0 votes
Is it possible to grant Headwind MDM device owner rights without adb and enrollment?

My devices do not allow QR code based enrollment, but I can modify Android firmware files (/system partition).
by (10.6k points)

2 Answers

0 votes

Here's the related answer on StackOverflow: https://stackoverflow.com/questions/21183328/how-to-make-my-app-a-device-owner

If you can modify firmware files, you can add a startup script which creates the following files (the file owner is system:system, permissions: 600 - read and write access to owner only):

/data/system/device_owner_2.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<root>
    <device-owner package="com.hmdm.launcher" name="" component="com.hmdm.launcher/com.hmdm.launcher.AdminReceiver" userRestrictionsMigrated="true" canAccessDeviceIds="true" />
    <device-owner-context userId="0" />
</root>

(for older Android versions, the file name must be device_owner.xml)

/data/system/device_policies.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<policies setup-complete="true" provisioning-state="3">
    <admin name="com.hmdm.launcher/com.hmdm.launcher.AdminReceiver">
        <policies flags="17" />
        <strong-auth-unlock-timeout value="0" />
        <user-restrictions no_add_managed_profile="true" />
        <default-enabled-user-restrictions>
            <restriction value="no_add_managed_profile" />
        </default-enabled-user-restrictions>
        <cross-profile-calendar-packages />
    </admin>
    <password-validity value="true" />
    <lock-task-features value="16" />
</policies>

Another option is to rebuild Headwind MDM and sign it with the Android platform keys (if you have them!). This won't require firmware modification, but provides Headwind MDM with system privileges (silent app installation). Also, you need to set the SYSTEM_PRIVILEGES flag in build.gradle to true.

by (10.6k points)
0 votes

Special permissions (drawing over other apps, request install apps, access to usage history) are stored in the file /data/system/appops.xml, see details here: https://qa.h-mdm.com/5469/

To copy the XML files to the /data partition, you can add the following lines to the init.rc in the post-fs-data section (at the end of all):

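copy /system/device_owner_2.xml /data/system/device_owner_2.xml
copy /system/device_policies.xml /data/system/device_policies.xml
# Owner and mode as given in the first answer: system:system, 600
chown system system /data/system/device_owner_2.xml
chown system system /data/system/device_policies.xml
chmod 0600 /data/system/device_owner_2.xml
chmod 0600 /data/system/device_policies.xml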

(you need to write the files to the firmware in the /system folder).

You may also consider checking the existence of these files prior to copying, as well as copying other XML files containing sensitive permissions.

This option could be particularly useful when you're deploying Headwind MDM on Android TV boxes.

by (10.6k points)
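The existence check suggested in the second answer, written as a shell startup script of the kind the first answer mentions (an added example, not Headwind MDM code and not part of either answer). The function names and the optional owner argument are assumptions; on a device the owner would be system:system, with mode 600 as the first answer specifies.

```shell
# Added example: copy the staged device-owner files only when the
# destination does not exist, so a live policy file is never overwritten.

# install_once SRC DST [OWNER]
# Returns 0 = installed, 1 = destination already present, 2 = source missing,
# 3 = write/permission step failed (partial file is removed).
install_once() {
    src=$1; dst=$2; owner=${3:-}
    [ -f "$src" ] || return 2
    if [ -e "$dst" ]; then
        return 1
    fi
    tmp="$dst.tmp.$$"
    # Restrictive umask: the copy is never group- or world-readable, even briefly.
    ( umask 077; cat "$src" > "$tmp" ) || { rm -f "$tmp"; return 3; }
    chmod 600 "$tmp" || { rm -f "$tmp"; return 3; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 3; }
    fi
    # Rename within the same directory so readers never see a half-written file.
    mv "$tmp" "$dst"
}

# provision_owner_files SRC_DIR DST_DIR [OWNER]
# On a device: provision_owner_files /system /data/system system:system
provision_owner_files() {
    src_dir=$1; dst_dir=$2; owner=${3:-}
    for f in device_owner_2.xml device_policies.xml; do
        rc=0
        install_once "$src_dir/$f" "$dst_dir/$f" "$owner" || rc=$?
        case $rc in
            0) echo "installed $f" ;;
            1) echo "kept existing $f" ;;
            *) echo "failed $f (code $rc)" >&2; return 1 ;;
        esac
    done
    return 0
}
```
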