From my last posted question below,
Not getting any idea about the workflow of managing an Android device from another device using a pre-installed Android app on both devices
I am here today with a new problem. I used the Android Management API to create an enterprise and enroll a device with device policies (I used the sample provided here: a link). But what I am trying to achieve, I am not getting. I want the app to be able to disable all normal apps and the camera when the parent app blocks them on the child's device from its own device using the Android Management API. But what I am getting is that upon enrollment of the policy using the enrollment token, I see a separate work profile being created on the Android device, which is not my requirement in the app.
So if anyone out here can help me out with this one, I'd be very thankful.
TL;DR:
To fully control a device you must enroll it in DEVICE OWNER mode.
I'll try to stick only to this question and address your other concerns when answering the other one.
You can enroll a device mainly in two modes, WORK PROFILE and DEVICE OWNER: one is meant for enterprises that want to allow a BYOD model, the other for enterprises that provide company-owned terminals and want to exert full control over them.
From the docs: https://developers.google.com/android/management/provision-device
The work profile provisioning methods create a work profile on a device. A work profile is a self-contained space that separates work apps from personal apps (see employee-owned devices for more information). On devices with work profiles:
Android Device Policy is installed within the work profile.
devices.managementMode is set to PROFILE_OWNER.
Most policies and commands apply to the work profile only.
The fully managed and dedicated device provisioning methods provide enterprises with full management control over a device:
Android Device Policy is installed on the device's personal (primary) profile.
devices.managementMode is set to DEVICE_OWNER.
Policies and commands apply to the entire device.
Your idea probably needs DEVICE_OWNER mode, but here is the big problem: to enable it you must enroll a device that has been factory reset!
So you need a much more specific process to prepare a device before use; you cannot achieve such strict control over a device just by installing an app and controlling it from outside, permissions or not. It's against the logic of a "personal device".
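The answer above says what the API can and cannot do; the following is an added example (not code from the question or the answer) showing the concrete calls for the fully managed path: a policy that disables the camera and blocks the listed apps, an enrollment token that refuses work-profile provisioning, the QR payload to scan on the factory-reset device, and a check of managementMode afterwards. It assumes google-api-python-client with a service-account credential; the enterprise name, policy id, file path and package names are placeholders.

```python
"""Lock down a company-owned Android device with the Android Management API.

Added example, not code from the original post. It assumes
google-api-python-client with a service-account credential, and uses
placeholder names for the enterprise, the policy and the blocked apps.
"""
import json

ENTERPRISE = "enterprises/LC0123abcd"      # placeholder enterprise name
POLICY_ID = "locked-down"                   # placeholder policy id

# Standard DevicePolicyManager provisioning extras for Wi-Fi during setup.
PROVISIONING_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
PROVISIONING_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
PROVISIONING_WIFI_SECURITY_TYPE = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"


def build_lockdown_policy(blocked_packages, required_packages=()):
    """Body for enterprises.policies.patch.

    cameraDisabled and the app block list cover the whole device only when
    the device's managementMode is DEVICE_OWNER; on a work profile
    (PROFILE_OWNER) they apply inside the profile and the personal side
    keeps its camera and apps.
    """
    applications = [
        {"packageName": pkg, "installType": "BLOCKED"} for pkg in blocked_packages
    ]
    applications += [
        {"packageName": pkg, "installType": "FORCE_INSTALLED"}
        for pkg in required_packages
    ]
    return {
        "cameraDisabled": True,
        "applications": applications,
        # WHITELIST: only apps listed in `applications` are available in
        # managed Google Play, so every other app is blocked from install.
        "playStoreMode": "WHITELIST",
        "installAppsDisabled": True,
        "uninstallAppsDisabled": True,
        "factoryResetDisabled": True,
    }


def enrollment_token_body(policy_id, duration_seconds=3600):
    """Body for enterprises.enrollmentTokens.create.

    PERSONAL_USAGE_DISALLOWED means the token cannot be used to set up a
    work profile on a company-owned device; the device has to be
    provisioned as fully managed, which is the outcome the question wants.
    """
    return {
        "policyName": f"{ENTERPRISE}/policies/{policy_id}",
        "duration": f"{duration_seconds}s",
        "allowPersonalUsage": "PERSONAL_USAGE_DISALLOWED",
    }


def qr_payload_with_wifi(enrollment_token, ssid, password, security="WPA"):
    """Return the QR-code JSON for the token, plus Wi-Fi provisioning extras.

    The API returns the provisioning payload as a JSON string in `qrCode`.
    Adding the Wi-Fi extras lets the factory-reset device join the network
    during setup instead of prompting. The returned dict is what you encode
    into the QR image (e.g. with the `qrcode` package).
    """
    payload = json.loads(enrollment_token["qrCode"])
    payload[PROVISIONING_WIFI_SSID] = ssid
    payload[PROVISIONING_WIFI_PASSWORD] = password
    payload[PROVISIONING_WIFI_SECURITY_TYPE] = security
    return payload


def applies_device_wide(device):
    """True when a Device resource (enterprises.devices.get) is enrolled as
    fully managed, i.e. cameraDisabled and app blocking cover the entire
    device rather than just a work profile."""
    return device.get("managementMode") == "DEVICE_OWNER"


def push_lockdown(service, blocked_packages):
    """Create/patch the policy and mint a token (needs network + credentials)."""
    policy_name = f"{ENTERPRISE}/policies/{POLICY_ID}"
    service.enterprises().policies().patch(
        name=policy_name, body=build_lockdown_policy(blocked_packages)
    ).execute()
    return service.enterprises().enrollmentTokens().create(
        parent=ENTERPRISE, body=enrollment_token_body(POLICY_ID)
    ).execute()


if __name__ == "__main__":
    # Real run: needs google-api-python-client and a service-account key.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        "service-account.json",  # placeholder path
        scopes=["https://www.googleapis.com/auth/androidmanagement"],
    )
    svc = build("androidmanagement", "v1", credentials=creds)
    token = push_lockdown(svc, ["com.example.game"])  # placeholder package
    print(json.dumps(qr_payload_with_wifi(token, "lab-ssid", "secret"), indent=2))
```

After the device finishes setup, fetch it with enterprises.devices.get and run applies_device_wide on the result: if it reports PROFILE_OWNER, the token was used from an already set-up device and only a work profile was created, which is exactly the symptom in the question.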
I have developed an app that communicates with our machine via Wi-Fi. You can think of it like an app that is used at car gas stations, such as the Shell, Fillibri or ryd apps. This means that the app can only be used when the customer is in front of our machine. If the customer is not directly in front of our machine, the app cannot be used and the customer only sees a message.
My question:
How can I provide access for the app review in the app stores, since the app only works when it is connected to our machine via Wi-Fi?
I didn't find anything on Google.
Had the same problem:
Apple: rejected the app; then we provided them with a video link showing every feature of the app and explained that it cannot be used without the related hardware. We had to film a user using the app from another phone (not a screen recording). Make sure the video is clear and not shaky, and provide a full text step-by-step explanation of the cycle.
Google Play: did not reject the app, but we provided the link to the same video anyway in the "Needed credentials" section.
We had a similar product. The solution is not exactly simple. We shipped the machine to Apple / Google so the reviewers can use it to test / validate your releases.
In the guide for the Android Management API it is said:
Fully managed mode
In fully managed mode the entire device is managed and
the device needs to be factory reset before setup.
To set up a device in fully managed mode you need to use a QR code.
For devices running Android 7.0 or above:
Turn on a new or factory-reset device.
Tap the same spot on the welcome screen six times to enter QR code mode.
Connect to a WiFi network.
Scan the QR code.
My question is how to add a TV that does not have touch support. Are TVs possible at all?
I am not sure if TVs are supported.
You can get more information at the link below:
https://www.android.com/intl/en_in/enterprise/devices/
You can also try the DPC identifier method:
If Android Device Policy can't be added via QR code or NFC a user or IT admin can follow these steps to provision a company-owned device:
Follow the setup wizard on a new or factory-reset device.
Enter Wi-Fi login details to connect the device to the internet.
When prompted to sign in, enter afw#setup, which downloads Android Device Policy.
Scan a QR code or manually enter an enrollment token to provision the device.
No. The Android Management API won't work on TVs.
I'm new to the Android enterprise development world, and I have some misconceptions about how the different pieces of the Android enterprise ecosystem relate to one another. Let me explain.
The solution I'm trying to achieve is being able to lock the device into kiosk mode both remotely and, based on some business logic, also when the user is offline. I started investigating EMM and particularly the Android Management API to solve the problem. I was able to lock the device remotely into kiosk mode using the API. The steps I take are the following:
Factory reset the Android device
Reach the screen where the user needs to enter their credentials
Instead of real credentials, enter afw#setup
The device enters work profile mode and Android Device Policy is installed
Create an enrollment token in the Management API (the steps for that are described in the quick start guide)
Generate a QR code and scan it with the factory-reset device as soon as prompted
The device is linked to the enterprise, and I'm successfully able to control it and put it into kiosk mode by creating a special kiosk-mode policy and patching the device to comply with that policy, using a combination of the patch policy (to create a policy) and patch device APIs.
The next step was finding a way to lock the device into kiosk mode even when the user is offline. I assume that it's going to happen by creating an Android enterprise custom DPC (device policy controller) application. I assumed that from reading the following documentation, where one of the 3 ways of provisioning "single purpose" devices is creating a custom DPC application. Here's another quote from a different URL:
As an EMM, you develop a DPC app that can be used by your customers in conjunction with your EMM console and server. Your customer deploys the DPC to the user devices that they manage. The DPC acts as the bridge between your EMM console (and server) and the device. An admin uses the EMM console to perform a range of tasks, including configuring device settings and apps.
And here's where all my confusion arises.
The first question that naturally arises: was the author of the previous quote referring to the EMM management API when talking about the EMM console and server?
Further, there are more questions I couldn't find an answer to:
In the guide for creating a custom DPC there is no mention of what role the EMM API will play in a custom DPC, and consequently there's no place I could find that describes how exactly the custom DPC is a bridge between the EMM console (presumably the EMM API) and the device.
Then, let's assume I've developed a custom DPC application and uploaded it to the Google Play alpha channel. The documentation states that during the setup process, instead of entering afw#setup I should enter afw#DPC_NAME, and I have no idea how to generate that name. Is it the bundle ID of the DPC app? Or perhaps it's set somewhere in Google settings? For instance, Google has developed the TestDPC application to test enterprise solutions, and I was able to go through the steps I described above, enter afw#testdpc and successfully scan the QR code in the git README file, and I saw that TestDPC was installed and the device was launched into work profile mode. So, I assume I somehow need to register my own "testdpc" and enter afw#my_dpc instead.
Basically I have different pieces working stand-alone and I want to form a broader picture in my mind to understand how to stitch those pieces together.
Thanks for your answers
UPDATE 1:
Today I found a way of turning a custom DPC into device owner without going through NFC or another provisioning process. This is particularly useful for development purposes. Follow this link for instructions. This is both a huge time saver and, in my case, since we are still waiting for Google's approval, we can finally start testing some stuff without the need for a custom provisioning process.
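The question above describes the remote half of the kiosk procedure (create a kiosk policy with policies.patch, then move the device onto it with devices.patch) without showing the request bodies. The following is an added example, not code from the question or the answers, written against the Android Management API; the enterprise name, device id and package name are placeholders and the kioskCustomization values are those listed for that field in the Policy resource reference. It also shows a compliance check that reads the applied policy rather than the requested one.

```python
"""Pin a fully managed Android device to a single app (kiosk) with the
Android Management API.

Added example, not code from the original post. Enterprise, device and
package names are placeholders; real calls need google-api-python-client
and a service-account credential.
"""

ENTERPRISE = "enterprises/LC0123abcd"   # placeholder enterprise name


def build_kiosk_policy(kiosk_package):
    """Policy body: one app pinned as the launcher, the rest hidden.

    installType KIOSK force-installs the app and makes it the home app;
    kioskCustomization disables the escape hatches (power menu, system
    navigation, status bar, Settings). Android Device Policy enforces the
    synced policy locally, so the pinning survives losing connectivity.
    """
    return {
        "applications": [
            {"packageName": kiosk_package, "installType": "KIOSK"},
        ],
        "kioskCustomization": {
            "powerButtonActions": "POWER_BUTTON_BLOCKED",
            "systemErrorWarnings": "ERROR_AND_WARNINGS_MUTED",
            "systemNavigation": "NAVIGATION_DISABLED",
            "statusBar": "NOTIFICATIONS_AND_SYSTEM_INFO_DISABLED",
            "deviceSettings": "SETTINGS_ACCESS_BLOCKED",
        },
        "installAppsDisabled": True,
        "uninstallAppsDisabled": True,
        "safeBootDisabled": True,
        "factoryResetDisabled": True,
    }


def device_patch_request(policy_id):
    """(body, updateMask) for enterprises.devices.patch.

    Restricting the mask to policyName means nothing else on the Device
    resource is overwritten by the patch.
    """
    return {"policyName": f"{ENTERPRISE}/policies/{policy_id}"}, "policyName"


def kiosk_applied(device, policy_id):
    """True once Android Device Policy reports the kiosk policy in force.

    `policyName` changes the moment you patch the device; `appliedPolicyName`
    and `policyCompliant` only change after the device syncs, so a remote
    lock is only confirmed when the applied name matches. A PROFILE_OWNER
    device can never be a device-wide kiosk, so managementMode is checked too.
    """
    expected = f"{ENTERPRISE}/policies/{policy_id}"
    return (
        device.get("managementMode") == "DEVICE_OWNER"
        and device.get("appliedPolicyName") == expected
        and device.get("policyCompliant", False) is True
    )


def lock_device_into_kiosk(service, device_id, kiosk_package, policy_id="kiosk"):
    """Patch (create-or-update) the policy, then point the device at it.

    Needs network and credentials; returns the updated Device resource.
    """
    policy_name = f"{ENTERPRISE}/policies/{policy_id}"
    service.enterprises().policies().patch(
        name=policy_name, body=build_kiosk_policy(kiosk_package)
    ).execute()
    body, mask = device_patch_request(policy_id)
    return service.enterprises().devices().patch(
        name=f"{ENTERPRISE}/devices/{device_id}", updateMask=mask, body=body
    ).execute()


if __name__ == "__main__":
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        "service-account.json",  # placeholder path
        scopes=["https://www.googleapis.com/auth/androidmanagement"],
    )
    svc = build("androidmanagement", "v1", credentials=creds)
    dev = lock_device_into_kiosk(svc, "3b2c1d0e", "com.example.kioskapp")
    print("kiosk confirmed:", kiosk_applied(dev, "kiosk"))
```

Poll enterprises.devices.get and pass the result to kiosk_applied; the patch returning successfully only means the request was recorded, not that the device has pulled and applied the policy.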
There are two distinct ways of managing Android devices:
The new way: the Android Management API. It is the way recommended by Google and it's significantly simpler than the old way: you don't need to call other APIs or create a custom DPC. If your use case is not addressed by this API, you can send feedback to Google so they can add the missing features.
The old way (no longer available for new deployments as of 2019-12-20): using a custom DPC. For that you need to:
create a custom DPC,
register your custom DPC with Google by joining the EMM Community (this is how you get the afw#DPC_NAME),
use the Google Play EMM API to install apps.
In the documentation you, the developer using these APIs, are referred to as "the EMM". "EMM server" refers to the server that you own and that calls these APIs, and "EMM console" refers to the UI console that you expose to your IT admins, if any.
https://developer.android.com/work/dpc/build-dpc
Caution: Android Enterprise is no longer accepting new registrations for custom device policy controllers (DPCs). Learn more.
Hi @Fred,
I found the above information at the mentioned path.
I have some questions regarding the above conversation.
If we use the Android Management API to develop an EMM, we don't need to implement a custom DPC app?
Can we register an account in the EMM community with a custom DPC app?
Is it possible to use a custom DPC app with the Android Management API?
We have an Android app as an enterprise app which disables the camera of the device. This functionality breaks when the user switches to a guest user or similar functionality. Having the app as Device Administrator is not enough. We have found one solution, i.e. making the app device owner with NFC provisioning and similar approaches, but this requires the device to be factory reset. So is there any other approach that will help us disable the camera across all profiles without factory resetting the device? I believe this is not an ideal approach from the user's point of view.
Here is the guide for Android device administration; there you can disable the camera programmatically. You can refer to this link:
https://developer.android.com/guide/topics/admin/device-admin.html
You can't, and while it restrains developers, it is actually a good thing for users' security.
Among other things, a Device Admin app cannot
prevent the user from revoking the Device Admin rights,
enforce policies across users,
prevent the creation of new users.
It is relatively easy to lure Android users into granting Device Admin rights, and many malware families have already tried to exploit this vulnerability through clickjacking or other means. So it is a good thing for users that Device Admin gives limited management capabilities and can be revoked.
In comparison, Device Owner gives full management capabilities but requires a factory reset, which ensures there is a clear intent from the user.
I need to create an application that scans fingerprints and authenticates them. I can't find anything about fingerprint permissions on the Android website.
Is it possible to use a phone's fingerprint scanner for a regular application? If so, what is the limit on the number of fingerprints it can store? (I'd prefer to store them on the phone itself.)
Thanks
Fingerprint scanning is not a feature of Android (now available on Android M).
So each company, such as Samsung, Motorola and HTC, creates its own API and SDK to access the fingerprint sensor.
For instance, Samsung provides an SDK: http://developer.samsung.com/galaxy#pass
Pass SDK allows you to use fingerprint recognition features in your
application. With Pass SDK, you can provide reinforced security, since
you can identify whether the current user actually is the authentic
owner of the device.
If you want to enroll multiple users and check users in your app, it's not possible with Samsung devices. You can only check the owner of the device.
I don't know the SDKs of other companies.
UPDATE
Android M has a new Fingerprint API:
https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication
The Android M preview introduces the Fingerprint scanner API.
You can check out an example here:
https://github.com/googlesamples/android-FingerprintDialog/
I needed similar functionality and my solution was to use an external scanner instead of a device with an integrated fingerprint scanner. There are several companies which offer integration with mobile phones through SDKs. You should research the following companies on Google:
Nitgen: http://www.nitgen.com/eng/product/Hamster3.html#a2
Secugen: http://www.secugen.com/products/sdk_pro.htm#android
Tactivo: http://precisebiometrics.com/smart-card-reader/android/
In my case I used Secugen, but feel free to use the device suitable for your solution. Notice that this solution could make your project cheaper because you don't need to use an expensive mobile phone; the only feature the phone needs is USB OTG (On-The-Go).
I know this solution is a bit different from what you were asking for, but I believe it could be interesting for you too.
You can opt to use an external fingerprint scanner and be able to enrol biometric fingerprints from the persons you are registering, then proceed to save the biometric fingerprint data and the person's particulars on your Android phone. In my case I used a DigitalPersona 4500 fingerprint scanner and the Crossmatch API for fingerprint capture.
This is actually the easiest and most feasible way for you if you want to succeed at capturing biometric fingerprint data from more than one individual and saving it on your Android phone. In fact, what can limit you from enrolling more biometric data from various enrollees will be the memory size constraints of your Android mobile phone / device. This you can, however, easily circumvent by integrating your Android biometric authentication app with an external centralized RDBMS database of your organisation such as MSSQL, Oracle, MySQL, PostgreSQL etc.
If it pleases you, you can choose to use the SourceAFIS API to implement it with much ease. For motivation you can check out the web page of the project Android Biometric Authentication using External USB Fingerprint Scanner that I developed, at https://jomutech.com/androidexternalfingerprintscanner/
See the screenshots I have attached below for fingerprint authentication when the result is MATCH FOUND and when the result is MATCH NOT FOUND. I have also included a screenshot for when a FINGERPRINT is ENROLLED.
I designed the user interface (GUI) so that it is reusable on Android mobile phone screens of various sizes, for both fingerprint enrollment and fingerprint authentication. You can design your own interface anyway, but in my case I wanted to be able to display the person's fingerprint during authentication, and I added an Activity for swapping the fingerprint images on display after the finger-touch event is fired when the person places a finger on the fingerprint scanner.
Happy coding.
The simple answer is NO.
But you can integrate it by implementing Google's fingerprint recognition introduced in Android M, which only allows 5 attempts at a time; if all the attempts fail, the device's fingerprint reader is blocked for 30 seconds, after which you can authenticate with the fingerprint again.
For example, you are using 2 apps (A & B) with fingerprint support. You enter 3 incorrect fingerprints in app A, close it, then open app B: there are a total of 5 attempts available within the 30 seconds, so app B can only authenticate 2 times, because app A took 3 attempts; hence after 2 more unauthorized attempts the OS blocks the reader for all apps.
So wait for 30 seconds, or ask the user to enter a PIN or passcode if the user doesn't want to wait that long.
Hope this helps.