Device Owner

sravanthi
Level 2.0: Eclair

Hi ,

I am working on an MDM application which is a Device admin app. Now I am trying to move it to Device Owner. I used Android Management API and generated an Enrolment Token. I have uploaded my APK to an S3 bucket and given that downloadable link in the QR code JSON. After factory reset, I am clicking 6 times on the screen and scanning the QR code. After connecting to WIFI, it says "Device belongs to your organization". When I click on the Next button, I am getting a popup saying "CAN'T SETUP DEVICE, CONTACT YOUR IT ADMIN FOR HELP". How do I fix this? What all things do I need to handle in my Android code? How will my app get downloaded when the QR code is scanned? Here is my JSON for the QR code.

 

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "checksum generated from dowloaded APK",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://android-android.s3.eu-1.amazonaws.com/Android-74.apk",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YLEHSBDKDBDWTJESJGOLAFKN"
}
}

 

Hoping you will help me resolve this issue.

Thanks in advance.


12 REPLIES

jeremy
Level 2.3: Gingerbread

I think you got it all wrong, when you are using Android Management API, the device owner is the Google Device Policy Controller.

If you want to create your own device owner you can do so, but the device won't be manageable with the Android management API.

To create your own device owner you can read this blog article https://medium.com/@codybrookshear/creating-an-android-device-owner-app-in-2023-b7e7b9fb3aca

sravanthi
Level 2.0: Eclair

In this example they are setting device owner using ADB command, but I want to do it for live devices. 

So can't I make my Device admin app the Device owner? So using this Android Management API, can I install/push my admin APK to the device? How do I push the policies?

 

Sorry for asking so many questions, I am completely new to this feature.

jasonbayton
Level 4.0: Ice Cream Sandwich

If you want to use your own Device Policy Controller, you will do nothing with AMAPI whatsoever. You'll be responsible for building policies and sending them to devices, for app installation (APK only), and user management. The AMAPI does not support custom device owner apps.

 

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.android.client/com.android.utils.AdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "checksum generated from dowloaded APK",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://android-android.s3.eu-1.amazonaws.com/Android-74.apk",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YLEHSBDKDBDWTJESJGOLAFKN"
}
}

 

To get this working, you'll need to generate the package checksum (or use the admin signature checksum in its place), and remove the bolded section, as your DPC won't support that. 

 

From this json you can create a QR code, then tap 6 times on the welcome screen of the device (not the button) until the camera comes up. Scan the code and it'll set your app to DO. 

 

Your app will have to talk to your own server application, and fetch the policies and configurations from that accordingly. 
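
The checksum and clean-up steps from the reply above, as an added example that is not part of the original post: the package checksum is the URL-safe base64 of the SHA-256 of the APK file with the padding stripped, and the payload is rebuilt without the clouddpc enrollment-token extra. Assumptions: the "bolded section" (the bold formatting is lost on this page) is taken to be the extras bundle carrying the `com.google.android.apps.work.clouddpc` token, the component name and URL are placeholders, and the https check and helper names are this example's own.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM = P + "DEVICE_ADMIN_PACKAGE_CHECKSUM"
LOCATION = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRAS = P + "ADMIN_EXTRAS_BUNDLE"
CLOUDDPC = "com.google.android.apps.work.clouddpc."  # keys only Google's DPC reads


def package_checksum(apk_bytes):
    """URL-safe base64 of the SHA-256 of the APK file, with '=' padding stripped."""
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(component, apk_url, apk_bytes, extras=None):
    """Return the QR-code JSON for a custom DPC (hypothetical helper)."""
    if urlparse(apk_url).scheme != "https":  # this example's own policy choice
        raise ValueError("serve the DPC APK over https")
    package, sep, receiver = component.partition("/")
    if not (package and sep and receiver):
        raise ValueError("component must look like package/receiver.Class")
    payload = {COMPONENT: component,
               CHECKSUM: package_checksum(apk_bytes),
               LOCATION: apk_url}
    # Keep only extras the custom DPC understands; drop clouddpc enrollment keys.
    own = {k: v for k, v in (extras or {}).items() if not k.startswith(CLOUDDPC)}
    if own:
        payload[EXTRAS] = own
    return json.dumps(payload, indent=2)


def hosted_apk_matches(payload_json, downloaded_bytes):
    """Re-check the file actually served at the download location."""
    return json.loads(payload_json)[CHECKSUM] == package_checksum(downloaded_bytes)


if __name__ == "__main__":
    apk = b"constructed stand-in for the APK bytes"  # constructed sample input
    qr = build_payload("com.example.dpc/com.example.dpc.AdminReceiver",  # placeholder
                       "https://downloads.example.com/dpc.apk", apk,
                       {CLOUDDPC + "EXTRA_ENROLLMENT_TOKEN": "PLACEHOLDER"})
    print(qr)
    print(hosted_apk_matches(qr, apk), hosted_apk_matches(qr, apk + b"x"))
```

Run `hosted_apk_matches` against the bytes downloaded back from the hosting location after every upload, since the checksum ties the QR code to one exact APK file.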

Hi,

You mentioned

"Your app will have to talk to your own server application, and fetch the policies and configurations from that accordingly".

In the above, what is the server application? From where should I fetch policies and configuration? Any sample snippet will really help.
What changes or implementations do I need to do in my app? (Currently we have only one app, which is a Device admin app (with Kiosk); we want to make that the Device Owner. This app should get downloaded and installed once we scan the QR code.)

 

I am worried if I understood the whole process wrongly. Please help with this

jasonbayton
Level 4.0: Ice Cream Sandwich

I fear you may have.

 

If your app has one function and everything is hard-coded to behave a certain way - push the device into kiosk, show one app or perform one function, etc, then you could perhaps get away with no server component controlling the DPC remotely, but if your intention is to remotely configure these devices, you'll need a server application that the DPC checks into from every configured device in order to get instructions on policies (APIs) to set. 

For a traditional EMM, the app on the device is only half of the solution, the rest of it comes from a command server that allows admins to create and save the policies that are sent down to the DPC app. 

Heard that when we move to Device Owner using Android Enterprise or with a few third-party EMMs who are partners with AE, we get more features in terms of managing devices. For example: 1) setting mobile data always on; 2) allowing the user to give special permissions in kiosk mode where settings is blocked, etc.

Can we achieve it with our application now?

jasonbayton
Level 4.0: Ice Cream Sandwich

Yup as a device owner you get a considerable amount more - all of the following (and more) is in scope -

 

https://developer.android.com/reference/android/app/admin/DevicePolicyManager

 

For special permissions there are still limitations in place as Google restricts them, (accessibility etc), but you'll do way more than on DA.

Thank you so much Jason, it is working. App got installed.

Now how do I uninstall it? I am worried about it. Previously we had a policy to deactivate the admin, then I used to uninstall, but now the uninstall button is disabled on the device.

jasonbayton
Level 4.0: Ice Cream Sandwich

An uninstall is a device wipe. There's no option to disable a device owner from a provisioned device today like you could with DA.

Thank you so much Jason, you saved my day. It is working perfectly.

Hi Jason,

 

How do I become an Android Enterprise EMM? On the official site it says AE is not accepting any new registrations, so how do I become an AE EMM? What should I do if I want to use all the advanced features by becoming Device Owner?

By using the above QR code, my application is becoming Device Owner and it is talking to our own traditional EMM (server app) to push the policies. What is the difference between both?

 

jasonbayton
Level 4.0: Ice Cream Sandwich

Hi @sravanthi,

That's right, it's no longer possible to register as a Play EMM API based EMM (with a custom DPC). You won't be able to leverage app and account based API features. 

 

If you'd like to lean on Google's AMAPI, you'll have to discard work on the custom DPC and leverage the Android Device Policy app instead.