11

I'm new to the Android enterprise development world, and I have some misconceptions about how the different pieces in the Android enterprise ecosystem relate to one another. Let me explain.

The solution that I'm trying to achieve is being able to lock the device into kiosk mode both remotely and, based on some business logic, even when the user is offline. I started investigating EMM and particularly the Android Management API to solve the problem. I was able to lock the device remotely into kiosk mode using the API. The steps that I take are the following:

  1. Factory reset the Android device
  2. Reach the screen where the user needs to enter their credentials
  3. Instead of real credentials, enter afw#setup
  4. The device enters work profile mode and Android Device Policy is installed
  5. I create an enrollment token in the Management API (the steps for that are described in the quick start guide)
  6. I generate a QR code and scan it with the factory-reset device as soon as I'm prompted
  7. The device is linked to the enterprise, and I'm able to control it and put it into kiosk mode by creating a special kiosk mode policy and patching the device to comply with that policy, using a combination of the patch policy API (to create the policy) and the patch device API.

The next step was finding a way to lock the device into kiosk mode even when the user is offline. I assume that this is going to happen by creating an Android enterprise custom DPC (device policy controller) application. I assumed that from reading the following documentation, where one of the 3 ways of provisioning "single purpose" devices is creating a custom DPC application. Here's another quote from a different URL:

As an EMM, you develop a DPC app that can be used by your customers in conjunction with your EMM console and server. Your customer deploys the DPC to the user devices that they manage. The DPC acts as the bridge between your EMM console (and server) and the device. An admin uses the EMM console to perform a range of tasks, including configuring device settings and apps.

And here's where all of my confusion arises. The first question that naturally arises: was the author of the previous quote referring to the EMM Management API when talking about the EMM console and server?

Further, there are more questions that I couldn't find an answer to.

In the guide for creating a custom DPC there is no mention of what role the EMM API will play in a custom DPC, and consequently I could find no place that describes how exactly the custom DPC is a bridge between the EMM console (presumably the EMM API) and the device.

Then, let's assume I've developed a custom DPC application and uploaded it to the Google Play alpha channel. The documentation states that during the setup process, instead of entering afw#setup, I should enter afw#DPC_NAME, and I have no idea how to generate that name. Is it the bundle ID of the DPC app? Or perhaps it's set somewhere in Google settings? For instance, Google has developed the TestDPC application to test enterprise solutions, and I was able to go through the steps I described above, enter afw#testdpc and successfully scan the QR code in the Git readme file, and I saw that TestDPC was installed and the device was launched into work profile mode. So, I assume I somehow need to register my own "testdpc" and enter afw#my_dpc instead.

Basically, I have different pieces working standalone and I want to form a broader picture in my mind to understand how to stitch those pieces together.

Thanks for your answers

UPDATE 1:

Today I found a way of turning a custom DPC into device owner without going through NFC or another provisioning process. This is particularly useful for development purposes. Follow this link for instructions. This is both a huge time saver and also, in my case, since we are still waiting for Google's approval, it finally lets us start testing some stuff without the need for a custom provisioning process.

kyurkchyan

2 Answers

10

There are two distinct ways of managing Android devices:

The new way: the Android Management API. It is the way recommended by Google and it's significantly simpler than the old way: you don't need to call other APIs or to create a custom DPC. If your use case is not addressed by this API, you can send feedback to Google so they can add the missing features.

The old way (no longer available for new deployments as of 2019-12-20): using a custom DPC. For that you need to:

In the documentation you, the developer using these APIs, are referred to as "the EMM". "EMM server" refers to the server that you own and that calls these APIs, and "EMM console" refers to the UI console that you expose to your IT admins, if any.

Fred
  • Fred, your answer cleared up many vague things, thanks. Is there some way for me to enforce kiosk mode while the user is offline? – kyurkchyan Apr 06 '18 at 12:11
  • 1
    If you change the policy when the device is offline, the new policy will be applied when the device is back online. Can you tell me more about your use case? – Fred Apr 06 '18 at 12:52
  • Yes, that makes sense. We don't want our users to stay offline for too long, and in case they do, we want to lock them down from using the phone, into kiosk mode, until they turn the data back on. Do you think there might be a way of using a custom DPC in conjunction with the EMM API, so that for those cases when we need to enforce policy offline we would use the DPC as a fallback, and for online usage the EMM API? – kyurkchyan Apr 06 '18 at 17:00
  • 1
    At the moment the Android Management API doesn't support this kind of offline logic, and you could indeed implement it in a custom DPC and use the Google Play EMM API to install apps. Just beware that implementing a custom DPC is quite complex, and I'd recommend joining the EMM Community early so you can get advice and support. – Fred Apr 06 '18 at 17:22
  • 1
    Thanks a lot Fred, you really helped me out :) – kyurkchyan Apr 07 '18 at 06:52
  • @Fred Can you please tell me how I can update a COSU/Kiosk app without a user interface, I mean in the background? I can install the app using a QR code and the app will be in kiosk mode, but now how can I update it? Please guide me. – Ashish Jain Apr 25 '19 at 12:18
  • @Fred Without a DPC app, how can I enroll for zero-touch enrollment? – Mayank Jain Mar 10 '20 at 03:43
  • @Fred I understand your answer, but what I don't understand is why there are new features announced in Android Enterprise that are not supported in the Android Management API. The private DNS settings for example noted in https://developer.android.com/work/versions/android-10 It appears the feature can only be used from a DPC or other privileged app. Google has also been updating their Test DPC repo which supports this feature: https://github.com/googlesamples/android-testdpc Can I use the private DNS enforcement through the AM API, or is a DPC necessary? – King Holly Oct 29 '20 at 23:59
  • @Fred Hi Fred, could you take a look at my question https://stackoverflow.com/questions/72133389/how-to-manage-certificates-on-android-devices-using-android-management-api ? I have looked at the Android Management API doc but I did not find the information about cert management. Thank you for your time. – Peter Zhou May 06 '22 at 19:14
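As an added example that is not part of the question or of Fred's answer, here is the step-7 flow (create the kiosk policy, mint an enrollment token, then bind an already-enrolled device to the policy) expressed against the Android Management API v1 Python client. The `service` object is assumed to be the resource from googleapiclient's `build('androidmanagement', 'v1', ...)`, the enterprise, policy and device ids are placeholders, and `DryRunService` is a stand-in so the request bodies can be inspected offline before touching real devices.

```python
def build_kiosk_policy(package_name):
    """Policy body that locks the device to a single app (step 7).
    installType KIOSK sets the app as the home intent and allow-lists it
    for lock task mode; the API disables the status bar for such apps."""
    return {
        "applications": [{
            "packageName": package_name,
            "installType": "KIOSK",
            "defaultPermissionPolicy": "GRANT",
        }],
        "keyguardDisabled": True,  # no lock screen to escape into
    }

def enrol_and_lock(service, enterprise, policy_id, device_id, package_name):
    """Upsert the kiosk policy, mint an enrollment token for new devices
    (steps 5-6) and switch an already-enrolled device to it (step 7).
    `service` is googleapiclient's androidmanagement v1 resource (assumed)."""
    policy_name = f"{enterprise}/policies/{policy_id}"
    service.enterprises().policies().patch(
        name=policy_name, body=build_kiosk_policy(package_name)).execute()
    token = service.enterprises().enrollmentTokens().create(
        parent=enterprise, body={"policyName": policy_name}).execute()
    device = service.enterprises().devices().patch(
        name=f"{enterprise}/devices/{device_id}",
        updateMask="policyName",  # change only the policy binding
        body={"policyName": policy_name}).execute()
    return policy_name, token, device

class DryRunService:
    """Offline stand-in for the googleapiclient resource chain: records each
    request builder call as (method, kwargs) and echoes the body from
    execute(), so payloads can be checked before touching real devices."""
    def __init__(self, calls=None, body=None):
        self.calls = [] if calls is None else calls
        self._body = body

    def __getattr__(self, name):
        def call(**kwargs):
            if name == "execute":
                return self._body
            if kwargs:  # terminal builder such as patch()/create()
                self.calls.append((name, kwargs))
            return DryRunService(self.calls, kwargs.get("body", self._body))
        return call

def dry_run(enterprise="enterprises/LC0placeholder", pkg="com.example.kiosk"):
    """Exercise the flow against the recorder; returns (calls, result)."""
    svc = DryRunService()
    return svc.calls, enrol_and_lock(svc, enterprise, "kiosk", "dev-placeholder", pkg)
```

Against the real service the enrollment token returned by `create` carries the `qrCode` payload to scan in step 6; the dry run only echoes the request body.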
0

https://developer.android.com/work/dpc/build-dpc

Caution: Android Enterprise is no longer accepting new registrations for custom device policy controllers (DPCs). Learn more.

Hi @Fred,

I found the above information at the mentioned path. I have some questions regarding the above conversation.

  1. If we use the Android Management API to develop an EMM, do we not need to implement a custom DPC app?

  2. Can we register an account in the EMM community with a custom DPC app?

  3. Is it possible to use a custom DPC app with the Android Management API?