Prerequisites
Android Enterprise (Android Management / Google Play for Work) account has been bound in System Management → Organization Management and shows as connected/authorized.
The user has permission to create GMA Zero-touch (administrator or appropriate role).
Access to the Google Zero-touch customer Portal for binding/authorization.
KiwiCloud Enrollment Configuration(s) have been pre-created (naming rule, associated group, Wi-Fi, Google customer info, etc.).
Interaction Flow
1. Bind Android Enterprise in Organization Management
Go to System Management → Organization Management and follow the page prompts to complete Android Enterprise binding and authorization
Verify: confirm the page shows Android Enterprise as “connected/authorized”.
✅ Verify: On System Settings / Enterprise Integrations or the Organization Management page you should see the bound enterprise name and connection status.
2. Enrollment → Google Zero-touch → Click Registration Config
Go to Enrollment → Google Zero-touch and click Enrollment Configuration.
If the system detects no Zero-touch account info is bound, a prompt will appear: Google Zero-touch authorization has expired, Please rebind
Clicking bind redirects you to Google's account binding/authorization page.
After completing the binding flow, return to KiwiCloud.
✅ Verify: After successful binding, when selecting the Google Zero-touch authorized customer in Enrollment Config you can see the associated Google Zero-touch customer Portal account or customer name.
3. Create Enrollment Configuration (Interaction change)
After binding, click Enrollment Config again to open the actual configuration creation flow.
In the creation form:
Select Google Zero-touch authorized customer — the page lists bound Google Zero-touch customer Portal accounts/customers for selection;
Select devices — choose devices or device pools visible under that customer;
Select KiwiCloud Enrollment Configuration — choose a pre-created KiwiCloud Enrollment Configuration (naming rule, associated group, Wi-Fi, Google customer info, etc.).
Submit the configuration:
Important — Overwrite behavior: On submission, the KiwiCloud enrollment Configuration you select for the chosen devices will overwrite the corresponding enrollment configuration on the Google Zero-touch customer Portal for those devices (if any). In other words, the KiwiCloud-submitted configuration becomes the final configuration the devices use.
✅ Verify: The GMA Zero-touch enrollment record shows the selected Google customer, device list, and the referenced KiwiCloud Registration Configuration.
4. Device Boot Behavior (Enforcement)
When configured devices boot and go online, they request configuration from Google Zero-touch and receive the KiwiCloud enrollment Configuration.
Devices will be automatically assigned to the associated group and the group's associated policies (app publish/update, device policy, kiosk, etc.) will be applied automatically.
Google account info and Wi-Fi from the Configuration are also applied to the device (if configured).
✅ Verify (Admin console): Devices appear in the device list; the device Group field shows the target group; policy/app deployment status shows “deployed / installing / installed”.
Troubleshooting & Notes
Cannot see bind entry or cannot bind Google Zero-touch account
Confirm the current user has permission to create/bind GMA Zero-touch (admin or appropriate role).
Check for browser pop-up blockers that may block Google auth.
If binding fails, capture error screenshots and contact KiwiCloud Support with details and timestamps.
Device is not fetching config / not enrolling via Google Zero-touch
Verify the device is correctly assigned to the selected customer/project in Google Zero-touch.
Check device network, time sync, and Wi-Fi (if delivered as part of the config).
Collect device
adb logcat(if possible) and backend enrollment logs; check Google Zero-touch console for assignment/enrollment status.
Device enrolled but not in target group or policy not applied
Confirm the KiwiCloud enrollment Configuration referenced at submission includes the correct Associated Group.
If using Auto Group, ensure device attributes match the auto-group rules.
Check for other system-level priorities or conflicting policies that might override group/policy assignment.