
I'm trying to apply a policy to a few tablets via the Android Management API. I've been able to create my enterprise, web app, policy, and add the devices without issue.

The trouble I'm having is with my policy. I've tried various versions from SO and the documentation, but it's either not locking the tablet down or I'm getting non-compliance errors.

Policies I've Tried

Version 1 (source)

{
  "version": 1,
  "applications": [
   {
     "packageName": "com.google.my.webapp",
     "installType": "KIOSK",
     "defaultPermissionPolicy": "GRANT"
   },
   {
     "packageName": "com.android.chrome",
     "installType": "FORCE_INSTALLED",
     "managedConfiguration": {
       "URLBlacklist": ["*"],
       "URLWhitelist": ["my.whitelabeled.url.com"]
     },
     "defaultPermissionPolicy": "GRANT"
   }
  ]
}

Version 2 (source)

{
  "version": 2,
  "applications": [
    {
      "packageName": "com.android.chrome",
      "installType": "FORCE_INSTALLED",
      "defaultPermissionPolicy": "GRANT",
      "managedConfiguration": {
        "URLBlacklist": [
          "*"
        ],
        "URLWhitelist": [
          "my.whitelabeled.url.com"
        ]
      }
    },
    {
      "packageName": "com.google.my.webapp",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT"
    }
  ],
  "statusBarDisabled": true,
  "keyguardDisabled": true
}

Version 3 (source)

{
  "version": 3,
  "applications": [
    {
      "packageName": "com.google.my.webapp",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT"
    }
  ],
  "cameraDisabled": true,
  "defaultPermissionPolicy": "GRANT",
  "debuggingFeaturesAllowed": true
}

Along with a few other variations of the above and from other examples. None of them lock down the device. It looks like I'm getting some errors when I view my devices (output below) that indicate there are MANAGEMENT_MODE issues, which makes sense since it looks like the policy is just PROFILE_OWNER.

  "devices": [
    {
      "name": "enterprises/__enterpriseid__/devices/__deviceid__",
      "managementMode": "PROFILE_OWNER",
      "state": "ACTIVE",
      "appliedState": "ACTIVE",
      "nonComplianceDetails": [
        {
          "settingName": "applications",
          "nonComplianceReason": "MANAGEMENT_MODE",
          "packageName": "com.google.my.webapp"
        },
        {
          "settingName": "systemErrorDialogsDisabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "lockTaskFeatures",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "persistentPreferredActivities",
          "nonComplianceReason": "INVALID_VALUE",
          "packageName": "com.google.my.webapp"
        },
        {
          "settingName": "statusBarDisabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "wifiConfigsLockdownEnabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        }
      ],
      ...
    }
  ]

I'm sure I should've specified that somewhere, but I'm unable to find it.

Does anyone have a working policy that:

  • Boots up Chrome and/or a web app on start
  • Locks Chrome, without the weird pinning options
  • Hides the status menu/buttons
  • Doesn't let the tablet sleep

Thank you!

Lauren
  • Hello, do you know how to create policies at runtime and apply them to a device? – Chirag Savsani Dec 09 '19 at 07:00
  • Hi! Yep I've been able to apply all of the ones listed above and they load onto the devices properly, the results just aren't what I want (e.g. apps not locked down) – Lauren Dec 09 '19 at 07:11
  • @Lauren Did you ever figure out how to do it? – Hugo Jul 23 '20 at 23:33
  • @Hugo No, was never able to get it working. I contacted Android and it seemed like I would've needed to go through their enterprise solution to do it. – Lauren Jul 27 '20 at 12:42

1 Answer

If you want to dedicate a device to a single app, then you need managementMode: "DEVICE_OWNER". You enroll the device on initial setup (you can't enroll the device later with this management mode).

You can think of PROFILE_OWNER as the following: an employee has their own Android device, but wants access to employer-maintained apps and data etc. The employer wants to control access to those apps, and does so via the Android Management API policies.

So the IT staff associate the employee-owned device with a work policy. This process installs a separate profile on the device that's only used for work, and can later be wiped (which won't wipe the user's personal profile from the device). So if the employee leaves, the work access is revoked, but their phone is as it was before.

If the device is fully owned by an employer and is designed to run one app, you should absolutely be running in DEVICE_OWNER management mode. This allows you to lock and pin a single application, and stop users breaking out and doing other stuff they shouldn't be doing with the device.

S.Thomson
  • Thanks S - I think the problem is that I'm unable to set `managementMode` in my policy, so when I scan the QR code to enroll it is applying it as a profile and not as the owner. Based on the documentation (https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#managedconfigurationtemplate) it doesn't look like `managementMode` is an option in the policy, do you know where I set that? – Lauren Dec 17 '19 at 08:11
  • The `managementMode` is determined by the way you provision the device. [This page](https://developers.google.com/android/management/provision-device#provisioning_methods) explains in more detail, but in a nutshell, to get `DEVICE_OWNER` (i.e. Fully Managed / Dedicated Device), it needs to be done on initial device setup. What you are setting up just now is `PROFILE_OWNER` (i.e. Work Profile). You need to factory reset the device and provision it on initial setup. You can't provision later for a dedicated device. – S.Thomson Dec 18 '19 at 09:13
  • Do you know if there is a way to investigate further if my `managementMode` is already `DEVICE_OWNER` but I am still getting the same `INVALID_VALUE` error? This is part of the response for my device: `"managementMode": "DEVICE_OWNER", "state": "ACTIVE", "appliedState": "ACTIVE", "nonComplianceDetails": [ { "settingName": "persistentPreferredActivities", "nonComplianceReason": "INVALID_VALUE", "packageName": "com.android.chrome" } ],` – H.T. Koo Jun 06 '20 at 06:05
  • Just FYI I had [solved my error by adding some `intent-filter` for the `MainActivity`](https://stackoverflow.com/a/62275564/10734272) – H.T. Koo Jun 09 '20 at 05:23
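
The distinction drawn in this thread (settings rejected because of how the device was enrolled versus settings rejected because of the policy or app itself) can be checked mechanically from the device list output. The following is an added example, not code from the question or the answer; the function names and verdict strings are hypothetical, the sample response is constructed from the output quoted above, and only the field names (`managementMode`, `nonComplianceDetails`, `settingName`, `nonComplianceReason`) come from the page.

```python
import json
from collections import defaultdict

# Constructed sample, modelled on the device output quoted in the question and
# on the DEVICE_OWNER case from the comments. IDs are placeholders.
SAMPLE = json.loads("""
{"devices": [
  {"name": "enterprises/ENTERPRISE_ID/devices/DEVICE_A",
   "managementMode": "PROFILE_OWNER",
   "nonComplianceDetails": [
     {"settingName": "applications", "nonComplianceReason": "MANAGEMENT_MODE",
      "packageName": "com.google.my.webapp"},
     {"settingName": "statusBarDisabled", "nonComplianceReason": "MANAGEMENT_MODE"},
     {"settingName": "persistentPreferredActivities",
      "nonComplianceReason": "INVALID_VALUE",
      "packageName": "com.google.my.webapp"}]},
  {"name": "enterprises/ENTERPRISE_ID/devices/DEVICE_B",
   "managementMode": "DEVICE_OWNER",
   "nonComplianceDetails": [
     {"settingName": "persistentPreferredActivities",
      "nonComplianceReason": "INVALID_VALUE",
      "packageName": "com.android.chrome"}]},
  {"name": "enterprises/ENTERPRISE_ID/devices/DEVICE_C",
   "managementMode": "DEVICE_OWNER"}
]}
""")

def triage_device(device):
    """Return (verdict, {reason: [settingName, ...]}) for one device resource."""
    by_reason = defaultdict(list)
    for detail in device.get("nonComplianceDetails", []):
        by_reason[detail.get("nonComplianceReason", "UNKNOWN")].append(
            detail.get("settingName", "?"))
    mode = device.get("managementMode")
    if by_reason.get("MANAGEMENT_MODE") and mode != "DEVICE_OWNER":
        # Kiosk settings rejected because of how the device was enrolled:
        # no policy edit fixes this, the device must be re-provisioned.
        verdict = "REPROVISION_AS_DEVICE_OWNER"
    elif by_reason:
        # Mode is not the blocker; the listed settings need fixing in policy/app.
        verdict = "FIX_POLICY_OR_APP"
    else:
        verdict = "COMPLIANT"
    return verdict, dict(by_reason)

def triage_fleet(response):
    """Map each device ID (last path segment of `name`) to its triage result."""
    return {d["name"].rsplit("/", 1)[-1]: triage_device(d)
            for d in response.get("devices", [])}

if __name__ == "__main__":
    for dev, (verdict, reasons) in triage_fleet(SAMPLE).items():
        print(dev, verdict, reasons)
```

A device that comes back as `REPROVISION_AS_DEVICE_OWNER` will keep reporting `MANAGEMENT_MODE` for kiosk settings no matter how the policy is edited; only the remaining reasons, such as `INVALID_VALUE`, are worth chasing in the policy or the app manifest.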