Android device owner concepts

With Android 5.0, Google has introduced Device owner and device profile concepts to make android enterprise ready. Device owner app is an application with special privileges to perform task such as monitor and manage settings and other privileged tasks. This means in a literal sense,the devices ownership is given to the organization managing it making the device owner concept ideal for COPE scenario. Once the device ownership is assigned to an app, in order to remove it, the device needs to be factory reseted, for example in a situation where the device needs to be given to a different user. 

When the device ownership is given to a specific app, the app gets access to a set of Android APIs that are only available to device owner app. These APIs are not available to regular Android apps. At a given time there can only be one device owner app in a device, which prevents another device owner app overriding the policies enforced by the first device owner app. 

The service app provided with WSO2 EMM is an application that is capable of working as a device owner app. Since providing device ownership to an app is serious business, Android has limited the ways this can be done, so that there is no possibility that a user can give out device ownership to a malicious app. Before we discuss the ways device ownership can be assigned to an app, let's see how in device level the device ownership is maintained.

Device ownership is given to an app by adding a special xml file to data/system directory of the device's file system. This xml file contains the package name of the device owner app. This file must have the name device_owner.xml for it to be identified properly. For example as bellow,




When Android boots up, it will check if this file exist and if so the given package will have device ownership. Since this file needs to exist in system/data directory, there is no way any non system app can modify this file unless the device is rooted. Therefore Android guarantees that any non intended app doesn't get this privileged status. Now let's see how we can assign an app as the device owner,
There are threes this can be achieved,

1. Through a special NFC(Near field communication) message.
2. A command issued through android debug bridge(adb)
3. Through the integration with Android for work[1].

For obvious reasons such as most of the Android devices are not yet equipped with NFC, WSO2 EMM doesn't yet support this method.
Through adb, this can be done by issuing the following command,

shell dpm set-device-owner org.wso2.emm.system.service/.ServiceDeviceAdminReceiver

With Android 6.0, Google has implemented a new mechanism, which is quite similar to Apple DEP, where the user's Google account which they are using to sign in to a device is associated with an EMM provider and at the time the user is first starting up the device, this means in the device configuration wizard, Android will download the relevant service app of the EMM provider and install on the device with device owner permission. This method will also be available through WSO2 EMM in the near future.

For successful integration of service app with WSO2 EMM; the regular Android is also needed. The  following describes, how the message flow and command execution happens, when the service app with device owner is in place.



[1]. https://developers.google.com/android/work/prov-devices#google_account_method


Comments

  1. Glenn HannanApril 24, 2021 at 9:15 AM

    Thanks for this. I really like what you've posted here and wish you the best of luck with this blog and thanks for sharing. Apple Developer Support

    ReplyDelete

Post a Comment

Popular posts from this blog

MDM vendor singing and MDM APNS certificate generation for WSO2 Iot server

Image
When we look at how Apple has created the device management protocol for iOS devices, one thing that we notice is they have tried to make the process as secure as possible. In this article, we will look at what is the MDM APNS certificate and how we can generate and use them. When managing iOS devices, the device management commands are typically executed by a native client available in the iOS operating system itself. When a device management server needs to send a command to this client, the command has to be sent though Apple APNS server. However, since these commands are executed by the operating system it self, using a general APNS certificate, does not make sense. Therefore Apple has made it mandatory that the device management servers use a special MDM APNS certificate when sending commands to a device. These certificates expire annually and the admins have to renew then annually. MDM APNS certificate generation is bit of a complex process and to make things simpler, I ha
Read more

[APIM] Send emails to users upon self-sign up aproval

When using the self sign up of WSO2 API manager, the user needs to wait for the admin to approve their signup request. However when the admin approves/rejects the request, users may like to receive an email with the status of the approval. This can be achieved by the extension points provided by APIM. In this article we will consider how this can be achieved, First step is to set up the user sign up work flow as described in the documentation[1]. After following the documentation, you should be able to self sign up and attach a workflow to the to the self sign up process. After self signup, you can login to the admin portal of APIM and approve or reject a request to sign up. This portal can be address through https://HOSTNAME :PORT /admin for example https://10.100.9.174:9443/admin Next we need to extend from UserSignUpWSWorkflowExecutor of APIM and write your own logic to send out an email. In this case, we have overriden the complete method of UserSignUpWSWorkflowExecutor. In the
Read more