Prelude:
The client wants to install EMM for his owner devices. Sometimes the user wants to use the device as work device (only taxi and couriers apps) and sometimes the user wants to use the device as his own (install games, social apps, and his own Google accounts).
Situation:
The client wants to store his gsuite accounts in FRP storage (to have the ability to unlock a phone in case employee leave organization) but doesn't want an employee to unlock the phone after FR entering his personal account credentials.
Example:
I added two work account programmatically (like described here). But after the user gets the phone he entered his personal Gmail account to use Gmail, other apps. How can I programmatically or maybe from DPC app prevents user recover access to the phone using his personal account after Factory Reset?
I found the answer, finally. The link to the documentation. I need just to create a bundle with google plus ids of accounts that will have the opportunity to recover device after factory reset.
And after that need to send a broadcast to notify the system that these values were changed.
val bundle = Bundle()
// list of recovery accounts
val recoveryAccounts = arrayOf(
"115273111154663031432",
"110369192556268846321",
)
bundle.putStringArray("factoryResetProtectionAdmin", recoveryAccounts)
mAdminComponentName = DeviceAdminReceiver.getComponentName(context)
// set restrictions
mDevicePolicyManager.setApplicationRestrictions(mAdminComponentName, "com.google.android.gms", bundle)
// send broadcast
val broadcastIntent = Intent("com.google.android.gms.auth.FRP_CONFIG_CHANGED")
broadcastIntent.setPackage("com.google.android.gms")
broadcastIntent.addFlags(Intent.FLAG_RECEIVER_FOREGROUND)
applicationContext.sendBroadcast(broadcastIntent)