VMware Workspace ONE Community
J4yJ4y
Enthusiast

Android Restriction Profile

One of the end users has downloaded and wants to run an Application from Google Play store on his device.
He can download the App, but receives a message popping up that device management does not allow running the App when opening it.


The device has a Restriction profile deployed that is not specifically denying permission to run this App.
There's also no Application blacklist present etc.


When I remove the Restriction profile from the device, the App runs normally.
I can't find any setting in the Restriction Profile blocking the App.
I even configured a restriction profile allowing everything and pushed that to the device, but that still blocked the Application.


The permissions that are listed for the Application.
(there are no switches available for these permissions, cannot turn them on or off).
-full network access
-show network connections
-prevent sleep mode
-play install referrer api
-receive internet data
-read Google service configuration


Question is if I am overlooking a setting in the Restriction Profile?
Or is there an implicit deny when a Restriction Profile is deployed? 

MikkiLoder
Contributor

Is the device a company-owned device? Has the device been set as Corporate owned? If so, is your application approved in the Google Play store? Go to Apps and Books, select the Public tab, Add Application. Select your platform (Android), then search the app store for the name of the application. Here you will need to approve the application in order for users to use the application on a managed device.
If the device is an employee owned device you need to set the device as employee owned so they can still run applications on their device that is not work managed.

J4yJ4y
Enthusiast

Device is corporate owned.
The App is downloaded from an added Google ID (personal) account on the device, which is allowed.


I've configured both
-fully managed-
and
-corporate owned personally enabled-
in the Settings section for Android (all settings/devices and users/android EMM registration / Enrollment settings).


Both give the same result.
Meaning the App can run normally in both setups only when the Restriction profile (which allows anything) is removed.


chengtmskcc
Expert

Sounds like you might have a conflicting profile(s) somewhere. While it's not best practice, there may be times when it's necessary to have more than one payload configured within the same profile. As such, the most restricted setting wins. I would start with that first.

CieLogement
Contributor

Hello,

Did you find what was causing this? I'm looking to replicate this behavior on my side because I don't want users running apps from their personal play store.

Regards

J4yJ4y
Enthusiast

Hi Cie,


In a test environment this was solved by allowing accounts to be added, in the restriction profile payload. As the App starts a wizard that creates an account on the device, this was a required setting to make the App work.


In production this was solved after factory reset and reenrollment of the device, with restriction profile described above, allowing add/remove accounts.

CMocco
Contributor

Hi Johan, can you post the payload in here? I have the same problem on the customer side. Thanks.

J4yJ4y
Enthusiast

Here's the Restriction profile payload in XML:


<wap-provisioningdoc id="a0b30531-1f28-485c-81c0-38e7486cbc34" name="Restriction/V_11" allowRemoval="True">
  <characteristic uuid="9aa55b56-2e5f-4336-8212-1d3d9d8342ca" type="com.airwatch.android.androidwork.restrictions" target="2">
    <parm name="allowCamera" value="True" />
    <parm name="SkipFirstUseHints" value="False" />
    <parm name="allowFactoryReset" value="False" />
    <parm name="allowBluetooth" value="True" />
    <parm name="allowBluetoothAndroidO" value="True" />
    <parm name="allowOutgoingBluetoothConnections" value="True" />
    <parm name="allowUSBDebugging" value="False" />
    <parm name="allowBackupService" value="True" />
    <parm name="allowWifiChanges" value="True" />
    <parm name="allowAllTethering" value="True" />
    <parm name="allowNonMarketAppInstall" value="False" />
    <parm name="allowUSBMassStorage" value="True" />
    <parm name="allowGooglePlay" value="True" />
    <parm name="allowChrome" value="True" />
    <parm name="allowScreenCapture" value="True" />
    <parm name="allowAccountChanges" value="True" />
    <parm name="allowRemoveWorkAccount" value="False" />
    <parm name="allowOutgoingPhoneCalls" value="True" />
    <parm name="allowSMS" value="True" />
    <parm name="allowCredentialsChanges" value="True" />
    <parm name="allowKeyguardFeatures" value="True" />
    <parm name="allowKeyguardCamera" value="True" />
    <parm name="allowKeyguardNotifications" value="True" />
    <parm name="allowKeyguardFingerprint" value="True" />
    <parm name="allowKeyguardTrustAgent" value="True" />
    <parm name="allowKeyguardUnredacted" value="True" />
    <parm name="allowModifyingAppsSettings" value="True" />
    <parm name="allowInstallingApps" value="True" />
    <parm name="allowUninstallingApps" value="True" />
    <parm name="allowDisableAppVerify" value="False" />
    <parm name="allowUSBFileTransfer" value="True" />
    <parm name="allowVPNChanges" value="True" />
    <parm name="allowMobileChanges" value="True" />
    <parm name="forceScreenOnPluggedAC" value="False" />
    <parm name="forceScreenOnPluggedUSB" value="False" />
    <parm name="forceScreenOnPluggedWireless" value="False" />
    <parm name="allowStatusBar" value="True" />
    <parm name="allowKeyguard" value="True" />
    <parm name="allowAddingUsers" value="True" />
    <parm name="allowRemovingUsers" value="True" />
    <parm name="allowSafeBoot" value="True" />
    <parm name="allowNFC" value="True" />
    <parm name="allowManagedWifiChanges" value="True" />
    <parm name="allowSetWallpaper" value="True" />
    <parm name="allowSetUserIcon" value="True" />
    <parm name="allowNonGoogleAccounts" value="True" />
    <parm name="whitelistPermittedAccessibilityServices" value="False" />
    <parm name="AllowSystemWindows" value="True" />
    <parm name="AllowSystemErrorDialogs" value="False" />
  </characteristic>
  <characteristic uuid="ba6973dd-2506-4f1f-ac9f-03ef71887302" type="com.airwatch.android.androidwork.restrictions" target="1">
    <parm name="SkipFirstUseHints" value="False" />
    <parm name="allowCamera" value="True" />
    <parm name="allowOutgoingBluetoothConnections" value="True" />
    <parm name="allowUSBDebugging" value="False" />
    <parm name="allowNonMarketAppInstall" value="False" />
    <parm name="allowGooglePlay" value="True" />
    <parm name="allowChrome" value="True" />
    <parm name="allowScreenCapture" value="True" />
    <parm name="allowAccountChanges" value="True" />
    <parm name="allowKeyguardFingerprint" value="True" />
    <parm name="allowKeyguardTrustAgent" value="True" />
    <parm name="allowKeyguardUnredacted" value="True" />
    <parm name="allowInstallingApps" value="True" />
    <parm name="allowUninstallingApps" value="True" />
    <parm name="allowDisableAppVerify" value="False" />
    <parm name="allowWorkPersonalPaste" value="False" />
    <parm name="allowWorkToAccessPersonal" value="True" />
    <parm name="allowPersonalToAccessWork" value="False" />
    <parm name="allowPersonalShareWithWork" value="True" />
    <parm name="allowWorkShareWithPersonal" value="False" />
    <parm name="allowWorkContactsInPhone" value="True" />
    <parm name="allowWorkWidgetsToPersonal" value="True" />
    <parm name="allowContacts" value="True" />
    <parm name="allowNFC" value="True" />
    <parm name="allowBluetoothContactSharing" value="True" />
    <parm name="allowNonGoogleAccounts" value="True" />
    <parm name="whitelistPermittedAccessibilityServices" value="False" />
  </characteristic>
</wap-provisioningdoc>


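Added example, not part of any poster's reply and not VMware code: a small Python audit of a restriction payload in the format posted above, listing which `allow*` settings are switched off per `target` and which settings differ between the two `characteristic` blocks (the place to look when a profile "allows everything" yet an app is still blocked, as with `allowAccountChanges` in this thread). The function names, the shortened sample payload and the rule "an `allow*` parm set to False is a deny" are assumptions of this example; `target` values are treated as opaque labels.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened sample in the same shape as the payload posted above.
SAMPLE = """<wap-provisioningdoc id="00000000-0000-0000-0000-000000000000" name="Restriction/sample" allowRemoval="True">
  <characteristic uuid="00000000-0000-0000-0000-000000000001" type="com.airwatch.android.androidwork.restrictions" target="2">
    <parm name="allowCamera" value="True" />
    <parm name="allowAccountChanges" value="False" />
    <parm name="allowFactoryReset" value="False" />
    <parm name="forceScreenOnPluggedAC" value="False" />
  </characteristic>
  <characteristic uuid="00000000-0000-0000-0000-000000000002" type="com.airwatch.android.androidwork.restrictions" target="1">
    <parm name="allowCamera" value="True" />
    <parm name="allowAccountChanges" value="True" />
    <parm name="allowWorkPersonalPaste" value="False" />
  </characteristic>
</wap-provisioningdoc>"""

def load_restrictions(xml_text):
    """Return {target: {parm name: bool}} for every restrictions characteristic."""
    result = {}
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        if not ch.get("type", "").endswith(".restrictions"):
            continue
        parms = result.setdefault(ch.get("target"), {})
        for p in ch.iter("parm"):
            parms[p.get("name")] = p.get("value", "").strip().lower() == "true"
    return result

def denied(restrictions):
    """Per target, the allow* settings that are off."""
    # Assumption: only allow*/Allow* names are permissions; force*/Skip* are ignored.
    return {t: sorted(n for n, v in parms.items() if n.lower().startswith("allow") and not v)
            for t, parms in restrictions.items()}

def conflicts(restrictions):
    """Settings that appear under more than one target with different values."""
    seen = {}
    for target, parms in restrictions.items():
        for name, value in parms.items():
            seen.setdefault(name, {})[target] = value
    return {n: by_t for n, by_t in seen.items() if len(set(by_t.values())) > 1}

if __name__ == "__main__":
    r = load_restrictions(SAMPLE)
    for target, names in denied(r).items():
        print(f"target={target}: denied -> {', '.join(names) or 'none'}")
    for name, by_target in conflicts(r).items():
        print(f"differs between targets: {name} {by_target}")
```

Run it against the profile XML exported from the console, and against any other profile assigned to the same device, to compare the deny lists side by side.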