Managing Android devices in a closed network
Headwind MDM Enterprise can manage mobile devices in closed corporate networks that have no Internet connection.

Headwind MDM in a closed network
To set up the service on the LAN, several important points must be taken into account.
- Setting up HTTPS. Using an encrypted protocol on an internal network requires properly configured domain name and certificate authority services. In particular, the internal root and intermediate certificates must be installed on each mobile device. Headwind MDM will not work with self-signed certificates!
- Device provisioning. Most Android devices require an Internet connection for the initial MDM setup to initialize Google services. If no connection is available, the setup wizard may stop working.
- Installing applications. The installer of Headwind MDM uses Internet resources to download required components, both third-party apps (databases, web servers, etc.) and Headwind MDM components (mobile agents). If external resources are unavailable in the private network, the required software should be installed manually.
Setting up HTTPS
Prior to setting up HTTPS, we recommend asking your cybersecurity department whether an unencrypted protocol (plain HTTP) is allowed. If your corporate security policies permit HTTP in the internal network, this is the easiest way to set up MDM, because it requires neither certificates nor even a domain name: you can simply use the server’s IP address. Note: the remote control module will not work with plain HTTP.
Domain names and certificates
HTTPS protocol requires:
- A domain name
- A domain certificate issued by a certificate authority known to the device
To assign a domain name to the server, set up a DNS service and add an A record that maps the domain name to the Headwind MDM server IP address.
Usage of Let’s Encrypt
By default, Headwind MDM generates HTTPS certificates via the free domain certification service “Let’s Encrypt”. To confirm domain ownership (validate the domain), this service connects to the domain over HTTP. Let’s Encrypt cannot validate domains on a private network, therefore you need to prepare certificates manually and turn off the use of Let’s Encrypt during the Headwind MDM setup.
Internet domain
We recommend installing Headwind MDM on a subdomain of your organization’s domain, for example: mdm.your-company.com. If your company already has a “wildcard” SSL certificate (*.your-company.com), you can use it for the HTTPS setup.
If you have no certificate, you can order it from any certificate provider (the recommended method to verify a domain is DNS).
Local domain
“Local” domains like mdm.local can’t be certified by Internet-based certificate authorities. As a workaround, you can request from us a custom build that ignores the certificate validation error. Here’s what may happen:
- Your cybersecurity department may not allow HTTPS without certificates;
- Other applications, both third-party (like a browser) and Headwind MDM components, may not work without a certificate.
Local certificate authority
Android does not accept self-signed domain certificates! Therefore, to use HTTPS on local domains, you need to set up your own certificate authority, that is, to generate:
- Self-signed “root” certificate
- Intermediate certificate signed by root
- Domain certificate signed by intermediate
After generating this certificate chain, you need to deliver it to the devices. Headwind MDM Enterprise includes a custom build of the Headwind MDM launcher with your certificates embedded. To get this service, provide us with your root and intermediate certificates in PEM format (Base64-encoded).
Device provisioning on the LAN

Initial device setup may require Internet access
Many Headwind MDM users struggle to set up mobile devices on the LAN. Even though all certificates are in place and the web panel works perfectly in a browser, mobile devices get stuck on the “Loading the administrator application” screen and, after a few minutes, fail with the “Can’t install the administrator application” error. The only recovery option is a reset to factory defaults.
We found that this problem is caused by a failure to initialize Google Mobile Services (GMS).
If you get this error, a workaround would be to enroll the device in a separate Wi-Fi network, which is isolated from your LAN and connected to the Internet.
In this case, the LAN address of Headwind MDM will be unavailable. To let Android download the MDM agent, specify an external URL for downloading the application com.hmdm.launcher (the external URL can be retrieved here).
Once Headwind MDM is installed (and tells you that it can’t connect to the server), switch back to the LAN. The MDM server becomes available, and the mobile agent can retrieve the configuration and continue the setup.
Note: in Android 13 and above, there is a special parameter of the QR code enrollment, which notifies Android of the offline provisioning. To turn on this option, open the configuration details, switch to the “MDM settings” tab, and add the following text in the “Other QR code entries” field:
"android.app.extra.PROVISIONING_ALLOW_OFFLINE": true
Connectivity management
Headwind MDM provides various options to manage network connectivity on Android devices.
- Manage WiFi networks. The WiFi manager integrated with the MDM system can be used to disable unknown networks or predefine passwords for certain WiFi points.
- Set up private APNs. Headwind MDM includes a tool for configuring a private APN remotely, so you do not need to adjust the settings of each device by hand.
- Set up network policies. In the Headwind MDM web panel, you can choose whether WiFi or mobile connection is enabled or disabled.
Get more help on MDM setup
If you need to set up MDM in your corporate private network, but have concerns about the implementation, please contact us. Our experts will review your network design and suggest the most appropriate solution.