Google introduced a new feature in the Android Lollipop release that makes applications corporate-network friendly. They call it Android for Work. With the new Android (5.0) release, big organizations can now support the BYOD (bring your own device) concept, as Android apps for work can put an end to corporate data breaches. Android for Work is engineered so that organizations can impose various forms of restrictions on a device. A similar concept was available in older APIs as well, through the DevicePolicyManager class. But now Android is backed by Enterprise Mobility Management (EMM), through which various security policies can be enforced on devices dynamically.
To implement Android for Work, three things are required:
- Develop or modify an application to support Android for Work.
- Develop a work policy controller app to enforce restrictions on the device.
- Partner with an Enterprise Mobility Management (EMM) solution company.
To develop an application that supports Android for Work, you first need to create a managed profile on the device. A managed profile is nothing but a separate profile of your user on the Android device. The only difference is that permissions for this profile are managed through the work policy controller app, which is controlled by EMM software.
Now the question is how to provision a managed profile. This is done by sending an intent with the action ACTION_PROVISION_MANAGED_PROFILE. When provisioning is complete, the onProfileProvisioningComplete method of DeviceAdminReceiver is called. Here we can enable the profile by calling the setProfileEnabled() method. After a device is provisioned with a managed profile, the restrictions defined by the work policy controller are imposed on it.
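The provisioning flow described above, as an added example that is not code from the original post. The class name WorkPolicyReceiver, the request code and the profile name are hypothetical, and the receiver is assumed to be declared in the manifest as a device admin (BIND_DEVICE_ADMIN permission plus device-admin metadata).

```java
// Added example. WorkPolicyReceiver and the profile name are hypothetical.
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class WorkPolicyReceiver extends DeviceAdminReceiver {
    public static final int REQUEST_PROVISION = 1;

    /**
     * Asks the system to create a managed profile owned by this app.
     * Returns false when the device cannot handle the provisioning intent.
     */
    public static boolean startProvisioning(Activity activity) {
        Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
        // API 21 extra: the package that becomes the profile owner.
        intent.putExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME,
                activity.getPackageName());
        if (intent.resolveActivity(activity.getPackageManager()) == null) {
            return false; // no managed-profile support on this device
        }
        // The caller checks for RESULT_OK in onActivityResult(); the user can
        // decline, so a launched request is not a provisioned profile.
        activity.startActivityForResult(intent, REQUEST_PROVISION);
        return true;
    }

    /** Runs inside the new managed profile once provisioning has finished. */
    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, WorkPolicyReceiver.class);
        dpm.setProfileName(admin, "Work profile");
        // The profile stays disabled until the profile owner enables it.
        dpm.setProfileEnabled(admin);
    }
}
```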
Usually when a device has a managed profile, the restrictions are categorized broadly in three ways:
1) Intent restrictions
Yes, the most basic thing, intents, can be restricted on a managed profile. EMMs can impose restrictions on a device such that an intent fired from a profile cannot cross that profile and go to another profile or to the main owner profile. This is one of the most powerful restrictions that can be imposed on a device. There are many situations where this sort of restriction comes in handy, e.g. restricting the user from launching a messaging app, or from sharing a link from email to Facebook.
This brings a new area of development for existing apps. By the basic design of Android for Work, your app may crash when an intent is fired and is not handled within the profile itself. To make your app Android for Work friendly, you may need to add some checks, such as whether the intent that is about to be fired will be handled or not. If not, you can show a toast message.
2) System app restrictions
The work policy controller app can also impose restrictions on system apps. As an admin, you can restrict a device from using system apps on a managed profile.
The interesting point for app developers is that when system apps are not present, some very basic Android functionality will be missing. Therefore, whenever an intent is fired, it becomes necessary for them to check whether it can be handled.
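The check recommended under both intent restrictions and system app restrictions, as an added example that is not code from the original post. The class name SafeIntents and the toast text are hypothetical.

```java
// Added example. SafeIntents and the message text are hypothetical.
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.widget.Toast;

public final class SafeIntents {
    private SafeIntents() {}

    /** True if an activity visible from the current profile can handle the intent. */
    public static boolean canHandle(Activity activity, Intent intent) {
        return activity.getPackageManager()
                .resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY) != null;
    }

    /**
     * Starts the intent only when it resolves inside this profile; otherwise
     * shows a toast instead of crashing. Returns whether the intent was started.
     */
    public static boolean startIfHandled(Activity activity, Intent intent) {
        if (canHandle(activity, intent)) {
            try {
                activity.startActivity(intent);
                return true;
            } catch (ActivityNotFoundException | SecurityException e) {
                // The handler was removed or blocked by policy between the
                // check and the launch; fall through to the message below.
            }
        }
        Toast.makeText(activity, "This action is not available in this profile",
                Toast.LENGTH_SHORT).show();
        return false;
    }

    /** Builds the "share a link" intent used as the example in the text. */
    public static Intent shareLink(String url) {
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_TEXT, url);
        return send;
    }
}
```

From an activity, `SafeIntents.startIfHandled(this, SafeIntents.shareLink(url))` covers both the missing system app case and the blocked cross-profile case.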
3) File path restrictions
When work policies are imposed on a device, they also prevent other profiles from accessing the managed profile's data files. When a new managed profile is created, a separate storage area is allocated to it, making files in that area secure from other profiles. If you try to share a file URI with another profile, it will not work.
If you need to share a file across profiles, you may need to modify your app to support Android for Work. To share files across managed profiles, content URIs can be used. Android content URIs are basically file paths through which we can share content in a secure way. Sharing a content URI provides not only a file path but also the authority to access that file, through which the file can be accessed outside the profile.
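Sharing a file as a content URI instead of a file URI, as an added example that is not code from the original post. It assumes the AndroidX FileProvider is declared in the manifest; the class name WorkFileSharing and the authority string are hypothetical.

```java
// Added example. WorkFileSharing and AUTHORITY are hypothetical; AUTHORITY must
// match the android:authorities value of the <provider> entry in the manifest.
import android.content.ClipData;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;

public final class WorkFileSharing {
    private static final String AUTHORITY = "com.example.workapp.fileprovider";

    private WorkFileSharing() {}

    /**
     * Builds a send intent that carries a content:// URI and a temporary,
     * read-only grant. Returns null if the file lies outside the directories
     * the provider is configured to expose.
     */
    public static Intent buildShareIntent(Context context, File file, String mimeType) {
        Uri contentUri;
        try {
            contentUri = FileProvider.getUriForFile(context, AUTHORITY, file);
        } catch (IllegalArgumentException e) {
            return null; // never fall back to Uri.fromFile(): file:// does not cross profiles
        }
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType(mimeType);
        send.putExtra(Intent.EXTRA_STREAM, contentUri);
        // Attach the URI as ClipData so the permission flag applies to it.
        send.setClipData(ClipData.newRawUri(null, contentUri));
        // Read-only: the receiver gets no write access and no path on disk.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return send;
    }
}
```

Whether the resulting intent is allowed to leave the managed profile is still decided by the work policy controller's intent restrictions.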
With this I would like to conclude by saying that Android has evolved a lot since its conception. Nobody could have thought that one day we would have this much power in our hands. The recently released Android for Work makes this OS even more secure and scalable for large organizations through the use of EMMs. In the near future we may see all organizations using Android for Work and supporting BYOD.
Born in New Delhi, India. A software engineer by profession, an android enthusiast and an evangelist. My motive here is to create a group of skilled developers, who can develop something new and good. Reason being programming is my passion, and also it feels good to make a device do something you want. In a very short span of time professionally I have worked with many tech firms. As of now too, I am employed as a senior engineer in a leading tech company. In total I may have worked on more than 20 projects professionally, and whenever I get spare time I share my thoughts here at Truiton.