AOSP tools for device management
ManagedProvisioning is the system application installing an MDM application at the device’s first start and granting the enhanced (Device Owner) permissions to it.
On stock ROMs, the provisioning application can be started from a Google’s proprietary setup wizard. AOSP ROM doesn’t have this app, however it has a very simple stub application replacing the setup wizard.
Provision is a stub application, a startup point of the first Android run. It sets up a managed device or, if a MDM application is not set, just marks the device as fully configured.
AOSP integration
To manage an AOSP-driven device, two steps must be done.
1. Preinstall Headwind MDM in the ROM
To preinstall Headwind MDM in the AOSP ROM, you need to create a new application in the packages/apps subdirectory and add this app to the ROM configuration. To simplify this task, we have created a simple AOSP add-on containing the Makefile and step-by-step integration instructions.
2. Adjust the provisioning application
To grant the device owner permissions to the Headwind MDM application, you need to update the source code of the “Provision” application. The updated code can be downloaded here. Read the README.md file and get the installation details.
How to test?
AOSP ROM can be built from the source code on an Ubuntu Linux-driven server. The final image can be installed on most Google Pixel and Nexus devices “out-of-the-box”, without any hacks or tweaks. The AOSP website contains detailed instructions on downloading the source code, building it and flashing the device.
The integration flows are tested on Google Pixel 5a running Android 13.
I don’t have the ROM source, please help!
Headwind MDM can be integrated into a ROM even if you don’t have the source code.
1. Ask the device manufacturer for the platform keys. Applications running with system permissions must be signed by these keys. In the AOSP source code, keys are located in the build/make/target/product/security directory. There are two files, platform.pk8 (private key) and platform.x509.pem (certificate).
2. Convert the platform keys to a JKS file (here’s how to).
3. Download the source code of the Provision app and build it in Android Studio. Sign it by the platform keys (see README.md for details). Notice: this source code is adapted to Android Studio, whereas the AOSP-based code can’t be built outside AOSP.
4. Download the latest Headwind MDM APK. You don’t need to rebuild it or sign it by the platform keys, only the Provision app should have system permissions.
5. Ask the device manufacturer to preinstall Headwind MDM and Provision apps to the ROM (replace the existing Provision app if it already exists). As an alternative, adjust the ROM yourself following the device manufacturer or other instructions.