Building Apps with Device Administration API: Dev’s Guide

Praveen May 16, 2017
The Device Administration API provides device administration features at the system level to a particular application. Android 2.2 introduces support for enterprise applications by offering the Android Device Administration API. Security on any smartphone is an important concern. Device Administration APIs allow you to create security-aware applications that are useful in enterprise settings where IT professionals require rich control over employee devices. For instance, your employer can set a few policies for you to use your official email-id on your mobile device via an App called ‘Google Device Policy’. Google Device Policy uses Device Administration API to take administration access of your device. Admin Level Features Here are a few examples for context of what admin level features in Android are. The application with device administrator enabling can have:
  1. Ability to not to get uninstalled until it is deactivated from administration settings.
  2. Ability to access the device password.
  3. Ability to enable/disable the device camera.
  4. Ability to erase all the device data.
  5. Ability to limit the maximum number of password attempts.
  6. The maximum inactivity time to trigger the screen lock.
And many more… The above-mentioned admin features, however, cannot be accessed directly in an Android app. To access these features in your application, you will have to enable the Device Admin APIs for your application to function as a device administrator.   The Device Administration Classes The Device Administration API includes the following Android classes:  

DeviceAdminReceiver

This is the base class for implementing a device administration component. This class makes interpreting the raw intent actions that are sent by the system convenient. Your Device Administration application must include a DeviceAdminReceiver subclass.

DevicePolicyManager

This is a class for managing policies enforced on a device. Most clients of this class must have published a DeviceAdminReceiver that the user has currently enabled. The DevicePolicyManager manages policies for one or more DeviceAdminReceiver instances.

DeviceAdminInfo

This class is used to specify metadata for a device administrator component. For using Device Administration APIs in an Android app, these APIs must first be registered to access the admin level functionality.

Steps for Registering the Admin API for Your Application

By registering the Admin API for your application, it cannot be uninstalled until the application is deactivated manually. The steps for registering are given below:
  1. Create a sub-class of DeviceAdminReceiver.
Public class MyDeviceAdminReceiver extends DeviceAdminReceiver { // Enable device Admin api @Override  public void onEnabled(Context context, Intent intent) {    super.onEnabled(context, intent);  } }
  1. Register in the manifest.xml.
Register it in the manifest.xml along with BIND_ADMIN_DEVICE permission and ACTION_DEVICE_ADMIN_ENABLE on Intent-filter’s action. The declaration of security policy used in metadata is given below: <receiver            android:name=”com.magic.devicepolicymanager.MyDeviceAdminReceiver”            android:description=”@string/device_admin_description”            android:label=”@string/device_admin”            android:permission=”android.permission.BIND_DEVICE_ADMIN” >         <meta-data                android:name=”android.app.device_admin”                android:resource=”@xml/device_policies” />  <intent-filter>        <action android:name=”android.app.action.DEVICE_ADMIN_ENABLED”>  <intent-filter> </receiver>
  1. Declare the security policies in the xml file.
Implement the following policies in device_policies.xml: <device-admin xmlns:android=”http://schemas.android.com/apk/res/android”>  <uses-policies>    <limit-password />    <watch-login />    <force-lock />    <wipe-data />    <expire-password />    <disable-camera />  </uses-policies> </device-admin>  
  1. Create a Class PolicyManager.java
This will help us define the API to check admin active status and remove admin component. public class PolicyManager {    public static final int PM_ACTIVATION_REQUEST_CODE = 101;    private Context _mContext;    private DevicePolicyManager _mDPM;    private ComponentName _adminComponent;    public PolicyManager(Context context) {        this._mContext = context;        _mDPM = (DevicePolicyManager) _mContext                .getSystemService(Context.DEVICE_POLICY_SERVICE);       _adminComponent = new ComponentName(_mContext.getPackageName(),                _mContext.getPackageName() + “.MyDeviceAdminReceiver”);    }
  1. Enable the Admin
Once you enable this admin, your application cannot be uninstalled from your device. public class MainActivity extends Activity {    private PolicyManager policyManager;    @Override    protected void onCreate(Bundle savedInstanceState) {        super.onCreate(savedInstanceState);        setContentView(R.layout.activity_main); policyManager = new PolicyManager(this); if (!policyManager.isAdminActive()) {               Intent activateDeviceAdmin = new            Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);                    activateDeviceAdmin.putExtra(                            DevicePolicyManager.EXTRA_DEVICE_ADMIN,                            policyManager.getAdminComponent());                    activateDeviceAdmin                            .putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,                                    “After activating admin, you will be able to block application uninstallation.”);                    startActivityForResult(activateDeviceAdmin,                            PolicyManager.PM_ACTIVATION_REQUEST_CODE);                } } @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) {   // TODO Auto-generated method stub   if (resultCode == Activity.RESULT_OK           && requestCode == PolicyManager.PM_ACTIVATION_REQUEST_CODE) {       // handle code for successful enable of admin   } else {       super.onActivityResult(requestCode, resultCode, data);   } } }   Device Admin APIs will not be enabled on their own after running in the app. To enable them,  
  • Run the app once
  • Go to device settings -> security -> Device Administrators and tick-box your app there.
 
  • Some screenshots for a quick reference:
          

Real Time Example of Using Device Administration API:

Internet-connected Android mobiles can be tracked with the help of 3rd party apps or the Google official app. The best way is to ask Google, “Where is my phone” or “Find my phone”, after signing in. If you don’t have your laptop with you to track your Android phone then you can also use someone else’s mobile. To do this, download the Android Device Manager App from Google Play Store. Sign in as guest and provide your Google Account info to track your phone online. The Android Device Manager App uses Device Administrator APIs to achieve this. To be able to track the phone, you need to have Administrator access of the Android device, as mentioned in the earlier steps.  

References:

http://developer.android.com/intl/ru/guide/topics/admin/device-admin.html
Device Administration, Device Administration API
Praveen

Has experience in mobile application development in Android and Linux Shell Scripting. He is really passionate about coding and is always looking out for exploring new and multiple innovative ways to approach the same programming problem. He is absolutely crazy about writing blogs. He is currently working as an Android Developer at Magic Software Inc.