Android NFC Provisioning and installing in house corporate apps

Question

My company wants to distribute tablets to employees for company use only, but wants to set them up with certain permissions, custom applications and a custom launcher.

So I have the basics down as I have an app that will use NFC to provision an new tablet. I've looked through the DevicePolicyManager API page and I'm not seeing some things I want to do. What I'm not sure on is the following so if people can point me in the right direction that would be great!

1) can I use this provisioning process to install a custom launcher and make it the default?

2) can I push multiple corporate apps through this process? i.e. set the EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME property multiple times for all the apps I need installed? Reading the API it sounds like you only set it once.

3) Does the apps being send have to be through a URL or can the original tablet be used to initiate the provisioning process have the apps and they are send through the given API somehow? Right now I am using a URL and have a test app hosted, but if there are other ways that would be great to know.

4) A more basic questions but does it exactly mean to set an app as the device owner? What should this app be doing in relation to the other corporate apps that will be installed? If it's just managing policies then does it ever need to be executed manually or is it always running in a way so policies are set even after a reboot?

5) if some apps want to be in a kiosk mode when executed until a reboot is the proper way to ask the device owner app to call setLockTaskPackages() with the probably app to kiosk?

I probably have more questions, but this is all I can think of for now. Thanks for any answers.

Answer 1

Most of the questions have already been answered by Marek. I hope you figured out that you can silently install an APK under certain circumstances.

An example is shown here: https://github.com/wso2/product-emm/blob/master/modules/mobile-agents/android/system-service/app/src/main/java/org/wso2/emm/system/service/utils/AppUtils.java

Basically you simply invoke the PackageManagers installPackage Method through reflection - and when the app that does that has the required rights to do so (depends on android version, user the app is running as, signature of the app, etc), it will be performed in the background.

I know it work(ed) for system-apps / signed apps. And as the example above is from an EMM/MDM solution I assume you can invoke this when you're the DO/PO.

Answer 2

Yes, you can use NFC to setup your own Device Owner (DO) or Profile Owner (PO) device admin, see:

Activate a device owner using NFC on Android Lollipop

1. Using NFC, you cannot directly provision a custom launcher, but you can provision a device admin application that downloads and installs a launcher. The device admin application can also use all policies in DevicePolicyManager as well as all standard public APIs to e.g. install applications, see:

Install Application programmatically on Android

2. No, there can only be one DO or PO in the device. The can however be multiple device admin applications that are neither DO or PO.

3. You can either send an URL or give a package name of an already installed application.

4. Policies set by the device admin are stored by DevicePolicyManager in an xml file. The policies are preserved during re-boot.

5. Yes, the device admin can use the setLockTaskPackages() to enable kiosk mode of an application.

Hope this helps.

/Marek Pola, Sony Mobile.