Zero-Touch Enrollment Programs: ABM vs DEP – AZT vs KME
Updated: Sep 9
Acronyms, acronyms! The Mobile Device Management (MDM) world is filled with them. In a previous article, we introduced Zero Touch Enrollment Programs (ZTEPs) to achieve supervision. However, there are several different ZTEPs, and therefore several acronyms that you need to understand. In this article, we cover the differences between the types of zero-touch enrollment programs and how they work.
Why are zero-touch enrollment programs (ZTEPs) important?
Zero-touch enrollment programs are manufacturers’ workaround for a key dilemma they face: privacy. Apple, Samsung, and Android all take user privacy seriously and are thus stuck between a rock and a hard place – consumer and corporate. They have designed their software to preserve an end user’s privacy: whether the third party is a government, a corporation, or anyone else, manufacturers protect consumers from outsiders who want to control or monitor their personal devices. But what happens when the company owns the device? ZTEPs are the solution that gives control back to the organization, allowing it to remove activation locks, block removal of management, and prevent users from skipping enrollment.
Apple/iOS – DEP vs VPP vs ABM
Apple originally had two programs: the Device Enrollment Program (DEP) handled device enrollment, while the Volume Purchasing Program (VPP) handled corporate application purchases and deployment. However, in 2018, Apple combined the two and rebranded the program as Apple Business Manager (ABM). If you look through ABM, you will no longer find DEP or VPP listed under the corresponding sections, but MDMs (along with many blogs and system administrators) still refer to them by their original names. In most circles, you will find ABM and DEP used interchangeably. LINQ has followed the MDMs’ lead on this, so we typically still refer to the iOS device enrollment portion of ABM as DEP and the apps and books portion as VPP. One thing is certain: ABM is the umbrella that houses DEP and VPP.
Setup for ABM requires a company email address that has never been used as a consumer Apple ID, along with your business’ DUNS number.
LINQ PRO TIP: We highly recommend using an account that is not user specific. Access to this program must remain with the organization, regardless of employee transitions. We typically recommend MDMAdmin@yourcompanydomain or something similar that is a group address or a shared mailbox. Using a shared admin credential is also useful for the Apple Push Notification Certificate (APNC -- a different token, entirely separate from ABM), which must always be renewed with the same set of credentials. If you lose access to the account used to create the APNC, every device must be factory reset and re-enrolled to maintain active management.
AndroidOS – AZT vs KME
Unlike Apple, Android has many manufacturers (Samsung, LG, etc.), and Google encourages these manufacturers to innovate and add features above and beyond base Android. Because of this, Android and Samsung have two separate portals: Android Zero Touch (AZT) and Samsung Knox Mobile Enrollment (KME).
Android Zero Touch is a zero-touch enrollment program that enables IT to deploy mobile devices without manual setup. It works for any Android device, but signing up can be a bit unintuitive. It must be processed through an authorized reseller such as Verizon or AT&T, as the AZT application cannot be submitted through Google’s website online. Mobile applications are distributed separately via a Managed Google Play account (a Google account tied to the organization). This process makes AZT accessible to all, but it also encourages manufacturers to build their own applications.
AZT Sign In (once the reseller has it created).
LINQ PRO TIP: AZT and the Managed Google Play account will need a Google account associated with your business. When you create that Google account, make sure it is not an @gmail address but your actual email@yourcompanydomain instead.
Knox Mobile Enrollment is a zero-touch enrollment program that provides easier device enrollment for both IT admins and device users, but it only works for Samsung devices. Oddly enough, some (but not all) MDMs require AZT for KME to work. Microsoft Intune, for example, uses the “Corporate Device Enrollment Token” that Intune generates from the AZT configuration to make KME work. On the other hand, VMware Workspace ONE (formerly AirWatch) can set up KME separately from AZT. Odder still -- in any MDM, KME still uses a Managed Google Play account for app deployment. We agree. It can get confusing.
LINQ PRO TIP: You may not actually need KME if you would prefer to have only one console to manage Android devices, but KME is a bit more mature and does theoretically offer more features than base AZT. With KME, you can use the Knox Deployment Application to add devices that were not purchased from a connected authorized reseller – AZT does not have an equivalent feature.
For both AZT and KME, we highly recommend using an account that is not user specific. Access to these programs must remain with the organization regardless of employee transitions. We typically see MDMAdmin@yourcompanydomain.
To empower your MDM with zero-touch enrollment, you will need ABM for iOS (which contains DEP and VPP), whereas for Android deployment we recommend setting up AZT, KME, and a Managed Google Play account. Easy, right? Procuring, deploying, and managing your mobile fleet can be both time consuming and expensive. LINQ offers a wide range of enterprise mobility services to help you cut down on costs and focus on your business.