Android No Touch Work Profile Enrollment for BYOD via Link/QR-Code
While there are multiple ways to enroll devices I want to show today a new way of enrolling a Device with sending the user a Link or a QR-Code.
Prerequisites:
While there are no Pre-Requisites of Versions on the UEM side it only requires a supported UEM Version. For the rest make sure you have the following prerequisite met:
- Android Intelligent Hub 23.01 or Newer
- Device with PlayStore (open Hub from Playstore)
As we use a QR-Code or a Link you need a Browser or a QR-Code Reader (Android Camera works as well in most cases) to initiate the Enrollment.
Optional: Token Based Enrollment & API calls
While it is totally optional I wanted to show that this works even without any Password for the User. I used the following Settings in Workspace ONE UEM.
First I enabled the “Registered Devices Only” Setting, then I enabled the “Require Registration Token”. Once done make sure you save the settings.
As I wanted to automate the whole registration process I used a API Call to register Device. Details below:
In the Response you can see the Token Code and use this as a Group ID in the next part of the Blog.
Creating the Link/QR-Code:
Here I show the manual Process of creating the Link, while it would also work to automate that with an Automation.
While we generate the Link , we need to first have the Environment Settings like DS Url and Group ID ready. As I used Token Based Enrollment I added my Token generated in UEM to the Settings. In my case it looks like this:
{"url":"https://dsxxx.awmdm.com","gid":"MyToken"}Once done we need to convert this to Base64, which ends up with the following Content for me:
eyJ1cmwiOiJodHRwczovL2RzeHh4LmF3bWRtLmNvbSIsImdpZCI6Ik15VG9rZW4ifQ==With that we can now jump to the Google Page from creating a Campain:
Make sure you fill out the Application ID with “com.airwatch.androidagent” and the Campaign Content with the Base64 encoded Details we just created in the step before. Once done click to “Generate URL”
Once done you have the Link and QR-Code that you can use with any Browser or any QR-Code Reader enabled Camera.
In my Case the URL (Sample Data for this Blog) is the following, I can now use this to test it out :
https://play.google.com/store/apps/details?id=com.airwatch.androidagent&referrer=utm_source%3Dgoogle%26utm_medium%3Dcpc%26utm_content%3DeyJ1cmwiOiJodHRwczovL2RzeHh4LmF3bWRtLmNvbSIsImdpZCI6Ik15VG9rZW4ifQ%253D%253D%26anid%3DadmobTo show the whole process a bit better I created a Video on showcasing the Settings.
Device Experience
While I decided to go with a “QR-Code” to enroll with the Token in the QR-Code. I was able to enroll the device without any big user interaction from the Launch of the Hub till the Android Work Profile is finished.
Conclusion
While this process works only with Android perfectly keep in mind that iOS is a but different and this Blog Post is not applicable there. As you can see Automations are possible and you can also use it as a Day 0 Onboarding on a BYOD Device of a future Employee. Also keep in mind that once enrolled you can leverage Mobile SSO and TOTP as MFA , so the user can work without having to fill a Password in ever.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.