Android offline enrollment

Solved

Hello,

I'm trying to enroll Android devices (EDA52) offline to an on-premise server. Already gave up on QR enrollment as that way the device tries to connect to Google services first no matter what I try.

So now I'm trying a workaround... I set up the device manually, connect it to our offline machine wifi and sideload the agent via cable. So far so good. But when I try to enroll through the agent and my enrollment link, it creates a work profile instead of a work managed device. The device is in the correct group, but no SOTI profiles are pushed to it as those are for work managed devices.

Basically no matter what I try, it just does not work as I would expect. IT security will not let us open the wifi even that little bit.

a year ago
Android
ANSWERS
MJ
Michal Janovac
a year ago

Just so you know guys... In the end I contacted SOTI tech support and they helped me solve it.

QR enrollment does not work at all...

What helped in the end was this:

1) Manual setup without connecting to mobile or wifi.

2) Enter developer mode on the device, turn on USB debug.

3) Connect to the restricted wifi.

4) Connect the device via USB. SOTI provided me with a command line tool to install the agent and make the agent the owner of the device (work managed device) via the USB debug.

5) Enroll...

Yes, it is quite a convoluted solution, but IT WORKS.

Solution

Just beforehand: I don't use offline enrollment yet, but:

  • Do you have "provisioning_allow_offline" in the QR?
    • This may be needed to enroll a device in offline state.
  • Do you have also the relevant paths provided where the device gets the agent locally (from your network)?
  • Not sure if Honeywell provides something similar as Zebra does with StageNow which could help as well.

If you search for a good enrollment QR generator, Jason Bayton has done an online one here: https://bayton.org/qr-generator/
(Hint: You may not enter the correct sensitive data in the web (wifi password, enrollment token etc.) but generate the QR code structure, fill in locally the correct data and generate the QR locally on your machine then.)

MJ
Michal Janovac
a year ago

Ok, I did not have it there, but I just tried to add it, tested it and no luck. I would even be fine with sideloading if that worked. Enrollment link is for work managed device, but when I sideload the agent, it creates work profile instead. Does not make any sense.

RC
Raymond Chan Diamond Contributor
a year ago

Hi Michal,

A compliant AE device has to be presented with a QR code with correct parameters right upon device factory reset to get the device into managed-device mode; otherwise, without factory resetting the device again, the device will just be enrolled into work profile mode.

Did you use Soti MobiControl Stage Programmer (https://play.google.com/store/apps/details?id=net.soti.mobicontrol.programmer) to do your QR enrollment?

Have you configured any advanced options with the MobiControl Stage Programmer to handle your special use case using a closed network? If so, what have you configured?

In my experience, allowing the device to connect to Google Services in the ENROLLMENT PHASE is no big deal. There are plenty of policies and arrangements to restrict the device to a closed network under NORMAL operation AFTER the enrollment. Devices usually have to get upgrades and/or security fixes for both the system firmware and various bundled apps from time to time, and the device needs to be allowed access outside the closed network during such MAINTENANCE phases. Can the security lunatics insist on disallowing such upgrades/security fixes temporarily from the outside network if it is known that the existing software on the device has big security issues?

MJ
Michal Janovac
a year ago

Ok, good to know, and no, I have never used that app.

MJ
Michal Janovac
a year ago

And now I know why. This app is not even once mentioned in help for 2024.1.

RC
Raymond Chan Diamond Contributor
a year ago

It is, but only very briefly. E.g. for MobiControl v2024.1, at

    https://www.soti.net/mc/help/v2024.1/en/console/devices/managing/enrollment/androidplus/enterprise/stage_programmer_provision.html

Some Soti guys and I mentioned various advanced options in this forum in the last few years, e.g.

https://discussions.soti.net/discussions/why-enrollment-by-afw-mobicontrol-and-qr-code-gives-different-results

https://discussions.soti.net/discussions/device-deployment-without-internet-access-v15-2

...

There have been many more changes/enhancements from time to time.

MJ
Michal Janovac
a year ago

Will give it a try, thank you.

RC
Raymond Chan Diamond Contributor
a year ago
MJ
Michal Janovac
a year ago

Is there some list somewhere? Even the QR code generator on the server has the option to add extras in the JSON format. But as I am NOT proficient in JavaScript, I could use some help. The only thing I added was the "android.app.extra.PROVISIONING_ALLOW_OFFLINE": true

It should be something like this (untested extraction from my used QR generations on my own generator):

{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "YOUR_LOCAL_PATH_TO_DL_THE_AGENT",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "enrollmentId": "YOUR_ID",
        "PROVISIONING_MODE": "FULLY_MANAGED_DEVICE"
    },
    "android.app.extra.PROVISIONING_ALLOW_OFFLINE": true
}
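As an added example (not code from the thread, from SOTI or from Android), a small Python script that assembles the QR payload above for a fully managed, offline-capable enrollment and checks the fields this thread keeps tripping over. The signing-certificate bytes, download URL and enrollment ID are constructed placeholders; the checksum derivation assumes Android's documented format of URL-safe base64 over the SHA-256 of the agent's signing certificate.

```python
import base64
import hashlib
import json

ADMIN = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
SIG = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
DL = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
OFFLINE = "android.app.extra.PROVISIONING_ALLOW_OFFLINE"
SOTI_ADMIN = "net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter"

def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 of SHA-256 over the agent's signing certificate (DER).
    Setup wizard compares it with the APK it downloads, so an agent that was
    swapped on the local download server is refused instead of installed."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")

def build_offline_payload(cert_der: bytes, download_url: str, enrollment_id: str) -> dict:
    """Assemble the QR JSON with the same keys as the thread's example."""
    return {
        ADMIN: SOTI_ADMIN,
        SIG: signature_checksum(cert_der),
        DL: download_url,
        BUNDLE: {"enrollmentId": enrollment_id, "PROVISIONING_MODE": "FULLY_MANAGED_DEVICE"},
        OFFLINE: True,
    }

def validate(payload: dict) -> list:
    """Return the list of problems found; an empty list means the payload is sane."""
    problems = ["missing " + k for k in (ADMIN, SIG, DL, BUNDLE, OFFLINE) if k not in payload]
    if payload.get(OFFLINE) is not True:
        problems.append(OFFLINE + " must be the JSON boolean true, not the string \"true\"")
    if payload.get(BUNDLE, {}).get("PROVISIONING_MODE") != "FULLY_MANAGED_DEVICE":
        problems.append("PROVISIONING_MODE is not FULLY_MANAGED_DEVICE")
    try:
        if len(base64.urlsafe_b64decode(payload.get(SIG, ""))) != 32:
            problems.append(SIG + " does not decode to a 32-byte SHA-256 digest")
    except (ValueError, TypeError):
        problems.append(SIG + " is not URL-safe base64")
    if not str(payload.get(DL, "")).startswith(("http://", "https://")):
        problems.append(DL + " must be an http(s) URL reachable inside the closed network")
    return problems

if __name__ == "__main__":
    # Constructed stand-in for the DER bytes of the real agent signing certificate.
    payload = build_offline_payload(b"constructed-sample-cert", "https://mdm.example.internal/agent.apk", "YOUR_ID")
    print(json.dumps(payload, indent=4))
    print(validate(payload))
```

Paste the printed JSON into a QR generator offline, as the accepted answer's hint suggests, rather than entering the real values on a public web form.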

MJ
Michal Janovac
a year ago

Yup, that's mostly it right there. +some locale etc. Does not work.

MJ
Michal Janovac
a year ago

It literally does not do anything past trying to connect to Google. The device is on the "Setting up the device" screen and the firewall reports only attempts to connect to Google. It does not even try to download the agent or anything. No Google account is set up in SOTI.

I see many threads like this in these forums and none of them is marked as solved.

If I had a locally stored agent, I could try it, but as I don't, I can't test and/or verify, as we always use ZTE, which means a connection to Google is always possible.

MJ
Michal Janovac
a year ago

The agent is not a problem... One URL and one port. Whole Google is another story. So the download is not a big issue - the problem is that the setup won't even get to that. Without a connection to Google it just never ever gets to the next step. The FW shows just attempts to connect to Google over and over; only THEN (if it connects) does it try to download the agent. Yes, we went through all the steps, even temporarily tried to open the FW to see what will stick...

TG
Thomas G.
a year ago

For offline enrollment, depending on your MC version, you need to check that in the AddDeviceRule => "Enroll on SafetyNet Attestation Failure" // Enrollment Policy => "Enroll Device even if Play Integrity Attestation Fails" is checked.
We only use offline enrollment, and host the agent on a separate webserver to control which version is used.

MJ
Michal Janovac
a year ago

AddDeviceRules are legacy as far as I know. Did not find anything like that in 2024.1. The other option is checked ofc. That was one of the first things I tried.

AddDeviceRules may be legacy but you have policies -> Enrollment which is the same.
So please check what Thomas wrote in your enrollment rule.

TG
Thomas G.
a year ago

Just to avoid misunderstanding, "Enroll Device even if Play Integrity Attestation Fails" has to be "on".

In your network, you have to allow communication from the device to a server which hosts the agent, and to your MobiControl Deployment server port 5494 and, if changed, the port of the Deployment server extension. Make sure that date and time on the device are correct, and if you use self-signed certificates that the "chain of trust" is working. If you create the QR code just by the JSON, be careful with the characters. We usually use the OEM tools like Enterprise Provisioner and StageNow to create the codes.

Regarding your workaround, if you install only the .apk, the result is always a Work Profile, as the intent to set the Device Owner is missing. Here is an article about how to do it manually:
SOTI Discussion Forum

MJ
Michal Janovac
a year ago

Ok, let me rephrase. :)

"Enroll Device even if Play Integrity Attestation Fails" is ON/checked/button is blue and not grey. And to make myself clear: the manual enrollment works, ports are opened etc. Even the QR enrollment works - if we open the network for Google services - which we do not want. That is also tested. The QR code enrollment tries to connect to Google first no matter what I try. And as the connection cannot be made, it is stuck there forever. Even had a call today with SOTI tech support... Nothing.

The PowerShell I will need to test on Monday, thank you.