Single webapp kiosk mode via Android Management API

笑着哭i submitted on 2019-12-25 01:14:34

Question


I'm trying to apply a policy to a few tablets via the Android Management API. I've been able to create my enterprise, web app, policy, and add the devices without issue.

The trouble I'm having is with my policy. I've tried various versions from SO and the documentation, but it's either not locking the tablet down or I'm getting non-compliance errors.

Policies I've Tried

Version 1 (source)

{
  "version": 1,
  "applications": [
   {
     "packageName": "com.google.my.webapp",
     "installType": "KIOSK",
     "defaultPermissionPolicy": "GRANT"
   },
   {
     "packageName": "com.android.chrome",
     "installType": "FORCE_INSTALLED",
     "managedConfiguration": {
       "URLBlacklist": ["*"],
       "URLWhitelist": ["my.whitelabeled.url.com"]
     },
     "defaultPermissionPolicy": "GRANT"
   }
  ]
}

Version 2 (source)

{
  "version": 2,
  "applications": [
    {
      "packageName": "com.android.chrome",
      "installType": "FORCE_INSTALLED",
      "defaultPermissionPolicy": "GRANT",
      "managedConfiguration": {
        "URLBlacklist": [
          "*"
        ],
        "URLWhitelist": [
          "my.whitelabeled.url.com"
        ]
      }
    },
    {
      "packageName": "com.google.my.webapp",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT"
    }
  ],
  "statusBarDisabled": true,
  "keyguardDisabled": true
}

Version 3 (source)

{
  "version": 3,
  "applications": [
    {
      "packageName": "com.google.my.webapp",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT"
    }
  ],
  "cameraDisabled": true,
  "defaultPermissionPolicy": "GRANT",
  "debuggingFeaturesAllowed": true
}

Along with a few other variations of the above and from other examples. None of them lock down the device. It looks like I'm getting some errors when I view my devices (output below) that indicate there are MANAGEMENT_MODE issues, which makes sense since it looks like the policy is just PROFILE_OWNER.

  "devices": [
    {
      "name": "enterprises/__enterpriseid__/devices/__deviceid__",
      "managementMode": "PROFILE_OWNER",
      "state": "ACTIVE",
      "appliedState": "ACTIVE",
      "nonComplianceDetails": [
        {
          "settingName": "applications",
          "nonComplianceReason": "MANAGEMENT_MODE",
          "packageName": "com.google.my.webapp"
        },
        {
          "settingName": "systemErrorDialogsDisabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "lockTaskFeatures",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "persistentPreferredActivities",
          "nonComplianceReason": "INVALID_VALUE",
          "packageName": "com.google.my.webapp"
        },
        {
          "settingName": "statusBarDisabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        },
        {
          "settingName": "wifiConfigsLockdownEnabled",
          "nonComplianceReason": "MANAGEMENT_MODE"
        }
      ],
      ...
    }
  ]

I'm sure I should've specified that somewhere, but I'm unable to find it.

Does anyone have a working policy that:

  • Boots up Chrome and/or a web app on start
  • Locks Chrome, without the weird pinning options
  • Hides the status menu/buttons
  • Doesn't let the tablet sleep

Thank you!


Answer 1:


If you want to dedicate a device to a single app, then you need managementMode: "DEVICE_OWNER". You enroll the device on initial setup (you can't enroll the device later with this management mode).

You can think of PROFILE_OWNER as the following ... employee has their own Android device, but wants access to employer-maintained apps and data etc. Employer wants to control access to those apps, and does so via the Android Management API policies.

So the IT staff associate the employee-owned device with a work policy. This process installs a separate profile on the device that's only used for work, and can later be wiped (which won't wipe the user's personal profile from the device). So if the employee leaves, the work access is revoked, but their phone is as it was before.

If the device is fully owned by an employer and is designed to run one app, you should absolutely be running in DEVICE_OWNER management mode. This allows you to lock and pin a single application, and stop users breaking out and doing other stuff they shouldn't be doing with the device.
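
An added example (not part of the original answer or of any Android Management API sample): a Python triage over the devices listing shown in the question, separating settings rejected with MANAGEMENT_MODE, which per the answer need re-enrollment as DEVICE_OWNER, from other non-compliance reasons. The sample data is constructed from the output above, the second device is invented for contrast, and the script assumes every listed device is meant to be a kiosk.

```python
import json

# Constructed sample shaped like the devices listing quoted in the question
# (placeholder ids; the second device is invented for contrast).
SAMPLE = json.loads("""
{"devices": [
  {"name": "enterprises/__enterpriseid__/devices/__deviceid__",
   "managementMode": "PROFILE_OWNER",
   "nonComplianceDetails": [
     {"settingName": "applications", "nonComplianceReason": "MANAGEMENT_MODE",
      "packageName": "com.google.my.webapp"},
     {"settingName": "lockTaskFeatures", "nonComplianceReason": "MANAGEMENT_MODE"},
     {"settingName": "persistentPreferredActivities",
      "nonComplianceReason": "INVALID_VALUE", "packageName": "com.google.my.webapp"},
     {"settingName": "statusBarDisabled", "nonComplianceReason": "MANAGEMENT_MODE"}
   ]},
  {"name": "enterprises/__enterpriseid__/devices/__kiosk2__",
   "managementMode": "DEVICE_OWNER", "nonComplianceDetails": []}
]}
""")


def triage(listing):
    """Group devices by what stops the kiosk policy from applying."""
    report = {"reenroll": {}, "other_issues": {}, "ok": []}
    for dev in listing.get("devices", []):
        name = dev.get("name", "<unnamed>")
        mode = dev.get("managementMode")
        details = dev.get("nonComplianceDetails", [])
        blocked = sorted({d.get("settingName", "?") for d in details
                          if d.get("nonComplianceReason") == "MANAGEMENT_MODE"})
        other = sorted({(d.get("settingName", "?"), d.get("nonComplianceReason", ""))
                        for d in details
                        if d.get("nonComplianceReason") != "MANAGEMENT_MODE"})
        if mode != "DEVICE_OWNER" or blocked:
            # Assumption: every listed device is a dedicated kiosk. Per the answer,
            # DEVICE_OWNER is set at initial setup, so a policy edit cannot fix this.
            report["reenroll"][name] = {"mode": mode, "blocked": blocked}
        if other:
            report["other_issues"][name] = other
        if mode == "DEVICE_OWNER" and not details:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```
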



Source: https://stackoverflow.com/questions/59235208/single-webapp-kiosk-mode-via-android-management-api
