Provisioning for Device Administration
This page describes the process for deploying devices to corporate users.
Device owner provisioning can be accomplished over NFC or with an activation code. See Implementing Device Administration for the complete list of requirements.
Download the NfcProvisioning APK and Android-DeviceOwner APK.
Caution: If provisioning has already started, affected devices will first need to be factory reset.
Managed Provisioning
Managed Provisioning is a framework UI flow to ensure users are adequately informed of the implications of setting a device owner or managed profile. You can think of it as a setup wizard for managed profiles.
Note: Remember, the device owner can be set only from an unprovisioned device. If Settings.Secure.USER_SETUP_COMPLETE has ever been set, then the device is considered provisioned and the device owner cannot be set.
Note that devices that enable default encryption offer a considerably simpler and quicker device administration provisioning flow.
The managed provisioning component:
- Encrypts the device
- Creates the managed profile
- Disables non-required applications
- Sets the enterprise mobility management (EMM) app as profile owner
In turn, the EMM app:
- Adds user accounts
- Enforces device compliance
- Enables any additional system applications
In this flow, managed provisioning triggers device encryption. The framework copies the EMM app into the managed profile as part of managed provisioning. The instance of the EMM app inside of the managed profile gets a callback from the framework when provisioning is done.
The EMM can then add accounts and enforce policies; it then calls setProfileEnabled(), which makes the launcher icons visible.
Profile Owner Provisioning
Profile owner provisioning assumes the user of the device (and not a company IT department) oversees its management. To enable profile owner provisioning, you must send an intent with the appropriate extras. See the BasicManagedProfile.apk for an example.
Mobile Device Management (MDM) applications trigger the creation of the managed profile by sending an intent with action:
DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE
Here is a sample intent that will trigger the creation of the managed profile and set the DeviceAdminSample as the profile owner:
adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
-c android.intent.category.DEFAULT \
-e wifiSsid $(printf '%q' \"GoogleGuest\") \
-e deviceAdminPackage "com.google.android.deviceadminsample" \
-e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
-e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
Device Owner Provisioning via NFC
Device owner provisioning via NFC is similar to the profile owner method but requires more bootstrapping before managed provisioning.
To use this method, NFC bump the device from the first page of the setup wizard (SUW). This offers a low-touch flow that configures Wi-Fi, installs the DPC, and sets the DPC as device owner.
Here is the typical NFC bundle:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
The device must have NFC configured to accept the managed provisioning mimetype from SUW:
/packages/apps/Nfc/res/values/provisioning.xml
<bool name="enable_nfc_provisioning">true</bool>
<item>application/com.android.managedprovisioning</item>
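The EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM entry in the NFC bundle above is what lets the device check the DPC package it downloads. The following is an added example, not code from this page or from AOSP, that computes and verifies such a checksum. It assumes the URL-safe Base64 SHA-256 form (this page does not state the encoding); the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import io


def apk_checksum(stream, algorithm="sha256", chunk_size=65536):
    """Return the URL-safe, unpadded Base64 digest of a binary stream."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    encoded = base64.urlsafe_b64encode(digest.digest())
    return encoded.rstrip(b"=").decode("ascii")


def normalize_checksum(value):
    """Map standard Base64 ('+', '/', '=' padding) to the URL-safe form.

    A checksum pasted from a generic base64 tool is a common reason the
    value in the bundle does not match the downloaded package.
    """
    return value.strip().replace("+", "-").replace("/", "_").rstrip("=")


def verify_apk(stream, expected, algorithm="sha256"):
    """True only if the stream hashes to the expected bundle checksum."""
    actual = apk_checksum(stream, algorithm).encode("utf-8")
    wanted = normalize_checksum(expected).encode("utf-8")
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    # Constructed stand-in for the DPC APK bytes; not a real package.
    apk = b"PK\x03\x04" + b"constructed-dpc-apk" * 1000
    checksum = apk_checksum(io.BytesIO(apk))
    print("EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM =", checksum)
    print("intact copy verifies:  ", verify_apk(io.BytesIO(apk), checksum))
    # One flipped bit, as a corrupted or substituted download would show.
    tampered = apk[:-1] + bytes([apk[-1] ^ 0x01])
    print("modified copy verifies:", verify_apk(io.BytesIO(tampered), checksum))
```

Run the same check against the file actually served at the bundle's download location before programming NFC tags, so a stale or replaced package is caught before devices are bumped.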
Device Owner Provisioning with Activation Code
Select Add Work Account from the setup wizard. This triggers a lookup of the EMM from Android servers.
The device installs the EMM app and starts the provisioning flow. As an extra option, Android device administration supports using an email address with a six-digit activation code to bootstrap the process as part of the setup wizard.
EMM benefits
An EMM can help by conducting these tasks for you:
- Provision managed profile
- Apply security policies
  - Set password complexity
  - Lockdowns: disable screenshots, sharing from managed profile, etc.
- Configure enterprise connectivity
  - Use WifiEnterpriseConfig to configure corporate Wi-Fi
  - Configure VPN on the device
  - Use DPM.setApplicationRestrictions() to configure corporate VPN
- Enable corporate app Single Sign-On (SSO)
  - Install desired corporate apps
  - Use DPM.installKeyPair() to silently install corp client certs
  - Use DPM.setApplicationRestrictions() to configure hostnames, cert aliases of corporate apps
Managed provisioning is just one piece of the EMM end-to-end workflow, with the end goal being to make corporate data accessible to apps in the managed profile.
See Setting up Device Testing for testing instructions.