From setup to scale: your experiences with ChromeOS automatic enrollment
Hi everyone, Automatic enrollment can be a real game changer when you’re deploying at scale — whether that’s ChromeOS zero-touch enrollment for new devices or ChromeOS Flex remote enrollment for existing fleets. I’d love to hear how it’s been working for you in the real world: What did your rollout look like (drop-ship to users, office-based, hybrid, global)? What’s one tip or best practice you’d share with someone setting up their next automatic enrollment deployment? If you’ve used both ChromeOS zero-touch and ChromeOS Flex, what factors usually influence your decision in practice? If useful, we’ve got a great community guide on ChromeOS enrollment essentials and an informative ChromeOS Flex case study that’s worth a read too! Looking forward to learning from your experiences 👀 Speak soon, Rafa
Issue: Play Protect Blocks DPC Installation During QR Provisioning on Android 14 / One UI 6.1
Hello, We use QR code provisioning to install our custom Device Policy Controller (DPC) app from a custom download URL (not Google Play). The exact same APK + QR configuration: Works on: Samsung Galaxy S20 — Android 13 / One UI 5.0 Blocked on: Samsung Galaxy S21 — Android 14 / One UI 6.1 Play Protect stops installation with the message: "App blocked to protect your device. This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud." Provisioning QR: { "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "<DeviceAdmin component>", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "<Package checksum>", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "<S3 bucket url>", "android.app.extra.PROVISIONING_LOCALE": "en_US", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/Helsinki", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": false, "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME": "<Package name>", "android.app.extra.PROVISIONING_WIFI_HIDDEN": true, "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA", "android.app.extra.PROVISIONING_WIFI_SSID": "<WiFi SSID>", "android.app.extra.PROVISIONING_WIFI_PASSWORD": "<WiFi Password>" } Questions: Question 1: What changed in Android 14 or One UI 6.1 related to: - Sideloading DPCs during provisioning - Play Protect enforcement during QR setup Question 2: What is the new required approach to ensure the DPC installation is allowed? (e.g., signature checksum requirement, Play signing, allow list, new provisioning extras) Question 3: Is there updated documentation that describes the new DPC provisioning security rules? We need to understand the change and how to properly support Android 14+ devices in enterprise deployments. Thank you!
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning. Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup. Issues observed 1. afw#identifier enrollment When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment. This previously worked and now fails consistently, even though the DPC remains published on Google Play. 2. QR code–based provisioning When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC. The DPC app is Play-approved and not sideloaded by end users. We have already submitted a Play Protect appeal through the official appeal form. 3. Distribution method For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes: Device Admin component SHA-256 signature checksum Secure download location Despite this, Play Protect flags the app after provisioning. Clarifications we are seeking Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors? Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps? Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required? Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning? Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment? We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward. Any guidance or clarification from the community or product experts would be appreciated.
Enable third-party Android mobile management
Hey Android Enterprise community, I'm trying to understand what the "Enable third-party Android mobile management" checkbox in Google Admin does. How does this affect situations where multiple Android Enterprises are bound to multiple EMM solutions? Will both Android Enterprise continue working if they are bound to different EMM solutions, even if only one is selected on the screen above? If I use the Enrollment token link method to provision a device and have no users in my Google Workspace, will switching the EMM provider in the dropdown below the checkbox have any effect? Also, does Authenticate Using Google affect provisioning if there are no users in Google Workspace? Thanks, Marko
