src/devices/tech/admin/provision.jd - platform/docs/source.android.com - Git at Google

 page.title=Provisioning for Device Administration
 @jd:body

 <!--
     Copyright 2015 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <div id="qv-wrapper">
   <div id="qv">
     <h2>In this document</h2>
     <ol id="auto-toc">
     </ol>
   </div>
 </div>

 <p>This page describes the process for deploying devices to corporate users.</p>

 <p>Device owner provisioning can be accomplished over NFC or with an activation
 code. See <a href="implement.html">Implementing Device Administration</a> for
 the complete list of requirements.</p>

 <p>Download the <a
 href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning
 APK</a> and <a
 href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner
 APK</a>.</p>

 <h2 id=managed_provisioning>Managed Provisioning</h2>

 <p>Managed Provisioning is a framework UI flow to ensure users are adequately
 informed of the implications of setting a device owner or managed profile. You can
 think of it as a setup wizard for managed profiles.</p>

 <p class="note"><strong>Note:</strong> Remember, the device owner can be set
 only from an unprovisioned device. If
 <code>Settings.Secure.USER_SETUP_COMPLETE</code> has ever been set, then the
 device is considered provisioned & device owner cannot be set.</p>

 <p>Please note, devices that enable default encryption offer considerably
 simpler/quicker device administration provisioning flow. The managed provisioning
 component:</p>

 <ul>
   <li>Encrypts the device</li>
   <li>Creates the managed profile</li>
   <li>Disables non-required applications</li>
   <li>Sets the enterprise mobility management (EMM) app as profile owner</li>
 </ul>

 <p>In turn, the EMM app:</p>

 <ul>
   <li>Adds user accounts</li>
   <li>Enforces device compliance</li>
   <li>Enables any additional system applications</li>
 </ul>

 <p>In this flow, managed provisioning triggers device encryption. The framework
   copies the EMM app into the managed profile as part of managed provisioning.
   The instance of the EMM app inside of the managed profile gets a callback from the
 framework when provisioning is done.</p>

 <p>The EMM can then add accounts and enforce policies; it then calls
 <code>setProfileEnabled()</code>, which makes the launcher icons visible.</p>

 <h2 id=profile_owner_provisioning>Profile Owner Provisioning</h2>

 <p>Profile owner provisioning assumes the user of the device oversees its
 management (and not a company IT department). To enable, profile owner
 provisioning, you must send an intent with appropriate extras. See the <a href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a> for an example.</p>

 <p>Mobile Device Management (MDM) applications trigger the creation of the managed
 profile by sending an intent with action:</p>

 <p><a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a></p>

 <p>Here is a sample intent that will trigger the creation of the managed profile
 and set the DeviceAdminSample as the profile owner:</p>

 <pre>
 adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
           -c android.intent.category.DEFAULT \
 	      -e wifiSsid $(printf '%q' \"GoogleGuest\") \
           -e deviceAdminPackage "com.google.android.deviceadminsample" \
 	      -e android.app.extra.deviceAdminPackageName $(printf '%q'
                         .DeviceAdminSample\$DeviceAdminSampleReceiver) \
 	      -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
 </pre>

 <h2 id=device_owner_provisioning_via_nfc>Device Owner Provisioning via NFC</h2>

 <p>Device owner provisioning via NFC is similar to the profile owner method but
 requires more bootstrapping before managed provisioning.</p>

 <p>To use this method, <a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC bump</a> the device from the first page of setup wizard (SUW). This offers a low-touch
 flow and configures Wi-Fi, installs the DPC, and sets the DPC as device owner.</p>

 <p>Here is the typical NFC bundle:</p>

 <pre>
                 EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
                 EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
                 EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
                 EXTRA_PROVISIONING_WIFI_SSID
                 EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
 </pre>

 <p>The device must have NFC configured to accept the managed provisioning mimetype
 from SUW:</p>

 <pre>
 /packages/apps/Nfc/res/values/provisioning.xml

       &lt;bool name="enable_nfc_provisioning"&gt;true&lt;/bool&gt;
       &lt;item&gt;application/com.android.managedprovisioning&lt;/item&gt;
 </pre>

 <h2 id=device_owner_provisioning_with_activation_code>Device Owner Provisioning with Activation Code</h2>

 <p>Select <em>Add Work Account</em> from the setup wizard. This triggers a
 lookup of the EMM from Android servers.</p>

 <p>The device installs the EMM app and starts provisioning flow. As an extra
 option, Android device administration supports the option of using email
 address with a six-digit activation code to bootstrap the process as part of
 setup wizard.</p>

 <h2 id=emm_benefits>EMM benefits</h2>

 <p>An EMM can help by conducting these tasks for you:</p>

 <ul>
   <li>Provision managed profile
   <li>Apply security policies
   <ul>
     <li>Set password complexity
     <li>Lockdowns: disable screenshots, sharing from managed profile, etc.
   </ul>
   <li>Configure enterprise connectivity
   <ul>
     <li>Use WifiEnterpriseConfig to configure corporate Wi-Fi
     <li>Configure VPN on the device
     <li>Use DPM.setApplicationRestrictions() to configure corporate VPN
   </ul>
   <li>Enable corporate app Single Sign-On (SSO)
   <ul>
     <li>Install desired corporate apps
     <li>Use DPM.installKeyPair()to silently install corp client certs
     <li>Use DPM.setApplicationRestrictions() to configure hostnames, cert alias’ of
 corporate apps
   </ul>
 </ul>

 <p>Managed provisioning is just one piece of the EMM end-to-end workflow, with the
   end goal being to make corporate data accessible to apps in the managed profile.</p>

 <p>See <a href="https://docs.google.com/document/d/1xWdZHjsDB_4FWQcHfPh84EuTvljoMgrc2JINGMBtDQg/edit#">Manual Setup for Device Owner Testing</a> for testing instructions.</p>
	page.title=Provisioning for Device Administration
	@jd:body

	<!--
	Copyright 2015 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<div id="qv-wrapper">
	<div id="qv">
	<h2>In this document</h2>
	<ol id="auto-toc">
	</ol>
	</div>
	</div>

	<p>This page describes the process for deploying devices to corporate users.</p>

	<p>Device owner provisioning can be accomplished over NFC or with an activation
	code. See <a href="implement.html">Implementing Device Administration</a> for
	the complete list of requirements.</p>

	<p>Download the <a
	href="https://github.com/googlesamples/android-NfcProvisioning">NfcProvisioning
	APK</a> and <a
	href="https://github.com/googlesamples/android-DeviceOwner">Android-DeviceOwner
	APK</a>.</p>

	<h2 id=managed_provisioning>Managed Provisioning</h2>

	<p>Managed Provisioning is a framework UI flow to ensure users are adequately
	informed of the implications of setting a device owner or managed profile. You can
	think of it as a setup wizard for managed profiles.</p>

	<p class="note"><strong>Note:</strong> Remember, the device owner can be set
	only from an unprovisioned device. If
	<code>Settings.Secure.USER_SETUP_COMPLETE</code> has ever been set, then the
	device is considered provisioned & device owner cannot be set.</p>

	<p>Please note, devices that enable default encryption offer considerably
	simpler/quicker device administration provisioning flow. The managed provisioning
	component:</p>

	<ul>
	<li>Encrypts the device</li>
	<li>Creates the managed profile</li>
	<li>Disables non-required applications</li>
	<li>Sets the enterprise mobility management (EMM) app as profile owner</li>
	</ul>

	<p>In turn, the EMM app:</p>

	<ul>
	<li>Adds user accounts</li>
	<li>Enforces device compliance</li>
	<li>Enables any additional system applications</li>
	</ul>

	<p>In this flow, managed provisioning triggers device encryption. The framework
	copies the EMM app into the managed profile as part of managed provisioning.
	The instance of the EMM app inside of the managed profile gets a callback from the
	framework when provisioning is done.</p>

	<p>The EMM can then add accounts and enforce policies; it then calls
	<code>setProfileEnabled()</code>, which makes the launcher icons visible.</p>

	<h2 id=profile_owner_provisioning>Profile Owner Provisioning</h2>

	<p>Profile owner provisioning assumes the user of the device oversees its
	management (and not a company IT department). To enable, profile owner
	provisioning, you must send an intent with appropriate extras. See the <a href="https://developer.android.com/samples/BasicManagedProfile/index.html">BasicManagedProfile.apk</a> for an example.</p>

	<p>Mobile Device Management (MDM) applications trigger the creation of the managed
	profile by sending an intent with action:</p>

	<p><a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/admin/DevicePolicyManager.java">DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE</a></p>

	<p>Here is a sample intent that will trigger the creation of the managed profile
	and set the DeviceAdminSample as the profile owner:</p>

	<pre>
	adb shell am start -a android.app.action.PROVISION_MANAGED_PROFILE \
	-c android.intent.category.DEFAULT \
	-e wifiSsid $(printf '%q' \"GoogleGuest\") \
	-e deviceAdminPackage "com.google.android.deviceadminsample" \
	-e android.app.extra.deviceAdminPackageName $(printf '%q'
	.DeviceAdminSample\$DeviceAdminSampleReceiver) \
	-e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
	</pre>

	<h2 id=device_owner_provisioning_via_nfc>Device Owner Provisioning via NFC</h2>

	<p>Device owner provisioning via NFC is similar to the profile owner method but
	requires more bootstrapping before managed provisioning.</p>

	<p>To use this method, <a href="http://developer.android.com/guide/topics/connectivity/nfc/nfc.html">NFC bump</a> the device from the first page of setup wizard (SUW). This offers a low-touch
	flow and configures Wi-Fi, installs the DPC, and sets the DPC as device owner.</p>

	<p>Here is the typical NFC bundle:</p>

	<pre>
	EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
	EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
	EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
	EXTRA_PROVISIONING_WIFI_SSID
	EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
	</pre>

	<p>The device must have NFC configured to accept the managed provisioning mimetype
	from SUW:</p>

	<pre>
	/packages/apps/Nfc/res/values/provisioning.xml

	<bool name="enable_nfc_provisioning">true</bool>
	<item>application/com.android.managedprovisioning</item>
	</pre>

	<h2 id=device_owner_provisioning_with_activation_code>Device Owner Provisioning with Activation Code</h2>

	<p>Select <em>Add Work Account</em> from the setup wizard. This triggers a
	lookup of the EMM from Android servers.</p>

	<p>The device installs the EMM app and starts provisioning flow. As an extra
	option, Android device administration supports the option of using email
	address with a six-digit activation code to bootstrap the process as part of
	setup wizard.</p>

	<h2 id=emm_benefits>EMM benefits</h2>

	<p>An EMM can help by conducting these tasks for you:</p>

	<ul>
	<li>Provision managed profile
	<li>Apply security policies
	<ul>
	<li>Set password complexity
	<li>Lockdowns: disable screenshots, sharing from managed profile, etc.
	</ul>
	<li>Configure enterprise connectivity
	<ul>
	<li>Use WifiEnterpriseConfig to configure corporate Wi-Fi
	<li>Configure VPN on the device
	<li>Use DPM.setApplicationRestrictions() to configure corporate VPN
	</ul>
	<li>Enable corporate app Single Sign-On (SSO)
	<ul>
	<li>Install desired corporate apps
	<li>Use DPM.installKeyPair()to silently install corp client certs
	<li>Use DPM.setApplicationRestrictions() to configure hostnames, cert alias’ of
	corporate apps
	</ul>
	</ul>

	<p>Managed provisioning is just one piece of the EMM end-to-end workflow, with the
	end goal being to make corporate data accessible to apps in the managed profile.</p>

	<p>See <a href="https://docs.google.com/document/d/1xWdZHjsDB_4FWQcHfPh84EuTvljoMgrc2JINGMBtDQg/edit#">Manual Setup for Device Owner Testing</a> for testing instructions.</p>