How to enroll Android devices in Hexnode MDM by configuring ROM

Flashing a custom ROM that includes Hexnode MDM as a system app is a foolproof method of enrollment. This method is used by enterprises collaborating with an OEM vendor. The device is manufactured with a specially configured ROM (Android firmware) in which all required permissions and privileges are already granted to Hexnode MDM. The device is automatically enrolled in Hexnode MDM when the user powers it on for the first time, and Hexnode acts like a normal system app on the device.

Step 1: Setting up the Android firmware

This process needs to be carried out by the device manufacturer.

Setting up Hexnode MDM app

  1. Build your own custom ROM using Android Open Source Project (AOSP) or download one tailored to meet your needs.
  2. Edit the ROM image and copy the Hexnode MDM APK to the system/priv-app folder.

    Ensure that you’ve copied the APK to the system/priv-app folder rather than the system/app or data/app folders, so that Hexnode MDM gets the privilege of silent app installation.

  3. Within the ROM image, grant the following permissions for the Hexnode MDM app:
    • Usage Access
    • Draw Over Other Apps
    • Modify system properties
    • Camera, contacts, phone, storage and location access permissions
    • Set Hexnode MDM as a device owner
    • Set Hexnode MDM as a Device Administrator
    • Block deactivating Device Administration for Hexnode MDM app
    • Set Hexnode MDM as the default launcher (Home app)
    • Turn the “Install from Unknown Sources” option on by default

Make sure you leave the Hexnode MDM app unsigned. If it is signed, updating the MDM app becomes impractical, because every new version of Hexnode MDM would need to be signed by the OEM vendor.

[Optional] Installing Hexnode Remote View

To enable Remote View, make sure Hexnode’s Remote View app is installed on the device.


Moving the Hexnode Remote View app to the system/priv-app folder makes it non-removable.

Hexnode MDM might require additional permissions as newer features are released.

To supply these permissions to Hexnode MDM automatically, we recommend that the Hexnode System Agent app be signed by the OEM vendor.

Make sure that

  • The Hexnode System Agent app is set as a Device Administrator, and
  • The ability to remove Device Administration is blocked for Hexnode System Agent.

Place the Hexnode service app in the system/priv-app folder.

Step 2: Installing configuration file

Before moving on, let’s see what happens when the device is turned on for the first time after this setup is complete. The device starts up in ‘Lost Mode’, showing nothing but options to connect to the internet. While in ‘Lost Mode’, users are restricted from accessing anything else on the device. The device is enrolled in Hexnode MDM once it establishes a connection with the Hexnode MDM servers over the internet.

Let’s head back to the original topic. Here’s how to install the configuration file to the device:

  1. Open your Hexnode MDM portal and navigate to Admin > ROM Enrollment and click on the Generate Configuration File button.
  2. Provide a password at the bottom of the screen. If the user finds a way to get past the ‘Lost Mode’ without connecting to the internet, this password can block that attempt.
  3. Download the ROM configuration file by clicking on the Generate Configuration File button just below the password field.
  4. Copy the file hex_rom_config.txt to the “system” folder on your Android device.

Check that the configuration file is named exactly hex_rom_config.txt; if it is not, rename it.

Step 3: Flashing the new ROM

Before flashing the new ROM, make sure the Hexnode MDM app can communicate with the Hexnode service app. Now, flash the newly deployed firmware onto the device, and… done.
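
The file placement from Steps 1 and 2 can be checked against the unpacked system image before it is flashed. The script below is an added example, not part of Hexnode's documentation or tooling; the function name and the APK file names passed to it are assumptions, since this page does not give the APK file names.

```shell
#!/bin/sh
# Added example: pre-flash layout check for an unpacked ROM "system" directory.
# Usage: check_rom_layout <system_dir> <apk_file_name>...   (APK names are caller-supplied)
check_rom_layout() {
    sysdir=$1; shift
    failures=0
    if [ ! -d "$sysdir/priv-app" ]; then
        echo "FAIL: $sysdir/priv-app does not exist"
        failures=$((failures + 1))
    fi
    for apk in "$@"; do
        # Accept priv-app/<apk> as well as priv-app/<dir>/<apk>.
        hit=$(find "$sysdir/priv-app" -type f -name "$apk" 2>/dev/null | head -n 1)
        if [ -z "$hit" ]; then
            echo "FAIL: $apk is not under system/priv-app"
            failures=$((failures + 1))
        else
            echo "OK:   $apk found at $hit"
        fi
        # The procedure requires priv-app, not system/app: flag a copy left there.
        stray=$(find "$sysdir/app" -type f -name "$apk" 2>/dev/null | head -n 1)
        if [ -n "$stray" ]; then
            echo "FAIL: $apk is also present at $stray"
            failures=$((failures + 1))
        fi
    done
    cfg="$sysdir/hex_rom_config.txt"
    if [ ! -s "$cfg" ]; then
        echo "FAIL: $cfg is missing or empty"
        failures=$((failures + 1))
        # Point out likely misnamed downloads such as "hex_rom_config (1).txt".
        for f in "$sysdir"/hex_rom_config*; do
            [ -e "$f" ] && [ "$f" != "$cfg" ] && echo "      misnamed candidate: $f"
        done
    else
        echo "OK:   $cfg present"
    fi
    [ "$failures" -eq 0 ]
}
# Run the check when the script is invoked with arguments.
if [ "$#" -gt 0 ]; then check_rom_layout "$@"; fi
```

The function returns non-zero if any check fails, so it can gate a build or flashing step.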