1 page.title=Employing Managed Profiles 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p>A <em>managed profile</em> or <em>work profile</em> is an Android <a 28 href="multi-user.html">user</a> with some additional special properties around 29 management and visual aesthetic.</p> 30 31 <h2 id=purpose>DevicePolicyManager APIs</h2> 32 33 <p>Android 5.x or newer offers a greatly improved DevicePolicyManager with dozens of new 34 APIs to support both corporate-owned and bring your own device (BYOD) 35 administration use cases. Examples include app restrictions, silent 36 installation of certificates, and cross-profile sharing intent access control. 37 You may use the sample Device Policy Client (DPC) app, <a 38 href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a>, 39 as a starting point. See <a 40 href="https://developer.android.com/training/enterprise/work-policy-ctrl.html">Building 41 a Work Policy Controller</a> for additional details. 42 43 <h2 id=purpose>Purpose</h2> 44 45 <p>The primary goal of a managed profile is to create a segregated and secure 46 space for managed (for example, corporate) data to reside. The administrator of 47 the profile has full control over scope, ingress, and egress of data as well as 48 its lifetime. These policies offer great powers and therefore fall upon the 49 managed profile instead of the device administrator.</p> 50 51 <ul> 52 <li><strong>Creation</strong> - Managed profiles can be created by any application in the primary user. The 53 user is notified of managed profile behaviors and policy enforcement before 54 creation. 55 <li><strong>Management</strong> - Management is performed by applications that programmatically invoke APIs in 56 the <a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html">DevicePolicyManager</a> class to restrict use. Such applications are referred to as <em>profile owners</em> and are defined at initial profile setup. Policies unique to managed profile 57 involve app restrictions, updatability, and intent behaviors. 58 <li><strong>Visual treatment</strong> - Applications, notifications, and widgets from the managed profile are always 59 badged and typically made available inline with user interface (UI) elements 60 from the primary user. 61 </ul> 62 63 <h2 id=data_segregation>Data Segregation </h2> 64 65 <h3 id=applications>Applications</h3> 66 67 <p>Applications are scoped with their own segregated data when the same app exists 68 in the primary user and managed profile. Generally, applications cannot 69 communicate directly with one another across the profile-user boundary and act 70 independently of one another.</p> 71 72 <h3 id=accounts>Accounts</h3> 73 74 <p>Accounts in the managed profile are distinctly unique from the primary user. 75 There is no way to access credentials across the profile-user boundary. Only 76 apps in their respective context are able to access their respective accounts.</p> 77 78 <h3 id=intents>Intents</h3> 79 80 <p>The administrator controls whether intents are resolved in/out of managed 81 profile or not. Applications from the managed profile are default scoped to 82 stay within the managed profile exception of the Device Policy API.</p> 83 84 <h3 id=settings>Settings</h3> 85 86 <p>Enforcement of settings is generally scoped to the managed profile with a few 87 exceptions. Specifically, lockscreen and encryption settings are still scoped 88 to the device and shared between the primary user and managed profile. 89 Otherwise, a profile owner does not have any device administrator privileges 90 outside the managed profile.</p> 91 92 <p>Managed profiles are implemented as a new kind of secondary user, such that:</p> 93 94 <pre> 95 uid = 100000 * userid + appid 96 </pre> 97 98 99 <p>They have separate app data like regular users:</p> 100 101 <pre> 102 /data/user/<userid> 103 </pre> 104 105 <p>The UserId is calculated for all system requests using <code>Binder.getCallingUid()</code>, and all system state and responses are separated by userId. You may consider 106 instead using <code>Binder.getCallingUserHandle</code> rather than <code>getCallingUid</code> to avoid confusion between uid and userId.</p> 107 108 <p>The AccountManagerService maintains a separate list of accounts for each user.</p> 109 110 <p>The main differences between a managed profile and a regular secondary user are 111 as follows:</p> 112 113 <ul> 114 <li> The managed profile is associated with its parent user and started alongside 115 the primary user at boot time. 116 <li> Notifications for managed profiles are enabled by ActivityManagerService 117 allowing the managed profile to share the activity stack with the primary user. 118 <li> Some other system services shared are: IME, A11Y services, Wi-Fi, and NFC. 119 <li> New Launcher APIs allow launchers to display badged apps and whitelisted 120 widgets from the managed profile alongside apps in the primary profile without 121 switching users. 122 </ul> 123 124 <h2 id=device_administration>Device administration</h2> 125 126 <p>Android device administration includes two new types of device administrators for 127 enterprises:</p> 128 129 <ul> 130 <li><em>Profile owner</em>Designed for bring your own device (BYOD) environments 131 <li><em>Device Owner</em>Designed for corp-liable environments 132 </ul> 133 134 <p>The majority of the new device administrator APIs that have been added for 135 Android 5.0 are available only to profile or device owners. Traditional device 136 administrators remain but are applicable to the simpler consumer-only case 137 (e.g. find my device).</p> 138 139 <h3 id=profile_owners>Profile owners</h3> 140 141 <p>A Device Policy Client (DPC) app typically functions as the profile owner. The 142 DPC app is typically provided by an enterprise mobility management (EMM) 143 partner, such as Google Apps Device Policy.</p> 144 145 <p>The profile owner app creates a managed profile on the device by sending the 146 <code>ACTION_PROVISION_MANAGED_PROFILE</code> intent. This profile is 147 distinguished by the appearance of badged instances of 148 apps, as well as personal instances. That badge, or Android device 149 administration icon, identifies which apps are work apps.</p> 150 151 <p>The EMM has control only over the managed profile (not personal space) with some 152 exceptions, such as enforcing the lock screen.</p> 153 154 <h3 id=device_owners>Device owners</h3> 155 156 <p>The device owner can be set only in an unprovisioned device:</p> 157 158 <ul> 159 <li>Can be provisioned only at initial device setup 160 <li>Enforced disclosure always displayed in quick-settings 161 </ul> 162 163 <p>Device owners can conduct some tasks profile owners cannot, and here are a few examples:</p> 164 165 <ul> 166 <li>Wipe device data 167 <li>Disable Wi-Fi/ BT 168 <li>Control <code>setGlobalSetting</code> 169 <li><code>setLockTaskPackages</code> (the ability to whitelist packages that can pin themselves to the foreground) 170 <li>Set <code>DISALLOW_MOUNT_PHYSICAL_MEDIA</code> (<code>FALSE</code> by default. 171 When <code>TRUE</code>, physical media, both portable and adoptable, cannot be mounted.) 172 </ul> 173
