When a major defense organization deployed 500+ managed Android devices to field units operating on isolated internal networks, their IT team faced a constraint that eliminated every standard provisioning approach: no public internet on the enrollment network, no access to Google's Android Enterprise zero-touch infrastructure, and a deployment window that could not accommodate an IT technician spending 20 minutes with each device. The entire fleet was enrolled using CV MDM's QR-based zero-touch provisioning — on an air-gapped internal network — in a single operational day.
This article explains exactly how that works, what is inside the QR code, what happens on the device during enrollment, and how ongoing fleet management operates after the initial provisioning — all without a single outbound connection to the public internet.
What Is Zero-Touch Enrollment?
Zero-touch enrollment is a provisioning method where a device goes from factory-reset state to fully managed, policy-compliant, and application-loaded without any manual configuration steps by the person holding the device. The administrator generates a QR code from the MDM console once. A field operator scans it. Everything else — network join, APK download, verification, agent installation, Device Owner grant, policy sync, app deployment — is automated.
✕ Traditional Manual Enrollment
1. IT tech receives device
2. Powers on, works through 30-step setup wizard
3. Signs in with corporate account
4. Manually installs MDM app
5. Accepts device management prompt
6. Manually assigns device to group
7. Waits for policies to sync
8. Installs each application manually
✓ CV MDM Zero-Touch Enrollment
1. Field operator receives device
2. Taps screen 6 times on Welcome screen
3. Camera opens automatically
4. Scans QR code
5. Everything else is automated
What Is Actually Inside the QR Code?
The QR code is not a URL to a provisioning portal. It is a self-contained JSON payload encoding every piece of information the device needs to complete enrollment autonomously — network credentials, server address, application source, and cryptographic verification. There are no follow-up HTTP calls to external infrastructure required. Everything is either embedded in the payload or available on your internal server.
CV MDM QR Enrollment Payload — All Nine Fields
The Enrollment Flow, Step by Step
From factory reset to operational: here is exactly what happens during a CV MDM zero-touch enrollment, at each stage.
Factory Reset
Device is reset to factory state, or is brand new out of the box. No prior configuration. No previous enrollment.
Tap Six Times
On the Android setup wizard's Welcome screen, tap the screen six times in rapid succession. This activates Android's Device Owner provisioning mode and opens the camera for QR scanning.
Scan QR Code
The camera opens automatically. The operator scans the QR code from the administrator's screen or a printed sheet. No typing. No account credentials. One scan.
Auto Wi-Fi Join
The device reads Wi-Fi credentials from the QR payload and joins your internal network automatically. No manual password entry. The device is now on your LAN.
APK Download & Verify
Device downloads the MDM agent APK from your internal server over LAN. SHA-256 checksum is verified against the value embedded in the QR payload. If the checksum does not match, installation halts.
Device Owner Granted
The MDM agent installs with Device Owner privileges — the highest management authority on the Android platform. All policy APIs become available. The device is under full administrative control.
Policy Sync
Device contacts your MDM server on the same LAN, downloads its assigned configuration profile, and applies all policies: app restrictions, network policies, device settings, compliance rules.
App Deployment
All applications assigned to this device's group are silently downloaded from your server and installed without any user interaction. The operator does not touch the device during this phase.
Operational
Device is fully managed, all policies active, all assigned applications installed, registered in your MDM console with its IMEI, serial number, and assigned group. Ready for field use.
Total time from tap-six to operational: 90 seconds to 3 minutes depending on APK size and LAN speed. No IT technician required at the device side. No internet connectivity required at any step.
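The following is an added example, not CV MDM's own code, that ties the payload section above to the "APK Download & Verify" and "Automatic Device Naming" behaviour described on this page. The page does not list CV MDM's nine field names, so the top-level keys used here are Android's documented DPC provisioning extras; the keys inside the admin extras bundle (`server_url`, `name_template`), the agent component name, the server address and the APK bytes are constructed assumptions.

```python
"""Build the provisioning QR payload on the server, then replay the device-side
checksum gate that halts installation on a mismatch.  Illustrative code only."""
import base64
import hashlib
import hmac
import json

# Android-defined provisioning extras (real identifiers from the Android platform).
EXTRA_ADMIN_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRA_DOWNLOAD_LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_PACKAGE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRA_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
EXTRA_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
EXTRA_WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
EXTRA_ADMIN_BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"


def apk_checksum(apk_bytes: bytes) -> str:
    """SHA-256 of the APK file, URL-safe base64 without '=' padding (the encoding Android expects)."""
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_qr_payload(apk_bytes: bytes, server_url: str, ssid: str, psk: str,
                     agent_component: str) -> str:
    """Server side: every value the device needs, all pointing at LAN resources."""
    payload = {
        EXTRA_ADMIN_COMPONENT: agent_component,
        EXTRA_DOWNLOAD_LOCATION: f"{server_url}/agent.apk",   # internal APK host
        EXTRA_PACKAGE_CHECKSUM: apk_checksum(apk_bytes),
        EXTRA_WIFI_SSID: ssid,
        EXTRA_WIFI_PASSWORD: psk,
        EXTRA_WIFI_SECURITY: "WPA",
        EXTRA_ADMIN_BUNDLE: {                     # handed to the agent after install
            "server_url": server_url,             # hypothetical agent key
            "name_template": "FIELD-{serial}",    # hypothetical auto-naming key
        },
    }
    # Compact separators keep the QR module count, and therefore scan time, down.
    return json.dumps(payload, separators=(",", ":"))


def device_verify_download(qr_json: str, downloaded: bytes) -> bool:
    """Device side: install proceeds only if the LAN download matches the QR checksum."""
    expected = json.loads(qr_json)[EXTRA_PACKAGE_CHECKSUM]
    return hmac.compare_digest(apk_checksum(downloaded), expected)


def device_name(qr_json: str, serial: str) -> str:
    """Device side: self-identify in the console from the admin-bundle template."""
    template = json.loads(qr_json)[EXTRA_ADMIN_BUNDLE]["name_template"]
    return template.format(serial=serial)


# Constructed sample input: a stand-in for the agent APK bytes served from the LAN.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for the MDM agent apk"
SAMPLE_QR = build_qr_payload(SAMPLE_APK, "https://10.20.0.5:8443",
                             "FIELD-ENROLL", "constructed-psk",
                             "com.example.mdm/.AgentReceiver")   # placeholder component

if __name__ == "__main__":
    print(SAMPLE_QR)
    print("genuine download accepted:", device_verify_download(SAMPLE_QR, SAMPLE_APK))
    print("altered download accepted:", device_verify_download(SAMPLE_QR, SAMPLE_APK + b"x"))
    print("console name:", device_name(SAMPLE_QR, "ABC123"))
```

The checksum gate is what makes the internal APK host untrusted-by-default: anyone who can serve bytes on the LAN still cannot get a modified agent installed, because the expected digest travels inside the QR code the administrator generated, not over the network.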
Why QR-Based Enrollment Works Without Internet
This is the architecturally critical distinction. Google's Android zero-touch enrollment and Samsung Knox Mobile Enrollment both require outbound connectivity to vendor-operated cloud infrastructure during the provisioning process. The device must reach Google's or Samsung's servers to complete enrollment. On an air-gapped network, those connections fail — and enrollment does not complete.
CV MDM's QR approach eliminates this dependency entirely. The QR payload embeds everything the device needs to complete enrollment: the server address (your internal IP or hostname), the Wi-Fi credentials (for your internal network), the APK source URL (your internal server), and the cryptographic checksum. Every resource the device contacts during enrollment — the Wi-Fi access point, the APK host, the MDM server — lives on your LAN. There are no external lookups, no vendor cloud calls, no DNS resolution to public domains.
✕ Google / Knox Zero-Touch
- Device contacts Google or Samsung servers during provisioning
- Enrollment fails on air-gapped networks
- Requires pre-registration of device IMEIs with vendor portal
- Internet connectivity is a prerequisite, not an option
✓ CV MDM QR Enrollment
- Every resource needed for enrollment is on your internal server
- Works on fully air-gapped networks with no outbound connectivity
- No pre-registration with any vendor portal required
- Internet connectivity is irrelevant to the enrollment process
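The air-gap property described above is easy to break with one mistyped URL in a payload. Here is an added lint, not part of CV MDM, that walks a provisioning payload before it is printed and reports every URL whose host is not a private-range IP literal or a name inside your internal DNS zone. The zone suffix `.corp.internal`, the sample payloads and the `server_url` bundle key are constructed assumptions.

```python
"""Reject provisioning payloads that reference any host outside the LAN.  Illustrative code."""
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: the DNS zone(s) your internal resolver is authoritative for.
INTERNAL_DNS_SUFFIXES = (".corp.internal",)


def host_is_internal(host: str, suffixes=INTERNAL_DNS_SUFFIXES) -> bool:
    """True for RFC 1918 / ULA / link-local IP literals, or names inside an internal zone."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a hostname is acceptable only if your own resolver owns it.
        return host.lower().endswith(tuple(s.lower() for s in suffixes))
    return addr.is_private or addr.is_link_local


def external_references(payload, suffixes=INTERNAL_DNS_SUFFIXES):
    """Walk every string in the payload; return (json_path, host) for each non-LAN URL."""
    findings = []

    def walk(value, path):
        if isinstance(value, dict):
            for key, item in value.items():
                walk(item, f"{path}.{key}" if path else key)
        elif isinstance(value, list):
            for i, item in enumerate(value):
                walk(item, f"{path}[{i}]")
        elif isinstance(value, str) and "://" in value:
            host = urlsplit(value).hostname or ""
            if not host_is_internal(host, suffixes):
                findings.append((path, host))

    walk(payload, "")
    return findings


def lint_qr_json(qr_json: str, suffixes=INTERNAL_DNS_SUFFIXES):
    """Convenience wrapper for the JSON string that will be encoded into the QR code."""
    return external_references(json.loads(qr_json), suffixes)


# Constructed payloads: one air-gap safe, one that would silently depend on the internet.
SAFE = {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://10.20.0.5:8443/agent.apk",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
        {"server_url": "https://mdm.corp.internal"},   # hypothetical agent key
}
LEAKY = {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://downloads.example.com/agent.apk",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
        {"server_url": "https://10.20.0.5:8443"},
}

if __name__ == "__main__":
    print("safe payload findings: ", external_references(SAFE))
    print("leaky payload findings:", external_references(LEAKY))
```

Run it against the exact JSON you are about to encode. A hostname that passes this check still has to be resolvable by the resolver the enrollment Wi-Fi hands out, so the lint complements, rather than replaces, a test scan on the staging network.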
Fleet Management After Enrollment
Enrollment is the beginning. All ongoing management is equally network-isolated — every management channel runs between your devices and your server, over your LAN, with no external dependency at any point in the device lifecycle.
Policy Updates
Pushed from your server to devices over LAN via MQTT on port 31000. Policy changes reach devices within seconds of being applied from the console.
App Updates
New APK version uploaded to your server. Devices notified via MQTT. Download and install silently on next connection — no user action required.
Remote Commands
Wipe, lock, and reboot commands sent from your server, received via MQTT even if a device has been offline and just reconnected. Commands are queued and delivered on reconnection.
Location Tracking
Periodic GPS reports sent from devices to your server on your internal network. No external location service involved.
Compliance Monitoring
Devices report policy compliance status on every sync. Non-compliant devices are flagged in your console and can trigger automated response policies.
Audit Logging
All device events, policy applications, and admin actions are logged to your PostgreSQL database. Full audit trail stored on your hardware under your control.
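The "queued and delivered on reconnection" behaviour under Remote Commands has a consequence worth seeing in code: at-least-once delivery means a device can receive the same command twice (for example when its acknowledgement is lost), so the agent must de-duplicate by command id. The following is an added model of that store-and-forward exchange, not CV MDM's implementation; in MQTT terms it is what a persistent session with QoS 1 provides, modelled here without a broker so it runs offline. Device ids and actions are constructed.

```python
"""Server-side command outbox plus device-side de-duplication.  Illustrative code."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Command:
    id: int          # monotonically increasing per server, never reused
    device_id: str
    action: str      # e.g. "lock", "wipe", "reboot"


class CommandOutbox:
    """Server side: per-device queue that outlives the device being unreachable."""

    def __init__(self):
        self._ids = count(1)
        self._pending = {}   # device_id -> {command_id: Command}

    def enqueue(self, device_id: str, action: str) -> Command:
        cmd = Command(next(self._ids), device_id, action)
        self._pending.setdefault(device_id, {})[cmd.id] = cmd
        return cmd

    def on_connect(self, device_id: str) -> list:
        """Everything not yet acknowledged is (re)delivered in id order on reconnect."""
        queue = self._pending.get(device_id, {})
        return [queue[i] for i in sorted(queue)]

    def ack(self, device_id: str, command_id: int) -> None:
        self._pending.get(device_id, {}).pop(command_id, None)


class DeviceAgent:
    """Device side: because delivery is at-least-once, duplicates must be harmless."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.seen_ids = set()   # persisted on a real device so dedupe survives reboot
        self.executed = []

    def handle(self, cmd: Command) -> bool:
        """Execute a command once; return False for a replayed duplicate."""
        if cmd.id in self.seen_ids:
            return False
        self.seen_ids.add(cmd.id)
        self.executed.append(cmd.action)
        return True


def simulate_offline_then_reconnect():
    """Commands issued while offline, one lost ack, then a second reconnect."""
    outbox = CommandOutbox()
    agent = DeviceAgent("dev-42")
    outbox.enqueue("dev-42", "lock")       # admin acts while the device is out of range
    outbox.enqueue("dev-42", "reboot")
    first = outbox.on_connect("dev-42")    # device comes back: both commands delivered
    for cmd in first:
        agent.handle(cmd)
        if cmd.action != "reboot":         # constructed fault: the reboot ack is lost
            outbox.ack("dev-42", cmd.id)
    second = outbox.on_connect("dev-42")   # next reconnect: only the unacked one remains
    for cmd in second:
        agent.handle(cmd)                  # dedupe prevents a second reboot
        outbox.ack("dev-42", cmd.id)
    return agent.executed, [c.action for c in second], outbox.on_connect("dev-42")


if __name__ == "__main__":
    executed, redelivered, remaining = simulate_offline_then_reconnect()
    print("executed on device:", executed)
    print("redelivered after lost ack:", redelivered)
    print("still pending:", remaining)
```

The `seen_ids` set is the part most often skipped: without it, a lost acknowledgement turns a single reboot or wipe into two, which is exactly the failure a field unit on a flaky link will hit first.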
Practical Considerations for Large Deployments
Deploying 500 devices in a day is operationally straightforward once the server is configured. Here are the logistics that make large-scale zero-touch rollouts work in practice.
Print QR Codes
Generate one QR code per configuration profile. Print, laminate, and distribute to deployment team leads. Printed QR codes are durable, require no screen, and can be used by any operator in any location on your network.
Staging Area Setup
Set up a single Wi-Fi access point on your internal network in a designated enrollment area. Devices are scanned there and distributed to their assigned units. The only network requirement is that devices at this staging point can reach the internal LAN over Wi-Fi.
Parallel Enrollment
Ten people with ten printed QR codes can enroll ten devices simultaneously. Each scan initiates an independent enrollment sequence. There is no serialization bottleneck. Throughput scales linearly with the number of operators in the staging area.
Automatic Device Naming
Configure IMEI-based or serial-number-based auto-naming in the QR payload so devices self-identify in your console at enrollment time. No manual naming step. The console inventory is populated correctly from the first contact.
