Skip to content

Most visited

Recently visited

navigation

Android for Work Updates

This document describes the new Android for Work features provided in Android N.

QR Code Provisioning

Android for Work now supports using QR codes to provision corporate-liable devices. The setup wizard now allows you to scan a QR code to provision the device.

Work Profile Security Challenge

Profile owners can require users to specify a security challenge for apps running in the work profile. The system shows the security challenge when the user attempts to open any work apps. If the user successfully completes the security challenge, the system unlocks the work profile and decrypts it if necessary.

If a profile owner sends an ACTION_SET_NEW_PASSWORD intent, the system prompts a user to set up a security challenge. The profile owner can also send an ACTION_SET_NEW_PARENT_PROFILE_PASSWORD intent to prompt the user to set a device lock.

Profile owners can choose to set the password policies for the work challenge differently from the policies for other device passwords. For example, the minimum length for the device challenge response can be different from the length required for other passwords. Profile owners set the challenge policies using the usual DevicePolicyManager methods, such as setPasswordQuality() and setPasswordMinimumLength(). The profile owner can also set the device lock, by using the DevicePolicyManager instance returned by the new DevicePolicyManager.getParentProfileInstance() method. Additionally, profile owners can customize the credentials screen for the work challenge by using the DevicePolicyManager class's new setOrganizationColor() and setOrganizationName() methods.

For details on the new methods and constants, see the DevicePolicyManager reference page in the N Preview SDK Reference.

Disable Access to Apps

Device owners and profile owners can temporarily suspend access to packages by calling the new DevicePolicyManager.setPackagesSuspended() method. Owners can use the same method to re-enable those packages.

While a package is suspended, it cannot start activities, notifications to the package are suppressed, and the app's entry in the overview screen is hidden. Suspended packages do not show in the overview screen, and they cannot show dialogs (including toasts and snackbars). They also cannot play audio or vibrate the device.

Launchers should apply a distinctive UI to suspended apps to show that the apps aren't currently available; for example, they might render the app icon in gray. Launchers can find out if an app is suspended by calling the new DevicePolicyManager.getPackageSuspended() method.

Toggle Work Mode

On dual-profile devices, users can toggle work mode on and off. While work mode is turned off, the managed profile is temporarily shut down. Work profile apps, background sync, and notifications are all disabled, including the profile owner app. While the work profile is disabled, the system displays a persistent status icon to remind users that they can't launch work apps. The system launcher indicates that work apps and widgets are not accessible.

Always-On VPN

Device owners and profile owners can require that work apps always connect to the network through a specified VPN. If owners set this requirement, the device automatically starts that VPN at boot time.

Owners can require use of a VPN by calling the new DevicePolicyManager.setAlwaysOnVpnPackage() method. To find out if the owner has set a VPN requirement, call the new DevicePolicyManager.GetAlwaysOnVpnPackage() method.

Because the system can directly bind VPN services without app interaction, VPN clients need to handle new entry points for always-on VPN. As before, you can find active services by using an intent filter that matches the action android.net.VpnService.

Users can manually set an always-on VPN client that implement VpnService by using the Settings > More > VPN screen.

Contacts Integration with Work Profile

Profile owners can allow local search and directory lookup of work contacts from the primary user. For example, a user can access both personal and work directory contacts from their personal dialer or contacts application (if permitted by their profile administrator).

Developers that leverage the Contact Provider can use the Enterprise Contacts API to access work profile directory entries from the primary user if allowed by policy:

  • ContactsContract.Contacts.ENTERPRISE_CONTENT_FILTER_URI
  • ContactsContract.Phone.ENTERPRISE_CONTENT_FILTER_URI
  • ContactsContract.Email.ENTERPRISE_CONTENT_FILTER_URI
  • ContactsContract.Callable.ENTERPRISE_CONTENT_FILTER_URI
  • ContactsContract.Directory.ENTERPRISE_CONTENT_URI
  • ContactsContract.Directory.isEntepriseDirectoryId()

Profile owners can control the visibility of work contacts in the primary user using the following new methods:

  • DevicePolicyManager.setCrossProfileContactsSearchDisabled()
  • DevicePolicyManager.getCrossProfileContactsSearchDisabled()

Remote Reboot

Device owners can remotely reboot devices. In some cases, devices deployed in public places inside enclosures can prevent access to the power button. If a device needs to be rebooted, administrators can do so using the new DevicePolicyManager.reboot() method.

Disable Data Roaming

Device owners can disable data roaming using the new UserManager user restriction DISALLOW_DATA_ROAMING.

Enterprise Process Logging

Device owners can identify suspicious activity by remotely tracking device activity, including app launches, adb activity, and screen unlocks. Process logs don’t require user consent. To retrieve logs, device owners enable device logging using DevicePolicyManager.setSecurityLoggingEnabled().

API changes include:

  • The new class android.app.admin.SecurityLog and its methods
  • void DevicePolicyManager.setSecurityLoggingEnabled()
  • boolean DevicePolicyManager.isSecurityLoggingEnabled()
  • List<SecurityEvent> DevicePolicyManager.retrieveSecurityLogs()
  • List<SecurityEvent> DevicePolicyManager.retrievePreRebootSecurityLogs()
  • void DeviceAdminReceiver.onSecurityLogsAvailable()

Remote Bug Reports

Device owners can remotely trigger and retrieve a bug report that contains a device state dump file, which allows forensic investigation of a known incident or compromised device. Due to the detailed nature of the bug report, user consent is required.

Android N includes the following API additions to support this feature. For details, see the N Preview SDK Reference.

  • DevicePolicyManager.requestBugreport()
  • DeviceAdminReceiver.onBugreportFailed()
  • DeviceAdminReceiver.onBugreportShared()
  • DeviceAdminReceiver.onBugreportSharingDeclined()
  • DeviceAdminReceiver.BUGREPORT_FAILURE_FAILED_COMPLETING
  • DeviceAdminReceiver.BUGREPORT_FAILURE_FILE_NO_LONGER_AVAILABLE

Remove a Client Certificate

Profile owners and device owners can now remove client certificates that were installed through installKeyPair() by calling the new method DevicePolicyManager.removeKeyPair().

Grant Access to Client Certificate on Installation

If a profile owner or device owner grants a third-party app the ability to manage certificates, the app can grant itself access to certificates it installs without any intervention by the owner.

The existing API for managing certificates is extended to include:

  • DevicePolicyManager.installKeyPair()

System UI Policy Transparency

Policies that affect the user experience or restrict user Settings are fully disclosed to the user, and profile owners and device owners can attribute the policy to their company’s IT department. In addition to a consistent “Action not allowed” message in Settings, IT administrators can set an organization-specific support message in device settings with the following new DevicePolicyManager methods:

  • DevicePolicyManager.setShortSupportMessage()
  • DevicePolicyManager.setLongSupportMessage()

Managed Configurations Enhancements

The device or profile owner can enable another application to manage configurations via the new DevicePolicyManager.setApplicationRestrictionsManagingPackage() method. The nominated application can check whether this permission has been granted by calling DevicePolicyManager.isCallerApplicationRestrictionsManagingPackage().

An application nominated to manage configurations can call setApplicationRestrictions() and getApplicationRestrictions() for any packages within that user or profile.

Location Off Switch

Users can disable location permissions for work apps while continuing to access location information in their personal apps. A separate location access switch in Location Settings allows users to deny location updates or last-location queries for apps running in the work profile.

The top level location off switch disables location access for both the primary profile and the managed profile.

Customized Provisioning

An application can customize the profile owner and device owner provisioning flows with corporate colors and logos.

DevicePolicyManager.EXTRA_PROVISIONING_MAIN_COLOR
Customizes flow color.
DevicePolicyManager.EXTRA_PROVISIONING_LOGO_URI
Customizes the flow with a corporate logo.

Multiple Wi-Fi CA Certificates

Profile owners and device owners can set multiple CA certificates for a given Wi-Fi configuration. When corporate Wi-Fi networks have separate CAs for separate access points with the same SSID, IT administrators can include all relevant CAs in the Wi-Fi configuration using the new method setCaCertificates().

APIs added are:

  • WifiEnterpriseConfig.setCaCertificates()
  • WifiEnterpriseConfig.getCaCertificates()

Customized Lockscreen Message

Device owners can provide owner information to be shownon the lockscreen. This information takes precedence over the user lock screen message (if one is set). New DevicePolicyManager methods are:

  • setDeviceOwnerLockScreenInfo()
  • getDeviceOwnerLockScreenInfo()

Work Profile ConnectionService

Profile owners can specify a work dialer application that uses a work-specific ConnectionService for the calling backend (calling accounts). The work dialer maintains a work-only call log and relies on work contacts only. Users have a consistent in-call UI experience regardless of dialing application. Incoming work calls to the work calling accounts are distinguished from personal incoming calls to the personal calling accounts.

The dialer should check for the new flag android.telecom.Call.PROPERTY_ENTERPRISE_CALL to determine if a call is a work call. If a call is a work call, the dialer should indicate this, such as by adding a work badge.

Lock Down Wallpaper

A new user restriction (DISALLOW_SET_WALLPAPER) prevents the user from changing their wallpaper. The device owner or profile owner can still change the wallpaper, but they can only change the wallpaper for the user or profile they control. For example, a profile owner can’t change the wallpaper of the parent user, but a profile owner in the primary profile or device owner can. A profile owner or device owner that wants to change the wallpaper should check whether the the user or profile they manage has a wallpaper (isWallpaperSupported()) and whether they are allowed to change it (with the new method WallpaperManager.isWallpaperSettingAllowed())

Lock Down User Icon

A new user restriction (DISALLOW_SET_USER_ICON) prevents the user from changing their user icon. The user’s device owner or profile owner can still change the icon. However, a profile owner can only change the user icon for the profile it controls.

Device Health Monitoring

A device owner or profile owner can use the new HardwarePropertiesManager interface to retrieve information about device health, such as CPU or GPU temperatures and CPU usage. The new monitoring interface is especially useful for monitoring unattended devices running in a remote location.

This site uses cookies to store your preferences for site-specific language and display options.

Hooray!

This class requires API level or higher

This doc is hidden because your selected API level for the documentation is . You can change the documentation API level with the selector above the left navigation.

For more information about specifying the API level your app requires, read Supporting Different Platform Versions.