Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.

0 votes
I want to manage Google Pixel devices running GrapheneOS.

Can I get full functions of Headwind MDM (silent installation, etc.)?

2 Answers

0 votes

GrapheneOS has no ManagedProvisioning service (QR code based installer). Therefore, you need to grant the device owner rights to the Headwind MDM launcher in another way.

Testing

For testing purposes, you can use adb to grant the device owner rights. Here is how: https://qa.h-mdm.com/1411/

Production

The adb method is not suitable for production purposes. 

You need to rebuild the Headwind MDM launcher and sign it with the GrapheneOS platform keys. In the launcher source code, use the system build variant (Enterprise version only), or manually set SYSTEM_PRIVILEGES to true in app/build.gradle, and change the android:sharedUserId to android.uid.system in AndroidManifest.xml.

The platform keys can be found here: $ANDROID_ROOT/build/target/product/security/ More detailed instructions can be found here: https://stackoverflow.com/questions/51723768/how-to-sign-android-app-with-platform-keys-using-gradle

Embedding Headwind MDM into GrapheneOS source

Another method is to embed the launcher into GrapheneOS source code instead.

Here is how to do it, in short:

Create a folder for Headwind MDM in <grapheneos-source-root-directory>/package/apps/HMDM

Inside this directory, create an Android.mk file with the content below:

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := HMDM
# Re-sign the prebuilt APK with the platform key at build time
LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := HMDM.apk
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)

include $(BUILD_PREBUILT)

Put the apk file in the same folder (HMDM.apk for example)

Now we have to include the apk in the system image. To do that, we have to mention the module name in the PRODUCT_PACKAGES list in the file:

For Android 11 - aosp-root-dir/build/target/product/handheld_system.mk

So just add HMDM to the list. Here is a screenshot:

by (11.9k points)
0 votes

Here are the commands to convert platform keys to a JKS file:

openssl pkcs8 -inform DER -nocrypt -in platform.pk8 > platform.key

openssl pkcs12 -export -in platform.x509.pem -inkey platform.key -name android -password pass:android -out platform.p12

keytool -importkeystore -deststorepass android -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass android -destkeystore platform.jks

The keystore password, key password, and key name are: android

by (11.9k points)
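Added example, not part of the answers above and not Headwind MDM or GrapheneOS code: a check that a rebuilt HMDM.apk carries the same signing certificate as platform.x509.pem, by reading the APK Signing Block (v2/v3) and comparing SHA-256 fingerprints. The function names and the script name are assumptions made for this sketch; it compares the embedded certificate only and does not validate the signature itself, which `apksigner verify --print-certs` does.

```python
import base64, hashlib, struct, sys

MAGIC = b"APK Sig Block 42"
SCHEMES = {0x7109871A: "v2", 0xF05368C0: "v3"}  # APK Signature Scheme block IDs

def pem_fingerprint(pem_text):
    """SHA-256 of the DER certificate in a PEM file such as platform.x509.pem."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def _chunks(buf, fmt="<I"):
    """Yield each length-prefixed element (uint32 prefix, or uint64 with "<Q")."""
    width, pos = struct.calcsize(fmt), 0
    while pos + width <= len(buf):
        (n,) = struct.unpack_from(fmt, buf, pos)
        yield buf[pos + width : pos + width + n]
        pos += width + n

def apk_signer_fingerprints(apk):
    """Map "v2"/"v3" to the SHA-256 of each signer's first certificate."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK file")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_off < 32 or apk[cd_off - 16 : cd_off] != MAGIC:
        return {}  # no v2/v3 signing block (v1-only or unsigned)
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    if size < 24 or size + 8 > cd_off:
        raise ValueError("corrupt APK Signing Block size")
    found = {}
    for pair in _chunks(apk[cd_off - size : cd_off - 24], "<Q"):
        scheme = SCHEMES.get(int.from_bytes(pair[:4], "little"))
        if scheme is None:
            continue  # padding or another scheme's block
        for signer in _chunks(next(_chunks(pair[4:]))):
            signed = _chunks(next(_chunks(signer)))  # fields of "signed data"
            next(signed)  # skip digests; the certificate list comes second
            cert = next(_chunks(next(signed)))  # first entry is the signing cert
            found.setdefault(scheme, []).append(hashlib.sha256(cert).hexdigest())
    return found

def signed_with(apk, pem_text):
    """True only if every v2/v3 signer certificate equals the PEM certificate."""
    fps = [f for v in apk_signer_fingerprints(apk).values() for f in v]
    return bool(fps) and all(f == pem_fingerprint(pem_text) for f in fps)

if __name__ == "__main__":  # usage: python3 check_signer.py HMDM.apk platform.x509.pem
    with open(sys.argv[1], "rb") as a, open(sys.argv[2]) as p:
        print("platform-signed" if signed_with(a.read(), p.read()) else "MISMATCH")
```

An APK signed only with the v1 (JAR) scheme has no signing block, so the check reports a mismatch for it rather than a pass.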