Managing Android Devices on Closed Network #gotchas#

Are you trying to deploy Android devices on a closed network, one with no internet access? In this blog post, I will walk through the key considerations and concerns to ensure a successful deployment.

1. Avoid Android Legacy (Device Administrator Mode)

Google is deprecating support for Android Legacy (device administrator mode), and VMware has officially announced the end of support by March 31st, 2022. See KB details here.

2. Android 10+ is blocked for Android Legacy

If you have a desperate need to use Android Legacy, avoid Android 10+, as VMware has blocked Android Legacy enrollment on Android 10 and later. See the KB for details.

Per the KB article, with the release of Android 10, device administrators are subject to API deprecations and behavioral changes that break UEM workflows; hence Android 10+ is blocked for this mode. See the article linked above for details.

3. Embrace Android Enterprise

Android Enterprise is the management method recommended by Google.

Per Google's article, QR code device provisioning needs a minimum of Android 7. Unfortunately, on Android 7 and 8 the QR code reader is not part of the OS: the setup wizard has to download it from Google Play, which fails on a closed network. Hence, you will need Android 9+, where the QR code reader is native to the OS.
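As an added example (not from the original post and not Workspace ONE's own tooling), here is a shell script that assembles the JSON an Android Enterprise provisioning QR code encodes, with the pieces a closed network depends on: the Wi-Fi definition the setup wizard joins, a DPC download location reachable inside the closed network rather than on the internet, and the package checksum in the format Android expects (SHA-256 of the APK, URL-safe base64, no padding). The hostname, internal domain suffix, DPC package/component name and Wi-Fi values are placeholders, and the checksum is computed over an empty placeholder file so the script runs offline; point it at the real DPC APK hosted on your Device Services server.

```shell
#!/bin/sh
# Added example, not from the original post and not VMware tooling.
# Builds an Android Enterprise device-owner provisioning QR payload for a
# closed network and checks that nothing in it needs internet access.
set -eu

# Placeholder values (assumptions for the example, not real identifiers).
INTERNAL_SUFFIX=".corp.example"                 # every closed-network host ends with this
DS_HOST="ds.uem${INTERNAL_SUFFIX}"              # Device Services server inside the closed network
DPC_URL="https://${DS_HOST}/dpc/agent.apk"      # DPC hosted on the DS server, not on Google Play
DPC_COMPONENT="com.example.dpc/.DeviceAdminReceiver"
WIFI_SSID="CLOSED-NET"
WIFI_PASS="correct-horse-battery-staple"        # assumed free of characters needing JSON escaping

# apk_checksum FILE: SHA-256 of the APK as URL-safe base64 without padding,
# the form PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM expects.
apk_checksum() {
  openssl dgst -sha256 -binary "$1" | openssl enc -base64 -A | tr '+/' '-_' | tr -d '='
}

# url_host URL: host part of an http(s) URL.
url_host() { printf '%s' "$1" | sed -E 's#^https?://([^/:]+).*#\1#'; }

# offline_ready URL SSID: succeeds only if the DPC download location is an
# https URL on an internal host and a Wi-Fi network is defined, i.e. the setup
# wizard can finish provisioning without ever reaching the internet.
offline_ready() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  case "$(url_host "$1")" in *"$INTERNAL_SUFFIX") ;; *) return 1 ;; esac
  [ -n "$2" ]
}

# build_payload APK: print the JSON to encode into the QR code.
build_payload() {
  offline_ready "$DPC_URL" "$WIFI_SSID" || { echo "payload would need internet access" >&2; return 1; }
  printf '{\n'
  printf '  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "%s",\n' "$DPC_COMPONENT"
  printf '  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "%s",\n' "$DPC_URL"
  printf '  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "%s",\n' "$(apk_checksum "$1")"
  printf '  "android.app.extra.PROVISIONING_WIFI_SSID": "%s",\n' "$WIFI_SSID"
  printf '  "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA",\n'
  printf '  "android.app.extra.PROVISIONING_WIFI_PASSWORD": "%s",\n' "$WIFI_PASS"
  printf '  "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": false\n'   # keep device encryption enforced
  printf '}\n'
}

# Constructed placeholder APK (an empty file) so the script runs stand-alone;
# replace it with the real DPC APK that the DS server hosts.
APK="$(mktemp)"
build_payload "$APK"
```

The payload is what you feed to a QR code generator; the checksum must be recomputed whenever the hosted APK changes, or the setup wizard will refuse to install the DPC.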

4. Only use Android Enterprise Approved Devices

Ensure the devices are Android Enterprise Recommended by Google. Check this site to ensure your device is approved. Note, Huawei is not a supported OEM / manufacturer for Android Enterprise. Save yourself the trouble and make sure the device is approved by Google 🙂

5. SAMSUNG SAMSUNG SAMSUNG :/

Samsung Android devices require internet connectivity to the Knox cloud service in order to activate the Knox license key upon enrollment. This can pose issues for devices on a closed network.

On a closed network, the customer must install an On-Premise Knox License Server. The format for the Knox license key is noted here.

Your client must engage the Samsung team to deploy the On-Premise Knox server.

6. SSL Certificate Concerns

I highly recommend binding a publicly trusted SSL certificate on the UEM Device Services (DS) server. This prevents trust-related issues between the device and the DS server, so enrollment and device management do not fail on certificate validation. Note, some public SSL certs have known issues. For example, not all Comodo certificates are natively trusted by Android. Whichever CA you use, make sure the DS server serves the full chain including the intermediate certificates: Android does not go and fetch a missing intermediate on its own, and on a closed network it could not anyway.

If your client is planning to use a self-signed certificate or one issued by a private CA, make sure the root and intermediate certificates are somehow loaded on the device before enrollment. Otherwise, your client will not be able to enroll devices in Workspace ONE UEM.

VMware understands the challenge here and is planning to add a feature in FY22 that loads the certificate during QR enrollment. Until that feature is available, avoid self-signed certificates and use public SSL certs 🙂
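To make the trust check concrete, the following shell script is an added example (not from the original post and not from VMware's documentation). It builds a throwaway private PKI, signs a certificate for a hypothetical Device Services hostname, and then verifies that certificate the way an Android device does: with only the root installed and only the certificates the server actually sends, no fetching of missing intermediates. The leaf-only case fails and the full-chain case passes, which is the difference between an enrollment that works and one that does not, even when the root was loaded on the device. The hostname and CA names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post and not VMware tooling.
# Throwaway private PKI (root -> issuing CA -> Device Services leaf), then a
# verification that mimics an Android device: only the pushed root is trusted,
# only the certificates the server sends are used, and no missing intermediate
# is fetched from the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

DS_HOST="ds.uem.corp.example"   # hypothetical Device Services hostname

# Self-contained req config so the example does not rely on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > int.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$DS_HOST" > ds.ext

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Root CA: the certificate that has to be loaded on the devices before enrollment.
newkey root.key
openssl req -x509 -new -key root.key -sha256 -days 3650 -subj "/CN=Corp Root CA" \
  -config ca.cnf -out root.pem

# Issuing (intermediate) CA, signed by the root.
newkey int.key
openssl req -new -key int.key -subj "/CN=Corp Issuing CA" -config ca.cnf -out int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile int.ext -out int.pem 2>/dev/null

# Device Services leaf, signed by the issuing CA.
newkey ds.key
openssl req -new -key ds.key -subj "/CN=$DS_HOST" -config ca.cnf -out ds.csr
openssl x509 -req -in ds.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 825 -sha256 -extfile ds.ext -out ds.pem 2>/dev/null

# verify_like_android ROOT CHAIN: CHAIN is exactly what the TLS server sends,
# leaf first and then any intermediates. Only ROOT is trusted; nothing else is
# consulted or fetched. Prints "trusted" or "untrusted".
verify_like_android() {
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$2" > leaf.tmp
  if openssl verify -no-CApath -no-CAfile -CAfile "$1" -untrusted "$2" leaf.tmp >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

cp ds.pem leaf-only.pem               # misconfigured server: intermediate omitted
cat ds.pem int.pem > full-chain.pem    # correct server: leaf followed by intermediate

echo "leaf only:  $(verify_like_android root.pem leaf-only.pem)"   # untrusted
echo "full chain: $(verify_like_android root.pem full-chain.pem)"  # trusted

# served_chain HOST: capture the chain a live server sends (needs network, so
# not run here); feed the output file to verify_like_android together with the
# root certificate the devices received.
served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
```

Run `served_chain` against the real DS server from a machine on the closed network and check the captured file with `verify_like_android`; if it comes back untrusted with the root the devices hold, fix the server's chain before touching the devices. The script does not solve the other half of the problem, which is getting that root onto the device before QR enrollment starts.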
