Creating a QR Code for Android Device Enrollment

AndroidDeviceEnrollmentQRCreation.md

Creating a QR Code for Android Device Enrollment

Android Enterprise Documentation: Create a QR code

Always required

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Required if a DPC isn't already installed on the device

• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• Either of the two checksums below
  • android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.
    • If the APK is signed with the APK signature scheme v2 or JAR-signed v1 scheme (untested with v3 or higher), you can use apksigner with any of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      apksigner verify --print-certs "$apk" | sed '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String([Convert]::FromHexString($_.Matches.Groups[1].Value)) -replace '\+','-' -replace '/','_'}

      Windows PowerShell

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

    • If the APK is signed with the JAR-signed v1 scheme, you can alternatively use keytool (from Java's JRE/JDK) with either of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      keytool -printcert -jarfile "$apk" | sed '/\s*SHA256/{s/.*SHA256:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core or Windows PowerShell

      keytool -printcert -jarfile "$apk" | Select-String '\s*SHA256:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split ':' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

  • android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.

Recommended if the device isn't already connected to Wi-Fi

• android.app.extra.PROVISIONING_WIFI_SSID
• android.app.extra.PROVISIONING_WIFI_PASSWORD

Optional

• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_WIFI_HIDDEN
• android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE
• android.app.extra.PROVISIONING_WIFI_PROXY_HOST
• android.app.extra.PROVISIONING_WIFI_PROXY_PORT
• android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS
• android.app.extra.PROVISIONING_WIFI_PAC_URL
• android.app.extra.PROVISIONING_SKIP_ENCRYPTION

---

EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
• android.app.extra.PROVISIONING_MAIN_COLOR
  • ARGB color integer (A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff)
  • Uses a signed integer. Thus, it takes the two's complement.
    • E.g. 0xff000000: 0x7F000000 - 2^31 (2130706432 - 2147483647 = -16777216)
  • White (0xffffffff): = -1
  • Black (0xff000000): = -16777216
  • LightGray (0xffcccccc): = -3355444
  • Red (0xffff0000): = -65536
• android.app.extra.PROVISIONING_DISCLAIMERS

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

---

Additional references

• android.app.extra.PROVISIONING_IMEI
• android.app.extra.PROVISIONING_MODE
  • 1 = Fully managed device
  • 2 = Managed profile
• android.app.extra.PROVISIONING_SKIP_USER_CONSENT
• android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS

How we decide if we have to use PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM or PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM?

How we decide if we have to use PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM or PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM?

PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM identifies a particular package build

PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM identifies the publisher

The later allows to install an updated version of the package without requiring regenerating the QR code. The first one ensures you're installing a trusted and/or well tested version of the package.

Okay so i can use any one, both will work in any android version?

EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM was added in API 21 (Android 5.0), while EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM was added in API 23 (Android 6.0)

Thanks for this super complete piece information. Much appreciated. Can anyone confirm if this method should allow me to generate a QR to install an APK as “Device Owner” without the use of an MDM or Android Enterprise?

Yes, you'll be able to install a Device Owner app using this method. You can try it out using this Google sample app.

Thanks for the rapid response! I really appreciate it.

The Sample app seems to work. Good starter point to figure out why I run into issues with my app. Again: thanks for your help!

I apologies for using this Gist for asking this question, but does anybody happen to have a super barebones DPC kotlin application I can take a look at? I've been working on my own but unfortunately I'm unable to correctly use it using the QR method. After scanning the code, the app is being downloaded, android displays “Device belongs to your organization”, but then it fails. Debugging by fetching the logs is a PITA, but it looks like Android is trying to fall back on the (non existent) CloudDPC app in stead of using my app as the DPC.

Unable to start service Intent { cmp=com.android.managedprovisioning/com.google.android.apps.work.clouddpc.base.managedprovisioning.provisioning.ProvisioningService } U=0: not found

I've got the feeling my app is not correctly registering itself as a DPC app. Any help is highly appreciated!

Finally found it! For anyone running into the same issue; you need the following additional activities (next to your DeviceAdminReceiver):

        <activity
            android:name=".GetProvisioningModeActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.GET_PROVISIONING_MODE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

        <activity
            android:name=".PolicyComplianceActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.ADMIN_POLICY_COMPLIANCE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

class PolicyComplianceActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Do any required setup
        val intent = Intent(this, MainActivity::class.java)
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
        startActivity(intent)
        finish()
    }
}

class GetProvisioningModeActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val result = Intent().apply {
            putExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_MODE,
                DevicePolicyManager.PROVISIONING_MODE_FULLY_MANAGED_DEVICE
            )
        }

        setResult(Activity.RESULT_OK, result)
        finish()
    }
}