Behind The Scenes: Android Enterprise Work Profile Provisioning with Intune

Today let’s have a look at the behind-the-scenes activities that take place during the Android Enterprise Work Profile provisioning process with Microsoft Intune, a.k.a. Microsoft Endpoint Manager.

So without wasting any time, let’s get started.

The previous articles of the MEM Android series with Joy are listed below for your quick reference.

Post #1 – Evolution of Android management for Enterprise use
Post #2 – 9 myths regarding the use of Android in Enterprise
Post #3 – Android Enterprise: An ultimate use-case guide for the different management modes available with Intune
Post #4 – Android Enterprise Work Profile management with MEM Intune – Facts You Should Know

Managed Profile (Work Profile) Provisioning Process – Brief Overview

For Intune, we already know that the Company Portal app acts as the Device Policy Controller (DPC) on the device, and is responsible for provisioning the work profile on the device.

What is a Device Policy Controller (DPC)?

A Device Policy Controller (DPC) is an application created by an EMM solution that forms the bridge between the EMM server and the Android device being managed.

The EMM server sends instructions to the DPC in proprietary code, which the DPC then implements on the device using the platform-defined process.

In short, the end-user

  • installs the Company Portal app in the device primary profile (user’s personal profile) and launches it,
  • authenticates,
  • follows the guided steps

which in turn

  • provisions a work profile on the device,
  • registers the device with the organization,
  • checks for security requirements, and
  • enforces policies to the work profile as provisioned.

From an overview, the process looks quite simple; however, there is a lot of work happening behind the scenes.

In the following section, I have tried to shed light on all the behind-the-scenes activity that actually happens to get the work profile provisioned on the device.

Behind The Scenes: Managed Profile (Work Profile) Provisioning Process

Note that for Intune as an EMM solution, the Company Portal app is the EMM DPC app, and as such any mention of the DPC app in the steps below refers to the Company Portal app.
  • User downloads the EMM DPC app and launches it from the device’s primary profile (user personal profile).
  • DPC app starts running in the personal profile and presents the end-user with the sign-in screen.
  • User performs authentication using corporate credentials.
  • On success, user is presented with a screen with option to begin setting up the work profile.
  • With user consent, DPC app initiates the process to create a work profile, while itself running in the device primary profile (user personal profile).

The activities that follow are shown below.

  • DPC app first checks if the device supports work profile provisioning.
The DPC app does this by firing an intent to check for the existence of the FEATURE_MANAGED_USERS system feature.

Typically this is a call to the DPC app's isProvisioningAllowed() method. The DPC app knows whether the device supports a managed profile from the value returned by the method call.

Assuming that the device supports a work profile,

  • DPC app triggers the provisioning of the work profile on the device.
This is done by the DPC app firing the action intent ACTION_PROVISION_MANAGED_PROFILE:

Intent provisioningIntent = new Intent("android.app.action.PROVISION_MANAGED_PROFILE");

Note: The DPC triggers the action intent to provision the managed profile while itself still running in the device primary profile.
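The two steps above (the capability check and the provisioning intent) as one DPC activity running in the personal profile. This is an added example, not Company Portal or Intune code. It uses the framework calls behind the check described above, PackageManager.hasSystemFeature() for FEATURE_MANAGED_USERS and DevicePolicyManager.isProvisioningAllowed() on Android 7.0+, and then fires ACTION_PROVISION_MANAGED_PROFILE. DpcAdminReceiver is a hypothetical DeviceAdminReceiver that the DPC would declare in its manifest with the BIND_DEVICE_ADMIN permission; the request code is arbitrary.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Build;
import android.util.Log;

public class ProvisioningStarterActivity extends Activity {
    private static final String TAG = "DpcProvisioning";
    static final int REQUEST_PROVISION_MANAGED_PROFILE = 1;  // arbitrary request code

    /** Hypothetical admin receiver; the real DPC declares its own in the manifest. */
    public static class DpcAdminReceiver extends DeviceAdminReceiver { }

    /** Step 1: can this device host a work profile at all? */
    static boolean canProvisionManagedProfile(Activity activity) {
        PackageManager pm = activity.getPackageManager();
        // FEATURE_MANAGED_USERS is the system feature the check is about.
        if (!pm.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS)) {
            return false;
        }
        // Android 7.0+ can also say whether provisioning is allowed right now
        // (e.g. blocked by an existing work profile or a user restriction).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            DevicePolicyManager dpm =
                    (DevicePolicyManager) activity.getSystemService(DEVICE_POLICY_SERVICE);
            return dpm.isProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
        }
        return true;
    }

    /** Step 2: ask the system to create the work profile and make this app its profile owner. */
    void startManagedProfileProvisioning() {
        if (!canProvisionManagedProfile(this)) {
            Log.w(TAG, "Device does not support (or currently allow) a managed profile");
            return;
        }
        Intent provisioningIntent =
                new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
        ComponentName admin = new ComponentName(this, DpcAdminReceiver.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            provisioningIntent.putExtra(
                    DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME, admin);
        } else {
            // Pre-Marshmallow devices only accept the package name.
            provisioningIntent.putExtra(
                    DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, getPackageName());
        }
        // Deliberately NOT setting EXTRA_PROVISIONING_SKIP_ENCRYPTION, so the system's
        // encryption check (the first thing it does on receiving this intent) stays in force.
        if (provisioningIntent.resolveActivity(getPackageManager()) == null) {
            Log.w(TAG, "No system activity handles managed profile provisioning here");
            return;
        }
        startActivityForResult(provisioningIntent, REQUEST_PROVISION_MANAGED_PROFILE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_PROVISION_MANAGED_PROFILE) return;
        if (resultCode == RESULT_OK) {
            // The profile exists and this package's copy inside it is profile owner.
            // This personal-profile instance now waits for the system broadcast that
            // confirms provisioning finished before disabling itself.
            Log.i(TAG, "Managed profile provisioning accepted by the system");
        } else {
            Log.w(TAG, "User cancelled or the system refused managed profile provisioning");
        }
    }
}
```

The result code only tells the personal-profile instance that the system accepted the request; the definitive signal that the profile was provisioned is the broadcast described further down, which is why this instance keeps listening rather than treating RESULT_OK as completion.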

The system responds to this intent by doing the following:

  • Verifies that the device is encrypted. If not, the system prompts the user to encrypt the device before proceeding.
  • Creates a work profile.
  • Removes non-required applications from the work profile.
  • Copies the DPC app into the work profile and sets it as the profile owner.

Once the last step above completes, we see the Company Portal app running in the personal profile close itself and the work-badged instance of the Company Portal app come to life.

The Company Portal app instance in the personal profile enters a waiting state and continues to listen for the system broadcast that tells it whether work profile provisioning completed successfully.

Provisioning of the managed profile (work profile) continues with the work-badged DPC app (running within the newly created work profile).

Upon completion of managed profile provisioning, the system calls the DPC app's onProfileProvisioningComplete() method.

An EMM typically overrides this callback in its DPC app to finish enabling the work profile. A typical implementation does the following:

  • Adds the managed Google Play account to the work profile, using the Android framework’s AccountManager class public method addAccount(), so that approved apps can be installed on the device.
  • Verifies that the managed profile complies with the policies enforced by the EMM service.

The profile owner (the work-badged instance of the DPC app) receives the broadcast intent ACTION_PROFILE_PROVISIONING_COMPLETE, indicating that provisioning of a managed profile has completed successfully. From Android Oreo, the profile owner also receives the activity intent ACTION_PROVISIONING_SUCCESSFUL, sent at the same time as ACTION_PROFILE_PROVISIONING_COMPLETE. These intents are handled as part of the onProfileProvisioningComplete() callback implementation in the DPC app.

Up to this point, the work profile (managed profile) as provisioned is not yet enabled and as such remains hidden (not visible to the end-user).

The above results in the work profile being enabled on the device, and it is now visible to the end-user.

However, the provisioning process is not over yet.

Remember that the DPC app instance running in the personal profile, the actual initiator of the action intent ACTION_PROVISION_MANAGED_PROFILE, is still in a waiting state, waiting for the system broadcast that tells it whether provisioning succeeded.

A broadcast action intent ACTION_MANAGED_PROFILE_PROVISIONED (on Android 5.0) is sent to the DPC app in the personal profile, at the same time as ACTION_PROFILE_PROVISIONING_COMPLETE. From Android 5.1, the broadcast action intent ACTION_MANAGED_PROFILE_ADDED is sent instead of ACTION_MANAGED_PROFILE_PROVISIONED.

  • Upon receiving the broadcast action intent, the DPC app instance in the device personal profile disables itself.

The user can later re-enable the DPC in the personal profile from Google Play.

The DPC app instance in the user's personal profile makes a setApplicationEnabledSetting() method call requesting newState COMPONENT_ENABLED_STATE_DISABLED.

With the DPC app instance in the device primary profile disabled, the provisioning process of the managed work profile on the (personally-owned) device is complete.
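The two completion steps just described, the profile-owner instance finishing and enabling the hidden profile from onProfileProvisioningComplete(), and the personal-profile instance disabling itself when the ACTION_MANAGED_PROFILE_ADDED broadcast arrives, as one DeviceAdminReceiver. This is an added example, not Company Portal code. It assumes the receiver is declared in the DPC's manifest with an intent filter for both android.app.action.PROFILE_PROVISIONING_COMPLETE and android.intent.action.MANAGED_PROFILE_ADDED; the profile name string is arbitrary, and the managed Google Play account setup from the next section is represented only by a comment.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.util.Log;

public class DpcAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "DpcAdminReceiver";

    /** Runs in the work profile, once the system has finished creating it. */
    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm = getManager(context);
        // This callback is only meaningful where this package is profile owner.
        // Refusing to act elsewhere guards against a stray or spoofed intent.
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            Log.w(TAG, "Provisioning-complete callback received, but this app is not profile owner");
            return;
        }
        // While the profile is still hidden from the user, policies and the managed
        // Google Play account (AccountManager.addAccount(), see the next section) are put
        // in place. Only after that is the profile named, enabled and made visible.
        dpm.setProfileName(getWho(context), "Work profile");  // arbitrary display name
        dpm.setProfileEnabled(getWho(context));
        Log.i(TAG, "Work profile enabled");
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (Intent.ACTION_MANAGED_PROFILE_ADDED.equals(intent.getAction())) {
            onManagedProfileAdded(context);
            return;
        }
        // Everything else (PROFILE_PROVISIONING_COMPLETE, admin enabled, ...) is routed
        // by DeviceAdminReceiver to the corresponding callback.
        super.onReceive(context, intent);
    }

    /** Runs in the personal profile: the instance that initiated provisioning and has been waiting. */
    static void onManagedProfileAdded(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm.isProfileOwnerApp(context.getPackageName())) {
            // This is the work-profile copy; it must stay enabled.
            return;
        }
        // The personal-profile instance has done its job. An app may change its own
        // enabled state without any special permission; with flags 0 the system may stop
        // this process, which is fine because nothing else is pending here. The user can
        // re-enable the app later from Google Play.
        context.getPackageManager().setApplicationEnabledSetting(
                context.getPackageName(),
                PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
                0);
        Log.i(TAG, "Personal-profile DPC instance disabled after work profile was added");
    }
}
```

The isProfileOwnerApp() check is the cheap way to tell which of the two instances a callback landed in, since the same APK runs in both profiles; it also keeps the self-disable from ever firing inside the work profile, which would leave the profile without a functioning profile owner.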

Behind The Scenes: How Intune provisions the work profile with a managed Google Play Account.

A lot of activity also happens behind the scenes to add the managed Google Play account. Since this is a deep-dive post, let’s dig in to see what happens there.

All the activities listed below occur to add the managed Google Play account to the provisioned work profile, and as such relate to the AccountManager.addAccount() method call mentioned above.

[1] The DPC app initializes the DPC Support Library to ensure the device can support a managed Google Play account.

AndroidForWorkAccountSupport androidForWorkAccountSupport = new AndroidForWorkAccountSupport(context, admin);
androidForWorkAccountSupport.ensureWorkingEnvironment(callback);

[2] The DPC app requests from the EMM the managed Google Play account credentials for the particular EMM user.

[3] The EMM checks if it already has a managed Google Play account resource for the EMM user.

[4] If not, the EMM creates a managed Google Play account (obfuscated account) for the EMM user.

This is a Play EMM API call that Intune makes in the backend. Ref: Users.insert()

HTTP Request

POST https://www.googleapis.com/androidenterprise/v1/enterprises/enterpriseId/users

Request Body

{
  "accountIdentifier": string,
  "accountType": string
}

The response body of this API call returns the created User resource (the managed Google Play account, identified by a unique userId) to Intune.

{
  "id": string,                 (unique ID for the user in the managed Google Play accounts DB)
  "managementType": "emmManaged",
  "accountType": string,        (userAccount / deviceAccount)
  "accountIdentifier": string,  (EMM-created unique identifier for the user/device)
  "displayName": string         (the name that displays in the UI)
}

Intune has its own logic to maintain the mapping from the obfuscated account (userId) it created to the actual user identity in Azure. This mapping is opaque to Google.

[5] Upon receiving the created managed Google Play account (userId), the EMM requests credentials for the account.

This is another Play EMM API call made by Intune. Ref: Users.generateAuthenticationToken()

HTTP Request

POST https://www.googleapis.com/androidenterprise/v1/enterprises/enterpriseId/users/userId/authenticationToken

The response body of this API call returns an auth token to Intune.

{
  "token": string
}

This authentication token is short-lived and must be used by the EMM DPC app to add the account programmatically. It is of no use to the actual end-user.
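Steps [3] to [5] as an EMM backend would run them against the two Play EMM API endpoints quoted above. This is an added example, not Intune's backend code. It assumes the server already holds an OAuth 2.0 access token for the Play EMM API (googleAccessToken), that enterpriseId is a placeholder, and that the directory-user-to-obfuscated-account mapping, which the post says the EMM keeps to itself, is an in-memory map standing in for the EMM's real store. The JSON handling is a minimal regex extraction so the class has no dependencies.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ManagedPlayAccountService {
    private static final String BASE =
            "https://www.googleapis.com/androidenterprise/v1/enterprises/";
    private final String enterpriseId;       // placeholder, e.g. "ENTERPRISE_ID_PLACEHOLDER"
    private final String googleAccessToken;  // OAuth 2.0 bearer token for the Play EMM API (assumed)
    // Directory identity -> managed Google Play account id. This stays inside the EMM;
    // Google only ever sees the opaque accountIdentifier chosen below.
    private final Map<String, String> userIdByDirectoryUser = new ConcurrentHashMap<>();

    public ManagedPlayAccountService(String enterpriseId, String googleAccessToken) {
        this.enterpriseId = enterpriseId;
        this.googleAccessToken = googleAccessToken;
    }

    /** Steps [3] and [4]: reuse the existing obfuscated account for this user, or create one. */
    public String ensureManagedPlayUser(String directoryUserId) throws IOException {
        String existing = userIdByDirectoryUser.get(directoryUserId);
        if (existing != null) {
            return existing;
        }
        // accountIdentifier is chosen by the EMM and must not reveal the real user:
        // a random UUID carries no PII and is trivially unique.
        String accountIdentifier = UUID.randomUUID().toString();
        String body = "{\"accountIdentifier\":\"" + accountIdentifier + "\","
                + "\"accountType\":\"userAccount\"}";
        String response = post(BASE + enterpriseId + "/users", body);
        String userId = extract(response, "id");
        userIdByDirectoryUser.put(directoryUserId, userId);
        return userId;
    }

    /** Step [5]: short-lived token for the DPC to add the account; never shown to the end user. */
    public String generateAuthenticationToken(String userId) throws IOException {
        String response = post(BASE + enterpriseId + "/users/" + userId + "/authenticationToken", "");
        return extract(response, "token");
    }

    private String post(String url, String jsonBody) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Authorization", "Bearer " + googleAccessToken);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(jsonBody.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        if (status / 100 != 2) {
            // Do not echo the response body into logs: a successful token response
            // would contain a credential, and error bodies can carry identifiers too.
            throw new IOException("Play EMM API returned HTTP " + status + " for " + url);
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Extracts one top-level string field from a small JSON object (enough for these responses). */
    static String extract(String json, String field) throws IOException {
        Matcher m = Pattern.compile("\"" + field + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) {
            throw new IOException("Field '" + field + "' missing from Play EMM API response");
        }
        return m.group(1);
    }
}
```

The EMM-side lookup in ensureManagedPlayUser() is what makes step [3] idempotent: a second enrollment for the same directory user reuses the existing obfuscated account rather than creating another one, and generateAuthenticationToken() is the only call that needs to run per enrollment.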

[6] The EMM sends the managed Google Play account details, along with the authentication token, to the DPC app.

[7] The DPC app adds the managed Google Play account received from the EMM to the managed profile being provisioned.

The Android framework's AccountManager class public method addAccount() is used to add a managed Google Play account to a device (or work profile). However, to simplify the interaction with AccountManager, a helper method from the DPC Support Library is used, as below.

androidForWorkAccountSupport.addAndroidForWorkAccount(token, accountAddedCallback);

The callback for this method reports the success or failure of the process. On success, the work profile is provisioned with the managed Google Play account.
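The device side of steps [1], [2], [6] and [7], built around the two DPC Support Library calls quoted above. This is an added example, not Company Portal code. The package name and the callback types (WorkingEnvironmentCallback, WorkAccountAddedCallback, each with its nested Error type) are what I understand Google's DPC Support Library to use, and are assumptions here. EmmClient is a hypothetical interface for the DPC's authenticated channel to its EMM server, and ProfileReady is a hypothetical callback the profile-owner code uses to decide when to enable the profile.

```java
import android.accounts.Account;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;

import com.google.android.apps.work.dpcsupport.AndroidForWorkAccountSupport;
import com.google.android.apps.work.dpcsupport.WorkAccountAddedCallback;
import com.google.android.apps.work.dpcsupport.WorkingEnvironmentCallback;

public class ManagedPlayAccountInstaller {
    private static final String TAG = "ManagedPlayAccount";

    /** Hypothetical: the DPC's channel to the EMM (step [2] request, step [6] response). */
    public interface EmmClient {
        /** Returns the short-lived managed Google Play auth token the EMM obtained for this user.
         *  Assumed non-blocking here; a real DPC performs the network call off the main thread. */
        String fetchManagedPlayAuthToken(String enrolledUserId) throws Exception;
    }

    /** Hypothetical: what the profile-owner code does once the account is (or is not) in place. */
    public interface ProfileReady {
        void onReady();
        void onFailed(String reason);
    }

    private final AndroidForWorkAccountSupport support;
    private final EmmClient emm;

    public ManagedPlayAccountInstaller(Context context, ComponentName admin, EmmClient emm) {
        this.support = new AndroidForWorkAccountSupport(context, admin);  // step [1]
        this.emm = emm;
    }

    public void install(final String enrolledUserId, final ProfileReady done) {
        // Step [1]: make sure Google Play services and the Play Store in this profile can
        // host a managed account; the library brings them up to date if needed.
        support.ensureWorkingEnvironment(new WorkingEnvironmentCallback() {
            @Override
            public void onSuccess() {
                fetchTokenAndAddAccount(enrolledUserId, done);
            }

            @Override
            public void onFailure(Error error) {
                done.onFailed("Working environment not available: " + error);
            }
        });
    }

    private void fetchTokenAndAddAccount(String enrolledUserId, final ProfileReady done) {
        final String token;
        try {
            token = emm.fetchManagedPlayAuthToken(enrolledUserId);  // steps [2] and [6]
        } catch (Exception e) {
            done.onFailed("EMM did not return a managed Google Play token: " + e.getMessage());
            return;
        }
        // Step [7]: the token is consumed by the library's addAccount() wrapper and is
        // never logged or shown in the UI; it is single-purpose and expires on its own.
        support.addAndroidForWorkAccount(token, new WorkAccountAddedCallback() {
            @Override
            public void onAccountReady(Account account, String deviceHint) {
                Log.i(TAG, "Managed Google Play account added, type=" + account.type);
                done.onReady();  // caller may now enable the profile
            }

            @Override
            public void onFailure(Error error) {
                done.onFailed("addAndroidForWorkAccount failed: " + error);
            }
        });
    }
}
```

Because both library calls are asynchronous, the profile-owner code that calls install() from onProfileProvisioningComplete() should defer setProfileEnabled() to the onReady() callback rather than enabling the profile straight away; otherwise the user can see a work profile whose Play Store has no managed account yet.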

The End

That was all for today. I hope you find this post useful.