VMware Workspace ONE Community
Dany86
VMware Employee

Manage your Internal Apps Permissions on Android Enterprise Work Managed Device

When managing an Android Enterprise work managed device, you may want to deploy internal applications (so-called sideloaded apps) onto your devices. One of the challenges with internal apps is granting the app's permissions on behalf of the user.

To do so, you will need to prepare the Android code with the specific permissions you want to Grant, Deny or Prompt the user for. You will then need to compile this into Base64 and add it to our custom XML script, which you will push down to the devices using a profile in the Workspace ONE console. Please see the breakdown of the steps below:

1. Below is sample code with permissions set. Please note that you are only required to insert the permissions you want, with the right value: 0 to Prompt the user, 1 to Grant and 2 to Deny. Adjust the code below as you need (don't forget to change the bundle ID of your app).

[{"packageName":"com.evernote","permissions":[{"name":"android.permission.ACCESS_COARSE_LOCATION","value":"0"},
{"name":"android.permission.ACCESS_FINE_LOCATION","value":"1"},
{"name":"android.permission.ACCESS_NETWORK_STATE","value":"2"},
{"name":"android.permission.ACCESS_WIFI_STATE","value":"0"},
{"name":"android.permission.AUTHENTICATE_ACCOUNTS","value":"0"},
{"name":"android.permission.CAMERA","value":"0"},
{"name":"android.permission.FOREGROUND_SERVICE","value":"0"},
{"name":"android.permission.GET_ACCOUNTS","value":"0"},
{"name":"android.permission.INTERNET","value":"0"},
{"name":"android.permission.MANAGE_ACCOUNTS","value":"0"},
{"name":"android.permission.READ_CALENDAR","value":"0"},
{"name":"android.permission.READ_CONTACTS","value":"0"},
{"name":"android.permission.READ_EXTERNAL_STORAGE","value":"0"},
{"name":"android.permission.READ_PHONE_STATE","value":"0"},
{"name":"android.permission.READ_SYNC_SETTINGS","value":"0"},
{"name":"android.permission.READ_SYNC_STATS","value":"0"},
{"name":"android.permission.RECEIVE_BOOT_COMPLETED","value":"0"},
{"name":"android.permission.RECORD_AUDIO","value":"0"},
{"name":"android.permission.USE_BIOMETRIC","value":"0"},
{"name":"android.permission.USE_CREDENTIALS","value":"0"},
{"name":"android.permission.USE_FINGERPRINT","value":"0"},
{"name":"android.permission.VIBRATE","value":"0"},
{"name":"android.permission.WAKE_LOCK","value":"0"},
{"name":"android.permission.WRITE_EXTERNAL_STORAGE","value":"0"},
{"name":"android.permission.WRITE_SYNC_SETTINGS","value":"0"},
{"name":"com.android.launcher.permission.INSTALL_SHORTCUT","value":"0"},
{"name":"com.android.vending.BILLING","value":"0"},
{"name":"com.evernote.android.permission.APP_EVENT","value":"0"},
{"name":"com.evernote.permission.C2D_MESSAGE","value":"0"},
{"name":"com.google.android.c2dm.permission.RECEIVE","value":"0"},
{"name":"com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE","value":"0"},
{"name":"com.sonymobile.permission.CAMERA_ADDON","value":"0"},
{"name":"samsung.snote.permission.EVERNOTE","value":"0"}]}]


2. Now select and copy your code, then encode it with Base64 using any online tool, for example: https://www.base64encode.net/


3. Take the encoded string and insert it into the AppLevelRuntimePermissions value field of the following custom XML script:

<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" type="com.airwatch.android.androidwork.permissions" target="1"><parm name="MasterRuntimePermission" value="1" type="integer" /><parm name="AppLevelRuntimePermissions" value="W3sicGFja2FnZU5hbWUiOiJjb20uZjUuZWRnZS5jbGllbnRfaWNzIiwicGVybWlzc2lvbnMiOlt7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQUNDRVNTX05FVFdPUktfU1RBVEUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQUNDRVNTX1dJRklfU1RBVEUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQkxVRVRPT1RIIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLkNBTUVSQSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5JTlRFUk5FVCIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5SRUFEX0VYVEVSTkFMX1NUT1JBR0UiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uUkVBRF9QSE9ORV9TVEFURSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5VU0VfRklOR0VSUFJJTlQiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uV1JJVEVfRVhURVJOQUxfU1RPUkFHRSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImNvbS5mNS5lZGdlLmNsaWVudF9pY3MucGVybWlzc2lvbi5FREdFX0xPQ0FMX1NFUlZJQ0VfQlJPQURDQVNUIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiY29tLmY1LmVkZ2UuY2xpZW50X2ljcy5wZXJtaXNzaW9uLkY1X0JST0FEQ0FTVCIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImNvbS5mNS5lZGdlLmNsaWVudF9pY3MucGVybWlzc2lvbi5TRVJWSUNFX1JFUVVFU1RfQlJPQURDQVNUIiwidmFsdWUiOiIxIn1dfSx7InBhY2thZ2VOYW1lIjoiY29tLm1pY3Jvc29mdC5vZmZpY2UubHluYzE1IiwicGVybWlzc2lvbnMiOlt7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQUNDRVNTX05FVFdPUktfU1RBVEUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQUNDRVNTX1dJRklfU1RBVEUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQVVUSEVOVElDQVRFX0FDQ09VTlRTIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLkJMVUVUT09USCIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5CUk9BRENBU1RfU1RJQ0tZIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLkNBTExfUEhPTkUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uQ0FNRVJBIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLkNIQU5HRV9ORVRXT1JLX1NUQV
RFIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLkNIQU5HRV9XSUZJX01VTFRJQ0FTVF9TVEFURSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5DSEFOR0VfV0lGSV9TVEFURSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5HRVRfQUNDT1VOVFMiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uR0VUX1RBU0tTIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLklOVEVSTkVUIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLk1BTkFHRV9BQ0NPVU5UUyIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5NT0RJRllfQVVESU9fU0VUVElOR1MiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uUkVBRF9DQUxFTkRBUiIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5SRUFEX0NPTlRBQ1RTIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLlJFQURfRVhURVJOQUxfU1RPUkFHRSIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5SRUFEX1BIT05FX1NUQVRFIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLlJFQURfU1lOQ19TRVRUSU5HUyIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5SRUFEX1NZTkNfU1RBVFMiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJhbmRyb2lkLnBlcm1pc3Npb24uUkVDT1JEX0FVRElPIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLlVTRV9DUkVERU5USUFMUyIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5WSUJSQVRFIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLldBS0VfTE9DSyIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5XUklURV9DT05UQUNUUyIsInZhbHVlIjoiMSJ9LHsibmFtZSI6ImFuZHJvaWQucGVybWlzc2lvbi5XUklURV9FWFRFUk5BTF9TVE9SQUdFIiwidmFsdWUiOiIxIn0seyJuYW1lIjoiYW5kcm9pZC5wZXJtaXNzaW9uLldSSVRFX1NZTkNfU0VUVElOR1MiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJjb20uZ29vZ2xlLmFuZHJvaWQuYzJkbS5wZXJtaXNzaW9uLlJFQ0VJVkUiLCJ2YWx1ZSI6IjEifSx7Im5hbWUiOiJjb20uZ29vZ2xlLmFuZHJvaWQuZmluc2t5LnBlcm1pc3Npb24uQklORF9HRVRfSU5TVEFMTF9SRUZFUlJFUl9TRVJWSUNFIiwidmFsdWUiOiIxIn1dfV0=" type="string" /></characteristic>

4. Before you can deploy the permission script, you need to ensure that your app has been deployed to the device first. You can then go into the console under Devices --> Profiles & Resources --> Profiles, then create an Android profile and add Custom Settings as per below:

pastedImage_17.png

Special credits to Monalisa for helping me with this procedure!

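Added example, not part of the original post or of VMware's tooling: steps 1 to 3 done locally in Python, so the permission list is validated and Base64-encoded without an online tool, plus a decoder for reviewing what an existing AppLevelRuntimePermissions value grants. The package name in the sample policy and the function names are assumptions; the uuid, type and parm names are copied from the XML in the post.

```python
import base64
import json

# Value semantics stated in the post: 0 = prompt the user, 1 = grant, 2 = deny.
ACTIONS = {"0": "prompt", "1": "grant", "2": "deny"}
# Characteristic attributes copied from the post's sample XML.
UUID = "ece876fd-da7d-424f-9bab-85a1b483e95d"
TYPE = "com.airwatch.android.androidwork.permissions"

def encode_policy(policy):
    """Validate a {package: {permission: value}} mapping; return the Base64 string."""
    apps = []
    for package, perms in policy.items():
        entries = []
        for name, value in perms.items():
            if str(value) not in ACTIONS:
                raise ValueError(f"{package}: {name} has invalid value {value!r}")
            entries.append({"name": name, "value": str(value)})
        apps.append({"packageName": package, "permissions": entries})
    raw = json.dumps(apps, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def build_characteristic(encoded):
    """Wrap the Base64 string in the custom settings XML shown in the post."""
    return (
        f'<characteristic uuid="{UUID}" type="{TYPE}" target="1">'
        '<parm name="MasterRuntimePermission" value="1" type="integer" />'
        f'<parm name="AppLevelRuntimePermissions" value="{encoded}" type="string" />'
        "</characteristic>"
    )

def audit(encoded):
    """Decode an AppLevelRuntimePermissions value into (package, permission, action)."""
    apps = json.loads(base64.b64decode(encoded, validate=True))
    return [(app["packageName"], p["name"], ACTIONS.get(str(p["value"]), "invalid"))
            for app in apps for p in app["permissions"]]

# Constructed sample policy; the package name is a placeholder, not from the post.
SAMPLE = {"com.example.internalapp": {
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.READ_CONTACTS": 0,
}}

if __name__ == "__main__":
    value = encode_policy(SAMPLE)
    print(build_characteristic(value))
    for row in audit(value):
        print(*row)
```

Running `audit()` on the value attribute of a profile that is already deployed lists every package and permission it auto-grants, which is a quick way to review a profile before assigning it more widely.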
Sionet
Contributor

For Android 11, is there a way to disable the "Remove permissions if app isn't used" permission setting?