This document describes the new Android for Work features provided in -Android N.
- -- Android for Work now supports using QR codes to provision corporate-liable - devices. The setup wizard now allows you to scan a QR code to provision - the device. -
- -- Profile owners can require users to specify a security challenge for apps - running in the work profile. The system shows the security challenge when the - user attempts to open any work apps. If the user successfully completes the - security challenge, the system unlocks the work profile and decrypts it if - necessary. -
- -
- If a profile owner sends an {@link
- android.app.admin.DevicePolicyManager#ACTION_SET_NEW_PASSWORD} intent, the
- system prompts a user to set up a security challenge. The profile owner can
- also send an ACTION_SET_NEW_PARENT_PROFILE_PASSWORD intent to
- prompt the user to set a device lock.
-
- Profile owners can choose to set the password policies for the work challenge
- differently from the policies for other device passwords. For example, the
- minimum length for the device challenge response can be different from the
- length required for other passwords. Profile owners set the challenge
- policies using the usual {@link android.app.admin.DevicePolicyManager}
- methods, such as {@link
- android.app.admin.DevicePolicyManager#setPasswordQuality
- setPasswordQuality()} and {@link
- android.app.admin.DevicePolicyManager#setPasswordMinimumLength
- setPasswordMinimumLength()}. The profile owner can also set the device lock,
- by using the {@link android.app.admin.DevicePolicyManager} instance returned
- by the new DevicePolicyManager.getParentProfileInstance()
- method. Additionally, profile owners can customize the credentials screen for
- the work challenge by using the {@link android.app.admin.DevicePolicyManager}
- class's new setOrganizationColor() and
- setOrganizationName() methods.
-
- For details on the new methods and constants, see the
- DevicePolicyManager reference page in the N Preview SDK Reference.
-
- Device owners and profile owners can temporarily suspend access to packages
- by calling the new DevicePolicyManager.setPackagesSuspended()
- method. Owners can use the same method to re-enable those packages.
-
- While a package is suspended, it cannot start activities, notifications to - the package are suppressed, and the app's entry in the overview screen is hidden. - Suspended packages do not show in the overview screen, and they - cannot show dialogs (including toasts and snackbars). They also cannot play - audio or vibrate the device. -
- -
- Launchers should apply a distinctive UI to suspended apps to show that the
- apps aren't currently available; for example, they might render the app icon
- in gray. Launchers can find out if an app is suspended by calling the new
- DevicePolicyManager.getPackageSuspended() method.
-
- On dual-profile devices, users can toggle work mode on and off. While work - mode is turned off, the managed profile is temporarily shut down. Work - profile apps, background sync, and notifications are all disabled, including - the profile owner app. While the work profile is disabled, the system - displays a persistent status icon to remind users that they can't launch work - apps. The system launcher indicates that work apps and widgets are not - accessible. -
- -- Device owners and profile owners can require that work apps always connect to - the network through a specified VPN. If owners set this requirement, the - device automatically starts that VPN at boot time. -
- -
- Owners can require use of a VPN by calling the new
- DevicePolicyManager.setAlwaysOnVpnPackage() method. To find out
- if the owner has set a VPN requirement, call the new
- DevicePolicyManager.GetAlwaysOnVpnPackage() method.
-
- Because the system can directly bind VPN services without app interaction, - VPN clients need to handle new entry points for always-on VPN. As before, you - can find active services by using an intent filter that matches the action - {@link android.net.VpnService android.net.VpnService}. -
- -- Users can manually set an always-on VPN client that implement {@link - android.net.VpnService} by using the Settings > More > - VPN screen. -
- -- Profile owners can allow local search and directory lookup of work contacts - from the primary user. For example, a user can access both personal and work - directory contacts from their personal dialer or contacts application (if - permitted by their profile administrator). -
- -- Developers that leverage the Contact Provider can use the Enterprise Contacts - API to access work profile directory entries from the primary user if allowed - by policy: -
- -ContactsContract.Contacts.ENTERPRISE_CONTENT_FILTER_URI
- ContactsContract.Phone.ENTERPRISE_CONTENT_FILTER_URI
- ContactsContract.Email.ENTERPRISE_CONTENT_FILTER_URI
- ContactsContract.Callable.ENTERPRISE_CONTENT_FILTER_URI
- ContactsContract.Directory.ENTERPRISE_CONTENT_URI
- ContactsContract.Directory.isEntepriseDirectoryId()
- - Profile owners can control the visibility of work contacts in the primary - user using the following new methods: -
- -DevicePolicyManager.setCrossProfileContactsSearchDisabled()
- DevicePolicyManager.getCrossProfileContactsSearchDisabled()
-
- Device owners can remotely reboot devices. In some cases, devices deployed in
- public places inside enclosures can prevent access to the power button. If a
- device needs to be rebooted, administrators can do so using the new
- DevicePolicyManager.reboot() method.
-
- Device owners can disable data roaming using the new {@link
- android.os.UserManager} user restriction DISALLOW_DATA_ROAMING.
-
- Device owners can identify suspicious activity by remotely tracking device
- activity, including app launches, adb activity, and screen unlocks. Process
- logs don’t require user consent. To retrieve logs, device owners enable
- device logging using DevicePolicyManager.setSecurityLoggingEnabled().
-
- API changes include: -
- -android.app.admin.SecurityLog and its
- methods
- void DevicePolicyManager.setSecurityLoggingEnabled()
- boolean DevicePolicyManager.isSecurityLoggingEnabled()
- List<SecurityEvent>
- DevicePolicyManager.retrieveSecurityLogs()
- List<SecurityEvent>
- DevicePolicyManager.retrievePreRebootSecurityLogs()
- void DeviceAdminReceiver.onSecurityLogsAvailable()
- - Device owners can remotely trigger and retrieve a bug report that contains a - device state dump file, which allows forensic investigation of a known - incident or compromised device. Due to the detailed nature of the bug report, - user consent is required. -
- -- Android N includes the following API additions to support this feature. For - details, see the N Preview SDK - Reference. -
- -DevicePolicyManager.requestBugreport()
- DeviceAdminReceiver.onBugreportFailed()
- DeviceAdminReceiver.onBugreportShared()
- DeviceAdminReceiver.onBugreportSharingDeclined()
- DeviceAdminReceiver.BUGREPORT_FAILURE_FAILED_COMPLETING
- DeviceAdminReceiver.BUGREPORT_FAILURE_FILE_NO_LONGER_AVAILABLE
-
- Profile owners and device owners can now remove client certificates that were
- installed through {@link android.app.admin.DevicePolicyManager#installKeyPair
- installKeyPair()} by calling the new method
- DevicePolicyManager.removeKeyPair().
-
- If a profile owner or device owner grants a third-party app the ability to - manage certificates, the app can grant itself access to certificates it - installs without any intervention by the owner. -
- -- The existing API for managing certificates is extended to include: -
- -DevicePolicyManager.installKeyPair()
- - Policies that affect the user experience or restrict user Settings are fully - disclosed to the user, and profile owners and device owners can attribute the - policy to their company’s IT department. In addition to a consistent “Action - not allowed” message in Settings, IT administrators can set an - organization-specific support message in device settings with the following - new {@link android.app.admin.DevicePolicyManager} methods: -
- -DevicePolicyManager.setShortSupportMessage()
- DevicePolicyManager.setLongSupportMessage()
-
- The device or profile owner can enable another application to manage
- configurations via the new
- DevicePolicyManager.setApplicationRestrictionsManagingPackage()
- method. The nominated application can check whether this permission has been
- granted by calling
- DevicePolicyManager.isCallerApplicationRestrictionsManagingPackage().
-
- An application nominated to manage configurations can call {@link - android.app.admin.DevicePolicyManager#setApplicationRestrictions - setApplicationRestrictions()} and {@link - android.app.admin.DevicePolicyManager#getApplicationRestrictions - getApplicationRestrictions()} for any packages within that user or profile. -
- -- Users can disable location permissions for work apps while continuing to - access location information in their personal apps. A separate location - access switch in Location Settings allows users to deny location updates or - last-location queries for apps running in the work profile. -
- -- The top level location off switch disables location access for both the - primary profile and the managed profile. -
- -- An application can customize the profile owner and device owner provisioning - flows with corporate colors and logos. -
- -DevicePolicyManager.EXTRA_PROVISIONING_MAIN_COLOR
- DevicePolicyManager.EXTRA_PROVISIONING_LOGO_URI
-
- Profile owners and device owners can set multiple CA certificates for a given
- Wi-Fi configuration. When corporate Wi-Fi networks have separate CAs for
- separate access points with the same SSID, IT administrators can include all
- relevant CAs in the Wi-Fi configuration using the new method
- setCaCertificates().
-
- APIs added are: -
- -WifiEnterpriseConfig.setCaCertificates()
- WifiEnterpriseConfig.getCaCertificates()
- - Device owners can provide owner information to be shownon the lockscreen. - This information takes precedence over the user lock screen message (if one is - set). New {@link android.app.admin.DevicePolicyManager} methods are: -
- -setDeviceOwnerLockScreenInfo()
- getDeviceOwnerLockScreenInfo()
- - Profile owners can specify a work dialer application that uses a - work-specific {@link android.telecom.ConnectionService} for the calling - backend (calling accounts). The work dialer maintains a work-only call log - and relies on work contacts only. Users have a consistent in-call UI - experience regardless of dialing application. Incoming work calls to the work - calling accounts are distinguished from personal incoming calls to the - personal calling accounts. -
- -
- The dialer should check for the new flag
- android.telecom.Call.PROPERTY_ENTERPRISE_CALL to determine if a call
- is a work call. If a call is a work call, the dialer should indicate this,
- such as by adding a work badge.
-
- A new user restriction (DISALLOW_SET_WALLPAPER) prevents the
- user from changing their wallpaper. The device owner or profile owner can
- still change the wallpaper, but they can only change the wallpaper for the
- user or profile they control. For example, a profile owner can’t change the
- wallpaper of the parent user, but a profile owner in the primary profile or
- device owner can. A profile owner or device owner that wants to change the
- wallpaper should check whether the the user or profile they manage has a
- wallpaper ({@link android.app.WallpaperManager#isWallpaperSupported
- isWallpaperSupported()}) and whether they are allowed to change it (with the
- new method WallpaperManager.isWallpaperSettingAllowed())
-
- A new user restriction (DISALLOW_SET_USER_ICON) prevents the
- user from changing their user icon. The user’s device owner or profile owner
- can still change the icon. However, a profile owner can only change the user
- icon for the profile it controls.
-
- A device owner or profile owner can use the new
- HardwarePropertiesManager interface to retrieve information
- about device health, such as CPU or GPU temperatures and CPU usage. The new
- monitoring interface is especially useful for monitoring unattended devices
- running in a remote location.
-