Android Hub Registered Mode with AOSP Devices
This Blog is focusing on AOSP Device with Hub Registered Mode , so no MDM Capabilites only App Level Management. This is typically used for BYOD in China for example. For the Full MDM Features and Details on AOSP Devices , make sure to have a look on the “Let us have a look on AOSP Devices with Workspace ONE UEM” Blog : https://digitalworkspace.one/2022/11/25/let-us-have-a-look-on-aosp-devices-with-workspace-one-uem/ .
While Hub Registered Devices can be installed with the Apps from Google PlayStore, this does not work for AOSP Devices as there is no PlayStore. So you need to sideload the App via Download from the Browser or install via a 3rd Party App Store or install the App via ADB.
But let us first put together what is there in AOPS & Hub Registered mode:
- Hub App with App Catalog, TOTP, People, For You , Support Tab etc.
- VMware Productivity Apps like Boxer , Web, Content or Notebook etc.
- Remote Support with Workspace ONE Assist
- APK Application installations (Also 3rd Party, recommend to have Workspace ONE SDK enbedded )
- SDK based Certificate Authentication, Tunnel and Passcode Profile on App Level.
- WebClips are supported
- Enterprise Wipe Command
- DEEM/DEX Features like User Flows and Crash reporting
Setting the Pre-Reqs
It is highly recommended to have a separate OG for the AOSP/ Hub Registered Devices , so let us start on Hub Registered Mode in UEM Console.
First we need to enable the Hub Registered Mode in the Setting , therefore go to “Devices & Users” , “General” , “Enrollment” and Select the “Management Mode” Tab. Enable “Android” and then “Save” the settings.
To Enable Push as FCM is not supported on AOSP Devices we need to Go to the “Intelligent Hub Settings” , located in “Devices & Users ” Android in the Settings. Make sure you have “ENABLED” the AWCM in the Section as listed here:
If you want to set a App level Passcode , then this need to be on SDK side, this is optional.
Go to “Apps” , “Settings and Policies” , “Security Polices” and Select a Authentication Type with Passcode. You can also Define the Level of Passcode that is required.
Note: This is a App level Passcode for SDK Enabled Apps , not covering the Device Passcode.
I added some APKs in the Console as well to install them once the device is enrolled.
Now, as we have everything setup, we can enroll a Device. I used a Zebra TC26 with AOSP in Version 11.
To get the Hub I used the following link and then just downloaded and installed Hub :
<a href="https://getwsone.com/mobileenrollment/airwatchagent.apk" target="_blank" rel="noreferrer noopener">https://getwsone.com/mobileenrollment/airwatchagent.apk</a>
All details of the Download & Install can be seen here in the Video:
Once installed I enrolled a device and installed the Web App, see details here:
For sure this solution is quite limited in features compared to the MDM part that is missing here, but as we cover here a very rare Scenario with AOSP Devices that do not use MDM Capabilities (even if they are possible on the Device) , it was running very well and I could fulfil the Requirements of having Secure Mail with Boxer, Internal Intranet with Certificate based Authentication in the Web App and also Access to Content Shared via Content App to just name some if them. Also Assist was working well and even the DEEM part is reporting Crashes and usage:
Note: I have used a Beta Version with a Known Issue and could get Hub to crash and then the Crash was reported.
With all that it is good to see that Workspace ONE UEM is not stopping at MDM Capabilities and also offers a App Level Management even on NON-GMS Devices like in China or in some Frontline Closed Network Devices. So depending on the Use-Case you can use Hub Registered Mode or Fully Managed Mode on a AOSP Device.