Eugene
Raynor

The big ‘HOWs’ of managing custom Android OS (custom ROM) in the workplace

Eugene Raynor

Jun 16, 2021

15 min read

Android devices are built to be customized. A well-recognized fact that even Google acknowledges. It’s the very reason there exists a remarkable open-source community for Android (the AOSP), filled with modders, developers, testers, and users from all around the world. It comes as no surprise then, that the choices for custom Android OS that exist today are innumerable.

But is custom Android OS viable in the workplace? What benefits do they provide that sets them apart from their stock counterparts? And the big one. How do you manage them? These are some of the issues that we shall try to assess in this blog.

What is a custom Android OS?

A custom Android OS (or, a custom ROM) is basically a personalized Android firmware, that’s designed based on the Android open-source code provided by Google. With this code, developers can design their own custom versions of Android, and flash them to the supported devices, to enable access to new features and functionalities that would otherwise be unavailable on the Android.

Is it safe to flash a custom ROM on your Android?

Well, safe is a matter of perspective. Before I get on to explain, I’ll just state that – officially, any modification to the device firmware is not recommended by Google. The reason being that, not all custom ROMs go through the same officially verified quality checks that the stock firmware goes through.

However, in my personal opinion, flashing a custom ROM on your Android is as safe as trusting your original stock firmware. That is, as long as you’re installing the right one. This statement strictly depends on the source from which you download the firmware.

If you’re downloading from a verified developer, you’ll be safe. Well, as safe as you can be. There is always a chance of vulnerabilities affecting your system, but this chance is more or less the same for both stock and custom firmware. Moreover, if the code for your custom ROM is open-sourced, vulnerabilities can be quickly identified and patched by developer communities.

Now, if you’re an IT admin who needs to manage your corporate Androids by configuring a custom ROM, you can contact your OEM vendor to carry out this process.

By using a UEM, and having the UEM app signed by your OEM vendor and placed in the system folder on your custom ROM image, you can enroll the Androids on first launch after flashing the firmware. Don’t follow? No worries. We’ll get to more on that later.

How to identify a ‘safe’ custom Android OS?

As an IT admin, the most sensible option to ensure that your custom Android OS is safe is to have it configured by your registered OEM vendor itself.

However, Google also holds another way to identify if your Android OS is reliable. Enter the SafetyNet APIs (special mention to the SafetyNet Attestation API), and Google’s Compatibility Test Suite (CTS).


If any Android with a custom ROM requires access to the applications and services offered by Google Mobile Services (GMS), it needs to pass the CTS tests for SafetyNet. Unless this test is passed, most of the secure applications and services – including banking apps on Google Play Store – will refuse to install or run on your custom-ROM enabled Android.

This is because, – among other reasons – custom ROM enabled Androids that don’t pass the CTS test, have a high chance of having the application sandboxing feature compromised. For banking apps, this means that all your transactions and banking details may be accessed by the rest of your device, or by third-party software. So yeah, SafetyNet is a critical check that will ensure the reliability of your custom Android OS.

8 benefits of flashing a custom Android OS

Benefits of flashing custom Android OS
Benefits of flashing custom Android OS
 

Access to latest software and OS updates

This is by far one of the most attractive reasons to flash a custom OS on your Android. Most manufacturers take a long time to deploy the latest software and OS update to their Androids. Especially if it’s the older models. Moreover, OS releases may be delayed in some regions, or sometimes completely unavailable. Patiently waiting for an anticipated update only to be disappointingly let down is something we all may have faced at some point.

Well not anymore! As soon as a new OS update is released, developers modify it to create a new custom Android OS, enabling end-users to access the new features and functionalities, even before it officially hits the shelves on their stock ROMs.

Access to additional features and functionalities

With new and updated software and OS comes access to additional features and functionalities, and the ability to tweak the Androids to your liking even further. Don’t want users to access the headphone jack? Disable it. Don’t like the volume warning when your headphones are plugged in? Get rid of it. Wanna run your apps in tablet mode? Just do it. There are very few limits to options you can tweak on a custom Android OS.

Remove Bloatware

Today, most Androids tend to come with a lot of pre-installed applications and software, most of which you may never use. These apps just end up being nothing but a source of revenue for manufacturers. Ergo – possibly why they’re there in the first place.

What is bloatware?

Bloatware is the term used for any software that uses a large amount of space, draining the devices’ battery and computing power that could have been used for other beneficial purposes.

Flashing a custom ROM enables you to remove this bloatware from your users’ Android, and retain only the applications you may need. This in turn reinforces your ITs’ ability to easily provision company endpoints with just the approved software.

Enhance device performance

By removing all that bloatware, custom ROMs enable you to eliminate all the useless clutter that pollutes your RAM and provisions memory for your essential applications and software to use. Moreover, with custom ROMs, users can overclock or underclock their Android depending on their ever-changing demands and ensure optimal performance at all times.

Provide a personalized experience

When it comes to the UI, most manufacturers can’t help but go overboard, presumably to make their Android stand out among all the competition, and that’s understandable. But sometimes, the folks at UI just can’t control themselves and ends up lighting up your device like a Van Gogh painting with all their tweaks and adjustments.

I’ve been on the receiving end and trust me, it’s not fun. If that’s your case, you can install a custom ROM on your Android and unlock access to a whole suite of customizable options, enabling you to personalize Android devices to your company requirements.

Improve battery life

This comes as maybe a subdivision of our earlier point. Less bloatware equals fewer battery-draining applications and hence, improved battery life. Underclocking your device also enables you to improve battery life in critical conditions.

Better Privacy and security

Now it’s true that if you own a smartphone, asking for privacy can be akin to asking Santa Claus for a rainbow-colored unicorn. In fact, I think he’d sooner get you the unicorn. But with a custom Android OS, you can to a certain limit, have a greater say in what data is accessible to third-party software. And if you need to ensure maximum privacy on your company Androids, I’d also suggest making use of a UEM solution to gain access to deeper options for securing your Androids.

Support for non-traditional peripherals

Manufacturers release devices such that their models usually stop receiving new updates after around 2 years of use. Also, unless you’re using a flagship device, the support period becomes considerably shorter. In such cases, installing a custom ROM on your non-traditional Androids enables you to receive updates that were not originally available for your device, along with proper support from the developers.

What’s the catch? – Things to consider before flashing a custom ROM

IT admin checking device specifications
IT admin checking device specifications
 

Requires a factory reset

Flashing a custom Android OS on your devices require a complete factory reset. So, in case your users have got some important information stored on their Androids, you’ll need to advise them to back up all their data to a temporary location until the flashing process is complete.

Chance to brick your device

When flashing a custom ROM by yourself, you run a high chance of bricking your device. Granted, if you choose the right ROM for the right model, follow the instructions to the letter, and stay away from the less popular ROMs, you’re bound to have a successful installation. However, there still rests the small chance that you may inadvertently brick the device.

Chance of hardware incompatibility

Custom ROMs will make changes to the software on your phone. So, there lies a small chance that some of your device hardware may become slightly unstable with your installed ROM. You might notice this in the form of apps force-closing, random bugs, reduced camera quality, and maybe even occasional restarts. However, this too depends on the custom ROM you have flashed. As long as you’ve chosen a popular ROM for your device (or a ROM configured by your OEM vendor), you won’t run into these problems. And even if you do, you’ll receive regular updates and bug fixes for your firmware.

Makes warranty invalid

Flashing a custom ROM that’s not approved by your device manufacturer will void the warranty on your Androids. You should make sure that users are aware of this clause before deciding to install a custom ROM.

Does not provide support for all applications and services

For security reasons, some applications will refuse to run on devices with a custom Android OS. This includes banking apps, apps with in-app purchases, apps that store personal information and more. In short, any app that examines the SafetyNet status of your device may not provide support on a custom ROM.

When should you flash a custom ROM on work devices?

Flashing a custom ROM
Flashing a custom ROM
 

To personalize the device to enterprise requirements

A custom Android OS equips enterprises with immense options to customize their work devices according to their corporate requirements. Remove certain device functionalities, personalize the UI, and more. All this becomes possible by flashing a custom ROM.

To get updates to latest security patches that would otherwise be unavailable

Stock Androids usually stop receiving software updates after a couple of years, and this may pose an issue if your enterprise requires their work devices to be updated to the latest security patches. This is where custom Android builds can help you. Custom ROM developers can provide software updates and patches along with support that would otherwise be unavailable on users’ devices.

To remove bloatware and unlock additional features on the device

You don’t want your enterprise endpoints to be filled with useless apps that take up both your space and your computing memory. Such applications may end up reducing your employee productivity. Devices with custom Android OS gets rid of all this bloatware and enables access to features and functionalities that would otherwise be unobtainable on stock Androids.

How to enroll devices with custom Android OS in Hexnode UEM?

Enroll custom ROM Android devices in Hexnode
Enroll custom ROM Android devices in Hexnode
 

Hexnode device admin enrollment

IT can enroll their custom Android OS devices in Hexnode as device admin, using a variety of methods, including enrolling using Active Directory credentials, self/Email/SMS enrollment and QR code enrollment. Rooted devices can be quickly identified and managed, enabling IT to easily monitor the status and health of custom Android OS devices.

To successfully complete the device admin enrollment process, the Android device should be able to grant all the permissions requested by the Hexnode app.

  • Device Administration
  • Usage access
  • Draw over other apps
  • Write system settings
  • Notification access
  • Allow app installation
  • Allow location, storage and phone permissions

Hexnode ROM configured enrollment

ROM configured enrollment is one of the easiest and foolproof methods of UEM enrollment that exists for Androids. This method is usually used by enterprises collaborating with an OEM vendor. (Pssst, this method usually requires no work from the IT admin.)

Try out Hexnode’s Android device management capabilities
So how does it work? Here, you purchase your required corporate Androids directly from your registered OEM vendor, and instruct them to flash a custom ROM to these Androids with Hexnode UEM as a pre-built system app. This ensures that all the required permissions are provided to the UEM app. Now, once the devices are shipped to the end-users, they will be automatically enrolled in the Hexnode portal when the user powers them on for the first time.

So here are the steps involved for ROM configured enrollment.

Step: 1 Edit custom ROM image. (This step is meant for your OEM vendor)

Edit and set up the custom ROM image for the Android, and copy the Hexnode UEM apk to the,

  • ‘system/priv-app’ folder for Android 5.0+. (This ensures that Hexnode UEM can perform silent app installation.)
  • ‘/system/app’ folder for Androids below OS 5.0.

Note

It is to be noted that every new version of Hexnode UEM needs to be signed by the OEM vendor. You will also need to manually update the Hexnode UEM app once the new versions are released. To avoid this troublesome process, we recommend going for the Hexnode Systems Agent app.


Grant the following permissions to the Hexnode UEM app.

Permissions

Optionally, you can also copy the Hexnode Remote view apk to the device, and make the app non-removable, by copying it to the ‘system/priv-app’ or ‘system/app folder’.

Step: 2 Send configuration file. (This step is meant for the IT admin)

Now, as the IT admin, you need to generate a configuration file from the Hexnode portal. Once you generate a new configuration file, you’re gonna have to provide a password for this file. Why? Cuz this password is important for when your end-users turn on their Androids for the first time. We’ll get to that part soon. Okay so once it is created, you download the configuration file and send it to your OEM vendor. That’s it. As the IT admin, your part in this affair is done.

Step: 3 Flash the custom ROM. (This step is meant for your OEM vendor)

Next, your vendor will have to make sure that the configuration file they received is named exactly as ‘hex_rom_config.txt’. No mistakes. Then, they must copy it to ‘system’ folder on the ROM image. Once that’s done, they flash the ROM to the required devices and done! All that’s left is to ship the Androids to your end-users.

So, what exactly happens at the user-end for this process? Alright so once your users receive their ROM configured Androids, naturally, they’ll turn it on.

When a ROM configured Android is turned on for the first time, it boots up into lost mode, with options to connect to the internet. Now, this is where the password you’ve set for the configuration file becomes relevant. Without access to the configuration file password, end-users cannot go out of lost mode.

Now, once the device connects to a network, the enrollment process begins, and as soon as the device is successfully enrolled to your Hexnode portal, it automatically leaves lost mode. All the policies and settings you’ve configured for your endpoints from the Hexnode portal, are applied over-the-air.

IT admins also have the option to leave these devices in lost mode even after the enrollment process is complete. This can be configured from the Hexnode portal.

If you’re building a custom ROM or downloading one from Android open-source project (AOSP)

Now, in case you plan to build a custom ROM by yourself, or download one from AOSP, you’ll need to perform the above-mentioned processes by yourself. However, it is worth noting that not all custom ROM images can be edited to add the Hexnode UEM agent as a system app. You will have to check with the developer before downloading.

Advantages offered by Hexnode’s ROM configured enrollment

With Hexnode’s ROM configured enrollment, enterprises are equipped with plenty of options to manage their corporate Androids, that would otherwise be impossible without using Android Enterprise enrollment.

Advantages

  • Silent app installation and uninstallation
  • App upgrading and downgrading
  • Remote actions
  • Lost mode activation
  • Make Hexnode MDM app non-removable
  • Enable/disable system bars when in kiosk mode

Summing up

Custom Android OSes are living testimony to the Android style of being open, free-for-all, and constantly evolving. They succeed in taking control from the manufacturers and returning it to the people, to decide how they would like software to be designed.

Enrolling Androids by configuring ROM offers enterprises with immense device management possibilities on par with most management solutions, just the way Google does with their Android Enterprise program.

Share
  •  
  •  
  •  
  •  
  •  
Eugene Raynor

Seeking what's there lurking over the horizon.

Share your thoughts