- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-02-2024 10:25 AM
Hey,
Is it possible to grant special permissions like `SYSTEM_ALERT_WINDOW` to a device if it is fully managed using Android management API?
We tried adding it to the permissionGrants but it is not enforced for some reason.
Thanks!
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 08:22 AM
Hello @krishnaylk,
Welcome to the Customer Community, it's nice to meet you.
I've asked my teammate about this. Unfortunately, it is not possible to grant permissions directly through AMAPI, especially sensitive permissions like SYSTEM_ALERT_WINDOW. AMAPI focuses on delegated management tasks that prioritize user security and privacy.
Here's a breakdown of why AMAPI restricts permission granting:
Security Focus: Granting app permissions, particularly sensitive ones, requires user awareness and consent. Bypassing this through AMAPI could introduce security vulnerabilities.
Delegated Management: AMAPI offers functionalities for managing aspects like app deployment and security certificates, tasks that benefit from centralized control. Permissions, however, are best handled with user involvement.
Possible alternatives for managing permissions on fully managed devices:
OEMConfig (if available): Some device manufacturers offer OEMConfig tools for advanced configuration. In specific cases, OEMConfig might allow enabling permissions like SYSTEM_ALERT_WINDOW. However, this functionality depends on the manufacturer and may not be widely available.
I hope this helps. To add, regarding AMAPI questions, you might also find this Stakeoverflow forum useful.
Thanks so much,
Lizzie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 08:22 AM
Hello @krishnaylk,
Welcome to the Customer Community, it's nice to meet you.
I've asked my teammate about this. Unfortunately, it is not possible to grant permissions directly through AMAPI, especially sensitive permissions like SYSTEM_ALERT_WINDOW. AMAPI focuses on delegated management tasks that prioritize user security and privacy.
Here's a breakdown of why AMAPI restricts permission granting:
Security Focus: Granting app permissions, particularly sensitive ones, requires user awareness and consent. Bypassing this through AMAPI could introduce security vulnerabilities.
Delegated Management: AMAPI offers functionalities for managing aspects like app deployment and security certificates, tasks that benefit from centralized control. Permissions, however, are best handled with user involvement.
Possible alternatives for managing permissions on fully managed devices:
OEMConfig (if available): Some device manufacturers offer OEMConfig tools for advanced configuration. In specific cases, OEMConfig might allow enabling permissions like SYSTEM_ALERT_WINDOW. However, this functionality depends on the manufacturer and may not be widely available.
I hope this helps. To add, regarding AMAPI questions, you might also find this Stakeoverflow forum useful.
Thanks so much,
Lizzie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 08:54 AM
This is possible for certain manufacturers. I know for example it is possible on Zebra Android devices as I regularly silently grant special permissions silently with their MX layer.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 09:10 AM
aw, interesting - thanks for sharing @mattdermody
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 10:21 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2024 10:57 AM
Great... Thankfully have 2 years before that will be an issue given that Zebra is only currently getting to A13. Hopefully they'll also be able to declare their devices as "dedicated" since they are almost 100% of the time used in that scenario.