Docs: Add Device Admin contents
Bug: 19155580
Change-Id: I42d13461627e40463912067189db2759de8531e1
diff --git a/src/devices/tech/admin/provision.jd b/src/devices/tech/admin/provision.jd
new file mode 100644
index 0000000..62b898e
--- /dev/null
+++ b/src/devices/tech/admin/provision.jd
@@ -0,0 +1,168 @@
+page.title=Provisioning for Device Administration
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>This page describes the process for deploying devices to corporate users.</p>
+
+<p>Device owner provisioning can be accomplished over NFC or with an activation
+code. See <a href="implement.html">Implementing Device Administration</a> for
+the complete list of requirements.</p>
+
+<p>Download the <a
+href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning
+APK</a> and <a
+href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner
+APK</a>.</p>
+
+<h2 id=managed_provisioning>Managed Provisioning</h2>
+
+<p>Managed Provisioning is a framework UI flow to ensure users are adequately
+informed of the implications of setting a device owner or managed profile. You can
+think of it as a setup wizard for managed profiles.</p>
+
+<p class="note"><strong>Note:</strong> Remember, the device owner can be set
+only from an unprovisioned device. If
+<code>Settings.Secure.USER_SETUP_COMPLETE</code> has ever been set, then the
+device is considered provisioned & device owner cannot be set.</p>
+
+<p>Please note, devices that enable default encryption offer considerably
+simpler/quicker device administration provisioning flow. The managed provisioning
+component:</p>
+
+<ul>
+ <li>Encrypts the device</li>
+ <li>Creates the managed profile</li>
+ <li>Disables non-required applications</li>
+ <li>Sets the enterprise mobility management (EMM) app as profile owner</li>
+</ul>
+
+<p>In turn, the EMM app:</p>
+
+<ul>
+ <li>Adds user accounts</li>
+ <li>Enforces device compliance</li>
+ <li>Enables any additional system applications</li>
+</ul>
+
+<p>In this flow, managed provisioning triggers device encryption. The framework
+ copies the EMM app into the managed profile as part of managed provisioning.
+ The instance of the EMM app inside of the managed profile gets a callback from the
+framework when provisioning is done.</p>
+
+<p>The EMM can then add accounts and enforce policies; it then calls
+<code>setProfileEnabled()</code>, which makes the launcher icons visible.</p>
+
+<h2 id=profile_owner_provisioning>Profile Owner Provisioning</h2>
+
+<p>Profile owner provisioning assumes the user of the device oversees its
+management (and not a company IT department). To enable, profile owner
+provisioning, you must send an intent with appropriate extras. See the <a href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a> for an example.</p>
+
+<p>Mobile Device Management (MDM) applications trigger the creation of the managed
+profile by sending an intent with action:</p>
+
+<p><a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a></p>
+
+<p>Here is a sample intent that will trigger the creation of the managed profile
+and set the DeviceAdminSample as the profile owner:</p>
+
+<pre>
+adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
+ -c android.intent.category.DEFAULT \
+ -e wifiSsid $(printf '%q' \"GoogleGuest\") \
+ -e deviceAdminPackage "com.google.android.deviceadminsample" \
+ -e android.app.extra.deviceAdminPackageName $(printf '%q'
+ .DeviceAdminSample\$DeviceAdminSampleReceiver) \
+ -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
+</pre>
+
+<h2 id=device_owner_provisioning_via_nfc>Device Owner Provisioning via NFC</h2>
+
+<p>Device owner provisioning via NFC is similar to the profile owner method but
+requires more bootstrapping before managed provisioning.</p>
+
+<p>To use this method, <a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC bump</a> the device from the first page of setup wizard (SUW). This offers a low-touch
+flow and configures Wi-Fi, installs the DPC, and sets the DPC as device owner.</p>
+
+<p>Here is the typical NFC bundle:</p>
+
+<pre>
+ EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
+ EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
+ EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
+ EXTRA_PROVISIONING_WIFI_SSID
+ EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
+</pre>
+
+<p>The device must have NFC configured to accept the managed provisioning mimetype
+from SUW:</p>
+
+<pre>
+/packages/apps/Nfc/res/values/provisioning.xml
+
+ <bool name="enable_nfc_provisioning">true</bool>
+ <item>application/com.android.managedprovisioning</item>
+</pre>
+
+<h2 id=device_owner_provisioning_with_activation_code>Device Owner Provisioning with Activation Code</h2>
+
+<p>Select <em>Add Work Account</em> from the setup wizard. This triggers a
+lookup of the EMM from Android servers.</p>
+
+<p>The device installs the EMM app and starts provisioning flow. As an extra
+option, Android device administration supports the option of using email
+address with a six-digit activation code to bootstrap the process as part of
+setup wizard.</p>
+
+<h2 id=emm_benefits>EMM benefits</h2>
+
+<p>An EMM can help by conducting these tasks for you:</p>
+
+<ul>
+ <li>Provision managed profile
+ <li>Apply security policies
+ <ul>
+ <li>Set password complexity
+ <li>Lockdowns: disable screenshots, sharing from managed profile, etc.
+ </ul>
+ <li>Configure enterprise connectivity
+ <ul>
+ <li>Use WifiEnterpriseConfig to configure corporate Wi-Fi
+ <li>Configure VPN on the device
+ <li>Use DPM.setApplicationRestrictions() to configure corporate VPN
+ </ul>
+ <li>Enable corporate app Single Sign-On (SSO)
+ <ul>
+ <li>Install desired corporate apps
+ <li>Use DPM.installKeyPair()to silently install corp client certs
+ <li>Use DPM.setApplicationRestrictions() to configure hostnames, cert alias’ of
+corporate apps
+ </ul>
+</ul>
+
+<p>Managed provisioning is just one piece of the EMM end-to-end workflow, with the
+ end goal being to make corporate data accessible to apps in the managed profile.</p>
+
+<p>See <a href="https://docs.google.com/document/d/1xWdZHjsDB_4FWQcHfPh84EuTvljoMgrc2JINGMBtDQg/edit#">Manual Setup for Device Owner Testing</a> for testing instructions.</p>
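Review bot: The sample adb command in the pre block under "Profile Owner Provisioning" will not run as written. The substitution that starts with $(printf '%q' is broken across two lines with no trailing backslash, so printf receives no argument and .DeviceAdminSample\$DeviceAdminSampleReceiver is executed as a separate command inside the substitution. Keep the whole $(printf '%q' ...) on one line. The same command passes both "deviceAdminPackage" and "android.app.extra.deviceAdminPackageName", and the second is given a receiver class rather than a package name. Please reconcile these keys with the EXTRA_PROVISIONING_* names used in the NFC section so a reader can tell which extra carries what. In the NFC pre block that shows provisioning.xml, the bool and item elements are raw tags and will be parsed as markup instead of displayed, so escape them with &lt; and &gt;. The bare & in the USER_SETUP_COMPLETE note needs the same treatment (&amp; or "and"). The NFC bundle lists EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM with no explanation. Since the bundle also carries a download location for the admin package, a sentence on what the checksum covers and how to generate it is worth adding. Smaller points: "To enable, profile owner provisioning" has a stray comma, "installKeyPair()to" is missing a space, "cert alias’" should read "cert aliases", and the last link points at a docs.google.com /edit URL that readers of the published page may not be able to open.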