本文旨在为开发者提供企业级Android设备管理与安全解决方案,通过介绍Android 2.2版本引入的企业应用支持和Device Administration API,阐述如何利用API和系统能力管理Android设备并控制访问,以增强员工设备的安全性。
If you are an enterprise administrator, you can take advantage of APIs and system capabilities to manage Android devices and control access.
Android 2.2 introduces support for enterprise applications by offering the Android Device Administration API. The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices.
> This document is intended for developers who want to develop enterprise solutions for Android-powered devices. It discusses the various features provided by the Device Administration API to provide stronger security for employee devices that are powered by Android.
Note For information on building a Work Policy Controller for Android for Work deployments, see Building a Work Policy Controller.
To use the Device Administration API, the application's manifest must include the following:
- A subclass of
DeviceAdminReceiverthat includes the following:- The
BIND_DEVICE_ADMINpermission. - The ability to respond to the
ACTION_DEVICE_ADMIN_ENABLEDintent, expressed in the manifest as an intent filter.
- The
- A declaration of security policies used in metadata.
Here is an excerpt from the Device Administration sample manifest:
<activity android:name=".app.DeviceAdminSample" android:label="@string/activity_sample_device_admin"> <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.SAMPLE_CODE" /> </intent-filter> </activity> <receiver android:name=".app.DeviceAdminSample$DeviceAdminSampleReceiver" android:label="@string/sample_device_admin" android:description="@string/sample_device_admin_description" android:permission="android.permission.BIND_DEVICE_ADMIN"> <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin_sample" /> <intent-filter> <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> </intent-filter> </receiver>>
android:permission="android.permission.BIND_DEVICE_ADMIN"
is a permission that a
DeviceAdminReceiver
subclass must have, to ensure that only the system can interact with the receiver (no application can be granted this permission). This prevents other applications from abusing your device admin app.
<device-admin xmlns:android="http://schemas.android.com/apk/res/android"> <uses-policies> <limit-password /> <watch-login /> <reset-password /> <force-lock /> <wipe-data /> <expire-password /> <encrypted-storage /> <disable-camera /> </uses-policies> </device-admin>The Device Administration API includes the following classes: DeviceAdminReceiver, DevicePolicyManager, DeviceAdminInfo
public class DeviceAdminSample extends DeviceAdminReceiver { void showToast(Context context, String msg) { String status = context.getString(R.string.admin_receiver_status, msg); Toast.makeText(context, status, Toast.LENGTH_SHORT).show(); } @Override public void onEnabled(Context context, Intent intent) { showToast(context, context.getString(R.string.admin_receiver_status_enabled)); } @Override public CharSequence onDisableRequested(Context context, Intent intent) { return context.getString(R.string.admin_receiver_status_disable_warning); } @Override public void onDisabled(Context context, Intent intent) { showToast(context, context.getString(R.string.admin_receiver_status_disabled)); } @Override public void onPasswordChanged(Context context, Intent intent) { showToast(context, context.getString(R.string.admin_receiver_status_pw_changed)); } ... }
Otherwise, the device admin application is disabled.
@Override public boolean onPreferenceChange(Preference preference, Object newValue) { if (super.onPreferenceChange(preference, newValue)) { return true; } boolean value = (Boolean) newValue; if (preference == mEnableCheckbox) { if (value != mAdminActive) { if (value) { // Launch the activity to have the user enable our admin. Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN); intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample); intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, mActivity.getString(R.string.add_admin_extra_app_text)); startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN); // return false - don't update checkbox until we're really active return false; } else { mDPM.removeActiveAdmin(mDeviceAdminSample); enableDeviceCapabilitiesArea(false); mAdminActive = false; } } } else if (preference == mDisableCameraCheckbox) { mDPM.setCameraDisabled(mDeviceAdminSample, value); ... } return true; }>
DeviceAdminReceiver
component
To do this it uses the DevicePolicyManager methodisAdminActive(). Notice that the DevicePolicyManager method isAdminActive() takes aDeviceAdminReceiver component as its argument:
DevicePolicyManager mDPM; ... private boolean isActiveAdmin() { return mDPM.isAdminActive(mDeviceAdminSample); }
This section describes how to use DevicePolicyManager to perform administrative tasks:
DevicePolicyManager
class includes methods that let you fine-tune the contents of the password.
Beginning with Android 3.0, you can use the setPasswordExpirationTimeout() method to set when a password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout.
Beginning with Android 3.0, you can use the setPasswordHistoryLength() method to limit users' ability to reuse old passwords.
扫一扫
413
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
