page.title=Building a Work Policy Controller
page.metaDescription=Learn how to develop a Work Policy Controller to create and administer a managed profile on an employee's device.
@jd:body

<div id="tb-wrapper">
<div id="tb">

<h2>This lesson teaches you to</h2>
<ol>
 <li><a href="#create_profile">Create a Managed Profile</a></li>
 <li><a href="#set_up_policies">Set Up Device Policies</a></li>
 <li><a href="#apply_restrictions">Apply App Restrictions</a></li>
</ol>

<!-- related docs (NOT javadocs) -->

<h2>
  You should also read
</h2>

<ul>
  <li>
    <a href="{@docRoot}guide/topics/admin/device-admin.html">Device
    Administration</a>
  </li>
</ul>

<h2>Resources</h2>
<ul>

  <li>
    <a href=
    "{@docRoot}samples/BasicManagedProfile/index.html">BasicManagedProfile</a>
  </li>

  <li>
    <a href=
    "{@docRoot}samples/AppRestrictionEnforcer/index.html">AppRestrictionEnforcer</a>
  </li>
</ul>

</div>
</div>


<p>
  In an Android for Work deployment, an enterprise needs to maintain control
  over certain aspects of the employees' devices. The enterprise needs to
  ensure that work-related information is encrypted and is kept separate from
  employees' personal data. The enterprise may also need to limit device
  capabilities, such as whether the device is allowed to use its camera. And
  the enterprise may require that approved apps provide app restrictions, so
  the enterprise can turn app capability on or off as needed.
</p>

<p>
  To handle these tasks, an enterprise develops and deploys a Work Policy
  Controller app. This app is installed on each employee's device. The
  controller app creates a work user
  profile, which accesses enterprise apps and data separately from the user's
  personal account. The controller app also acts as the
  bridge between the enterprise's management software and the device; the
  enterprise tells the controller app when it needs to make configuration
  changes, and the controller app makes the appropriate settings changes for the
  device and for other apps.
</p>

<p>
  This lesson describes how to develop a Work Policy Controller app for devices
  in an Android for Work deployment. The lesson describes how to create a work
  user profile, how to set device policies, and how to apply
  restrictions to other apps running on the managed profile.
</p>

<p class="note">
  <strong>Note:</strong> This lesson does not cover the situation where the
  only profile on the device is the managed profile, under the enterprise's
  control.
</p>

<h2 id="overview">Device Administration Overview</h2>

<p>
  In an Android for Work deployment, the enterprise administrator can set
  policies to control the behavior of employees' devices and apps. The
  enterprise administrator sets these policies with software provided by their
  Enterprise Mobility Management (EMM) provider. The EMM software communicates
  with a Work Policy Controller on each device. The Work Policy Controller, in
  turn, manages the settings and behavior of the work user profile on each
  individual’s device.
</p>

<p class="note">
  <strong>Note:</strong> A Work Policy Controller is built on the existing
  model used for device administration applications, as described in <a href=
  "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>.
  In particular, your app needs to create a subclass of {@link
  android.app.admin.DeviceAdminReceiver}, as described in that document.
</p>

<h3 id="managed_profiles">Managed profiles</h3>

<p>
  Users often want to use their personal devices in an enterprise setting. This
  situation can present enterprises with a dilemma. If the user can use their
  own device, the enterprise has to worry that confidential information (like
  employee emails and contacts) is on a device the enterprise does not
  control.
</p>

<p>
  To address this situation, Android 5.0 (API level 21) allows enterprises to
  set up a special work user profile using the Managed Profile API. This
  user profile is called a <em>managed profile</em>, or a <em>work profile</em>
  in the Android for Work program. If a device has a
  managed profile for work, the profile's settings are under the control of the
  enterprise administrator. The administrator can choose which apps are allowed
  for that profile, and can control just what device features are available to
  the profile.
</p>

<h2 id="create_profile">Create a Managed Profile</h2>

<p>To create a managed profile on a device that already has a personal profile,
first check that the device can support a managed profile, by seeing if the
device supports the {@link
android.content.pm.PackageManager#FEATURE_MANAGED_USERS FEATURE_MANAGED_USERS}
system feature:</p>

<pre>PackageManager pm = getPackageManager();
if (!pm.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS)) {

    // This device does not support native managed profiles!

}</pre>

<p>If the device supports managed profiles, create one by sending an intent with
an {@link android.app.admin.DevicePolicyManager#ACTION_PROVISION_MANAGED_PROFILE
ACTION_PROVISION_MANAGED_PROFILE} action. Include the device admin package
name as an extra.</p>

<pre>Activity provisioningActivity = getActivity();

// You'll need the package name for the WPC app.
String myWPCPackageName =
        provisioningActivity.getApplicationContext().getPackageName();

// Set up the provisioning intent, passing the WPC package name
// as the device admin package name extra
Intent provisioningIntent =
        new Intent("android.app.action.PROVISION_MANAGED_PROFILE");
provisioningIntent.putExtra(
        DevicePolicyManager.EXTRA_PROVISION_MANAGED_PROFILE_DEVICE_ADMIN_PACKAGE_NAME,
        myWPCPackageName);

if (provisioningIntent.resolveActivity(provisioningActivity.getPackageManager())
         == null) {

    // No handler for intent! Can't provision this device.
    // Show an error message and cancel.
} else {

    // REQUEST_PROVISION_MANAGED_PROFILE is defined
    // to be a suitable request code
    startActivityForResult(provisioningIntent,
            REQUEST_PROVISION_MANAGED_PROFILE);
    provisioningActivity.finish();
}</pre>

<p>The system responds to this intent by doing the following:</p>

<ul>
  <li>Verifies that the device is encrypted. If it is not, the system prompts
  the user to encrypt the device before proceeding.
  </li>

  <li>Creates a managed profile.
  </li>

  <li>Removes non-required applications from the managed profile.
  </li>

  <li>Copies the Work Policy Controller application into the managed profile and
    sets it as the profile owner.
  </li>
</ul>

<p>Override {@link android.app.Activity#onActivityResult onActivityResult()} to
see whether the provisioning was successful, as shown in the following
example code:</p>

<pre>&#64;Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {

    // Check if this is the result of the provisioning activity
    if (requestCode == REQUEST_PROVISION_MANAGED_PROFILE) {

        // If provisioning was successful, the result code is
        // Activity.RESULT_OK
        if (resultCode == Activity.RESULT_OK) {
            // Hurray! Managed profile created and provisioned!
        } else {
            // Boo! Provisioning failed!
        }
        return;

    } else {
        // This is the result of some other activity, call the superclass
        super.onActivityResult(requestCode, resultCode, data);
    }
}</pre>

<h3 id="after_creating_profile">After Creating the Managed Profile</h3>

<p>When the profile has been provisioned, the system calls the Work Policy
Controller app's {@link
android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete
DeviceAdminReceiver.onProfileProvisioningComplete()} method. Override this
callback method to finish enabling the managed profile.</p>

<p>Typically, your {@link
android.app.admin.DeviceAdminReceiver#onProfileProvisioningComplete
DeviceAdminReceiver.onProfileProvisioningComplete()} callback implementation
would perform these tasks:</p>

<ul>
  <li>Verify that the device is complying with the EMM's device policies, as
  described in <a href="#set_up_policies">Set Up Device Policies</a>
  </li>

  <li>Enable any system applications that the administrator chooses to make
  available within the managed profile, using {@link
  android.app.admin.DevicePolicyManager#enableSystemApp
  DevicePolicyManager.enableSystemApp()}
  </li>

  <li>If the device uses Google Play for Work, add the Google account
  to the managed profile with {@link android.accounts.AccountManager#addAccount
  AccountManager.addAccount()}, so administrators can install
  applications to the device
  </li>
</ul>

<p>Once you have completed these tasks, call the device policy manager's
{@link android.app.admin.DevicePolicyManager#setProfileEnabled
setProfileEnabled()} method to activate the managed profile:</p>


<pre>// Get the device policy manager
DevicePolicyManager myDevicePolicyMgr =
        (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);

ComponentName componentName = myDeviceAdminReceiver.getComponentName(this);

// Set the name for the newly created managed profile.
myDevicePolicyMgr.setProfileName(componentName, "My New Managed Profile");

// ...and enable the profile
myDevicePolicyMgr.setProfileEnabled(componentName);</pre>
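
<p>The callback tasks listed above, put together in one receiver. This is an
added example, not code from the original lesson or its samples; the class name
<code>ExampleAdminReceiver</code> and the package in
<code>SYSTEM_APPS_TO_ENABLE</code> are hypothetical. It leaves the profile
disabled unless the app is confirmed as profile owner.</p>

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

// Hypothetical receiver name; declare it in the manifest as a device admin.
public class ExampleAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "ExampleAdminReceiver";

    // Hypothetical allow-list; a real controller gets this from the EMM.
    private static final String[] SYSTEM_APPS_TO_ENABLE = {
        "com.example.systemcalculator"
    };

    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getWho(context);

        // Do not enable anything unless this app really owns the profile.
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            Log.e(TAG, "Not profile owner; leaving the profile disabled");
            return;
        }

        // Enable only the system apps the administrator approved.
        for (String pkg : SYSTEM_APPS_TO_ENABLE) {
            try {
                dpm.enableSystemApp(admin, pkg);
            } catch (RuntimeException e) {
                // For example, the package is not a system app on this device.
                Log.w(TAG, "Could not enable " + pkg, e);
            }
        }

        // Name the profile, then activate it as the last step so that
        // users never see a half-configured work profile.
        dpm.setProfileName(admin, "My New Managed Profile");
        dpm.setProfileEnabled(admin);
    }
}
```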

<h2 id="set_up_policies">Set Up Device Policies</h2>

<p>
  The Work Policy Controller app is responsible for applying the enterprise's
  device policies. For example, a particular enterprise might require that all
  devices become locked after a certain number of failed attempts to enter the
  device password. The controller app queries the EMM to find out what
  the current policies are, then uses the <a href=
  "{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>
  API to apply those policies.
</p>

<p>For information on how to apply device policies, see the
<a href="{@docRoot}guide/topics/admin/device-admin.html#policies">Device
Administration</a> guide.</p>
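
<p>A sketch of the apply-then-verify step described above, using the camera
restriction mentioned in the introduction and a password requirement. This is an
added example, not code from the original lesson; <code>PolicyApplier</code> and
<code>EmmPolicy</code> are hypothetical names, and how the policy values arrive
from the EMM is assumed.</p>

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

// Hypothetical helper; not part of the Android SDK or the lesson's samples.
public final class PolicyApplier {

    /** Hypothetical snapshot of the policy values received from the EMM. */
    public static final class EmmPolicy {
        public boolean cameraDisabled;
        public int minPasswordLength;
    }

    private PolicyApplier() {}

    /**
     * Applies the EMM policy through the Device Administration API.
     * Returns true only if the device currently complies with it.
     */
    public static boolean apply(Context context, ComponentName admin,
            EmmPolicy policy) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Limit device capabilities for the managed profile.
        dpm.setCameraDisabled(admin, policy.cameraDisabled);

        // Require an alphanumeric password of at least the given length.
        dpm.setPasswordQuality(admin,
                DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, policy.minPasswordLength);

        // Setting a password policy does not change the existing password,
        // so check whether the current one satisfies the new requirements.
        return dpm.isActivePasswordSufficient()
                && dpm.getCameraDisabled(admin) == policy.cameraDisabled;
    }
}
```

<p>When <code>apply()</code> returns <code>false</code>, the controller can hold
off on enabling the profile and prompt the user to choose a new password with
the <code>DevicePolicyManager.ACTION_SET_NEW_PASSWORD</code> intent.</p>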


<h2 id="apply_restrictions">Apply App Restrictions</h2>

<p>Enterprise environments may require that approved apps
implement security or feature restrictions. App developers must implement these
restrictions and declare them for use by enterprise administrators, as described
in <a href="{@docRoot}training/enterprise/app-restrictions.html">Implementing
App Restrictions</a>. The Work Policy Controller receives restriction changes
from the enterprise administrator, and forwards those restriction changes to the
apps.</p>

<p>For example, a particular news app might have a restriction setting that
controls whether the app is allowed to download videos over a cellular
network. When the EMM wants to disable cellular downloads, it sends a
notification to the controller app. The controller app, in turn,
notifies the news app that the restriction setting has changed.</p>

<p class="note"><strong>Note:</strong> This document covers how the Work Policy
Controller app changes the restriction settings for the other apps on the
managed profile. Details on how the Work Policy Controller app communicates with
the EMM are out of scope for this document.</p>

<p>To change an app's restrictions, call the {@link
android.app.admin.DevicePolicyManager#setApplicationRestrictions
DevicePolicyManager.setApplicationRestrictions()} method. This method is passed
three parameters: the controller app's {@link
android.app.admin.DeviceAdminReceiver}, the package name of the app whose
restrictions are being changed, and a {@link android.os.Bundle Bundle} that
contains the restrictions you want to set.</p>

<p>For example, suppose there's an app on the managed profile with the package
name <code>"com.example.newsfetcher"</code>. This app has a single boolean
restriction that can be configured, with the key
<code>"downloadByCellular"</code>. If this restriction is set to
<code>false</code>, the newsfetcher app is not allowed to download data through
a cellular network; it must use a Wi-Fi network instead.</p>

<p>
  If your Work Policy Controller app needs to turn off cellular downloads, it
  would first fetch the device policy service object, as described above. It
  then assembles a restrictions bundle and passes this bundle to {@link
  android.app.admin.DevicePolicyManager#setApplicationRestrictions
  setApplicationRestrictions()}:
</p>

<pre>// Fetch the DevicePolicyManager
DevicePolicyManager myDevicePolicyMgr =
        (DevicePolicyManager) thisActivity
                .getSystemService(Context.DEVICE_POLICY_SERVICE);

// Set up the restrictions bundle
Bundle restrictionsBundle = new Bundle();
restrictionsBundle.putBoolean("downloadByCellular", false);

// Pass the restrictions to the policy manager. Assume the WPC app
// already has a DeviceAdminReceiver defined (myDeviceAdminReceiver).
myDevicePolicyMgr.setApplicationRestrictions(
        myDeviceAdminReceiver, "com.example.newsfetcher", restrictionsBundle);</pre>


<p class="note"><strong>Note:</strong> The device policy service conveys the restrictions
change to the app you name. However, it is up to that app to actually implement
the restriction. For example, in this case, the app would be responsible for
disabling its ability to use cellular networks for video downloads. Setting the
restriction does not cause the system to enforce this restriction on the app.
For more information, see
<a href="{@docRoot}training/enterprise/app-restrictions.html">Implementing
App Restrictions</a>.</p>
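
<p>Because the system does not enforce the restriction, the receiving app has to
read it and act on it. The following added example (not code from the original
lesson or its samples) shows how the hypothetical newsfetcher app could honor
<code>"downloadByCellular"</code>; the class name <code>NewsActivity</code>, the
method <code>mayDownloadOver()</code>, and the choice to block cellular
downloads when the key is unset are assumptions.</p>

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;

// Hypothetical activity inside the com.example.newsfetcher app.
public class NewsActivity extends Activity {
    private static final String KEY_CELLULAR = "downloadByCellular";

    // Assumption: stay restricted until the policy has been read.
    private volatile boolean cellularAllowed = false;

    // Re-read the restrictions whenever the controller app changes them.
    private final BroadcastReceiver restrictionsReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            loadRestrictions();
        }
    };

    private void loadRestrictions() {
        RestrictionsManager rm = (RestrictionsManager)
                getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle restrictions = rm.getApplicationRestrictions();
        cellularAllowed = restrictions != null
                && restrictions.getBoolean(KEY_CELLULAR, false);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Changes may have arrived while the receiver was unregistered.
        loadRestrictions();
        registerReceiver(restrictionsReceiver,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }

    @Override
    protected void onPause() {
        super.onPause();
        unregisterReceiver(restrictionsReceiver);
    }

    /** The download code calls this before starting any transfer. */
    boolean mayDownloadOver(boolean networkIsCellular) {
        return !networkIsCellular || cellularAllowed;
    }
}
```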