Provisioning for Device Administration

This page describes the process for deploying devices to corporate users.

Device owner provisioning can be accomplished over NFC or with an activation code. See Implementing Device Administration for the complete list of requirements.

Download the NfcProvisioning APK and Android-DeviceOwner APK.

Caution: If provisioning has already started, affected devices will first need to be factory reset.

Managed Provisioning


Managed Provisioning is a framework UI flow to ensure users are adequately informed of the implications of setting a device owner or managed profile. You can think of it as a setup wizard for managed profiles.

Note: Remember, the device owner can be set only from an unprovisioned device. If Settings.Secure.USER_SETUP_COMPLETE has ever been set, then the device is considered provisioned and the device owner cannot be set.

Please note, devices that enable default encryption offer a considerably simpler and quicker device administration provisioning flow. The managed provisioning component:

  • Encrypts the device
  • Creates the managed profile
  • Disables non-required applications
  • Sets the enterprise mobility management (EMM) app as profile owner

In turn, the EMM app:

  • Adds user accounts
  • Enforces device compliance
  • Enables any additional system applications

In this flow, managed provisioning triggers device encryption. The framework copies the EMM app into the managed profile as part of managed provisioning. The instance of the EMM app inside of the managed profile gets a callback from the framework when provisioning is done.

The EMM can then add accounts and enforce policies; it then calls setProfileEnabled(), which makes the launcher icons visible.

Profile Owner Provisioning


Profile owner provisioning assumes the user of the device oversees its management (and not a company IT department). To enable profile owner provisioning, you must send an intent with the appropriate extras. See the BasicManagedProfile.apk for an example.

Mobile Device Management (MDM) applications trigger the creation of the managed profile by sending an intent with action:

DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE

Here is a sample intent that will trigger the creation of the managed profile and set the DeviceAdminSample as the profile owner:

adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
          -c android.intent.category.DEFAULT \
          -e wifiSsid $(printf '%q' \"GoogleGuest\") \
          -e deviceAdminPackage "com.google.android.deviceadminsample" \
          -e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
          -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"

Device Owner Provisioning via NFC


Device owner provisioning via NFC is similar to the profile owner method but requires more bootstrapping before managed provisioning.

To use this method, NFC bump the device from the first page of the setup wizard (SUW). This offers a low-touch flow that configures Wi-Fi, installs the device policy controller (DPC), and sets the DPC as device owner.

Here is the typical NFC bundle:

                EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
                EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
                EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
                EXTRA_PROVISIONING_WIFI_SSID
                EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
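
The checksum entry in the bundle above is what ties the APK the device downloads to the APK the administrator approved. The following is an added example, not code from the original page or from the NfcProvisioning APK: it builds the bundle as java.util.Properties-style text and checks that a hosted APK still matches the checksum before devices are bumped. Assumptions: the key strings are the values of the DevicePolicyManager constants (the location entry is assumed to map to ..._PACKAGE_DOWNLOAD_LOCATION), the checksum is a URL-safe base64 digest whose algorithm depends on the Android release, and the package name, URL, SSID and APK bytes are constructed.

```python
import base64
import hashlib
import hmac

# Assumption: string values behind the DevicePolicyManager
# EXTRA_PROVISIONING_* constants; the page lists only the constant names.
PREFIX = "android.app.extra.PROVISIONING_"
CHECKSUM_KEY = PREFIX + "DEVICE_ADMIN_PACKAGE_CHECKSUM"

def apk_checksum(apk_bytes, algorithm="sha256"):
    """URL-safe base64 digest of the DPC APK with '=' padding removed."""
    digest = hashlib.new(algorithm, apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def build_payload(package, location, apk_bytes, ssid, security, algorithm="sha256"):
    """Serialize the bundle as key=value lines, refusing line-splitting values."""
    fields = {
        PREFIX + "DEVICE_ADMIN_PACKAGE_NAME": package,
        PREFIX + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": location,
        CHECKSUM_KEY: apk_checksum(apk_bytes, algorithm),
        PREFIX + "WIFI_SSID": ssid,
        PREFIX + "WIFI_SECURITY_TYPE": security,
    }
    lines = []
    for key, value in fields.items():
        if value != value.strip() or any(ord(c) < 0x20 for c in value):
            raise ValueError("unsafe value for " + key)
        lines.append(key + "=" + value.replace("\\", "\\\\"))
    return ("\n".join(lines) + "\n").encode("iso-8859-1")

def parse_payload(payload):
    """Read the key=value lines back into a dict."""
    pairs = {}
    for line in payload.decode("iso-8859-1").splitlines():
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            pairs[key] = value.replace("\\\\", "\\")
    return pairs

def apk_matches_payload(payload, apk_bytes, algorithm="sha256"):
    """True only if the hosted APK still hashes to the payload's checksum."""
    expected = parse_payload(payload).get(CHECKSUM_KEY, "").rstrip("=")
    actual = apk_checksum(apk_bytes, algorithm)
    return hmac.compare_digest(expected.encode("ascii", "replace"), actual.encode("ascii"))

# Constructed sample input: stand-in APK bytes and example.com values.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for the DPC APK"
SAMPLE_PAYLOAD = build_payload("com.example.dpc", "https://example.com/dpc.apk",
                               SAMPLE_APK, "ExampleSetup", "NONE")
```

Re-running apk_matches_payload() against the file actually served at the download location catches an APK that was replaced or rebuilt after the payload was written.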

The device must have NFC configured to accept the managed provisioning mimetype from SUW:

/packages/apps/Nfc/res/values/provisioning.xml

      <bool name="enable_nfc_provisioning">true</bool>
      <item>application/com.android.managedprovisioning</item>

Device Owner Provisioning with Activation Code


Select Add Work Account from the setup wizard. This triggers a lookup of the EMM from Android servers.

The device installs the EMM app and starts the provisioning flow. As an extra option, Android device administration supports using an email address with a six-digit activation code to bootstrap the process as part of the setup wizard.

EMM benefits


An EMM can help by conducting these tasks for you:

  • Provision managed profile
  • Apply security policies
    • Set password complexity
    • Lockdowns: disable screenshots, sharing from managed profile, etc.
  • Configure enterprise connectivity
    • Use WifiEnterpriseConfig to configure corporate Wi-Fi
    • Configure VPN on the device
    • Use DPM.setApplicationRestrictions() to configure corporate VPN
  • Enable corporate app Single Sign-On (SSO)
    • Install desired corporate apps
    • Use DPM.installKeyPair() to silently install corporate client certificates
    • Use DPM.setApplicationRestrictions() to configure hostnames and certificate aliases of corporate apps

Managed provisioning is just one piece of the EMM end-to-end workflow, with the end goal being to make corporate data accessible to apps in the managed profile.

See Setting up Device Testing for testing instructions.
