Let us have a look on AOSP Devices with Workspace ONE UEM

• By -Patrick Zoeller

Let us have a look on AOSP Devices with Workspace ONE UEM

• Posted on 2022-11-25
• Posted in Android, Google, Uncategorized
• 2 Comments

While AOSP (Android Open Source Project) is not new I got quite a lot of request past months , so I decided let’s create a blog about it. AOSP is Android without Google Services, so no Google Play Store , No FCM (Firebase Cloud Messaging ) and there is No Work Profile or COPE Mode . So Management on that is different and also some limitations you should be aware. Mainly AOSP is used in Closed Network Scenario or in China , where GMS (Google Services) are not available. But if you are a global Enterprise with locations in China you may not come around AOSP Devices. I saw in the China market a lot of MDMs are still doing the EOL of Android Device Administrator , but it is really time now to transition to AOSP Mode as not just Google deprecated Device Admin some time ago, also VMware followed this guideline as you can see in the KB here: https://kb.vmware.com/s/article/80971

So let us have a look what is in the box with AOSP and what value you can get out of the Workspace ONE UEM Solution with AOSP Devices.

What is possible with AOSP, what is not there ?

While the Device Hardware might be the same on AOSP then when using Android Enterprise GMS, it is just the software that is different. Here some of the things to keep in mind:

• AOSP is only in Fully Managed Device , No Work Profile, No COPE is Available
• AOSP does not support Push with FCM , If you use Workspace ONE UEM you can use AWCM to solve this
• AOSP does not have any GMS Service like PlaysStore, so Public or Managed Play Store Apps can not be used.
• Enrollment can be tricky , no ZeroTouch , Sometimes No QR-Code Enrollment but Zebra & Honewell Devices supports Barcode Enrollment and also ADB works fine.

on the other side a lot of useful things are available:

• VPN with VMware Tunnel
• VMware Productivity Apps like Boxer , Web, Content or Notebook etc.
• Remote Support with Workspace ONE Assist
• APK Application installations and Configuration (Line of Business Apps) via App-Config , even OEM Config works with Workspace ONE UEM
• Hub Services , Workspace ONE Access incl. Mobile SSO , People Search and Unified Catalog with VDIs
• Profiles are supported like Passcode , VPN, Certificate, Restrictions etc.
• Commands for Reboot , Device Wipe and Change Passcode
• Compliance engine
• Application inventory, App Blacklisting & Suspend Apps
• Product Provisioning
• Frontline use cases with Launcher inc. CICO
• DEEM/DEX Features like User Flows and Crash reporting
• much more that I might have forgot to list here….

With all that it really feel that AOSP Mode is solving a lot of issues as Device Admin is no more available with most of the EMMs as Google set it to EOL some time ago already. In China this is a good option to enroll COBO devices in this mode.

So let us have a look on the Console Settings required for this.

Pre-Reqs in UEM

First of all login to the UEM Console and Create a separate OG / OG Structure for the AOSP Devices. This is required as the Settings for Android Enterprise Account provisioning are per OG only. Just create a new OG, similar to what I did here:

Then Go to the “Settings” / “Devices & Users” / “Android” / “Android EMM Registration” and Select the “Enrollment Settings”.

Make sure you override for that OG and Select “Work Managed” as “Management Mode” and “AOSP /Closed Network” as “Google Account Generation” and save the Settings.

As we have to make sure we use the AWCM Settings instead of FCM , we need to set this in the “Intelligent Hub Settings” in the “Settings” / “Devices & Users” / “Android” in the UEM Console.

There make sure you have Enabled “AirWatch Cloud Messaging” here.

Once done, I just added some Internal Applications (APK) to the Console like Web, Tunnel, Content and other internal Apps.

With all this setup , we can now start enrolling Devices with AOSP in that OG.

Setup Device

As some of the AOSP Devices do not have a QR-Code Reader or Barcode Reader I used ADB to enroll the Devices.

If you have Honeywell or Zebra AOSP Devices it would use a Barcode instead of the ADB to enroll. So let us first connect the Device via USB and Enable USB Debugging for this time to install Hub:

run in a Shell the Following Command:

adb devices

As in my case USB Debugging was not yet allowed on the device I had to “Allow” the Popup:

Once activated, run the Command again to see the Device :

If you have not yet installed Hub , you can install hub via ADB now with the following Command:

adb install /Users/user/Downloads/Hub.apk

Note: You need some Internet Connection to the Device Services of UEM , if you have no Wifi, 5G or Ethernet connected yet , it is time to do this before once installed you can set the Device Owner with the following command:

adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver

Once done you see that VMware Intelligent Hub is getting launched, if not just launch it manually and you can start enrollment:

Here you can scan a QR-Code , use the Autodiscover via Mail or any other supported method to Enroll with Hub, you are not limited due to AOSP.

Once enrolled you can also use Workspace ONE Assist and all the other value adding Applications by VMware:

Setup via Barcode / QR-Code

Especially the Honeywell and the Zebra Devices worked also to enroll via a Barcode and that made it more easy. If you use a QR-Code or Barcode via StageNow or Enterprise Provisioner, just make sure you use the DPC Extras for AOSP in the android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE like here:

"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverurl": "dsxxx.awmdm.com", <strong>"</strong>aospEnrollment": "True" } 

if you have Android 13+ and a closed network make sure you use the Offline Parameter there as well:

"android.app.extra.PROVISIONING_ALLOW_OFFLINE": true

More details to this can be found on the official VMware Documentation: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/closednetworkandroid/GUID-closednetworkQR.html

Conclusion

While initially it felt like you are very limited in China and on AOSP Devices this Blog post should show that the limitations are low and the capabilities to enroll devices to Workspace ONE are huge. As I used ADB here in the Blog , it is for sure also possible with other methods to enroll devices like NFC or with QR-Code depending on the Vendor of the Device and the OS. Overall it was an easy journey to onboard devices in China or Frontline Devices without GMS if you know the boxes to click to get it running.