Enable the Android Management API in Google Cloud Console and create a service account with the androidmanagement.enrollmentTokens.create permission
Create an enterprise by POST to https://androidmanagement.googleapis.com/v1/enterprises using a Google Play Managed account bound to your organization
POST to https://androidmanagement.googleapis.com/v1/{parent=enterprises/*}/enrollmentTokens with a body specifying policyName, duration, allowPersonalUsage, and managedProfileApplicable fields
Extract the value field (the enrollment token string) and the qrCode field from the 200 response; the qrCode field contains JSON provisioning extras
Encode the qrCode JSON into a scannable QR image using any standard QR library and display it on device setup screens
On first boot, the device scans the QR code, Android Device Policy is installed automatically, and the device provisions against the specified policy
Known gotchas
Enrollment tokens have a configurable expiry (maximum 30 days); expired tokens return a 404 when a device attempts to use them — generate fresh tokens for each deployment wave
The policyName referenced in the token must already exist in the enterprise; referencing a non-existent policy causes silent provisioning failures where Device Policy falls back to an empty policy
Zero-touch enrollment requires devices to be purchased from an authorized zero-touch reseller and registered in the zero-touch portal; the Android Management API token alone cannot force zero-touch on arbitrary hardware
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp