Our Voice

CWSI announced as one of Ireland’s Best Managed Companies 2023.

CWSI, has been named as one of Ireland’s Best Managed Companies. The awards programme is led by Deloitte Ireland, in association with Bank of Ireland.

Learn More

Project Recap: Enrolling Zebra devices to MDM in Android Enterprise Device Owner (AEDO) mode using StageNow

A recent project involved securing and managing Zebra Android-based ruggedised scanning guns (Zebra MC93’s).  The ideal solution was an Android Enterprise (AE) kiosk, but first we needed to get the device into Android Enterprise Device Owner (AEDO) mode, a pre-requisite for an AE kiosk.

Android Enterprise Zero-touch (ZT) will do this for you as part of the setup process, but in this case ZT was not an option.  As the devices in-question do not have cameras, NFC-bump and QR-code AE enrolment does not appear to be supported – an unusual oversight from Zebra/Google here, given these devices’ raison d’être is to scan codes and read NFC tags.  Token enrolment (afw#your_mdm_here) was an option, but we were trying to avoid as much typing as possible during the setup process.

This is where Zebra’s StageNow tool is fantastic.  StageNow is a free Windows-based tool that allows you build configuration workflows for Zebra devices, which it encodes into barcodes (and in some cases additional package files) that you can subsequently scan with the devices to apply the configurations in seconds.  The “Enroll in an MDM” StageNow wizard will create a barcode that can be scanned on the very first screen of the Android setup wizard, causing the device to join a Wifi network, skip the wizard, download the MDM agent, install and launch it.  There’s only one problem: the “Enroll in an MDM” wizard in StageNow will only enrol AE devices into Device Owner mode for the SOTI MDM solution, for all other MDM solutions the devices will only be in Work Profile mode.

Step 1

After a bit of digging, the only difference between the StageNow configuration package that does MDM enrolment for SOTI vs. other MDMs, is a single Intent call to the MDM agent app – “Enroll a Device Owner”.  This Intent in StageNow requires a Package Name (your MDM agent) and Class Name (your MDM agent’s Device Owner enrolment class); the next trick is figuring out what these are for your MDM solution.

Step 2

In the case of this project, the MDM was MobileIron Core.  MobileIron provide an app called Provisioner, which generates QR-codes/NFC-bumps that are used during the enrolment of Android Enterprise devices with a camera/NFC-reader.  Decoding one of these QR codes (plenty of free apps to achieve this) gives you content something like this –

Step 3

The value of interest here is PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME”: “com.mobileiron/.receiver.MIDeviceAdmin”, which tells Android to provision the com.mobileiron package as Device Owner via the class com.mobileiron.receiver.MIDeviceAdmin.  We can use this information in our StageNow Intent to make the MobileIron agent Device Owner –

Note the “Enroll a Device Owner” Intent should be called after the MDM agent is installed, but before it is launched.  As you cannot add steps to a StageNow wizard-based Profile (like “Enroll in an MDM”), you’ll need to use an Xpert Mode custom profile and add the various steps yourself.  It might looks something like this –

Step 4

Create a new Xpert Mode Profile and give it a name.  You’ll then be asked to add any StageNowConfig and/or Deploy steps to the Profile, you’ll want one Wi-fi config to add a Wi-fi network to the device then another to join that Wi-fi network –

Step 5

Then in the Deploy stage, you’ll want a FileMgr step to download the MDM agent APK, an AppMgr step to install the downloaded APK, an Intent to make the agent Device Owner and an Intent to launch the agent –

Step 6

Next you can work through these six steps and configure them appropriately.  The first Wi-fi step you should use to add a Wi-fi network –

Step 7

The next Wi-fi step will tell the device to connect to the network you added in the previous step –

Step 8

Now onto the Deploy steps, the first of which is to download the latest MDM agent APK and store it on the device –

Step 9

The next step will install the APK downloaded in the previous step –

Step 10

Next is the Intent used to make the MDM agent Device Owner –

Step 11

The last step then will be to launch the MDM agent –

The Publish page will allow you test the Profile, it will present a barcode on-screen that if scanned from the first page of the Android setup wizard on a new or factory reset Android device, should join your Wi-fi, download and install the MDM agent, make it Device Owner and launch it so you can login.  Assuming the config is done in your MDM to support it, the device should now be in either Device Owner (AEDO) or Device Owner with Work Profile mode!

I hope you find this guide useful – the reason I’ve decided to put this together was the lack of material for this specific type of enrollment, in my research I found this guide from Jason Bayton to be particularly useful. So be sure to check his material out if you are doing any further research. If you would like to learn more about the work we do you can visit our case studies or solutions sections.

For what it’s worth, these are the Intent details you need for some of the MDMs we came across –

MDMPackage NameClass Name for “Enroll a Device Owner” IntentClass Name for launching the MDM agent Intent
MobileIron Corecom.mobileIroncom.mobileiron.receiver.MIDeviceAdmincom.mobileiron.MIClientMain
MobileIron Cloudcom.mobileiron.anyware.androidcom.mobileiron.polaris.manager.device.AndroidDeviceAdminReceivercom.mobileiron.polaris.manager.ui.StartActivity
Microsoft InTunecom.microsoft.windowsintune.companyportalcom.microsoft.omadm.client.PolicyManagerReceivercom.microsoft.windowsintune.companyportal.views.SplashActivity

Contact us to learn more about how we can enable your organisation to thrive in a mobile-first world. 

Relevant Resources

Our Voice

CWSI announced as one of Ireland’s Best Managed Companies 2023.

CWSI, has been named as one of Ireland’s Best Managed Companies. The awards programme is led by Deloitte Ireland, in association with Bank of Ireland.

Learn More

Technology Talks

Cyber Awareness- Navigating the Threat Landscape

Listen to our Chief Operations Officer, Des Ryan as he explains how the recent increase in cybercrime requires IT teams to stay vigilant to protect their organisations from threat actors. Hear Des’ recommendations on best practices to decrease your organisation’s chances of falling victim to the next cyber-attack.

Technology Talks

Discover Connect & Go.

IT departments are suffering from a lack of time and resource to manage the demands of regular roll-outs of devices. Hear from CWSI’s Jesper Schmidt and Thierry Lammers as they discuss our innovative service, Connect & Go, diving into their technical experience from firsthand use cases.