Android Management Device Provision Fail - android

I used this quick start guide to setup my project and enterprise. Currently the project is under 'No Organization' on the Google Cloud Console hierarchy.
I have setup the following device policy with a single app in kiosk mode. The app is restricted to a single country and is developed in-house.
{
"safeBootDisabled": true,
"screenCaptureDisabled": true,
"factoryResetDisabled": true,
"systemUpdate": {
"type": "WINDOWED",
"startMinutes": 0,
"endMinutes": 240
},
"applications": [
{
"packageName": "com.xxx.yyy",
"installType": "KIOSK",
"defaultPermissionPolicy": "GRANT"
}
],
"debuggingFeaturesAllowed": true,
"funDisabled": true,
"appAutoUpdatePolicy": "WIFI_ONLY",
"kioskCustomization": {
"statusBar": "NOTIFICATIONS_AND_SYSTEM_INFO_ENABLED"
}
}
I currently use the QR method to provision devices.
The problem I am having is that the provisioning process is failing at the stage when the app is being installed.
When I use this API to check what went wrong I can see that it failed because of the following error:
{
"nonComplianceDetails": [
{
"settingName": "applications",
"nonComplianceReason": "APP_NOT_INSTALLED",
"packageName": "com.xxx.yyy",
"installationFailureReason": "NOT_AVAILABLE_IN_COUNTRY"
},
{
"settingName": "persistentPreferredActivities",
"nonComplianceReason": "APP_NOT_INSTALLED",
"packageName": "com.xxx.yyy"
}
]
}
If I change my device policy from install type "KIOSK" to "AVAILIBLE" the device is successfully provisioned. I can then install the app from the Play store and reset the install type to "KIOSK" mode.
But this is far from ideal because the entire device fleet of 85 production devices settings', are then changed just to provision a single device.
So it seems that while provisioning the device the location settings are incorrect?
Does anybody know why this is happening?

Try to create a separate policy just for this device so that you can provision it without affecting other devices, and once provisioned, you can update which policy is applied to the device to be the same to all other devices.
You can use policies.patch to update the policy or devices.patch.
This also could be for a lack of Kiosk support mode for a given app as KIOSK required the app to have an official “lock task mode” per https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode.

Related

Android Management API features: Set up policy compliance rules

I've been following the Android Management API guide quickstart: https://developers.google.com/android/management/compliance
Then, I've been testing on my device (in this case, my device fails to comply with any of the passwordPolicies), and it worked.
My setup:
{
"policyEnforcementRules": [
{
"settingName": "passwordPolicies",
"blockAction": {
"blockAfterDays": 0,
"blockScope": "BLOCK_SCOPE_DEVICE"
},
"wipeAction": {
"wipeAfterDays": 1,
"preserveFrp": false
}
}
]
}
The device I am testing this on is Pixel 5 running Android 12.
When my device fails with passwordPolicies, many apps on this device have been blocked.
I don't know the list of apps to block. How to set up a list of apps to block when failing policy compliance rules?
Please help me, Thanks!

Get location details using Android Management API

I'm new to Android Management API and I'm unable to figure out how to get the location details using Android Management API. I have tried updating policy as such :
policy_json = '''
{
"applications": [
{
"packageName": "com.google.samples.apps.iosched",
"installType": "FORCE_INSTALLED",
"permissionGrants": [
{
"permission": "android.permission.ACCESS_FINE_LOCATION",
"policy": "GRANT"
}
}
],
"locationMode": "HIGH_ACCURACY"
}
'''
But I don't seem to have gotten the location details. Can anybody please help me through? Thank you!
The value HIGH_ACCURACY is only available in Android 8 or below. If you are using Android 9 or above, you should use LOCATION_ENFORCED instead.
Additionally, please note that locationMode only works on company owned devices.
Please refer to this link for more information.

How to allow systemui activity in KIOSK Mode via Android Management API?

I am using Android Management API to run my APP in Kiosk Mode. It's relying on a USB Device to work correctly, but the prompt for accepting the connection throws an LOCK TASK MODE VIOLATION Error.
At this moment my App gets stuck (propably since the authorization prompt can't be displayed) and can only be reset by reboot.
As explained in this post you can whitelist com.android.systemui, but how can this be applied to the Android Management API?
Alright, i figured it out. I reread this section of the management api documentation. Seems like this is the way to "whitelist" apps for Lock Task Mode, although it's a bit misleading.
So you simply just add the packages as "FORCE_INSTALLED" to your policy, even already installed packages from your system. So in my case:
{
...
"applications": [
{
"packageName": "com.example.app",
"installType": "KIOSK",
"defaultPermissionPolicy": "GRANT"
},
{
"packageName": "com.android.systemui",
"installType": "FORCE_INSTALLED",
"defaultPermissionPolicy": "GRANT"
}
]
}

How can I launch an app automatically using MDM?

I have implemented an Android Management API and a CustomApp API into my project. As I have full device control "managementMode": "DEVICE_OWNER". Is there is a way to launch the app automatically after applying the policy?
My policy is:
{
"applications": [
{
"packageName": "com.xxx.kiosk",
"installType": "FORCE_INSTALLED",
"defaultPermissionPolicy": "GRANT",
"managedConfiguration": {
"venueId": 8
}
},
{
"packageName": "com.evernote",
"installType": "FORCE_INSTALLED",
"defaultPermissionPolicy": "GRANT"
}
],
"setupActions": [
{
"launchApp": {
"packageName": "com.xxx.kiosk"
},
"title": {
"defaultMessage": "Hello"
},
"description": {
"defaultMessage": "Testing"
}
}
]
}
I've tried to implement setupActions -> launchApp -> packageId but nothing happens. The policy only installs the app but does not launch it.
Kind regards
I don't believe such functionality is available using the AMAPI for already provisioned devices.
The setupActions were meant to be executed at provisioning time using the Android Device Policy app. The policy in your example should automatically start the com.xxx.kiosk app right after the device gets provisioned.

Unable to install apk after device provisioning (Android 8.0)

We are developing a COSU app using Android Management API and QR code provisioning. We're planning to distribute app with private Google play, but for now I'm trying to make it work with manual installation using apk. That's how it should work:
A client receives qr code from us, that applies policy without restrictions to the device.
After provisioning client downloads apk from some other source (probably via email) and installs it.
Client applies policy with restrictions from app with call to API.
So, I'm stuck on second step - an attempt to install downloaded apk leads to this error:
Default policy seems to be ok:
{
"name": "enterprises/<enterpriseName>/policies/policy_unlocked",
"version": "11",
"applications": [
{
"packageName": "com.axmor.fsinphone",
"installType": "AVAILABLE",
"defaultPermissionPolicy": "GRANT"
}
],
"persistentPreferredActivities": [
{
"receiverActivity": "com.axmor.fsinphone",
"actions": [
"android.intent.action.MAIN"
]
}
],
"systemUpdate": {
"type": "WINDOWED",
"startMinutes": 120,
"endMinutes": 240
},
"debuggingFeaturesAllowed": true
}
]
}
And this policy is applied to device:
"policyName": "enterprises/<enterpriseName>/policies/policy_unlocked",
"appliedPolicyName": "enterprises/<enterpriseName>/policies/policy_unlocked",
What I've tried:
Installing release apk and signed apk (same result)
Installing apk with adb from Android studio - this works, but it's not what I want.
(copying the solution here from comments)
To be able to install apps from outside the Play Store you need to set installUnknownSourcesAllowed to true in the Policy. More details in the policy references.

Categories

Resources