__# Additional Supported Enrollment Flags for Android Enrollment

This topic covers how to implement additional enrollment flags using QR Code or Zero Touch Portal entollment.

Formatting

In the below example, the information in bold indicates Required Information when implementing QR Code or JSON enrollment.

For the optional values, starting at "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":, enter the enrollment credentials that will be configured in the Workspace ONE Intelligent Hub. You can include the Workspace ONE UEM console Server URL, Group ID, enrollment username, and password.

Where is says "VMwareSpecificflags":"EnterValue", see the available flags below and use the correct value as needed.

{
   **"android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_COMPONENT\_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
   "android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_SIGNATURE\_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i\_o8=",
   "android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_PACKAGE\_DOWNLOAD\_LOCATION":"",
   "android.app.extra.PROVISIONING\_SKIP\_ENCRYPTION":"false",**
   "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
      "serverurl":"",
      "gid":"",
      "un":"",
      "pw":"",
      "VMwareSpecificflags":"Value"
   }
}

Unpin Hub in case of Autodiscovery Enrollment Error

If any step during auto-enrollment fails or encounters an error, Hub can prompt the user to unpin, allowing the user to access the whole device. The unpin feature can be protected by an optional password as well. If set, the user must enter the password to unpin. The user has unlimited attempts to enter the password.

The following DPC extras must be added to the ‘Admin Extras Bundle’ in the enrollment QR code:

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "*allowUnpinning*": "*true*", *"unpinPassword":"1234"* }

Disable Safeboot

Determines if the user is not allowed to reboot the device into safe boot mode during enrollment. This applies to all out of the box enrollment methods including: Samsung Knox Mobile Enrollment (KME), Zero Touch, or QR Code. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

`"disableSafeBoot":"Boolean"`

Disable USB Debugging

Determines if a user is not allowed to enable or access debugging features. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

`"disableUsbDebugging":"Boolean"`

Disable Unknown Sources

Determines if a user is not allowed to install non-market apps. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

`"disableInstallUnknownSources":"Boolean"`

Use UEM Authentication

If users wants to use UEM authentication even though they are on Workspace ONE Access, then they should notify the same through a new QR Code, which is also used in the KME portal by custom JSON. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"useUEMAuthentication":"Boolean"

Local Auto Discover URL

Set the local auto-discovery URL by replacing “String” in the example below with a URL similar to “www.myautodiscoveryurl.com”.

`"localAutoDiscoveryUrl":"String"`

Discovery Retry Count

Set the discovery retry count using an integer value. Consider a number less than 10. The following is for example purposes of how to correctly enter this value, replacing “Integer” with the number of your choice.

`"discoveryRetryCount":"Integer"` 

Discovery Interval in Seconds

Set the discovery retry interval in seconds. The following is for example purposes of how to correctly enter this value, replacing “Integer” with the number of your choice.

`"discoveryIntervalInSeconds":"Integer"`

AOSP Enrollment

Allow the device to skip adding a work account. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

`"aospenrollment":"Boolean"`

Retry Count

Set the number of times to retry Auto Enrollment on failure. Consider using a value less than 10. The following is for example purposes of how to correctly enter this value, replacing “Integer” with the number of your choice.

`"retrycount":"Integer"`

Allow Unpinning

Allow the user to navigate away from Hub during enrollment. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

`"allowUnpinning":"Boolean"` 

Enrollment Certificate

The enrollment certificate provisioning DPC extra provides a way for Workspace ONE Intelligent Hub for Android install a certificate before enrollment, which is ideal for closed network environments that uses self-signed certificates.

When the DPC extra is included in the QR code, then Hub automatically enrolls as Device Owner (Fully Managed) mode, installs the certificate, and enrolls the device.

Follow these steps to obtain the encoded certificate data:

  1. Upload the certificate to an Android Credentials profile
  2. Save the profile. Do not assign it to any devices
  3. Select the Profile and view the Profile XML. The ‘CertificateData’ in the profile XML is what is used in the JSON below.
  4. Add the following key to the Admin Extras Bundle in the QR Code provisioning JSON: “workManagedCertData”:“encoded certificate data”
{
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
   "android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false,
   "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":

{"serverurl":"","gid":"","un":"","pw":"","workManagedCertData":"encoded certificate data"}
}

Note: If the UEM console is configured for COPE mode, enrollment fails Android 11 devices.

check-circle-line exclamation-circle-line close-line
Scroll to top icon