Deploy 50000 Android Devices: A Large-Scale Enrollment Guide
Massive Android Rollout: Automated Deployment FAQ
Deploying an Android fleet at a massive scale—like 50,000 devices—can feel like a monumental logistical challenge. Manual setup is not an option. Fortunately, Hexnode UEM provides several automated and bulk enrollment frameworks designed specifically to handle deployments of this size seamlessly, whether you are using standard Google-certified devices, custom-built hardware, or AOSP (Android Open Source Project) devices.
This FAQ is designed to guide IT Administrators through the entire lifecycle of a massive Android rollout.
Phase 1: Planning & Prerequisites
Q1: I have 50,000 Android devices arriving soon. What is the absolute first step I must take in Hexnode before unboxing anything?
For modern corporate deployments, your absolute first step is configuring your Android Enterprise organization within the Hexnode portal. Registering your organization (typically via a corporate Google account using Managed Google Play) establishes the foundation required to provision corporate-owned devices securely in “Device Owner” mode. If your fleet includes non-standard devices that don’t support Android Enterprise, you must instead start by configuring your basic open or authenticated enrollment settings within the Hexnode portal before distributing the hardware.
Phase 2: Choosing the Right Enrollment Mode
Q1: With so many enrollment options available, what is the absolute best enrollment type for deploying 50,000 corporate-owned devices?
For a massive corporate deployment, “Device Owner” (Fully Managed) mode is the gold standard. While other methods exist, Device Owner mode provides you with complete, device-level administrative control. Crucially, it is the only mode that unlocks automated, out-of-the-box bulk enrollment programs (like Android Zero-Touch and Samsung KME) that are strictly necessary for deploying thousands of devices efficiently.
Q2: What if a portion of these 50,000 devices actually belongs to the employees? Can we still manage them securely?
Yes. For employee-owned hardware, you should never use Device Owner mode. Instead, utilize the Android Enterprise Profile Owner method (often referred to as BYOD enrollment). Rather than taking full control of the device, this method creates a secure, isolated “Work Container” on the employee’s personal phone. Corporate apps and data live securely inside this container, while the employee’s personal apps and data remain completely private and inaccessible to IT.
Q3: We are providing the hardware, but we want to allow employees to use the devices for personal tasks too. Should we use the Profile Owner method for that?
No. Profile Owner is strictly for Bring Your Own Device (BYOD) scenarios where the user owns the hardware. If the company owns the devices but wants to permit personal use, you should deploy them as Work Profile on Company-Owned (WP-C) devices.
WP-C gives you the best of both worlds: IT retains overarching device-level control (such as enforcing core security policies or factory resetting the device if it’s lost), while the user gets a distinct, private personal profile alongside their secure work profile.
Phase 3: Executing Bulk Deployment
Q1: How do I avoid manually touching 50,000 screens? What is the fastest deployment method?
For a fleet of this size, you should exclusively use “out-of-the-box” deployment programs. The method depends on your device manufacturer:
- For Samsung devices: Use Samsung Knox Mobile Enrollment (KME).
- For non-Samsung devices (Android 8.0+): Use Android Zero-Touch Enrollment (ZTE).
Both programs allow you to link the devices' hardware identifiers to Hexnode UEM while the devices are still in the shrink wrap. When the end-user powers on a device and connects to Wi-Fi, the device automatically locks into Hexnode management and downloads your required apps and configurations.
Q2: Are there any purchasing requirements to use Zero-Touch or KME?
Yes. To use Android ZTE or Samsung KME, you must purchase your hardware from authorized enterprise resellers or carrier partners. The reseller is responsible for uploading the device serial numbers or IMEIs directly into your Zero-Touch or Knox portals.
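Because enrollment depends on the reseller's upload, it is worth reconciling the uploaded identifiers against your purchase order before devices ship. The following is an added example, not Hexnode, Google or Samsung code; the list layout and every IMEI in it are constructed sample values.

```python
import re

def luhn_ok(imei: str) -> bool:
    """True if imei is 15 digits ending in a valid Luhn check digit."""
    if not re.fullmatch(r"[0-9]{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def normalize(raw: str) -> str:
    """Drop the spaces and dashes that often survive in spreadsheets."""
    return re.sub(r"[\s-]", "", raw)

def reconcile(purchased, registered):
    """Compare purchase-order IMEIs with the IMEIs registered in the portal."""
    po = {normalize(x) for x in purchased}
    portal = [normalize(x) for x in registered]
    valid = {x for x in portal if luhn_ok(x)}
    return {
        "missing": sorted(po - valid),             # would boot as unmanaged devices
        "unexpected": sorted(valid - po),          # registered but not on the order
        "malformed": sorted(set(portal) - valid),  # likely typo in the upload
        "duplicates": sorted({x for x in portal if portal.count(x) > 1}),
    }

# Constructed sample data (not real devices).
PURCHASED = ["350000000000014", "350000000000022",
             "350000000000030", "350000000000048"]
REGISTERED = ["35-000000-000001-4", "350000000000022", "350000000000022",
              "350000000000031", "350000000000055"]

if __name__ == "__main__":
    for key, values in reconcile(PURCHASED, REGISTERED).items():
        print(key, values)
```

Any IMEI reported as missing or malformed should be corrected with the reseller before the device is handed to a user.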
Q3: We are working directly with an OEM to manufacture custom Android devices for this rollout. Is there a way to bypass standard enrollment entirely?
Yes. Hexnode supports ROM Configuration. You can provide the Hexnode MDM application APK and specific configuration files to your OEM. The manufacturer will pre-install the MDM/UEM profile directly into the device’s firmware (ROM). When the devices are shipped and powered on, they are automatically enrolled and managed by Hexnode UEM without any user intervention.
Phase 4: The End-User Experience & Device Variations
Q1: If we use Zero-Touch or KME, what exactly does the end-user have to do when they receive the device?
The experience is highly streamlined. The user simply powers on the device, connects to a Wi-Fi or cellular network, and follows the standard Android setup prompts. The device will automatically recognize it belongs to your organization, bypass standard consumer setup steps (like asking for a personal Google account), and prompt the user to authenticate to complete the Hexnode enrollment.
Q2: We have a mix of standard Androids and Amazon Fire OS tablets. Can we deploy the Fire OS devices using these same bulk methods?
No, Amazon Fire OS devices do not support Android Enterprise or Google Mobile Services (like Zero-Touch). To enroll Fire OS devices, you must rely on standard non-Android Enterprise enrollment methods. You can enable Open or Authenticated Enrollment in Hexnode, and users will simply open the Silk web browser on the Fire OS device, navigate to your specific Hexnode enrollment URL, and download the Hexnode UEM agent directly.
Phase 5: Fallbacks & Troubleshooting
Q1: We purchased a batch of devices from a standard retail vendor, not an authorized reseller. Since we can’t use Zero-Touch, how do we enroll these efficiently?
If ZTE or KME is unavailable, you will need to physically stage the devices using one of the following Device Owner provisioning methods:
- QR Code Enrollment (6-Tap Method): On the factory-reset welcome screen, tap the screen exactly 6 times. This launches a hidden QR reader. Scan a provisioning QR code generated from your Hexnode UEM portal. The device will automatically download the Hexnode app and enroll.
- DPC Identifier (afw#): On the welcome screen, when prompted to sign in with a Google Account, enter afw#hexnodemdm. This commands Google to download the Hexnode MDM agent and initiate the Device Owner setup.
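For the QR Code Enrollment method above: an Android Enterprise provisioning QR code encodes a JSON object of provisioning extras, so it can be checked before it is printed for a staging line. The linter below is an added example, not Hexnode's code or the portal's actual output; the component name, URLs and certificate bytes are constructed placeholders.

```python
import base64, hashlib, json, re
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"                # prefix of the Android extras
SHA256_B64URL = re.compile(r"[A-Za-z0-9_-]{43}=?")   # URL-safe base64 of 32 bytes

def lint_payload(text: str) -> list:
    """Return a list of findings for one QR provisioning payload."""
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return ["payload is not a JSON object"]
    findings = []
    if not data.get(P + "DEVICE_ADMIN_COMPONENT_NAME"):
        findings.append("missing device admin component name")
    url = data.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION")
    if url is not None:
        if urlparse(str(url)).scheme != "https":
            findings.append("agent download location is not HTTPS")
        sums = (data.get(P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"),
                data.get(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM"))
        if not any(isinstance(s, str) and SHA256_B64URL.fullmatch(s) for s in sums):
            findings.append("no valid SHA-256 checksum pins the agent APK")
    if data.get(P + "WIFI_PASSWORD"):
        findings.append("Wi-Fi password embedded in a scannable code")
    if data.get(P + "SKIP_ENCRYPTION") is True:
        findings.append("provisioning skips device encryption")
    return findings

# Constructed sample payloads; every name, URL and byte string is a placeholder.
CHECKSUM = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed signing certificate").digest()).decode().rstrip("=")
GOOD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.uemagent/.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://mdm.example.com/agent.apk",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": CHECKSUM,
})
BAD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.uemagent/.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "http://mdm.example.com/agent.apk",
    P + "WIFI_PASSWORD": "constructed-sample-only",
    P + "SKIP_ENCRYPTION": True,
})

if __name__ == "__main__":
    print(lint_payload(BAD))
```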
Q2: We have a subset of rugged, specialized Android devices that do not have cameras (so no QR codes) and do not support Google Mobile Services (no Play Store). How do we deploy these?
For non-GMS devices without cameras, you must manually sideload the Hexnode UEM app.
- Connect the device to a computer.
- Transfer the Hexnode MDM APK via USB or Android Debug Bridge (ADB).
- Install the APK.
Because it is a non-standard device, you may also need to use ADB commands to manually grant the Hexnode app the permissions it needs (like device admin and usage access) so that it functions correctly and has the necessary control over the hardware.
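When the APK is sideloaded, nothing verifies it unless the staging process does. This added example (not Hexnode's tooling) checks the APK against a pinned SHA-256 before building the adb steps described above; the package name, admin component and device serial are hypothetical placeholders to replace with the values for your agent build.

```python
import hashlib
import subprocess

# Placeholders (assumptions): use the package and admin receiver names of the
# agent build you were given; these are not taken from the page.
AGENT_PACKAGE = "com.example.uemagent"
ADMIN_COMPONENT = "com.example.uemagent/.AdminReceiver"

def sha256_file(path: str) -> str:
    """Hash the APK in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def staging_commands(apk_path: str, pinned_sha256: str, serial: str) -> list:
    """Build the adb steps, refusing an APK that fails the hash pin."""
    if sha256_file(apk_path) != pinned_sha256.strip().lower():
        raise ValueError(f"{apk_path}: SHA-256 does not match the pinned value")
    adb = ["adb", "-s", serial]          # always target one device explicitly
    return [
        adb + ["install", "-r", apk_path],
        # Device admin and usage access, the two grants the text mentions.
        adb + ["shell", "dpm", "set-active-admin", ADMIN_COMPONENT],
        adb + ["shell", "appops", "set", AGENT_PACKAGE, "GET_USAGE_STATS", "allow"],
    ]

def stage(apk_path: str, pinned_sha256: str, serial: str, run=subprocess.run):
    """Run each step in order; check=True stops at the first failing command."""
    for cmd in staging_commands(apk_path, pinned_sha256, serial):
        run(cmd, check=True)
```

Obtain the pinned hash over a separate channel from the APK itself, and disable USB debugging on the device once staging is complete.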