bashenk/AndroidDeviceEnrollmentQRCreation.md

Last active December 9, 2025 14:48

Star (15) You must be signed in to star a gist
Fork (2) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/bashenk/58c6dd883b177ee6e6ed1c533f3e8066.js"></script>
Save bashenk/58c6dd883b177ee6e6ed1c533f3e8066 to your computer and use it in GitHub Desktop.

Download ZIP

Creating a QR Code for Android Device Enrollment

Raw

AndroidDeviceEnrollmentQRCreation.md

Creating a QR Code for Android Device Enrollment

Android Enterprise Documentation: Create a QR code

Always required

android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Required if a DPC isn't already installed on the device

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
Either of the two checksums below
- android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
  - A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
  - Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.
  - If the APK is signed with the APK signature scheme v2 or JAR-signed v1 scheme (untested with v3 or higher), you can use apksigner with any of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):
    sh
    
    apksigner verify --print-certs "$apk" | sed '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
    PowerShell Core
    
    apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String([Convert]::FromHexString($_.Matches.Groups[1].Value)) -replace '\+','-' -replace '/','_'}
    Windows PowerShell
    
    apksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}
  - If the APK is signed with the JAR-signed v1 scheme, you can alternatively use keytool (from Java's JRE/JDK) with either of the following to get the SHA-256 signature checksum (assumes variable named apk contains the filepath to the APK):
    sh
    
    keytool -printcert -jarfile "$apk" | sed '/\s*SHA256/{s/.*SHA256:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
    PowerShell Core or Windows PowerShell
    
    keytool -printcert -jarfile "$apk" | Select-String '\s*SHA256:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split ':' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}
- android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
  - A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
  - Note: for devices running Build.VERSION_CODES.LOLLIPOP and Build.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting from Build.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. From Build.VERSION_CODES.Q, only SHA-256 hash is supported.

Recommended if the device isn't already connected to Wi-Fi

Optional

EMM Provisioning

Android Zero-Touch Enrollment EMM Provisioning Guide

👍 EMM Recommended

Use the following intent extras to set up your DPC

android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE
android.app.extra.PROVISIONING_LOCALE
android.app.extra.PROVISIONING_TIME_ZONE – Wiki list of tz database time zones
android.app.extra.PROVISIONING_LOCAL_TIME
android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
android.app.extra.PROVISIONING_MAIN_COLOR
- ARGB color integer (A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff)
- Uses a signed integer. Thus, it takes the two's complement.
  - E.g. 0xff000000: 0x7F000000 - 2^31 (2130706432 - 2147483647 = -16777216)
- White (0xffffffff): = -1
- Black (0xff000000): = -16777216
- LightGray (0xffcccccc): = -3355444
- Red (0xffff0000): = -65536
android.app.extra.PROVISIONING_DISCLAIMERS

👎 EMM Not recommended

Don't include the following extras that you might use in other enrollment methods

Additional references

android.app.extra.PROVISIONING_IMEI
android.app.extra.PROVISIONING_MODE
- 1 = Fully managed device
- 2 = Managed profile
android.app.extra.PROVISIONING_SKIP_USER_CONSENT
android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS

Author

bashenk commented Mar 12, 2024 •

edited

Loading

@rekire I updated the gist to include checksum calculation for the v2 signing scheme, which has a small chance of being one of the issues you could've encountered. To be clear, I was unable to get your sha256sum version to produce the proper checksum, but I also don't have a spare device to test with a factory reset these days, so I was just checking it against one of my known-working QR codes.

robin-thoni commented Oct 28, 2024

Great quick guide, thanks!

I had to patch your command to get the signature checksum, though:

apksigner verify --print-certs com.afwsamples.testdpc_9.0.12.apk | grep 'Signer #1' | sed "/s*SHA-256/{s/.*SHA-256 digest:\s*//p};d" | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'

(Added the grep part`)

Since apksigner is outputting multiple hashes:

Signer #1 certificate DN: CN=testdpc, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 8090f6630b4e8962479123249087cb4658feaae36a1b57dbeafd74d109b333dc
Signer #1 certificate SHA-1 digest: 9476412b9e9d0fbcfb68f82d9a17c5a4859f70c6
Signer #1 certificate MD5 digest: 3f9b85d5b13dfb38c01a771ef60fa4b8
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb

Author

bashenk commented Oct 28, 2024

@robin-thoni Thanks for the update, including the example output! That modification could be easily added to the sed command, rather than creating a whole separate pipe for it. E.g., '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d'. I'll go ahead and update the gist with the new command.

AhmadRaza159 commented Dec 8, 2024 •

edited

Loading

@bashenk where to run these commands (keytool -printcert -jarfile "apkfile.apk" | sed '/\s*SHA256/{s/.SHA256:\s//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'), keytool is not recognized in command line

Author

bashenk commented Dec 8, 2024 •

edited

Loading

@AhmadRaza159 keytool is installed with the Java JRE/JDK, though you may need to update your PATH variable to include the bin folder in the Java directory (It can be installed either through your IDE or via Oracle JDK, OpenJDK, or choose your own alternative). Though, there's no need to use keytool anymore, because the first command (using apksigner) can handle V1 and V2 signed APKs.
The remainder of the commands should be preinstalled in any Linux operating environment, so you could either use a computer running a Linux distro, use WSL, or you could probably get it to work using Git for Windows if you include %ProgramFiles%\Git\usr\bin in your PATH (though if you choose the latter, I'd recommend reading up about what built-in Windows commands it ends up overriding). And also, if you're running it in Windows, you'll need to replace the single quotes (') with double quotes (") to get it to work on the command line, or it might work as-is in PowerShell if you have everything else right.

@AhmadRaza159 I've now added native PowerShell and PowerShell Core alternatives to the gist, though you'll still need apksigner or keytool.

shaikh-kamran commented Jun 15, 2025

How we decide if we have to use PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM or PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM?

robin-thoni commented Jun 15, 2025

How we decide if we have to use PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM or PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM?

PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM identifies a particular package build

PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM identifies the publisher

The later allows to install an updated version of the package without requiring regenerating the QR code. The first one ensures you're installing a trusted and/or well tested version of the package.

shaikh-kamran commented Jun 16, 2025

Okay so i can use any one, both will work in any android version?

robin-thoni commented Jun 16, 2025

EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM was added in API 21 (Android 5.0), while EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM was added in API 23 (Android 6.0)

MichMich commented Jun 17, 2025

Thanks for this super complete piece information. Much appreciated. Can anyone confirm if this method should allow me to generate a QR to install an APK as “Device Owner” without the use of an MDM or Android Enterprise?

robin-thoni commented Jun 17, 2025

Yes, you'll be able to install a Device Owner app using this method. You can try it out using this Google sample app.

MichMich commented Jun 17, 2025

Thanks for the rapid response! I really appreciate it.

MichaelTeeuw commented Jun 17, 2025

The Sample app seems to work. Good starter point to figure out why I run into issues with my app. Again: thanks for your help!

MichaelTeeuw commented Jun 18, 2025

I apologies for using this Gist for asking this question, but does anybody happen to have a super barebones DPC kotlin application I can take a look at? I've been working on my own but unfortunately I'm unable to correctly use it using the QR method. After scanning the code, the app is being downloaded, android displays “Device belongs to your organization”, but then it fails. Debugging by fetching the logs is a PITA, but it looks like Android is trying to fall back on the (non existent) CloudDPC app in stead of using my app as the DPC.

Unable to start service Intent { cmp=com.android.managedprovisioning/com.google.android.apps.work.clouddpc.base.managedprovisioning.provisioning.ProvisioningService } U=0: not found

I've got the feeling my app is not correctly registering itself as a DPC app. Any help is highly appreciated!

MichaelTeeuw commented Jun 18, 2025

Finally found it! For anyone running into the same issue; you need the following additional activities (next to your DeviceAdminReceiver):

        <activity
            android:name=".GetProvisioningModeActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.GET_PROVISIONING_MODE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

        <activity
            android:name=".PolicyComplianceActivity"
            android:exported="true"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.ADMIN_POLICY_COMPLIANCE" />
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

class PolicyComplianceActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Do any required setup
        val intent = Intent(this, MainActivity::class.java)
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
        startActivity(intent)
        finish()
    }
}

class GetProvisioningModeActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val result = Intent().apply {
            putExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_MODE,
                DevicePolicyManager.PROVISIONING_MODE_FULLY_MANAGED_DEVICE
            )
        }

        setResult(Activity.RESULT_OK, result)
        finish()
    }
}

Nickztar commented Nov 19, 2025

Hi! This has been super helpful. But I am struggling to read the android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE, anyone have any examples or tips on how to get the values out of this? It seems that is supposed to be read from GetProvisioning or PolicyCompliance but am unable to. Any help would be really appricated

saifikram969 commented Dec 9, 2025 •

edited

Loading

@robin-thoni @bashenk
Device Policy Controller (DPC) QR Provisioning Issue
I am developing a custom Device Policy Controller and attempting to enroll it through QR code provisioning. Below is a detailed description of my implementation and the issue I am facing.
Current DPC Implementation
My DPC application includes the following components and functionality:

Device admin receiver extending DeviceAdminReceiver class (MyDeviceAdminReceiver)
Policy management through DevicePolicyManager API
User interface controls for:

Camera enable/disable functionality
Device lock capability

Remote command execution via Firebase for camera control, device lock, and location tracking
All features function correctly when the app is installed manually and device owner mode is activated through ADB
Successful ADB Provisioning
The following ADB command successfully establishes device owner mode:
adb shell dpm set-device-owner com.example.testemmjc/.MyDeviceAdminReceiver

After executing this command, all policy enforcement features (camera disable/enable, device lock, location tracking) work as intended, confirming that the DPC implementation itself is functional.
Problem Statement
QR code provisioning consistently fails on a factory-reset Samsung device. The error message displayed is:
"Couldn't set up device. Contact your IT admin."
QR Code Configuration
The JSON configuration being used for QR provisioning is:

{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.example.testemmjc/.MyDeviceAdminReceiver",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://maharanidevi.com/dpc.apk",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "8ldAbIR-Baxlqwv-yUShimRmGyZR8Mqj4vQbI1mFmKo"
}

Verification Steps Completed
I have confirmed the following:

APK is properly signed using release keystore
SHA-256 checksum is correctly calculated and encoded in base64url format
Package name in JSON matches the manifest declaration (com.example.testemmjc)
APK download URL is publicly accessible and serves the correct file
Device has been factory reset with no Google accounts configured
Manual installation combined with ADB device owner activation works without issues
The provisioning process fails during the initial QR scan phase, before the APK installation begins.
Request for Assistance
I am seeking guidance on potential issues related to:

Samsung-specific provisioning requirements or limitations
Differences between APK checksum and signature checksum verification
Server configuration or HTTP headers required for APK hosting
Additional manifest permissions or metadata required specifically for QR provisioning
Android version-specific restrictions (testing on Android 11 or later)
I have followed the official Android Enterprise provisioning documentation, but the QR provisioning method continues to fail while ADB provisioning succeeds with the same DPC application. Any insights into what might be preventing successful QR provisioning would be helpful.

bashenk/AndroidDeviceEnrollmentQRCreation.md

Creating a QR Code for Android Device Enrollment

Always required

Required if a DPC isn't already installed on the device

Recommended if the device isn't already connected to Wi-Fi

Optional

EMM Provisioning

👍 EMM Recommended

👎 EMM Not recommended

Additional references

bashenk commented Mar 12, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

robin-thoni commented Oct 28, 2024

Uh oh!

bashenk commented Oct 28, 2024

Uh oh!

AhmadRaza159 commented Dec 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bashenk commented Dec 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

shaikh-kamran commented Jun 15, 2025

Uh oh!

robin-thoni commented Jun 15, 2025

Uh oh!

shaikh-kamran commented Jun 16, 2025

Uh oh!

robin-thoni commented Jun 16, 2025

Uh oh!

MichMich commented Jun 17, 2025

Uh oh!

robin-thoni commented Jun 17, 2025

Uh oh!

MichMich commented Jun 17, 2025

Uh oh!

MichaelTeeuw commented Jun 17, 2025

Uh oh!

MichaelTeeuw commented Jun 18, 2025

Uh oh!

MichaelTeeuw commented Jun 18, 2025

Uh oh!

Nickztar commented Nov 19, 2025

Uh oh!

saifikram969 commented Dec 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bashenk commented Mar 12, 2024 •

edited

Loading

AhmadRaza159 commented Dec 8, 2024 •

edited

Loading

bashenk commented Dec 8, 2024 •

edited

Loading

saifikram969 commented Dec 9, 2025 •

edited

Loading