Device Deployment without internet Access V15.2

JayDee
CTDI GmbH

Good morning everyone,

I've got a question about device Deployment without Internet access.

We are new to the SoTi environment and installed v15.2 last week to use it for remote support of our Warehouse WiFi devices.
Our devices are from Zebra (TC7x) and Samsung Tablets (testing with Galaxy Tab A 10.1).

The firewall IPs are configured on the firewall like in the manual
https://www.soti.net/mc/help/v15.2/en/setup/installing/soti_services.html

and a "Global Proxy" is configured in Soti Global Settings. The server itself is running fine and has internet access without any problems.

The Problem is:

We want to deploy the Samsung Tablets in a firewall isolated WiFi without internet access, but access to the SoTi Server.

Our local SoTi supporter gave me a script:

{
"android.app.extra.PROVISIONING_TIME_ZONE":"Europe/Amsterdam",
"android.app.extra.PROVISIONING_LOCALE":"de_DE",
"android.app.extra.PROVISIONING_WIFI_PROXY_HOST":"<PROXY IP>",
"android.app.extra.PROVISIONING_WIFI_PROXY_PORT":"<PROXY PORT>",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA",
"android.app.extra.PROVISIONING_WIFI_SSID":"<SSID>",
"android.app.extra.PROVISIONING_WIFI_PASSWORD":"<PASSWORD>",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc\=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://<FQDN of INTERNAL HTTP SERVER/PATH/FILE>.apk",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION": true,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"enrollmentID":"<ENROLLMENT URL>"
}
}

to create a QR code with a QR code generator software, which we've done.

When we press the welcome screen 3 times on a factory-reset device and scan this QR code, it stays at "Getting ready for work setup..." and I can see a great many connections to the internet, which are blocked by the firewall, but none to the internal sources.
I think these are connections to the Google Play Store or something else.

I don't understand why, because I deploy the APK file locally and also use our proxy, which isn't working either (I can't see any connections to the proxy).

I'm sure that we aren't the only company that wants to use Soti on isolated devices/WiFi.

The Questions:

Is such a scenario working with SoTi?
If "Yes", how? What could be your error?

The aim is to deploy new Android devices without internet access for the device itself.

Grateful for every answer and/or help

JayDee

5 years ago
Android
ANSWERS
Simon Breuer
5 years ago

Hi JayDee,

I am quite sure that Android Enterprise enrollment always needs a direct non-proxy connection to Google servers.

(look here for example: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/Android_Platform/GUID-80E36005-09EE-42B7-B318-D2B60BE2F482.html)

When enrolling ZEBRA devices you have got another possibility:
Enroll the devices with ZEBRA's StageNow tool. Download APK and INI file from local server and proceed enrolling without ever connecting to Google (unless you would like to bind a Managed GooglePlay account to the device).

But for your Samsung devices I do not see another solution than opening your firewall to Google. :(

JCMOD@SOTI
5 years ago

Hi JayDee,

Thank you for posting in SOTI Central.

Look into using the below format as a baseline and observe if you experience the same issue. MobiControl does support the installation and operation of the AE Agent within offline environments.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=net.soti.mobicontrol.androidwork
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=INTERNAL.FQDN
android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED=false
android.app.extra.PROVISIONING_RESET_PROTECTION_PARAMETERS=true
android.app.extra.PROVISIONING_SKIP_ENCRYPTION=false

Also make sure you're using the MobiControl Stage Programmer App with the NFCProvisioning.txt file amended with the above (found via: \Android\data\net.soti.mobicontrol.programmer\files\nfcprovisioning.txt). This is an important step for this to work. Therefore, you'll also need a master device to perform this.

If this resolves the issue, please mark this post as resolved. Or if you need further assistance or require clarification, feel free to reach out.

Regards,

JayDee
5 years ago

Hi Simon,

we tested several things and had the same experience.

Samsung Galaxy Tab:
If we use the SoTi Stage Programmer App, we had no chance of using it without an Internet connection.
Also the proxy configuration isn't working (ignored) in this App for Samsung and needs a connection to Samsung License activation servers :(

Zebra:
I'll test it with Zebra (TC77, TC75x,...) after upgrading the firmware to Android 10, because the current firmware seems to need internet access to download the QR App.
StageNow could be an alternative. But we need to test it.

I don't want to create a new "Staging" Wifi (Wifi Overhead) with Internet access because of SoTi/Samsung Android.

I'll post our experiences in this conversation :)

Thanks for your answer!

JayDee

JayDee
5 years ago

Hi JCMOD,

we copied your parameters

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=net.soti.mobicontrol.androidwork
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=INTERNAL.FQDN
android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED=false
android.app.extra.PROVISIONING_RESET_PROTECTION_PARAMETERS=true
android.app.extra.PROVISIONING_SKIP_ENCRYPTION=false

and changed "INTERNAL.FQDN" to "http://SERVERIP:PORT/FOLDER/" in the nfcprovisioning.txt file.

We made our settings in the Stage Programmer App and started the NFC transfer.

NFC started on the Zebra TC77 and it connected to the WiFi, but it also ignored the settings and tried to connect to Google directly.

We found some entries where "http\://" instead of "http://" was used. Which would be the correct one?
Do we need to add the full APK-file into the INTERNAL.FQDN link?

The Samsung Galaxy Tab A doesn't have NFC. :(

Thanks for your support!

JayDee

Raymond Chan Diamond Contributor
5 years ago (edited 5 years ago)

Hi JayDee,

You should include the file name in the parameter e.g.

   android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https\://Myserver.com/Agents/GoogleMobiControl1440_1028.apk

You can also include the enrollment ID e.g.

  android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=enrollmentId\=ABCDED12

Also, despite the file name of the configuration file having the prefix "nfc", all configurations defined in the file are also applicable to enrollment using QR-code.
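The escaping in the reply above, worked through as an added example (not code from SOTI or from any poster). It assumes nfcprovisioning.txt follows java.util.Properties escaping, which is the format Android documents for NFC provisioning records; under those rules "https\://" and "https://" read as the same value, and the extras bundle becomes a nested object in the JSON form used for QR codes. The function names are hypothetical and the sample lines are built from the values quoted in this thread.

```python
import json

BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

def unescape(s):
    # java.util.Properties drops the backslash in front of an ordinary character,
    # so "\:" reads as ":" and "\=" as "=" (\n, \t and \uXXXX are not handled here).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 1
        out.append(s[i])
        i += 1
    return "".join(out)

def parse_properties(text):
    """Parse one-line key=value entries; the key ends at the first unescaped '=' or ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        i = 0
        while i < len(line) and line[i] not in "=:":
            i += 2 if line[i] == "\\" else 1
        props[unescape(line[:i].strip())] = unescape(line[i + 1:].strip())
    return props

def to_qr_json(props):
    """Build the JSON object form of the same settings, as used in QR payloads."""
    payload = {}
    for key, value in props.items():
        if key == BUNDLE:
            payload[key] = parse_properties(value)   # nested properties -> JSON object
        elif value in ("true", "false"):
            payload[key] = value == "true"
        else:
            payload[key] = value
    return json.dumps(payload, indent=1)

# Constructed sample, using the file name and enrollment ID quoted in the reply above.
SAMPLE = r"""
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=net.soti.mobicontrol.androidwork
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https\://Myserver.com/Agents/GoogleMobiControl1440_1028.apk
android.app.extra.PROVISIONING_SKIP_ENCRYPTION=false
android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=enrollmentId\=ABCDED12
"""

if __name__ == "__main__":
    print(to_qr_json(parse_properties(SAMPLE)))
```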

Randy, Saputra
4 years ago

Hi everyone,

What's the scenario for A+ enrollment? 

The device is a Zebra Mc36 running OS 4 or 5, if I am not mistaken, clearly not eligible for QR scan enrollment.

The client only has a local network in the warehouse.

Thanks & regards,

Randy Saputra 

Leonardo Bozi
4 years ago

Hi JCMOD@SOTI,

This offline provisioning method worked with an Android 8.1 device (LGE LM-Q610.FGN), but it did not with an Android 10 device (Sonimtech XP8800). It got stuck on the screen "Getting ready for work".

The QRCode was created with these parameters:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://<INTERNAL_SERVER_IP>/GoogleMobiControl1501_1051.apk",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,
"android.app.extra.PROVISIONING_LOCALE":"pt_BR",
"android.app.extra.PROVISIONING_WIFI_SSID":"<INTERNAL_SSID>",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":false,
"android.app.extra.PROVISIONING_WIFI_IDENTITY":"<INTERNAL_USER_ID>",
"android.app.extra.PROVISIONING_WIFI_PASSWORD":"<INTERNAL_USER_ID_PASSWORD>",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"EAP",
"android.app.extra.PROVISIONING_WIFI_EAP_METHOD":"PEAP",
"android.app.extra.PROVISIONING_SKIP_USER_CONSENT":true,
"android.app.extra.PROVISIONING_TIME_ZONE":"America/Sao_Paulo"
}

Thanks in advance.

Raymond Chan Diamond Contributor
4 years ago

Based on the format of the parameters shown in your screenshot, I doubt whether you are using the MobiControl Stage Programmer app (https://play.google.com/store/apps/details?id=net.soti.mobicontrol.programmer) on an Android provisioning device to do your AE device enrollment with QR/NFC.

Do not confuse the above with the "SOTI MobiControl Stage Barcode Generator" Windows Utility as documented at

    https://soti.net/mc/help/v14.1/en/mcstage/start/barcode_generator.html

and downloadable at

    https://docs.soti.net/soti-mobicontrol/downloads/

The QR code generated with the latter likely won't work on Android-Enterprise device enrollment.

De_Johan
3 years ago

Was this issue ever solved?
We also can't enroll offline..

{"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=","android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter","android.app.extra.PROVISIONING_WIFI_HIDDEN":"false","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://ipinternalserver/GoogleMobiControl.apk","android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,"android.app.extra.PROVISIONING_LOCALE":"nl_BE","android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":"true","android.app.extra.PROVISIONING_RESET_PROTECTION_PARAMETERS":"true","android.app.extra.PROVISIONING_TIME_ZONE":"Europe/Amsterdam","android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME":"net.soti.mobicontrol.androidwork","android.app.extra.PROVISIONING_WIFI_SSID":"869-913","android.app.extra.PROVISIONING_WIFI_PASSWORD":"ourpassword","android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"enrollmentId":"https://beanr-infpapp01.netwerk.hessenoordnatie.com"}}


When scanning this it's also stuck in 'getting ready for work setup'. I see the wifi icon after scanning the QR but the .apk never gets downloaded according to our webserver logs. When I copy paste the apk url on a working device connecting to the wifi the download does start so the url/server is correct. Any solution?
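A pre-flight check for QR payloads like the ones posted in this thread, as an added example (not SOTI's tooling and not code from any poster). It parses the text as strict JSON, which rejects a properties-style "\=" inside a string as in the first payload above, then checks that the download location names the APK file and that the checksum decodes as URL-safe base64 to a 32-byte SHA-256 digest. The function name and the host name in the sample are assumptions; the checksum is the one quoted in the thread.

```python
import base64
import json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"

def lint_qr_payload(text):
    """Return a list of findings for one QR provisioning payload (empty list = clean)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        # e.g. "\=" copied from a .properties file: not a legal JSON escape
        return [f"not valid JSON: {e.msg} (line {e.lineno}, column {e.colno})"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    findings = []
    if P + "DEVICE_ADMIN_COMPONENT_NAME" not in data and P + "DEVICE_ADMIN_PACKAGE_NAME" not in data:
        findings.append("no device admin component or package name")
    url = urlparse(str(data.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "")))
    if url.scheme not in ("http", "https") or not url.path.lower().endswith(".apk"):
        findings.append("download location is not an http(s) URL ending in the APK file name")
    checksum = data.get(P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM") or data.get(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")
    if not checksum:
        findings.append("no signature or package checksum for the downloaded APK")
    else:
        try:
            raw = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
        except ValueError:
            raw = b""
        if len(raw) != 32:
            findings.append("checksum is not URL-safe base64 of a 32-byte SHA-256 digest")
        elif url.scheme == "http":
            findings.append("note: APK is fetched over cleartext http; the checksum is the only integrity check")
    return findings

# Constructed samples: the host name is a placeholder, the checksum is the one quoted in the thread.
GOOD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": "hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://mdm.example.internal/GoogleMobiControl.apk",
})
ESCAPED = GOOD.replace('c="', 'c\\="')   # same payload with the checksum ending in "\="

if __name__ == "__main__":
    for name, payload in (("good", GOOD), ("escaped", ESCAPED)):
        print(name, lint_qr_payload(payload) or "clean")
```

A clean result only means the payload is well-formed; it does not show that a given device will complete enrollment without reaching Google.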