Forum Discussion
[Feedback] App installs: share your experiences & suggestions
Hi melanie, I believe overlay permissions and location permissions cannot be set at this point.
Google has designated multiple permissions as "Dangerous" and transitioned them to Run time permissions that are prompted to the end user. Examples include Manage External Storage, System Alert Window (overlay), Package Usage Stats, Notifications, etc. These permissions are often critical for business apps on DO managed devices to function and yet we have to trust and rely on end users to accept them. It makes no sense because the end users themselves likely will never see the prompt as an IT admin is likely granting them for them, or if they do see it they may inadvertently dismiss it as they don't even stop to read what they say. Thankfully some OEMs have built proprietary methods for silently granting these permissions that we leverage heavily, but it is still strange that a DO DPC doesn't have these controls.
- Michel | 2 months ago | Level 3.0: Honeycomb
Thanks for the additional info, mattdermody!
- Lizzie | 2 months ago | Google Community Manager
Thanks for the additional context mattdermody. You mention that some OEMs have built additional methods on this, I imagine there are varying ways this has been implemented.
Do you have a suggestion/idea in mind of how you'd like these controls to work if implemented in DO DPC to address this at a base level (potentially with OEMs then providing further steps)?
Anyone else feel free to add to this. Thanks so much :)
- mattdermody | 2 months ago | Level 2.3: Gingerbread
The OEM proprietary methods are highly technical to accomplish and likely using workarounds that Google probably doesn't even officially endorse. I'm worried about sharing more details for risk of Google closing those "vulnerabilities", which is the opposite effect of what I'm ultimately looking for. A similar situation is Google stepping in and stopping OEMs from automating their way through the Setup Wizard (SUW). We used to be able to bypass the SUW and skip straight to our OEM specific enrollment method and now are stuck manually tapping through numerous setup wizard prompts that slow down the process.
How would I want the dangerous permissions to work in an ideal world? Any DO DPC installing apps should just be able to automatically silently grant those dangerous permissions. There simply should not be the idea of a runtime permission presented for any app for a shared line of business fully managed Android Enterprise device. It is otherwise ironic to continue to call it "Fully Managed" or "Device Owner" if we continue to give the end users some level of agency.