COSU app development through Android Management API or device owner lock task

3

5

I have to implement a single-use application for my enterprise's devices, where there is only one major Android app that itself can use 2-3 other apps like call, SMS and Google Maps; other than that, the user must not be able to use or access other apps and settings.

1) I have considered Corporate Owned Single Use through the Enterprise Management API, which is more sophisticated and big, but a more complete solution.

2) I have implemented and tested the sample lock task with an Android device owner app, which looks more like being my solution, but there is a problem.

How do I provision device owner for production-level devices? For my test I was able to provision with an adb shell command. I know that the device must be new/reset and unprovisioned; that's not a problem.

I am seeking some suggestions here; if anybody has implemented it, it could help.

Update

Going with the Android Management API QuickStartGuide, suggested by Fred, seems like the correct way, where my policy is multiple apps from a custom launcher. Now I am stuck in a situation: I want to publish my launcher app or other app to the Play Store only for my enterprise.

I have followed Upload your own app to the Google Play Store, which led me to publish a private app, but I am not able to do so as I am not getting the Restrict Distribution option.

I don't know how to perfectly achieve this. For my current policy and enterprise, I have 2 active email IDs:

First, email_1 is the one which is connected to the initial project (screenshot: Project owner account), and all the Google API calls are done under email_1.

The other is email_2, which is admin for the enterprise (screenshot: Admin of the enterprise) and connected to the managed Google Play Store (screenshot: Managed play store admin).

Both email_1 and email_2 have admin access to my company developer account (screenshot: Publish App account).

Now I need to figure out how to publish the app only for my enterprise. I think there is an issue with the correct permission or otherwise; need help. Thanks

Gonzalez answered 13/10, 2017 at 13:31 Comment(5)
How to use COSU lock task mode when using it along with the Android Management API? I was able to add policies and install the app, but after setting my COSU app as default launcher I'm still able to navigate to the default launcher using the back button. - Jennings
I want to use COSU mode along with a maps application. Can you help me through the process? - Jennings
The problem I'm facing is I can't start lock task mode without setting my COSU app as device owner. If I set it as device owner I won't be able to use Android Device Policy. - Jennings
@Akshaykomarla, in the policy you should make - Gonzalez
Does the app need to be live in the Google Play Store to use Android Device Policy? - Jennings
3

It's easy, once you understand the missing links. The documentation should definitely clarify these steps.

1 Setup the accounts

We created a Google Suite Account for our client and uploaded his app in the Google Play Console account created using a Google Account under their organization, and limited the app distribution to their organization.

We also added Android for Work to our organization here: https://admin.google.com/AdminHome?pli=1&fral=1#SelectServices

And added a role to our organization to manage Google Play Private Uploads: https://admin.google.com/AdminHome#DomainSettings/notab=1&role=new-role&subtab=roles

2 Find the organization ID

This is the key part. You should find your organization ID here: https://play.google.com/work/adminsettings

3 Enroll the organization

When following the steps for the Android Management API, you need to enroll the organization ID found in your Google For Work account.

Follow the step detailed here using your enterpriseID:

enterprises/{enterpriseId}/enrollmentTokens/{enrollmentTokenId}

4 Add your app

Add your app using its package name in an ApplicationPolicy. Your devices will now be able to find it and install it.

Popularly answered 27/10, 2017 at 8:58 Comment(8)
While logging in for the first setup, must it be signed in with the admin of the GSuite account? I am the employee and once I log in with my account I get this: drive.google.com/open?id=0B-eKtGcMxbwQTlJnLVdrcURsNEU. - Gonzalez
Yes, you probably need your admin to do this. - Popularly
@FrancescoFrapporti Is a Google Suite Account necessary for this method? I was able to publish a private app to an org and provision a device under that org with a policy that includes the private app, but the app isn't showing up on the provisioned device. I have posted a question here. - Jugurtha
@JeremiahZucker Did you find out why the app didn't show up? I have the same problem, but I see that the question you link to has been removed. - Galatia
@HenrikSolgaard Sorry for the late reply, but it just showed up after a few days. A lot longer than 24 hours, but as far as I know it just showed up. - Jugurtha
Does the app need to be live in the Google Play Store to use Android Device Policy? - Jennings
Not necessarily, it could be in alpha or beta channels, or only made available to some organizations (add the organization ID). - Popularly
How can I enroll my organization ID with the Android Management API? - Weatherman
2

You no longer need to implement a Device Policy Controller to manage Android devices; Google has recently released the Android Management API, which allows you to set up a COSU device with just a few Cloud API calls.

If you have one main app and want to allow it to open a few other apps, you can set the main app as a custom launcher and mark the other apps as lockTaskAllowed. You can simply do so by defining an ApplicationPolicy such as the one below (copied from Create a policy):

"applications": [
  {
    "packageName": "com.example.custom_launcher",
    "installType": "FORCE_INSTALLED",
    "lockTaskAllowed": true,
    "defaultPermissionPolicy": "GRANT"
  },
  {
    "packageName": "com.example.app1",
    "installType": "FORCE_INSTALLED",
    "lockTaskAllowed": true,
    "defaultPermissionPolicy": "GRANT"
  }
],
"persistentPreferredActivities": [
  {
    "receiverActivity": "com.example.custom_launcher",
    "actions": [
      "android.intent.action.MAIN"
    ],
    "categories": [
      "android.intent.category.HOME",
      "android.intent.category.DEFAULT"
    ]
  }
]
Libeler answered 13/10, 2017 at 21:41 Comment(15)
Have you tried this approach? I tried the quickstart guide where we do these API calls through the Google API Explorer. I set up my Android 7 device, but I was able to sign in with my personal account in the Play Store to install other apps successfully. How can I make sure that the device does not get to install non-whitelisted apps? Is there a way to get my app automatically installed? I will try once again and see. - Gonzalez
To disallow adding a new account you can set modifyAccountsDisabled = true. To automatically install an application you can add it in the applications field of the policy as in the example above or in the quick start example. Note that your app needs to be available in Google Play to do so; if it is not already, you can add it through the Play Developer Console. - Libeler
Thanks @fred, how do I use the Android Management API Client Library for Java (developers.google.com/api-client-library/java/apis/…) and implement my MDM? I understand this is to do what the quick start does with the Google API Explorer. I am experienced in writing Android only; what kind of application would that be? - Gonzalez
It depends how you want to deploy your devices. It is common to have a server handle the API calls; this way you can remotely control all the devices from a single server and you can expose a management console from this server. If you don't have a server already you can build one using Google App Engine for example (in Python or in Java). - Libeler
What are the ways to install the app? One way is to publish the app in the Play Store; are there any other ways, like through USB? I don't have my app in the Play Store now, and currently after setup of a new device I can use the Google app without any restriction. With modifyAccountsDisabled = true the user cannot add an account to the Google or Google Maps app, while the Maps app was in the policy but Google got installed automatically. - Gonzalez
Here is my policy: ` "applications": [ { "packageName": "com.goambee.android.kioskexample", "installType": "FORCE_INSTALLED", "lockTaskAllowed": true, "defaultPermissionPolicy": "GRANT" } ], "persistentPreferredActivities": [ { "receiverActivity": "com.goambee.android.kioskexample", "actions": [ "android.intent.action.MAIN" ], "categories": [ "android.intent.category.HOME", "android.intent.category.DEFAULT" ] } ], "modifyAccountsDisabled": true` - Gonzalez
Is uploading to alpha enough? My app is not ready to go to production yet. - Gonzalez
Alpha only won't be enough, however you can restrict your app to your enterprise (see doc) and it won't be visible publicly. - Libeler
In the step Publish private app -> Click Pricing & Distribution and check the Restrict Distribution box to ensure that the app is only available in your organization. - Gonzalez
Yes, this is the way. - Libeler
Hey @Fred, unable to do that with #46846381, posted another question. - Gonzalez
In any way GSuite related in my case. It keeps coming around, creating more confusion. - Gonzalez
I agree there is confusion. This is the final step and we're getting stuck in the same way. Maybe there's a way to upload an app into the enterprise that you created during the setup? Maybe there's some way to allow that enterprise to view the app created for another organisation? We're really missing a step here. - Popularly
@FrancescoFrapporti, there are 2 accounts: 1 to which the app belongs, the other is used to create the enterprise, it is like the admin, and I tried to sign in with both accounts to play.google.com/apps/publish, unable to find information about my enterprise there. - Gonzalez
We found the solution. Basically you have to enroll your existing Google Suite enterprise using its ID, doesn't matter the account you use. I'll post it as an answer. - Popularly
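
The following is an added example, not part of the answer or comments above and not Google's code: a pre-deployment check for a kiosk policy of the shape shown in the answer, flagging the gaps raised in this thread (apps without lockTaskAllowed, a launcher preference that points at a package the policy does not install, account changes left enabled). The function name `audit_kiosk_policy` and the sample policy are hypothetical, and the rule that every app should be FORCE_INSTALLED and that the HOME entry should also carry DEFAULT is an assumption taken from the answer's policy.

```python
import json

# Constructed sample policy (not from a real enterprise); field names are the
# ones used in the answer and comments above.
SAMPLE_POLICY = json.loads("""
{
  "applications": [
    {"packageName": "com.example.custom_launcher",
     "installType": "FORCE_INSTALLED", "lockTaskAllowed": true},
    {"packageName": "com.example.app1", "installType": "FORCE_INSTALLED"}
  ],
  "persistentPreferredActivities": [
    {"receiverActivity": "com.example.other_launcher",
     "actions": ["android.intent.action.MAIN"],
     "categories": ["android.intent.category.HOME"]}
  ]
}
""")

HOME = "android.intent.category.HOME"
DEFAULT = "android.intent.category.DEFAULT"

def audit_kiosk_policy(policy):
    """Return lockdown gaps in a policy dict; an empty list means none found."""
    findings = []
    apps = {a.get("packageName"): a for a in policy.get("applications", [])}
    for name, app in apps.items():
        # Assumption: every kiosk app is pushed by policy, as in the answer.
        if app.get("installType") != "FORCE_INSTALLED":
            findings.append(f"{name}: installType is not FORCE_INSTALLED")
        if app.get("lockTaskAllowed") is not True:
            findings.append(f"{name}: lockTaskAllowed is not true")
    homes = [p for p in policy.get("persistentPreferredActivities", [])
             if HOME in p.get("categories", [])]
    if not homes:
        findings.append("no persistentPreferredActivities entry handles HOME")
    for pref in homes:
        # receiverActivity is a package name or a package/.Activity component.
        pkg = pref.get("receiverActivity", "").split("/")[0]
        if pkg not in apps:
            findings.append(f"{pkg}: launcher is not in applications")
        if DEFAULT not in pref.get("categories", []):
            findings.append(f"{pkg}: DEFAULT category missing")
    if policy.get("modifyAccountsDisabled") is not True:
        findings.append("modifyAccountsDisabled is not true")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_kiosk_policy(SAMPLE_POLICY)))
```

Running the check on the policy JSON before it is patched to the enterprise catches a misnamed launcher package before a device boots into the stock launcher.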
1

Google provides a good feature list here: https://developers.google.com/android/work/requirements/features

If your devices have NFC, I would provision using NFC. You can look at the code here for your own implementation or you might be able to use the app with very few modifications. https://github.com/googlesamples/android-NfcProvisioning

Tapping the welcome screen in the Google Setup Wizard 6 times will allow you to use QR code provisioning. It is a bit more cumbersome in my opinion and requires Android 7.0+.

Those are your only two options unless you become a Google EMM Partner or again, partner with them to support Zero Touch Enrollment on Android 8.0+ devices for your own homebaked solution.

You might want to also look at existing open source EMM/MDM implementations that already exist such as WSO2.

Larcher answered 13/10, 2017 at 19:11 Comment(6)
@fred, @steve, my devices do not have NFC, and anyway I tried this approach for testing on my personal devices, but while there was a work profile in the Play Store app I was able to install other apps from my personal account. - Gonzalez
Which approach did you try? Did you provision your personal device from a factory reset state? It sounds like you just installed a work profile on your personal device. You want your device to be a work managed device with a device owner, not BYOD or personally-enabled device with a profile owner (work profile). - Larcher
Yes Steve, you are right, I want my devices to be work managed devices. I tried the Android Management APIs from this source: developers.google.com/android/management/quickstart - Gonzalez
There is one more problem now: a long press of the Home button opens up the Google Assistant app. How can I disable this? - Gonzalez
Does the app need to be live in the Google Play Store to use Android Device Policy? - Jennings
No, when provisioning via NFC or QR code, use this to specify the app's location: developer.android.com/reference/android/app/admin/… - Larcher
