2

I have been going through the detailed documentation of Android Enterprise for Dedicated Devices setup. I have a query regarding the expiry of the Enrollment Token. Before that, let me highlight the scenario.

  1. I manage a Dedicated Device using my own server implementing the Android Management APIs. I have to create an Enrollment Token for an enterprise that will link associated devices to it. Google has explained the process here with sample code.

  2. Now on the Android device, if I use the DPC identifier to provision a factory-reset device, the user has to enter `afw#setup` instead of a Google account, which will download Device Policy. After entering the Enrollment Token, the device will be associated with the corresponding enterprise. The kiosk app will be downloaded and will take hold of the device.

In the documentation, it has been specified that the token will expire in 30 days. What will happen if the Enrollment Token expires? What will be the impact on the device and app altogether? Has anyone experienced this?

Fred
NightFury

1 Answer

0

When an enrollment token expires, it can no longer be used to provision new devices. If you try to provision a device with an expired token, a message will inform you that the token is invalid and will prompt you to enter another token.

Existing devices that have been provisioned using the token are not affected by the token expiring; the token is only relevant during device provisioning.

You can verify that by generating a token with a short duration (e.g. 5 minutes).

Fred
  • Hi Fred, I've seen in Intune that generated enrollment tokens are shorter (8 characters instead of 20). You can then use these tokens with Zero Touch (they're inserted manually in the Zero Touch configuration). How come? Are they able to generate tokens with an infinite duration? – Florian Mar 21 '19 at 17:08
  • Hi Florian, you can indeed set up a device with zero-touch by setting the configuration to match the `qrCode` field in the [`EnrollmentToken`](https://developers.google.com/android/management/reference/rest/v1/enterprises.enrollmentTokens). The documentation is not very clear on that point; we will make it clearer. However, I'm not aware of a way to make the enrollment token shorter. Are you sure it's the token issued by the Android Management API? – Fred Mar 21 '19 at 20:31
  • Hi Fred, I would say so, because in the Zero Touch DPC Configuration, the `android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE` contains the `com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN`, with an 8-character-long token. Anyway, what is strangest is that their token doesn't seem to expire. Is it possible with the Android Management API? – Florian Mar 22 '19 at 10:22
  • This is strange, I'm not aware of anything like that. The maximum duration of a token is 30 days; it's not possible to create tokens that don't expire. – Fred Mar 22 '19 at 11:09
  • 1
    After discussing with the team, it seems what you are describing is a `signinEnrollmentToken`, see documentation [here](https://developers.google.com/android/management/provision-device#sign-in_url). – Fred Mar 22 '19 at 11:22
  • Wow, makes sense now! Thanks Fred. So I guess this `signinEnrollmentToken` does not expire. – Florian Mar 22 '19 at 11:48
  • Correct, it does not expire. – Fred Mar 22 '19 at 17:34
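
An added example, not part of the original answer or of Google's sample code, for the check the answer suggests: it builds the request body for a 5-minute token and decides from the response's `expirationTimestamp` whether a stored token can still be handed out for provisioning. The enterprise and policy names and the sample responses are constructed placeholders, and the helper function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def token_request_body(policy_name: str, valid_for: timedelta) -> dict:
    """EnrollmentToken body; `duration` uses the protobuf JSON form, e.g. '300s'."""
    seconds = int(valid_for.total_seconds())
    if seconds <= 0:
        raise ValueError("duration must be positive")
    # Sent with the Python API client as:
    # androidmanagement.enterprises().enrollmentTokens().create(
    #     parent=enterprise_name, body=body).execute()
    return {"policyName": policy_name, "duration": f"{seconds}s"}


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse a 'Z'-suffixed timestamp; digits beyond microseconds are truncated."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {ts!r}")
    base, _, frac = ts[:-1].partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac or "0")[:6].ljust(6, "0")))


def usable_for_provisioning(token: dict, now: datetime,
                            margin: timedelta = timedelta(0)) -> bool:
    """True if the token is still valid, leaving `margin` for the device to enroll."""
    return now + margin < parse_rfc3339_utc(token["expirationTimestamp"])


def expired_tokens(tokens: list, now: datetime) -> list:
    """Names of stored tokens that must not be printed or shown as QR codes."""
    return [t["name"] for t in tokens if not usable_for_provisioning(t, now)]


# Constructed sample responses (placeholder names and values, not real tokens).
SAMPLE_TOKENS = [
    {"name": "enterprises/LC00example/enrollmentTokens/short",
     "value": "PLACEHOLDER-TOKEN-1",
     "expirationTimestamp": "2019-03-21T17:05:00Z"},
    {"name": "enterprises/LC00example/enrollmentTokens/long",
     "value": "PLACEHOLDER-TOKEN-2",
     "expirationTimestamp": "2019-04-20T17:00:00.123456789Z"},
]

if __name__ == "__main__":
    now = datetime(2019, 3, 21, 17, 8, tzinfo=timezone.utc)
    print(token_request_body("enterprises/LC00example/policies/kiosk",
                             timedelta(minutes=5)))
    print("expired:", expired_tokens(SAMPLE_TOKENS, now))
```

Only new provisioning attempts depend on this check; as the answer states, devices already enrolled with a token are unaffected when it expires.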