Skip to content

Instantly share code, notes, and snippets.

@bashenk
Last active January 6, 2025 18:30
Show Gist options
  • Save bashenk/58c6dd883b177ee6e6ed1c533f3e8066 to your computer and use it in GitHub Desktop.
Save bashenk/58c6dd883b177ee6e6ed1c533f3e8066 to your computer and use it in GitHub Desktop.
Creating a QR Code for Android Device Enrollment

Creating a QR Code for Android Device Enrollment

Android Enterprise Documentation: Create a QR code

Always required

Required if a DPC isn't already installed on the device

Recommended if the device isn't already connected to Wi-Fi

Optional


EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods


Additional references

@rekire
Copy link

rekire commented Nov 17, 2023

Thank you very helpful just the hash calculation seems to be wrong. It should be:

sha256sum your.apk | cut -d\  -f1 | xxd -r -p| openssl base64 | tr -- '+/' '-_'

@bashenk
Copy link
Author

bashenk commented Nov 17, 2023

Thank you very helpful just the hash calculation seems to be wrong. It should be:

sha256sum your.apk | cut -d\  -f1 | xxd -r -p| openssl base64 | tr -- '+/' '-_'

Ah, that's probably much simpler than what I had. I was originally basing it off instructions available at the time, but I think toolings have been updated since then, and so I am quite confident you're right. When I get a chance I'll test it out and update the gist. I'm sure other things have changed since I created this as well, so if I'll do a check for the important/useful things while I'm at it.

@ap9101
Copy link

ap9101 commented Mar 4, 2024

Hi really helpful
but I'm stuck on Android Zero-Touch Enrollment it requires a reseller?
or we can do it without a reseller account i need to enroll in my app after a hard reset can anyone help me how this is possible?
or share steps to enroll a device with zero-touch i have a Google Workspace account but it does not work for zero touch enrollment as well.

@bashenk
Copy link
Author

bashenk commented Mar 12, 2024

@ap9101 this gist is for QR Code Enrollment in particular, not Zero-Touch Enrollment. The section on EMM Provisioning has a link to Google's Zero-Touch Enrollment guide, but I mainly only included that section for reference and completeness purposes.
As far as I know, Zero-Touch requires a reseller at least in part because they have to upload the device IMEI to their portal. To get to the QR Code enrollment screen after a hard reset, tap the welcome screen six times (opens up a QR code reader, or in older devices it'll download the QR code reader after prompting for Wi-Fi first if necessary).

@bashenk
Copy link
Author

bashenk commented Mar 12, 2024

@rekire I updated the gist to include checksum calculation for the v2 signing scheme, which has a small chance of being one of the issues you could've encountered. To be clear, I was unable to get your sha256sum version to produce the proper checksum, but I also don't have a spare device to test with a factory reset these days, so I was just checking it against one of my known-working QR codes.

@robin-thoni
Copy link

Great quick guide, thanks!

I had to patch your command to get the signature checksum, though:

apksigner verify --print-certs com.afwsamples.testdpc_9.0.12.apk | grep 'Signer #1' | sed "/s*SHA-256/{s/.*SHA-256 digest:\s*//p};d" | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

(Added the grep part`)

Since apksigner is outputting multiple hashes:

Signer #1 certificate DN: CN=testdpc, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 8090f6630b4e8962479123249087cb4658feaae36a1b57dbeafd74d109b333dc
Signer #1 certificate SHA-1 digest: 9476412b9e9d0fbcfb68f82d9a17c5a4859f70c6
Signer #1 certificate MD5 digest: 3f9b85d5b13dfb38c01a771ef60fa4b8
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb

@bashenk
Copy link
Author

bashenk commented Oct 28, 2024

@robin-thoni Thanks for the update, including the example output! That modification could be easily added to the sed command, rather than creating a whole separate pipe for it. E.g., '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d'. I'll go ahead and update the gist with the new command.

@AhmadRaza159
Copy link

AhmadRaza159 commented Dec 8, 2024

@bashenk where to run these commands (keytool -printcert -jarfile "apkfile.apk" | sed '/\s*SHA256/{s/.SHA256:\s//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'), keytool is not recognized in command line

@bashenk
Copy link
Author

bashenk commented Dec 8, 2024

@AhmadRaza159 keytool is installed with the Java JRE/JDK, though you may need to update your PATH variable to include the bin folder in the Java directory (It can be installed either through your IDE or via Oracle JDK, OpenJDK, or choose your own alternative). Though, there's no need to use keytool anymore, because the first command (using apksigner) can handle V1 and V2 signed APKs.
The remainder of the commands should be preinstalled in any Linux operating environment, so you could either use a computer running a Linux distro, use WSL, or you could probably get it to work using Git for Windows if you include %ProgramFiles%\Git\usr\bin in your PATH (though if you choose the latter, I'd recommend reading up about what built-in Windows commands it ends up overriding). And also, if you're running it in Windows, you'll need to replace the single quotes (') with double quotes (") to get it to work on the command line, or it might work as-is in PowerShell if you have everything else right.

@AhmadRaza159 I've now added native PowerShell and PowerShell Core alternatives to the gist, though you'll still need apksigner or keytool.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment