Enrollment is how an Android device goes from unmanaged to managed — how it gets connected to your Android MDM platform, receives its first set of policies, and becomes a device you can monitor, configure, and secure. Android offers several enrollment methods, and picking the right one depends on who owns the device, how many you're provisioning, and whether someone from IT is physically handling the hardware. Get this right and deployment is smooth. Get it wrong and you're troubleshooting enrollment failures across a fleet of 200 devices on rollout day.
The enrollment method you choose is tightly linked to the Android Enterprise management mode. Fully managed devices use factory-reset enrollment methods (zero-touch, QR code, NFC). Work profile devices enroll on already-active phones, usually through a link or app. Understanding which method maps to which mode saves you from planning a deployment that doesn't work.
Zero-Touch Enrollment
Zero-touch is the gold standard for large-scale deployments of company-owned devices. The device comes pre-configured from the reseller or carrier to automatically enroll in your MDM platform the first time it's powered on. No IT staff needs to physically handle the device. No QR codes to scan. The employee — or the warehouse receiving dock — just powers on the device, connects to WiFi, and enrollment happens automatically.
How it works: you configure your MDM platform in the zero-touch enrollment portal (a Google-hosted admin console). You link your device reseller or carrier account. When devices are purchased, the reseller registers the device IMEI/serial numbers in the zero-touch portal, associating them with your organization. When a device boots for the first time and reaches the setup wizard, it checks with Google's zero-touch server, receives your MDM configuration, and enrolls itself.
This is the right method for: fleet deployments where you're buying 50 or 500 devices at once, remote employees who will receive devices by mail (IT never touches the hardware), and any scenario where you want enrollment to be automatic and tamper-resistant. Zero-touch enrolled devices can be configured so that the user can't skip enrollment — even a factory reset re-triggers enrollment.
The limitation: zero-touch requires purchasing devices through a zero-touch compatible reseller. Not all resellers participate. And it only works for fully managed devices and company-owned work profile devices — not BYOD.
QR Code Enrollment
QR code enrollment is the most common method for company-owned devices when zero-touch isn't available. An IT admin or the employee themselves scans a QR code during the device's initial setup wizard (the screen that appears after a factory reset), and the device configures itself with your MDM settings.
The QR code contains your MDM server information, enrollment credentials, WiFi configuration, and policy assignment. Your MDM platform generates the QR code; you print it, email it, or display it on a screen. During setup, the user taps the welcome screen six times (or uses a specific gesture depending on the manufacturer) to trigger the QR reader, scans the code, and the device enrolls.
This is the right method for: medium-scale deployments where zero-touch isn't set up yet, staging by IT before distributing devices to employees, and situations where you need to re-provision a device that was previously enrolled.
QR code enrollment only works during the initial setup wizard — meaning the device must be factory-reset first. You can't QR-enroll a device that's already been set up and in use. For already-active devices, you need work profile enrollment or DPC identifier.
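Because the QR code carries enrollment credentials and WiFi configuration, it is worth checking what a generated code actually contains before it is printed or emailed. The following is an added example, not code from the article or from any MDM vendor: it assumes the QR payload is the JSON form keyed by Android's `android.app.extra.PROVISIONING_*` extras, and the package name, URL, token and checksum in the samples are constructed placeholders.

```python
import json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
WIFI_PASSWORD = P + "WIFI_PASSWORD"
SKIP_ENCRYPTION = P + "SKIP_ENCRYPTION"
ADMIN_EXTRAS = P + "ADMIN_EXTRAS_BUNDLE"

def lint_qr_payload(raw):
    """Return a list of findings for one QR provisioning payload (JSON text)."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    findings = []
    if COMPONENT not in payload:
        findings.append("missing device admin component name")
    url = payload.get(DOWNLOAD)
    if url is not None:
        if urlparse(str(url)).scheme != "https":
            findings.append("DPC download location is not https")
        if SIG_CHECKSUM not in payload:
            findings.append("DPC download has no signature checksum")
    if payload.get(WIFI_PASSWORD):
        findings.append("Wi-Fi password embedded in the code")
    if str(payload.get(SKIP_ENCRYPTION, "false")).lower() == "true":
        findings.append("device encryption is skipped")
    if payload.get(ADMIN_EXTRAS):
        findings.append("admin extras (enrollment data) embedded in the code")
    return findings

# Constructed sample payloads; package, URL, token and checksum are placeholders.
WEAK = json.dumps({
    COMPONENT: "com.example.dpc/.AdminReceiver",
    DOWNLOAD: "http://mdm.example.com/dpc.apk",
    WIFI_PASSWORD: "constructed-staging-pass",
    SKIP_ENCRYPTION: True,
    ADMIN_EXTRAS: {"enrollment_token": "CONSTRUCTED-TOKEN"},
})
HARDENED = json.dumps({
    COMPONENT: "com.example.dpc/.AdminReceiver",
    DOWNLOAD: "https://mdm.example.com/dpc.apk",
    SIG_CHECKSUM: "CONSTRUCTED_CHECKSUM_PLACEHOLDER",
})
```

A finding for an embedded WiFi password or admin extras does not mean the code is broken; it means the image should be handled like a credential and the WiFi network it names should be a staging-only one.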
NFC Bump
NFC enrollment uses a "programmer" device (usually an old Android phone running a provisioning app) that transmits enrollment configuration to a new device via NFC tap. Hold the two devices together during the new device's setup wizard, and the configuration transfers.
This is a niche method, most commonly used in staged provisioning environments where IT is physically setting up dozens of devices at a table. It's faster than QR scanning when you're doing high-volume staging because the NFC tap is faster than lining up a camera with a QR code. But it requires a programmer device and physical proximity.
For most organizations, QR code or zero-touch has replaced NFC enrollment. It's available if you need it, but it's not the default recommendation.
Samsung Knox Mobile Enrollment
Knox Mobile Enrollment (KME) is Samsung's zero-touch equivalent. If your fleet is Samsung devices, KME gives you the same automatic, no-touch enrollment experience as Google's zero-touch but through Samsung's infrastructure. Devices are registered in the Knox portal, linked to your MDM server, and auto-enroll on first boot.
KME and Google zero-touch can coexist. If a Samsung device is registered in both, KME takes priority. The practical difference is that KME has been available longer and some Samsung resellers are integrated with Knox but not with Google's zero-touch portal.
If you have a mixed fleet (Samsung + other manufacturers), use Google zero-touch for the non-Samsung devices and either zero-touch or KME for the Samsung devices. If your fleet is all Samsung, KME is fine as your primary method.
Work Profile Enrollment (BYOD)
Work profile enrollment is fundamentally different from the methods above because it happens on an already-active device. The employee is using their personal phone normally, and they add a work profile to it — no factory reset, no setup wizard, no IT physically handling the device.
The process: the employee receives an enrollment link (email, text, company portal page). They click it, which opens an enrollment flow. Android creates a work profile on the device, installs the MDM agent inside the work profile, and downloads the required work apps. The employee's personal apps and data are never touched. The whole thing takes a few minutes.
This is the method for BYOD deployments. It's low-friction by design — employees are more likely to enroll when the process is quick and doesn't disrupt their personal device. IT gets full management of the work container while the personal side stays private.
The MDM platform generates the enrollment link, which can include specific policy assignments, group memberships, and app bundles. Different employee roles can get different enrollment links that automatically assign the right configuration. A sales rep's work profile gets the CRM app and email. An engineer's work profile gets the VPN, code review tools, and internal wiki.
DPC Identifier Enrollment
DPC (Device Policy Controller) identifier enrollment is a manual method that works during the setup wizard. Instead of scanning a QR code, the user enters the DPC identifier string (like "afw#mdmvendor") in the Google account sign-in field. This triggers the MDM app download and enrollment.
This is a fallback method for situations where QR scanning isn't practical — older devices that don't support the QR reader in the setup wizard, or remote employees who are being walked through enrollment over the phone. It works but it's more error-prone than QR code (users mistype the identifier) and slower.
Managed Google Account Enrollment
Managed Google Account enrollment is an alternative approach where enrollment is tied to a Google Workspace or Cloud Identity account rather than a specific enrollment mechanism. The employee signs into their managed Google account during device setup, and the account triggers MDM enrollment automatically.
This method works well for organizations already using Google Workspace. The enrollment happens naturally as part of the account sign-in process — the employee doesn't need to scan a QR code or enter a DPC identifier. They sign in with their work Google account, and the device enrolls.
The limitation is that it requires the organization to use Google Workspace or Cloud Identity for identity management. Organizations using Microsoft 365 or other identity providers without Google integration can't use this method. It also ties enrollment to the Google account rather than the device — if the employee signs out of the account, the enrollment may be affected.
For organizations running Google Workspace with Android devices, this is one of the smoothest enrollment experiences available. The employee gets a new device, signs in with their work email, and everything configures itself — MDM enrollment, app deployment, policy application, and work profile creation (for BYOD) all happen through the account sign-in flow.
Enrollment at Scale: Practical Considerations
When enrolling more than a handful of devices, the operational details matter.
Network planning. Every device needs internet connectivity during enrollment to reach the MDM server, download the MDM agent, and receive its initial policy set. For on-site staging of 100+ devices, your WiFi needs to handle that many simultaneous connections downloading apps from Google Play. A dedicated staging network with sufficient bandwidth prevents enrollment bottlenecks.
Enrollment tokens and groups. MDM platforms let you create enrollment tokens or links that automatically assign devices to specific groups with pre-configured policies. Instead of enrolling devices and then manually assigning them, create separate enrollment tokens for "warehouse scanners," "field sales phones," and "reception kiosks." Each token applies the right policy, apps, and restrictions automatically.
Error handling. At scale, some devices will fail enrollment. Common causes: incompatible Android version (too old to support the required management features), insufficient storage for the MDM agent and initial apps, network timeout during download, or manufacturer-specific quirks. Track failed enrollments and have a troubleshooting runbook for common failures.
Post-enrollment verification. After enrollment, verify that the device received its policies correctly. MDM platforms show device compliance status — check that encryption is on, the correct apps are installed, and the device is reporting to the console. A device that enrolled but didn't receive its policies is worse than an unenrolled device — you think it's managed, but it isn't.
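The post-enrollment checks above can be run over a console export instead of clicking through devices one by one. This is an added example, not code from the article or any MDM product: the record fields (`serial`, `group`, `assigned_policy`, `applied_policy`, `encrypted`, `installed_apps`, `last_checkin`), the per-group app baseline and the sample fleet are all hypothetical and constructed, so map them to whatever your platform exports.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical per-group app baseline (group names follow the article's examples).
REQUIRED_APPS = {
    "warehouse-scanners": {"com.example.scanner"},
    "field-sales": {"com.example.crm", "com.example.mail"},
}

def verify_device(dev, now, max_silence=timedelta(hours=24)):
    """Return the list of post-enrollment problems for one exported device record."""
    problems = []
    if not dev.get("applied_policy"):
        problems.append("enrolled but no policy applied")
    elif dev["applied_policy"] != dev.get("assigned_policy"):
        problems.append("applied policy differs from assigned policy")
    if dev.get("encrypted") is not True:
        problems.append("encryption not confirmed")
    required = REQUIRED_APPS.get(dev.get("group"), set())
    missing = required - set(dev.get("installed_apps", []))
    if missing:
        problems.append("missing apps: " + ", ".join(sorted(missing)))
    last = dev.get("last_checkin")
    if last is None or now - datetime.fromisoformat(last) > max_silence:
        problems.append("not reporting to console")
    return problems

def verify_fleet(devices, now):
    """Map serial -> problems, keeping only devices that need attention."""
    report = {d["serial"]: verify_device(d, now) for d in devices}
    return {serial: found for serial, found in report.items() if found}

# Constructed sample export; every field name here is a hypothetical schema.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
FLEET = [
    {"serial": "SN-A", "group": "field-sales", "assigned_policy": "sales-v3",
     "applied_policy": "sales-v3", "encrypted": True,
     "installed_apps": ["com.example.crm", "com.example.mail"],
     "last_checkin": "2024-05-01T11:30:00+00:00"},
    {"serial": "SN-B", "group": "field-sales", "assigned_policy": "sales-v3",
     "applied_policy": None, "encrypted": False, "installed_apps": [],
     "last_checkin": "2024-05-01T11:45:00+00:00"},
    {"serial": "SN-C", "group": "warehouse-scanners", "assigned_policy": "wh-v1",
     "applied_policy": "wh-v1", "encrypted": True,
     "installed_apps": ["com.example.scanner"],
     "last_checkin": "2024-04-28T08:00:00+00:00"},
]
```

In the sample, SN-B is the case the paragraph warns about: it shows up as enrolled and is checking in, but has no policy, no encryption and none of its group's apps.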
Choosing the Right Method
The decision tree is straightforward.
Company-owned, large scale, purchased through compatible reseller → zero-touch (or Knox Mobile Enrollment for Samsung). This is hands-off, tamper-resistant, and scales to thousands of devices.
Company-owned, IT physically staging devices → QR code enrollment. Print the QR code, factory reset the device, scan, done. Repeat for each device.
Company-owned, re-provisioning existing devices → factory reset + QR code.
Employee-owned BYOD → work profile enrollment via link. No factory reset, minimal disruption, the employee's personal side is untouched.
The enrollment method determines what the device looks like after provisioning — what MDM profile it receives, which apps get pushed, and what level of control IT has. Plan enrollment before you buy hardware, not after. A zero-touch compatible reseller costs the same as a non-compatible one, but the deployment experience is completely different.
For any fleet over 50 devices, investing in zero-touch enrollment setup — even though it requires reseller coordination upfront — pays for itself on the first deployment. For BYOD, the enrollment link method is simple enough that employees can self-serve. Either way, enrollment is a one-time event per device, but a botched enrollment creates support tickets that last weeks. Getting the device management foundation right starts here.


































