I am new to Android for work features.
I have written a sample app to test the restriction features provided to a profile owner. My sample app creates a managed work profile and sets itself as the profile owner.
I tried to apply some restriction policies after that, e.g., DevicePolicyManager.addUserRestriction(componentName, UserManager.DISALLOW_UNINSTALL_APPS);
It works and I am unable to uninstall any app from the managed profile. But when I try to apply DevicePolicyManager.addUserRestriction(componentName, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
it does not seem to work.
I couldn't find the default settings app enabled in the profile.
But when I log the apps installed in the managed profile, I can see two setting packages (com.android.settings and com.android.providers.settings) in the list.
My understanding from the above API is that after applying the restriction, the Setting->security->Unknown Source switch should be disabled. But I couldn't find any Settings app in the managed profile to verify.
Also, after applying the restriction, I am able to install any apk from adb in the managed profile along with the primary user.
Please let me know if I am missing something.
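An added example, not part of the original question: one way to check from code, rather than from the Settings UI, whether the restrictions are in effect in the managed profile. The class and method names are hypothetical, and it assumes, per the UserManager documentation, that installing packages over adb falls under DISALLOW_DEBUGGING_FEATURES rather than DISALLOW_INSTALL_UNKNOWN_SOURCES.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import android.util.Log;

/** Added example; ProfileRestrictionAudit and applyAndVerify are hypothetical names. */
public final class ProfileRestrictionAudit {
    private static final String TAG = "RestrictionAudit";

    // Restrictions this hypothetical DPC wants on the work profile.
    private static final String[] WANTED = {
        UserManager.DISALLOW_UNINSTALL_APPS,
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
        // Assumption from the UserManager docs: installs over adb are a debugging feature.
        UserManager.DISALLOW_DEBUGGING_FEATURES,
    };

    /** Applies WANTED and returns true only if every restriction is in effect. */
    public static boolean applyAndVerify(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);

        // addUserRestriction throws SecurityException unless the caller is the
        // profile or device owner, so check first and fail closed.
        String pkg = ctx.getPackageName();
        if (!dpm.isProfileOwnerApp(pkg) && !dpm.isDeviceOwnerApp(pkg)) {
            Log.w(TAG, "Not profile/device owner; no restriction applied");
            return false;
        }
        for (String key : WANTED) {
            dpm.addUserRestriction(admin, key);
        }

        // getUserRestrictions(admin) needs API 24+: what this admin has set.
        Bundle setByAdmin = dpm.getUserRestrictions(admin);
        boolean allEffective = true;
        for (String key : WANTED) {
            // hasUserRestriction reports the state for the user this code runs as.
            boolean effective = um.hasUserRestriction(key);
            Log.i(TAG, key + " setByAdmin=" + setByAdmin.getBoolean(key)
                    + " effective=" + effective);
            allEffective &= effective;
        }
        return allEffective;
    }
}
```

Run it from the DPC instance inside the managed profile, since the result describes only the calling user.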
Related
From my last posted question below,
Not getting any idea about the workflow of managing an android device from another device using an pre installed android in both devices
I am here today with a new problem. I used the Android Management API to create an enterprise and enroll a device with device policies (I used the sample provided here). But I am not getting what I am trying to achieve. I want the app to be able to disable all normal apps and the camera when the parent app blocks them on the child's device from its own device using the Android Management API. But what I am getting is that, upon enrollment with the policy using an enrollment token, a separate work profile is created on the Android device, which is not my requirement in the app.
So if anyone out here can help me out with this one, I would be very thankful.
TL;DR:
To fully control a device you must enroll it in DEVICE OWNER mode.
I'll try to stick only to this question and address your other concerns answering the other.
You can enroll a device mainly in two modes, WORK PROFILE and DEVICE OWNER. One is meant for enterprises that want to allow a BYOD model, the other for enterprises that provide company-owned terminals and want to exert full control over them.
From the docs: https://developers.google.com/android/management/provision-device
The work profile provisioning methods create a work profile on a device. A work profile is a self-contained space that separates work apps from personal apps (see employee-owned devices for more information). On devices with work profiles:
Android Device Policy is installed within the work profile.
devices.managementMode is set to PROFILE_OWNER.
Most policies and commands apply to the work profile only.
The fully managed and dedicated device provisioning methods provide enterprises with full management control over a device:
Android Device Policy is installed on the device's personal (primary) profile.
devices.managementMode is set to DEVICE_OWNER.
Policies and commands apply to the entire device.
Your idea probably needs DEVICE_OWNER mode, but here is the big problem: to enable it you must enroll a device that has been factory reset!
So you need a very specific process to prepare a device before use. You cannot achieve such strict control over a device just by installing an app and controlling it from outside, permissions or not. It's against the logic of a "personal device".
I have a question about admin apps on Android that I can't find the answer to. I followed the guide on creating an admin app from here:
https://developer.android.com/guide/topics/admin/device-admin#java
I successfully created an admin app but there's something that's confusing me. I have a fresh device (Moto G6) and when I go into Settings->Security&Location->DeviceAdminApps I see a list of admin apps on the device. Right now it lists my app and a Google Play Services app titled "Find My Device". The only difference, though, is that the google app was on by default. Normally, and including in my app, when I try to use an admin feature (through DevicePolicyManager), an android page pops up asking me to enable it as an admin app. Since the Google app is already enabled, that pop up doesn't need to appear.
So, my question is how do I make an app an admin app by default (without needing the pop up page)? I assume something needs to be done on boot up but I have no idea what that Google app does. Does anyone out there have any idea?
So, my question is how do I make an app an admin app by default (without needing the pop up page)?
Build your own firmware with your own custom build of Android, where you pre-install your device admin app and set things up for it to be pre-enabled.
Alternatively, I think if you create a device owner app, it will be enabled upon installation, but that installation happens when the device is being first set up.
Ordinary device admin apps require users to agree to enable them, for blindingly obvious security reasons.
My question is specifically about one line in Android documentation here. https://developers.google.com/android/work/prov-devices#set_up_device_owner_mode_google_account . Particularly item #2 where it says
The DPC is automatically downloaded to the device and launched.
How?
Specifically, what is the trigger that launches the DPC after download while still in the context of the startup wizard? I'm asking because it isn't working for me.
I've got Corporate-Owned Single Use (COSU) application, but I'm getting tripped up on deployment -- specifically the part where the DPC app sets itself as the device-owner. So far, I've loaded the app in Google Play Store as a private application. G-Suite exists in the same domain and Google is registered as the EMM for the account. The COSU app is whitelisted and installs as part of the setup wizard... but it doesn't launch.
To the best of my understanding, it has to launch within the context of factory-reset so that I can reset the device owner to the downloaded app.
Is there a specific Activity or BroadcastIntent I should be looking for? I'm new to Android, so I've been poring through the TestDPC code, Android docs, and SO posts, but this deployment thing is a pain.
As a secondary query: how would you debug this situation? It's all factory-reset and install by wire, so I don't have the opportunity to turn on developer mode and watch logs through Android Studio as it happens. And pushing new builds to Google Play and resetting hardware to download and install has a very long cycle time.
Thanks in Advance
For your DPC to be downloaded and launched after an account is added you need to register as your own EMM along with your DPC, and enroll your G-Suite domain with this EMM.
It might be simpler for you to instead use Google's new Android Management API which doesn't require implementing a DPC or registering as an EMM.
My question might seem really stupid, to those who have worked on android Airwatch implementation. But their documentation is not very well written, and I have a few doubts.
So I have setup my user, and added my device using airwatch console.
I have added the App restrictions code in my existing android application.
I have also added the key, values to be pushed to application, via Airwatch Agent app.
But I do not receive these key, values, which I should when I execute the following code :
Bundle appRestrictions = myRestrictionsMgr.getApplicationRestrictions();
The appRestrictions bundle is empty.
I read somewhere in the docs that AppConfig requires Android 5.0+ with an Android for Work device.
Does this mean I have to enable android for work capability on my android device? Is this required even for development purpose?
I tried in vain doing so using this link: https://support.google.com/a/answer/6178111?hl=en. Can someone please share a doc to enable Android for Work capability on my Android device, if this is required?
You will indeed need Android for Work in order to use Airwatch to configure your application.
You should ensure you are using a device that supports AfW. All devices with Android 6.0+ support work profiles, as well as many devices with Android 5.0+. Some recommended devices can be found here
Once you have done so, you should create a new Profile in the Airwatch console that ensures a work profile will be created on your device. Go to Devices >> Profiles >> List View and click on "Add" >> "Add Profile" and choose "Android" >> "Android for Work".
This should allow you to create an AfW policy that will apply to any assigned groups. Any apps you push to these devices can be configured using the App Restrictions framework by editing an application, going to the "Deployment" tab and enabling "Send Application Configuration". You should be able to set the key value pairs from there.
All that being said, if you are testing from a development perspective, you are much better off testing with TestDPC, an open source testing tool Google makes available in Google Play (just search for "TestDPC") and on GitHub.
There is a user guide on GitHub, but it is very easy to use for creating work profiles, setting app configurations using app restrictions and more.
I would use Airwatch once you are ready to do production testing, but TestDPC is a much better tool while you are still developing.
On Android the key-value pairs must be validated by Google Play.
There are 2 ways to achieve that:
Publish your app to the Google play store (see Wandera app, for example)
Publish your app in the company private store. To do this you'll need to configure your Android for Work account
On iOS it is simpler: just specify the key-value pairs at assignment time.
For AirWatch, your key-value pair information belongs to CustomSettings, so you should use the API to retrieve CustomSettings, like below:
final boolean isEnrolled = awSDKManager.isEnrolled();
if (isEnrolled) {
    final String settings = awSDKManager.getCustomSettings();
}
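An added example, not code from the question or from any of the answers above: the app side of the App Restrictions framework discussed in this thread, showing the cases in which getApplicationRestrictions() legitimately returns nothing usable. The class name and the "server_url" key are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;
import android.os.UserManager;
import android.util.Log;

/** Added example; ManagedConfigReader and the "server_url" key are hypothetical. */
public final class ManagedConfigReader {
    private static final String TAG = "ManagedConfig";
    private static final String KEY_SERVER_URL = "server_url"; // hypothetical key

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent intent) {
            read(ctx); // the DPC pushed a new configuration
        }
    };

    /** Call from onResume(): re-read, then listen for pushes while visible. */
    public void start(Context ctx) {
        read(ctx);
        ctx.registerReceiver(receiver,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }

    /** Call from onPause(). */
    public void stop(Context ctx) {
        ctx.unregisterReceiver(receiver);
    }

    /** Returns the configured URL, or null when nothing usable was delivered. */
    public static String read(Context ctx) {
        RestrictionsManager rm =
                (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle cfg = rm.getApplicationRestrictions();
        if (cfg == null || cfg.isEmpty()) {
            // No DPC manages this app instance, or no configuration was set for it.
            Log.w(TAG, "No managed configuration delivered");
            return null;
        }
        if (cfg.getBoolean(UserManager.KEY_RESTRICTIONS_PENDING)) {
            Log.i(TAG, "Restrictions pending; wait for the change broadcast");
            return null;
        }
        String url = cfg.getString(KEY_SERVER_URL);
        // Treat the pushed value as input: fail closed on anything but https.
        return (url != null && url.startsWith("https://")) ? url : null;
    }
}
```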
My android app is not in the app store yet.
Is it possible to send my app to someone, and they install it on their device.
Something like iphone AdHoc?
You can email them your APK. Of course, there are several drawbacks to doing this.
There is not any built in copy protection to lock an APK to a single device so a tester could redistribute your application without your consent. This is something that you will need to deal with even once you are using Market to distribute your application. If you select "Copy Protection On", people will still be able to get at your APK as many people have rooted devices and all this option does is influence where the APK is installed. Google advises, "you may also implement your own copy protection scheme" and I think it's prudent.
Add the READ_PHONE_STATE permission to your manifest so you can retrieve the phone's IMEI, send to your server, and determine if a user should be allowed to run your application.
TelephonyManager telephonyManager =
(TelephonyManager)getSystemService(TELEPHONY_SERVICE);
String imei = telephonyManager.getDeviceId();
Your testers will need to enable "Unknown sources" to allow install of non-Market applications.
Assuming your tester uses Google as their email provider, it is important to note that the Android GMail application doesn't handle APK attachments properly. While this might confuse the recipient of your email, there are easy work-arounds:
Tell them to use the Browser app to download your attachment through the web interface.
Have them download APKatcher first.
Starting in May 2013, Google added Beta and Alpha programs to the Developer Console. You can now upload an APK to either channel and interested users (or users belonging to the specified Google+ Communities or Groups) can now get the application from the Market just like a regular app.
Users cannot provide public feedback so you have to provide them an alternative way to contact you.
At any given time, you can promote (or demote) an app to/from beta/alpha or even Production.
Here's how mine looks:
Effective beta APK distribution, and getting crashes as well as feedback from early adopters, is a known problem in the Android community. To solve this problem we built a platform, Zubhium, for developers by developers.
Just upload the APK and the email addresses of the users to whom you want to distribute the beta, and click send. That's it. :)
The platform will invite users and keep track of who downloaded it, when and where. It will also follow up with users who downloaded the beta for feedback. You can view, reply to and communicate back with users from the platform.
Optionally you can integrate crash reporting services to get crashes during beta. It will provide granular details like network and device info with exception details. It does a bunch of other stuff also.
Have a look at www.zubhium.com
There's already an accepted answer three years ago, but let me share a simpler way to deploy your app in present: DeployGate.
With DeployGate, you can deploy your app to your own (or your colleague's) device in a matter of seconds. All you have to do is upload your APK file, then send a link or scan a QR code (two-dimensional barcode) with the device. To update, just upload the app again and it will be pushed to all installed devices.
It's carefully designed to eliminate waste in your daily development. The agent app will guide you and/or your colleagues throughout the app installation process, so you can avoid almost all problems you might face, especially if they are non-tech guys. You can even skip typing an email address and password to associate an account with your devices; just click a button shown in the browser instead. If you want, you can also catch app crashes with a single line of code integration. It magically works to help you keep your focus on development.
Disclaimer: I'm working on this product. :)
Is it possible to send my app to someone, and they install it on their device
Yes, of course. You can share the APK with other people and they can install the application. It's not necessary for the app to be in the Market.
Yes. Upload it to a website or email the ".apk" file to your friend. Have your friend make sure that the option to allow for "Unknown Sources" on the device is checked (Settings > Applications > Unknown Sources). When your friend downloads the application on their device and clicks to run it, it will be installed and should appear in the applications menu ready to be executed.
Dropbox also works (from this answer).
I used it with an .apk file signed with eclipse's debug certificate. You can find this file in your eclipse project's bin folder (from this answer).
You could also use TestFlight, which should perfectly fit your needs, for free!