
How to set an app as device admin/owner in the Android Management API?


I'm on an MDM development project. We are integrating our MDM with the Android Management API; our application is mandatory to install on devices and is included in all policies that are created. The problem occurs when trying to set the app as device owner (to make it impossible to remove it without formatting the device or clearing its data). All the attempts I made to create Google policies were failures; the most functional JSON I have gives some instructions to our app but does not make it own the device.

    const appConfig = {
        packageName: "com.datadike.mdm",
        installType: "FORCE_INSTALLED",
        defaultPermissionPolicy: "GRANT",
        permissionGrants: [
            { permission: "android.permission.READ_CONTACTS", policy: "GRANT" },
            { permission: "android.permission.ACCESS_FINE_LOCATION", policy: "GRANT" },
            { permission: "android.permission.POST_NOTIFICATIONS", policy: "GRANT" },
            { permission: "android.permission.READ_CALL_LOG", policy: "GRANT" },
            { permission: "android.permission.READ_PHONE_STATE", policy: "GRANT" }
        ]
    };

I saw in some forums that the app must be defined as device owner at provisioning time, by embedding the configuration via QR code; all attempts at this were also failures.

I tried the approach below. The app is installed but does not receive device owner; I was hoping that the installType field "FORCE_INSTALLED" would resolve this.

    const appConfig = {
        packageName: "com.datadike.mdm",
        installType: "FORCE_INSTALLED",
        defaultPermissionPolicy: "GRANT",
        permissionGrants: [
            { permission: "android.permission.READ_CONTACTS", policy: "GRANT" },
            { permission: "android.permission.ACCESS_FINE_LOCATION", policy: "GRANT" },
            { permission: "android.permission.POST_NOTIFICATIONS", policy: "GRANT" },
            { permission: "android.permission.READ_CALL_LOG", policy: "GRANT" },
            { permission: "android.permission.READ_PHONE_STATE", policy: "GRANT" }
        ]
    };

Solution

  • Note that Android Device Policy is the only device policy controller compatible with Android Management API. Hence, you will not be able to make any other app the device owner when using Android Management API. You can, however, use your existing application as an extension app to communicate directly with Android Device Policy offline via ExtensionConfig, or provide additional privileges (e.g. grant access to blocking uninstallation, managed configuration management, etc.) to your app by using DelegatedScope. Manually setting USER_CONTROL_DISALLOWED for the UserControlSettings associated with your application will also prevent users from being able to force stop and uninstall your application on devices running Android 11 and higher.
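
The settings named in the answer, applied to the question's application entry. This is an added example, not code from the question or the answer: the helper names, the placeholder fingerprint and the receiver class `com.datadike.mdm.CommandReceiverService` are assumptions made for illustration. It rejects scope names that are not DelegatedScope values and normalizes the signing certificate hash before building the entry.

```javascript
// Added example, not the answerer's code. Android Device Policy remains the
// device owner; the MDM app only receives delegated privileges.

// DelegatedScope values defined by the Android Management API.
const DELEGATED_SCOPES = new Set([
  "CERT_INSTALL", "MANAGED_CONFIGURATIONS", "BLOCK_UNINSTALL", "PERMISSION_GRANT",
  "PACKAGE_ACCESS", "ENABLE_SYSTEM_APP", "NETWORK_ACTIVITY_LOGS", "SECURITY_LOGS",
  "CERT_SELECTION",
]);

// Returns a copy of an ApplicationPolicy entry with the settings from the answer.
function hardenAppEntry(app, { scopes, signingCertSha256, receiver }) {
  const unknown = scopes.filter((s) => !DELEGATED_SCOPES.has(s));
  if (unknown.length > 0) {
    throw new Error(`not a DelegatedScope: ${unknown.join(", ")}`);
  }
  // The API expects the signing certificate hash as 64 hex characters, no colons.
  const fingerprint = signingCertSha256.replace(/:/g, "");
  if (!/^[0-9a-fA-F]{64}$/.test(fingerprint)) {
    throw new Error("signing certificate SHA-256 must be 64 hex characters");
  }
  return {
    ...app,
    delegatedScopes: [...new Set(scopes)],          // delegate only what the app uses
    userControlSettings: "USER_CONTROL_DISALLOWED", // no force stop / uninstall (Android 11+)
    extensionConfig: {
      signingKeyFingerprintsSha256: [fingerprint],
      notificationReceiver: receiver,
    },
  };
}

// Replaces (or adds) the entry for entry.packageName in a Policy object.
function upsertApplication(policy, entry) {
  const others = (policy.applications || []).filter(
    (a) => a.packageName !== entry.packageName);
  return { ...policy, applications: [...others, entry] };
}

// Constructed sample values: placeholder fingerprint and hypothetical receiver class.
const SAMPLE_FINGERPRINT = Array(32).fill("AB").join(":");
const entry = hardenAppEntry(
  { packageName: "com.datadike.mdm", installType: "FORCE_INSTALLED" },
  { scopes: ["BLOCK_UNINSTALL", "MANAGED_CONFIGURATIONS"],
    signingCertSha256: SAMPLE_FINGERPRINT,
    receiver: "com.datadike.mdm.CommandReceiverService" });
const policy = upsertApplication({ applications: [] }, entry);
console.log(JSON.stringify(policy, null, 2)); // body for enterprises.policies.patch
```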