How to edit the Intune Android Enterprise QR code

Buy Me a Coffee

Update: System apps can now also be added with Intune more info: https://docs.microsoft.com/en-us/mem/intune/apps/apps-ae-system

 

In this blog I’m going to talk about the Intune Android Enterprise Enrollment QR code and how you can enable certain features currently not supported by Intune by editing it. The Enrollment QR code is used to manually enroll Fully Manage devices in Intune and can be found in the Microsoft Endpoint manager admin center. As you can see in the picture 1 at the moment you can only turn user enrollment on or off on the enrollment page. There are no additional options.

Picture 1: Android enrollment configuration.

 

What is a QR code

What is a QR code? According to Wikipedia a QR code is:

A QR code (abbreviated from Quick Response code) is a type of matrix barcode. A barcode is a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application. 

Let me summarize: “A QR code is a machine-readable optical label that contains data.” That means we can see what data is in the QR code. To view a QR code you will need a QR code scanner I’ve used this QR code scanner which can also generate QR codes.

 

Scan the QR code

I will start the app on my mobile phone and select Scan. Scan the QR code on the enrollment page, you should see a result simular to picture 2:

Picture 2: Scan result of the QR code

When we take a closer look at the content of the Enterprise Enrollment QR code, we can see it’s actually a JSON file with 4 objects (key/value pairs). For more information about the JSON objects you can take a look in the Android documentation.

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"I5YvS0O5hXY46xx01XXXjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"XXXXXXXX"}
}

 

Edit the QR code

Now we are going to edit the QR code. When you deploy a Samsung Android device using Knox there is an option “Enable System applications”. This setting is not enabled in Intune, but in this example we are going to add a Key/value pair. We need to add the following JSON line to the QR code:

"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true

This JSON line will skip the disabling of system apps during Intune enrollment. I will add this a new line below the last Key/value. Every line needs to end with a comma and JSON code needs to end with a curly bracket (}). The new QR JSON will now look like this:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"I5YvS0O5hXY46xx01XXXjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"XXXXXXXX"},
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true
}

 

Instead of using the app to generate the new QR code I will now use https://www.the-qrcode-generator.com to create a new QR code based on the edited JSON.

Picture 3: QR Code Generator

 

Enroll a device with the new QR code

I can now enroll the device using the new QR code instead of the QR in the Microsoft Endpoint manager admin center. I’ve added the screenshots of the default qr code and the edited QR code:

     

Picture 4: Enrollment with Default QR Code and Picture 5: Enrollment with Edited QR Code

As you can see in the screenshots above the following system apps (see table) have been added to the device. In the table i’ve added the system apps which are installed with the edited QR code. The additional apps which are installed depends on the Brand and type, the system apps mentioned are specific for a Samsung smartphone.

Samsung S Voice
Galaxy Store
Google Gmail
Maps
YouTube
Microsoft Word
Excel
PowerPoint
OneDrive
Linkedin
All apps Facebook
Gallery
Clock
Calendar
Radio

 

As described before you can use Android API documentation to edit the JSON and generate a new QR code. This example of turning on the system apps is just one example you can use.

I hope you enjoyed this blog. Leave a reply to this blogpost if you wish to add something or have any questions.

 

4 thoughts on “How to edit the Intune Android Enterprise QR code

  1. Daniel Löfgren

    Hi.

    Could you assist how I would get a QR code with the device connect to a Wifi in the enrollment?

    Kind regards
    Daniel Löfgren

    Reply
  2. Unai

    Good afternoon,

    I scan the QR code from Intune, after editing the QR code, how can I upload or edit the new QR code created into Intune?

    I am not able to find the way to upload or modify the existing QR code in the system.

    Thanks in advance,

    Reply
  3. Aad Lutgert Post author

    Hi Unai,

    That’s correct. You cannot upload the QR code in Intune. You need to backup the QR code and distribute it in a different way.

    regards, Aad

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *