B4A Library Device Administrator library

Status
Not open for further replies.
Starting from Android 2.2 (API level 8), Android allows applications to be registered as administrators.
Administrator apps have the following special features:
- Manually lock the screen
- Set the minimum password length and quality
- Wipe the entire device
- Set the maximum allowed time before the device locks
- Request the user to change password
- Manually set a new password
- Disable the camera
- Track password changes
- Some other security features as described here.

Note that the password is the screen lock password (other passwords are not affected).

The user needs to enable the admin app before it can have any special privileges.
This is done either by calling Manager.Enable or from the Security settings page.
The user will see a message with the policies that this app requests:

[Screenshot: the activation prompt listing the policies that the app requests]


The user can always disable an administrator app from the Security settings page. The idea is that in your app you should check whether the admin is enabled and the password meets the requirements. If they don't then you do not give access to some resource such as the company's server.

How to
A working example is attached to this project. It is recommended to start with it.
Add the following code to the manifest editor:

B4X:
AddApplicationText(<receiver android:name="anywheresoftware.b4a.objects.AdminReceiver2"
  android:permission="android.permission.BIND_DEVICE_ADMIN"
  android:exported="true">
  <meta-data android:name="android.app.device_admin"
  android:resource="@xml/device_admin" />
  <intent-filter>
  <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
  </intent-filter>
</receiver>)

CreateResource(xml, device_admin.xml,
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
  <limit-password />
  <reset-password />
  <force-lock />
  </uses-policies>
</device-admin>
)

3. Declare an AdminManager object. With this object you can ask the user to enable the admin app and access the special privileges.

4. (optional) Add a service named ManagerService. This service will allow you to track password changes and changes to the admin app enabled status. See the attached example.


The latest version of this library is included in the IDE.

Upgrading from v1.00

The receiver name has changed. You need to update the manifest editor code.
The user will probably need to re-enable the admin app. The V1.00 library is attached to allow developers to keep the previous version if preferred.
 

Attachments

  • Administrator1.00.zip
    4.8 KB · Views: 1,312
  • AdminExample.zip
    8.2 KB · Views: 377
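
The check described in the first post (admin enabled and password sufficient before granting access), as an added example that is not part of the original post or the attached project. Only AdminManager and Enable appear on this page; Enabled, SetPasswordQuality, QUALITY_ALPHANUMERIC, PasswordSufficient and RequestNewPassword are assumed to be the Administrator library's member names, and btnConnect and ConnectToServer are hypothetical.

```b4x
Sub Process_Globals
    Private manager As AdminManager
End Sub

'Returns True only if this app is an active device administrator and the
'current screen lock password satisfies the policy. Call it before every
'access to the protected resource, not only at startup: the user can disable
'the admin app or change the password at any time.
Sub DeviceIsCompliant As Boolean
    If manager.Enabled = False Then
        Log("Device admin is not enabled, access denied")
        Return False
    End If
    'Re-apply the policy on each check (requires <limit-password /> in device_admin.xml).
    manager.SetPasswordQuality(manager.QUALITY_ALPHANUMERIC, 6)
    If manager.PasswordSufficient = False Then
        Log("Screen lock password does not meet the policy, access denied")
        Return False
    End If
    Return True
End Sub

'Hypothetical button that guards access to the company server.
Sub btnConnect_Click
    If DeviceIsCompliant Then
        ConnectToServer
    Else If manager.Enabled = False Then
        'Shows the system prompt listing the requested policies.
        manager.Enable("Enable device administration to access the company server.")
    Else
        'Admin is enabled but the password is too weak: ask the user for a new one.
        manager.RequestNewPassword
    End If
End Sub

'Hypothetical placeholder for the protected operation.
Sub ConnectToServer
    Log("Policy satisfied, connecting to the server")
End Sub
```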

echapeta

Problem solved after adding the indicated file:

1. An xml file named device_admin.xml with the required policies (special permissions) should be added to Objects\res\xml. Don't forget to set the file to be read-only.
The available policies are listed here.


Thank You.
 

chefe82

Hello,
How or where can I specify when a password needs to be changed?
(E.g. every 90 days, and it must not be the previous one.)

I have activated <expire-password /> in the xml.

Thank You
 

Erel

B4X founder
You can call setPasswordExpirationTimeout: https://developer.android.com/refer...nTimeout(android.content.ComponentName, long)
And:
setPasswordHistoryLength: https://developer.android.com/refer...oryLength(android.content.ComponentName, int)

Supported by Android 4+.
B4X:
'90 days, expressed in milliseconds
Dim days As Long = 90 * DateTime.TicksPerDay
Dim r As Reflector
r.Target = Admin
Dim cm As Object
cm = r.GetField("rec") 'passed below as the ComponentName argument
r.Target = r.GetField("dm") 'object that exposes the DevicePolicyManager methods
r.RunMethod4("setPasswordExpirationTimeout", Array As Object(cm, days), _
   Array As String("android.content.ComponentName", "java.lang.long"))
r.RunMethod4("setPasswordHistoryLength", Array As Object(cm, 2), _
   Array As String("android.content.ComponentName", "java.lang.int"))
 

chefe82

You can call setPasswordExpirationTimeout: https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setPasswordExpirationTimeout(android.content.ComponentName, long)
And:
setPasswordHistoryLength: https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setPasswordHistoryLength(android.content.ComponentName, int)

Supported by Android 4+.
B4X:
'90 days, expressed in milliseconds
Dim days As Long = 90 * DateTime.TicksPerDay
Dim r As Reflector
r.Target = Admin
Dim cm As Object
cm = r.GetField("rec") 'passed below as the ComponentName argument
r.Target = r.GetField("dm") 'object that exposes the DevicePolicyManager methods
r.RunMethod4("setPasswordExpirationTimeout", Array As Object(cm, days), _
   Array As String("android.content.ComponentName", "java.lang.long"))
r.RunMethod4("setPasswordHistoryLength", Array As Object(cm, 2), _
   Array As String("android.content.ComponentName", "java.lang.int"))


Is it also possible to read out the remaining days until the password has to be changed? It would be a small info for the user.
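
One way to read the remaining days with the same Reflector pattern, as an added example that is not from any poster in this thread. It assumes the "rec" and "dm" fields shown in the post above, an enabled admin with <expire-password /> declared, and calls DevicePolicyManager.getPasswordExpiration; the sub name DaysUntilPasswordExpires is hypothetical.

```b4x
'Returns the number of whole or partial days until the screen lock password
'expires, 0 if it has already expired, or -1 if no expiration is set.
Sub DaysUntilPasswordExpires(Admin As AdminManager) As Int
    Dim r As Reflector
    r.Target = Admin
    Dim cm As Object = r.GetField("rec") 'field name taken from the post above
    r.Target = r.GetField("dm") 'field name taken from the post above
    'getPasswordExpiration returns the expiration time in milliseconds since
    'the epoch, or 0 when there is no expiration.
    Dim expires As Long = r.RunMethod4("getPasswordExpiration", Array As Object(cm), _
        Array As String("android.content.ComponentName"))
    If expires = 0 Then Return -1
    Dim remaining As Long = expires - DateTime.Now
    If remaining <= 0 Then Return 0
    'Round up so that "expires in 3 hours" is reported as 1 day, not 0.
    Return Ceil(remaining / DateTime.TicksPerDay)
End Sub
```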
 

Mark Hollingworth

I have had an app working for quite a while that removes the lockscreen password when connected to a user-approved wifi network (so that when you're on your home wifi network you don't need to enter a password every time); it then turns on a password lockscreen when disconnected from that network.

It has been working fine with no issues, I have just got a new phone and decided to enable encryption (so a pin is required before the phone starts up).

I have installed my app but it's now not able to remove the lockscreen password, but I am not getting any errors in the log, and if I run in debug mode it just runs past the line of code as if it worked.

Is there a limitation with the Device Administration when using an encrypted phone?

Thanks
 

Mark Hollingworth

Worth checking the unfiltered logs. It is probably a security limitation.

Hi Erel,

I have checked the logs and all I can see is the following:

resetPassword() : Not a MDM client
.registerListener : success. listener count = 0->1, motion_events=1,

Cannot call with null password

So I am guessing that if encryption is on you can't set the password as null/nothing? I have the full log if you think it might help to see it?
 

Mark Hollingworth

Thanks Erel,

I gave it a try but it had no effect, so I have reset my phone and removed the encryption; however, my app still is unable to remove the lock screen! I am going to do some more investigation but I am now wondering if something has changed with Android 7.0, which is running on my new Samsung S8. If I can't figure anything out I will create a test app that I can upload for testing.
 

Mark Hollingworth

I have just updated the example from the first post to include the password reset option but I am now not able to get it working on my new device or my previous device (running Android 6.0.1) so not sure if I have done something wrong or not now.
 

Attachments

  • AdminWithPasswordReset.zip
    8.5 KB · Views: 357

Mark Hollingworth

I've run your app on an Android 7 device. If you check the unfiltered logs (with USB debug mode) you will see this message:

Admin cannot change current password

Seems like only device owner apps can reset the password now:
https://issuetracker.google.com/issues/37088699

Thanks Erel,

So it looks like this is not going to be possible anymore, as there is no way to set an app as a device owner (from what I can see). That's a bit of a pain :(
 