Search code examples
androidandroid-management-api

How to keep system apps from being removed during device provisioning via Android Management API

I am generating a QR enrollment code using the Android Management API; however, the system apps such as Camera, Calculator etc get removed by the DPC upon enrollment in fully managed mode.

Other posts have mentioned that you must add the following to the object generated by the enrollmentTokens.create() method: "android.app.extra.EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED" = true

What I am currently doing currently is:

  1. Generate the QR code with the following python code:
androidmanagement = build(
    "androidmanagement", "v1", credentials=credentials
)

enrollment_token = (
    androidmanagement.enterprises()
    .enrollmentTokens()
    .create(
        parent=f"enterprises/{enterprise_name}",
        body={
            "policyName": policy_name,
            "user": {"accountIdentifier": f"{some_identifier}"},
            "oneTimeOnly": "TRUE",
        },
    )
    .execute()
)
  1. Then add the property to the generated enrollment_token
res = json.loads(enrollment_token["qrCode"])

res["android.app.extra.EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"] = True

formatted_object_string = json.dumps(res)

enrollment_obj = formatted_object_string.replace(" ", "")

If you print enrollment_obj you get:

{"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver","android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"SOME_CHECK_SUM","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup","android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"SOME_ENROLLMENT_TOKEN"},"android.app.extra.EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true}

This object is used to create a QR code link that looks like the following (without obfuscated data of course):

https://chart.googleapis.com/chart?cht=qr&chs=500x500&chl=%7B%22android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME%22%3A%22com.google.android.apps.work.clouddpc%2F.receivers.CloudDeviceAdminReceiver%22%2C%22android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM%22%3A%22<SOME_CHECKSUM>%22%2C%22android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION%22%3A%22https%3A%2F%2Fplay.google.com%2Fmanaged%2FdownloadManagingApp%3Fidentifier%3Dsetup%22%2C%22android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE%22%3A%7B%22com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN%22%3A%22<SOME_ENROLLMENT_TOKEN>%22%7D%2C%22android.app.extra.EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED%22%3Atrue%7D

This will allow a successful enrollment; however, the DPC does not seem to honor the added property. Can anyone see where I may be going wrong?

EDIT: The problem was I was using the wrong property key. The correct key as mentioned in the answer is: android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED

Solution

  • It seems that you have used the incorrect key, try using android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED instead.

    res = json.loads(enrollment_token["qrCode"])

res["android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"] = True

formatted_object_string = json.dumps(res)

enrollment_obj = formatted_object_string.replace(" ", "")