Android Enterprise Customer Community

sravanthi · ‎12-19-2023

Hi Team,

I am trying to make my application as device owner app, I am trying to use QR code for provisioning. I am unable to acheive the result. When I scan the QR code which I have generated (Generated QR code without enrollment token) in a factory reset device I am getting an error stating " Couldn't set up your device, for help contact your IT admin. Could you please help me where I am going wrong.
when I tried getting Enrollment Token using AMAPI I am getting the following error

com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request
POST https://androidmanagement.googleapis.com/v1/enterprises/%7B573991258109%7D/enrollmentTokens
{
"code" : 400,
"errors" : [ {
"domain" : "global",
"message" : "Invalid enterprise id. Provide a valid id.",
"reason" : "badRequest"
} ],
"message" : "Invalid enterprise id. Provide a valid id.",
"status" : "INVALID_ARGUMENT"
}

Moombas · ‎12-20-2023

Not as far as i know of as the enrollment token/id/url or whatever the MDM expects is pointing to the relvant enrollment rule to be used (because in each MDM you can have several).

Otherwise the MDM doesn't know how to proceed forward with the device (which settings to deploy, is it COPE, fully managed or just BYOD, and so on).

View solution in original post

Moombas · ‎12-19-2023

Please provide an example QR code you used, it should look like this (example using Soti Mobicontrol as MDM, providing a Wifi):

{"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://soti.net/apk/ae2",

"android.app.extra.PROVISIONING_WIFI_SSID":"AnySSID",

"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA",

"android.app.extra.PROVISIONING_WIFI_PASSWORD":"password",

"android.app.extra.PROVISIONING_USE_MOBILE_DATA":true,

"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{

"enrollmentId":"IDorURL_used_for_enrollment",

"PROVISIONING_MODE":"MANAGED_PROFILE"

}

sravanthi · ‎12-20-2023

Hello,

This is the sample Json format which Iam using to generate QR code

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver", "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "8:F9:D0:08:D9:82:B7:29:E2:7E:47:BB:BD:C2:EB:8D:BE:04:0F:C0:05", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "
https://android.eu-1.amazonaws.com/Android-V71-1623538246-024-aHR0cHM6C5hcHAvRGFzaGJvYXJkLw%3D%3D.ap...",

}

Moombas · ‎12-20-2023

You need this always:

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{

"enrollmentId":"IDorURL_used_for_enrollment",

"PROVISIONING_MODE":"MANAGED_PROFILE"

}

sravanthi · ‎12-20-2023

Is there any way to move to device owner without enrollment token?

Moombas · ‎12-20-2023

Not as far as i know of as the enrollment token/id/url or whatever the MDM expects is pointing to the relvant enrollment rule to be used (because in each MDM you can have several).

Otherwise the MDM doesn't know how to proceed forward with the device (which settings to deploy, is it COPE, fully managed or just BYOD, and so on).

sravanthi · ‎12-21-2023

HI,

To create an Enrollment token using Android Management Api, I am following this method

EnrollmentToken enrollment_token = androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();

In the above snippet the enterpriseID which I am using is the organization ID which I get in google console, and using it in this format

String enterpriseID =enterprises/{DUOsdy871}

.

but with this I am getting the following error

{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.android.devicemanagement.v1.DeviceManagementService.ListEnterprises",
"service": "androidmanagement.googleapis.com"
}
}
]
}
}
what OAuth access Token it is expecting.
In Google cloud console I have created an OAuth credentials and downloaded one Json file. How to use it. what login it is expecting. Where am I going wrong? Please guide me.

sravanthi · ‎12-21-2023

could you please suggest me one online QR generator tool?

Moombas · ‎12-21-2023

If you mean one in general i prefer this: https://barcode.tec-it.com/en

If you mean an enrollment QR-Code generator I use only my own written one.

Moombas · ‎12-21-2023

And just for your information, the extras are MDM related and can be different. @jasonbayton has some nice listing here: https://bayton.org/android/android-enterprise-zero-touch-dpc-extras-collection/#intune

sravanthi · ‎12-21-2023

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "3OEI4RjlEMDA4QjcyOUUyN0U0N0JCQkRDMkVCOERCRTA0MEZDMDA1RjMyNDI1MNg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://Android-android-central-1.com/Android-V7.apk",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{ds4VLNcI5FGVW0PcUVkKoqEbrOyGw_VqEUh1uhgM}"
}
}

Am I using in a correct format? please correct me if I am doing anything wrong here. What all I need to handle in my android application?
Signature checksum: I have encoded my SHA256 value (example: 85:78:B8:F9:D0:08:04:B9:A8:1A:D9) to URL safe using base64encode.
and the enrollment tokent : I generated using AMAPI

EnrollmentToken enrollment_token =  androidManagement.enterprises().enrollmentTokens().create(enterpriseID, token).execute();

Moombas · ‎12-21-2023

I think you have to remove the { and } inside the enrollment token

sravanthi · ‎12-21-2023

Even after removing that I am getting below error, when scanning QR code after Factory reset. Am I using the Checksum in the correct format?

is the SHA256 signature which I need to encode? and I am directly pasting the SHA256 value with " : " in base64encoder and encoding it.

Moombas · ‎12-21-2023

I don't know how/where checksum comes from but there are default ones for each MDM i think, so always the same if you use Intune for example (for any user/customer who uses Intune)

jeremy · ‎12-20-2023

Your enterprise ID is incorrect, you should first use the enterprise endpoint to enroll your enterprise and create your enterprise on Google servers.

Then you use the ID of the enterprise returned by Google to use the other API endpoint to create your enrollment token and manage your devices.

sravanthi · ‎12-20-2023

Could you please share me any code snippet or relevant document for the same. It will really help me.

Thanks in Advance

jeremy · ‎12-20-2023

You can use this https://github.com/codybrookshear/android-deviceowner-kotlin to create your own device owner without using the Google Management API

sravanthi · ‎12-20-2023

I tried this, but it is not working.

jeremy · ‎12-22-2023

The enrollement token provided but the Google API are only valid when used with the Google Android Management API. If you plan to create your own device owner you don't need these token, just create your own app by following this guide https://developer.android.com/reference/android/app/admin/DevicePolicyManager and this blog article which details the process:

https://medium.com/@codybrookshear/creating-an-android-device-owner-app-in-2023-b7e7b9fb3aca

Android Enterprise Customer Community

Android Enterprise Customer Community

Device Owner Provisioning