Project recap and guide prepared by Philip Harrison, CTO
A recent project involved securing and managing Zebra Android-based ruggedised scanning guns (Zebra MC93s). The ideal solution was an Android Enterprise (AE) kiosk, but first we needed to get the device into Android Enterprise Device Owner (AEDO) mode, a prerequisite for an AE kiosk.
Android Enterprise Zero-touch (ZT) will do this for you as part of the setup process, but in this case ZT was not an option. As the devices in question do not have cameras, NFC-bump and QR-code AE enrolment does not appear to be supported – an unusual oversight from Zebra/Google here, given these devices’ raison d’être is to scan codes and read NFC tags.
Token enrolment (afw#your_mdm_here) was an option, but we were trying to avoid as much typing as possible during the setup process.
Zebra’s StageNow tool – Enroll in an MDM
This is where Zebra’s StageNow tool is fantastic. StageNow is a free Windows-based tool that allows you to build configuration workflows for Zebra devices, which it encodes into barcodes (and in some cases additional package files) that you can subsequently scan with the devices to apply the configurations in seconds.
The “Enroll in an MDM” StageNow wizard will create a barcode that can be scanned on the very first screen of the Android setup wizard, causing the device to join a Wi-fi network, skip the wizard, download the MDM agent, install and launch it.
There’s only one problem: the “Enroll in an MDM” wizard in StageNow will only enrol AE devices into Device Owner mode for the SOTI MDM solution. For all other MDM solutions, the devices will only be in Work Profile mode.
After a bit of digging, it turned out that the only difference between the StageNow configuration package that does MDM enrolment for SOTI and the one for other MDMs is a single Intent call to the MDM agent app – “Enroll a Device Owner”.
This Intent in StageNow requires a Package Name (your MDM agent) and Class Name (your MDM agent’s Device Owner enrolment class); the next trick is figuring out what these are for your MDM solution.
In the case of this project, the MDM was MobileIron Core. MobileIron provide an app called Provisioner, which generates QR-codes/NFC-bumps that are used during the enrolment of Android Enterprise devices with a camera/NFC-reader.
Decoding one of these QR codes (plenty of free apps to achieve this) gives you content something like this –
The value of interest here is “PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME”: “com.mobileiron/.receiver.MIDeviceAdmin”, which tells Android to provision the com.mobileiron package as Device Owner via the class com.mobileiron.receiver.MIDeviceAdmin.
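As an added example (not part of the original guide, and not MobileIron's or Zebra's code), this Python script takes the decoded QR text and derives the Package Name and fully qualified Class Name that the StageNow Intent asks for, expanding the leading-dot shorthand the way Android's ComponentName does. It assumes the decoded text is JSON whose keys may carry Android's `android.app.extra.` prefix; the sample payload is constructed, and only its component name comes from this page. It also flags a payload that fetches the agent APK over plain HTTP or without a checksum.

```python
import json

PREFIX = "android.app.extra."
COMPONENT_KEY = "PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD_KEY = "PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUM_KEYS = (
    "PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM",
)

# Constructed sample payload: only the component name comes from the page;
# the download URL and checksum are placeholders.
SAMPLE_QR = json.dumps({
    PREFIX + COMPONENT_KEY: "com.mobileiron/.receiver.MIDeviceAdmin",
    PREFIX + DOWNLOAD_KEY: "https://mdm.example.com/agent.apk",
    PREFIX + CHECKSUM_KEYS[0]: "PLACEHOLDER_BASE64URL_SHA256",
})

def extra(payload, short_key):
    """Look a key up with or without the android.app.extra. prefix."""
    return payload.get(PREFIX + short_key, payload.get(short_key))

def split_component(flat):
    """Split 'package/class' the way Android's ComponentName does:
    a class that starts with '.' is relative to the package name."""
    package, sep, cls = flat.strip().partition("/")
    if not sep or not package or not cls:
        raise ValueError(f"not a package/class component name: {flat!r}")
    if cls.startswith("."):
        cls = package + cls
    return package, cls

def stagenow_intent_fields(qr_text):
    """Return the Package Name and Class Name for the StageNow Intent,
    plus warnings about how the payload fetches the agent APK."""
    payload = json.loads(qr_text)
    component = extra(payload, COMPONENT_KEY) or ""
    package, cls = split_component(component)
    warnings = []
    url = extra(payload, DOWNLOAD_KEY)
    if url and not url.lower().startswith("https://"):
        warnings.append("agent APK is downloaded over a non-HTTPS URL")
    if url and not any(extra(payload, k) for k in CHECKSUM_KEYS):
        warnings.append("download has no signature or package checksum")
    return {"package": package, "class": cls, "warnings": warnings}

if __name__ == "__main__":
    print(stagenow_intent_fields(SAMPLE_QR))
```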
We can use this information in our StageNow Intent to make the MobileIron agent Device Owner –
Note the “Enroll a Device Owner” Intent should be called after the MDM agent is installed, but before it is launched. As you cannot add steps to a StageNow wizard-based Profile (like “Enroll in an MDM”), you’ll need to use an Xpert Mode custom profile and add the various steps yourself.
It might look something like this –
Create a new Xpert Mode Profile and give it a name. You’ll then be asked to add any StageNowConfig and/or Deploy steps to the Profile. You’ll want one Wi-fi config step to add a Wi-fi network to the device and then another to join that Wi-fi network –
Then in the Deploy stage, you’ll want a FileMgr step to download the MDM agent APK, an AppMgr step to install the downloaded APK, an Intent to make the agent Device Owner and an Intent to launch the agent –
Next, you can work through these six steps and configure them appropriately.
Use the first Wi-fi step to add a Wi-fi network –
The next Wi-fi step will tell the device to connect to the network you added in the previous step –
Now onto the Deploy steps, the first of which is to download the latest MDM agent APK and store it on the device –
The next step will install the APK downloaded in the previous step –
Next is the Intent used to make the MDM agent Device Owner –
The last step then will be to launch the MDM agent –
The Publish page will allow you to test the Profile. It will present a barcode on-screen that, if scanned from the first page of the Android setup wizard on a new or factory-reset Android device, should join your Wi-fi, download and install the MDM agent, make it Device Owner and launch it so you can log in.
Assuming the config is done in your MDM to support it, the device should now be in either Device Owner (AEDO) or Device Owner with Work Profile mode!
For what it’s worth, these are the Intent details you need for some of the MDMs we came across –
| MDM | Package Name | Class Name for “Enroll a Device Owner” Intent | Class Name for launching the MDM agent Intent |