| Clay Murphy | 648990e | 2015-04-08 17:58:14 -0700 | [diff] [blame] | 1 | page.title=Provisioning for Device Administration |
| 2 | @jd:body |
| 3 | |
| 4 | <!-- |
| 5 | Copyright 2015 The Android Open Source Project |
| 6 | |
| 7 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | you may not use this file except in compliance with the License. |
| 9 | You may obtain a copy of the License at |
| 10 | |
| 11 | http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | Unless required by applicable law or agreed to in writing, software |
| 14 | distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | See the License for the specific language governing permissions and |
| 17 | limitations under the License. |
| 18 | --> |
| 19 | <div id="qv-wrapper"> |
| 20 | <div id="qv"> |
| 21 | <h2>In this document</h2> |
| 22 | <ol id="auto-toc"> |
| 23 | </ol> |
| 24 | </div> |
| 25 | </div> |
| 26 | |
| 27 | <p>This page describes the process for deploying devices to corporate users.</p> |
| 28 | |
| 29 | <p>Device owner provisioning can be accomplished over NFC or with an activation |
| 30 | code. See <a href="implement.html">Implementing Device Administration</a> for |
| 31 | the complete list of requirements.</p> |
| 32 | |
| 33 | <p>Download the <a |
| 34 | href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning |
| 35 | APK</a> and <a |
| 36 | href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner |
| 37 | APK</a>.</p> |
| 38 | |
| 39 | <h2 id=managed_provisioning>Managed Provisioning</h2> |
| 40 | |
| 41 | <p>Managed Provisioning is a framework UI flow to ensure users are adequately |
| 42 | informed of the implications of setting a device owner or managed profile. You can |
| 43 | think of it as a setup wizard for managed profiles.</p> |
| 44 | |
| 45 | <p class="note"><strong>Note:</strong> Remember, the device owner can be set |
| 46 | only from an unprovisioned device. If |
| 47 | <code>Settings.Secure.USER_SETUP_COMPLETE</code> has ever been set, then the |
| 48 | device is considered provisioned & device owner cannot be set.</p> |
| 49 | |
| 50 | <p>Please note, devices that enable default encryption offer considerably |
| 51 | simpler/quicker device administration provisioning flow. The managed provisioning |
| 52 | component:</p> |
| 53 | |
| 54 | <ul> |
| 55 | <li>Encrypts the device</li> |
| 56 | <li>Creates the managed profile</li> |
| 57 | <li>Disables non-required applications</li> |
| 58 | <li>Sets the enterprise mobility management (EMM) app as profile owner</li> |
| 59 | </ul> |
| 60 | |
| 61 | <p>In turn, the EMM app:</p> |
| 62 | |
| 63 | <ul> |
| 64 | <li>Adds user accounts</li> |
| 65 | <li>Enforces device compliance</li> |
| 66 | <li>Enables any additional system applications</li> |
| 67 | </ul> |
| 68 | |
| 69 | <p>In this flow, managed provisioning triggers device encryption. The framework |
| 70 | copies the EMM app into the managed profile as part of managed provisioning. |
| 71 | The instance of the EMM app inside of the managed profile gets a callback from the |
| 72 | framework when provisioning is done.</p> |
| 73 | |
| 74 | <p>The EMM can then add accounts and enforce policies; it then calls |
| 75 | <code>setProfileEnabled()</code>, which makes the launcher icons visible.</p> |
| 76 | |
| 77 | <h2 id=profile_owner_provisioning>Profile Owner Provisioning</h2> |
| 78 | |
| 79 | <p>Profile owner provisioning assumes the user of the device oversees its |
| 80 | management (and not a company IT department). To enable, profile owner |
| 81 | provisioning, you must send an intent with appropriate extras. See the <a href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a> for an example.</p> |
| 82 | |
| 83 | <p>Mobile Device Management (MDM) applications trigger the creation of the managed |
| 84 | profile by sending an intent with action:</p> |
| 85 | |
| 86 | <p><a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a></p> |
| 87 | |
| 88 | <p>Here is a sample intent that will trigger the creation of the managed profile |
| 89 | and set the DeviceAdminSample as the profile owner:</p> |
| 90 | |
| 91 | <pre> |
| 92 | adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \ |
| 93 | -c android.intent.category.DEFAULT \ |
| 94 | -e wifiSsid $(printf '%q' \"GoogleGuest\") \ |
| 95 | -e deviceAdminPackage "com.google.android.deviceadminsample" \ |
| 96 | -e android.app.extra.deviceAdminPackageName $(printf '%q' |
| 97 | .DeviceAdminSample\$DeviceAdminSampleReceiver) \ |
| 98 | -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation" |
| 99 | </pre> |
| 100 | |
| 101 | <h2 id=device_owner_provisioning_via_nfc>Device Owner Provisioning via NFC</h2> |
| 102 | |
| 103 | <p>Device owner provisioning via NFC is similar to the profile owner method but |
| 104 | requires more bootstrapping before managed provisioning.</p> |
| 105 | |
| 106 | <p>To use this method, <a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC bump</a> the device from the first page of setup wizard (SUW). This offers a low-touch |
| 107 | flow and configures Wi-Fi, installs the DPC, and sets the DPC as device owner.</p> |
| 108 | |
| 109 | <p>Here is the typical NFC bundle:</p> |
| 110 | |
| 111 | <pre> |
| 112 | EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME |
| 113 | EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION |
| 114 | EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM |
| 115 | EXTRA_PROVISIONING_WIFI_SSID |
| 116 | EXTRA_PROVISIONING_WIFI_SECURITY_TYPE |
| 117 | </pre> |
| 118 | |
| 119 | <p>The device must have NFC configured to accept the managed provisioning mimetype |
| 120 | from SUW:</p> |
| 121 | |
| 122 | <pre> |
| 123 | /packages/apps/Nfc/res/values/provisioning.xml |
| 124 | |
| 125 | <bool name="enable_nfc_provisioning">true</bool> |
| 126 | <item>application/com.android.managedprovisioning</item> |
| 127 | </pre> |
| 128 | |
| 129 | <h2 id=device_owner_provisioning_with_activation_code>Device Owner Provisioning with Activation Code</h2> |
| 130 | |
| 131 | <p>Select <em>Add Work Account</em> from the setup wizard. This triggers a |
| 132 | lookup of the EMM from Android servers.</p> |
| 133 | |
| 134 | <p>The device installs the EMM app and starts provisioning flow. As an extra |
| 135 | option, Android device administration supports the option of using email |
| 136 | address with a six-digit activation code to bootstrap the process as part of |
| 137 | setup wizard.</p> |
| 138 | |
| 139 | <h2 id=emm_benefits>EMM benefits</h2> |
| 140 | |
| 141 | <p>An EMM can help by conducting these tasks for you:</p> |
| 142 | |
| 143 | <ul> |
| 144 | <li>Provision managed profile |
| 145 | <li>Apply security policies |
| 146 | <ul> |
| 147 | <li>Set password complexity |
| 148 | <li>Lockdowns: disable screenshots, sharing from managed profile, etc. |
| 149 | </ul> |
| 150 | <li>Configure enterprise connectivity |
| 151 | <ul> |
| 152 | <li>Use WifiEnterpriseConfig to configure corporate Wi-Fi |
| 153 | <li>Configure VPN on the device |
| 154 | <li>Use DPM.setApplicationRestrictions() to configure corporate VPN |
| 155 | </ul> |
| 156 | <li>Enable corporate app Single Sign-On (SSO) |
| 157 | <ul> |
| 158 | <li>Install desired corporate apps |
| 159 | <li>Use DPM.installKeyPair()to silently install corp client certs |
| 160 | <li>Use DPM.setApplicationRestrictions() to configure hostnames, cert alias’ of |
| 161 | corporate apps |
| 162 | </ul> |
| 163 | </ul> |
| 164 | |
| 165 | <p>Managed provisioning is just one piece of the EMM end-to-end workflow, with the |
| 166 | end goal being to make corporate data accessible to apps in the managed profile.</p> |
| 167 | |
| 168 | <p>See <a href="https://docs.google.com/document/d/1xWdZHjsDB_4FWQcHfPh84EuTvljoMgrc2JINGMBtDQg/edit#">Manual Setup for Device Owner Testing</a> for testing instructions.</p> |