Creating a QR Code for Android Device Enrollment

AndroidDeviceEnrollmentQRCreation.md

Creating a QR Code for Android Device Enrollment

Android Enterprise Documentation: Create a QR code

Always required

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Required if a DPC isn't already installed on the device

• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• Either of the two checksums below
  • android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.
    • If the APK is signed with the APK signature scheme v2 or JAR-signed v1 scheme (untested with v3 or higher), you can use apksigner with any of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      apksigner verify --print-certs "$apk" | sed '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String([Convert]::FromHexString($_.Matches.Groups[1].Value)) -replace '\+','-' -replace '/','_'}

      Windows PowerShell

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

    • If the APK is signed with the JAR-signed v1 scheme, you can alternatively use keytool (from Java's JRE/JDK) with either of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      keytool -printcert -jarfile "$apk" | sed '/\s*SHA256/{s/.*SHA256:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core or Windows PowerShell

      keytool -printcert -jarfile "$apk" | Select-String '\s*SHA256:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split ':' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

  • android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.

Recommended if the device isn't already connected to Wi-Fi

• android.app.extra.PROVISIONING_WIFI_SSID
• android.app.extra.PROVISIONING_WIFI_PASSWORD

Optional

• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_WIFI_HIDDEN
• android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE
• android.app.extra.PROVISIONING_WIFI_PROXY_HOST
• android.app.extra.PROVISIONING_WIFI_PROXY_PORT
• android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS
• android.app.extra.PROVISIONING_WIFI_PAC_URL
• android.app.extra.PROVISIONING_SKIP_ENCRYPTION

---

EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
• android.app.extra.PROVISIONING_MAIN_COLOR
  • ARGB color integer (A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff)
  • Uses a signed integer. Thus, it takes the two's complement.
    • E.g. 0xff000000: 0x7F000000 - 2^31 (2130706432 - 2147483647 = -16777216)
  • White (0xffffffff): = -1
  • Black (0xff000000): = -16777216
  • LightGray (0xffcccccc): = -3355444
  • Red (0xffff0000): = -65536
• android.app.extra.PROVISIONING_DISCLAIMERS

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

---

Additional references

• android.app.extra.PROVISIONING_IMEI
• android.app.extra.PROVISIONING_MODE
  • 1 = Fully managed device
  • 2 = Managed profile
• android.app.extra.PROVISIONING_SKIP_USER_CONSENT
• android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS

I apologies for using this Gist for asking this question, but does anybody happen to have a super barebones DPC kotlin application I can take a look at? I've been working on my own but unfortunately I'm unable to correctly use it using the QR method. After scanning the code, the app is being downloaded, android displays “Device belongs to your organization”, but then it fails. Debugging by fetching the logs is a PITA, but it looks like Android is trying to fall back on the (non existent) CloudDPC app in stead of using my app as the DPC.

Unable to start service Intent { cmp=com.android.managedprovisioning/com.google.android.apps.work.clouddpc.base.managedprovisioning.provisioning.ProvisioningService } U=0: not found

I've got the feeling my app is not correctly registering itself as a DPC app. Any help is highly appreciated!

Finally found it! For anyone running into the same issue; you need the following additional activities (next to your DeviceAdminReceiver):

        <activity
            android:name=".GetProvisioningModeActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.GET_PROVISIONING_MODE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

        <activity
            android:name=".PolicyComplianceActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.ADMIN_POLICY_COMPLIANCE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

class PolicyComplianceActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Do any required setup
        val intent = Intent(this, MainActivity::class.java)
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
        startActivity(intent)
        finish()
    }
}

class GetProvisioningModeActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val result = Intent().apply {
            putExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_MODE,
                DevicePolicyManager.PROVISIONING_MODE_FULLY_MANAGED_DEVICE
            )
        }

        setResult(Activity.RESULT_OK, result)
        finish()
    }
}