I'm trying to build a kiosk app using android 5's screen pinning feature. It seems that all I need to do in the app was to call startLockTask(), but this still allows the user to leave the app by pressing the recent and back buttons.
To pin the app in a way that does not allow the user to leave it requires the app to be a device owner. Based on sites such as this one, one needs to run
adb shell dpm set-device-owner my.package.name/.MyAdminReceiver
in order to set the device owner. However, that command failed with
java.lang.IllegalStateException: Trying to set device owner but device is already provisioned.
which, I heard, is caused by the file /data/system/device_owner.xml already being present on the device.
Since the device had just been freshly factory-reset, I suspect that it had come with an app already provisioned by the manufacturer, so I rooted the device. I would rather do it without rooting (since there will be some 70 devices I have to run the procedure on) but for research purposes, it can't be helped.
After rooting the device, I tried to find the device_owner.xml file but it wasn't there. I tried creating one anyway based on this answer, but the app still shows the pinning message and the recent+back buttons still unpinned the app.
So why can't I set the device owner? is there any way around it?
While it's true that I tried dpm provisioning on a newly reset device, #basilisk's comment hinted me at the answer. The device comes loaded with bloatware that provides default accounts. Disabling these apps finally allowed me to provision the device with dpm.
Related
Can I "register" a (already installed) specific app to be launched when android device get physically connected to a specific usb device ?
Eg.
I connect a keyboard (of a certain brand or with a special USBid/class) and it automatically launch a text editor app
I connect an USB soundcard and it launches an audio app.
And "better", is there an autolaunch on Android ? I plug a keyboard+storage device to my smartphone and Android will ask me if I want to install the apk from the storage (or download it from predefined url)
Obviously for security reasons I understand installing the app from the storage will need confirmation by user. But, once the app has been "registered" would it be possible to launch the app automatically without having a confirmation screen ?
I know I could get USB info with android.hardware.usb.usbdevice. My question is more about how I can tell Android to launch this app rather than another when usb device is connected.
I think you could register your app to receive a system broadcast like USB_ACCESSORY_ATTACHED and make the logic to launch your app when this happens.
Check https://developer.android.com/guide/components/broadcasts
https://developer.android.com/reference/android/hardware/usb/UsbManager.html#ACTION_USB_DEVICE_ATTACHED
I'm trying to create an application that can disable or hide other applications. After going through some online resources i found out that i have to make my application the device owner to do so.
I would like to know, if i make my application the device owner, will that permission be removed when i uninstall the application?
You can't uninstall the device owner. You also can't become the device owner if you're a Play Store app. Device ownership really is only possible if its a device you physically own and can set up.
0
I've been using my app as a deviceOwner App since lollipop. I have a new device here which I want to be DeviceOwner too.
It is a Samsung galaxy Tab A 10.5(2018) SM-T590.
I am currently running this Version of the rom: T590XXU2ASC1.
I am not using NFC method. I usualy create the /data/system/device_owner.xml file by myself. But since it is not working I tryed this method:
1-Factory reset the tablet in recovery mode
2-Pass through the annoying startup menus
3-Set lock screen to none
4-Enable Usb Debugging
5-Install my app adb install MyApplicaton.apk
6-adb shell dpm set-device-owner com.example.myapplication/.MyApplicationReceiver It always says success when i execute the command.
7-Start my app, i can pin/unpin my app without problem.
8-Reboot, and then the famous message appears everytime: Workspace has been locked Unauthorized software has been installed on your device.Workspace has been locked to prevent any unauthorized access. Contact your admin.
Then if i press on the FACTORY DATA RESET button the workspace app crashes then pops back.
I tryed the kioskModeDemo app and the androidDeviceOwner sample app and they all do the same problem.
Anybody have any hints of why this is not working anymore on Android 8(oreo)?
Thanks
I found the problem: Once you oem unlock(custom os) your device on a certain samsung knox level API, you can't be device owner anymore on this device.
This is from Samsung Knox page: "Cannot create work profile" "The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device". https://seap.samsung.com/forum-topic/knox-and-nfc-device-owner-provisioning
The device could be vulnerable to potential attacks with custom os.
I am developing an app with requirement that one app can be there in android system. No other app can be installed or remove google play store application as well. How can i achieve this?
As long as your device runs Lollipop or greater, you will want to set your app as a device owner. Note, this is different than device administrator. An app is granted device owner permissions only during device provisioning at the welcome screen of the Google Setup Wizard. The device owner is restricted when it can be set because of the control it has. Only one app can be the device owner.
A kiosk solution will set a device up with an app as the device owner. It will suspend all packages that shouldn't be available using setPackagesSuspended.
Some additional links you may find helpful (all require device owner for a COSU/kiosk-mode solution):
setApplicationHidden
addUserRestriction
DISALLOW_INSTALL_APPS
Look into the TestDPC app. Google provides source code to it and it will have most, if not everything of what you need.
https://developers.google.com/android/work/build-dpc
https://github.com/googlesamples/android-testdpc
Other solutions I've seen (mostly on pre-Lollipop releases) are to use a custom launcher to hide non-approved apps. This custom launcher is sometimes referred to as a secure launcher, but hiding apps instead of suspending them as the device owner is much less effective. Secure launcher, IMO, is a misnomer.
I've just found an app that allows to disable Samsung apps without root, and in the background:
https://play.google.com/store/apps/details?id=com.hecorat.packagedisabler
And also this free one:
https://play.google.com/store/apps/details?id=com.ospolice.packagedisabler
How could this be? It doesn't even show a system-type alertDialog to ask the user if it's ok to disable the app. Did they find a flaw that allows doing so?
Is it only for Some Samsung apps? What about other apps and other companies? Is is possible there too?
Could the same mechanism be used for other operations? Like enabling apps?
I currently don't have a Samsung device, so I can't even check this app.
You can hide or unhide the apps provided you make your app as device owner with the api setApplicationHidden of DevicePolicyManager
Your app needs to be the device owner of the device. In order to become a device owner, you either need to do an NFC configuration or adb command shell. You can find a very well written blog by Florent here.
However, there is a new method of getting your application to become a device owner starting with Android Marshmallow. With a lot of limitations though. You have to be an EMM provider and your client has to have a google business or edu licensing for this to work.
There is no application on the google play store that allows your app to become device admin. As a device owner you have a lot of things you can control on the device and hence, I believe Google may not want to provide this kind of control without proper safeguards.
With regards to Samsung Devices, they provide their knox sdk as mentioned with other answers here which gives you access to certain APIs that are not allowed via stock Android.