Android Enterprise zero-touch DPC extras collection

DPC extras can be used to associate Android Enterprise fully managed devices with a particular EMM/UEM platform during provisioning. 

The following examples offer a complete DPC extra snippet that can be copied and pasted into the zero-touch configuration. The items in bold will need to be edited to suit your environment, though; otherwise the zero-touch enrolment process will fail.

Editing ADMIN_EXTRAS_BUNDLE

To be of value, the ADMIN_EXTRAS_BUNDLE should ideally include at least the server URL or identifier (where appropriate). Lines for username, password, and more can optionally be omitted to allow the config to remain generic.

JSON doesn’t leave room for error: the last line within ADMIN_EXTRAS_BUNDLE must not have a trailing comma (“,”). Notice that “user” in the MobileIron config has a comma, but “quickStart” does not. If you remove “quickStart”, you’d need to remove the comma from “user”, as it then becomes the last line; otherwise it could throw up an error.

Trust but verify

Most of these DPC extra collections have been submitted either by EMM vendors or by customers of the EMM referenced. The vendor may make changes to the extras they provide without my knowledge, so should the extras below fail to work properly, it is recommended that you validate with your EMM before contacting me (but do feel free to reach out with updates!).

Usernames & passwords

Unless the username and password are stipulated for the purpose of staging, they should not be included at all due to the potential security risks associated. If an IMEI not belonging to an organisation is mistakenly added (typo, miscommunication, human error), the device will be able to enrol automatically and potentially gain access to corporate resources.
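As an added example (not part of the original page or any vendor's tooling), the following Python check lints a DPC extras snippet before it is pasted into the zero-touch configuration: it catches the trailing-comma and smart-quote mistakes, unedited placeholders, and usernames or passwords left in ADMIN_EXTRAS_BUNDLE. The function name, the key list (taken from the snippets on this page) and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
# Assumption: username/password key names as used by the snippets on this page.
CREDENTIAL_KEYS = {"un", "pw", "user", "userid", "username", "password",
                   "xm_username", "xm_password",
                   "enrollment_username", "enrollment_password"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_dpc_extras(text):
    """Return a list of findings for a zero-touch DPC extras snippet."""
    findings = []
    if any(ch in text for ch in SMART_QUOTES):
        findings.append("smart quotes found: use straight quotes")
    if re.search(r",\s*[}\]]", text):  # heuristic, ignores string context
        findings.append("trailing comma before closing brace")
    if re.search(r"\btrue/false\b|\b0/1\b", text):
        findings.append("unedited placeholder (true/false or 0/1)")
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as err:
        findings.append(f"invalid JSON at line {err.lineno}: {err.msg}")
        return findings
    bundle = extras.get(BUNDLE) if isinstance(extras, dict) else None
    if not isinstance(bundle, dict):
        findings.append("ADMIN_EXTRAS_BUNDLE object is missing")
        return findings
    for key, value in bundle.items():
        if key.lower() in CREDENTIAL_KEYS and value:
            findings.append(f"credential embedded in bundle: {key}")
    return findings


# Constructed sample inputs (placeholder values only).
GENERIC = '{"%s": {"serverurl": "your.server.com", "gid": "yourGroupID"}}' % BUNDLE
STAGING = '{"%s": {"serverurl": "your.server.com", "un": "staginguser", "pw": "example"}}' % BUNDLE
BROKEN = '{"%s": {"server": "your.server.com", "user": "user",}}' % BUNDLE

if __name__ == "__main__":
    for name, sample in (("GENERIC", GENERIC), ("STAGING", STAGING), ("BROKEN", BROKEN)):
        print(name, lint_dpc_extras(sample))
```

A credential finding is a prompt to confirm the account is a staging account, not an error in the JSON itself.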

Google announces zero-touch EMM integration

For those who consider copying and pasting JSON code a bit of a pain, you’re in luck; Google announced the zero-touch iFrame, which lets EMMs integrate with a customer zero-touch account and, amongst other features, manage DPC extras automatically.

Reach out to your vendor to ask when this functionality will be available.

MobileIron

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"server":"your.server.com",
"user":"user",
"quickStart":true/false
}
}

AirWatch / Workspace One UEM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"serverurl":"your.server.com",
"gid":"yourGroupID",
"un":"staginguser",
"pw":"example"
}
}

SOTI

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollmentId":"EnrollmentID"
}
}

MaaS360

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollment_corp_id":"CorporateID",
"enrollment_account_type":"userAccount",
"enrollment_domain":"domain",
"enrollment_username":"staginguser",
"enrollment_email":"emailaddress@email.com",
"enrollment_password":"example",
"enrollment_ownership":"Corporate Owned"
}
}

Codeproof EMM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"displayname":"devicename",
"userid":"staginguser",
"password":"example"
}
}

Intune

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken" 
}
}

Miradore

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"RegistrationKey": "REGISTRATIONKEY",
"EnrollmentKey": "ENROLLMENTKEY",
"SiteIdentifier": "SITEIDENTIFIER"
}
}

BlackBerry UEM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"URL":"SERVERURL",
"CACFPrint":"CHECKWITHBB", 
"stc":"CHECKWITHBB", 
"Username":"USERNAME"
}
}

FAMOC

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"fqdn":"your.server.com",
"bootstrap_key":"yourIndividualKey"
}
}

mySync

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"serviceUrl": "https://server.host.name.here/rest/api",
"installationCode": "ten-character-code"
}
}

XenMobile

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"serverURL":"URL",
"xm_username":"username",
"xm_password":"password"
}
}

VXL Fusion UEM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"fusionuem_server_url":"server url",
"fusionuem_token_id":"token id"
}
}

Samsung Knox Manage

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"ServerUrl": "Your Server Url",
"TenantId": "Your Knox Manage Tenant ID",
"TenantType": "M",
"Method": "ZeroTouch"
}
}

Chimpa MDM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false, 
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"chimpa_activationCode":"YOURTENANTCODE",
"provisionType":0/1,
"additionalProvisioningText":"your additional text to show",
"whiteLabelLogo":"https://yoururl/resource.png"
}
}

provisionType values:
0 Fully Managed
1 Enhanced Work Profile (Android 11+)

42Gears SureMDM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"AccountId":"1000001",
"ServerPath":"suremdm.42gears.com"
}
}

Meraki Systems Manager

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{ 
"enrollment_url":"https://m.meraki.com/enroll/?android_from_store=true&enrollment_code=Your_Meraki_Enrollment_Identifier"
}
}

TinyMDM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"enrollmentId": "XXXXXXXXXXXXXXXX"
}
}

Other interesting zero-touch config options

The following additional options go before the ADMIN_EXTRAS_BUNDLE line and may require EMM support to function:

"android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS":true/false, 
"android.app.extra.PROVISIONING_LOCALE":"en_GB", 
"android.app.extra.PROVISIONING_USE_MOBILE_DATA":true/false,

Here’s a few more.

Submit zero-touch DPC extras

If you’d like to see your DPC extras added to this list, please fill out this form or comment below.

Comments

  1. Hello!

    I’ve seen absolutely nothing of it since announcement I’m afraid.

  2. Recently with Android 10, Google started enforcing the use of WIFI during setup to mitigate Mobile data usage whilst downloading required apps. For some of us, open WIFI is not available, which makes mandatory WIFI not feasible. In order to bypass the mandatory WIFI, you can use the following DPC extra (the example below is for Intune; this should work with others as well):

    {
    "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true,
    "android.app.extra.PROVISIONING_USE_MOBILE_DATA":true,
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
    "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<<your_token>>"
    }
    }

    NOTE: The comma after the command is not part of the command, but rather a formatting requirement of JSON.

  3. Chad that’s a fantastic comment and something I wasn’t aware of. Thank you!

  4. Hi,
    I was curious if anyone is aware of a zero touch provisioning option that allows the user to receive SMS or phone calls during enrollment so they can complete MFA authentication to our IDP? iOS lets users receive phone calls in the foreground during DEP enrollment but sms and phone calls appear to be backgrounded on Android.
    Thanks

  5. I’m afraid not.

    ZT really stops once the DPC is pulled down and enrolment starts though, so I should think you’d be looking to discuss this with your EMM vendor.

  6. Hi @jason,

    I am not sure if I am on the right topic but I will ask a question anyway. I am new to Android and started reading Android Management API. My question is, is it possible to not use Google Play and host our own apps that we will use on our specific devices?
