Skip to main content
krishnaylk
krishnaylk
New Member
May 2, 2024
Solved

Granting special permissions for fully managed devices?

  • May 2, 2024
  • 2 replies
  • 11 views

Hey,

 

Is it possible to grant special permissions like `SYSTEM_ALERT_WINDOW` to a device if it is fully managed using Android management API?

 

We tried adding it to the permissionGrants but it is not enforced for some reason.

 

Thanks!

Best answer by Lizzie

Hello @krishnaylk,

 

Welcome to the Customer Community, it's nice to meet you. 

 

I've asked my teammate about this. Unfortunately,  it is not possible to grant permissions directly through AMAPI, especially sensitive permissions like SYSTEM_ALERT_WINDOW. AMAPI focuses on delegated management tasks that prioritize user security and privacy.

Here's a breakdown of why AMAPI restricts permission granting:


Security Focus: Granting app permissions, particularly sensitive ones, requires user awareness and consent. Bypassing this through AMAPI could introduce security vulnerabilities.

 

Delegated Management: AMAPI offers functionalities for managing aspects like app deployment and security certificates, tasks that benefit from centralized control. Permissions, however, are best handled with user involvement.

 

Possible alternatives for managing permissions on fully managed devices:

OEMConfig (if available): Some device manufacturers offer OEMConfig tools for advanced configuration. In specific cases, OEMConfig might allow enabling permissions like SYSTEM_ALERT_WINDOW. However, this functionality depends on the manufacturer and may not be widely available.

 

I hope this helps. To add, regarding AMAPI questions, you might also find this Stakeoverflow forum useful. 

 

Thanks so much,

Lizzie

2 replies

Lizzie
LizzieCommunity ManagerAnswer
Community Manager
May 8, 2024

Hello @krishnaylk,

 

Welcome to the Customer Community, it's nice to meet you. 

 

I've asked my teammate about this. Unfortunately,  it is not possible to grant permissions directly through AMAPI, especially sensitive permissions like SYSTEM_ALERT_WINDOW. AMAPI focuses on delegated management tasks that prioritize user security and privacy.

Here's a breakdown of why AMAPI restricts permission granting:


Security Focus: Granting app permissions, particularly sensitive ones, requires user awareness and consent. Bypassing this through AMAPI could introduce security vulnerabilities.

 

Delegated Management: AMAPI offers functionalities for managing aspects like app deployment and security certificates, tasks that benefit from centralized control. Permissions, however, are best handled with user involvement.

 

Possible alternatives for managing permissions on fully managed devices:

OEMConfig (if available): Some device manufacturers offer OEMConfig tools for advanced configuration. In specific cases, OEMConfig might allow enabling permissions like SYSTEM_ALERT_WINDOW. However, this functionality depends on the manufacturer and may not be widely available.

 

I hope this helps. To add, regarding AMAPI questions, you might also find this Stakeoverflow forum useful. 

 

Thanks so much,

Lizzie

Welcome to the Community everyone!
    M
    mattdermody
    Level 3.0: Honeycomb
    May 8, 2024

    This is possible for certain manufacturers. I know for example it is possible on Zebra Android devices as I regularly silently grant special permissions silently with their MX layer. 

      Lizzie
      LizzieCommunity Manager
      Community Manager
      May 8, 2024

      aw, interesting - thanks for sharing @mattdermody 

      Welcome to the Community everyone!
      Terms & ConditionsCookie settingsAccessibility statement