Android Enterprise Documentation: Create a QR code
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION- Either of the two checksums below
android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM- A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION - Note: for devices running
Build.VERSION_CODES.LOLLIPOPandBuild.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting fromBuild.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. FromBuild.VERSION_CODES.Q, only SHA-256 hash is supported. - If the APK is signed with the APK signature scheme v2 or JAR-signed v1 scheme (untested with v3 or higher), you can use apksigner with any of the following to get the SHA-256 signature checksum (assumes variable named
apkcontains the filepath to the APK):shapksigner verify --print-certs "$apk" | sed '/Signer #1 certificate SHA-256/{s/.*SHA-256 digest:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
PowerShellCoreapksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String([Convert]::FromHexString($_.Matches.Groups[1].Value)) -replace '\+','-' -replace '/','_'}
Windows
PowerShellapksigner verify --print-certs "$apk" | Select-String 'Signer #1 certificate SHA-256 digest:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}
- If the APK is signed with the JAR-signed v1 scheme, you can alternatively use
keytool(from Java's JRE/JDK) with either of the following to get the SHA-256 signature checksum (assumes variable namedapkcontains the filepath to the APK):shkeytool -printcert -jarfile "$apk" | sed '/\s*SHA256/{s/.*SHA256:\s*//;q};d' | xxd -r -p | openssl base64 | tr -- '+/' '-_' | tr -d '\n'
PowerShellCore or WindowsPowerShellkeytool -printcert -jarfile "$apk" | Select-String '\s*SHA256:\s*(.*)' | % {[Convert]::ToBase64String(($_.Matches.Groups[1].Value -split ':' | % {[Convert]::ToInt32($_,16)})) -replace '\+','-' -replace '/','_'}
- A String extra holding the URL-safe base64 encoded checksum of any signature of the android package archive at the download location specified in
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM- A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION - Note: for devices running
Build.VERSION_CODES.LOLLIPOPandBuild.VERSION_CODES.LOLLIPOP_MR1, only SHA-1 hash is supported. Starting fromBuild.VERSION_CODES.M, this parameter accepts SHA-256 in addition to SHA-1. FromBuild.VERSION_CODES.Q, only SHA-256 hash is supported.
- A String extra holding the URL-safe base64 encoded checksum of the file at download location specified in
android.app.extra.PROVISIONING_LOCALEandroid.app.extra.PROVISIONING_TIME_ZONEβ Wiki list of tz database time zonesandroid.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLEandroid.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADERandroid.app.extra.PROVISIONING_LOCAL_TIMEandroid.app.extra.PROVISIONING_WIFI_HIDDENandroid.app.extra.PROVISIONING_WIFI_SECURITY_TYPEandroid.app.extra.PROVISIONING_WIFI_PROXY_HOSTandroid.app.extra.PROVISIONING_WIFI_PROXY_PORTandroid.app.extra.PROVISIONING_WIFI_PROXY_BYPASSandroid.app.extra.PROVISIONING_WIFI_PAC_URLandroid.app.extra.PROVISIONING_SKIP_ENCRYPTION
Android Zero-Touch Enrollment EMM Provisioning Guide
Use the following intent extras to set up your DPC
android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLEandroid.app.extra.PROVISIONING_LOCALEandroid.app.extra.PROVISIONING_TIME_ZONEβ Wiki list of tz database time zonesandroid.app.extra.PROVISIONING_LOCAL_TIMEandroid.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLEDandroid.app.extra.PROVISIONING_MAIN_COLOR- ARGB color integer
(A & 0xff) << 24 | (R & 0xff) << 16 | (G & 0xff) << 8 | (B & 0xff) - Uses a signed integer. Thus, it takes the two's
complement.
- E.g. 0xff000000: 0x7F000000 - 2^31 (
2130706432 - 2147483647 = -16777216)
- E.g. 0xff000000: 0x7F000000 - 2^31 (
- White (0xffffffff): =
-1 - Black (0xff000000): =
-16777216 - LightGray (0xffcccccc): =
-3355444 - Red (0xffff0000): =
-65536
- ARGB color integer
android.app.extra.PROVISIONING_DISCLAIMERS
Don't include the following extras that you might use in other enrollment methods
android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAMEandroid.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUMandroid.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADERandroid.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATIONandroid.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
android.app.extra.PROVISIONING_IMEIandroid.app.extra.PROVISIONING_MODE- 1 = Fully managed device
- 2 = Managed profile
android.app.extra.PROVISIONING_SKIP_USER_CONSENTandroid.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS
@robin-thoni @bashenk
Device Policy Controller (DPC) QR Provisioning Issue
I am developing a custom Device Policy Controller and attempting to enroll it through QR code provisioning. Below is a detailed description of my implementation and the issue I am facing.
Current DPC Implementation
My DPC application includes the following components and functionality:
Device admin receiver extending DeviceAdminReceiver class (MyDeviceAdminReceiver)
Policy management through DevicePolicyManager API
User interface controls for:
Camera enable/disable functionality
Device lock capability
Remote command execution via Firebase for camera control, device lock, and location tracking
All features function correctly when the app is installed manually and device owner mode is activated through ADB
Successful ADB Provisioning
The following ADB command successfully establishes device owner mode:
adb shell dpm set-device-owner com.example.testemmjc/.MyDeviceAdminReceiverAfter executing this command, all policy enforcement features (camera disable/enable, device lock, location tracking) work as intended, confirming that the DPC implementation itself is functional.
Problem Statement
QR code provisioning consistently fails on a factory-reset Samsung device. The error message displayed is:
"Couldn't set up device. Contact your IT admin."
QR Code Configuration
The JSON configuration being used for QR provisioning is:
Verification Steps Completed
I have confirmed the following:
APK is properly signed using release keystore
SHA-256 checksum is correctly calculated and encoded in base64url format
Package name in JSON matches the manifest declaration (com.example.testemmjc)
APK download URL is publicly accessible and serves the correct file
Device has been factory reset with no Google accounts configured
Manual installation combined with ADB device owner activation works without issues
The provisioning process fails during the initial QR scan phase, before the APK installation begins.
Request for Assistance
I am seeking guidance on potential issues related to:
Samsung-specific provisioning requirements or limitations
Differences between APK checksum and signature checksum verification
Server configuration or HTTP headers required for APK hosting
Additional manifest permissions or metadata required specifically for QR provisioning
Android version-specific restrictions (testing on Android 11 or later)
I have followed the official Android Enterprise provisioning documentation, but the QR provisioning method continues to fail while ADB provisioning succeeds with the same DPC application. Any insights into what might be preventing successful QR provisioning would be helpful.