For Android hardware manufacturers, delivering a managed fleet to enterprise customers can be challenging, as AOSP does not include an MDM provisioning framework out of the box. As a result, OEMs often have to invest in expensive firmware customization, which can prevent them from fulfilling otherwise profitable enterprise orders.

Workarounds for AOSP

To enable management of AOSP-based Android devices, MDM vendors typically implement workarounds, such as tools that simplify ADB-assisted MDM installation or embedding the MDM agent into the ROM. Headwind MDM supports three approaches for managing custom Android devices:

  1. Using ADB (Android Debug Bridge, the command-line tool shipped with Android Studio) to promote an installed MDM application to Device Owner.
  2. Using the native AOSP Provision tool to install the MDM agent with elevated permissions.
  3. Signing the MDM agent with platform (“system”) keys and running it with system permissions, allowing it to promote itself to Device Owner.
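Because a platform-signed agent (approach 3) runs with system permissions and can promote itself to Device Owner, an OEM's preinstall step should confirm that the APK really carries the platform signing certificate and not some other key. The following POSIX shell script is an added example, not code from the Headwind MDM page or project; it parses the `--print-certs` output of `apksigner` (from the Android SDK build-tools) and the sample output and digest values embedded in it are constructed, not real certificate data.

```shell
#!/bin/sh
# Gate a platform-signed MDM agent before firmware preinstall: every signer
# certificate reported by apksigner must match the OEM platform certificate.
# Assumptions: apksigner and openssl are on PATH for the real run; file
# paths below are placeholders.

# Print the hex SHA-256 digest of each signer certificate found in
# `apksigner verify --print-certs` output read from stdin (lower-cased).
signer_sha256_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9a-fA-F]*\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Succeed (exit 0) only if at least one signer was found and every signer
# digest equals the expected platform digest given as $1; apksigner output
# is read from stdin.
signers_match_platform() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    found=0
    for d in $(signer_sha256_digests); do
        found=1
        [ "$d" = "$expected" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Constructed sample (not a real certificate digest) for offline use.
PLATFORM_DIGEST='0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9'
SAMPLE_OUTPUT="Signer #1 certificate DN: CN=Android, OU=Android, O=Android
Signer #1 certificate SHA-256 digest: $PLATFORM_DIGEST
Signer #1 certificate SHA-1 digest: 1234567890abcdef1234567890abcdef12345678"

# Real-world usage against an actual APK and the OEM's platform certificate:
#   expected=$(openssl x509 -in platform.x509.pem -noout -fingerprint -sha256 \
#              | sed 's/.*=//; s/://g')
#   apksigner verify --print-certs mdm-agent-platform.apk \
#       | signers_match_platform "$expected" && echo "OK: platform-signed"
```

`apksigner verify` already rejects APKs whose signatures do not validate; the digest comparison adds the identity check that the valid signature was made with the platform key rather than any other key.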

Best Practices for Custom Device Enrollment

Building a custom MDM agent in the cloud

In practice, enterprise customers rarely persuade OEMs to modify their firmware and include the provisioning tool. The ADB-based approach is also labor-intensive and is impractical for organizations managing thousands of devices. As a result, the most common provisioning method for special-purpose Android devices – such as digital signage, handheld computers, and kiosks – is to build a platform-signed MDM agent and preinstall it in the firmware. This approach has two major advantages:

  1. Developing and maintaining a custom Android firmware for each enterprise customer is expensive, whereas signing an MDM agent with platform keys is relatively straightforward for an OEM.
  2. Preinstalling an application in the Android firmware is already a routine part of the manufacturing process.

However, maintaining a custom platform-signed MDM agent remains expensive for both OEMs and MDM vendors.

Signing-as-a-Service Platform

To simplify this process, Headwind MDM has released a cloud build platform that enables OEMs and enterprise customers to update their custom MDM agent and generate a new platform-signed APK in just a few clicks. No developer workstation, Android Studio, or dedicated Android developer is required.

MDM Delivery Workflow for OEM

The platform also supports customization of the open-source MDM agent and includes AI-powered code review and malware scanning to improve the security and quality of the generated APK, helping ensure more reliable operation of managed devices.

“The service has been a huge relief for us. Our engineers do not speak English, and updating our MDM agent used to be a major headache that often took weeks. Now our support team can complete the entire process in minutes,” said Guo Jiaying, Product Manager at a Shanghai-based manufacturer of embedded Android displays for medical devices.

Headwind MDM’s AI-powered Signing-as-a-Service combines the flexibility of open source with fully automated build and signing workflows, making it easier for OEMs to deliver managed Android devices to enterprise customers. The platform includes comprehensive documentation and a streamlined workflow that guides customers and OEMs through the entire MDM deployment process.

Privacy-Oriented: No Platform Key Sharing Required

The signing platform is open source and privacy-oriented. If an OEM is not permitted to share its platform keys with third-party developers or customers for security reasons, it can deploy a self-hosted instance of the signing module and upload the platform keys locally. The build platform will then sign the Headwind MDM Launcher APK remotely using the OEM’s self-hosted signing instance.
