollment guides: [**Personally-owned devices**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/personally-owned-devices "Personally-owned devices"), [**Company-owned devices for work and personal use**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-and-personal-use "Company-owned devices for work and personal use"), [**Company-owned devices for work use only**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-use-only "Company-owned devices for work use only"), and [**Zero-touch**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/zero-touch "Zero-touch"). </p>

# Personally-owned devices

Devices owned by employees can be set up with a **work profile**. A work profile provides a self-contained space for work apps and data, separate from personal apps and data. Most app, data, and other management policies apply to the work profile only, while employees' personal apps and data remain private.

To set up a work profile on a personally-owned device, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Allowed**):

#### Enrollment token link

| Android version |
| --- |
| 6.0+ |

You can provide the Enrollment URL to the end users. When an end user opens the link from their device, they will be guided through the work profile setup.

#### Add work profile from *"Settings"*

| Android version |
| --- |
| 6.0+ |

To set up a work profile on their device, a user can:

1. Go to *Settings* > *Google* > *Set up & restore*.
2. Tap *"Set up your work profile"*.

These steps initiate a setup wizard that downloads *Android Device Policy* on the device. Next, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

#### Download Android Device Policy

| Android version |
| --- |
| 6.0+ |

To set up a work profile on their device, a user can download Android Device Policy from the Google Play Store. After the app is installed, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

# Company-owned devices for work and personal use

Setting up a company-owned device with a **work profile** enables the device for both work and personal use. On company-owned devices with work profiles:

- Most app, data, and other management policies apply to the work profile only.
- Employees' personal profiles remain private. However, enterprises can enforce certain device-wide policies and personal usage policies.
- Enterprises can use *Block scope* to enforce compliance actions on an entire device or only its work profile.
- Device disenrolling and device commands apply to an entire device.

To set up a company-owned device with a work profile, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Allowed**):

#### QR code method

| Android version |
| --- |
| 8.0+ |

On a new or factory-reset device, the user (typically an IT admin) taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.

# Company-owned devices for work use only

**Full device management** is suitable for company-owned devices intended exclusively for work purposes. Enterprises can manage all apps on the device and can enforce the full spectrum of Android Management API's policies and commands.

It's also possible to lock a device down (via policy) to a single app or small set of apps to serve a dedicated purpose or use case. This subset of fully managed devices is referred to as **dedicated devices**.

To set up full management on a company-owned device, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Disallowed**):

#### QR code method

| Android version |
| --- |
| 7.0+ |

On a new or factory-reset device, the user (typically an IT admin) taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.

#### DPC identifier method

| Android version |
| --- |
| 5.1+ |

If Android Device Policy can't be added via QR code, a user or IT admin can follow these steps to provision a fully managed or dedicated device:

1. Follow the setup wizard on a new or factory-reset device.
2. Enter Wi-Fi login details to connect the device to the internet.
3. When prompted to sign in, enter **afw#setup**, which downloads Android Device Policy.
4. Scan a QR code or manually enter an enrollment token to provision the device.

# Zero-touch

IT admins can provision company-owned devices using the zero-touch enrollment method, outlined in [Zero-touch enrollment for IT admins](https://support.google.com/work/android/answer/7514005). When a device is first turned on, the device is automatically forced into the settings defined by the IT admin.

IT admins can preconfigure devices purchased from [authorized resellers](https://www.android.com/enterprise/management/zero-touch/) and manage them using the Cerberus Enterprise dashboard. To link your Zero-touch account, go to the **Zero-touch** section in the dashboard, then follow the instructions.

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 8.0+ (Pixel 7.1+) | ✓ | ✓ | ✓ |

# Authenticate Using Google enrollment

 Authenticate Using Google enrollment (also referred to as **Google Authentication for Enrollment**) lets users authenticate with their Google Workspace account during Android device enrollment.

<p class="callout info"> This feature is available only for Android enterprises backed by a managed Google domain (Google Workspace). </p>

## Where to find it

 In the dashboard, open **Enrollment tokens** and select the **Authenticate Using Google Enrollment** tab. The tab is shown only when Android Management is configured and the Google Workspace integration is available for your enterprise.

## Enable (or disable) Google Authentication

 Google Authentication is enabled from the **Google Admin console**. After changing the setting, return to Cerberus Enterprise and use **Refresh Status** to reload the current configuration.

1. Log in to your [**Google Admin console**](https://admin.google.com/) with an administrator account.
2. Open **Devices**.
3. Go to **Mobile & endpoints** → **Settings** → **Third-party integrations**.
4. Find the **Android EMM integration** for Cerberus Enterprise and open it.
5. Click **Manage EMM providers**.
6. Toggle **Authenticate Using Google** to enable or disable Google authentication for enrollment.
7. Click **Save**.
8. Return to the Cerberus Enterprise dashboard and click **Refresh Status** on the **Authenticate Using Google Enrollment** tab.

## Google Authentication Enrollment Token

 When Google Authentication is enabled, the dashboard shows a dedicated enrollment token used for this enrollment mode. The page can show a **QR code**, an **Enrollment Token** value, and an **Enrollment URL** (copyable and sendable by email).

### Key options

- **Allow Personal Usage**: controls whether the token can enroll devices for work and personal use (work profile scenarios) or work use only (fully managed / dedicated scenarios).
- **Fallback Default Policy**: the policy applied when the enrolling user does not have a specific Google Authentication default policy assigned.

### Policy interaction

The policy setting **Work account setup authentication** (`workAccountSetupConfig.authenticationType`) controls how users authenticate during work account setup, but the Google Admin Console setting **Authenticate Using Google** and the enrollment token type can still require authentication.

 For already enrolled devices, this policy only applies if the device is managed by a managed Google Play account (i.e., enrolled without **Authenticate Using Google Enrollment**).

<p class="callout info"> Some actions (for example changing token options) can be disabled when the license is expired. </p>

## Enroll a device

 During enrollment, the user is prompted to authenticate with their Google Workspace account. After a successful enrollment, the device is associated with the authenticated user.

### Work profile (personally-owned devices)

- Share the **Enrollment URL** with the user. When the user opens it on their Android device, they are guided through work profile setup and Google authentication.
- Alternatively, the user can start from Android Settings and choose the work profile setup flow, then scan the QR code or enter the enrollment token when prompted.

### Company-owned devices

- **QR code method**: on a new or factory-reset device, tap the screen multiple times in the same spot until the QR code prompt appears, then scan the QR code shown in the dashboard.
- **DPC identifier method** (when QR scanning is not available): follow the setup wizard, connect to Wi‑Fi, then when prompted to sign in enter **afw#setup** and proceed by scanning the QR code or entering the enrollment token. When prompted, authenticate with the Google Workspace account.

 For general Android provisioning procedures (work profile vs fully managed), see the standard Android enrollment pages in this manual.