Android Enterprise zero-touch DPC extras collection

DPC extras can be used to associate Android Enterprise fully managed devices with a particular EMM/UEM platform during provisioning. 

The following examples offer a complete DPC extra snippet that can be copied and pasted into the zero-touch configuration. The items in bold will need to be edited to suit your environment, though, otherwise the zero-touch enrolment process will fail.

Editing ADMIN EXTRAS BUNDLE

To be of value, the ADMIN_EXTRAS_BUNDLE should ideally at least include the server URL or identifier (where appropriate), however lines for username, password, and more can optionally be omitted to allow the config to remain generic.

JSON doesn’t leave room for error – the last line within ADMIN_EXTRAS_BUNDLE must not have a trailing comma “,”. See “user” in the MobileIron config has a comma, but “quickstart” does not? If you remove “quickstart”, you’d need to remove the comma from “user” as it then becomes the last line, otherwise it could throw up an error.

Trust but verify

Most of these DPC extra collections have been submitted either by EMM vendors or customers of the EMM referenced. The vendor may make changes to the extras they provide without my knowledge so it is recommended should the below extras fail to properly work, that you validate with your EMM before contacting me (but do feel free to reach out with updates!)

Usernames & passwords

Unless the username and password are stipulated for the purpose of staging, they should not be included at all due to the potential security risks associated. If an IMEI not belonging to an organisation is mistakenly added (typo, miscommunication, human error), the device will be able to enrol automatically and potentially gain access to corporate resources.

Google announces zero-touch EMM integration

For those who consider copying and pasting JSON code a bit of a pain, you’re in luck; Google announced the zero-touch iFrame, allowing EMMs to integrate with a customer zero-touch account, allowing – amongst other features – the ability to manage DPC extras automatically.

Reach out to your vendor to ask when this functionality will be available.

MobileIron

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"server":"your.server.com",
"user":"user",
"quickStart":true/false
}
}

AirWatch / Workspace One UEM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"serverurl":"your.server.com",
"gid":"yourGroupID",
"un":"staginguser",
"pw":"example"
}
}

SOTI

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollmentId":"EnrollmentID"
}
}

MaaS360

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"enrollment_corp_id”:”CorporateID”,
”enrollment_account_type":"userAccount",
"enrollment_domain":"domain",
"enrollment_username”:”staginguser”,
"enrollment_email":"emailaddress@email.com",
"enrollment_password”:”example”,
"enrollment_ownership":"Corporate Owned"
}
}

Codeproof EMM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"displayname":"devicename",
"userid":"staginguser".
"password":"example"
}
}

Intune

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YourEnrollmentToken" 
}
}

Miradore

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"RegistrationKey": "REGISTRATIONKEY",
"EnrollmentKey": "ENROLLMENTKEY",
"SiteIdentifier": "SITEIDENTIFIER"
}
}

BlackBerry UEM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"URL":"SERVERURL",
"CACFPrint":"CHECKWITHBB", 
"stc":"CHECKWITHBB", 
"Username":"USERNAME"
}
}

FAMOC

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"fqdn":"your.server.com",
"bootstrap_key":"yourIndividualKey"
}
}

mySync

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"serviceUrl": "https://server.host.name.here/rest/api",
"installationCode": "ten-character-code"
}
}

XenMobile

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"serverURL":"URL",
"xm_username":"username",
"xm_password":"password"
}
}

VXL Fusion UEM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"fusionuem_server_url":"server url",
"fusionuem_token_id":"token id"
}
}

Samsung Knox Manage

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"ServerUrl": "Your Server Url",
"TenantId": "Your Knox Manage Tenant ID",
"TenantType": "M",
"Method": "ZeroTouch"
}
}

Chimpa MDM

{ 
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false, 
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{ "chimpa_activationCode":"YOURTENANTCODE",
"provisionType":0/1, 
"additionalProvisioningText":"your additional text to show",
"whiteLabelLogo":"https://yoururl/resource.png",
} 
}

provisionType values:
0 Fully Managed
1 Enhanced Work Profile (Android 11+)

42Gears SureMDM

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”:{
"AccountId":"1000001",
"ServerPath":"suremdm.42gears.com"
}
}

Meraki Systems Manager

{
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true/false,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{ 
"enrollment_url":"https://m.meraki.com/enroll/?android_from_store=true&enrollment_code=Your_Meraki_Enrollment_Identifier"
}
}

Other interesting zero-touch config options

The following additional options go before the ADMIN_EXTRAS_BUNDLE line and may require EMM support to function:

"android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS":true/false, 
"android.app.extra.PROVISIONING_LOCALE":"en_GB", 
"android.app.extra.PROVISIONING_USE_MOBILE_DATA":true/false,

Here’s a few more.

Submit zero-touch DPC extras

If you’d like to see your DPC extras added to this list, please fill out this form or comment below.

Comments

  1. Hello!

    I’ve seen absolutely nothing of it since announcement I’m afraid.

  2. Recently with Android 10, Google started enforcing the use of WIFI during setup to mitigate Mobile data usage whilst downloading required apps. For some of us, open WIFI is not available which make mandatory WIFI not feasible. In order to bypass the mandatory WIFI, you can use the following DPC extra (below example is for Intune, this should work with others as well)

    {
    “android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true,
    "android.app.extra.PROVISIONING_USE_MOBILE_DATA":true,
    “android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”:{
    “com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN”: “<<your_token>>”
    }
    }

    NOTE: The comma after the command is not part of the command, but rather a formatting requirement of JSON.

  3. Chad that’s a fantastic comment and something I wasn’t aware of. Thank you!

Something to say?

Comment