Device Owner Provisioning

sravanthi
Level 2.0: Eclair

Hi Team,

 

I am trying to make my application as device owner app, I am trying to use QR code for provisioning. I am unable to acheive the result. When I scan the QR code  which I have generated (Generated QR code without enrollment token) in a factory reset device I am getting an error stating " Couldn't set up your device, for help contact your IT admin. Could you please help me where I am going wrong.
when I tried getting Enrollment Token using AMAPI I am getting the following error

com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request
POST https://androidmanagement.googleapis.com/v1/enterprises/%7B573991258109%7D/enrollmentTokens
{
"code" : 400,
"errors" : [ {
"domain" : "global",
"message" : "Invalid enterprise id. Provide a valid id.",
"reason" : "badRequest"
} ],
"message" : "Invalid enterprise id. Provide a valid id.",
"status" : "INVALID_ARGUMENT"
}

1 ACCEPTED SOLUTION

Moombas
Level 3.0: Honeycomb

Not as far as i know of as the enrollment token/id/url or whatever the MDM expects is pointing to the relvant enrollment rule to be used (because in each MDM you can have several).

Otherwise the MDM doesn't know how to proceed forward with the device (which settings to deploy, is it COPE, fully managed or just BYOD, and so on).

View solution in original post

18 REPLIES 18

Moombas
Level 3.0: Honeycomb

Please provide an example QR code you used, it should look like this (example using Soti Mobicontrol as MDM, providing a Wifi):

{"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://soti.net/apk/ae2",

"android.app.extra.PROVISIONING_WIFI_SSID":"AnySSID",

"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA",

"android.app.extra.PROVISIONING_WIFI_PASSWORD":"password",

"android.app.extra.PROVISIONING_USE_MOBILE_DATA":true,

"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{

"enrollmentId":"IDorURL_used_for_enrollment",

"PROVISIONING_MODE":"MANAGED_PROFILE"

}

}

sravanthi
Level 2.0: Eclair

Hello,

This is the sample Json format which Iam using to generate QR code

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver", "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "8:F9:D0:08:D9:82:B7:29:E2:7E:47:BB:BD:C2:EB:8D:BE:04:0F:C0:05", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "
https://android.eu-1.amazonaws.com/Android-V71-1623538246-024-aHR0cHM6C5hcHAvRGFzaGJvYXJkLw%3D%3D.ap...",

}

Moombas
Level 3.0: Honeycomb

You need this always: 

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{

"enrollmentId":"IDorURL_used_for_enrollment",

"PROVISIONING_MODE":"MANAGED_PROFILE"

}

sravanthi
Level 2.0: Eclair

Is there any way to move to device owner without enrollment token?

Moombas
Level 3.0: Honeycomb

Not as far as i know of as the enrollment token/id/url or whatever the MDM expects is pointing to the relvant enrollment rule to be used (because in each MDM you can have several).

Otherwise the MDM doesn't know how to proceed forward with the device (which settings to deploy, is it COPE, fully managed or just BYOD, and so on).

sravanthi
Level 2.0: Eclair

HI,

To create an Enrollment token using Android Management Api, I am following this method

EnrollmentToken enrollment_token = androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();

 

In the above snippet the enterpriseID which I am using is the organization ID which I get in google console, and using it in this format   

String enterpriseID =enterprises/{DUOsdy871}

.

but with this I am getting the following error

{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.android.devicemanagement.v1.DeviceManagementService.ListEnterprises",
"service": "androidmanagement.googleapis.com"
}
}
]
}
}
what OAuth access Token it is expecting.
In Google cloud console I have created an OAuth credentials and downloaded one Json file. How to use it. what login it is expecting. Where am I going wrong? Please guide me.

could you please suggest me one online QR generator tool?

Moombas
Level 3.0: Honeycomb

If you mean one in general i prefer this: https://barcode.tec-it.com/en

If you mean an enrollment QR-Code generator I use only my own written one.

Moombas
Level 3.0: Honeycomb

And just for your information, the extras are MDM related and can be different. @jasonbayton  has some nice listing here: https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/#intune

sravanthi
Level 2.0: Eclair


{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "3OEI4RjlEMDA4QjcyOUUyN0U0N0JCQkRDMkVCOERCRTA0MEZDMDA1RjMyNDI1MNg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://Android-android-central-1.com/Android-V7.apk",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{ds4VLNcI5FGVW0PcUVkKoqEbrOyGw_VqEUh1uhgM}"
}
}

Am I using in a correct format?  please correct me if I am doing anything wrong here. What all I need to handle in my android application?
Signature checksum: I have encoded my SHA256 value (example: 85:78:B8:F9:D0:08:04:B9:A8:1A:D9) to URL safe using base64encode.
and the enrollment tokent : I generated using AMAPI 

EnrollmentToken enrollment_token =  androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();

Moombas
Level 3.0: Honeycomb

I think you have to remove the { and } inside the enrollment token

sravanthi
Level 2.0: Eclair

Even after removing that I am getting below error, when scanning QR code after Factory reset. Am I using the Checksum in the correct format?

is the SHA256 signature which I need to encode? and I am directly pasting the SHA256 value with " : " in base64encoder and encoding it.

 

sravanthi_0-1703228418187.png

 

Moombas
Level 3.0: Honeycomb

I don't know how/where checksum comes from but there are default ones for each MDM i think, so always the same if you use Intune for example (for any user/customer who uses Intune)

jeremy
Level 2.3: Gingerbread

Your enterprise ID is incorrect, you should first use the enterprise endpoint to enroll your enterprise and create your enterprise on Google servers.

Then you use the ID of the enterprise returned by Google to use the other API endpoint to create your enrollment token and manage your devices.

sravanthi
Level 2.0: Eclair

Could you please share me any code snippet or relevant document for the same. It will really help me.


Thanks in Advance

jeremy
Level 2.3: Gingerbread

You can use this https://github.com/codybrookshear/android-deviceowner-kotlin to create your own device owner without using the Google Management API

sravanthi
Level 2.0: Eclair

I tried this, but it is not working.

jeremy
Level 2.3: Gingerbread

The enrollement token provided but the Google API are only valid when used with the Google Android Management API. If you plan to create your own device owner you don't need these token, just create your own app by following this guide https://developer.android.com/reference/android/app/admin/DevicePolicyManager and this blog article which details the process:

 

https://medium.com/@codybrookshear/creating-an-android-device-owner-app-in-2023-b7e7b9fb3aca