Our Voice

CWSI Ranked 15th in the Deloitte 2023 Technology Fast 50 Awards.

Learn More

A Guide to Enrolling Zebra Devices to MDM in Android Enterprise Device Owner (AEDO) Mode Using StageNow

Project recap and guide prepared by Philip Harrison, CTO

A recent project involved securing and managing Zebra Android-based ruggedised scanning guns (Zebra MC93s). The ideal solution was an Android Enterprise (AE) kiosk, but first we needed to get the device into Android Enterprise Device Owner (AEDO) mode, a prerequisite for an AE kiosk.

Android Enterprise Zero-touch (ZT) will do this for you as part of the setup process, but in this case ZT was not an option. As the devices in question do not have cameras, NFC-bump and QR-code AE enrolment does not appear to be supported – an unusual oversight from Zebra/Google here, given these devices’ raison d’être is to scan codes and read NFC tags.

Token enrolment (afw#your_mdm_here) was an option, but we were trying to avoid as much typing as possible during the setup process.

Zebra’s StageNow tool – Enroll in an MDM

This is where Zebra’s StageNow tool is fantastic.  StageNow is a free Windows-based tool that allows you to build configuration workflows for Zebra devices, which it encodes into barcodes (and in some cases additional package files) that you can subsequently scan with the devices to apply the configurations in seconds.

The “Enroll in an MDM” StageNow wizard will create a barcode that can be scanned on the very first screen of the Android setup wizard, causing the device to join a Wi-fi network, skip the wizard, download the MDM agent, then install and launch it.

There’s only one problem: the “Enroll in an MDM” wizard in StageNow will only enrol AE devices into Device Owner mode for the SOTI MDM solution. For all other MDM solutions, the devices will only be in Work Profile mode.

Step 1

After a bit of digging, it turned out that the only difference between the StageNow configuration package that does MDM enrolment for SOTI and the one for other MDMs is a single Intent call to the MDM agent app – “Enroll a Device Owner”.

This Intent in StageNow requires a Package Name (your MDM agent) and Class Name (your MDM agent’s Device Owner enrolment class); the next trick is figuring out what these are for your MDM solution.

[Image: Package Name]

Step 2

In the case of this project, the MDM was MobileIron Core.  MobileIron provide an app called Provisioner, which generates QR-codes/NFC-bumps that are used during the enrolment of Android Enterprise devices with a camera/NFC-reader.

Decoding one of these QR codes (plenty of free apps to achieve this) gives you content something like this –

[Image: QR codes]

Step 3

The value of interest here is "PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.mobileiron/.receiver.MIDeviceAdmin", which tells Android to provision the com.mobileiron package as Device Owner via the class com.mobileiron.receiver.MIDeviceAdmin (the leading dot in the class part means it is relative to the package name).

We can use this information in our StageNow Intent to make the MobileIron agent Device Owner –

[Image: StageNow Intent]
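The lookup described above can be scripted. This is an added example, not code from the original article or from MobileIron or Zebra: it parses a decoded provisioning QR payload and returns the Package Name and Class Name that the “Enroll a Device Owner” Intent asks for. The sample payload is constructed (only the component name value comes from the article, and the download URL is a placeholder), and the function names are hypothetical.

```python
import json

# Full name of the Android provisioning extra; the article quotes it without the prefix.
COMPONENT_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"

# Constructed sample payload: only the component name value is taken from the article.
SAMPLE_QR = json.dumps({
    COMPONENT_KEY: "com.mobileiron/.receiver.MIDeviceAdmin",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://mdm.example.invalid/agent.apk",  # placeholder URL
})


def split_component(flat):
    """Split a flattened 'package/class' string the way Android's ComponentName does."""
    if not isinstance(flat, str):
        raise ValueError("component name must be a string")
    package, sep, cls = flat.strip().partition("/")
    if not sep or not package or not cls:
        raise ValueError(f"not a flattened component name: {flat!r}")
    if cls.startswith("."):
        # Relative class name: Android prepends the package name.
        cls = package + cls
    return package, cls


def enroll_intent_fields(qr_text):
    """Return the two values needed for the 'Enroll a Device Owner' Intent."""
    payload = json.loads(qr_text)
    # Accept the full key or the abbreviated form quoted in the article.
    flat = next((value for key, value in payload.items()
                 if key.endswith("PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME")), None)
    if flat is None:
        raise KeyError("payload has no device admin component name")
    package, cls = split_component(flat)
    return {"Package Name": package, "Class Name": cls}


if __name__ == "__main__":
    print(enroll_intent_fields(SAMPLE_QR))
```

Fully qualified class names (no leading dot) pass through unchanged, and a value without a “/” separator is rejected rather than guessed at.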

Note the “Enroll a Device Owner” Intent should be called after the MDM agent is installed, but before it is launched.  As you cannot add steps to a StageNow wizard-based Profile (like “Enroll in an MDM”), you’ll need to use an Xpert Mode custom profile and add the various steps yourself.

It might look something like this –

Step 4

Create a new Xpert Mode Profile and give it a name.  You’ll then be asked to add any StageNowConfig and/or Deploy steps to the Profile. You’ll want one Wi-fi config to add a Wi-fi network to the device and then another to join that Wi-fi network –

[Image: Xpert Mode Profile]

Step 5

Then in the Deploy stage, you’ll want a FileMgr step to download the MDM agent APK, an AppMgr step to install the downloaded APK, an Intent to make the agent Device Owner and an Intent to launch the agent –

[Image: FileMgr step]

Step 6

Next, you can work through these six steps and configure them appropriately.

Use the first Wi-fi step to add a Wi-fi network –

[Image: six steps]

Step 7

The next Wi-fi step will tell the device to connect to the network you added in the previous step –

[Image: connect to the network]

Step 8

Now onto the Deploy steps, the first of which is to download the latest MDM agent APK and store it on the device –

[Image: download the latest MDM agent]

Step 9

The next step will install the APK downloaded in the previous step –

[Image: APK downloaded]

Step 10

Next is the Intent used to make the MDM agent Device Owner –

[Image: MDM agent Device Owner]

Step 11

The last step then will be to launch the MDM agent –

[Image: MDM agent]

The Publish page will allow you to test the Profile. It presents a barcode on-screen that, if scanned from the first page of the Android setup wizard on a new or factory-reset Android device, should join your Wi-fi, download and install the MDM agent, make it Device Owner and launch it so you can log in.

Assuming the config is done in your MDM to support it, the device should now be in either Device Owner (AEDO) or Device Owner with Work Profile mode!

For what it’s worth, these are the Intent details you need for some of the MDMs we came across –

| MDM | Package Name | Class Name for “Enroll a Device Owner” Intent | Class Name for launching the MDM agent Intent |
| --- | --- | --- | --- |
| MobileIron Core | com.mobileiron | com.mobileiron.receiver.MIDeviceAdmin | com.mobileiron.MIClientMain |
| MobileIron Cloud | com.mobileiron.anyware.android | com.mobileiron.polaris.manager.device.AndroidDeviceAdminReceiver | com.mobileiron.polaris.manager.ui.StartActivity |
| Microsoft Intune | com.microsoft.windowsintune.companyportal | com.microsoft.omadm.client.PolicyManagerReceiver | com.microsoft.windowsintune.companyportal.views.SplashActivity |

Contact us to learn more about how we can enable your organisation to thrive in a mobile-first world. 
