Creating a QR Code for Android Device Enrollment

AndroidDeviceEnrollmentQRCreation.md

Creating a QR Code for Android Device Enrollment

Android Enterprise Documentation: Create a QR code

Always required

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Required if a DPC isn't already installed on the device

• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• Either of the two checksums below
  • android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.
    • If the APK is signed with the APK signature scheme v2 or JAR-signed v1 scheme (untested with v3 or higher), you can use apksigner with any of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      apksigner verify --print-certs "$apk" | sed '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String([Convert]::FromHexString($_.Matches.Groups[1].Value)) -replace '\+','-' -replace '/','_'}

      Windows PowerShell

      apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

    • If the APK is signed with the JAR-signed v1 scheme, you can alternatively use keytool (from Java's JRE/JDK) with either of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):

      sh

      keytool -printcert -jarfile "$apk" | sed '/\s*SHA256/{s/.*SHA256:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

      PowerShell Core or Windows PowerShell

      keytool -printcert -jarfile "$apk" | Select-String '\s*SHA256:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split ':' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}

  • android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
    • A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
    • Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.

Recommended if the device isn't already connected to Wi-Fi

• android.app.extra.PROVISIONING_WIFI_SSID
• android.app.extra.PROVISIONING_WIFI_PASSWORD

Optional

• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_WIFI_HIDDEN
• android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE
• android.app.extra.PROVISIONING_WIFI_PROXY_HOST
• android.app.extra.PROVISIONING_WIFI_PROXY_PORT
• android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS
• android.app.extra.PROVISIONING_WIFI_PAC_URL
• android.app.extra.PROVISIONING_SKIP_ENCRYPTION

---

EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

• android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
• android.app.extra.PROVISIONING_LOCALE
• android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
• android.app.extra.PROVISIONING_LOCAL_TIME
• android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
• android.app.extra.PROVISIONING_MAIN_COLOR
  • ARGB color integer (A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff)
  • Uses a signed integer. Thus, it takes the two's complement.
    • E.g. 0xff000000: 0x7F000000 - 2^31 (2130706432 - 2147483647 = -16777216)
  • White (0xffffffff): = -1
  • Black (0xff000000): = -16777216
  • LightGray (0xffcccccc): = -3355444
  • Red (0xffff0000): = -65536
• android.app.extra.PROVISIONING_DISCLAIMERS

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods

• android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
• android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
• android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

---

Additional references

• android.app.extra.PROVISIONING_IMEI
• android.app.extra.PROVISIONING_MODE
  • 1 = Fully managed device
  • 2 = Managed profile
• android.app.extra.PROVISIONING_SKIP_USER_CONSENT
• android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS

Great quick guide, thanks!

I had to patch your command to get the signature checksum, though:

apksigner verify --print-certs com.afwsamples.testdpc_9.0.12.apk | grep 'Signer #1' | sed "/s*SHA-256/{s/.*SHA-256 digest:\s*//p};d" | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

(Added the grep part`)

Since apksigner is outputting multiple hashes:

Signer #1 certificate DN: CN=testdpc, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 8090f6630b4e8962479123249087cb4658feaae36a1b57dbeafd74d109b333dc
Signer #1 certificate SHA-1 digest: 9476412b9e9d0fbcfb68f82d9a17c5a4859f70c6
Signer #1 certificate MD5 digest: 3f9b85d5b13dfb38c01a771ef60fa4b8
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb

@robin-thoni Thanks for the update, including the example output! That modification could be easily added to the sed command, rather than creating a whole separate pipe for it. E.g., '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d'. I'll go ahead and update the gist with the new command.

@bashenk where to run these commands (keytool -printcert -jarfile "apkfile.apk" | sed '/\s*SHA256/{s/.SHA256:\s//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'), keytool is not recognized in command line

@AhmadRaza159 keytool is installed with the Java JRE/JDK, though you may need to update your PATH variable to include the bin folder in the Java directory (It can be installed either through your IDE or via Oracle JDK, OpenJDK, or choose your own alternative). Though, there's no need to use keytool anymore, because the first command (using apksigner) can handle V1 and V2 signed APKs.
The remainder of the commands should be preinstalled in any Linux operating environment, so you could either use a computer running a Linux distro, use WSL, or you could probably get it to work using Git for Windows if you include %ProgramFiles%\Git\usr\bin in your PATH (though if you choose the latter, I'd recommend reading up about what built-in Windows commands it ends up overriding). And also, if you're running it in Windows, you'll need to replace the single quotes (') with double quotes (") to get it to work on the command line, or it might work as-is in PowerShell if you have everything else right.

@AhmadRaza159 I've now added native PowerShell and PowerShell Core alternatives to the gist, though you'll still need apksigner or keytool.