I have followed Android-Management-API quick start and successfully done all steps and provision a device with work profile mode. But when I tried provisioning devices(via QR code scan) as dedicated devices after factory reset, it fails and I do not see my device in "devices-list" under my organization. I see "device-policy" in settings>Google on device but when i click on "device policy" it shows that policy not synced and clicking "sync" manually shows "error updating policy". Can you please help if i misconfigure anything?
My policy is given below:
{
"applications": [
{
"packageName": "com.google.android.gm",
"installType": "FORCE_INSTALLED"
}
],
"debuggingFeaturesAllowed": true
}
My QRcode is given below:
{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{enrollment-token}"
}
}
Related
I have released my app with google play integrity api.
App works after device integrity check success
"deviceIntegrity": {
"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]
},
I found issue with some user facing the issue that device passes device integrity at the time of install
but after restart device, deviceIntegrity check failed
here is response what i found during debugging after restart
{
"requestDetails": {
"requestPackageName": "com.my.package",
"timestampMillis": "1674455009345",
"nonce": "Y29tLm1hbnRyYS5yZHNlcnZpY2UyMDIzMDEyMzExNTIzMjajHDrnJ9vtl2AfC1fUdEDJmD_HfvFtcpc\u003d"
},
"appIntegrity": {
"appRecognitionVerdict": "UNEVALUATED"
},
"deviceIntegrity": {
},
"accountDetails": {
"appLicensingVerdict": "UNEVALUATED"
}
}
I have search about UNEVALUATED result
"Application integrity was not evaluated. A necessary requirement was missed, such as the device not being trustworthy enough."
But the issue accures only after restarting the android device
I Hope some one can help us on this issue.
I need to block network access to specific applications using Android management API.
I tried creating a policy something like that:
{
"applications": [
{
"packageName": "com.google.android.googlequicksearchbox",
"installType": "FORCE_INSTALLED",
"permissionGrants": [
{
"permission": "android.permission.CHANGE_NETWORK_STATE",
"policy": "DENY"
},
{
"permission": "android.permission.INTERNET",
"policy": "DENY"
}
]
}
]}
However it doesn't work, when checking the device's non-compliance details I'm getting this:
{
"nonComplianceDetails": [
{
"settingName": "applications",
"nonComplianceReason": "API_LEVEL",
"packageName": "com.google.android.googlequicksearchbox",
"fieldPath": "applications[1].permissionGrants"
},
],
}
Which basically means that my version of android doesn't support this restriction, I tried it on API 30 & 31.
I can't find any documentation on blocking network access to applications, and on which API level it's supported, anyone with experience on that?
With Android Management API Resource:Policy PermissionGrant is used for runtime (dangerous) permissions. Both Internet and CHANGE_NETWORK_STATE permissions are normal permissions, meaning they're granted at install time and don't need to be requested at runtime. More than likely, this is the reason your policy is triggering non-compliance.
One potential solution to block this application from the internet is to require a VPN connection (that does not route to the internet) for this application.
android.permission.INTERNET is a special permission which cannot be granted or denied
Below are the test cases that we created on Play Console for Play Integrity:
We have created combinations of different verdicts that can be received by Play Integrity API. All below test cases work when we remove all google accounts from a device and keep only that email ID with which the test case is created. But these test cases don't seem to work when a device has multiple google accounts.
Test case 1 - device 1:
As per the test case, the verdict returned should be "Basic device integrity met, running unlicensed Play-recognised app" but received below verdict:
`"appIntegrity": {
"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
"certificateSha256Digest": ["KrKTIuq1ehCAmzZmpBnECGnylNUIhJNKmG3cIYU-xU8"],
"packageName": "mypackagename",
"versionCode": "228"
},
"deviceIntegrity": {
"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]
},
"accountDetails": {
"appLicensingVerdict": "LICENSED"
}`
With this verdict, the message displayed on mobile app is - "App is not google play recognized"
When we removed all accounts and kept only device 1 test case email account in the same device, we got the expected result.:
`"appIntegrity": {
"appRecognitionVerdict": "PLAY_RECOGNIZED",
"certificateSha256Digest": ["ki_C3iCaCK58mqf7FNrVH6KsPa8wDxBPsx_NQ37Qslw"],
"packageName": "mypackagename",
"versionCode": "228"
},
"deviceIntegrity": {
"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]
},
"accountDetails": {
"appLicensingVerdict": "UNLICENSED"
}`
With this verdict, the message displayed on mobile app is - "Integrity check fail"
Test case 2 - device 2:
The only exception is this device where all test cases work in spite of the device having multiple google accounts.
As per the test case, the verdict returned should be "Strong device integrity met, running licensed Play-recognised app" which is correctly returned:
`"appIntegrity": {
"appRecognitionVerdict": "PLAY_RECOGNIZED",
"certificateSha256Digest": ["ki_C3iCaCK58mqf7FNrVH6KsPa8wDxBPsx_NQ37Qslw"],
"packageName": "mypackagename",
"versionCode": "228"
},
"deviceIntegrity": {
"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]
},
"accountDetails": {
"appLicensingVerdict": "LICENSED"
}`
With above verdict, no error message is displayed on mobile app and user successfully proceeds to next screen.
Tested same cases on few devices it's not working properly.
I am trying to connect to the Amazon IoT service using an android app following the guide on https://github.com/awslabs/aws-sdk-android-samples/tree/master/AndroidPubSubWebSocket.
I have change the CUSTOMER_SPECIFIC_ENDPOINT to the ENDPOINT value found in SETTINGS section of AWS IoT Console. Additionally I have changed the COGNITO_POOL_ID value to POOL_ID found under the Getting Started with Amazon Cognito.
Unfortunately now everytime I try to connect to the connect, even using the sample code form the above repo, the Connection Status is status keep on trying to Reconnect without providing any throwable object.
In the IoT thing policy did you give appropriate permissions to connect, subscribe and publish. The option can be found in AWS IoT->Security->Policy->Create Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "arn:aws:iot:us-east-2:293751794947:topic/replaceWithATopic"
}
]
}
The above policy gives all access to the user. Also, make sure your pool which you created is for unauthenticated users.
UPDATE
In the IAM policies.Do check if you have given appropriate permissions to the cognito pool. If not attach the IoTFullAccess policy to the pool. It will solve the problem.
I have a mobile meteor app that uses the Facebook API and manage users authentication and sign-ups with the accounts-facebook package.
As long as I tested the app on meteor.com server and on local builds, the following code I provided successfully made the app use the Facebook's user_friends permission:
(That's under client/accounts.js)
Accounts.ui.config({
requestPermissions: {
facebook: ['user_friends']
}
});
However, since I deployed to production with mup, it seems like the user_friends permission doesn't take effect on Facebook itself anymore. Going through my MongoDB I can see that in the db.meteor_accounts_loginServiceConfiguration collection the document for Facebook is:
{
_id: "gCMyTCnTXq3RTPMWm",
service: "facebook",
appId: "*********", // censored
loginStyle: "redirect",
secret: "***************************", // censored
requestPermissions: [
"user_friends"
]
}
So the Meteor app knows that it should ask new users for this permission. Looking at my Facebook account application privacy settings I can see that in contrast with the non-production version I had, there is no "user friends" permission anymore for my app:
Since it's a mobile app, I tried editting the accounts-config.js to contain the permission as well:
ServiceConfiguration.configurations.upsert(
{ service: "facebook" },
{
$set: {
appId: "***********", // censored
loginStyle: "redirect",
secret: "********************************", // censored
requestPermissions: ['user_friends']
}
}
);
Because I have customized login button I also do this while clicking it:
Meteor.loginWithFacebook(['user_friends']);
But had no success retrieving the permissions. Each time I did these changes I removed the users and the app from my Facebook account and tried again from a new Facebook login to avoid the fact that you can't override Facebook's permissions for exist user.
Appearently I used the Meteor.loginWith method wrong. It should get an options object that includes the requestPermissions string array like this, and the problem is solved:
Meteor.loginWithFacebook({requestPermissions: ['user_friends']}, function(err){
if (err){
throw new Meteor.Error("facebook failure");
}
});