<html devsite>
<head>
<title>Provisioning for Device Administration</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>This page describes the process for deploying devices to corporate users
using NFC or via cloud services (for a complete list of requirements, see
<a href="/devices/tech/admin/implement.html">Implementing Device
Administration</a>).</p>

<p>To get started, download the
<a href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning
APK</a>
and
<a href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner
APK</a>.
</p>

<p class="caution"><strong>Caution:</strong> If provisioning has already
started, affected devices must be factory reset first.</p>

<h2 id=managed_provisioning>Managed provisioning</h2>

<p>Managed Provisioning is a framework UI flow that ensures users are adequately
informed of the implications of setting a device owner or managed profile. It is
designed to act as a setup wizard for managed profiles.</p>

<p class="note"><strong>Note:</strong> The device owner can be set only on an
unprovisioned device.
If <code>Settings.Secure.USER_SETUP_COMPLETE</code> has
ever been set, the device is considered provisioned and the device owner cannot
be set.</p>

<p>Devices that enable default encryption offer a considerably simpler and
quicker device administration provisioning flow. The managed provisioning
component:</p>

<ul>
<li>Encrypts the device</li>
<li>Creates the managed profile</li>
<li>Disables non-required applications</li>
<li>Sets the enterprise mobility management (EMM) app as profile owner</li>
</ul>

<p>In turn, the EMM app:</p>

<ul>
<li>Adds user accounts</li>
<li>Enforces device compliance</li>
<li>Enables any additional system applications</li>
</ul>

<p>In this flow, managed provisioning triggers device encryption. The framework
copies the EMM app into the managed profile as part of managed provisioning. The
instance of the EMM app inside the managed profile gets a callback from the
framework when provisioning is done. The EMM can then add accounts and enforce
policies; it then calls <code>setProfileEnabled()</code>, which makes the
launcher icons visible.</p>

<h2 id=profile_owner_provisioning>Profile owner provisioning</h2>

<p>Profile owner provisioning assumes the user of the device (and not a company
IT department) oversees device management. To enable profile owner provisioning,
you must send an intent with appropriate extras. For an example, use the TestDPC
application
(<a href="https://play.google.com/store/apps/details?id=com.afwsamples.testdpc&hl=en">Download
from Google Play</a> or <a href="https://github.com/googlesamples/android-testdpc/">Build
from GitHub</a>). Install TestDPC on the device, launch the app from the
launcher, then follow the app instructions.
Provisioning is complete when badged
icons appear in the launcher drawer.</p>

<p>Mobile Device Management (MDM) applications trigger the creation of the
managed profile by sending an intent with the action
<a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a>.
Below is a sample intent that triggers the creation of the managed profile
and sets the DeviceAdminSample as the profile owner:</p>

<pre class="devsite-click-to-copy">
<code class="devsite-terminal">adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
  -c android.intent.category.DEFAULT \
  -e wifiSsid $(printf '%q' \"WifiSSID\") \
  -e deviceAdminPackage "com.google.android.deviceadminsample" \
  -e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
  -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"</code>
</pre>

<h2 id=device_owner_provisioning_via_nfc>Device owner provisioning</h2>
<p>Use one of the following methods to set up device owner (DO)
provisioning.</p>

<h3 id=do_provision_nfc>Provisioning via NFC</h3>
<p>DO provisioning via NFC is similar to the profile owner method but requires
more bootstrapping. To use this method,
<a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC
bump</a> the device during the initial setup step (i.e., the first page of the setup
wizard).
This low-touch flow configures Wi-Fi, installs the DPC, and sets the
DPC as device owner.</p>

<p>A typical NFC bundle includes the following:</p>

<pre class="devsite-click-to-copy">
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
</pre>

<p>Devices must have NFC configured to accept the managed provisioning
mimetype from the setup experience:</p>

<pre class="devsite-click-to-copy">
/packages/apps/Nfc/res/values/provisioning.xml
</pre>
<pre class="devsite-click-to-copy">
<bool name="enable_nfc_provisioning">true</bool>
<item>application/com.android.managedprovisioning</item>
</pre>

<h3 id=do_provision_cs>Provisioning via Cloud Services</h3>
<p>Device owner provisioning via cloud services is another method through which
a device can be provisioned in device owner mode during out-of-the-box setup.
The device can collect credentials (or tokens) and use them to perform a lookup
to a cloud service, which can then be used to initiate the device owner
provisioning process.</p>

<h2 id=emm_benefits>EMM benefits</h2>

<p>An enterprise mobility management (EMM) app can help by conducting the
following tasks:</p>

<ul>
<li>Provision managed profile</li>
<li>Apply security policies
<ul>
<li>Set password complexity</li>
<li>Lockdowns: disable screenshots, sharing from managed profile, etc.</li>
</ul></li>
<li>Configure enterprise connectivity
<ul>
<li>Use WifiEnterpriseConfig to configure corporate Wi-Fi</li>
<li>Configure VPN on the device</li>
<li>Use <code>DPM.setApplicationRestrictions()</code> to configure corporate
VPN</li>
</ul></li>
<li>Enable corporate app Single Sign-On (SSO)
<ul>
<li>Install desired corporate apps</li>
<li>Use <code>DPM.installKeyPair()</code> to silently install corp client
certs</li>
<li>Use <code>DPM.setApplicationRestrictions()</code> to configure
hostnames, cert alias of corporate apps</li>
</ul></li>
</ul>

<p>Managed provisioning is just one part of the EMM end-to-end workflow, with
the end goal of making corporate data accessible to apps in the managed
profile. For testing guidance, see
<a href="/devices/tech/admin/testing-setup.html">Setting up Device
Testing</a>.</p>

<h2 id=automate>Automated provisioning testing</h2>
<p>To automate the testing of enterprise provisioning processes, use
the Android for Work (AfW) Test Harness. For details, see
<a href="/devices/tech/admin/testing-provision.html">Testing Device
Provisioning</a>.</p>

</body>
</html>
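<p>For the managed provisioning callback described under Managed provisioning (the EMM instance inside the profile adds accounts, enforces policies, then calls <code>setProfileEnabled()</code>), here is an added example <code>DeviceAdminReceiver</code>; it is not code from this page or from the DeviceOwner sample, and the package name, account type and policy values are assumptions chosen for illustration.</p>

```java
// Added example, not code from the AOSP page or the DeviceOwner sample.
// Package, account type and policy values are illustrative assumptions.
package com.example.dpc;

import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

public class ExampleAdminReceiver extends DeviceAdminReceiver {

    // Invoked by the framework once the managed profile exists and this app
    // has been copied into it and made profile owner.
    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getWho(context);

        // 1. Enforce policy before anything in the profile becomes visible.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setScreenCaptureDisabled(admin, true);
        // Keep work-profile clipboard data from reaching personal apps.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);

        // 2. Add the corporate account (hypothetical account type that this
        //    app's own authenticator owns, otherwise the call is refused).
        AccountManager.get(context).addAccountExplicitly(
                new Account("alice@example.com", "com.example.account"), null, null);

        // 3. Only now enable the profile; its badged launcher icons appear.
        dpm.setProfileName(admin, "Work");
        dpm.setProfileEnabled(admin);
    }
}
```

<p>As with any DPC, the receiver must be declared in the manifest with the <code>BIND_DEVICE_ADMIN</code> permission and a <code>device_admin</code> meta-data resource, or the framework will not deliver the callback.</p>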
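<p>For the NFC bundle listed under Provisioning via NFC, here is an added example (not code from this page or the NfcProvisioning sample) that builds the NDEF message a provisioning device pushes during the bump. The DPC package name, download URL, checksum and Wi-Fi values are placeholders, and the page's <code>EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION</code> is the <code>DevicePolicyManager</code> constant <code>EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION</code>.</p>

```java
// Added example, not the NfcProvisioning sample's own code: builds the NDEF
// message an unprovisioned device accepts for DO provisioning over NFC.
// Package name, download URL, checksum and Wi-Fi values are placeholders.
package com.example.provisioner;

import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.nfc.NdefMessage;
import android.nfc.NdefRecord;
import android.nfc.NfcAdapter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Properties;

public final class NfcProvisioningMessage {
    // The extras travel as java.util.Properties text; ManagedProvisioning
    // parses that text out of the NFC payload on the receiving device.
    static byte[] buildPayload(String dpcPackage, String apkUrl, String apkChecksum,
                               String ssid, String securityType) throws IOException {
        Properties p = new Properties();
        p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, dpcPackage);
        p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION, apkUrl);
        // URL-safe base64 hash of the APK at apkUrl; provisioning aborts if the
        // downloaded file does not match, so the DPC cannot be swapped in transit.
        p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, apkChecksum);
        p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SSID, ssid);
        p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SECURITY_TYPE, securityType);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        p.store(out, null);
        return out.toByteArray();
    }

    // Wrap the payload in the "application/com.android.managedprovisioning" mimetype.
    static NdefMessage buildMessage(byte[] payload) {
        NdefRecord record = NdefRecord.createMime(
                DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC, payload);
        return new NdefMessage(record);
    }

    // Register the message so it is sent when the two devices are bumped.
    static void push(Activity activity) throws IOException {
        byte[] payload = buildPayload(
                "com.example.dpc",              // placeholder DPC package
                "https://example.com/dpc.apk",  // placeholder download location
                "PLACEHOLDER_BASE64URL_HASH",   // placeholder checksum
                "CorpWifi", "NONE");            // placeholder open network
        NfcAdapter.getDefaultAdapter(activity).setNdefPushMessage(buildMessage(payload), activity);
    }
}
```

<p>The receiving device only honours this message while it is still on the first page of the setup wizard, and only if its <code>provisioning.xml</code> enables NFC provisioning for that mimetype as shown above.</p>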