Granting special permissions for fully managed devices?

krishnaylk
Level 1.5: Cupcake

Hey,

Is it possible to grant special permissions like `SYSTEM_ALERT_WINDOW` to a device if it is fully managed using the Android Management API?

We tried adding it to the permissionGrants but it is not enforced for some reason.

Thanks!
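A policy check of the kind the question above calls for, added here as an example and not code from this thread or from Google: it lints an Android Management API policy JSON for `permissionGrants` entries that name a special app access permission such as `SYSTEM_ALERT_WINDOW`, which such an entry does not enforce. The sample policy, its package name and the (partial) permission list are assumptions.

```python
import json

# Runtime ("dangerous") permissions are what applications[].permissionGrants controls.
# "Special app access" permissions are granted through their own Settings screens (or, as
# the thread notes, OEM tooling such as OEMConfig); a permissionGrants entry naming one
# is silently ignored. Partial list, assumed for this example.
SPECIAL_APP_ACCESS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def find_unenforceable_grants(policy: dict) -> list:
    """Return (packageName, permission, policy) for every permissionGrants entry
    that names a special app access permission, i.e. one AMAPI will not enforce."""
    findings = []
    for app in policy.get("applications", []):
        for grant in app.get("permissionGrants", []):
            perm = grant.get("permission", "")
            if perm in SPECIAL_APP_ACCESS_PERMISSIONS:
                findings.append((app.get("packageName"), perm, grant.get("policy")))
    return findings


# Constructed sample policy resembling the one the question describes (hypothetical package).
SAMPLE_POLICY = json.loads("""
{
  "applications": [
    {
      "packageName": "com.example.kiosk",
      "installType": "FORCE_INSTALLED",
      "permissionGrants": [
        {"permission": "android.permission.CAMERA", "policy": "GRANT"},
        {"permission": "android.permission.SYSTEM_ALERT_WINDOW", "policy": "GRANT"}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    for pkg, perm, pol in find_unenforceable_grants(SAMPLE_POLICY):
        print(f"{pkg}: permissionGrants {pol} for {perm} will not be enforced "
              f"(special app access permission)")
```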

1 ACCEPTED SOLUTION

Lizzie
Google Community Manager

Hello @krishnaylk,

Welcome to the Customer Community, it's nice to meet you.

I've asked my teammate about this. Unfortunately, it is not possible to grant permissions directly through AMAPI, especially sensitive permissions like SYSTEM_ALERT_WINDOW. AMAPI focuses on delegated management tasks that prioritize user security and privacy.

Here's a breakdown of why AMAPI restricts permission granting:

Security Focus: Granting app permissions, particularly sensitive ones, requires user awareness and consent. Bypassing this through AMAPI could introduce security vulnerabilities.

Delegated Management: AMAPI offers functionalities for managing aspects like app deployment and security certificates, tasks that benefit from centralized control. Permissions, however, are best handled with user involvement.

Possible alternatives for managing permissions on fully managed devices:

OEMConfig (if available): Some device manufacturers offer OEMConfig tools for advanced configuration. In specific cases, OEMConfig might allow enabling permissions like SYSTEM_ALERT_WINDOW. However, this functionality depends on the manufacturer and may not be widely available.

I hope this helps. To add, regarding AMAPI questions, you might also find this Stack Overflow forum useful.

Thanks so much,

Lizzie



mattdermody
Level 2.0: Eclair

This is possible for certain manufacturers. I know for example it is possible on Zebra Android devices as I regularly silently grant special permissions with their MX layer.

Lizzie
Google Community Manager

Ah, interesting - thanks for sharing @mattdermody


Fun fact, Android 15 looks set to restrict this - banning OEMs from bypassing inbuilt protections through custom APIs. It does *not* apply to dedicated devices, but OEMs have to declare them as such.

Great... Thankfully we have 2 years before that will be an issue, given that Zebra is only currently getting to A13. Hopefully they'll also be able to declare their devices as "dedicated" since they are almost 100% of the time used in that scenario.