nfc – Is it possible to have a "Profile Owner" app in Android Lollipop that is not co-present-ThrowExceptions

Exception or error:

The Lollipop API provides 2 new features “Profile Owner” and “Device Owner” (http://developer.android.com/about/versions/android-5.0.html#Enterprise). Between them, they offer just the features I need for an app that parents can use to control their children’s device activity. The setup flow for each is:

Device Owner

During device setup, using NFC, you can tell Android that you want your app to be a Device Owner. Android then downloads the app from a URL, and the device is encrypted and is provisioned with the app as a Device Owner. So for someone installing my app from Google Play, I would need the app to prompt them to factory reset their device, then install another app on another device, and then NFC bump them together. As setup flows go, this is far from from ideal. But once setup, the Device Owner APIs provide a very rich feature set for this use case.

Profile Owner

The setup for this is a little more straight forward: the user installs the app from Google Play, and can then be prompted to give the app Profile Owner privileges. If the user agrees, the device is encrypted by Android, and after a reboot the device has 2 “co-present” profiles that use the same launcher (home screen). The setup may be more straight forward, but the end result is not really what I need, as the app only has control over the apps under the managed profile.

Question

So I guess I actually have 2 questions: Is it possible to make a Profile Owner app that controls the entire user profile i.e. not a co-present managed profile? Or is it possible to make a Device Owner app with a simpler setup flow that does not require a factory reset and NFC bump (rooting is not an option)? Some middle ground between the two approaches would be ideal.

How to solve:

Answer (1): Managed profile works as separate persona, all the apps under profile are distinct(they are different independent application instance),it is similar to new user.
Profile owner is owner app of managed profile hence it doesn’t have much power and functionality compare to device owner thus it cannot control the entire user profile.

Answer (2): For creating the device owner one has to go with the NFC method because once your device is setup it gets provisioned, after that you cannot make your app as device owner(unless you go with the rooting method).
You can follow the given links for making device owner

1) Create device owner with NFC

2) With rooting

###

As rightfully said there can only be 1 device owner on the device but there can be multiple profile owners on the device. Each profile owner will be active for 1 user.

This can be achieved by making a call to createAndInitializeUser api in DevicePolicyManager.

http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#createAndInitializeUser%28android.content.ComponentName,%20java.lang.String,%20java.lang.String,%20android.content.ComponentName,%20android.os.Bundle%29

I was able to create multiple profile owners but am still struggling to find out if there is a way i can make device owner talk to profile owner.

###

Is it possible to make a Profile Owner app that controls the entire user profile i.e. not a co-present managed profile?

ACTION_PROVISION_MANAGED_PROFILE

A profile-owner app creates a managed profile by sending an intent with action DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE. (Source.)

Let’s open up DevicePolicyManager.java.

The Javadoc comment for ACTION_PROVISION_MANAGED_PROFILE says:

/**
 * ... Starts the provisioning flow which sets up a managed profile.
 * ...
 * ... The user which provisioning is started from and
 * the managed profile share a launcher. ...
 */

So ACTION_PROVISION_MANAGED_PROFILE probably won’t help to do what you want.

Hmmm.

ACTION_PROVISION_MANAGED_USER

The only other action in that file which looks like it might help is ACTION_PROVISION_MANAGED_USER.

Let’s look at the Javadoc comment. It says:

/**
 * ... Starts the provisioning flow which sets up a managed user.
 * ...
 * This intent will typically be sent by a mobile device management application (MDM).
 * Provisioning configures the user as managed user and sets the MDM as the profile
 * owner who has full control over the user.

Great! What’s the catch?

 * ... Provisioning can only happen before user setup has
 * been completed. ...
 */

Oh. 🙁 So, if your device is not rooted, I think you’d have to somehow install your profile-owner app right after a factory reset, and before the Setup Wizard is done.

Side note

I looked at Page 13 of a certain white paper. It says: “During the managed provisioning process, the intent known as ACTION_PROVISION_MANAGED_PROFILE is called. If the user has a preexisting personal account, the managed profile is separate, but copresent.” This seems to me to imply that, if you call ACTION_PROVISION_MANAGED_PROFILE on a device with no user accounts, your app might control the entire user profile. But again, I guess you’d have to somehow install your profile-owner app right after a factory reset, and before the Setup Wizard is done.

Doing what you want

I think that what you want is sadly not possible. If you want, you can file a feature request against Android and ask them to make it possible. If you do, please leave a comment below with the feature request’s URL. If you don’t have enough reputation points to comment, email me at tealhill at gmail.com and ask me to leave a comment on your behalf.

A workaround

I theorize that a possible workaround might be for your app to download and launch a third-party app which roots the phone. Most phones are rootable. Once the phone is rooted, your app can become device owner. Afterwards, maybe your app can unroot the phone and still remain device owner. Or maybe not. I don’t know.

If your app fails to unroot the phone, or if it doesn’t try, the phone will remain rooted forever. This might be a security risk. You should probably warn the user.

Leave a Reply

Your email address will not be published. Required fields are marked *