App Permissions and Configurations
Customizing an app to cater to the needs of your organization can now be done seamlessly using MDM. Android Enterprise supports modification of any permission or configuration designated to an app.
Learn how to install Play Store and Enterprise apps silently on Android devices from here.
You can manage the permissions requested by an app. The permissions (to access functionalities like Local Storage, Camera, Contacts, etc.) can be enabled, disabled, or left user-controlled. This ensures confidential data stays protected. When the permissions of an app are configured by the admin, the employee cannot revert the changes, as this is restricted by MDM. For example, if the admin restricts the usage of the camera in an app, the user is not allowed to use the camera and cannot modify the permission. This is supported for Samsung devices running Android 6.0 and above, and for non-Samsung devices that are provisioned as Device Owner/Profile Owner.
Advanced App Permissions
Advanced App Permissions are a set of permissions given to an app by MDM. When an app is provisioned with these permissions, it can control functions like managing certificates, uninstalling apps, etc., on the device. These advanced app permissions are supported for specific apps only. Advanced App Permissions can only be configured via MDM, and these permissions are not visible on the user's device. It is recommended to give these permissions only to the apps that require them.
MDM provides the advanced app permissions listed below.
- Install and manage certificates: Certificates can be distributed from the app when enabled.
- Manage configurations for other apps: This lets the app manage configurations of other apps on the device.
- Block app uninstallation: The app prevents the uninstallation of other apps.
- Manage permission for other applications: The app can allow or deny permissions of other apps.
- Suspend other applications: The app can suspend any app when this permission is enabled.
- Enable system apps: System apps can be enabled from this app.
Follow the steps below to modify app permissions.
- Click on Device Management.
- Click App Repository and select the app whose permissions are to be modified.
- Click the Permissions tab and modify the permissions. (Advanced app permissions can be applied only if required; please refer to the above description.)
- Click Save to finish.
For devices running Android 11 and above, when the location permission is set to Allow for a specific app via MDM, Android displays an alert to notify the user that the IT admin is allowing the app to use location services. This alert appears every time the app uses the location services of the device. This notification cannot be disabled by MDM.
Regular permissions provisioned in the app can be granted by managing app permissions from the MDM server. Certain permissions have to be enabled or disabled by the user on the device. The user can select the app and enable or disable the required permissions. Examples are optimizing battery usage or managing local storage on Samsung devices.
App Permissions for Enterprise apps
For enterprise apps, on uploading the .apk file to the App Repository, the Permissions tab is displayed if app permissions are supported for the app. If this tab is not available, app permissions are not supported for the selected enterprise app. Contact the app developer to provision app permissions.
If you cannot pre-configure the enterprise app permissions, check if the permissions required are provided in the .apk file. Manually install the .apk file on the device and then navigate to Settings -> Apps -> App name -> Permission and check if the permissions are listed. If they are not listed in the Settings app, the permissions tab will also not be displayed on MDM server.
You can configure the app to suit the needs of your organization and ensure that apps are pre-configured before they are distributed to devices. This saves time both for users, who need not configure the app after installation, and for admins, who can configure the app once and distribute it to multiple users.
Follow the steps below to modify app configurations.
- Click Device Management in MDM Web Console.
- Click App Repository and select the app whose configurations are to be modified.
- Click the Configurations tab and modify the configurations.
- Click Save to finish.
NOTE: Configurations can be modified using MDM only if the app developer(s) have provisioned the app with configurations.
To meet the needs of your organization, you can create app configurations for applications. A few examples of apps that support app configurations are:
An app whose configurations can be modified can be identified by the text "This app offers managed configuration", present below the app on the approval screen.
App Configurations for Enterprise apps
For enterprise apps, on uploading the .apk file to the App Repository, the Configurations tab is displayed if app configurations are supported for the app. If this tab is not available, app configurations are not supported for the selected enterprise app. Contact the app developer to provision app configurations. For enterprise apps, the app configurations should be specified in the app's res/xml directory. Refer to this document for more information about managing app configurations for enterprise apps.
According to Android Developer documentation, it is advised to give another string directly in the string resource instead of referring to another string resource.
You can use dynamic variables to ease the process of setting up App Configurations for the first time, before distributing them to devices/groups. Dynamic variables automatically fetch the required data from enrollment information, which simplifies the process for IT admins. The following dynamic variables are supported in MDM:
- %username% - Fetches the user name of the device user.
- %upn% - Fetches the User Principal Name (UPN) associated with the user.
- %email% - Fetches the e-mail address of the user.
- %udid% - Fetches the UDID associated with the device.
- %imei% - Fetches the IMEI number associated with the device.
- %serialnumber% - Fetches the serial number associated with the device.
- %devicename% - Fetches the name associated with the device.
- %domainname% - Fetches the org domain of which the user is a part.
- %apn_username% - Fetches the APN user name of the user.
- %apn_password% - Fetches the APN password of the user.
- %easid% - Fetches the EAS ID associated with the user.
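The following is an added example, not part of the MDM product or the original page: a check an admin could run before distributing a configuration. It reads the schema an enterprise app declares in res/xml and the values to be pushed, then flags undeclared keys, variables outside the supported list above, and variables carrying credentials or device identifiers. The sample schema, the key names and the choice of which variables count as sensitive are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Dynamic variables listed on this page.
SUPPORTED = {"username", "upn", "email", "udid", "imei", "serialnumber",
             "devicename", "domainname", "apn_username", "apn_password", "easid"}
# Assumption: which variables to treat as sensitive is a local policy choice.
SENSITIVE = {"apn_password", "imei", "serialnumber", "udid"}

# Constructed sample of a res/xml managed-configuration schema.
SAMPLE_SCHEMA = """<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
  <restriction android:key="account_email" android:title="Account e-mail"
               android:restrictionType="string" />
  <restriction android:key="server_url" android:title="Server URL"
               android:restrictionType="string"
               android:defaultValue="https://mail.example.com" />
  <restriction android:key="allow_export" android:title="Allow export"
               android:restrictionType="bool" android:defaultValue="false" />
</restrictions>"""

def schema_keys(xml_text):
    """Map each restriction key to its declared restrictionType."""
    root = ET.fromstring(xml_text)
    return {r.get(ANDROID + "key"): r.get(ANDROID + "restrictionType")
            for r in root.iter("restriction")}

def lint_config(schema_xml, values):
    """Return (key, problem) findings for an admin-supplied configuration."""
    keys = schema_keys(schema_xml)
    findings = []
    for key, value in values.items():
        if key not in keys:
            findings.append((key, "key not declared by the app"))
            continue
        for var in re.findall(r"%([A-Za-z_]+)%", str(value)):
            if var not in SUPPORTED:
                findings.append((key, f"unsupported variable %{var}%"))
            elif keys[key] != "string":
                findings.append((key, f"%{var}% used in non-string field"))
            elif var in SENSITIVE:
                findings.append((key, f"sensitive variable %{var}% exposed to app"))
    return findings
```

An empty result means every key is declared by the app and every variable is on the supported list, sits in a string field, and is not one the local policy treats as sensitive.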