3

With the latest changes in Android 12, there is no way on work profile to obtain any kind of device identifier. In this post specifies to use the Enrollment ID in work profile with Custom DPC:

if(VERSION.SDK_INT >= VERSION_CODES.S) {

   // getEnrollmentSpecificId will return an empty string ("") 

   // when organization id is not set

   devicePolicyManager.setOrganizationId(organizationId);

   devicePolicyManager.getEnrollmentSpecificId();

} else {

   // existing functionality to retrieve device identifier(s)

}

But without custom DPC in Android Management API we can´t call setOrganizationId as it requires Profile owner scope... Is any way to have the enterprise id, enrollment id, or some idenfifier on Android 12 in work profile mode?

Kind regards

Josue Yeray
  • 1,163
  • 1
  • 11
  • 12

2 Answers2

0

This seems to be supported by default: DevicePolicyManager#setOrganizationId(java.lang.String)

Sets the Enterprise ID for the work profile or managed device. This is a requirement for generating an enrollment-specific ID for the device, see getEnrollmentSpecificId(). It is recommended that the Enterprise ID is at least 6 characters long, and no more than 64 characters.

There's still an alternate option available:

  • To grant permission DELEGATION_CERT_INSTALL and to use Build.getSerial().

Guess you'd be looking for a "Work Policy Controller": https://developer.android.com/work/dpc/build-dpc

But there it reads:

Note: This guide does not cover the situation where the work profile, under the enterprise's control, is the only profile on the device.

See Deployment scenarios for more information.

Since I don't know which scenario is given, that's probably the best I can offer. This part of the documentation at least explains the scenarios which are being considered and explains them in detail. As EMM provider, you might be able to directly reach out for their support. It still may help to determine the given scenario, to begin with - because it dictates what and how it can be done.

Martin Zeitler
  • 1
  • 19
  • 155
  • 216
  • Hi, thank you for your answer, but as is specified in my post, the getEnrollmentSpecificId depends upon setOrganizationId, and on work profile only profile owners can call setOrganizationId, with Android management API you cannot set your own app as profile owner... and the DELEGATION_CERT_INSTALL make build.getSerial Work only on fully managed, not work profile scenarios... The problem here is, as stated in the original question, we are using Android Management API, not EMM API with custom dpc... The specific scenario is work profile with AM API. – Josue Yeray May 19 '22 at 09:36
  • The [Android Management API](https://developers.google.com/android/management) seemingly depends on EMM; one cannot have the one without the other, in case I'm not mistaken. Not working in enterprise IT anymore, so I could not even gain access to the documentation you've linked. You could only hope some Google employee may pick this up and leaves a better answer. Only know that it's possible, because I've seen Android 12 screenshots with org ID, but please don't ask how they did it - as I have no chance to try. – Martin Zeitler May 19 '22 at 10:08
  • There it reads: "Android Device Policy is the only device policy controller compatible with Android Management API." – Martin Zeitler May 19 '22 at 10:57
0

For Android Management API, I suggest reviewing HardwareInfo.serialNumber. This API returns information about device hardware, specifically the device serial number or ESID (enrollment-specific ID) on newly enrolled Android 12 Work Profile devices.

HardwareInfo.enterpriseSpecificId will also report ESID (enrollment-specific ID) that uniquely identifies a personally-owned device in a particular organization. When enrolled with the same organization, this ID persists across setups, and even factory resets on the same physical device. Note that this ID is available on personally-owned devices with a work profile on Android 12 and above devices.

Rey V. Aquino
  • 316
  • 1
  • 2
  • 5