page.title=Provisioning for Device Administration
@jd:body

<!--
    Copyright 2015 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
    </ol>
  </div>
</div>

<p>This page describes the process for deploying devices to corporate users.</p>

<p>Device owner provisioning can be accomplished over NFC or with an activation
code. See <a href="implement.html">Implementing Device Administration</a> for
the complete list of requirements.</p>

<p>Download the <a
href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning
APK</a> and <a
href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner
APK</a>.</p>

<p class="caution"><strong>Caution:</strong> If provisioning has already
started, affected devices will first need to be factory reset.</p>

<h2 id=managed_provisioning>Managed Provisioning</h2>

<p>Managed Provisioning is a framework UI flow to ensure users are adequately
informed of the implications of setting a device owner or managed profile. You can
think of it as a setup wizard for managed profiles.</p>

<p class="note"><strong>Note:</strong> Remember, the device owner can be set
only from an unprovisioned device. If
<code>Settings.Secure.USER_SETUP_COMPLETE</code> has ever been set, then the
device is considered provisioned and the device owner cannot be set.</p>

<p>Devices that enable default encryption offer a considerably simpler and
quicker device administration provisioning flow. The managed provisioning
component:</p>

<ul>
  <li>Encrypts the device</li>
  <li>Creates the managed profile</li>
  <li>Disables non-required applications</li>
  <li>Sets the enterprise mobility management (EMM) app as profile owner</li>
</ul>

<p>In turn, the EMM app:</p>

<ul>
  <li>Adds user accounts</li>
  <li>Enforces device compliance</li>
  <li>Enables any additional system applications</li>
</ul>

<p>In this flow, managed provisioning triggers device encryption. The framework
copies the EMM app into the managed profile as part of managed provisioning.
The instance of the EMM app inside the managed profile gets a callback from the
framework when provisioning is done.</p>

<p>The EMM can then add accounts and enforce policies; it then calls
<code>setProfileEnabled()</code>, which makes the launcher icons visible.</p>

<h2 id=profile_owner_provisioning>Profile Owner Provisioning</h2>

<p>Profile owner provisioning assumes the user of the device oversees its
management (and not a company IT department). To enable profile owner
provisioning, you must send an intent with appropriate extras. See the <a href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a> for an example.</p>

<p>Mobile Device Management (MDM) applications trigger the creation of the managed
profile by sending an intent with action:</p>

<p><a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a></p>

<p>Here is a sample intent that will trigger the creation of the managed profile
and set the DeviceAdminSample as the profile owner:</p>

<pre>
adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
    -c android.intent.category.DEFAULT \
    -e wifiSsid $(printf '%q' \"GoogleGuest\") \
    -e deviceAdminPackage "com.google.android.deviceadminsample" \
    -e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
    -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
</pre>

<h2 id=device_owner_provisioning_via_nfc>Device Owner Provisioning via NFC</h2>

<p>Device owner provisioning via NFC is similar to the profile owner method but
requires more bootstrapping before managed provisioning.</p>

<p>To use this method, <a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC bump</a> the device from the first page of the setup wizard (SUW). This offers a low-touch
flow and configures Wi-Fi, installs the DPC, and sets the DPC as device owner.</p>

<p>Here is the typical NFC bundle:</p>

<pre>
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
</pre>

<p>The device must have NFC configured to accept the managed provisioning mimetype
from SUW:</p>

<pre>
/packages/apps/Nfc/res/values/provisioning.xml

&lt;bool name="enable_nfc_provisioning"&gt;true&lt;/bool&gt;
&lt;item&gt;application/com.android.managedprovisioning&lt;/item&gt;
</pre>

<h2 id=device_owner_provisioning_with_activation_code>Device Owner Provisioning with Activation Code</h2>

<p>Select <em>Add Work Account</em> from the setup wizard. This triggers a
lookup of the EMM from Android servers.</p>

<p>The device installs the EMM app and starts the provisioning flow. As an extra
option, Android device administration supports using an email
address with a six-digit activation code to bootstrap the process as part of
the setup wizard.</p>

<h2 id=emm_benefits>EMM benefits</h2>

<p>An EMM can help by conducting these tasks for you:</p>

<ul>
  <li>Provision managed profile
  <li>Apply security policies
  <ul>
    <li>Set password complexity
    <li>Lockdowns: disable screenshots, sharing from managed profile, etc.
  </ul>
  <li>Configure enterprise connectivity
  <ul>
    <li>Use WifiEnterpriseConfig to configure corporate Wi-Fi
    <li>Configure VPN on the device
    <li>Use DPM.setApplicationRestrictions() to configure corporate VPN
  </ul>
  <li>Enable corporate app Single Sign-On (SSO)
  <ul>
    <li>Install desired corporate apps
    <li>Use DPM.installKeyPair() to silently install corp client certs
    <li>Use DPM.setApplicationRestrictions() to configure hostnames, cert alias of
      corporate apps
  </ul>
</ul>

<p>Managed provisioning is just one piece of the EMM end-to-end workflow, with the
end goal being to make corporate data accessible to apps in the managed profile.</p>

<p>See <a href="testing-setup.html">Setting up Device Testing</a> for testing instructions.</p>
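<p>The checksum entry in the NFC bundle listed under Device Owner Provisioning via NFC pins the DPC APK that the device downloads. The host-side Python below is an added example, not code from this page or from AOSP: it builds the <code>java.util.Properties</code> text carried in the <code>application/com.android.managedprovisioning</code> record and repeats the comparison a device makes after fetching the APK. Assumptions: the extras use their <code>DevicePolicyManager</code> string values, the checksum is the URL-safe base64 of a SHA-256 hash with padding stripped (pass <code>"sha1"</code> for releases that expect it), and the package name, URL, SSID and APK bytes are constructed placeholders.</p>

```python
import base64
import hashlib
import hmac

# String values of the DevicePolicyManager extras carried in the NFC bundle.
MIME_TYPE = "application/com.android.managedprovisioning"  # NDEF record type
PKG_NAME = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"
PKG_LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
PKG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"

def apk_checksum(apk_bytes, algorithm="sha256"):
    """URL-safe base64 (padding stripped) of the hash of the whole APK file."""
    digest = hashlib.new(algorithm, apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def escape_value(value):
    """Escape a value for java.util.Properties (ASCII with unicode escapes)."""
    out = []
    for i, ch in enumerate(value):
        if ch in "\\\n\r\t":
            out.append({"\\": "\\\\", "\n": "\\n", "\r": "\\r", "\t": "\\t"}[ch])
        elif ch == " " and i == 0:
            out.append("\\ ")  # a leading space would otherwise be dropped on load
        elif " " <= ch <= "~":
            out.append(ch)
        else:  # control or non-ASCII character: emit its UTF-16 code units
            raw = ch.encode("utf-16-be")
            out.extend("\\u%04x" % int.from_bytes(raw[j:j + 2], "big")
                       for j in range(0, len(raw), 2))
    return "".join(out)

def build_payload(package, url, apk_bytes, ssid, security, algorithm="sha256"):
    """Properties text that becomes the body of the NDEF MIME record."""
    props = [(PKG_NAME, package), (PKG_LOCATION, url),
             (PKG_CHECKSUM, apk_checksum(apk_bytes, algorithm)),
             (WIFI_SSID, ssid), (WIFI_SECURITY, security)]
    return "".join("%s=%s\n" % (k, escape_value(v)) for k, v in props).encode("ascii")

def checksum_matches(payload, downloaded_apk, algorithm="sha256"):
    """Recompute the hash of the fetched APK and compare it with the pinned value."""
    props = dict(l.split("=", 1) for l in payload.decode("ascii").splitlines())
    return hmac.compare_digest(apk_checksum(downloaded_apk, algorithm), props[PKG_CHECKSUM])

# Constructed sample input: placeholder bytes, package name and URL, not a real DPC.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for a DPC APK"
SAMPLE_PAYLOAD = build_payload("com.example.dpc", "https://emm.example.com/dpc.apk",
                               SAMPLE_APK, "CorpGuest", "WPA")
```

<p>Regenerate the payload whenever the hosted APK changes: a stale checksum makes the comparison fail for every device that taps the tag.</p>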