Login/Register
Is it possible to have a "Profile Owner" app in Android Lollipop that is not co-present
Asked Answered
androidnfcandroid-5.0-lollipopdevice-policy-managerdevice-owner
H

3

9

The Lollipop API provides 2 new features "Profile Owner" and "Device Owner" (http://developer.android.com/about/versions/android-5.0.html#Enterprise). Between them, they offer just the features I need for an app that parents can use to control their children's device activity. The setup flow for each is:

Device Owner

During device setup, using NFC, you can tell Android that you want your app to be a Device Owner. Android then downloads the app from a URL, and the device is encrypted and is provisioned with the app as a Device Owner. So for someone installing my app from Google Play, I would need the app to prompt them to factory reset their device, then install another app on another device, and then NFC bump them together. As setup flows go, this is far from from ideal. But once setup, the Device Owner APIs provide a very rich feature set for this use case.

Profile Owner

The setup for this is a little more straight forward: the user installs the app from Google Play, and can then be prompted to give the app Profile Owner privileges. If the user agrees, the device is encrypted by Android, and after a reboot the device has 2 "co-present" profiles that use the same launcher (home screen). The setup may be more straight forward, but the end result is not really what I need, as the app only has control over the apps under the managed profile.

Question

So I guess I actually have 2 questions: Is it possible to make a Profile Owner app that controls the entire user profile i.e. not a co-present managed profile? Or is it possible to make a Device Owner app with a simpler setup flow that does not require a factory reset and NFC bump (rooting is not an option)? Some middle ground between the two approaches would be ideal.

Householder answered 25/10, 2014 at 17:28 Comment(4)
I haven't looked at the NFC requirements, but I would hope that they could be implemented using an NFC tag, rather than a peer NFC device.Liberal
Yes, I'm considering an NFC card or sticker, but it still leaves a pretty clunky setup flow where devices already in use need to be factory reset.Householder
The device owner system is designed for enterprises pre-configuring phones for employees.Liberal
Both Device and Profile Owner fall under Lollipop's Enterprise feature-set, but there are many similarities between enterprise and family use-cases. The Screen Pinning feature is also classed as Enterprise, but is described as useful "if you are developing an education app to support high stakes assessment requirements" so I think the classification is intended to be pretty broad.Householder
M
3

Answer (1): Managed profile works as separate persona, all the apps under profile are distinct(they are different independent application instance),it is similar to new user. Profile owner is owner app of managed profile hence it doesn't have much power and functionality compare to device owner thus it cannot control the entire user profile.

Answer (2): For creating the device owner one has to go with the NFC method because once your device is setup it gets provisioned, after that you cannot make your app as device owner(unless you go with the rooting method). You can follow the given links for making device owner

1) Create device owner with NFC

2) With rooting

Marabout answered 12/12, 2014 at 10:55 Comment(1)
There's another alternative using adb that doesn't need root access (but is still fiddly for an average user), see here: https://mcmap.net/q/138121/-how-to-make-my-app-a-device-ownerIpecac
N
1

Is it possible to make a Profile Owner app that controls the entire user profile i.e. not a co-present managed profile?

ACTION_PROVISION_MANAGED_PROFILE

A profile-owner app creates a managed profile by sending an intent with action DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE. (Source.)

Let's open up DevicePolicyManager.java.

The Javadoc comment for ACTION_PROVISION_MANAGED_PROFILE says:

/**
 * ... Starts the provisioning flow which sets up a managed profile.
 * ...
 * ... The user which provisioning is started from and
 * the managed profile share a launcher. ...
 */

So ACTION_PROVISION_MANAGED_PROFILE probably won't help to do what you want.

Hmmm.

ACTION_PROVISION_MANAGED_USER

The only other action in that file which looks like it might help is ACTION_PROVISION_MANAGED_USER.

Let's look at the Javadoc comment. It says:

/**
 * ... Starts the provisioning flow which sets up a managed user.
 * ...
 * This intent will typically be sent by a mobile device management application (MDM).
 * Provisioning configures the user as managed user and sets the MDM as the profile
 * owner who has full control over the user.

Great! What's the catch?

 * ... Provisioning can only happen before user setup has
 * been completed. ...
 */

Oh. :( So, if your device is not rooted, I think you'd have to somehow install your profile-owner app right after a factory reset, and before the Setup Wizard is done.

Side note

I looked at Page 13 of a certain white paper. It says: "During the managed provisioning process, the intent known as ACTION_PROVISION_MANAGED_PROFILE is called. If the user has a preexisting personal account, the managed profile is separate, but copresent." This seems to me to imply that, if you call ACTION_PROVISION_MANAGED_PROFILE on a device with no user accounts, your app might control the entire user profile. But again, I guess you'd have to somehow install your profile-owner app right after a factory reset, and before the Setup Wizard is done.

Doing what you want

I think that what you want is sadly not possible. If you want, you can file a feature request against Android and ask them to make it possible. If you do, please leave a comment below with the feature request's URL. If you don't have enough reputation points to comment, email me at tealhill at gmail.com and ask me to leave a comment on your behalf.

A workaround

I theorize that a possible workaround might be for your app to download and launch a third-party app which roots the phone. Most phones are rootable. Once the phone is rooted, your app can become device owner. Afterwards, maybe your app can unroot the phone and still remain device owner. Or maybe not. I don't know.

If your app fails to unroot the phone, or if it doesn't try, the phone will remain rooted forever. This might be a security risk. You should probably warn the user.

Namnama answered 23/3, 2017 at 18:24 Comment(0)
H
0

As rightfully said there can only be 1 device owner on the device but there can be multiple profile owners on the device. Each profile owner will be active for 1 user.

This can be achieved by making a call to createAndInitializeUser api in DevicePolicyManager.

http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#createAndInitializeUser%28android.content.ComponentName,%20java.lang.String,%20java.lang.String,%20android.content.ComponentName,%20android.os.Bundle%29

I was able to create multiple profile owners but am still struggling to find out if there is a way i can make device owner talk to profile owner.

Hayrack answered 22/1, 2015 at 11:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.