Device Ownership Application

A device owner is an application that runs as a device administrator on your Android device. But it has more control over the device than a device administrator as it get's access to a set of unique APIs. This new concept was introduced for Android 5.0 and above, and this type of enrollment is most suitable for Corporate Owned, Personally Enabled (COPE) device enrolments.

Wondering when to use the device ownership application? You can define the WSO2 Android agent as the Device Ownership application for devices that are enrolled with WSO2 IoT Server and don't have the system service application installed. This way you can impose restrictions on the device that you weren't able to impose when the device in the device administrator state. For more information on the restrictions that can be imposed by the device ownership application, see Available Android Mobile Device Management Policies.

Let's get started!

Device ownership application functionality

Let's take a look at how an application having the device ownership settings enabled, function.

• Once the device ownership is assigned to an application, it gets access to a set of Android APIs, such as adding a user restriction policy on Android devices. These APIs are only accessible by the device ownership application.
• At a given time a device can only have one application with the device ownership settings. It prevents another device ownership application from overriding the policies that have already been enforced on the device. 
• If you wish to remove the device ownership from the application, you need to factory reset the device. For example, in a situation where the device needs to be given to a different user, you need to factory reset the device to remove the application.

Configuring the WSO2 Android agent

Let's take a look at how WSO2 IoT Server configures the device ownership settings on the agent.

Assign the device ownership to the WSO2 Android agent using one of the following methods.

• A command issued through the Android Debug Bridge (adb).

   Click here for more information.

  1. Make sure to have your Android device enrolled with WSO2 IoT Server.
     

  2. If you have set up a Google account for your device, make sure to remove it before proceeding to the next step.

  3. Connect the device to your PC and run the command given below:

     adb shell dpm set-device-owner org.wso2.iot.agent/.services.AgentDeviceAdminReceiver

     The above command is not supported by SDK API levels below 21 because it does not support Device Policy Manager (dpm) that is used in the command.

      Click here for more information on what happens when you run the adb command

     The Android system creates an XML file in the device's <DEVICE>/data/system directory once you run the command to assign the device ownership settings in the agent application as shown in step1.
     The name of the XML will be device_owner and it contains the package name of the service application having the device ownership.

     Example:

     device_owner.xml

     <device-owner package="org.wso2.iot.agent" name="Your app name" />

     A non-system application cannot modify the XML file that is in the device's <DEVICE>/data/system  directory unless it's rooted. Therefore Android guarantees that only the configured application gets the privileged device ownership status.

• Integrating Android for work. 

  For more information on how this is done, see the content under Google account method in the Android Developer Guide.

Integrating the service application with WSO2 IoT Server

To successfully integrate the service application with WSO2 IoT Server you need to have the WSO2 Android agent installed as well. Take a look at the diagram given below to clearly understand the role of the Android agent in this scenario.