I was digging through the enrollment settings today and saw a section for “ROM Enrollment“.
I’ve done Android Enterprise and Zero-Touch, but I’ve never really understood what ROM enrollment is for. Is this just an old legacy method, or is there a specific reason I should be using it? It sounds like something that requires rooting the device?
35 Views
It’s definitely not a legacy thing! It’s actually the “nuclear option” for device security.
“ROM Enrollment” basically means the Hexnode agent is baked into the actual OS firmware (the Read-Only Memory) by the manufacturer (OEM) before the device even leaves the factory.
We use this for our rugged Zebra scanners. Because the app is installed as a System App (located in the /system/app folder), users can’t uninstall it, and it gets elevated privileges automatically without asking the user for permission.
The biggest reason to use it is Factory Reset Protection. If I steal a standard Android phone and factory reset it, the MDM is gone. I have a free phone. But on a ROM-enrolled device, if a thief factory resets it, the device wipes everything except the system’s partition. So, when it reboots, the Hexnode agent is still there, wakes up, and immediately re-locks the device. It makes the device useless to anyone but you.
Oh wow, okay. So, it’s basically permanent management.
Does that mean I have to ship my devices to the manufacturer to get this done?
Usually, yes. You typically work with the OEM (like Samsung or a generic Android manufacturer) when you are placing a bulk order. You give them the Hexnode APK, and they flash it into the system’s image during production.
Pro Tip: If you go on this route, ask the OEM to also include the Hexnode System Agent app in the ROM, not just the main MDM app.
Updating a “System App” later can be a nightmare because the signatures have to match the firmware exactly. The System Agent acts as a bridge, so you can push updates to the main Hexnode app remotely without needing to re-flash the whole OS.
Don't have an account? Sign up
