Category Filter

How to enroll Android devices by configuring ROM

Flashing a custom ROM to an Android device with Hexnode MDM as a system app is a foolproof method of enrollment. This enrollment method is used by Enterprises collaborating with OEM vendor. Here, a device is manufactured with specially configured ROM (Android firmware) with all permissions and privileges granted to Hexnode MDM. This device will be automatically enrolled in Hexnode MDM when the user powers on the device for the first time. Hexnode will act like a normal system app in this device.

Step 1: Setting up the Android firmware

This process needs to be carried out by the device manufacturer.

Setting up Hexnode MDM app

  1. Build your own custom ROM using Android Open Source Project (AOSP) or download one tailored to meet your needs.
  2. Edit the ROM image and copy Hexnode MDM APK to the system/priv-app folder.

    Ensure that you’ve copied the APK to the system/priv-app folder instead of system/app or data/app folders so that Hexnode MDM gets the privilege of silent app installation.

  3. Within the ROM image, grant the following permissions for Hexnode MDM app:
    • Usage Access
    • Draw Over Other Apps
    • Modify system properties
    • Camera, contacts, phone, storage and location access permissions
    • Set Hexnode MDM as a device owner
    • Set Hexnode MDM as a Device Administrator
    • Block deactivating Device Administration for Hexnode MDM app
    • Set Hexnode MDM as the default launcher (Home app)
    • Turn “Install from Unknown Sources” option On by default.

Make sure you leave the Hexnode MDM app unsigned. If signed, the MDM app update might not come in handy as every new version of Hexnode MDM needs to be signed by the OEM vendor.

[Optional] Installing Hexnode Remote View

To enable Remote View, make sure Hexnode’s Remote View app is installed on the device.


Moving Hexnode Remote View app to system/priv-app folder makes it non-removable.

[Optional] Setting up Vendor-specific service app (Recommended)

Hexnode MDM might call in for additional permissions as newer features are released.

To supply these permissions to Hexnode MDM automatically, we recommend Hexnode System Agent app to be signed by the OEM vendor.

Make sure that

  • The Hexnode System Agent app is set as a Device Administrator, and
  • The ability to remove Device Administration is blocked for Hexnode System Agent.

Place the Hexnode System Agent app in system/priv-app folder.

Step 2: Installing configuration file

Before moving on, let’s see what happens when the device is turned On for the first time after this set up is complete. The device starts up in ‘Lost Mode’ with nothing but several options to connect to the internet. While in ‘Lost Mode’, the users are restricted from accessing anything else on the device. The device gets enrolled in Hexnode MDM once the device establishes a connection with the Hexnode MDM servers over the internet.

Let’s head back to the original topic. Here’s how to install the configuration file to the device:

  1. Open your Hexnode MDM portal and navigate to Enroll > Platform – Specific > Android > Android ROM / OEM and click on Generate a new configuration file button.
  2. Provide a password at the bottom of the screen. If the user finds a way to get past the ‘Lost Mode’ without connecting to the internet, this password can block that attempt.
  3. Click on Generate a new configuration file button just below the password field.
  4. In the prompt that appears, click on Download file to download the ROM configuration file to your system.
  5. Copy the file hex_rom_config.txt to “system” folder on your Android device.


Check if the configuration file is named as hex_rom_config.txt and if not, please make sure that you change it.

Password Precedency

Once the device starts after setting up the Android firmware, it launches in lost mode with options to connect to the internet. As soon as the device connects to a network, it gets automatically enrolled in Hexnode MDM. In Admin > General Settings > Android Lost Mode Settings, there is an option to either enable or disable lost mode as soon as the device gets enrolled.
How to enroll Android devices in Hexnode MDM by configuring ROM

  • If the option Disable ‘Lost Mode’ on ROM-enrolled devices is left unchecked, the device remains in lost mode even after enrollment.
  • Conversely, if this option is checked, lost mode exits soon after the device gets enrolled in Hexnode MDM.

In case the device fails to connect to a secure network connection, device enrollment is blocked, and it remains in lost mode restricting the users from accessing the device. In such a scenario, configuration file password comes to play. Enter this password to exit lost mode for the device to function normally. Soon after the device connects to a steady internet source, it gets enrolled automatically.
How to enroll Android devices in Hexnode MDM by configuring ROM

Conditions when “Disable ‘Lost Mode’ on ROM-enrolled devices” option is left unchecked for an enrolled device:

  • When a kiosk exit policy (Policies > Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings > Kiosk exit password) is applied on the device- After device enrollment, enter the kiosk exit password to disable lost mode on the device.
  • When a kiosk exit policy is not applied on the device- After device enrollment, enter the Global Exit Settings (Android) password provided in Admin > General Settings to disable lost mode.

Step 3: Flashing the new ROM

Before flashing the new ROM, make sure the Hexnode MDM app can communicate with the Hexnode service app. Now, flash the newly deployed firmware on to the device, and… done.