Reputation: 1
Confusion with Android App Configuration Policy and Permission Grants
I'm trying to understand a discrepancy in the Android App Configuration Policy. The policy has defaultPermissionPolicy set to DENY, yet under the app-level permissionGrants, the camera permission is set to PROMPT. According to the development documentation, permissionGrants should override the policy-level defaultPermissionPolicy. However, when I apply this to a device, it doesn’t seem to work as expected. When I try to access the camera, it directly shows a permission denied message.
"permissionGrants": [{
"autoUpdateMode": "AUTO_UPDATE_DEFAULT",
"defaultPermissionPolicy": "PROMPT",
"installType": "AVAILABLE",
"packageName": "com.mt.mtxx.mtxx",
"permissionGrants": [
{
"permission": "android.permission.CAMERA",
"policy": "PROMPT"
}
]
}]
"defaultPermissionPolicy": "DENY",
Has anyone else encountered this issue or can provide insight into what might be going wrong?
Upvotes: 0
Views: 65
Answers (1)
Reputation: 191
Tested this on my end and it is working as intended.
On Fully Managed Devices (Device Owner), the values set on app level permissionGrants overrides the restriction set using permissionGrants and defaultPermissionPolicy which applies to all apps.
Another thing to note is starting on Android 12, profile owners may no longer grant sensor-related permissions, but may deny them. This is part of the security and privacy enhancements changes that were introduced in Android 12 (API level 31) which are listed here.
You may also want to double check your policy and build it according to our documentation.
Using the policy below, I was able to confirm that android.permission.CAMERA was granted for the app.
{
"applications": [
{
"packageName": "com.android.example",
"installType": "FORCE_INSTALLED",
"permissionGrants": [
{
"permission": "android.permission.CAMERA",
"policy": "GRANT"
}
]
}
],
"permissionGrants": [
{
"permission": "android.permission.CAMERA",
"policy": "PROMPT"
}
],
"defaultPermissionPolicy": "DENY"
}
Upvotes: 2
Related Questions
- Cannot create a work profile The security policy prevents the creation of a managed device because a custom os is or has been installed on this device
- Android management API: find device in list of devices on android Q
- How do accessible track ids get applied to app using Android Management API
- How does designing custom android DPC app relate to Android management API?
- How to get runtime time permissions using android management API?
- Enable Device's Camera App in Android Management API Policy
- Cannot suspend apps with the PACKAGE_ACCESS delegation
- Kiosk app updates when device not online at consistent times
- How to remotely configure an enterprise Android app via an Enterprise Mobility Management tool?
- Cosu app development through Android Management Api or device owner locktask