page.title=Android for Work Developer Guide page.tags="work", "android for work", "afw", "developer", "android" page.metaDescription=Android for Work provides organizations with a secure, flexible, and unified Android mobility platform combining devices, applications, and management. page.image=images/work/cards/android-studio_600px.png @jd:body
Android for Work provides organizations with a secure, flexible, and unified Android mobility platform—combining devices, applications, and management. By default, Android apps are compatible with Android for Work. However, there are additional features you can use to make your Android app work best on a managed device:
Note: Android for Work functions natively on most Android 5.0 devices; however, Android 6.0 and later offers additional features for Android for Work, especially with regard to COSU.
You can manage a user’s business data and applications through a work profile. A work profile is a managed corporate profile associated with the primary user account on an Android device. A work profile securely isolates work apps and data from personal apps and data. This work profile is in a separate container from the personal profile, which your user controls. These separate profiles allow organizations to manage the business data they care about, but leave everything else on a user’s device under the user’s control. For a deep dive into best practices, see the Set up Managed Profiles guide. For an overview of those best practices, see below.
It’s difficult to know which intents can cross between profiles, and
which ones are blocked. The only way to know for sure is by testing.
Before your app starts an activity, you should verify that the
request is resolved by calling
Intent.resolveActivity()
.
null
, the request doesn’t resolve.Note: For detailed testing instructions, see Prevent Failed Intents.
Some developers use URIs to mark file paths in Android. However, with Android for Work, because there are separate profiles, we recommend:
Use: Content URIs |
|
Don't use: File URI |
|
Next steps: Once your app supports managed profiles, test it in a work profile. See Test your app with Android for Work.
Managed configurations are a set of instructions that IT administrators can use to manage their users’ mobile devices in a specific way. These instructions are universal and work across any EMM, allowing administrators to remotely configure applications on their users’ phones.
If you’re developing apps for business or government, you may need to satisfy your industry’s specific set of requirements. Using managed configurations, the IT administrator can remotely specify settings and enforce policies for their users’ Android apps; for example:
The Set up Managed Configurations guide is the key source for information on how to build and deploy managed configurations. After you’ve reviewed this documentation, see recommendations below for additional guidance.
As soon as you launch an application, you can see if managed
configurations are already set for this app in onStart()
or
onResume()
. Additionally, you can find out if your
application is managed or unmanaged. For example, if
getApplicationRestrictions()
returns:
KEY_RESTRICTIONS_PENDING
set to true—your
application is being managed, but the DPC isn’t configured
correctly. You should block this user from your app, and direct
them to their IT administrator.IT administrators can change managed configurations and what policies they want to enforce on their users at any time. Because of this, we recommend you ensure that your app can accept new restrictions for your managed configuration as follows:
getApplicationRestrictions()
in onStart()
and onResume()
, and compare against old restrictions
to see if changes are required.ACTION_APPLICATION_RESTRICTIONS_CHANGED
in your
running activities or services, after you’ve checked for new
restrictions. This intent is sent only to listeners that are
dynamically registered, and not to listeners declared in the app
manifest.onPause()
,
you should unregister for the broadcast of
ACTION_APPLICATION_RESTRICTIONS_CHANGED
.Corporate-owned, single-use devices (COSU) are kiosk devices used for a single purpose, such as digital signage displays, ticket printing kiosks, or checkout registers.
When an Android device is configured as a COSU device, the user sees an application locked to the screen with no Home or Recent Apps buttons to escape the app. COSU can also be configured to show a set of applications, such as a library kiosk with an app for the library catalog and a web browser.
For instructions, see Set up Single-Purpose Devices.
Enterprise users often have multiple apps on their device, and they prefer to sign in once to access all of their work applications. Typically, users sign in through a WebView; however, there are a couple reasons why this isn’t ideal:
A solution to both problems is to authenticate users using browser Custom Tabs, instead of WebView. This ensures that authentication:
Custom Tabs are supported back to API level 15 (Android 4.0.3). To use Custom Tabs you need a supported browser, such as Chrome. Chrome 45 and later implement this feature as Chrome Custom Tabs.
Google has open sourced an OAuth client library that uses Custom Tabs, contributing it to the OpenID Connect working group of the OpenID Foundation. To set up Custom Tabs for SSO with the AppAuth library, see the documentation and sample code on GitHub, or try the codelab.
Once you’ve developed your app, you’ll want to test it in a work profile—both as a profile owner and device owner. See the instructions below.
TestDPC is a tool you can use to test your Android app in a variety of Android for Work environments. You can configure it as a profile owner or a device owner to launch management APIs on your device, using one of these methods:
For more information on how to configure TestDPC, see the instructions below and the TestDPC User Guide.
REQUIRED: Your test Android device needs to run Android 5.0 or later and be able to natively support Android for Work.
To test your app in a work profile, you need to first provision a profile owner on the TestDPC app:
Testing your app as a device owner requires more steps than testing as a profile owner. You first need to provision the device owner on your test device using the NfcProvisioning sample app. For complete instructions to provision TestDPC in device owner mode using the NfcProvisioning app, see the TestDPC User Guide.
cd
to the project directory.local.properties
name
and the following content:
sdk.dir=/path/to/your/android/sdk
./gradlew init ./gradlew buildThe NfcProvisioning APK you need is now located in
./Application/build/outputs/apk
.
nfcprovisioning.txt
and
include the following information:
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=com.afwsamples.testdpc android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://testdpc-latest-apk.appspot.com android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w= # note: checksum must be URL-safe android.app.extra.PROVISIONING_LOCALE=en_US android.app.extra.PROVISIONING_TIME_ZONE=America/New_York
Note: If you’re developing for Android 5.0 Lollipop, see the instructions in the TestDPC User Guide.
adb push <path-to-nfcprovisioning.txt> /sdcard/
The NFC Provisioning app will automatically pass those Wi-Fi credentials onto the target device.
com.google.android.testdpc
is auto-populated.After you’ve finished testing your app in the environments above, you’ll likely want to test your app in an end-to-end production environment. This process includes the steps a customer needs to take to deploy your app in their organization, including:
You need to access an EMM console to complete the end-to-end testing. The easiest way to get one is to request a testing console from your EMM. Once you have access, complete these tasks:
This process will differ based on your EMM. Please consult your EMM’s documentation for further details. Congrats! You’ve completed these steps and verified that your app works well with Android for Work.