How to Enroll Android Devices as Device Owner via Hexnode UEM

Enrolling a device as a Device Owner (DO) provides the organization with full administrative control over the hardware. Unlike Profile Owner (PO) mode, which is used for BYOD, Device Owner mode is designed for company-owned assets, removing personal apps and restricting the device to enterprise-approved applications only.

Pre-Enrollment Requirements

• Organization Registration: You must first enroll your organization in Android Enterprise.
• Device Status: The device must be new or factory reset. Remove all existing Google accounts before resetting.
• Supported OS Versions:
  • Samsung Knox: Android 6.0+ (Knox SDK 2.6+).
  • Standard Android: Android 5.0+.

Method 1: QR Code Enrollment (Android 7.0 and Later)

Using a QR code is the most efficient method to provision a device in Device Owner mode. This process bypasses manual account entry and automates the initial setup.

Phase 1: Hexnode UEM Portal Configuration

1. Locate the QR Code: Navigate to Enroll > Platform-Specific > Android > Android Enterprise > Organization.
   1. Alternative paths: Admin > Android Enterprise > Organization or Enroll > All Enrollments > Enterprise.



2. Select Enrollment Profile: Ensure the selected profile has the Management Type set to Device Owner.
3. Update Details: Changing the profile will automatically update the QR code to reflect your specific configurations (e.g., Wi-Fi settings).
4. Critical Retention: Do not delete the enrollment profile from the portal while devices are in the process of enrolling, or the setup will fail.

Phase 2: On-Device Enrollment Steps

1. Initialize Scanner: On the device’s “Welcome” screen, tap the screen 6 times in the same location. This triggers the automatic installation of a QR code reader.



2. Scan and Authenticate: Scan the QR code displayed in the Hexnode UEM portal (refer to Phase 1: Locate the QR Code).
3. Establish Connection:
   1. If the QR code contains Wi-Fi Network Configurations, the device will attempt to connect automatically.
   2. If no Wi-Fi is pre-configured, manually connect the device to a network when prompted.



4. Accept Terms: Tap Accept & Continue to proceed with the work profile creation.



5. Grant Permissions: Enable the required Hexnode UEM configurations, such as Device administration, Usage Access, Draw Over Apps, etc.



6. Completion: Tap Next. The enrollment is complete once the Work Account is generated on the device.

Method 2: DPC Identifier / “afw#hexnodemdm” (Android 6.0 and Later)

The DPC (Device Policy Controller) Identifier method allows IT admins to provision a device as a Device Owner manually by using a specialized Google-recognized tag. This method is ideal for devices that do not support QR code scanning at startup.

Step-by-Step Enrollment Procedure

1. Factory Reset: Begin with a new device or one reset to factory settings.
2. Initial Setup: Follow the on-screen prompts until you reach the Google Account (Sign-in) screen.
3. Enter DPC Identifier: In the email field, enter exactly: afw#hexnodemdm and tap Next.



4. Download Hexnode App: The device will recognize the identifier and prompt you to install the Hexnode for Work app. Tap Install and confirm.





5. Server Authentication: Once the app opens, authenticate using one of two methods:
   1. Manual: Enter your Hexnode Server Name.
   2. QR Scan: Scan the code found in the portal under Enroll > Platform-Specific > Android > QR Code, Email or SMS.



6. EULA Acceptance: Review and tap Agree to the Hexnode End-User License Agreement.



7. Provision Device Owner: Tap Continue twice to authorize Hexnode to set up the device in Device Owner Mode. This grants the organization full administrative control. Finally, tap SET UP to continue the installation process.





8. Grant System Permissions: To ensure full functionality, enable the following permissions when prompted:
   1. Device Administration & Notification Access
   2. Usage Access & Draw Over Other Apps
   3. Write System Settings



9. Finalization: Tap Next. Enrollment is complete once the Work Account is successfully generated.

Important Technical Notes

• Account Visibility: After using the afw#hexnodemdm method, a default Android Enterprise account may temporarily appear in the device settings. This will automatically be replaced once a specific user account is assigned.



• Device Variances: Some manufacturers may prompt for additional security permissions. Always Allow these requests to prevent enrollment interruptions.
• Pre-requisite: Ensure all personal Google accounts are removed before the factory reset to avoid FRP (Factory Reset Protection) lock issues.

Method 3: ADB Command Line (Android 5.0 and Later)

For devices running Android 5.0 (Lollipop) or later that do not support QR codes or DPC identifiers, the ADB (Android Debug Bridge) method is the standard way to provision a device as a Device Owner. This method requires a computer and a physical USB connection.

Phase 1: Prepare the Android Device

1. Factory Reset: Ensure the device is fresh from a factory reset and on the initial setup screen.
2. Enable Developer Mode: Navigate to Settings > System > About Phone.
   1. Tap Build Number seven (7) times until “Developer Options” are enabled.
3. Activate Debugging: Go to Settings > Developer Options and toggle USB Debugging to On.

Phase 2: PC Setup and Installation

1. Download Requirements:
   1. Download the Hexnode for Work APK.
   2. Install Android Debug Bridge (ADB) on your Windows, macOS, or Linux system.
2. Initialize ADB: Open your terminal or command prompt and navigate to your ADB directory:
   adb command to set adb location

   Shell

   cd C:\adb

   1	cd  C:\adb

3. Start ADB Server: Run the following command to begin the session:
   adb command to start server

   Shell

   adb start-server

   1	adb start-server

4. Install Hexnode App: Connect the device via USB and install the APK:
   adb command to install Hexnode app

   Shell

   adb install /path to HexnodeMDMWork.apk/

   1	adb install /path to HexnodeMDMWork.apk/

Phase 3: Granting Device Owner Privileges

1. Set Device Owner: Execute the following command to grant Hexnode full administrative control. Note: There should be no other accounts (like Gmail) on the device for this to succeed.
   adb command to set device owner

   Shell

   adb shell dpm set-device-owner com.hexnode.mdm.work/com.hexnode.mdm.receivers.HexnodeDeviceAdminReceiver

   1	adb shell dpm set-device-owner com.hexnode.mdm.work/com.hexnode.mdm.receivers.HexnodeDeviceAdminReceiver

2. Finalize in App: Open the Hexnode app on the device and enter your Server Name.



3. EULA Acceptance: Review and tap Agree to the Hexnode End-User License Agreement.



4. Grant System Permissions: Accept the EULA and enable the following settings when prompted:
   1. Device Administration
   2. Usage Access & Draw Over Apps
   3. Write System Settings & Notification Access



5. Complete Enrollment: Tap Next. The setup is successful once the Work Account is created.

Frequently Asked Questions (FAQs)

Q1. What is the difference between Device Owner and Profile Owner mode?

Device Owner (DO) is designed for corporate-owned assets, giving the organization full administrative control over the entire hardware. Profile Owner (PO) is intended for BYOD (Bring Your Own Device), where IT only manages a secure “Work Profile” container, leaving the user’s personal data private and untouched.

2. Does Device Owner enrollment always require a factory reset?

Yes. To establish the “chain of trust” and ensure that the MDM agent has primary authority over the hardware, Android requires the device to be in its “out-of-the-box” state. If a device is already in use, it must be factory reset before starting the enrollment process.

Trouble shooting

1. Error: “Unable to complete enrollment. Please contact your administrator for assistance.”

Context: Occurs during Android Enterprise enrollment (Device Owner or Work Profile on Company-Owned Device) via a Hexnode UEM Enrollment Profile.

Probable Cause

The enrollment profile was deleted or unassigned from the Hexnode UEM portal before the device could finish the setup process.

Solution

For IT Administrators:

• Maintain Assignment: Ensure the enrollment profile remains active and assigned in the portal throughout the entire process.
• Remediation: If the error persists, create a new enrollment profile, set it as the default, and have the user restart the enrollment from the beginning.

For Users:

• Contact your IT administrator. The profile may have been removed accidentally or intentionally, and they must reassign it before you can retry.

Need more help?

For detailed walkthroughs on specific enrollment hurdles, refer to these dedicated Hexnode resources:

• Common issues in Android Enterprise
• Common Issues in Android Enrollment