Enroll a Fully Managed non-GMS Android device using ADB

When dealing with non-GMS Android devices (specialized rugged devices, devices in China), one big challenge is actually enrolling them, since the code that enrolls a Fully Managed device is not part of AOSP. As I mentioned in my post about China, only a few vendors took care of this. In this post you will see how ADB works with the rest.

Disclaimer: this method works, but does not scale well, and was designed for testing in Android Emulator and not for production. Check with your MDM/EMM/UEM vendor for production support!

Basically, the Android shell has a command called dpm (Device Policy Manager) that can be used to enroll a Device Owner (= Android Enterprise Fully Managed). The effect is essentially the same as if you did full enrollment, but this is officially not guaranteed (which is why you’d want to check with your MDM provider).

Below is the script that waits for the device to connect, installs the agent APK, and enrolls it as the device owner. Then, after a 1-second wait, we launch the WS1 Hub to prompt for credentials etc. The example uses VMware Workspace ONE UEM, but would work for any other MDM by replacing the vendor-specific piece.

adb wait-for-device
adb install c:\downloads\WS1hub.apk
adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
timeout 1
adb shell am start com.airwatch.androidagent

This is it, in a nutshell! Below are additional notes.

Additional notes

For the above to work, we need to get the APK and the string for set-device-owner (called Admin Component Name). How can we get them? The simplest way is to use your MDM to generate an Android Enterprise enrollment QR code, and then just get it from there using any standard QR reader. Here is an example for Workspace ONE:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=\n",

"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
"https://getwsone.com/mobileenrollment/airwatchagent.apk", 

"android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false,
"android.app.extra.PROVISIONING_WIFI_SSID": "MySSID",
"android.app.extra.PROVISIONING_WIFI_PASSWORD": "MyPassword",

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": 
  {
   "serverurl": "https://cn####.awmdm.com", 
   "gid": "MyOG", 
   "un":"StagingUser", 
   "pw":"StagngPassword"
  }
}

From there you can get all you need (because essentially both GMS Setup Wizard, which consumes this barcode, and ADB dpm command use the same API). Easy!
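The extraction described above, as an added example that is not part of the original post: it pulls the Admin Component Name, download location and checksum out of the QR payload, validates them before they reach `adb shell`, and lists the keys that dpm has no option for. The helper names `parse_qr` and `adb_commands` are hypothetical, the payload is an abbreviated copy of the sample above, and the checksum is assumed to be the URL-safe base64 SHA-256 of the APK signing certificate, as the Android provisioning extras define it.

```python
import base64
import json
import re

P = "android.app.extra.PROVISIONING_"
# Constructed sample: an abbreviated copy of the QR payload shown above.
QR_PAYLOAD = r'''{
 "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
   "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
 "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
   "6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=\n",
 "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
   "https://getwsone.com/mobileenrollment/airwatchagent.apk",
 "android.app.extra.PROVISIONING_WIFI_PASSWORD": "MyPassword",
 "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"un": "StagingUser"}
}'''

# package/receiver only; rejects anything the device shell could interpret.
COMPONENT_RE = re.compile(r"[A-Za-z][\w.]*/\.?[A-Za-z][\w.]*")

def parse_qr(payload):
    """Extract what the ADB method needs from a provisioning QR payload."""
    data = json.loads(payload)
    used = [P + "DEVICE_ADMIN_COMPONENT_NAME",
            P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM",
            P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"]
    component, checksum, url = (data[k] for k in used)
    if not COMPONENT_RE.fullmatch(component):
        raise ValueError("unexpected admin component name: %r" % component)
    if not url.startswith("https://"):
        raise ValueError("APK download location is not HTTPS: %r" % url)
    # Assumption: URL-safe base64 of the SHA-256 of the APK signing certificate.
    digest = base64.urlsafe_b64decode(checksum.strip())
    if len(digest) != 32:
        raise ValueError("checksum is not a SHA-256 digest")
    return {"component": component, "apk_url": url,
            "cert_sha256": digest.hex(),
            # Keys the Setup Wizard would consume but dpm has no option for.
            "unused_keys": sorted(k for k in data if k not in used)}

def adb_commands(info, apk_path):
    """Argument lists for the four adb steps of the script above."""
    package = info["component"].split("/")[0]
    return [["adb", "wait-for-device"],
            ["adb", "install", apk_path],
            ["adb", "shell", "dpm", "set-device-owner", info["component"]],
            ["adb", "shell", "am", "start", package]]

if __name__ == "__main__":
    info = parse_qr(QR_PAYLOAD)
    print("compare with apksigner verify --print-certs:", info["cert_sha256"])
    for cmd in adb_commands(info, r"c:\downloads\WS1hub.apk"):
        print(" ".join(cmd))
```

`adb install` takes no checksum argument, so the hex digest is printed for a manual comparison against the signer certificate of the APK you downloaded.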

However, you can see that the Wizard can also take the enrollment data, creating a more automated scenario, as well as additional parameters. I’ve looked into the dpm source code and could not find anything there that would take such parameters. Thus, the ADB method is very laborious and manual: manually enable ADB, manually plug in the device, manually provision connectivity, manually enter the enrollment details (hope you have the MDM QR code). At least disabling ADB later on can be done via MDM. And after a device reset, all is gone! This is why the recommended way is for the device vendor to apply some effort and create a small piece of enrollment code for their own non-GMS Initial Setup Wizard.

Currently, the vendors I know that can do it are:

  • Zebra
  • Honeywell

Maybe there are more, but I don’t know. If you do know, or you are such a vendor – please write a comment! Also, I know for sure that as of now neither Samsung nor Nokia support automated device enrollment in China (I will surely update this once it changes!).

Summary

This ADB-based method is very manual, does not scale well, and is not officially supported by many MDMs – but it works! So if you have nothing else to choose from, what else can you do? At least, it works! Write your opinion in comments, and press your device vendors to give some love to non-GMS devices!


9 thoughts on “Enroll a Fully Managed non-GMS Android device using ADB”


  1. Good stuff, thanks.
    In my case I have to use different usernames and passwords to enroll each device, so I would need to modify the QR contents for each one and then send it using adb.
    So, in that case, what should the adb command to send the QR string be?

    Liked by 2 people

    1. Hi, Andy. I have written in the blog that I did not find a way to pass the enrollment data such as username into the DPM command. The QR there is NOT the Android Enterprise QR code (that one requires GMS), but a WS1 Hub QR code. So you will have to generate a bunch of them yourself.

      Liked by 1 person

  2. Hi
    I am setting WS1 lab with Android emulator. I try not use your guide to enroll the emulator.

    Where do you store set-device-owner string? How do you pass this string through adb?

    Thanks,
    -Sittichai


      1. You install ADB on your host machine and simply use the CLI (CMD, Terminal, PowerShell – whichever you like)


      2. Thanks.

        Now I can install latest WS1 hub agent on Android 11 emulator.

        But I cannot enroll because there is an error that said my device is rooted.


  3. Hi!

    We tried to enroll the devices with adb using WS1, but we got the message: enrollment blocked. you are not allowed to enroll your device

    I didn't find any restriction about this.
    Even if I set the device-owner, I'm not allowed to enroll the phone.

    Any ideas?


    1. There can be a whole lot of reasons – check out the KB. For instance, device with the same ID might be enrolled in another OG and a combination of settings prevents it from enrolling into a different one before you delete it manually.
      Maybe you have “require Google account” or similar GMS related requirement somewhere

      Liked by 1 person
