I have tested Google's code for building applications for corporate-owned, single-use (COSU) devices, for a single-app use case where there will be one app locked on the screen. It works well, but the app needs to be device owner to use lockTask. For testing purposes I have used an adb shell command, which cannot be used for production. How do I manage the provisioning process for production?
You no longer need to implement a Device Policy Controller to manage Android devices. Google has recently released the Android Management API, which allows you to set up a COSU device with just a few Cloud API calls. With the Android Management API you can set up devices using a QR code, with NFC, or by entering a manual token, as you prefer.
For one, you can use NFC provisioning. You will need another phone with a "programmer app" that will beam the Bundle of data, including the Wi-Fi SSID, password and APK path, for the "production device" to download, install and set as device owner. There are other ways of doing that (apart from the one you used with the adb command, but that only works on rooted devices). Please get back to me if you need any more info.
Check this out:
http://florent-dupont.blogspot.com/2015/02/10-things-to-know-about-device-owner.html
and this:
https://www.youtube.com/watch?v=GGDpShew3aA&t=278s
For testing purposes I've actually used the programmer's app from the second link I posted.
I have an app for my company's (enterprise-owned) devices that works as a single-use app: it locks itself and becomes the only app in use. For that it needs to be enabled as device owner. For testing I am using an adb shell command, and it works.
My problem is how to achieve this for production, so my enterprise will be able to install and use it as required.
This answer will work if your Android 5.0 devices have NFC. Otherwise, Google supported a method using a Google Account with an activation code within the Google Setup Wizard, but you need to be a Google EMM partner. I also don't know if they still support activation codes in 5.0/5.1. It was a Lollipop-specific implementation.
If your devices DON'T have NFC, this link might help you set the device-owner programmatically, but it's not a recommended solution for production apps:
How to make my app device owner without NFC and ADB shell command
But finally, if your devices DO have NFC:
You will need a provisioning wifi network that can connect to a server hosting the app that will be the device owner.
You can modify this project to create a quick provisioning app:
https://github.com/googlesamples/android-NfcProvisioning
Be sure the NFC provisioning app sends, at a minimum, this information over NFC for an Android 5.0 device:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
EXTRA_PROVISIONING_LOCALE
EXTRA_PROVISIONING_TIME_ZONE
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
EXTRA_PROVISIONING_WIFI_PASSWORD
When your corporate-owned device is at the welcome screen of the Google Setup Wizard, place this device back-to-back with the provisioner device with the NFC provisioning app running. You will then tap the NFC provisioning app when it senses another NFC device. This sends across all the information the Google Setup Wizard requires to get on the network, download the app, verify the app, and then install the app as the device owner.
Here's a good reference for creating package checksum:
Checksum Error while provisioning Android Lollipop
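The provisioning data described in the answer above, as an added example (not code from the answer or from Google's sample): the extras are serialised as a java.util.Properties document, which the provisioner app sends in an NDEF MIME record of type application/com.android.managedprovisioning. The package name, download URL, SSID, passphrase, locale and time zone below are constructed placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;

public class NfcProvisioningPayload {
    // Common prefix of the DevicePolicyManager.EXTRA_PROVISIONING_* string values.
    static final String PREFIX = "android.app.extra.PROVISIONING_";

    /** URL-safe Base64, without padding, of the APK digest. Android 5.0/5.1 expect SHA-1. */
    static String packageChecksum(byte[] apk, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(apk);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /** Builds the Properties document that becomes the body of the NFC record. */
    static byte[] buildPayload(byte[] apk, String pkg, String url, String ssid,
                               String securityType, String wifiPassword) throws Exception {
        Properties p = new Properties();
        p.setProperty(PREFIX + "DEVICE_ADMIN_PACKAGE_NAME", pkg);
        p.setProperty(PREFIX + "DEVICE_ADMIN_PACKAGE_CHECKSUM", packageChecksum(apk, "SHA-1"));
        p.setProperty(PREFIX + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", url);
        p.setProperty(PREFIX + "LOCALE", "en_US");
        p.setProperty(PREFIX + "TIME_ZONE", "America/New_York");
        p.setProperty(PREFIX + "WIFI_SSID", ssid);
        p.setProperty(PREFIX + "WIFI_SECURITY_TYPE", securityType); // NONE, WPA or WEP
        p.setProperty(PREFIX + "WIFI_PASSWORD", wifiPassword);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        p.store(out, null); // Properties.store escapes ':' and '='; Properties.load undoes it
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in bytes when no APK path is given, so the example runs offline.
        byte[] apk = args.length > 0
                ? Files.readAllBytes(Path.of(args[0]))
                : "constructed-apk-bytes".getBytes(StandardCharsets.UTF_8);
        byte[] payload = buildPayload(apk, "com.example.kiosk",
                "https://provisioning.example.com/kiosk.apk",
                "provisioning-net", "WPA", "constructed-passphrase");
        System.out.write(payload);
        System.out.flush();
    }
}
```

The checksum must be computed over the exact APK file served at the download location, and Android releases after 5.x also accept a SHA-256 digest. The payload carries the Wi-Fi password in clear text, so the provisioning network should reach only the server hosting the APK.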
I am developing an app that will work in 2 different Android environments (consumer & corporate markets). Let's say it is a texting app with a dozen configuration parameters to manage.
The first environment is a standard Android device that has no Android Enterprise (AfW) features enabled. So there is no EMM (MDM) to supply an Android Agent/Client app to be a device/profile owner implementing a Managed Configurations Provider.
The second environment is within a corporation. An EMM (MDM) is used to manage all their corporate owned devices. The EMM is either a device or profile owner. They are set up to use Managed Configurations and require remote configuration of this app.
To support both of these cases, how should this app retrieve configurations?
My current thought is to check if the instance of my app belongs to a device or profile owner. If it does, I will use managed configurations. If it doesn't, it will allow on-device, within-the-app configuration using SharedPreferences.
I believe this will work, but seems too much like a hack. It also restricts a company using a device/profile owner from giving their users control. I imagine other Android apps must be starting to encounter this situation with the adoption-rate of Managed Configurations increasing. Is there a better solution for this scenario?
You can always call RestrictionsManager.getApplicationRestrictions(), whether the device is managed or not:
if the device is managed and the company has configured the app, it will return the configuration,
if the device is not managed or if the company has not configured the app, it will return an empty Bundle and you can give control to the user.
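One way to apply this per setting rather than per device, as an added example that is not part of the original answer: each key is read from the managed configuration when the administrator has set it and from SharedPreferences otherwise, so a company can configure some settings and leave the rest to the user. The class name AppConfig and the preferences file name are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.content.SharedPreferences;
import android.os.Bundle;

/** Resolves each setting from managed configuration first, then from user preferences. */
public final class AppConfig {
    private static final String PREFS = "user_settings"; // hypothetical preferences file
    private final Context appContext;
    private volatile Bundle managed = Bundle.EMPTY;

    public AppConfig(Context context) {
        this.appContext = context.getApplicationContext();
        reload();
    }

    /** Re-reads the administrator's configuration; call this from onResume() as well. */
    public void reload() {
        RestrictionsManager rm = (RestrictionsManager)
                appContext.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle b = rm.getApplicationRestrictions();
        managed = (b != null) ? b : Bundle.EMPTY; // empty when unmanaged or not configured
    }

    /** True when the administrator set this key, so the settings UI shows it read-only. */
    public boolean isLockedByAdmin(String key) {
        return managed.containsKey(key);
    }

    public String getString(String key, String defaultValue) {
        if (managed.containsKey(key)) {
            return managed.getString(key, defaultValue);
        }
        SharedPreferences prefs = appContext.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        return prefs.getString(key, defaultValue);
    }

    /** Register in onStart() with the activity; unregister the returned receiver in onStop(). */
    public BroadcastReceiver watchForChanges(Context activity) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent i) { reload(); }
        };
        activity.registerReceiver(receiver,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
        return receiver;
    }
}
```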
I want to create an APK for only one device. I have to send an APK to my client, and I want to send him an APK that works on only one device, as we do in iOS using the UUID (device ID). It is an enterprise-level app. He doesn't need to upload it; he may just make a copy of it and use it in his office.
How could I solve this issue?
Is there any way?
It is like software we create that can run only on the particular computers of those who have paid, while others have to pay before using the software.
We also do this in iOS, where we take the device ID of the user and create an IPA only for that user.
Bind it with the IMEI of the device.
Just check the IMEI of the device running your app with the provided IMEI and open your activity only if the IMEI is correct.
Can anyone help me with how to do MDM integration in Android from the client and server perspective?
I want to build an enterprise application which has lock and wipe functionality. I have no clue about the workflow of MDM in Android.
Thanks.
The Android Device Admin API will do both things that you want to do (lock/wipe the device, and even more). An example is given, and you can also find the complete source code in your Android SDK directory.
Now as client server perspective:
You have to implement your task (lock and wipe) in your Android application (in the client, i.e. what is known as the agent). Now your application should be capable of communicating with your server, or vice versa.
I 100% agree with adamk, as he said: "Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that."
And Android gives you this feature too. As adamk said, use C2DM; he was right, but now C2DM is deprecated and GCM has been introduced, “a service that helps developers send data from servers to their Android applications on Android devices.” The service can send a message of up to 4 kb to an application on an Android device, most often to tell the application to retrieve a larger set of data. GCM will now handle all queueing and delivery for messages to Android applications.
You should read how to use GCM, and you can find sample code too. Download GCM Android Library from SDK Manager
and check android-sdk/extras/google/GCM directory
After establishing successful communication between your agent and server, evaluate the message sent by the server in the agent and perform the desired action (lock/wipe). It is again up to you how you define your message payload and how you handle those payloads in the agent application.
Here is an article about Android MDM.
Happy Coding :)
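The agent-side step described above, as an added example that is not part of the original answer: a pushed command is authenticated and checked for replay before the agent calls DevicePolicyManager to lock or wipe. The message format ("counter:COMMAND" with an HMAC-SHA256 tag), the per-device key and the class name CommandHandler are assumptions made for illustration; the transport (GCM or otherwise) only delivers the two values.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Agent-side handling of a pushed command; the message format is hypothetical. */
public final class CommandHandler {
    private final DevicePolicyManager dpm;
    private final ComponentName admin; // the agent's DeviceAdminReceiver component
    private final byte[] deviceKey;    // per-device secret shared with the server at enrolment
    private long lastCounter;          // highest counter accepted so far; persist it in a real agent

    public CommandHandler(DevicePolicyManager dpm, ComponentName admin,
                          byte[] deviceKey, long lastCounter) {
        this.dpm = dpm;
        this.admin = admin;
        this.deviceKey = deviceKey.clone();
        this.lastCounter = lastCounter;
    }

    /** payload is "<counter>:<LOCK|WIPE>"; tag is HMAC-SHA256(deviceKey, payload). */
    public synchronized boolean handle(String payload, byte[] tag)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(deviceKey, "HmacSHA256"));
        byte[] expected = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        if (!MessageDigest.isEqual(expected, tag)) return false; // not from our server

        String[] parts = payload.split(":", 2);
        if (parts.length != 2 || !parts[0].matches("\\d{1,18}")) return false;
        long counter = Long.parseLong(parts[0]);
        if (counter <= lastCounter) return false;    // replayed or out-of-order message
        if (!dpm.isAdminActive(admin)) return false; // user has not enabled the device admin

        lastCounter = counter;
        switch (parts[1]) {
            case "LOCK": dpm.lockNow(); return true;   // needs the force-lock policy
            case "WIPE": dpm.wipeData(0); return true; // needs the wipe-data policy
            default: return false;                     // unknown command
        }
    }
}
```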
You can use DeviceAdmin to gain privileges for managing the Lock preferences and performing device wipe (among other stuff).
(The user must add your app as a device administrator beforehand)
Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that.
You may want to consider using Google's C2DM API, which is a convenient push mechanism.
As mentioned in the above answer, DeviceAdmin API can help. If you are using an Android device, you might know about the Android Device Manager (the web-based version) which allows you to manage your device. Basically, you can track, locate, lock, and wipe your device, some of the basic features of an MDM solution. So, in coding (though I am not a coding expert), you need to get access to the Device Manager (I guess, using some listener codes, or notification access).
Apart from this, MDM allows creating policies and groups of users (which would be a part of the coding in the app itself), then pushing the command over the internet (or OTA) to the connected device.
MDM also allows managing Apps and Data on the device, for which, you need the app to get access to the internal as well as external device storage.
Hope this helps. Good luck creating your MDM software
I would like to build an enterprise application. In this case, I want to remotely manage my Android devices.
For example, I want to disable the USB port on my office users' devices, as well as new application installation. The devices will be provided by us, so this is in order to maintain security.
How can I achieve this? Does Google provide any APIs?
From the Dev Guide:
http://developer.android.com/guide/topics/admin/device-admin.html
Android 2.2 provides a Device Administration API that allows you to set certain policies for the device on which your app gets installed. There is also a step-by-step tutorial on the same page.
This API has been used in some of the existing apps that come bundled with the Android source code, for example Exchange Email.
The Device Administration API only supports certain policies. If you need to restrict the use of the device, it might also be a good idea to tie in your app with the Exchange Email (or a corporate account, since you mentioned it's for office users). A typical corporate Exchange account has a much larger policy set.