
0 votes
Is it possible to grant Headwind MDM device owner rights without adb and enrollment?

My devices do not allow QR code based enrollment, but I can modify Android firmware files (/system partition).
by (25.8k points)

2 Answers

0 votes

Here's the related answer on StackOverflow: https://stackoverflow.com/questions/21183328/how-to-make-my-app-a-device-owner

If you can modify firmware files, you can add a startup script which creates the following files (the file owner is system:system, permissions: 600 - read and write access to owner only):

/data/system/device_owner_2.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<root>
    <device-owner package="com.hmdm.launcher" name="" component="com.hmdm.launcher/com.hmdm.launcher.AdminReceiver" userRestrictionsMigrated="true" canAccessDeviceIds="true" />
    <device-owner-context userId="0" />
</root>

(for older Android versions, the file name must be device_owner.xml)

/data/system/device_policies.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<policies setup-complete="true" provisioning-state="3">
    <admin name="com.hmdm.launcher/com.hmdm.launcher.AdminReceiver">
        <policies flags="17" />
        <strong-auth-unlock-timeout value="0" />
        <user-restrictions no_add_managed_profile="true" />
        <default-enabled-user-restrictions>
            <restriction value="no_add_managed_profile" />
        </default-enabled-user-restrictions>
        <cross-profile-calendar-packages />
    </admin>
    <password-validity value="true" />
    <lock-task-features value="16" />
</policies>

Another option is to rebuild Headwind MDM and sign it with the Android platform keys (if you have them!). This won't require firmware modification, but provides Headwind MDM with system privileges (silent app installation). Also, you need to set the SYSTEM_PRIVILEGES flag in build.gradle to true.

by (25.8k points)
0 votes

Special permissions (drawing over other apps, request install apps, access to usage history) are stored in the file /data/system/appops.xml, see details here: https://qa.h-mdm.com/5469/

To copy the XML files to the /data partition, you can add the following lines to the init.rc in the post-fs-data section (at the very end):

# init runs as root, so set the owner and mode the first answer prescribes (system:system, 0600)
copy /system/device_owner_2.xml /data/system/device_owner_2.xml
copy /system/device_policies.xml /data/system/device_policies.xml
chown system system /data/system/device_owner_2.xml
chown system system /data/system/device_policies.xml
chmod 0600 /data/system/device_owner_2.xml
chmod 0600 /data/system/device_policies.xml

(you need to write the files to the firmware in the /system folder).

You may also consider checking for the existence of these files prior to copying, as well as copying other XML files containing sensitive permissions.

This option could be particularly useful when you're deploying Headwind MDM on Android TV boxes.

by (25.8k points)
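As an added example (not part of either answer above), a Python check that cross-validates hand-written device_owner_2.xml and device_policies.xml before they are baked into /system: the component must belong to the declared package, the same component must be declared as an admin in device_policies.xml, and the on-disk mode must be 0600 as the first answer prescribes. The sample XML it writes is constructed from the answers' contents; the function names and temp-dir paths are mine, and the check does not verify the system:system owner, which requires the device itself.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

EXPECTED_MODE = 0o600  # the first answer: owner system:system, mode 600 (owner rw only)

def check_device_owner_files(owner_path, policies_path):
    """Cross-check the two files; returns a list of problems (empty = consistent)."""
    problems = []
    owner = ET.parse(owner_path).getroot()
    policies = ET.parse(policies_path).getroot()
    do = owner.find("device-owner")
    if do is None:
        return ["device_owner_2.xml: missing <device-owner> element"]
    component, package = do.get("component", ""), do.get("package", "")
    if not component.startswith(package + "/"):  # component is "package/class"
        problems.append("component %r does not match package %r" % (component, package))
    # the same component must be declared as an <admin> in device_policies.xml
    admins = [a.get("name") for a in policies.findall("admin")]
    if component not in admins:
        problems.append("no <admin> for %r in device_policies.xml, found %r" % (component, admins))
    for path in (owner_path, policies_path):  # init copies as root, so verify the mode
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != EXPECTED_MODE:
            problems.append("%s: mode %04o, expected %04o" % (os.path.basename(path), mode, EXPECTED_MODE))
    return problems

def write_provisioning_files(dirpath, component, admin_name=None, mode=EXPECTED_MODE):
    """Write constructed sample files mirroring the answer's XML; returns their paths."""
    decl = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
    owner_xml = (decl + '<root>\n<device-owner package="%s" name="" component="%s" '
                 'userRestrictionsMigrated="true" canAccessDeviceIds="true" />\n'
                 '<device-owner-context userId="0" />\n</root>\n' % (component.split("/")[0], component))
    policies_xml = (decl + '<policies setup-complete="true" provisioning-state="3">\n'
                    '<admin name="%s"><policies flags="17" /></admin>\n'
                    '<lock-task-features value="16" />\n</policies>\n' % (admin_name or component))
    paths = []
    for name, text in (("device_owner_2.xml", owner_xml), ("device_policies.xml", policies_xml)):
        path = os.path.join(dirpath, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        paths.append(path)
    return tuple(paths)

def demo():  # consistent pair vs. a pair with a mistyped admin name left at mode 0775
    hmdm = "com.hmdm.launcher/com.hmdm.launcher.AdminReceiver"
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        ok = check_device_owner_files(*write_provisioning_files(good, hmdm))
        broken = check_device_owner_files(*write_provisioning_files(
            bad, hmdm, admin_name=hmdm.replace("Receiver", "Reciever"), mode=0o775))
    return ok, broken
```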
Hi.
I'm testing a TV box device with root access and I have a reboot loop when loading the launcher if I set the owner permission with "dpm set-device-owner com.hmdm.launcher/.AdminReceiver".
I'm checking the XML files (owner_2, policies and appops) and they are correct. I can't change the init.rc file because it is in the /system partition (read only).
I need some help to apply the owner permission correctly to the hmdm app. Thanks.
If you set the device owner permissions incorrectly, the setup is just ignored, and in no way should you get the boot loop. It's hard to say what exactly happened, please look for the exceptions in logcat.
The device owner permission is right. All works fine (unattended installation of apps, detailed information: mdm mode yes, default launcher com.hmdm.launcher...) but if I reboot, the device never boots completely again. I see the default background image but it seems not to be able to run com.hmdm.launcher and reboots. I can't see logcat because I'm connecting with Wi-Fi adb, and it is not available while the device is booting.
I've been trying to get mdm to work for weeks, on several devices, and I'm going a little crazy.
To diagnose the issue, logcat is required. Please understand that it is impossible to diagnose the issue without any info.
Ok. Can you explain to me how I can get the logcat when the device does not boot completely?
I think you need to connect via USB. Also, there should be some setting in Android which prevents the device from rebooting in the case of fatal errors, so the logcat won't be cleared. I don't think I could help much here, you can get help on Android firmware related issues on xda-developers.com.
...