70

The device policy manager API docs and the android 5.0 overview both mention something about a device owner app. How can I setup my app as a device owner?

Edit: Is there any other ways than rooting and NFC if available please share.

Vishal Santharam
  • 1,963
  • 1
  • 16
  • 30
  • 1
    From the link --->A device owner app is a special device admin that cannot be deactivated by the user, once activated as a device admin. It also cannot be uninstalled. <--- , I just want to know how to set my app as owner app – Vishal Santharam Jan 17 '14 at 10:24
  • 1
    Read http://developer.android.com/guide/topics/admin/device-admin.html for more. – Pankaj Kumar Jan 17 '14 at 10:26
  • The one who uses your app shall be the admin not (you) the developer, so don't think you can make such app which can not be uninstalled! – Saqib Jan 17 '14 at 10:27
  • 1
    Please read the given link there it's mentioned about owner app and not me i just want to know how it is possible. – Vishal Santharam Jan 17 '14 at 10:30
  • 1
    For making your app as device owner without rooting device follow [Device Owner on Android 5.0 (and others) without rooted devices, device provisioning by NFC][1] [1]: http://stackoverflow.com/questions/26906210/device-owner-on-android-5-0-and-others-whitout-rooted-devices-device-provisio/27009164#27009164 – Akhil Nov 19 '14 at 04:53

5 Answers5

76

There's actually a way other than NFC and rooting to set an application as a device owner app. You could use the dpm command line tool from an adb shell.

Usage :

usage: dpm [subcommand] [options]
usage: dpm set-device-owner <COMPONENT>
usage: dpm set-profile-owner <COMPONENT> <USER_ID>

dpm set-device-owner: Sets the given component as active admin, and its package as device owner.
dpm set-profile-owner: Sets the given component as active admin and profile owner for an existing user.

UPDATE : The dpm utility is really simple actually. Its goal is to create a new file called device_owner.xml under /data/system/device_owner.xml that references the Device/Profile owner apps.

The Android platform is then reading this file to check which application is considered as a Device Owner or Profile Owner App.

On a rooted device, you could indeed create this file by yourself, but since the dpm tool is doing it, you'd better use it (DRY principle) :

For example via a Runtime.exec() command: 

Runtime.getRuntime().exec("dpm set-device-owner com.foo.deviceowner/.DeviceAdminRcvr");

Also notice that this tool is working only if no account is set for the user (make sure no account is set in Settings > Accounts) before its use.

Source and more information at Android shell command tool : Device Policy Manager

frogatto
  • 28,539
  • 11
  • 83
  • 129
Florent Dupont
  • 1,758
  • 18
  • 24
  • 3
    The use of the **dpm** command is done through a `adb shell` command, so you first need to provision your device, enable developer mode, enable debugging, install your app as usual (install it with Android Studio for example) and then set it as a device owner app with `dpm`. You can consider the command `dpm` as a tool to facilitate your development of device/profile owner apps. – Florent Dupont Jan 15 '15 at 07:48
  • This solution cannot be used in production but is perfect for development. – Hartok Jan 15 '15 at 15:38
  • 2
    @Hartok Why do you say this can't be used in production? Any solution that doesn't require rooting the device seems better suited for production deployments. – Kevin Krumwiede Feb 12 '15 at 04:58
  • 2
    The solution requires to enable debugging tools on the targeted device, for adb. – Hartok Feb 12 '15 at 05:27
  • 3
    That's typically how enterprise applications are installed. – Kevin Krumwiede Feb 13 '15 at 04:08
  • 3
    Good and short answer which helped me a lot! I just want to add that there are more implementation details that are not shown, such as adding the device admin receiver code, that is required to make the dpm command work. FYI. http://sdgsystems.com/blog/implementing-kiosk-mode-android-part-3-android-lollipop/ – Kevin Lee Apr 25 '15 at 08:18
  • When doing the steps mentiond above I get the following error message: java.lang.IllegalStateException: Trying to set device owner but device is already provisioned. – LairdPleng Oct 22 '15 at 08:52
  • 2
    For me, dpm command only worked when specifying the component name like this: com.example.app/.DeviceOwnerReceiver The part after / is the name of the class that extends DeviceAdminReceiver – AndyB Nov 02 '15 at 14:04
  • 1
    @AndyB you're right. I've updated the article to fix the error. – Florent Dupont Dec 08 '15 at 08:13
  • 7
    When I call from the commandline "adb shell dpm set-device-owner BLAH" things work fine (my app becomes device owner - I don't get a security exception because my app is a system app), but when I call from my program "Runtime.getRuntime().exec("dpm set-device-owner BLAH");" I get a silent failure (not a SecurityException, though I wish I got some feedback). Any idea why? – user3294126 Dec 10 '15 at 20:43
  • Just to add this is run in normal mode, not in recovery mode which I tried it under first – Mark Adamson May 22 '16 at 21:56
  • How do you know what the component name is? – Roel May 31 '17 at 13:49
  • 1
    That's name of the package you set in the manifest.xml of your application. see https://developer.android.com/guide/topics/manifest/manifest-element.html – Florent Dupont Jun 07 '17 at 19:25
  • how to provision my app as device admin for production purpose? – Vikas Pandey Oct 13 '17 at 09:40
  • 1
    Why doesn't the documentation (https://developer.android.com/guide/topics/admin/device-admin) say anything about these steps? It gives rather the impression that the admin app should just work by normal distribution (Play Store, Email, etc.). – User Jan 13 '19 at 09:57
  • In later Android versions, you are forced to create an owner account when first provisioning your tablet, which renders set-device-owner useless since it complains about already existing device owner. And you cannot delete this owner account either. – astralmaster Jan 11 '20 at 22:34
  • Did anyone try to deploy device owner app using Samsung Knox MDM Portal? – Mihodi Lushan Sep 16 '21 at 20:08
  • Where can I find `````` value? – Said Torres Aug 18 '22 at 16:55
19

If you're root on your device, you can follow this method to become device owner.

First, create a file device_owner.xml with following content:

<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<device-owner package="your.owner.app.package.id" name="Your app name" />

Now do the following steps

  1. adb push device_owner.xml /sdcard/

  2. adb shell

  3. su

  4. cp /sdcard/device_owner.xml /data/system/

  5. cd /data/system/

  6. chown system:system device_owner.xml

  7. reboot

Note : Before rebooting device, make sure that you installed the application, which you are trying to make device owner. If you will not do, you will get boot animation for infinite time.

frogatto
  • 28,539
  • 11
  • 83
  • 129
Akhil
  • 829
  • 1
  • 11
  • 26
3

Update:

On my Android 7.1.2 set-top box (AOSF and rooted), I found a couple things that have evolved over time.

  1. exec("dpm set-device-owner ...") throws and exception unless <uses-permission android:name="android.permission.MANAGE_DEVICE_ADMINS" /> is declared in the AndroidManifest.xml. But that brings other issues, more about that here.
  2. The file /data/system/device_policy.xml doesn't appear anymore. Instead, it's now /data/system/device_policy_2.xml and the schema is slightly different. Running dpm set-device-owner com.myDomain.myPackage/.myComponent through an adb shell generates the file as: 
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<root>
    <device-owner package="com.myDomain.myPackage" name="" component="com.myDomain.myPackage/com.myDomain.myPackage.myComponent" userRestrictionsMigrated="true" />
</root>
Gary Kumfert
  • 225
  • 1
  • 2
  • 11
-2

You can also use reflexivity, by calling the DevicePolicyManager method called setProfileOwner which was hidden in the SDK Documentation.

Don't forget to cancel it otherwise you'll have some conflicts with the Google Play ;)

Ektos974
  • 999
  • 10
  • 30
-4

Just tried, and the dpm command requires root privilege on real devices(Samsung T550 for example), otherwise it will fail with SecurityException. adb shell only grants root on android emulators. So you will have to root the device first.

frogatto
  • 28,539
  • 11
  • 83
  • 129
Xavier Lin
  • 328
  • 2
  • 7
  • The OP is asking for a method other that "rooting" the device. – Ani Menon May 14 '16 at 16:23
  • 2
    That's not true on a Nexus 5, dpm works fine for me *WITHOUT* root access, I suspect it's more likely due to some sort of customisation on that specific Samsung device. – Maks Oct 16 '16 at 22:31
  • 2
    I had the same issue (with the same device) and the problem is not that Samsung requires you to root the device. There are Samsung specific permissions (see link) that need to be set in the manifest for device owner to work. I had to add the permission `com.sec.enterprise.permission.CUSTOM_PROKIOSK` to the manifest. https://seap.samsung.com/html-docs/android-customization/Content/KNOX-Customization-SDK-Developer-Guide/To-check-required-permissions.htm – Niklas Ekman Aug 10 '17 at 14:51
  • 1
    Root and/or special permissions are not required on all Samsung devices. I have set up a device owner with adb and via QR code provisioning without special permissions or root. – Stephen M -on strike- Jul 19 '18 at 15:48