path: root/docs/html/training/enterprise/work-policy-ctrl.jd
page.title=Building a Work Policy Controller
page.metaDescription=Learn how to develop a Work Policy Controller to create and administer a managed profile on an employee's device.
@jd:body

<div id="tb-wrapper">
<div id="tb">

<h2>This lesson teaches you to</h2>
<ol>
 <li><a href="#create_profile">Create a Managed Profile</a></li>
 <li><a href="#set_up_policies">Set Up Device Policies</a></li>
 <li><a href="#apply_restrictions">Apply App Restrictions</a></li>
</ol>

<!-- related docs (NOT javadocs) -->

<h2>
  You should also read
</h2>

<ul>
  <li>
    <a href="{@docRoot}guide/topics/admin/device-admin.html">Device
    Administration</a>
  </li>
</ul>

<h2>Resources</h2>
<ul>

  <li>
    <a href=
    "{@docRoot}samples/BasicManagedProfile/index.html">BasicManagedProfile</a>
  </li>

  <li>
    <a href=
    "{@docRoot}samples/AppRestrictionEnforcer/index.html">AppRestrictionEnforcer</a>
  </li>
</ul>

</div>
</div>


<p>
  In an Android for Work deployment, an enterprise needs to maintain control
  over certain aspects of the employees' devices. The enterprise needs to
  ensure that work-related information is encrypted and is kept separate from
  employees' personal data. The enterprise may also need to limit device
  capabilities, such as whether the device is allowed to use its camera. And
  the enterprise may require that approved apps provide app restrictions, so
  the enterprise can turn app capability on or off as needed.
</p>

<p>
  To handle these tasks, an enterprise develops and deploys a Work Policy
  Controller app. The controller app is installed on each employee's device
  and creates a work user profile, which accesses enterprise apps and data
  separately from the user's personal account. The controller app also acts
  as the bridge between the enterprise's management software and the device:
  the enterprise tells the controller app when it needs to make configuration
  changes, and the controller app applies the appropriate settings to the
  device and to other apps.
</p>

<p>
  This lesson describes how to develop a Work Policy Controller app for devices
  in an Android for Work deployment. The lesson describes how to create a work
  user profile, how to set device policies, and how to apply
  restrictions to other apps running on the managed profile.
</p>

<p class="note">
  <strong>Note:</strong> This lesson does not cover the situation where the
  only profile on the device is the managed profile, under the enterprise's
  control.
</p>

<h2 id="overview">Device Administration Overview</h2>

<p>
  In an Android for Work deployment, the enterprise administrator can set
  policies to control the behavior of employees' devices and apps. The
  enterprise administrator sets these policies with software provided by their
  Enterprise Mobility Management (EMM) provider. The EMM software communicates
  with a Work Policy Controller on each device. The Work Policy Controller, in
  turn, manages the settings and behavior of the work user profile on each
  individual’s device.
</p>

<p class="note">
  <strong>Note:</strong> A Work Policy Controller is built on the existing
  model used for device administration applications, as described in <a href=
  "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>.
  In particular, your app needs to create a subclass of {@link
  android.app.admin.DeviceAdminReceiver}, as described in that document.
</p>

<h3 id="managed_profiles">Managed profiles</h3>

<p>
  Users often want to use their personal devices in an enterprise setting. This
  situation presents enterprises with a dilemma. If users can use their
  own devices, confidential information (like employee email and contacts)
  ends up on a device the enterprise does not control.
</p>

<p>
  To address this situation, Android 5.0 (API level 21) allows enterprises to
  set up a special work user profile using the Managed Profile API. This
  user profile is called a <em>managed profile</em>, or a <em>work profile</em>
  in the Android for Work program. If a device has a
  managed profile for work, the profile's settings are under the control of the
  enterprise administrator. The administrator can choose which apps are allowed
  for that profile, and can control just what device features are available to
  the profile.
</p>

<h2 id="create_profile">Create a Managed Profile</h2>

<p>To create a managed profile on a device that already has a personal profile,
first check that the device can support a managed profile, by seeing if the
device supports the {@link
android.content.pm.PackageManager#FEATURE_MANAGED_USERS FEATURE_MANAGED_USERS}
system feature:</p>

<pre>PackageManager pm = getPackageManager();
if (!pm.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS)) {

    // This device does not support native managed profiles!

}</pre>

<p>If the device supports managed profiles, create one by sending an intent with
an {@link android.app.admin.DevicePolicyManager#ACTION_PROVISION_MANAGED_PROFILE
ACTION_PROVISION_MANAGED_PROFILE} action. Include the package name of the Work
Policy Controller (the package that will become the profile owner) as the
{@link android.app.admin.DevicePolicyManager#EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME} extra.</p>

<pre>// Request code used to recognize the provisioning result in
// onActivityResult(); any value unique within this component works.
private static final int REQUEST_PROVISION_MANAGED_PROFILE = 1;

// ...

Activity provisioningActivity = getActivity();

// Set up the provisioning intent
Intent provisioningIntent =
        new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);

// Tell the system which package becomes the profile owner of the new
// managed profile: the WPC app itself. The extra's key is the system
// constant; its value is this app's package name.
provisioningIntent.putExtra(
        DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME,
        provisioningActivity.getApplicationContext().getPackageName());

if (provisioningIntent.resolveActivity(provisioningActivity.getPackageManager())
         == null) {

    // No handler for intent! Can't provision this device.
    // Show an error message and cancel.
} else {

    // The result is delivered to onActivityResult(); do not finish this
    // activity before that result arrives, or it is never delivered.
    startActivityForResult(provisioningIntent,
            REQUEST_PROVISION_MANAGED_PROFILE);
}</pre>

<p>The system responds to this intent by doing the following:</p>

<ul>
  <li>Verifies that the device is encrypted. If it is not, the system prompts
  the user to encrypt the device before proceeding.
  </li>

  <li>Creates a managed profile.
  </li>

  <li>Removes non-required applications from the managed profile.
  </li>

  <li>Copies the Work Policy Controller application into the managed profile and
    sets it as the profile owner.
  </li>
</ul>

<p>Override {@link android.app.Activity#onActivityResult onActivityResult()} to
see whether the provisioning was successful, as shown in the following 
example code:</p>

<pre>&#64;Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {

    // Check if this is the result of the provisioning activity
    if (requestCode == REQUEST_PROVISION_MANAGED_PROFILE) {

        // If provisioning was successful, the result code is
        // Activity.RESULT_OK
        if (resultCode == Activity.RESULT_OK) {
            // Managed profile created and provisioned. The profile owner's
            // onProfileProvisioningComplete() callback runs in the new profile.
        } else {
            // Provisioning failed, or the user cancelled it.
        }
    } else {
        // This is the result of some other activity, call the superclass
        super.onActivityResult(requestCode, resultCode, data);
    }
}</pre>

<h3 id="after_creating_profile">After Creating the Managed Profile</h3>

<p>When the profile has been provisioned, the system calls the Work Policy
Controller app's {@link
android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete
DeviceAdminReceiver.onProfileProvisioningComplete()} method. Override this
callback method to finish enabling the managed profile.</p>

<p>Typically, your {@link
android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete
DeviceAdminReceiver.onProfileProvisioningComplete()} callback implementation
would perform these tasks:</p>

<ul>
  <li>Verify that the device is complying with the EMM's device policies, as
  described in <a href="#set_up_policies">Set Up Device Policies</a>
  </li>

  <li>Enable any system applications that the administrator chooses to make
  available within the managed profile, using {@link
  android.app.admin.DevicePolicyManager#enableSystemApp
  DevicePolicyManager.enableSystemApp()}   </li>

  <li>If the device uses Google Play for Work, add the Google account
  to the managed profile with {@link android.accounts.AccountManager#addAccount
  AccountManager.addAccount()}, so administrators can install
  applications to the device
  </li>
</ul>

<p>Once you have completed these tasks, call the device policy manager's
{@link android.app.admin.DevicePolicyManager#setProfileEnabled
setProfileEnabled()} method to activate the managed profile:</p>


<pre>&#64;Override
public void onProfileProvisioningComplete(Context context, Intent intent) {
    // Get the device policy manager
    DevicePolicyManager myDevicePolicyMgr =
            (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);

    // The admin component is this DeviceAdminReceiver subclass itself
    ComponentName componentName = new ComponentName(context, getClass());

    // Set the name for the newly created managed profile.
    myDevicePolicyMgr.setProfileName(componentName, "My New Managed Profile");

    // ...and enable the profile
    myDevicePolicyMgr.setProfileEnabled(componentName);
}</pre>
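<p>The following is an added example, not code from this page or from the
BasicManagedProfile sample, of a complete {@link
android.app.admin.DeviceAdminReceiver} subclass that carries out the tasks
listed above. The class name <code>WorkPolicyAdminReceiver</code>, the manifest
snippet in its comment, and the list of system packages are assumptions for the
example; a real controller would receive the package list from the EMM. It adds
one check a practitioner wants before touching any policy: confirming that this
package actually became the profile owner, since every policy call fails with a
<code>SecurityException</code> otherwise.</p>

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

/**
 * DeviceAdminReceiver for a hypothetical Work Policy Controller.
 *
 * Manifest declaration this class assumes (not part of the original page):
 *
 *   <receiver android:name=".WorkPolicyAdminReceiver"
 *             android:permission="android.permission.BIND_DEVICE_ADMIN">
 *       <meta-data android:name="android.app.device_admin"
 *                  android:resource="@xml/device_admin" />
 *       <intent-filter>
 *           <action android:name="android.app.action.PROFILE_PROVISIONING_COMPLETE" />
 *       </intent-filter>
 *   </receiver>
 */
public class WorkPolicyAdminReceiver extends DeviceAdminReceiver {

    private static final String TAG = "WorkPolicyAdmin";

    // System apps the administrator wants available inside the work profile.
    // Constructed list for this example; a real controller gets it from the EMM.
    private static final String[] ALLOWED_SYSTEM_APPS = {
            "com.android.chrome",
            "com.google.android.calendar",
    };

    /** ComponentName of this receiver: the "admin" argument to every DevicePolicyManager call. */
    public static ComponentName getComponentName(Context context) {
        return new ComponentName(context.getApplicationContext(), WorkPolicyAdminReceiver.class);
    }

    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getComponentName(context);

        // Defensive check: only act if we really are the profile owner. Without
        // it every call below throws SecurityException.
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            Log.e(TAG, "Provisioning completed but this package is not the profile owner; aborting");
            return;
        }

        // The system removed non-required apps from the profile. Re-enable only
        // the system apps the administrator approved. enableSystemApp() throws
        // IllegalArgumentException for a package that is not a system app, so
        // guard each call and keep going.
        for (String pkg : ALLOWED_SYSTEM_APPS) {
            try {
                dpm.enableSystemApp(admin, pkg);
            } catch (IllegalArgumentException e) {
                Log.w(TAG, "Not a system app on this device, skipping: " + pkg);
            }
        }

        // Name the profile so the user can tell work-badged apps from personal ones.
        dpm.setProfileName(admin, "Work");

        // Enabling the profile is the last step; the profile stays hidden
        // from the user until this is called.
        dpm.setProfileEnabled(admin);

        // Bring up the controller's own launcher activity inside the new
        // profile so the user sees that setup finished.
        Intent launch = context.getPackageManager()
                .getLaunchIntentForPackage(context.getPackageName());
        if (launch != null) {
            launch.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(launch);
        }
    }
}
```

<p>Because this callback runs inside the newly created managed profile, any
state the controller kept in the personal profile (for example an EMM
enrollment token) is not visible here; the controller has to fetch or persist
it again from within the profile.</p>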

<h2 id="set_up_policies">Set Up Device Policies</h2>

<p>
  The Work Policy Controller app is responsible for applying the enterprise's
  device policies. For example, a particular enterprise might require a minimum
  password length, or require that the work profile be wiped after a certain
  number of failed attempts to enter the password. The controller app queries
  the EMM to find out what the current policies are, then uses the <a href=
  "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>
  API to apply those policies.
</p>

<p>For information on how to apply device policies, see the 
<a href="{@docRoot}guide/topics/admin/device-admin.html#policies">Device
Administration</a> guide.</p>
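<p>As an added example (not code from this page or the Device Administration
guide), the class below applies a small policy set as profile owner and reports
whether the current password satisfies it. The <code>PolicySet</code> value
object and its defaults are constructed for the example; the
<code>admin</code> argument is the {@link android.content.ComponentName} of the
controller's {@link android.app.admin.DeviceAdminReceiver} subclass.</p>

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

/**
 * Applies an EMM-supplied policy set to the work profile and reports
 * whether the profile currently complies with it. Example code only.
 */
public class WorkPolicyApplier {

    /** Plain value object for the policies this example handles (constructed for the example). */
    public static final class PolicySet {
        public int passwordQuality = DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
        public int passwordMinLength = 6;
        public int maxFailedPasswordsForWipe = 10;
        public long maxTimeToLockMs = 5 * 60 * 1000L;
        public boolean cameraDisabled = false;
    }

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public WorkPolicyApplier(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /**
     * Pushes the policy set into the system. Throws SecurityException if the
     * caller is not the profile owner (or device owner).
     */
    public void apply(PolicySet policy) {
        // Password quality must be set before the minimum length has any
        // effect: the length policy is ignored for qualities below NUMERIC.
        dpm.setPasswordQuality(admin, policy.passwordQuality);
        dpm.setPasswordMinimumLength(admin, policy.passwordMinLength);

        // Wipe after too many failed attempts. Called by a profile owner this
        // wipes the managed profile only, not the whole device.
        dpm.setMaximumFailedPasswordsForWipe(admin, policy.maxFailedPasswordsForWipe);

        // Lock after this much inactivity (milliseconds).
        dpm.setMaximumTimeToLock(admin, policy.maxTimeToLockMs);

        // Feature restriction: camera use from apps in the work profile.
        dpm.setCameraDisabled(admin, policy.cameraDisabled);
    }

    /**
     * True if the password currently set satisfies every password policy the
     * system knows about, including ones set by other admins.
     */
    public boolean isPasswordCompliant() {
        return dpm.isActivePasswordSufficient();
    }

    /**
     * Intent that sends the user to the system "set new password" screen.
     * Start it from an Activity when isPasswordCompliant() returns false.
     */
    public static Intent newPasswordIntent() {
        return new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
    }
}
```

<p>Setting a policy does not retroactively change an existing password, which
is why <code>isPasswordCompliant()</code> is checked after <code>apply()</code>
and the user is sent to the password screen when it returns false; until then
the controller should treat the profile as non-compliant.</p>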


<h2 id="apply_restrictions">Apply App Restrictions</h2>

<p>Enterprise environments may require that approved apps implement security or
feature restrictions. App developers must implement these restrictions and
declare them for use by enterprise administrators, as described in
<a href="{@docRoot}training/enterprise/app-restrictions.html">Implementing
App Restrictions</a>. The Work Policy Controller receives restriction changes
from the enterprise administrator, and forwards those restriction changes to the
apps.</p>

<p>For example, a particular news app might have a restriction setting that
controls whether the app is allowed to download videos over a cellular
network. When the EMM wants to disable cellular downloads, it sends a
notification to the controller app. The controller app, in turn,
notifies the news app that the restriction setting has changed.</p>

<p class="note"><strong>Note:</strong> This document covers how the Work Policy
Controller app changes the restriction settings for the other apps on the
managed profile. Details on how the Work Policy Controller app communicates with
the EMM are out of scope for this document.</p>

<p>To change an app's restrictions, call the {@link
android.app.admin.DevicePolicyManager#setApplicationRestrictions
DevicePolicyManager.setApplicationRestrictions()} method. This method takes
three parameters: the {@link android.content.ComponentName ComponentName} of
the controller app's {@link android.app.admin.DeviceAdminReceiver} subclass,
the package name of the app whose restrictions are being changed, and a {@link
android.os.Bundle Bundle} that contains the restrictions you want to set. The
bundle replaces the app's current restrictions rather than merging with them,
so include every key that should stay in effect, not only the one that
changed.</p>

<p>For example, suppose there's an app on the managed profile with the package
name <code>"com.example.newsfetcher"</code>. This app has a single boolean
restriction that can be configured, with the key
<code>"downloadByCellular"</code>. If this restriction is set to
<code>false</code>, the newsfetcher app is not allowed to download data through
a cellular network; it must use a Wi-Fi network instead.</p>

<p>
  If your Work Policy Controller app needs to turn off cellular downloads, it
  would first fetch the device policy service object, as described above. It
  then assembles a restrictions bundle and passes this bundle to {@link
  android.app.admin.DevicePolicyManager#setApplicationRestrictions
  setApplicationRestrictions()}:
</p>

<pre>// Fetch the DevicePolicyManager. thisActivity is the current Activity.
DevicePolicyManager myDevicePolicyMgr =
        (DevicePolicyManager) thisActivity
                .getSystemService(Context.DEVICE_POLICY_SERVICE);

// Set up the restrictions bundle
Bundle restrictionsBundle = new Bundle();
restrictionsBundle.putBoolean("downloadByCellular", false);

// Pass the restrictions to the policy manager. The first argument is the
// ComponentName of the WPC app's DeviceAdminReceiver subclass (assumed
// here to be a class named MyDeviceAdminReceiver).
ComponentName myDeviceAdminReceiver =
        new ComponentName(thisActivity, MyDeviceAdminReceiver.class);
myDevicePolicyMgr.setApplicationRestrictions(
        myDeviceAdminReceiver, "com.example.newsfetcher", restrictionsBundle);</pre>


<p class="note"><strong>Note:</strong> The device policy service conveys the restrictions
change to the app you name. However, it is up to that app to actually implement
the restriction. For example, in this case, the app would be responsible for
disabling its ability to use cellular networks for video downloads. Setting the
restriction does not cause the system to enforce this restriction on the app,
so treat app restrictions as configuration handed to a cooperating app, not as
a security boundary; a behavior the enterprise must guarantee has to be enforced
through device policies instead.
For more information, see <a href="{@docRoot}training/enterprise/app-restrictions.html">Implementing
App Restrictions</a>.</p>
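<p>The following added example (not code from this page, the
AppRestrictionEnforcer sample, or the newsfetcher app the text imagines) shows
both sides of the exchange described above. The controller side validates the
values the EMM asked for against the restrictions the target app actually
declares, using {@link android.content.RestrictionsManager#getManifestRestrictions
RestrictionsManager.getManifestRestrictions()}, so that a typo or an
unsupported key from the management server is dropped rather than pushed as an
untyped value. The app side re-reads its restrictions when the system
broadcasts {@link android.content.Intent#ACTION_APPLICATION_RESTRICTIONS_CHANGED
ACTION_APPLICATION_RESTRICTIONS_CHANGED}. Class names, the
<code>requested</code> map, and the <code>"downloadByCellular"</code> default
are assumptions for the example.</p>

```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.RestrictionEntry;
import android.content.RestrictionsManager;
import android.os.Bundle;
import android.util.Log;
import java.util.List;
import java.util.Map;

/** Controller side: validate requested restrictions against the app's declared schema, then push them. */
public class RestrictionPusher {
    private static final String TAG = "RestrictionPusher";
    private final DevicePolicyManager dpm;
    private final RestrictionsManager rm;
    private final ComponentName admin;  // ComponentName of the WPC's DeviceAdminReceiver

    public RestrictionPusher(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.rm = (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
        this.admin = admin;
    }

    /**
     * Builds a Bundle from the (key -> value) strings the EMM requested (a
     * constructed input for this example), keeping only keys the target app
     * declares in its restrictions XML and converting each to its declared
     * type. Returns the bundle actually applied so the caller can log it.
     */
    public Bundle push(String targetPackage, Map<String, String> requested) {
        List<RestrictionEntry> declared = rm.getManifestRestrictions(targetPackage);
        Bundle restrictions = new Bundle();
        if (declared == null) {
            Log.w(TAG, targetPackage + " declares no restrictions; applying an empty bundle");
        } else {
            for (RestrictionEntry entry : declared) {
                String value = requested.get(entry.getKey());
                if (value == null) continue;  // EMM did not set this key; the app keeps its default
                switch (entry.getType()) {
                    case RestrictionEntry.TYPE_BOOLEAN:
                        restrictions.putBoolean(entry.getKey(), Boolean.parseBoolean(value));
                        break;
                    case RestrictionEntry.TYPE_INTEGER:
                        try {
                            restrictions.putInt(entry.getKey(), Integer.parseInt(value));
                        } catch (NumberFormatException e) {
                            Log.w(TAG, "Ignoring non-integer value for " + entry.getKey());
                        }
                        break;
                    case RestrictionEntry.TYPE_STRING:
                    case RestrictionEntry.TYPE_CHOICE:
                        restrictions.putString(entry.getKey(), value);
                        break;
                    default:
                        Log.w(TAG, "Unsupported restriction type for " + entry.getKey());
                }
            }
        }
        // This replaces the app's whole restriction bundle; keys left out
        // revert to the app's declared defaults.
        dpm.setApplicationRestrictions(admin, targetPackage, restrictions);
        return restrictions;
    }
}

/** App side (the hypothetical newsfetcher app): re-read restrictions when the controller changes them. */
class RestrictionsChangedReceiver extends BroadcastReceiver {
    private static final String KEY_CELLULAR = "downloadByCellular";

    /** The app's own enforcement point; every download path must consult this. */
    public static boolean isCellularDownloadAllowed(Context context) {
        RestrictionsManager rm =
                (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle b = rm.getApplicationRestrictions();
        // Permissive only when no administrator has expressed a preference.
        return b == null || b.getBoolean(KEY_CELLULAR, true);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Registered for android.intent.action.APPLICATION_RESTRICTIONS_CHANGED.
        if (Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED.equals(intent.getAction())) {
            Log.i("NewsFetcher", "cellular downloads allowed: " + isCellularDownloadAllowed(context));
        }
    }
}
```

<p>The validation step on the controller side is the part worth keeping even
when the EMM is trusted: a restriction key the app does not declare is silently
ignored by the app, so pushing it gives the administrator the impression that a
control is in place when nothing changed.</p>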