Forum Discussion
Questions Regarding Fully Company-Owned and Managed Devices with AMAPI
Hi!
These use cases and current solutions can have an extreme impact on device security and data protection for users and customers. I can only strongly advise against processing personal data on rooted devices, whose security patches should also be prevented as far as possible.
I haven't studied some of the questions in depth so far, but maybe some information will help.
1) System-Level Permissions
Privileged apps must be located in specific ./priv-app/ directories.
https://source.android.com/docs/core/permissions/perms-allowlist
3rd party apps (pre-installed apps, user-installed apps) are installed in /data/app/.
If I am correctly informed, system apps that do not require system-level permissions are installed in /system/app/.
System apps with system permissions are installed in /system/priv-app/.
Privileged apps can also be located in other, special partitions, for example in /product/priv-app/.
https://source.android.com/docs/core/architecture/partitions/product-partitions
If UEM admins could give system-level permissions to a third-party app via AMAPI, this could undermine the entire device security in the event of a faulty configuration or in the case of potentially harmful apps.
To be honest, I would never use rooted devices in the enterprise. I would rather approach the OEM to see if they can provide suitable firmware with preloaded system apps. (In case of doubt, however, this is extremely expensive.)
2) Granting Special Permissions
Unfortunately, this is not possible. See this topic for more information:
https://www.androidenterprise.community/t5/general-discussions/granting-special-permissions-for-fully-managed-devices/m-p/3735
3) Enforcing Default Applications
With Android 15, COPE now has the ability to enforce the default apps for dialer, messaging and browser:
https://www.androidenterprise.community/t5/news-info/stronger-management-of-company-owned-devices-with-android-15-for/ba-p/8667
With Fully Managed, you may be able to work with app blacklists.
4) Disabling Wi-Fi Calling
We are currently using a CustomDPC and not AMAPI. Neither with the CustomDPC nor with an OEM config can we explicitly control Wi-Fi calling.
5) Freeze Periods
Android does not allow continuous freeze periods. A freeze period may be a maximum of 90 days long and the interval between freeze periods must be at least 60 days. Permanent blocking of updates could be possible with OEM-specific solutions.
https://developer.android.com/work/dpc/system-updates
6) DeviceID
A device can have different identifiers. IMEI, serial number, MAC, etc. What is “the” deviceID?
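The freeze-period limits quoted under point 5 (a period of at most 90 days, at least 60 days between periods) can be checked before a policy is pushed to devices. The following validator is an added example, not code from the post or from Android; it assumes periods are given as recurring (month, day) pairs and does its day arithmetic on a fixed 365-day reference year.

```python
from datetime import date

# Limits stated for Android system-update freeze periods
MAX_FREEZE_DAYS = 90
MIN_GAP_DAYS = 60

# Freeze periods recur annually and are expressed as (month, day) pairs.
# Assumption (not from the post): day-of-year arithmetic uses a fixed
# 365-day reference year, so 29 February is not representable here.
_REF_YEAR = 2023
_DAYS_IN_YEAR = 365


def _day_of_year(month: int, day: int) -> int:
    """0-based day of year for a month/day pair in the reference year."""
    return date(_REF_YEAR, month, day).timetuple().tm_yday - 1


def _normalize(period):
    """Return (start, end) as day numbers with end >= start; a period that
    wraps past 31 December has its end pushed into the following year."""
    (sm, sd), (em, ed) = period
    start, end = _day_of_year(sm, sd), _day_of_year(em, ed)
    if end < start:
        end += _DAYS_IN_YEAR
    return start, end


def period_length(period) -> int:
    """Inclusive length in days, e.g. ((12, 1), (1, 15)) -> 46."""
    start, end = _normalize(period)
    return end - start + 1


def validate_freeze_periods(periods):
    """Return a list of violations; an empty list means the set is acceptable.
    Overlapping periods show up as a negative gap and are reported too."""
    problems = []
    ordered = sorted(periods, key=lambda p: _normalize(p)[0])
    spans = [(_normalize(p), p) for p in ordered]
    for i, ((start, end), raw) in enumerate(spans):
        length = end - start + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(f"{raw} lasts {length} days (max {MAX_FREEZE_DAYS})")
        # Gap to the next period; the last period wraps to the first one next year
        (next_start, _), next_raw = spans[(i + 1) % len(spans)]
        if i == len(spans) - 1:
            next_start += _DAYS_IN_YEAR
        gap = next_start - end - 1
        if gap < MIN_GAP_DAYS:
            problems.append(f"only {gap} days between {raw} and {next_raw} (min {MIN_GAP_DAYS})")
    return problems
```

Feeding it four back-to-back 90-day periods reproduces the post's point: every gap is 0 days, so a year-round freeze is rejected.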