
I am creating a personal application that can locally manage/control an android device. In particular, I want to be able to do things such as lock down the device, enforce password policies, and wipe the device according to the local state of the device. I have reviewed a number of possible ways of doing this, but that is where I run into trouble.

According to this documentation, DeviceAdmin is essentially deprecated (i.e. the device must be Managed or have Managed Profile to access most of the DeviceAdmin API).

According to this documentation, creating a custom Device Policy Controller (DPC) is essentially deprecated. Side note: from context I am assuming a DPC is essentially a DeviceAdmin with a Managed device/profile but I can't find anywhere that explicitly states that (please correct me if I am wrong).

And finally I'm led to the Android Management API, which at first seems to be what I want. Until I go through the quickstart and find out that I have to create a server and manage the device through a client-server relationship. As a reminder, I am looking for a way to locally manage the device. Now there are release notes indicating that local management may be coming in the future, but that is not now.

So here is my question: is there a currently supported way to locally manage a device?

I am aware of a developer hack that can set an application as a device owner. And while this may be able to work for my personal use, that seems like a pretty big hole in terms of enterprise management.

  • What's the point of locally admining the device? If you want to enforce a password policy, just don't pick a bad one. If you want to wipe the device, hit factory reset. Or do so on the web via android device finder. It seems rather pointless to programmatically enforce rules on your own device like that, just follow the rules. If you're enforcing them on someone else, you want a remote policy so you can roll out changes as needed without physical access. – Gabe Sechan Mar 21 '22 at 01:47
  • @GabeSechan the reason is automation. Dependent on the given local state of the device (i.e. location, wifi, local UI such as a panic button/dead man trigger, etc) I want the device to do certain things. I agree that policies like password complexity don't gain much use from this. But other things that require device owner do. For example: lockNow, setLocationDisabled, setWifiEnabled, setSystemSettings, *wipeData*, and much more. And to emphasize, I want to be able to wipe the device without user interaction, in cases like a 10 minute timer dead man trigger. – PocoDot108 Mar 21 '22 at 02:06
  • @GabeSechan for the majority of the method listed the application does need to be a device/profile owner, per the [documentation](https://developer.android.com/reference/android/app/admin/DevicePolicyManager). And, to get into the specifics, the target API of my application is 31 and so setWifiEnabled requires device owner, per the [documentation](https://developer.android.com/reference/android/net/wifi/WifiManager#setWifiEnabled(boolean)). As a correction to my previous comment, lockNow does not require device owner. – PocoDot108 Mar 21 '22 at 02:16
  • No, you need a system app. Which is also listed in the exceptions. A system app can do everything you've asked for, with the appropriate permissions. Well, possibly a system app and root for factory reset – Gabe Sechan Mar 21 '22 at 02:18
  • @GabeSechan system privileges are not granted to user applications. While I don't have the documentation open in front of me, I believe the only way to grant an app system privileges is to bake it into the OEM which is not possible (unless you're the manufacturer of the phone, which I am not). Also, I am looking for non-root solutions. – PocoDot108 Mar 21 '22 at 02:21
  • Admin owner privileges aren't granted to user apps either. There's only one owner app allowed per phone, and Google's app is that owner for anyone who installed a google account. Even using dpm by command line, you had to factory reset the phone first and not install a google account at provisioning to be able to use it. – Gabe Sechan Mar 21 '22 at 02:26
  • Also, you can make any app a system app by installing it in the sys/priv-app directory (IIRC, it's been a while, I may get the directory wrong). Now doing that typically required root. But device ownership was even more restrictive and harder to use than a system app – Gabe Sechan Mar 21 '22 at 02:29
  • @GabeSechan I don't know what you mean by "Google's app". Maybe you're referring to the Android Management API with its own DPC? But I've already stated that's not a solution. Either way, you got to the reason why I asked this question. Besides the developer hack I referred to in my question, I have found no other way to accomplish what I want to do. Hence the existence of this question. – PocoDot108 Mar 21 '22 at 02:34
  • I mean the Google app on the phone is the device policy owner of a user who has a Google account on the phone. There can't be two. So if you want this to work as a normal user app, device owner wouldn't have worked either. There is no answer to your question, because what you want can't be done. The closest you can get is a system app, which you also rejected. – Gabe Sechan Mar 21 '22 at 02:48
  • And the "hack" you posted isn't a hack. It's the correct way to set a policy owner, other than doing it as an OEM. However it doesn't work if one is already set. It only works if no previous owner has been set. – Gabe Sechan Mar 21 '22 at 02:48

1 Answer


It is correct that, as of today, Android Enterprise has no way to manage a device locally. There is an open feature request to add support for the local execution of commands as part of our push for extensibility integration with the AMAPI SDK. But as mentioned, it is not currently supported.

Despite Android Enterprise no longer accepting new registrations/validations for custom device policy controllers (DPCs), developers can still build a device policy controller to lock down a device, enforce password policies, and wipe the device according to the local device state. You can still build one and deploy it to your device with a QR or NFC. That said, it's important to note that the DPC would NOT be able to use the Play EMM APIs (so, no app management via the Play Store). This limitation may disqualify the solution for you.

Rey V. Aquino
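To make the answer's point concrete, here is an added example (my own code, not Rey V. Aquino's and not part of any Google sample) of the local DPC skeleton it describes: a `DeviceAdminReceiver` plus a small controller that gates every privileged `DevicePolicyManager` call on the ownership level the app actually holds. The class names `LocalAdminReceiver` and `LocalPolicyController` are my own, and it assumes the receiver is declared in the manifest with `android.permission.BIND_DEVICE_ADMIN` and a `<meta-data>` entry pointing at a `res/xml/device_admin.xml` that requests the limit-password, force-lock and wipe-data policies. Plain device-admin calls (password policy, `lockNow`) work once the admin is activated; device-owner-only calls (location, as the comments discuss for Wi-Fi and settings) return `false` rather than throwing `SecurityException` when the app was never made owner, which is the failure mode the question is circling around.

```kotlin
import android.app.admin.DeviceAdminReceiver
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.content.Intent

// Receiver the system binds to. Hypothetical name; must be declared in the
// manifest with BIND_DEVICE_ADMIN and a <meta-data> pointing at the
// device_admin.xml policy list (assumed to exist in res/xml).
class LocalAdminReceiver : DeviceAdminReceiver() {
    override fun onEnabled(context: Context, intent: Intent) {
        // Fires when the user activates the admin in Settings or when the
        // app is made device owner via the dpm command line path mentioned
        // in the comments. Nothing to do here for this example.
    }
}

// Applies policy decisions driven by local device state. Every call checks
// the privilege it needs first so the app degrades cleanly instead of
// crashing when it is only an active admin and not the device owner.
class LocalPolicyController(private val context: Context) {
    private val dpm =
        context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
    private val admin = ComponentName(context, LocalAdminReceiver::class.java)

    val isActiveAdmin: Boolean get() = dpm.isAdminActive(admin)
    val isDeviceOwner: Boolean get() = dpm.isDeviceOwnerApp(context.packageName)
    val isProfileOwner: Boolean get() = dpm.isProfileOwnerApp(context.packageName)

    // Password policy needs only an active device admin with the
    // limit-password policy. setPasswordQuality is deprecated as of API 31
    // but still functions for legacy device admins.
    fun enforceBaselinePasswordPolicy(): Boolean {
        if (!isActiveAdmin) return false
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC)
        dpm.setPasswordMinimumLength(admin, 8)
        dpm.setMaximumTimeToLock(admin, 60_000L) // auto-lock after one minute idle
        return true
    }

    // lockNow needs the force-lock policy, not ownership (as the asker
    // corrected in the comments).
    fun lockNow(): Boolean {
        if (!isActiveAdmin) return false
        dpm.lockNow()
        return true
    }

    // Device-owner-only call (API 30+). Returning false here is the
    // observable difference between "active admin" and "device owner".
    fun setLocationEnabled(enabled: Boolean): Boolean {
        if (!isDeviceOwner) return false
        dpm.setLocationEnabled(admin, enabled)
        return true
    }

    // Wipe needs the wipe-data policy on an active admin. The explicit
    // confirm flag is a local safeguard so a state trigger cannot reach
    // this path by accident; the caller decides what "confirmed" means.
    fun wipeUserData(confirmed: Boolean): Boolean {
        if (!confirmed || !isActiveAdmin) return false
        dpm.wipeData(0)
        return true
    }

    // Summary a debugging UI can show to explain which calls will succeed.
    fun capabilitySummary(): Map<String, Boolean> = mapOf(
        "activeAdmin" to isActiveAdmin,
        "deviceOwner" to isDeviceOwner,
        "profileOwner" to isProfileOwner,
    )
}
```

The design choice worth noting is that ownership is queried at call time rather than cached: the answer's QR/NFC provisioning path and the `dpm` command line path both change the app's status outside its own control, and `isDeviceOwnerApp` is the only reliable way to learn which of the `DevicePolicyManager` methods the asker listed will actually be permitted.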