0

I have recently been reviewing Android's Device Administration API in order to find a way to protect a device from having certain apps forcefully stopped or uninstalled. I came across wipeData() as follows:

http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#wipeData(int)

What is the point of this if a user can simply wipe the data from the device's "Settings" menu? When I originally posted this question, I didn't realize that one effective use could be to remotely wipe a device. I get that, but what I'm specifically after is protecting certain features so that a user cannot access them outside of an app that has been granted policies that manager those features.

For example, on my particular device, I can choose System Settings->Backup & reset->Factory data reset and clear everything. A similar case can be made for many of the other options exposed by DevicePolicyManager.

When using the Device Administration API, is there a way to disable these built-in features so that only the app registered for the Device Administration API can perform them?

gonzobrains
  • 7,856
  • 14
  • 81
  • 132

1 Answers1

1

what I'm specifically after is protecting certain features so that a user cannot access them outside of an app that has been granted policies that manager those features

There is no meta device administration (i.e., the administration of device admins).

A similar case can be made for many of the other options exposed by DevicePolicyManager

The user has the ability to do nearly nothing offered by DevicePolicyManager.

For example, the user cannot block the camera from the lockscreen, nor can the user block app widgets from the lockscreen, which is why I had to write a utility to do that (as I didn't want to install a closed-source device admin from the Play Store).

Most of the methods on DevicePolicyManager revolve around password quality, and the user cannot set policies for his/her own passwords and have them be enforced.

And so on.

When using the Device Administration API, is there a way to disable these built-in features so that only the app registered for the Device Administration API can perform them?

By definition, only device admins can do device admin things. However, there is no way for one device admin to block another device admin. The only sort-of exception to this is in terms of the various password quality settings, where the strongest setting is applied.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • I understand your example regarding the camera, but certainly the user can wipe data through the device settings screen. What I'd like to do is prevent the user from doing this outside of an app which has been granted the authority to do so. – gonzobrains Jun 22 '13 at 00:17
  • As an aside, is it possible to allow an app that has been granted DevicePolicyManager priviledges the ability to be uninstalled but not the ability to be forcefully stopped? When viewing Google's Api Demos sample, it appears you get both but not one or the other separately. I'm just wondering if this is configurable or not. – gonzobrains Jun 22 '13 at 00:18
  • @gonzobrains: "but certainly the user can wipe data through the device settings screen" -- agreed. You claimed that "many of the *other* options" are also possible, and I disagree. "What I'd like to do is prevent the user from doing this outside of an app which has been granted the authority to do so" -- that is not possible, except via a modified version of the Settings app that eliminates those options. – CommonsWare Jun 22 '13 at 00:19
  • @gonzobrains: I have not experimented with the combination of device admin and force-stop. – CommonsWare Jun 22 '13 at 00:22
  • please can you solve this issue http://stackoverflow.com/questions/39489830/android-devicepolicymanager-policies-to-setup-password-validations – Achin Sep 15 '16 at 04:32