Creating a QR Code for Android Device Enrollment

AndroidDeviceEnrollmentQRCreation.md

Create a QR code

Android Enterprise Documentation: Create a QR code

Always required

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Required if a DPC isn't already installed on the device

• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Required: Either one of the two checksums below (URL-safe base64 encoded SHA-256 checksum).

Note: For devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.

• android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
  • If the APK is signed with the v2 scheme or v1 scheme, you can use apksigner.jar/apksigner.bat with the following to get the SHA-256 signature checksum:
    • apksigner verify --print-certs "apkfile.apk" | sed "/s*SHA-256/{s/.*SHA-256 digest:\s*//p};d" | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
  • If the APK is signed with the JAR-signed v1 scheme, you can use the following to get the SHA-256 signature checksum:
    • keytool -printcert -jarfile "apkfile.apk" | sed "/s*SHA256/{s/\s*SHA256:\s*//p};d" | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM

Recommended if the device isn't already connected to Wi-Fi

• android.app.extra.PROVISIONING_WIFI_SSID
• android.app.extra.PROVISIONING_WIFI_PASSWORD

Optional

• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_WIFI_HIDDEN
• android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE
• android.app.extra.PROVISIONING_WIFI_PROXY_HOST
• android.app.extra.PROVISIONING_WIFI_PROXY_PORT
• android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS
• android.app.extra.PROVISIONING_WIFI_PAC_URL
• android.app.extra.PROVISIONING_SKIP_ENCRYPTION

---

EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
• android.app.extra.PROVISIONING_MAIN_COLOR
  • ARGB color integer (A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff)
  • Uses a signed integer. Thus, it takes the two's complement.
    • E.g. 0xff000000: 0x7F000000 - 2^31 (2130706432 - 2147483647 = -16777216)
  • White (0xffffffff): = -1
  • Black (0xff000000): = -16777216
  • LightGray (0xffcccccc): = -3355444
  • Red (0xffff0000): = -65536
• android.app.extra.PROVISIONING_DISCLAIMERS

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

---

Additional references

• android.app.extra.PROVISIONING_IMEI
• android.app.extra.PROVISIONING_MODE
  • 1 = Fully managed device
  • 2 = Managed profile
• android.app.extra.PROVISIONING_SKIP_USER_CONSENT
• android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS

Thank you very helpful just the hash calculation seems to be wrong. It should be:

sha256sum your.apk | cut -d\  -f1 | xxd -r -p| openssl base64 | tr -- '+/' '-_'

Thank you very helpful just the hash calculation seems to be wrong. It should be:

sha256sum your.apk | cut -d\  -f1 | xxd -r -p| openssl base64 | tr -- '+/' '-_'

Ah, that's probably much simpler than what I had. I was originally basing it off instructions available at the time, but I think toolings have been updated since then, and so I am quite confident you're right. When I get a chance I'll test it out and update the gist. I'm sure other things have changed since I created this as well, so if I'll do a check for the important/useful things while I'm at it.

Hi really helpful
but I'm stuck on Android Zero-Touch Enrollment it requires a reseller?
or we can do it without a reseller account i need to enroll in my app after a hard reset can anyone help me how this is possible?
or share steps to enroll a device with zero-touch i have a Google Workspace account but it does not work for zero touch enrollment as well.

@ap9101 this gist is for QR Code Enrollment in particular, not Zero-Touch Enrollment. The section on EMM Provisioning has a link to Google's Zero-Touch Enrollment guide, but I mainly only included that section for reference and completeness purposes.
As far as I know, Zero-Touch requires a reseller at least in part because they have to upload the device IMEI to their portal. To get to the QR Code enrollment screen after a hard reset, tap the welcome screen six times (opens up a QR code reader, or in older devices it'll download the QR code reader after prompting for Wi-Fi first if necessary).

@rekire I updated the gist to include checksum calculation for the v2 signing scheme, which has a small chance of being one of the issues you could've encountered. To be clear, I was unable to get your sha256sum version to produce the proper checksum, but I also don't have a spare device to test with a factory reset these days, so I was just checking it against one of my known-working QR codes.