QR Code Enrollment For Closed Network Devices

Configure and Host a PAC file for Network Configuration

Devices that ship with Google services pre-installed (also known as GMS devices) test their connectivity to certain Google endpoints when connecting to Wi-Fi networks. If these connectivity checks fail, out-of-box enrollment and provisioning of Internal Applications uploaded to the [Apps & Books > Applications] pages fail.

If the network being used to enroll the device is also closed and has no access to Google endpoints, it is possible to skip the connectivity checks by using a Proxy Auto-Configuration (PAC) file that simply directs the device to make connections directly, without the use of proxies.

The contents of the PAC file:

function FindProxyForURL(url, host) {
return "DIRECT";
}

Note that an actual proxy server is not required. A PAC file with the contents above should be hosted on an http/https endpoint within the closed network.

Host the Workspace ONE Intelligent Hub App on the Closed Network

During work managed enrollment, the device downloads the Workspace ONE Intelligent Hub. Since the device does have access to Google Play, the application file must be hosted on an http/https endpoint within the closed network for download. The latest version of the Workspace ONE Intelligent Hub can be downloaded from the My Workspace ONE portal.

Creating a QR code for Closed Network Enrollment

See Generate a QR Code with the Enrollment Configuration Wizard, Android for steps to create the QR code.

To create a QR code for closed-network enrollment, you must:

  1. Set the Workspace ONE Intelligent Hub option to Hosted on an external URL.
  2. Enter the http/https endpoint within the closed network from which the Workspace ONE Intelligent Hub can be downloaded in the URL text box.
  3. Set Configure optional Wi-Fi for the device to connect to prior to enrollment to None.

For closed-network deployments, you must manually add the network during out-of-box setup.

Enrolling the device using a QR code

  1. Power on the device. The setup wizard prompts the user to tap the Welcome screen six times. The taps have to be done in the same place on the screen.

    For Android 8.0+ devices, proceed to step 2 in order to download the QR Code reader. For Android 9.0+ devices, the camera will open automatically after you complete the six taps, so you can skip to step 3.

  2. Connect to Wi-Fi and download a QR code reader by following these steps:

    • Select ‘Add Network’ to manually configure a network.
    • Enter the SSID and password of the closed network.
    • Under Advanced options, set Proxy as Proxy Auto-Config and enter the http/https URL of the PAC file location.
    • Proceed with connecting to the Wi-Fi.
    • The device should connect to the Wi-Fi network and skip any connectivity checks to Google.
    • The setup wizard automatically downloads a QR code reader. The QR code reader app automatically starts once complete.
  3. Scan your QR code. If you already connected to Wi-Fi as part of step 2 since you’re using an Android 8.x device, skip to step 5.
  4. Ensure that Wi-Fi details are not included in the QR code. This is covered in the above section titled ‘Creating a QR code for closed-network enrollment’. You will be prompted to connect to a network.
    • Select ‘Add Network’ to manually configure a network.
    • Enter the SSID and password of the closed network.
    • Under Advanced options, set Proxy as Proxy Auto-Config and enter the http/https URL of the PAC file location.
    • Proceed with connecting to the Wi-Fi.
    • The device should connect to the Wi-Fi network and skip any connectivity checks to Google.
  5. The setup wizard then automatically downloads the Workspace ONE Intelligent Hub and will begin enrolling the device into Workspace ONE UEM.

Additional Requirements for Android 13+

To enroll Android 13 devices in closed networks, add an additional flag to the QR code:

  1. Decode the QR code generated through the Workspace ONE UEM Console. The contents will be in JSON format.
  2. Add “android.app.extra.PROVISIONING_ALLOW_OFFLINE”: true, to the JSON payload.
  3. Encode the JSON code back into a QR code.

Example JSON payload for QR Code with flag added:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=\n",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=hub",
  "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
  "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
  "android.app.extra.PROVISIONING_ALLOW_OFFLINE": true,
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
    "serverurl": "ds135.awmdm.com",
    "aospEnrollment": "True"
  }
check-circle-line exclamation-circle-line close-line
Scroll to top icon