Unable to set device owner through programmatically - android

I tried to execute the following code to set my app as a device owner. I can't use ADB because I have more than 10K Android 9 non-rooted devices, so I need to do this programmatically.
String name = AdminReceiver.class.getName();
if (name.startsWith(BuildConfig.APPLICATION_ID)) {
    name = name.substring(BuildConfig.APPLICATION_ID.length());
}
final String command = "dpm set-device-owner " + BuildConfig.APPLICATION_ID + '/' + name;
Process process = Runtime.getRuntime().exec(command);
Log.d(TAG, "RETURN VALUE:" + process.waitFor());
process.waitFor() always returns 1.

Need to do this programmatically
Fortunately, that is not possible, for blindingly obvious security reasons.

Use QR Enrollment instead!
You can generate a QR Code which contains a URL for your Device Owner package. Then you can scan this code in the factory setup process of the device.
See the documentation here
The Data in the QR Code would look something like this:
{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup"
}
Simply replace the information with your own device owner package information. After scanning, the device will download, install, and set up the device owner.
If you become an EMM Partner with Google, you can even do Zero-Touch-Enrollment by getting preconfigured Android devices from the manufacturers. But Google stopped approving requests for custom device policy managers and you must use the Android Management API now.
Footnotes
Instructions on how to scan the QR Code
Device Admin Developer reference for streamlining this into the device admin app
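
An added example, not part of the original answer: when you replace the payload values with your own, the checksum is the SHA-256 digest encoded as URL-safe base64, and the sketch below computes it over the APK file (the PACKAGE_CHECKSUM variant) and lints a payload before it is turned into a QR code. The function names, the com.example component, the mdm.example.com URL and the https-only rule are assumptions of this example; the 43-character unpadded form is the one the payloads on this page use.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

PREFIX = "android.app.extra.PROVISIONING_DEVICE_ADMIN_"
# SHA-256 digest as URL-safe base64 without '=' padding is always 43 characters.
CHECKSUM_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def provisioning_checksum(data: bytes) -> str:
    """URL-safe base64 of SHA-256(data), padding stripped."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(component: str, download_url: str, apk_bytes: bytes) -> dict:
    """QR payload that pins the exact APK file via PACKAGE_CHECKSUM."""
    return {
        PREFIX + "COMPONENT_NAME": component,
        PREFIX + "PACKAGE_CHECKSUM": provisioning_checksum(apk_bytes),
        PREFIX + "PACKAGE_DOWNLOAD_LOCATION": download_url,
    }


def lint_payload(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload passed."""
    problems = []
    component = str(payload.get(PREFIX + "COMPONENT_NAME", ""))
    if component.count("/") != 1 or not all(component.split("/")):
        problems.append("component name is not package/receiver")
    url = urlparse(str(payload.get(PREFIX + "PACKAGE_DOWNLOAD_LOCATION", "")))
    if url.scheme != "https" or not url.netloc:
        # Policy choice of this example, not a platform rule.
        problems.append("download location is not an https URL")
    checksums = [payload[PREFIX + key]
                 for key in ("PACKAGE_CHECKSUM", "SIGNATURE_CHECKSUM")
                 if PREFIX + key in payload]
    if not checksums:
        problems.append("no package or signature checksum")
    for value in checksums:
        if not CHECKSUM_RE.fullmatch(str(value)):
            problems.append("checksum is not unpadded URL-safe base64 SHA-256")
    return problems


if __name__ == "__main__":
    fake_apk = b"constructed stand-in for the APK file bytes"
    payload = build_payload("com.example.dpc/.AdminReceiver",       # hypothetical
                            "https://mdm.example.com/dpc.apk", fake_apk)
    print(payload, lint_payload(payload))
```

Because the QR code tells a factory-fresh device what to install as device owner, running a lint like this before printing or distributing the code catches an unpinned or mistyped payload.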

Related

Android Management API doesn't apply policies

I've been following the Android Management API guide quickstart:
https://colab.research.google.com/github/google/android-management-api-samples/blob/master/notebooks/quickstart.ipynb
I have created a dummy project, enterprise, and service account.
I can generate a qrcode with the following python script:
from apiclient.discovery import build
import google.auth
import os
from urllib.parse import urlencode
import webbrowser
# set key as environment variable, so that google.auth.default() can automatically find the project
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "./celtic-bazaar-342809-6536138e074c.json"
credentials, project = google.auth.default()
# Create the API client.
androidmanagement = build('androidmanagement', 'v1')
print('\nAuthentication succeeded.')
enterprise_name = 'enterprises/LC0498xe68'
policy_name = enterprise_name + '/policies/policy2'
# define policy
policy_json = {
    'debuggingFeaturesAllowed': True,
    'locationMode': 'LOCATION_DISABLED'
}
result = androidmanagement.enterprises().policies().patch(
    name=policy_name,
    body=policy_json
).execute()
enrollment_token = androidmanagement.enterprises().enrollmentTokens().create(
    parent=enterprise_name,
    body={"policyName": policy_name}
).execute()
image = {
    'cht': 'qr',
    'chs': '500x500',
    'chl': enrollment_token['qrCode']
}
qrcode_url = 'https://chart.googleapis.com/chart?' + urlencode(image)
webbrowser.open(qrcode_url, new=0)
print('\nIf the code is not displayed automatically, visit this URL to scan the QR code:', qrcode_url)
However, when I scan the code with my device, I get the following error:
"Oops Couldn't set up your device. Contact your IT department."
If I just set the policy_json to {'debuggingFeaturesAllowed': True} I don't get the error, but adding any other options (adjustVolumeDisabled, uninstallAppsDisabled, etc.) results in the error and the options aren't applied.
If I go to the device's settings -> security -> Device administrators, I can see that 'Device Policy' is there and cannot be deactivated but none of the options are applied.
The device I am testing this on is an Asus ZenPad Z380M running Android 7.0
What is causing this error?
Are you provisioning a work profile or a fully managed device (company-owned device after factory reset)?
https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#locationmode
Location mode works only on company-owned devices.
But this policy as work profile should install.
Turns out the device wasn't being enrolled at all using this method, even when there was no error. I checked this with the REST API:
https://developers.google.com/android/management/reference/rest/v1/enterprises.devices/list
The way I got around it was to follow the guide for enrolling an Android 6.0 device:
Turn on a new or factory-reset device.
Follow the setup wizard and enter your Wi-Fi details.
When prompted to sign in, enter afw#setup.
Tap Next, and then accept the installation of Android Device Policy.
Scan the QR code.
Strange since the device definitely was running Android 7.0 but it's an old device so it may be because of that.
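
An added example, not code from the thread: an offline triage of one page of an enterprises.devices.list response, covering both outcomes discussed above (no device enrolled at all, and a setting such as locationMode not applied because of the management mode). The sample response and device id are constructed, the function name is hypothetical, and the field names are those of the Android Management API Device resource.

```python
POLICY = "enterprises/LC0498xe68/policies/policy2"  # names from the question

# Constructed sample shaped like one page of an enterprises.devices.list reply.
SAMPLE_RESPONSE = {
    "devices": [{
        "name": "enterprises/LC0498xe68/devices/EXAMPLE0001",  # constructed id
        "managementMode": "PROFILE_OWNER",
        "appliedPolicyName": POLICY,
        "policyCompliant": False,
        "nonComplianceDetails": [
            {"settingName": "locationMode",
             "nonComplianceReason": "MANAGEMENT_MODE"},
        ],
    }]
}


def triage_devices(response: dict, expected_policy: str) -> list:
    """Return (device, issue, detail) tuples for one response page."""
    devices = response.get("devices", [])
    if not devices:
        # A scan that "worked" on the device but left this list empty
        # means enrollment never completed.
        return [("-", "not-enrolled", "enterprise has no devices")]
    findings = []
    for dev in devices:
        name = dev.get("name", "<unnamed>")
        applied = dev.get("appliedPolicyName")
        if applied != expected_policy:
            findings.append((name, "wrong-policy", str(applied)))
        details = dev.get("nonComplianceDetails", [])
        for item in details:
            findings.append((name, "setting-not-applied",
                             f"{item.get('settingName')}: "
                             f"{item.get('nonComplianceReason')} "
                             f"(mode {dev.get('managementMode')})"))
        if not dev.get("policyCompliant", False) and not details:
            findings.append((name, "non-compliant", "no details reported"))
    return findings


if __name__ == "__main__":
    for finding in triage_devices(SAMPLE_RESPONSE, POLICY):
        print(finding)
```

The function looks at a single page only; a real listing may continue through nextPageToken.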

Android Device Owner QR Code provisioning disables Backup Service

I'm provisioning Android devices in Device-Owner mode via QR code. The device owner app is from our EMM tool (Ivanti EPM).
The provisioning itself works fine, but the problem is that after the provisioning the Backup Service is not accessible (greyed out).
But one of our customers needs it to restore the contacts from the old devices.
I already searched a lot and found something to enable Backup Service (see link below), but not with the QR code method.
https://developer.android.com/reference/android/app/backup/package-summary
This is the QR code in Text with line breaks:
{
    'android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME': 'afw.com.landesk.ldmsagent/com.landesk.ldmsagent.DeviceAdmin',
    'android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION': 'http://community.ivanti.com/downloads/patch/component/LD2016/android-AFW-prod.apk',
    'android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM': 'hOYijtSjVpTKDz1KT_TGoP8cPyDbH_nuxJkIzWpNn7E',
    'android.app.extra.PROVISIONING_SKIP_ENCRYPTION': true
}
Does somebody have any ideas how to get the Backup Service working again?
Is there a way with android.app.extra.PROVISIONING, or is there a way to give the settings from an XML or JSON file or something?

Integrating Air Watch Android Studio

I am very much new to AirWatch Concept but had gone thoroughly about AirWatch. I have gone through the following links,
http://developer.air-watch.com/android/application-configuration-with-the-android-sdk/
http://developer.air-watch.com/android/android-sdk-setup/
but in vain.
Could anyone please help me regarding the integration of AirWatch in Android?
Things I have done so far:
I have created an app in https://apidev.awmdm.com, and I have added assignments. The question here is, how can I get the assignment details that were added in the AirWatch Console in my Android application?
Help is really appreciated.
Update:
I am able to create and push the application from the AirWatch Console to my device. Now, the issue I am facing is that if I add some application configuration in the AirWatch Console, I am not able to get those details in my application.
I have gone through the below Url for the above scenario,
https://appconfig.org/android/ which is very much similar to https://appconfig.org/ios/
I have implemented the things that were mentioned in the above URL, but I am still not able to get those details. Please let me know if I am wrong anywhere.
I got to know that the key-value pairs that are passed in the AirWatch Console will come into the com.apple.configuration.managed key in iOS. Does anyone have an idea how these key-value pairs will come? As far as I know, they will be handled via Restriction Manager. But I have no idea/clue how to handle this in Android.
Updated:
xml/app_restrictions.xml:
<?xml version="1.0" encoding="utf-8"?>
<restrictions xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
    <restriction
        android:key="ManagedServer"
        android:restrictionType="string"
        android:title="Managed Server"
        tools:ignore="ValidRestrictions" />
    <restriction
        android:key="@string/mdm_key_managed_server_name"
        android:restrictionType="string"
        android:title="@string/mdm_key_managed_server_url"
        tools:ignore="ValidRestrictions" />
    <restriction
        android:key="@string/mdm_key_managed_server_url"
        android:restrictionType="string"
        android:title="@string/mdm_key_managed_server_url"
        tools:ignore="ValidRestrictions" />
</restrictions>
onCreate method:
IntentFilter restrictionsFilter =
        new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);
BroadcastReceiver restrictionsReceiver = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
        Toast.makeText(LoginActivity.this, "Reciever Called", Toast.LENGTH_LONG).show();
        // RestrictionsManager exists from API 21 (Lollipop) onwards
        if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP) {
            RestrictionsManager myRestrictionsMgr =
                    (RestrictionsManager)
                            getSystemService(Context.RESTRICTIONS_SERVICE);
            if (myRestrictionsMgr != null) {
                // Get the current configuration bundle
                Bundle appRestrictions = myRestrictionsMgr.getApplicationRestrictions();
                // Check current configuration settings, change your app's UI and
                // functionality as necessary.
                if (appRestrictions != null) {
                    if (appRestrictions.containsKey("ManagedServer")) {
                        // Read the same key that was checked above ("ManagedServer")
                        String mConfigDetails = appRestrictions.getString("ManagedServer");
                        Toast.makeText(LoginActivity.this, "" + mConfigDetails, Toast.LENGTH_LONG).show();
                    }
                }
            }
        }
    }
};
registerReceiver(restrictionsReceiver, restrictionsFilter);
List of Users:
When I am actually trying the other command:
Update:
Created a sample app and published to Play Store. App link as follows,
https://play.google.com/store/apps/details?id=com.manu.samplemdm
Now it's a Play Store app. I am sending Application Configuration but am unable to receive it in the application. It is still giving me an empty bundle.
Help would be really appreciated.
Help is really appreciated
Besides the AirWatch resources, which tell you how you can create an app and set the app configurations (key-value pairs) to push to your devices, you need to check out the Android Restriction Manager API. Follow the steps described in the link.
How the whole process works is: AirWatch controls the AndroidForWork environment after you set your MDM as AirWatch. Then AirWatch manages the device from the AirWatch console and pushes the App Configuration to AndroidForWork on your device. You need to implement Android Restriction Manager to access the data passed to you by your MDM. It goes the same for all of the MDMs in the market.
Update:
In order to install your app into Work Container in the development phase, you can use adb to copy it from Personal Container to Work Container.
First, list all of the active users in the device:
./adb shell pm list users
And later, find the Work User's ID from the List of Users and set it in the command below along with your app's package name and App's Main Activity.
./adb shell am start --user 13 -n "your.apps.package.name/your.main.activity.package.name"
13 up there in the command is the Work User's ID. In my case, it's 13.
For more information about ./adb commands in Managed Profiles, see this link and check the most bottom of the page.
There are a couple of different approaches to integrating with AirWatch. It depends on the technology set you're trying to use. I think these are the 2 that are most relevant to you based on what I see in your post:
AirWatch SDK
AppConfig Standard
Both these approaches can accomplish similar functionality but each have different deployment requirements. It sounds like you have gone with the second approach which is using the AppConfig standard and the native APIs provided by Google to have an app read configuration values delivered through AirWatch.
One important thing to note is the AppConfig standard approach on Android requires the device to support "Android for Work" enrollment which is a relatively newer management protocol released by Google. It's worth noting that AirWatch does support Android for Work enrollment so it may just be a matter of getting your AirWatch test instance configured for "Android for Work enrollment" instead of the traditional older Android enrollment protocol. More information about Android for Work can be found here:
https://enterprise.google.com/android/solutions/personal/
If you're already a customer of AirWatch, it may be helpful to create an account here on their resource portal if you haven't done so already to get access to documentation about how you can setup Android for Work within AirWatch. https://resources.air-watch.com
I hope this helps.

Unique Identifier for Mobile Devices using Cordova and AngularJS

Please don't mark my post as a duplicate, because I am totally confused by those posts when I google it.
But I need your valuable statements and real-time experience on how to get a UNIQUE IDENTIFIER for iOS, Android and Windows Mobile.
I have a scenario where, when a user logs in with UserName and Password, I send the details to the server and at the same time I need to send the Device UUID. By using the device UUID and user credentials I am going to restrict a second user login when the first user is already logged in (active). But I am confused about getting the iOS Device UUID, and I have seen in many posts that iOS is killing apps in the App Store when the app is accessing any UUID values.
Please suggest a better way to complete my task.
Link-1
Link-2
Sorry for my bad English....!!!
You can use the Unique Device ID plugin.
Install it:
cordova plugin add cordova-plugin-uniquedeviceid
And use it:
window.plugins.uniqueDeviceID.get(function (uuid) {
    console.log("Unique ID: " + uuid);
}, function (error) {
    console.error(error);
});
This will give you a unique ID per device that persists between installs.
Note that on Android 6 it requires telephony run-time permission to access SIM ID. Also you may need to fork it and update it to get the Windows Phone 8 code working on Windows 10 Mobile.
In the case of Angular:
You gotta install ngx-device-detector via npm, then import it in your module and in the imports section add DeviceDetectorModule.forRoot(). Then in the component you're gonna use, import it and add private deviceService: DeviceDetectorService in the constructor. It will generate a method for you; add it in the constructor as this.epicFunction(). If it doesn't, paste this:
epicFunction() {
    console.log('hello `Home` component');
    this.deviceId = this.deviceService.getDeviceInfo();
    const isMobile = this.deviceService.isMobile();
    const isTablet = this.deviceService.isTablet();
    const isDesktopDevice = this.deviceService.isDesktop();
    console.log(this.deviceId);
    console.log(isMobile); // returns if the device is a mobile device (android / iPhone / windows-phone etc)
    console.log(isTablet); // returns if the device is a tablet (iPad etc)
    console.log(isDesktopDevice); // returns if the app is running on a Desktop browser.
}
Note: "this.deviceId" is a variable I created at the start of the class.
In the case of Android, just import the security and add the permission in the manifest file.

Why can't I create a restricted profile when an owner device app is set?

I recently noticed that when a Device Owner application is set, it's not possible to create a restricted profile.
First case : When my device owner app is not set.
From Settings>Users : I can "Add user or Profile", and then choose between a User or a Restricted Profile.
Second case : When my device owner app is set.
From Settings>Users : I can only "Add user", and then I get the confirmation to create a new user. In this second case, it's not possible to create a restricted profile.
I'd like to know why it's not available in this case and how I could possibly create a restricted profile in this case ?
The second part of my question is : how can I programmatically create a restricted profile - or an equivalent behavior - using the existing DevicePolicyManager API (as far as I can see, there's no public API to create restricted profile) ?
UPDATE:
I made a sample app to illustrate this. It's available on Github.
Steps to reproduce :
Compile the app
Upload the application to your device
Set the application as device owner using dpm command line tool: adb shell dpm set-device-owner com.mytest.minimalistdeviceowner/.DeviceAdminRcvr.
Check that the creation of profile is not available in Settings>Users
Unset the application as device owner by clicking, in the app, on "Unset Device Owner".
Check that the creation is now available in Settings>Users
Restricted profiles are not available for tablets with a device owner, or phones. It's shown in the Settings app source code available here:
DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(
        Context.DEVICE_POLICY_SERVICE);
// No restricted profiles for tablets with a device owner, or phones.
if (dpm.getDeviceOwner() != null || Utils.isVoiceCapable(context)) {
    mCanAddRestrictedProfile = false;
    mAddUser.setTitle(R.string.user_add_user_menu);
}
So that's not a bug, but a functionality. It's probably disabled to avoid interfering with your Device Owner App.
You should be aware of that, and because you have more power with your Device Owner App, it means you'll have to restrict your user by yourself from this Device Owner App.
To do that, you could use all restrictions API provided through DevicePolicyManager.addUserRestriction(), DevicePolicyManager.setGlobalSetting(), DevicePolicyManager.setSecureSetting() to configure settings, and also DevicePolicyManager.setApplicationHidden() to limit applications access for your user.
Why can't I create a restricted profile when an owner device app is set?
Probably because the device owner app manages the profiles already. I guess it was easier to do like that without bypassing the device owner app restrictions.
How can I programmatically create a restricted profile?
The method DevicePolicyManager.createAndInitializeUser() can be used to create a managed profile. This profile cannot be managed directly in the settings, but the device owner app can access nearly the same features.
One feature that I cannot find is the ability to share an app from the owner profile to managed one.
