1 page.title=Building a Work Policy Controller 2 page.metaDescription=Learn how to develop a Work Policy Controller to create and administer a managed profile on an employee's device. 3 @jd:body 4 5 <div id="tb-wrapper"> 6 <div id="tb"> 7 8 <h2>This lesson teaches you to</h2> 9 <ol> 10 <li><a href="#after_creating_profile">Create a Managed Profile</a></li> 11 <li><a href="#set_up_policies">Set Up Device Policies</a></li> 12 <li><a href="#apply_restrictions">Apply App Restrictions</a></li> 13 </ol> 14 15 <!-- related docs (NOT javadocs) --> 16 17 <h2> 18 You should also read 19 </h2> 20 21 <ul> 22 <li> 23 <a href="{@docRoot}guide/topics/admin/device-admin.html">Device 24 Administration</a> 25 </li> 26 </ul> 27 28 <h2>Resources</h2> 29 <ul> 30 31 <li> 32 <a href= 33 "{@docRoot}samples/BasicManagedProfile/index.html">BasicManagedProfile</a> 34 </li> 35 36 <li> 37 <a href= 38 "{@docRoot}samples/AppRestrictionEnforcer/index.html">AppRestrictionEnforcer</a> 39 </li> 40 </ul> 41 42 </div> 43 </div> 44 45 46 <p> 47 In an Android for Work deployment, an enterprise needs to maintain control 48 over certain aspects of the employees' devices. The enterprise needs to 49 ensure that work-related information is encrypted and is kept separate from 50 employees' personal data. The enterprise may also need to limit device 51 capabilities, such as whether the device is allowed to use its camera. And 52 the enterprise may require that approved apps provide app restrictions, so 53 the enterprise can turn app capability on or off as needed. 54 </p> 55 56 <p> 57 To handle these tasks, an enterprise develops and deploys a Work Policy 58 Controller app. This app is installed on each employee's device. The 59 controller app installed on each employee's device and creates a work user 60 profile, which accesses enterprise apps and data separately from the user's 61 personal account. The controller app also acts as the 62 bridge between the enterprise's management software and the device; the 63 enterprise tells the controller app when it needs to make configuration 64 changes, and the controller app makes the appropriate settings changes for the 65 device and for other apps. 66 </p> 67 68 <p> 69 This lesson describes how to develop a Work Policy Controller app for devices 70 in an Android for Work deployment. The lesson describes how to create a work 71 user profile, how to set device policies, and how to apply 72 restrictions to other apps running on the managed profile. 73 </p> 74 75 <p class="note"> 76 <strong>Note:</strong> This lesson does not cover the situation where the 77 only profile on the device is the managed profile, under the enterprise's 78 control. 79 </p> 80 81 <h2 id="overview">Device Administration Overview</h2> 82 83 <p> 84 In an Android for Work deployment, the enterprise administrator can set 85 policies to control the behavior of employees' devices and apps. The 86 enterprise administrator sets these policies with software provided by their 87 Enterprise Mobility Management (EMM) provider. The EMM software communicates 88 with a Work Policy Controller on each device. The Work Policy Controller, in 89 turn, manages the settings and behavior of the work user profile on each 90 individuals device. 91 </p> 92 93 <p class="note"> 94 <strong>Note:</strong> A Work Policy Controller is built on the existing 95 model used for device administration applications, as described in <a href= 96 "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>. 97 In particular, your app needs to create a subclass of {@link 98 android.app.admin.DeviceAdminReceiver}, as described in that document. 99 </p> 100 101 <h3 id="managed_profiles">Managed profiles</h3> 102 103 <p> 104 Users often want to use their personal devices in an enterprise setting. This 105 situation can present enterprises with a dilemma. If the user can use their 106 own device, the enterprise has to worry that confidential information (like 107 employee emails and contacts) are on a device the enterprise does not 108 control. 109 </p> 110 111 <p> 112 To address this situation, Android 5.0 (API level 21) allows enterprises to 113 set up a special work user profile using the Managed Profile API. This 114 user profile is called a <em>managed profile</em>, or a <em>work profile</em> 115 in the Android for Work program. If a device has a 116 managed profile for work, the profile's settings are under the control of the 117 enterprise administrator. The administrator can choose which apps are allowed 118 for that profile, and can control just what device features are available to 119 the profile. 120 </p> 121 122 <h2 id="create_profile">Create a Managed Profile</h2> 123 124 <p>To create a managed profile on a device that already has a personal profile, 125 first check that the device can support a managed profile, by seeing if the 126 device supports the {@link 127 android.content.pm.PackageManager#FEATURE_MANAGED_USERS FEATURE_MANAGED_USERS} 128 system feature:</p> 129 130 <pre>PackageManager pm = getPackageManager(); 131 if (!pm.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS)) { 132 133 // This device does not support native managed profiles! 134 135 }</pre> 136 137 <p>If the device supports managed profiles, create one by sending an intent with 138 an {@link android.app.admin.DevicePolicyManager#ACTION_PROVISION_MANAGED_PROFILE 139 ACTION_PROVISION_MANAGED_PROFILE} action. Include the device admin package 140 name as an extra.</p> 141 142 <pre>Activity provisioningActivity = getActivity(); 143 144 // You'll need the package name for the WPC app. 145 String myWPCPackageName = "com.example.myWPCApp"; 146 147 // Set up the provisioning intent 148 Intent provisioningIntent = 149 new Intent("android.app.action.PROVISION_MANAGED_PROFILE"); 150 intent.putExtra(myWPCPackageName, 151 provisioningActivity.getApplicationContext().getPackageName()); 152 153 if (provisioningIntent.resolveActivity(provisioningActivity.getPackageManager()) 154 == null) { 155 156 // No handler for intent! Can't provision this device. 157 // Show an error message and cancel. 158 } else { 159 160 // REQUEST_PROVISION_MANAGED_PROFILE is defined 161 // to be a suitable request code 162 startActivityForResult(provisioningIntent, 163 REQUEST_PROVISION_MANAGED_PROFILE); 164 provisioningActivity.finish(); 165 }</pre> 166 167 <p>The system responds to this intent by doing the following:</p> 168 169 <ul> 170 <li>Verifies that the device is encrypted. If it is not, the system prompts 171 the user to encrypt the device before proceeding. 172 </li> 173 174 <li>Creates a managed profile. 175 </li> 176 177 <li>Removes non-required applications from the managed profile. 178 </li> 179 180 <li>Copies the Work Policy Controller application into the managed profile and 181 sets it as the profile owner. 182 </li> 183 </ul> 184 185 <p>Override {@link android.app.Activity#onActivityResult onActivityResult()} to 186 see whether the provisioning was successful, as shown in the following 187 example code:</p> 188 189 <pre>@Override 190 public void onActivityResult(int requestCode, int resultCode, Intent data) { 191 192 // Check if this is the result of the provisioning activity 193 if (requestCode == REQUEST_PROVISION_MANAGED_PROFILE) { 194 195 // If provisioning was successful, the result code is 196 // Activity.RESULT_OK 197 if (resultCode == Activity.RESULT_OK) { 198 // Hurray! Managed profile created and provisioned! 199 } else { 200 // Boo! Provisioning failed! 201 } 202 return; 203 204 } else { 205 // This is the result of some other activity, call the superclass 206 super.onActivityResult(requestCode, resultCode, data); 207 } 208 }</pre> 209 210 <h3 id="after_creating_profile">After Creating the Managed Profile</h3> 211 212 <p>When the profile has been provisioned, the system calls the Work Policy 213 Controller app's {@link 214 android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete 215 DeviceAdminReceiver.onProfileProvisioningComplete()} method. Override this 216 callback method to finish enabling the managed profile.</p> 217 218 <p>Typically, your {@link 219 android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete 220 DeviceAdminReceiver.onProfileProvisioningComplete()} callback implementation 221 would perform these tasks:</p> 222 223 <ul> 224 <li>Verify that the device is complying with the EMM's device policies, as 225 described in <a href="#set_up_policies">Set Up Device Policies</a> 226 </li> 227 228 <li>Enable any system applications that the administrator chooses to make 229 available within the managed profile, using {@link 230 android.app.admin.DevicePolicyManager#enableSystemApp 231 DevicePolicyManager.enableSystemApp()} </li> 232 233 <li>If the device uses Google Play for Work, add the Google account 234 to the managed profile with {@link android.accounts.AccountManager#addAccount 235 AccountManager.addAccount()}, so administrators can install 236 applications to the device 237 </li> 238 </ul> 239 240 <p>Once you have completed these tasks, call the device policy manager's 241 {@link android.app.admin.DevicePolicyManager#setProfileEnabled 242 setProfileEnabled()} method to activate the managed profile:</p> 243 244 245 <pre>// Get the device policy manager 246 DevicePolicyManager myDevicePolicyMgr = 247 (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE); 248 249 ComponentName componentName = myDeviceAdminReceiver.getComponentName(this); 250 251 // Set the name for the newly created managed profile. 252 myDevicePolicyMgr.setProfileName(componentName, "My New Managed Profile"); 253 254 // ...and enable the profile 255 manager.setProfileEnabled(componentName);</pre> 256 257 <h2 id="set_up_policies">Set Up Device Policies</h2> 258 259 <p> 260 The Work Policy Controller app is responsible for applying the enterprise's 261 device policies. For example, a particular enterprise might require that all 262 devices become locked after a certain number of failed attempts to enter the 263 device password. The controller app queries the EMM to find out what 264 the current policies are, then uses the <a href= 265 "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 266 API to apply those policies. 267 </p> 268 269 <p>For information on how to apply device policies, see the 270 <a href="{@docRoot}guide/topics/admin/device-admin.html#policies">Device 271 Administration</a> guide.</p> 272 273 274 <h2 id="apply_restrictions">Apply App Restrictions</h2> 275 276 <p>Enterprise environments may require that approved apps implement apps 277 implement security or feature restrictions. App developers must implement these 278 restrictions and declare them for use by enterprise administrators, as described 279 in <a href="{@docRoot}training/enterprise/app-restrictions.html">Implementing 280 App Restrictions</a>. The Work Policy Controller receives restriction changes 281 from the enterprise administrator, and forwards those restriction changes to the 282 apps.</p> 283 284 <p>For example, a particular news app might have a restriction setting that 285 controls whether the app is allowed to download videos over a cellular 286 network. When the EMM wants to disable cellular downloads, it sends a 287 notification to the controller app. The controller app, in turn, 288 notifies the news app that the restriction setting has changed.</p> 289 290 <p class="note"><strong>Note:</strong> This document covers how the Work Policy 291 Controller app changes the restriction settings for the other apps on the 292 managed profile. Details on how the Work Policy Controller app communicates with 293 the EMM are out of scope for this document.</p> 294 295 <p>To change an app's restrictions, call the {@link 296 android.app.admin.DevicePolicyManager#setApplicationRestrictions 297 DevicePolicyManager.setApplicationRestrictions()} method. This method is passed 298 three parameters: the controller app's {@link 299 android.app.admin.DeviceAdminReceiver}, the package name of the app whose 300 restrictions are being changed, and a {@link android.os.Bundle Bundle} that 301 contains the restrictions you want to set.</p> 302 303 <p>For example, suppose there's an app on the managed profile with the package 304 name <code>"com.example.newsfetcher"</code>. This app has a single boolean 305 restriction that can be configured, with the key 306 <code>"downloadByCellular"</code>. If this restriction is set to 307 <code>false</code>, the newsfetcher app is not allowed to download data through 308 a cellular network; it must use a Wi-Fi network instead.</p> 309 310 <p> 311 If your Work Policy Controller app needs to turn off cellular downloads, it 312 would first fetch the device policy service object, as described above. It 313 then assembles a restrictions bundle and passes this bundle to {@link 314 android.app.admin.DevicePolicyManager#setApplicationRestrictions 315 setApplicationRestrictions()}: 316 </p> 317 318 <pre>// Fetch the DevicePolicyManager 319 DevicePolicyManager myDevicePolicyMgr = 320 (DevicePolicyManager) thisActivity 321 .getSystemService(Context.DEVICE_POLICY_SERVICE); 322 323 // Set up the restrictions bundle 324 bundle restrictionsBundle = new Bundle(); 325 restrictionsBundle.putBoolean("downloadByCellular", false); 326 327 // Pass the restrictions to the policy manager. Assume the WPC app 328 // already has a DeviceAdminReceiver defined (myDeviceAdminReceiver). 329 myDevicePolicyMgr.setApplicationRestrictions( 330 myDeviceAdminReceiver, "com.example.newsfetcher", restrictionsBundle);</pre> 331 332 333 <p class="note"><strong>Note:</strong> The device policy service conveys the restrictions 334 change to the app you name. However, it is up to that app to actually implement 335 the restriction. For example, in this case, the app would be responsible for 336 disabling its ability to use cellular networks for video downloads. Setting the 337 restriction does not cause the system to enforce this restriction on the app. 338 For more information, see <a href="{@docRoot}training/enterprise/app- 339 restrictions.html">Implementing App Restrictions</a>.</p> 340
