Automated Android Provisioning with ManageEngine MDM, Zebra StageNow, and Enterprise Home Screen

Project Overview

Delivered automated Android device provisioning and lockdown using ManageEngine MDM, Zebra StageNow, and Enterprise Home Screen. Standardized XML profiles enforce a restricted launcher experience, keep the application set consistent, and significantly reduce hands-on setup time while improving policy compliance.

Problem and Goal

  • Problem: Devices were provisioned manually, resulting in inconsistent settings, policy drift, and exposure to unapproved apps.
  • Goal: Establish policy-driven provisioning, enforce kiosk mode, and maintain an auditable, near zero-touch rollout for every device.

Architecture

  • ManageEngine MDM orchestrates device groups, compliance policies, certificate delivery, and lifecycle automation.
  • Zebra StageNow generates enrollment barcodes that apply XML profiles during factory setup.
  • Enterprise Home Screen (EHS) locks devices into kiosk mode with an approved app catalog.
  • Profile payloads are delivered over Wi-Fi when possible, with USB sideload of APKs reserved for offline staging.

Provisioning Workflow

  • Factory reset the Zebra Android device to start from a trusted baseline.
  • Scan the StageNow barcode to bootstrap Wi-Fi, certificates, and auto-enrollment into ManageEngine MDM.
  • Dynamic assignment places the device into the correct MDM group based on serial number or site tag.
  • MDM deploys Wi-Fi profiles, certificates, approved applications, and hardened system settings.
  • Install and activate the EHS kiosk profile to present only authorized applications and tools.
  • Run a validation checklist, capture screenshots for audit, and promote the device into the production group.

Policy and Configuration

  • XML-driven configuration controls Wi-Fi, application packages, launcher icon sizes, orientation locks, debugging, and password policies.
  • EHS enforces the kiosk allowlist, hides administrative tools, and restricts navigation keys to prevent breakout.
  • MDM compliance policies monitor for drift, notify administrators, and can quarantine non-compliant devices.

Results and Impact

  • Designed and automated Android endpoint provisioning with ManageEngine MDM, Zebra StageNow, and Enterprise Home Screen to standardize app access and device posture across 17+ sites and 350+ devices, cutting setup time by 50%.
  • Created a repeatable factory-reset-to-in-service workflow using barcode kits, USB sideloading, and MDM group assignment, lowering new device time-to-ready from over 1 hour per device to under 30 minutes per device.

Sanitized XML Example

<config>
  <kiosk/>
  <applications>
    <application label="Kiosk App" package="com.example.kiosk" activity="com.example.kiosk.MainActivity"/>
    <application label="Support Tool" package="com.example.support" activity="com.example.support.MainActivity"/>
  </applications>
  <tools/>
  <passwords>
    <!-- Store admin credentials in MDM, not here -->
    <admin attempts="1">ENC_ADMIN_SECRET_PLACEHOLDER</admin>
  </passwords>
  <user_options>
    <icon_settings>
      <app_icon_size>XL</app_icon_size>
    </icon_settings>
  </user_options>
  <preferences>
    <orientation>portrait</orientation>
    <usb_debugging_disabled>1</usb_debugging_disabled>
    <wifi>
      <ssid>CORP_SSID_PLACEHOLDER</ssid>
      <security>wpa2</security>
      <eap>peap</eap>
      <identity>mdm-enroll</identity>
      <hidden>0</hidden>
    </wifi>
  </preferences>
</config>
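
A pre-deployment lint for profiles shaped like the sanitized XML above, as an added example that is not part of the original project's tooling. It flags unapproved packages, USB debugging left enabled, weak Wi-Fi security, and an admin value that is not a placeholder. The approved-package set, the accepted Wi-Fi security values, the `_PLACEHOLDER` suffix convention, and the name `lint_profile` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumptions (not from the original project): the approved-package set, the
# accepted Wi-Fi security values, and the "_PLACEHOLDER" secret convention.
APPROVED_PACKAGES = {"com.example.kiosk", "com.example.support"}
ALLOWED_WIFI_SECURITY = {"wpa2"}

# Constructed sample: a drifted profile using the element names shown above.
DRIFTED_PROFILE = """<config>
  <applications>
    <application label="Kiosk App" package="com.example.kiosk" activity="com.example.kiosk.MainActivity"/>
    <application label="Browser" package="com.example.browser" activity="com.example.browser.MainActivity"/>
  </applications>
  <passwords><admin attempts="1">constructed-plaintext-value</admin></passwords>
  <preferences>
    <usb_debugging_disabled>0</usb_debugging_disabled>
    <wifi><ssid>CORP_SSID_PLACEHOLDER</ssid><security>open</security></wifi>
  </preferences>
</config>"""


def lint_profile(xml_text, approved=APPROVED_PACKAGES):
    """Return a list of policy findings; an empty list means the profile passes."""
    root = ET.fromstring(xml_text)  # profiles come from the team's own repo, not untrusted input
    findings = []
    apps = root.findall("./applications/application")
    if not apps:
        findings.append("applications: allowlist is empty")
    for app in apps:
        pkg = app.get("package", "")
        if pkg not in approved:
            findings.append(f"applications: unapproved package {pkg!r}")
    # An absent element counts as a failure: the setting must be stated explicitly.
    if (root.findtext("./preferences/usb_debugging_disabled") or "").strip() != "1":
        findings.append("preferences: usb debugging is not disabled")
    security = (root.findtext("./preferences/wifi/security") or "").strip().lower()
    if security not in ALLOWED_WIFI_SECURITY:
        findings.append(f"wifi: security {security!r} not allowed")
    secret = (root.findtext("./passwords/admin") or "").strip()
    if secret and not secret.endswith("_PLACEHOLDER"):
        findings.append("passwords: admin value is not a placeholder")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(DRIFTED_PROFILE):
        print("FAIL", finding)
```

Running the same function over every profile before barcodes are generated gives the validation checklist a machine-checked first step.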

Summary

  • Built a repeatable, auditable Android provisioning system leveraging StageNow bootstrapping and ManageEngine MDM automation.
  • Delivered a hardened kiosk experience through Enterprise Home Screen with staged rollouts and rollback plans.
  • Documented validation checklists and monitoring to sustain compliance and security outcomes.

Tools, Skills, and Concepts Demonstrated

Tools

  • ManageEngine MDM, Zebra StageNow, Enterprise Home Screen, and Zebra USB sideload utilities.

Skills

  • Endpoint lifecycle management, Android Enterprise administration, policy design, and change control with RBAC.

Concepts

  • Kiosk mode operations, app allowlists, XML-based configuration management, compliance monitoring, and near zero-touch provisioning.