# Additional Supported Enrollment Flags for Android Enrollment
This topic covers how to implement additional enrollment flags using QR Code or Zero Touch Portal enrollment.
In the example below, the information in bold is required when implementing QR Code or JSON enrollment.
For the optional values, starting at `"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":`, enter the enrollment credentials that will be configured in the Workspace ONE Intelligent Hub. You can include the Workspace ONE UEM console Server URL, Group ID, enrollment username, and password.
Where it says `"VMwareSpecificflags":"EnterValue"`, see the available flags below and use the correct value as needed.
{
**"android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_COMPONENT\_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
"android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_SIGNATURE\_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i\_o8=",
"android.app.extra.PROVISIONING\_DEVICE\_ADMIN\_PACKAGE\_DOWNLOAD\_LOCATION":"",
"android.app.extra.PROVISIONING\_SKIP\_ENCRYPTION":"false",**
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"serverurl":"",
"gid":"",
"un":"",
"pw":"",
"VMwareSpecificflags":"Value"
}
}
If any step during auto-enrollment fails or encounters an error, Hub can prompt the user to unpin, allowing the user to access the whole device. The unpin feature can be protected by an optional password as well. If set, the user must enter the password to unpin. The user has unlimited attempts to enter the password.
The following DPC extras must be added to the ‘Admin Extras Bundle’ in the enrollment QR code:
`"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "allowUnpinning": "true", "unpinPassword":"1234" }`
Determines whether the user is prevented from rebooting the device into safe boot mode during enrollment. This applies to all out-of-the-box enrollment methods, including Samsung Knox Mobile Enrollment (KME), Zero Touch, and QR Code. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"disableSafeBoot":"Boolean"`
Determines whether the user is prevented from enabling or accessing debugging features. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"disableUsbDebugging":"Boolean"`
Determines whether the user is prevented from installing non-market apps. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"disableInstallUnknownSources":"Boolean"`
If users want to use UEM authentication even though they are on Workspace ONE Access, they must specify this in a new QR Code, which is also used in the KME portal through custom JSON. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"useUEMAuthentication":"Boolean"`
Set the local auto-discovery URL by replacing “String” in the example below with a URL similar to “www.myautodiscoveryurl.com”.
`"localAutoDiscoveryUrl":"String"`
Set the discovery retry count using an integer value. Consider a number less than 10. The following example shows how to enter this value correctly; replace “Integer” with the number of your choice.
`"discoveryRetryCount":"Integer"`
Set the discovery retry interval in seconds. The following example shows how to enter this value correctly; replace “Integer” with the number of your choice.
`"discoveryIntervalInSeconds":"Integer"`
Allow the device to skip adding a work account. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"aospenrollment":"Boolean"`
Set the number of times to retry Auto Enrollment on failure. Consider using a value less than 10. The following example shows how to enter this value correctly; replace “Integer” with the number of your choice.
`"retrycount":"Integer"`
Allow the user to navigate away from Hub during enrollment. Set the boolean value by replacing the “Boolean” value with “true” or “false”.
`"allowUnpinning":"Boolean"`
The enrollment certificate provisioning DPC extra provides a way for Workspace ONE Intelligent Hub for Android to install a certificate before enrollment, which is ideal for closed network environments that use self-signed certificates.
When the DPC extra is included in the QR code, Hub automatically enrolls in Device Owner (Fully Managed) mode, installs the certificate, and enrolls the device.
Follow these steps to obtain the encoded certificate data:
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
{"serverurl":"","gid":"","un":"","pw":"","workManagedCertData":"encoded certificate data"}
}
Note: If the UEM console is configured for COPE mode, enrollment fails on Android 11 devices.
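The payload layout and flags described on this page can be reviewed before the JSON is encoded into a QR code or pasted into the Zero Touch portal. The following Python check is an added example, not part of the original page or of VMware's tooling. The function names, the sample host and credentials, and the review policy that all three restriction flags should be "true" are assumptions of this example.

```python
import base64
import json

P = "android.app.extra.PROVISIONING_"
REQUIRED = [P + s for s in ("DEVICE_ADMIN_COMPONENT_NAME", "DEVICE_ADMIN_SIGNATURE_CHECKSUM",
                            "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "SKIP_ENCRYPTION")]
BUNDLE = P + "ADMIN_EXTRAS_BUNDLE"
RESTRICTIONS = ("disableSafeBoot", "disableUsbDebugging", "disableInstallUnknownSources")
BOOL_FLAGS = RESTRICTIONS + ("useUEMAuthentication", "aospenrollment", "allowUnpinning")
INT_FLAGS = ("discoveryRetryCount", "discoveryIntervalInSeconds", "retrycount")

def is_true(value):
    return str(value).lower() == "true"

def audit_enrollment_payload(text):
    """Return review findings for a QR Code / Zero Touch enrollment JSON string."""
    data, findings = json.loads(text), []
    findings += [f"missing required key: {k}" for k in REQUIRED if k not in data]
    checksum = str(data.get(REQUIRED[1], ""))
    try:  # Android expects URL-safe base64 of a SHA-256 digest, i.e. 32 bytes
        raw = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
    except ValueError:
        raw = b""
    if len(raw) != 32:
        findings.append("signature checksum does not decode to 32 bytes")
    extras = data.get(BUNDLE, {})
    for flag in BOOL_FLAGS:
        if flag in extras and str(extras[flag]).lower() not in ("true", "false"):
            findings.append(f"{flag}: expected true or false")
    for flag in INT_FLAGS:
        value = str(extras.get(flag, "0"))
        if not value.isdigit():
            findings.append(f"{flag}: expected an integer")
        elif flag != "discoveryIntervalInSeconds" and int(value) >= 10:
            findings.append(f"{flag}: page suggests a value less than 10")
    if extras.get("pw"):
        findings.append("pw: password is readable by anyone who can scan the code")
    if is_true(extras.get("allowUnpinning")) and not extras.get("unpinPassword"):
        findings.append("allowUnpinning: enabled without unpinPassword")
    # Assumed review policy (not from the page): all three restrictions are on.
    findings += [f"{f}: restriction not enabled" for f in RESTRICTIONS
                 if not is_true(extras.get(f))]
    return findings

SAMPLE = json.dumps({  # constructed sample: host, group and credentials are made up
    **dict.fromkeys(REQUIRED, ""),
    REQUIRED[1]: "6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",  # value from the page
    BUNDLE: {"serverurl": "uem.example.com", "gid": "EXAMPLE", "un": "staging", "pw": "made-up",
             "allowUnpinning": "true", "retrycount": "12", "disableSafeBoot": "true"}})
```

Calling `audit_enrollment_payload(SAMPLE)` returns the findings for the constructed sample; an empty list means the payload passed every check in this example.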