Additional Supported Enrollment Flags for Android Enrollment (DPC Extras)

This topic covers how to implement additional enrollment flags using QR Code or Zero Touch Portal enrollment.

Formatting

In the example below, the information in bold indicates Required Information when implementing QR Code or JSON enrollment.

For the optional values, starting at "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":, enter the enrollment credentials that will be configured in the Workspace ONE Intelligent Hub. You can include the Workspace ONE UEM console Server URL, Group ID, enrollment username, and password.

Where it says "VMwareSpecificflags":"EnterValue", see the available flags below and use the correct value as needed.

{
   **"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
   "android.app.extra.PROVISIONING_SKIP_ENCRYPTION":"false",**
   "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
      "serverurl":"",
      "gid":"",
      "un":"",
      "pw":"",
      "VMwareSpecificflags":"Value"
   }
}

Unpin Hub in case of Autodiscovery Enrollment Error

Note: This flag is only supported on Android 10 and lower.

If any step during auto-enrollment fails or encounters an error, Hub can prompt the user to unpin, allowing the user to access the whole device. The unpin feature can be protected by an optional password as well. If set, the user must enter the password to unpin. The user has unlimited attempts to enter the password.

The following DPC extras must be added to the ‘Admin Extras Bundle’ in the enrollment QR code:

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "allowUnpinning": "true", "unpinPassword": "1234" }

Disable Safeboot

Determines whether the user is blocked from rebooting the device into safe boot mode during enrollment. This applies to all out-of-the-box enrollment methods, including Samsung Knox Mobile Enrollment (KME), Zero Touch, and QR Code. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"disableSafeBoot":"Boolean"

Disable USB Debugging

Determines whether the user is blocked from enabling or accessing debugging features. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"disableUsbDebugging":"Boolean"

Disable Unknown Sources

Determines whether the user is blocked from installing non-market apps. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"disableInstallUnknownSources":"Boolean"

Use UEM Authentication

If users want to use UEM authentication even though they are on Workspace ONE Access, indicate this through a new QR code; the same flag is also used in the KME portal through custom JSON. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"useUEMAuthentication":"Boolean"

Local Auto Discover URL

Set the local auto-discovery URL by replacing “String” in the example below with a URL similar to “www.myautodiscoveryurl.com”.

"localAutoDiscoveryUrl":"String"

Discovery Retry Count

Set the discovery retry count using an integer value. Consider a number less than 10. The following shows how to enter this value; replace “Integer” with the number of your choice.

"discoveryRetryCount":"Integer"

Discovery Interval in Seconds

Set the discovery retry interval in seconds. The following shows how to enter this value; replace “Integer” with the number of your choice.

"discoveryIntervalInSeconds":"Integer"

AOSP Enrollment

Allow the device to skip adding a work account. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"aospenrollment":"Boolean"

Retry Count

Set the number of times to retry Auto Enrollment on failure. Consider using a value less than 10. The following shows how to enter this value; replace “Integer” with the number of your choice.

"retrycount":"Integer"

Allow Unpinning

Allow the user to navigate away from Hub during enrollment. Set the boolean value by replacing the “Boolean” value with “true” or “false”.

"allowUnpinning":"Boolean"

Enrollment Certificate

The enrollment certificate provisioning DPC extra provides a way for Workspace ONE Intelligent Hub for Android to install a certificate before enrollment, which is ideal for closed network environments that use self-signed certificates.

When the DPC extra is included in the QR code, Hub automatically enrolls in Device Owner (Fully Managed) mode, installs the certificate, and enrolls the device.

Follow these steps to obtain the encoded certificate data:

  1. Upload the certificate to an Android Credentials profile
  2. Save the profile. Do not assign it to any devices
  3. Select the Profile and view the Profile XML. The ‘CertificateData’ in the profile XML is what is used in the JSON below.
  4. Add the following key to the Admin Extras Bundle in the QR Code provisioning JSON: "workManagedCertData":"encoded certificate data"

{
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
   "android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false,
   "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
      "serverurl":"",
      "gid":"",
      "un":"",
      "pw":"",
      "workManagedCertData":"encoded certificate data"
   }
}

Note: If the UEM console is configured for COPE mode, enrollment fails on Android 11 devices.

Opt out of Enabling Chrome and Camera on Devices running Android 9.0

By default, Intelligent Hub enables both the Chrome and Camera applications during enrollment of corporate-owned devices. Set this DPC Extra to “false” to opt out of enabling these applications by default on devices running Android 9.0.

Historically, organizations have only been able to suspend the Chrome application on Android 9 devices through the “Allow Chrome Browser” setting in Restrictions Profiles. However, doing so prevents the Android System Webview from receiving updates. Organizations can now completely disable Chrome on Android 9 devices by setting this DPC Extra to “false”. This allows Android System Webview to be updated.

Supported on Fully Managed and Corporate Owned Devices.

"autoEnableSystemApps":"false"

Set Default Value for Allow Disabling Application Verification (Android 9.0 only)

In the Android Restrictions Profile payload, activating “Allow Disabling Application Verification” allows end users to deactivate Play Protect scanning on the device. However, the default behavior for Intelligent Hub for this setting is deactivated. For an organization pushing a Restrictions Profile with “Allow Disabling Application Verification” deactivated, this means that:

  • When you add a version to the Restrictions Profile and push the new version to the device, Intelligent Hub momentarily deactivates this setting. Android then re-activates Play Protect Scanning. After the new version of the Profile is applied, the end user would have to manually deactivate Play Protect scanning once again.
  • When you uninstall the Restrictions Profile, Play Protect scanning is reactivated, and end users cannot deactivate it again until a new Restrictions Profile is installed that deactivates Play Protect scanning.

Organizations may wish to keep Play Protect scanning deactivated in the above scenarios. To do so, set the following DPC Extra to “true” while enrolling devices. This modifies the default value of “Allow Disabling Application Verification” in the Restrictions profile to activated. If devices are enrolled using the above flag, organizations can still prevent end users from deactivating Play Protect scanning by pushing a Restrictions Profile with “Allow Disabling Application Verification” set to false.

"disablePlayVerifyApps":"true"

Display user privacy dialog during enrollment of Work Managed Android devices

By default, Android Intelligent Hub does not display the user privacy dialog during enrollment of devices in Work Managed mode. Hub does show this dialog (“Your Privacy Matters…”) today by default during enrollment in Work Profile and Corporate Owned Personally Enabled modes. To better meet use cases where individual end users are assigned a fully managed device, administrators can now opt to display this dialog for Work Managed mode enrollment.

"promptPrivacy":"True"
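
As an added example (not VMware's code), the following pre-flight audit can be run on a provisioning JSON before it is encoded into a QR code or pasted into the Zero Touch or KME portal: it checks the value formats given on this page and reports settings that leave the enrolled device less restricted. The findings policy, the names `audit_extras` and `is_true`, and the sample payload are assumptions of this example.

```python
import json

# Flag names and value formats come from this page; the findings policy is
# an assumption of this example, not product behaviour.
BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
BOOL_FLAGS = {"disableSafeBoot", "disableUsbDebugging", "disableInstallUnknownSources",
              "useUEMAuthentication", "aospenrollment", "allowUnpinning",
              "autoEnableSystemApps", "disablePlayVerifyApps", "promptPrivacy"}
INT_FLAGS = {"discoveryRetryCount", "discoveryIntervalInSeconds", "retrycount"}
HARDENING = ("disableSafeBoot", "disableUsbDebugging", "disableInstallUnknownSources")

def is_true(bundle, key):
    return str(bundle.get(key, "")).lower() == "true"

def audit_extras(payload_text):
    """Return findings for the Admin Extras Bundle of a provisioning JSON."""
    bundle = json.loads(payload_text).get(BUNDLE_KEY, {})
    findings = []
    for key, value in bundle.items():
        text = str(value)
        if key in BOOL_FLAGS and text.lower() not in ("true", "false"):
            findings.append(f"{key}: expected true/false, got {text!r}")
        elif key in INT_FLAGS and not text.isdecimal():
            findings.append(f"{key}: expected an integer, got {text!r}")
        elif key in ("discoveryRetryCount", "retrycount") and int(text) >= 10:
            findings.append(f"{key}: the page suggests a value below 10")
    # A QR code is readable by anyone who can see or photograph it.
    for secret in ("pw", "unpinPassword"):
        if bundle.get(secret):
            findings.append(f"{secret}: secret embedded in clear text")
    if is_true(bundle, "allowUnpinning") and not bundle.get("unpinPassword"):
        findings.append("allowUnpinning: unpin allowed without a password")
    if is_true(bundle, "disablePlayVerifyApps"):
        findings.append("disablePlayVerifyApps: users can turn off Play Protect by default")
    for flag in HARDENING:
        if not is_true(bundle, flag):
            findings.append(f"{flag}: restriction not enabled during enrollment")
    return findings

# Constructed sample payload; server, group and credentials are placeholders.
SAMPLE = json.dumps({BUNDLE_KEY: {
    "serverurl": "uem.example.com", "gid": "EXAMPLE", "un": "staging", "pw": "example-pw",
    "allowUnpinning": "true", "unpinPassword": "1234",
    "disableUsbDebugging": "true", "disableSafeBoot": "Boolean",
    "retrycount": "3", "disablePlayVerifyApps": "true"}})

if __name__ == "__main__":
    for finding in audit_extras(SAMPLE):
        print(finding)
```

The sample deliberately leaves the “Boolean” placeholder in `disableSafeBoot`, so the audit reports it both as a format error and as a restriction that is not in effect.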