Category Filter

How to enroll Android devices by configuring ROM

Flashing a custom ROM to an Android device with Hexnode MDM as a system or privileged app is a foolproof method of enrollment. This enrollment method is used by enterprises collaborating with OEM vendor. Here, a device is manufactured with specially configured ROM (Android firmware) with all permissions and privileges granted to Hexnode UEM. This device will be automatically enrolled in Hexnode UEM when the user powers on the device for the first time. Hexnode MDM app will act like a normal system or privileged app on this device.

Step 1: Setting up the Android firmware

This process needs to be carried out by the device manufacturer.

Setting up Hexnode MDM app

  1. Build your own custom ROM using Android Open-Source Project (AOSP) or download one tailored to meet your needs.
  2. Edit the ROM image and copy Hexnode MDM APK to the /system/priv-app or the /system/app folder.
    • If your device is running Android 5.0 or later, ensure that you’ve copied the APK to the /system/priv-app folder instead of /system/app or /data/app folders so that Hexnode UEM gets the privilege of silent app installation.
    • If your device is running OS below Android 5.0, copy the APK to /system/app folder for the device enrollment.
  3. Within the ROM image, grant the following permissions for Hexnode MDM app:
    • Usage Access
    • Draw Over Other Apps
    • Modify system properties
    • Camera, contacts, phone, storage and location access permissions
    • Set Hexnode UEM as a device owner
    • Set Hexnode UEM as a Device Administrator
    • Block deactivating Device Administration for Hexnode MDM app
    • Set Hexnode UEM as the default launcher (Home app)
    • Turn “Install from Unknown Sources” option On by default.

Make sure you leave the Hexnode MDM app unsigned. If signed, the MDM app update might not come in handy as every new version of Hexnode UEM needs to be signed by the OEM vendor.

[Optional] Installing Hexnode Remote View

To enable Remote View, make sure Hexnode’s Remote View app is installed on the device.


Moving Hexnode Remote View app to /system/priv-app or /system/app folder makes it non-removable.

[Optional] Setting up Vendor-specific service app (Recommended)

Hexnode UEM might call in for additional permissions as newer features are released.

To supply these permissions to Hexnode UEM automatically, we recommend Hexnode System Agent app to be signed by the OEM vendor.

Make sure that

  • The Hexnode System Agent app is set as a Device Administrator, and
  • The ability to remove Device Administration is blocked for Hexnode System Agent.

Make the Hexnode System Agent app a privileged app on devices running Android 5.0 or later, and system app on devices running below Android 5.0.

Step 2: Installing configuration file

Before moving on, let’s see what happens when the device is turned On for the first time after this set up is complete. The device starts up in ‘Lost Mode’ with nothing but several options to connect to the internet. While in ‘Lost Mode’, the users are restricted from accessing anything else on the device. The device gets enrolled in Hexnode UEM once it establishes a connection with the Hexnode MDM servers over the internet.

Let’s head back to the original topic. Here’s how to install the configuration file to the device:

  1. Open your Hexnode MDM portal and navigate to Enroll > Platform – Specific > Android > Android ROM / OEM and click on Generate a new configuration file button.
  2. Provide a password at the bottom of the screen. If the user finds a way to get past the ‘Lost Mode’ without connecting to the internet, this password can block that attempt.
  3. Click on Generate a new configuration file button just below the password field.
  4. In the prompt that appears, click on Download file to download the ROM configuration file to your system.
  5. Copy the file hex_rom_config.txt to “system” folder on your Android device.


Check if the configuration file is named as hex_rom_config.txt and if not, please make sure that you change it.

Password Precedency

Once the device starts after setting up the Android firmware, it launches in lost mode with options to connect to the internet. As soon as the device connects to a network, it gets automatically enrolled in Hexnode UEM. In Admin > General Settings > Android Lost Mode Settings, there is an option to either enable or disable lost mode as soon as the device gets enrolled.
How to enroll Android devices in Hexnode UEM by configuring ROM

  • If the option Disable ‘Lost Mode’ on ROM-enrolled devices is left unchecked, the device remains in lost mode even after enrollment.
  • Conversely, if this option is checked, lost mode exits soon after the device gets enrolled in Hexnode UEM.

In case the device fails to connect to a secure network connection, device enrollment is blocked, and it remains in lost mode restricting the users from accessing the device. In such a scenario, configuration file password comes to play. Enter this password to exit lost mode for the device to function normally. Soon after the device connects to a steady internet source, it gets enrolled automatically.
How to enroll Android devices in Hexnode MDM by configuring ROM

Conditions when “Disable ‘Lost Mode’ on ROM-enrolled devices” option is left unchecked for an enrolled device:

  • When a kiosk exit policy (Policies > Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings > Kiosk exit password) is applied on the device- After device enrollment, enter the kiosk exit password to disable lost mode on the device.
  • When a kiosk exit policy is not applied on the device- After device enrollment, enter the Global Exit Settings (Android) password provided in Admin > General Settings to disable lost mode.

Step 3: Flashing the new ROM

Before flashing the new ROM, make sure the Hexnode MDM app can communicate with the Hexnode service app. Now, flash the newly deployed firmware on to the device, and… done.