My question is specifically about one line in Android documentation here. https://developers.google.com/android/work/prov-devices#set_up_device_owner_mode_google_account . Particularly item #2 where it says
The DPC is automatically downloaded to the device and launched.
How?
Specifically, what is the trigger that launches the DPC after download while still in the context of the startup wizard? I'm asking because it isn't working for me.
I've got a Corporate-Owned Single Use (COSU) application, but I'm getting tripped up on deployment -- specifically the part where the DPC app sets itself as the device-owner. So far, I've loaded the app in Google Play Store as a private application. G-Suite exists in the same domain and Google is registered as the EMM for the account. The COSU app is whitelisted and installs as part of the setup wizard... but it doesn't launch.
To the best of my understanding, it has to launch within the context of factory-reset so that I can reset the device owner to the downloaded app.
Is there a specific Activity or BroadcastIntent I should be looking for? I'm new to Android, so I've been poring through the TestDPC code, Android docs, and SO posts, but this deployment thing is a pain.
As a secondary query, how would you debug this situation? It's all factory-reset and install by wire, I don't have the opportunity to turn on developer mode and watch logs through Android Studio as it happens. And pushing new builds to Google Play and resetting hardware to download and install has a very long cycle time.
Thanks in Advance
For your DPC to be downloaded and launched after an account is added you need to register as your own EMM along with your DPC, and enroll your G-Suite domain with this EMM.
It might be simpler for you to instead use Google's new Android Management API which doesn't require implementing a DPC or registering as an EMM.
Related
I have a question about admin apps on Android that I can't find the answer to. I followed the guide on creating an admin app from here:
https://developer.android.com/guide/topics/admin/device-admin#java
I successfully created an admin app but there's something that's confusing me. I have a fresh device (Moto G6) and when I go into Settings->Security&Location->DeviceAdminApps I see a list of admin apps on the device. Right now it lists my app and a Google Play Services app titled "Find My Device". The only difference, though, is that the Google app was on by default. Normally, and including in my app, when I try to use an admin feature (through DevicePolicyManager), an Android page pops up asking me to enable it as an admin app. Since the Google app is already enabled, that pop-up doesn't need to appear.
So, my question is how do I make an app an admin app by default (without needing the pop up page)? I assume something needs to be done on boot up but I have no idea what that Google app does. Does anyone out there have any idea?
So, my question is how do I make an app an admin app by default (without needing the pop up page)?
Build your own firmware with your own custom build of Android, where you pre-install your device admin app and set things up for it to be pre-enabled.
Alternatively, I think if you create a device owner app, it will be enabled upon installation, but that installation happens when the device is being first set up.
Ordinary device admin apps require users to agree to enable them, for blindingly obvious security reasons.
I need some help with my app that I build for Android TV.
I already made a COSU app for Android TV, but the problem is I need to use adb shell to make my app the device owner. Is there a way to make my app the device owner programmatically? Because I will install my app on +100 STB devices. I tried a method from an SO answer, but it's not working.
I still can't figure out how to update my app later if there is a new version of my app, because like it said in here, I can't use Android Management API on Android TV and also I think I can't use Google Play to update a COSU app. Is there a better approach to update my app?
Need help.
Thank you.
Since your app got device admin permissions, your app can update itself silently in background using PackageInstaller API. All you have to do is to just download the new apk when available and forward it to PackageInstaller which can update and install your new apk.
Here's a sample if you wanna look how to implement it: author's link is dead (after edit link - I think they are similar).
You can't make your app device owner programmatically unless the device is rooted. Here's a list of options by Google to make device owner remotely.
Provisioning google dev docs.
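One way to implement the download-then-PackageInstaller update described in the answer above, as an added example that is not part of the original answer or the sample it links to. It assumes API 28+, an app that is already device owner (so the commit needs no user confirmation), and an expected SHA-256 digest taken from a hypothetical update manifest fetched over TLS; `VerifiedUpdater` and its parameter names are made up for illustration.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageInstaller;
import android.content.pm.PackageManager;
import java.io.*;
import java.security.MessageDigest;

/** Hypothetical helper. Keep the APK in app-private storage (e.g. getCacheDir())
 *  so no other app can swap the file between the checks and the install. */
public final class VerifiedUpdater {
    /** Returns true only if the APK passed every check and was committed for install. */
    public static boolean installIfNewer(Context ctx, File apk, byte[] expectedSha256,
                                         PendingIntent onResult) throws Exception {
        // 1. Integrity: the file must match the digest published by the update server.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(apk)) {
            byte[] buf = new byte[64 * 1024];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) return false;

        // 2. Identity and version: same package as this app, strictly newer versionCode.
        PackageManager pm = ctx.getPackageManager();
        PackageInfo next = pm.getPackageArchiveInfo(apk.getPath(), 0);
        if (next == null || !ctx.getPackageName().equals(next.packageName)) return false;
        PackageInfo current = pm.getPackageInfo(ctx.getPackageName(), 0);
        if (next.getLongVersionCode() <= current.getLongVersionCode()) return false;

        // 3. Stream the APK into an install session. The platform additionally rejects
        //    an update whose signing certificate differs from the installed app's.
        PackageInstaller installer = pm.getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        params.setAppPackageName(ctx.getPackageName());
        int id = installer.createSession(params);
        try (PackageInstaller.Session session = installer.openSession(id)) {
            try (InputStream in = new FileInputStream(apk);
                 OutputStream out = session.openWrite("update.apk", 0, apk.length())) {
                byte[] buf = new byte[64 * 1024];
                for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
                session.fsync(out);
            }
            session.commit(onResult.getIntentSender()); // result arrives via onResult
        } catch (IOException e) {
            installer.abandonSession(id); // do not leave a half-written session behind
            throw e;
        }
        return true;
    }
}
```

The `onResult` PendingIntent receives `PackageInstaller.EXTRA_STATUS`, which is where a rejected or failed install shows up.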
I'm new to the Android enterprise development world, and I have some misconceptions about how different pieces in the Android enterprise ecosystem relate to one another. Let me explain.
The solution that I'm trying to achieve is being able to lock the device into kiosk mode both remotely, and also based on some business logic do it even when the user is offline. I started investigating EMM and particularly Android Management API to solve the problem. I was able to lock the device remotely into kiosk mode using the API. The steps that I take are the following:
1. Factory reset the Android device
2. Reach the screen where user needs to enter their credentials
3. Instead of real credentials I enter afw#setup
4. Device enters into work profile mode and Android Device Policy is being installed
5. I create an enrollment token in the management API (the steps for that are described in the quick start guide)
6. I generate a QR code and scan it using the factory reset device as soon as I'm prompted
The device will be linked to the enterprise, and I'm successfully being able to control it and put the device into kiosk mode by creating special kiosk mode policy and patching the device to comply to that policy using a combination of patch policy (to create a policy) and patch device APIs.
The next step was finding out a way to lock the device into kiosk mode even when user is offline. I assume that it's going to happen by creating an android enterprise custom DPC (device policy controller) application. I assumed that by reading the following documentation, where one of the 3 ways of provisioning "single purpose" devices is creating a custom DPC application. Here's another quote from different url
As an EMM, you develop a DPC app that can be used by your customers in conjunction with your EMM console and server. Your customer deploys the DPC to the user devices that they manage. The DPC acts as the bridge between your EMM console (and server) and the device. An admin uses the EMM console to perform a range of tasks, including configuring device settings and apps.
And here's where all of my confusions arise.
First question that naturally arises - was the author of the previous quote referring to EMM management API when talking about EMM console and server?
Further, there are more questions that I couldn't find an answer to
In the guide for creating a custom DPC there are no mentions about what role EMM API will play in custom DPC, and consequently there's no place I could find that describes how exactly the custom DPC is a bridge between the EMM console (presumably EMM API) and the device?
Then, let's assume I've developed a custom DPC application and uploaded it to google play alpha channel. The documentation states that during the setup process instead of entering afw#setup I should enter afw#DPC_NAME, and I have no idea how to generate that name? Is it the bundle ID of the DPC app? Or perhaps it's being set somewhere in google settings? For instance, google has developed the TestDPC application to test enterprise solutions, and I was able to go through the steps I described above and enter afw#testdpc and successfully scanned the QR code in the git readme file and I saw that TestDPC was installed and device was launched into work profile mode. So, I assume somehow I need to register my own "testdpc" and enter afw#my_dpc instead.
Basically I have different pieces working stand alone and I want to form a broader picture in my mind to understand how to stitch those pieces together.
Thanks for your answers
UPDATE 1:
Today I found a way of turning a custom DPC into device owner without going through NFC or another provisioning process. This is particularly useful for development purposes. Follow this link for instructions. This is both a huge time saver, and also, in my case, we still are waiting for Google's approval, but finally we can start testing some stuff without the need of a custom provisioning process.
There are two distinct ways of managing Android devices:
The new way: the Android Management API. It is the way recommended by Google and it's significantly simpler than the old way, you don't need to call other APIs or to create a custom DPC. If your use case is not addressed by this API you can send feedback to Google so they can add the missing features.
The old way (no longer available for new deployments as of 2019-12-20): using custom DPC. For that you need to:
create a custom DPC,
register your custom DPC with Google by joining the EMM Community (this is how you get the afw#DPC_NAME),
use the Google Play EMM API to install apps.
In the documentation you - the developer using these APIs - are referred to as "the EMM". "EMM server" refers to the server that you own and that calls these APIs, and "EMM console" refers to the UI console that you expose to your IT admins, if any.
https://developer.android.com/work/dpc/build-dpc
Caution: Android Enterprise is no longer accepting new registrations for custom device policy controllers (DPCs). Learn more.
Hi @Fred,
I found this above information from the mentioned path.
I have some questions regarding the above conversation.
If we use the Android Management API to develop an EMM, we don't need to implement a custom DPC app?
Whether we can register an account in the EMM community with a custom DPC app?
Is it possible to use a custom DPC app with the Android Management API?
I am currently investigating ways of remotely updating an Android app installed on a number of devices. The app in question is to be used on phones which we will provide to a number of demonstrators as part of product presentations. For this reason we don't want to publish the app on Google Play to be available for the public at large.
I've read that you can restrict access to the device on Google Play, but only according to criteria such as location, device type, android version, etc. Another way is to set up a version for beta testing, for which you can select testers, however this is only available to those who are part of a Google group or a Google+ community (according to here).
I've come across another post which details how to install an apk programmatically, however it appears to install the apk automatically, i.e. it doesn't appear to check whether or not the update is actually a new version.
One idea I have in mind is to upload new version on a repository and broadcast to devices which have the app installed, of which we have stored device ids. Is this possible?
What we do is sync periodically to a remote server during data entry on the app. During this sync, we check to see whether the device has the latest version of the software. If it doesn't, the new apk is downloaded and the user is prompted to install the software.
This is accomplished using a separate installer app we created. We have a service that keeps the app alive in the background, so it looks like the user never actually leaves the app during the install.
Would be happy to post code on the installer.
You can see the self installer here: https://github.com/techartist/SelfInstall-Jelly-Bean/
You should try Beta by Crashlytics, it's email-based.
You should try beta or alpha testing in gplay.
Also you can hardcode an end date and not open the application after this date.
From what I read on SO, it seems that I want the impossible (?)
I have a kiosk-like app that is supposed to run 24/24, 7/7, 365/365. This makes it hard/impossible to update the app. As far as I know, Google Play will not start the update (even if Autoupdate is set for my app) while my app is running.
I read across SO and several forums and found a lot of NO's and CON's. My current answer is that it is not possible without rooting the device or without some system certificates and so on.
But still, I have the following scenario:
I created a Google account myGoogleAccount@gmail.com
On my device I add this account and install my application from Google Play store.
On my desktop machine I log into GPlay with the same account and I go to my application and I see that my app is Installed. If I click on the Installed button I can see my device.
I publish a new version of the app, when the app becomes available, from my application's page open on desktop I can send a command to update the app.
I get the prompt to accept the terms bla-bla, and once I accept it, the app is automatically updated even if it is currently running.
Basically this is the behavior I am interested in. My question is: can I run this scenario from my device [invoking some GPlay api's] given the fact that I can provide the google account credentials to the app, so that no user intervention is required to update the app and to accept whatever unchanged permissions?