An overview of equipment management
Device admin is outdated. Since Android 2.2, some admin policies will be reported as obsolete when device admin calls them. It is recommended to be ready to accept changes from now on. For more integration suggestions, please refer to Device admin deprecation
Android provides support for enterprise applications through the Android Device Administration API. The Android Device Management API provides system-level device management features. The APIs allow IT professionals to create secure applications when they need to control employees' devices. For example, the built-in Android Mail application uses this API to improve exchange support. Through the Mail app, administrators can enforce password policies (alphanumeric passwords or numeric PINs) through the device. Administrators can also remotely wipe lost or stolen phone information (ie factory reset). Users can also sync their mail and calendar data.
This article is for developers who intend to develop enterprise applications on Android devices. This article discusses various features of the device management API that provide high security for employees' Android devices.
1. Overview of Device administration API
The following are the types of applications that might use the Device Administration API:
--mail client
--Security software to wipe data remotely
--Management software for managing services or applications
2. How does it work?
Use the device management API to write device management applications installed on the user's phone. Device management apps enforce these policies. Here's how it works:
--System administrators can implement remote security policies through device management applications. These policies can be hard-coded into the app or dynamically pulled from third-party servers.
-- The app is installed on the user's device. Android currently has no solution for automatic terms. System administrators can distribute applications to users in the following ways.
----Google Play
----Third Party App Store
----Through other means, such as email or website
-the system prompts the user to activate the application. How and when to ask to see how the application is implemented.
--Once the user activates the application, it will be controlled by the activated policy. Complying with these policies will grant privileges, such as access to sensitive system data.
In enterprise-level settings, employees' devices typically must be strictly adhered to a set of policies for using their phones. The policies supported by the Device Management API are listed below.
It should be noted that the device management API currently only supports the lock screen password.
If the user does not activate the app, it remains on the device, but in an inactive state. Users will not be subject to these policies, nor will they be given any privileges -- for example, data may not be synchronized
If the user does not comply with the policy (for example, if the user sets a password that violates the know-how policy), it is up to the application to decide what to do. However, usually this will result in data not being synced.
If the device attempts to use a device management API that is not supported by this device, the connection will be refused. The Device Management API currently does not support partial permission. In other words, if a device (such as an older device) cannot support all the policies declared, then all policies will not be supported.
If there are multiple device management applications on the device, the strictest policy will be enforced.
To uninstall a device management app, the user first needs to deregister the app's administrator privileges.
3. Strategy
In the setup of an enterprise application, a user's device must adhere to a set of policies that govern the user's device. The Device Management API supports the policies listed below.
Policy Description Enable Password Device pop-up PIN or password challenge Minimum password length Set the length of the password. For example, set a PIN or password with a minimum length of 6 alphanumeric passwords and a combination of numbers and letters. May contain symbols Complex password From Android3.0, complex password can be set. At least one letter, one number and one special character Minimum letter length in the password Starting from Android 3.0, all device administrators or a member can be required to set the number of letters contained in the password Settings How many lowercase letters are required in password Minimum number of non-letters in password Set how many non-alphabetic characters are required in password Minimum number of numbers How many numbers are required in password Minimum number of special characters Minimum number of special characters required in password Minimum The number of uppercase letters that the password needs to contain at least. Password expiration time Set the password expiration time, in milliseconds . Password input failure times Set the number of wrong passwords. Through this API, administrators can remotely reset the device to factory settings to prevent data leakage when the phone is lost or stolenSet the lock screen time When the user locks the screen after the phone does not interact, if the time exceeds, the user needs to re-enter the PIN or password to regain access to the phone and data
Storage encryption Set data encryption for a specific storage area
Disable camera Set disable camera
Others Features
In addition to the features listed in the table above, the following things can be done through the device management API:
--Prompt the user to set a new password --Lock the
screen immediately --Clear
phone data (ie, restore factory settings)
Examples Examples in
this article Taken from Device Admimistration API Sample, it can be downloaded through SDK Manager. The downloaded location is
<sdk_root>/ApiDemos/app/src/main/java/com/example/android/apis/app/DeviceAdminSample.java
This example demonstrates Features of device management. Provides an interface for the user to activate the device management app.
Once the application is activated, the following operations can be performed:
--set password quality
--set password requirements, such as minimum length, minimum number of numbers or letters to contain, etc
.--set password. If the password matches the set policy part, the system returns an error
-- set the number of failed password input
-- set the password expiration time
-- set the historical password length (the length of the used password is stored). Prevent users from reusing passwords that have been used in the last n times
--Set storage encryption
--Set maximum stop interaction time
--Lock screen immediately
--Clear data
--Disable camera
Application screenshot
System administrators can use the device management API to write applications to enforce remote/local device security policies. Here are the steps to create
1. Create MainFest
To use the Device Management API, the application's mainfest must contain the following settings:
--A subclass of DeviceAdminReceiver with the following options
----Permission BIND_DEVICE_ADMIN
----The filter of the intent is configured in the mainfest to respond to the intent ACTION_DEVICE_ADMIN_ENABLED
--declare security policy in metadata
The following is excerpted from the example
<activity android:name=".app.DeviceAdminSample"
android:label="@string/activity_sample_device_admin">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.SAMPLE_CODE" />
</intent-filter>
</activity>
<receiver android:name=".app.DeviceAdminSample$DeviceAdminSampleReceiver"
android:label="@string/sample_device_admin"
android:description="@string/sample_device_admin_description"
android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin"
android:resource="@xml/device_admin_sample" />
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>
have to be aware of is:
--The following tags from characters are located in ApiDemos/res/values/strings.xml. For more information, see Application Resources
----android:label="@string/activity_sample_device_admin", the label of the activity that the user sees
----android:label="@string/sample_device_admin", the permissions seen by the user
----android:description="@string/sample_device_admin_description", the permission description that the user sees. Descriptions tend to be more informative than labels
--android:permission="android.permission.BIND_DEVICE_ADMIN", in order to ensure that only the system can interact with this broadcast receiver (no application can be granted this permission), the subclass of DeviceAdminReceiver must include this permission. Prevents other apps from abusing your device management app.
--android.app.action.DEVICE_ADMIN_ENABLED is the action that the subclass of DeviceAdminReceiver must handle to manage the phone. Fired when the user activates the app. Your code usually handles this in the onEnabled() method. In addition to this, it must be used with the permission BIND_DEVICE_ADIN to prevent other applications from abusing it.
--When the user activates the application, the broadcast receiver is granted the permission to respond to the events that the system responds to. When the corresponding event occurs, the application can use the corresponding strategy. For example, if the user sets a password that does not match the policy, the app can prompt the user for another password that matches the policy.
-- Avoid modifying the broadcast receiver's name after the app is published. If the name is changed, device management will not work when the app is updated.
--android:resource="@xml/device_admin_sample" declares the security policy declared in the metadata. metadata provides additional information about device management, which is parsed by the class DeviceAdminInfo. Following is the content of device_admin_sample.xml
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
<uses-policies>
<limit-password />
<watch-login />
<reset-password />
<force-lock />
<wipe-data />
<expire-password />
<encrypted-storage />
<disable-camera />
</uses-policies>
</device-admin>
You only need to add the required policies in your application, you do not need to add all the policies.
2. Implement the code
The device management API contains the following classes
DeviceAdminReceiver
A base class that implements a device's management component. This class can conveniently interact with actions sent by the system. The application must contain a subclass of DeviceAdminReceiver.
DevicePolicyManager
A class that manages policies enforced on devices. Most clients must publish the DeviceAdminReceier that the user is now allowed to. DevicePolicyManager is used to manage one or more DeviceAdminReceiver instances.
DeviceAdminInfo
Metadata for declaring device management components.
These classes provide a complete functional basis for device management applications. The following is how to write device management applications through the APIs of DeviceAdminReceiver and DevicePolicyManager.
子类DeviceAdminReceiver
A device management application must include a subclass of DeviceAdminReceiver. DeviceAdminReceiver contains a series of callbacks when special events are triggered.
The following pops a toast in the callback when the corresponding event is fired
public class DeviceAdminSample extends DeviceAdminReceiver {
void showToast(Context context, String msg) {
String status = context.getString(R.string.admin_receiver_status, msg);
Toast.makeText(context, status, Toast.LENGTH_SHORT).show();
}
@Override
public void onEnabled(Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_enabled));
}
@Override
public CharSequence onDisableRequested(Context context, Intent intent) {
return context.getString(R.string.admin_receiver_status_disable_warning);
}
@Override
public void onDisabled(Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_disabled));
}
@Override
public void onPasswordChanged (Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_pw_changed));
}
...
}
Activate the app
The user must explicitly activate the app for the policy to be enforced. If the user does not activate the application on the device, the application is on the device but does not gain any additional convenience.
When the intent of the action ACTION_ADD_DEVICE_ADMIN is fired, the interface that activates the app is fired. Activated when the user clicks "Activate App".
The following figure is the interface to activate the application:
Below is the code that is executed when the user clicks "Activate App". onPreferenceChange() is a callback function that fires when the value of the Preference is changed.
If the user activates the application, the interface shown above will pop up, otherwise the device management application will be disabled.
@Override
public boolean onPreferenceChange(Preference preference, Object newValue) {
if (super.onPreferenceChange(preference, newValue)) {
return true;
}
boolean value = (Boolean) newValue;
if (preference == mEnableCheckbox) {
if (value != mAdminActive) {
if (value) {
// Launch the activity to have the user enable our admin.
Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample);
intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
mActivity.getString(R.string.add_admin_extra_app_text));
startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN);
// return false - don't update checkbox until we're really active
return false;
} else {
mDPM.removeActiveAdmin(mDeviceAdminSample);
enableDeviceCapabilitiesArea(false);
mAdminActive = false;
}
}
} else if (preference == mDisableCameraCheckbox) {
mDPM.setCameraDisabled(mDeviceAdminSample, value);
...
}
return true;
}
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample); indicates that mDeviceAdminSample (a component of DeviceAdminReceiver) is a target policy. Contains steps for the user to interact with the prompt shown above, allow or deny.
When the application needs to perform operations related to activating the application, it needs to detect that the application is activated, using the method isAdminActive() in DevicePolicyManager; it should be noted that this method requires DeviceAdminReceiver as a parameter.
DevicePolicyManager mDPM;
...
private boolean isActiveAdmin() {
return mDPM.isAdminActive(mDeviceAdminSample);
}
management strategy
DevicePolicyManager user manages enforced policies and can manage one or more instances of DeviceAdminReceiver
The way to get it is as follows:
evicePolicyManager mDPM =
(DevicePolicyManager)getSystemService(Context.DEVICE_POLICY_SERVICE);
Set password policy
Only valid for lock screen password.
The interface for setting the password is displayed:
Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD); startActivity(intent);
The password command can be any of the following:
PASSWORD_QUALITY_ALPHABETIC: Password must contain at least one letter or special character
PASSWORD_QUALITY_ALPHANUMERIC: Password must contain at least one number and one letter (or special character)
PASSWORD_QUALITY_NUMERIC: Password must contain a number
PASSWORD_QUALITY_COMPLEX: Password must contain a letter, a number and a special character
PASSWORD_SOMETHING: Need a password but don't care what's in the password
PASSWORD_QUALITY_UNSPECIFIED: No password required
Here is the code to set the password policy:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setPasswordQuality(mDeviceAdminSample, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
Set password content:
Starting with Android 3.0, DevicePolicyManager includes methods that can adjust the content of the password. For example, you can set a policy stating that passwords must contain at least n letters. Here's how to adjust your content
setPasswordMinimumLetters() setPasswordMinimumLowerCase() setPasswordMinimumUpperCase() setPasswordMinimumNonLetter() setPasswordMinimumNumeric() setPasswordMinimumSymbols()
Here is the code snippet of the method to set the password must contain two uppercase letters:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwMinUppercase = 2; ... mDPM.setPasswordMinimumUpperCase(mDeviceAdminSample, pwMinUppercase);
Set the password minimum length to pwLenght:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwLength; ... mDPM.setPasswordMinimumLength(mDeviceAdminSample, pwLength);
Set the maximum number of incorrect password input to maxFailedPw:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int maxFailedPw; ... mDPM.setMaximumFailedPasswordsForWipe(mDeviceAdminSample, maxFailedPw);
Set the password expiration time pwExpiration in milliseconds
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; long pwExpiration; ... mDPM.setPasswordExpirationTimeout(mDeviceAdminSample, pwExpiration);
Disallow reuse of old passwords:
Starting with Android 3.0, users can be restricted from using the old password through the method setPasswordHistoryLength(). This method needs to pass in the number of passwords to be saved as a parameter. When this policy is activated, the user can enter a new password that matches the last n passwords. This policy prevents users from using the same password repeatedly. Usually this strategy is used in conjunction with the method setPsswordExpirationTimeout() to force the user to update their password after a certain time has elapsed.
Disallow reuse of any password from the last 5 times:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwHistoryLength = 5; ... mDPM.setPasswordHistoryLength(mDeviceAdminSample, pwHistoryLength);
Set screen lock time:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... long timeMs = 1000L*Long.parseLong(mTimeout.getText().toString()); mDPM.setMaximumTimeToLock(mDeviceAdminSample, timeMs);
Lock the screen now:
DevicePolicyManager mDPM; mDPM.lockNow();
clear data:
Use the method wipeData() of DevicePolicyManager to restore the factory settings of the phone. Useful when the phone is lost or stolen. Usually clearing phone data is for a specific need. For example, seeMaximumFailedPasswordsForWipe() to declare how many times the password should be retried before clearing the data.
Code to clear data:
DevicePolicyManager mDPM; mDPM.wipeData (0);
The argument to wipeData() is a bitmask of additional options, which must currently be 0.
Disable the camera:
As of Andorid 4.0, the camera can be disabled. Note that this is not a permanent disable. Cameras can be enabled/disabled based on context, time, etc.
private CheckBoxPreference mDisableCameraCheckbox; DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setCameraDisabled(mDeviceAdminSample, mDisableCameraCheckbox.isChecked());
Storage encryption:
Starting with Android 3.0, you can use the setStorageEncryption() method to set a policy for encrypted storage areas.
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setStorageEncryption(mDeviceAdminSample, true);
See the complete code with the device management API example.
More code samples:
Android AppRestrictionsEnforcer and Android DeviceOwner provide more code for the device management API
Original address:
https://developer.android.com/guide/topics/admin/device-admin