Get Started
MDM
field note · MDM

QR Codes for Device Enrolment: Yes or No?

QR codes for device enrolment: yes for non-touch corporate Android and Windows BYOD, no for sensitive scenarios where SAML SSO and DEP are stronger.

Paul Ogier · founder 08 May 2026 6 min read

TL;DR

Yes for non-touch corporate Android enrolment and Windows BYOD self-service, where the QR code is a faster swap-in for zero-touch and Autopilot. No for security-sensitive fleets, where SAML SSO plus ABM/DEP gives a stronger identity guarantee than a token in a square. And a permanent no for an unverified QR code stuck on a desk, in a Slack channel, or printed in the staff-room. That last one is just an unauthenticated enrolment portal with stickers.

What’s a QR-code enrolment actually doing?

Strip the magic away. A QR code is a URL plus an enrolment token, in a 2D barcode. The phone’s camera reads it, the device-policy controller (Android) or the OOBE flow (Windows) hits the URL, presents the token, and pulls a config profile. The device is enrolled. That’s the whole trick.

The token is the security boundary. Not the camera. Not the printout. Not the helpdesk person watching. The token. Whoever has it can enrol a device into the tenant under whatever identity the token grants. Often “anyone, this group”, because per-user binding needs SSO wired in and most rollouts skip that bit.

So when somebody asks “are QR codes safe for MDM enrolment?”, the honest reframe is: “is the token behind your QR code safe?” Different question. Grumpier answer.

Where QR codes earn their place

Three real wins.

Android Enterprise, corporate-owned, no Google account. The official afw#setup flow uses a QR code on the welcome screen of a factory-reset Android device. Hexnode and Intune both support it. For SMBs without Samsung Knox Mobile Enrolment or zero-touch entitlement from the OEM, this is the cleanest path to fully managed Android. Box, factory reset, six-tap to scan, done.

Windows BYOD self-service. Intune Company Portal can render an enrolment QR or a deep link the user clicks from a corporate intranet. User on their personal laptop scans, signs in with their work account, gets MAM-WE policies pushed. No helpdesk visit. Reasonable.

Kiosk and conference-room provisioning. Single-purpose Android tablets for boardroom signage, warehouse scanners, retail point-of-sale. Forty of them in an afternoon. A QR taped to the imaging trolley, scoped to one OU, beats touching each device by hand.

In all three the QR replaces something worse: manual config, reseller intervention, or a paid zero-touch SKU you don’t have. Not the most secure option. The least bad in that scenario.

Where QR codes are a security risk

Here’s the bit that earns this post the RANT tag.

A QR code on a sticky note that says “enrol your phone here” is, functionally, an unauthenticated enrolment portal. Anyone walking past, contractor, cleaner, journalist on a tour, can scan it. If the token has long-lived validity, a generic group, and no second factor, that scan succeeds. The attacker now has an enrolled device inside your tenant. Probably with a corporate certificate. Possibly with mail.

The variants we’ve seen in the wild:

  • A printed QR taped to the IT-room door, generated three years ago, still valid.
  • A QR on a Confluence “Welcome to the Company” page, exposed on the public internet because permissions drifted in 2022.
  • A QR in a #new-starters Slack channel, joinable by every contractor on the books.
  • A QR in a PDF emailed to staff, then forwarded to spouses, then forwarded again.
  • A QR on the IT-team’s whiteboard, captured in a Zoom recording the marketing team posted to YouTube.

Every one of these is an enrolment URL plus a static token. The QR is a delivery mechanism. The mechanism is fine. The token policy is the catastrophe.

What an attacker actually does with a leaked enrolment QR code

A walkthrough. Nothing exotic.

  1. Attacker spots a QR in a photo, a PDF, or a public wiki. Pulls the URL out with any decoder.
  2. Token validity check. Most tokens last weeks or months. Some, for life. They now know whether they’re racing or strolling.
  3. Factory-reset a burner Android, scan, watch it enrol against your tenant. If enrolment doesn’t require a per-user sign-in, they’re now an enrolled device in whatever group the token assigns. Often “All Mobile Devices”. Often a Conditional Access rule treats “compliant + enrolled” as trusted.
  4. Wi-Fi profile pushed by MDM with the PSK or 802.1X cert. VPN profile pushed. App configs pushed, some with API keys baked into the JSON. Mail auto-configured against Exchange Online.
  5. They pivot. The enrolled device dumps the Wi-Fi creds, harvests app configs, walks back out.

No zero-days needed. A QR with a long-lived group-scoped token and a Conditional Access posture that trusts “enrolled” as “legitimate” is enough.

What you should do instead

Five rules, in order of how much they cost you.

Rotate enrolment tokens. Default lifetime in Hexnode and Intune is too long for posters on walls. Days, not years. Fresh one per batch, burned after.

Time-limit the QR. Most platforms support explicit token expiry. Use it. A 24-hour window means a leaked QR is a 24-hour problem, not a 24-month one.

Require a second factor at enrolment. Bind the QR to a per-user sign-in. The token starts the flow; the user’s MFA-protected work account finishes it. The single highest-impact change you can make.

Use supervised enrolment where the platform offers it. Apple Business Manager (ABM) for iPhones, iPads, Macs: reseller registers the device against your organisation before it ships. No QR. Apple Configurator handles retrofit. For Android, zero-touch via a Google-approved reseller (Samsung, Pixel, friends). For Windows, Autopilot via OEM hardware-hash registration, self-deploy or pre-provision for volume. All three are stronger than QR because the device is cryptographically tied to your tenant before anyone sees it.

Treat the QR as a backup, not the front door. Supervised-first, QR-fallback. Zero-touch / ABM / Autopilot for the bulk; QR for the few stragglers that didn’t make OEM registration, scoped tight and rotated after use.

When QR codes are fine

Three scenarios where we use them happily.

  • One-shot setup events with the IT admin in the room. A 30-device Android rollout, IT in the room, QR generated that morning, expires that afternoon. Nobody scans without IT watching. Token revoked at the end. Real risk: low.
  • Supervised single-purpose Android, kiosk mode. The device leaves the IT bench locked into one app. If the token leaks afterwards, the only thing it enrols is another kiosk-mode tablet, which is its own audit trail.
  • Internal-only Windows BYOD via Intune Company Portal. The deep link or QR sits behind your SSO-protected portal. To get to the QR you’ve already authenticated. The QR is shorthand, not a credential.

The common thread: short-lived, scope-bounded, or behind authentication. The QR is not the security boundary. Something else is.

The TL;DR

QR codes are fine plumbing. A URL plus a token in a square. They become dangerous when the organisation forgets that the token is the actual credential, and starts treating the square like a magic key. For corporate-owned Android without zero-touch, and for Windows BYOD self-service, scan away. For security-sensitive scenarios use ABM/DEP, zero-touch, or Autopilot: cryptographically tied to the device hardware before the user touches it. If there’s a printed QR stuck to the IT-room door right now, take a photo for the laugh, then revoke that token.

Not sure which bucket your enrolment posture lives in? Book a 30-minute enrolment posture audit. We’ll walk your Hexnode or Intune tenant, list every active enrolment token, flag the ones too long-lived or too broadly scoped, and write the fix into a one-pager. No pitch. See also the MDM page, Hexnode, Intune, and the broader services hub.

QR codes for enrolment? Yes. Sometimes. With caveats. Mostly: please rotate the token.

More in this series: MDM

  1. A Practical Guide to Mac Compliance with Hexnode and Intune
  2. You Knew This Vendor Would Hold Your Data Hostage. You Signed Anyway.
  3. How to Manage FileVault With Hexnode
  4. The Unlucky Teacher Problem: Inheriting IT You Didn't Ask For
  5. How to Manage BitLocker With Hexnode
  6. Locking Down Windows Devices With Password and Screensaver Policies via Hexnode
  7. Managing Windows Update and Settings From Hexnode
  8. The IT Person Who Left 18 Months Ago Is Still Costing You Money
  9. Hexnode vs Intune: Choosing the Right MDM for Mixed Apple and Windows Fleets
  10. QR Codes for Device Enrolment: Yes or No? (Current)
  11. Bitdefender Housekeeping We Wish Every Client Did
  12. Google Workspace Pain: What We See in the Wild
  13. Full Disk Encryption: Should Bitdefender or Intune Manage It?
// filed under mdm back to field notes
keep reading

More field notes

all posts →
// mdm
// mdm 12 min

A Practical Guide to Mac Compliance with Hexnode and Intune

May 2026 Read →
// endpoint security 5 min

Bitdefender Housekeeping We Wish Every Client Did

May 2026 Read →
// google workspace 6 min

Google Workspace Pain: What We See in the Wild

May 2026 Read →

Ready to migrate?

Whether you need a full M365 migration plan or a security audit, our team is ready to architect your cloud future.

Email us directly support@osh.co.za