Set up MDM without Internet

Many companies use private networks to improve security of their corporate mobile devices. Here are the methods to set up a private network:

  • VPN. Connection to a corporate private network is established through a secure tunnel over the Internet.
  • WiFi. Private Wi-Fi network can have no Internet connection. WiFi-based private network (LAN or VLAN) is effective and easy to set up, but the range of the WiFi signal is too short.
  • Private APN. Some wireless providers propose corporate tariffs including private access points. This method to organize a private network seems to be the most secure because it doesn’t require setting up a client software on mobile devices.

The problem of mobile device management using private APN, VPN, or VLAN, is the necessity of allowing access to certain hosts providing cloud services. This task is not easy to manage, and may be against corporate security rules.

Self hosted MDM solution

Headwind MDM server can be installed inside the private network, so you can manage your mobile devices even if they have no Internet connection. However there are few points you need to know.

HTTPS certificates for private domain names.

To generate the HTTPS certificate for a domain name, the certificate authority (including a free LetsEncrypt service) requires the confirmation of your ownership for the domain. Obviously, they cannot check the domain names which are not available in Internet.

Here are the options how to resolve the issue:

  • Use a subdomain of your company domain. Once you generate a certificate, you can update the DNS record so it will be resolved to a correct server inside your private network.
  • Do not use HTTPS. In principle HTTP could be safe enough when using inside VLAN, but you many need to confirm HTTP usage with your security experts.
  • Use self-signed certificates. There are two options how to use self-signed HTTPS certificates on mobile devices. The first one is to add trusted certificates manually on each managed device. The second approach is to rebuild Headwind MDM agent so it will accept any certificate (which should not be considered as a secure approach).

We would recommend the first approach and use a subdomain of your company domain (or any other domain owned by you) for managing devices in your private network.

Device enrollment without Internet connection

There is another issue while setting up managed Android devices without Internet connection. We have revealed that certain models of mobile devices require Internet connection during QR code based enrollment because they want to check the device owner application with Google Play Protect. Unfortunately there is no user-friendly error reporting. Once Google Play Protect website is not available, the device enrollment fails reporting a general error.

To resolve this issue, we recommend setting up a WiFi network for the single purpose of enrollment. If you’re using a private APN, you can switch off WiFi in the Headwind MDM web panel to force the device connection through the mobile network only.

Connectivity management

Headwind MDM provides various options to manage connections.

  • Manage WiFi networks. The WiFi manager integrated with the MDM system can be used to disable unknown networks or predefine passwords for certain WiFi points.
  • Set up private APNs. Headwind MDM includes a tool for remote setting up a private APN, so you do not need to adjust the settings of each device manually.
  • Set up network policies. In the web panel, you can choose whether WiFi or mobile connection is enabled or disabled.

Get more help on MDM setup

If you need to set up MDM in your corporate private network, but have concerns about the implementation, please contact us. Our experts will review your network design and suggest the most appropriate solution.