This topic covers how to implement additional enrollment flags using QR Code or Zero Touch Portal enrollment.
In the example below, the information in bold indicates Required Information when implementing QR Code or JSON enrollment.
For the optional values, starting at "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE", enter the enrollment credentials that will be configured in the Workspace ONE Intelligent Hub. You can include the Workspace ONE UEM console Server URL, Group ID, enrollment username, and password.
Where it says "VMwareSpecificflags":"EnterValue", see the available flags below and use the correct value as needed.
{
**"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":"false",**
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"serverurl":"",
"gid":"",
"un":"",
"pw":"",
"VMwareSpecificflags":"Value"
}
}
Note: This flag is only supported on Android 10 and lower.
If any step during auto-enrollment fails or encounters an error, Hub can prompt the user to unpin, allowing the user to access the whole device. The unpin feature can be protected by an optional password as well. If set, the user must enter the password to unpin. The user has unlimited attempts to enter the password.
The following DPC extras must be added to the ‘Admin Extras Bundle’ in the enrollment QR code:
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "allowUnpinning": "true", "unpinPassword":"1234" }
Determines if the user is not allowed to reboot the device into safe boot mode during enrollment. This applies to all out of the box enrollment methods including: Samsung Knox Mobile Enrollment (KME), Zero Touch, or QR Code. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"disableSafeBoot":"Boolean"
Determines if a user is not allowed to enable or access debugging features. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"disableUsbDebugging":"Boolean"
Determines if a user is not allowed to install non-market apps. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"disableInstallUnknownSources":"Boolean"
If users want to use UEM authentication even though they are on Workspace ONE Access, indicate this through a new QR Code; the same flag is also used in the KME portal through custom JSON. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"useUEMAuthentication":"Boolean"
Set the local auto-discovery URL by replacing “String” in the example below with a URL similar to “www.myautodiscoveryurl.com”.
"localAutoDiscoveryUrl":"String"
Set the discovery retry count using an integer value. Consider a number less than 10. The following shows how to enter this value correctly; replace “Integer” with the number of your choice.
"discoveryRetryCount":"Integer"
Set the discovery retry interval in seconds. The following shows how to enter this value correctly; replace “Integer” with the number of your choice.
"discoveryIntervalInSeconds":"Integer"
Allow the device to skip adding a work account. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"aospenrollment":"Boolean"
Set the number of times to retry Auto Enrollment on failure. Consider using a value less than 10. The following shows how to enter this value correctly; replace “Integer” with the number of your choice.
"retrycount":"Integer"
Allow the user to navigate away from Hub during enrollment. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
"allowUnpinning":"Boolean"
The enrollment certificate provisioning DPC extra provides a way for Workspace ONE Intelligent Hub for Android to install a certificate before enrollment, which is ideal for closed network environments that use self-signed certificates.
When the DPC extra is included in the QR code, Hub automatically enrolls in Device Owner (Fully Managed) mode, installs the certificate, and enrolls the device.
Follow these steps to obtain the encoded certificate data:
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
{"serverurl":"","gid":"","un":"","pw":"","workManagedCertData":"encoded certificate data"}
}
Note: If the UEM console is configured for COPE mode, enrollment fails on Android 11 devices.
By default, Intelligent Hub enables both the Chrome and Camera applications during enrollment of corporate-owned devices. Set this DPC Extra to “false” to opt out of enabling these applications by default on devices running Android 9.0.
Historically, organizations have only been able to suspend the Chrome application on Android 9 devices through the “Allow Chrome Browser” setting in Restrictions Profiles. However, doing so prevents the Android System Webview from receiving updates. Organizations can now completely disable Chrome on Android 9 devices by setting this DPC Extra to “false”. This allows Android System Webview to be updated.
Supported on Fully Managed and Corporate Owned Devices.
"autoEnableSystemApps":"false"
In the Android Restrictions Profile payload, activating “Allow Disabling Application Verification” allows end users to deactivate Play Protect scanning on the device. However, the default behavior for Intelligent Hub for this setting is deactivated. For an organization pushing a Restrictions Profile with “Allow Disabling Application Verification” deactivated, this means that:
Organizations may wish to keep Play Protect scanning deactivated in the above scenarios. To do so, set the following DPC Extra to “true” while enrolling devices. This modifies the default value of “Allow Disabling Application Verification” in the Restrictions profile to activated. If devices are enrolled using the above flag, organizations can still prevent end users from deactivating Play Protect scanning by pushing a Restrictions Profile with “Allow Disabling Application Verification” set to false.
"disablePlayVerifyApps":"true"
By default, Android Intelligent Hub does not display the user privacy dialog during enrollment of devices in Work Managed mode. Hub does show this dialog (“Your Privacy Matters…”) today by default during enrollment in Work Profile and Corporate Owned Personally Enabled modes. To better meet use cases where individual end users are assigned a fully managed device, administrators can now opt to display this dialog for Work Managed mode enrollment.
"promptPrivacy":"True"
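
As an added example (not VMware's code and not part of the original page), the following Python lint checks a provisioning JSON against the required keys and flag types listed above before it is encoded into a QR code or entered in the Zero Touch portal. The names `lint_payload` and `SAMPLE`, the sample values, and the risk checks at the end (embedded `pw`, unpinning without `unpinPassword`, skipped encryption, `disablePlayVerifyApps`) are assumptions of this example.

```python
import json

P = "android.app.extra.PROVISIONING_"
BUNDLE = P + "ADMIN_EXTRAS_BUNDLE"
REQUIRED = [P + s for s in ("DEVICE_ADMIN_COMPONENT_NAME", "DEVICE_ADMIN_SIGNATURE_CHECKSUM",
                            "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "SKIP_ENCRYPTION")]
BOOL_FLAGS = {"disableSafeBoot", "disableUsbDebugging", "disableInstallUnknownSources",
              "useUEMAuthentication", "aospenrollment", "allowUnpinning",
              "autoEnableSystemApps", "disablePlayVerifyApps", "promptPrivacy"}
INT_FLAGS = {"discoveryRetryCount", "discoveryIntervalInSeconds", "retrycount"}
BELOW_TEN = {"discoveryRetryCount", "retrycount"}  # page suggests a value under 10


def is_true(value):  # accepts JSON booleans and the quoted strings the page uses
    return str(value).strip().lower() == "true"


def lint_payload(text):
    """Return sorted findings; the final risk checks are this example's own policy."""
    doc = json.loads(text)
    findings = [f"missing required key: {k}" for k in REQUIRED if k not in doc]
    extras = doc.get(BUNDLE) or {}
    for key, value in extras.items():
        shown = str(value).strip()
        if key in BOOL_FLAGS and shown.lower() not in ("true", "false"):
            findings.append(f"{key}: expected true/false, got {shown!r}")
        if key in INT_FLAGS and not shown.isdecimal():
            findings.append(f"{key}: expected integer, got {shown!r}")
        elif key in BELOW_TEN and int(shown) >= 10:
            findings.append(f"{key}: {shown} is not below 10")
    if is_true(doc.get(P + "SKIP_ENCRYPTION", "false")):
        findings.append("encryption is skipped during provisioning")
    if extras.get("pw"):
        findings.append("enrollment password is embedded in the payload")
    if is_true(extras.get("allowUnpinning", "false")) and not extras.get("unpinPassword"):
        findings.append("allowUnpinning is true with no unpinPassword")
    if is_true(extras.get("disablePlayVerifyApps", "false")):
        findings.append("disablePlayVerifyApps is true")
    return sorted(findings)


SAMPLE = json.dumps({  # constructed sample payload, placeholder values only
    P + "DEVICE_ADMIN_COMPONENT_NAME":
        "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
    P + "SKIP_ENCRYPTION": "false",
    BUNDLE: {"serverurl": "uem.example.test", "gid": "demo", "un": "staging", "pw": "placeholder",
             "allowUnpinning": "true", "retrycount": "12", "disableUsbDebugging": "yes"}})

if __name__ == "__main__":
    print("\n".join(lint_payload(SAMPLE)))
```

An empty list means the payload has every required key, well-typed flags, and none of the settings this example chooses to surface for review.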