Deploying EMS on Android 10 and Android 11
With the introduction of Android 10, Enterprise devices will benefit from improved security. These improvements will have an impact on how a device is ultimately provisioned.
To find out more about Android 10 improvements review the official Android developer documentation at https://developer.android.com/about/versions/10/features.
Relevant Andriod 10 Security Changes
The major changes that affect EMS Applications on Enterprise devices:
- Restrictions on accessing the Device Serial Number.
- Restrictions on an application's ability to start Activities from services.
Device Serial Number
For EMS applications to properly communicate the status of individual devices, the EMS Device ID application will need to be installed and started. This application allows all the EMS device applications to use the same device id. On Zebra and Honeywell devices, this application will be able to use the device Serial Number as the id.
Starting Activities from services
As some of the EMS applications work in the background using services, these applications will need a new permission granted to them: android.permission.SYSTEM_ALERT_WINDOW. This permission will allow the applications to start activities from services.
- EMS Launcher
- EMS Messaging
- EMS Support Agent
- EMS Remote Agent
Note: If running Android 10 on Zebra devices, the BlueFletch Launcher will set this permission, no further work is needed.
Device ID within EMM
Within an EMM Policy, ensure the following steps are completed. The Device ID application will be automatically installed and can not be removed by the user. Additionally this will prevent device setup from completing until installation is done.
1. Setup Actions
Utilize the Setup Action feature within Device Provisioning to install the Device ID application during device provisioning. Note: If your organization utilizes Playbook within device provisioning, the latest version of Playbook will ensure the Device ID application is properly installed and running.
2. Select the application
Ensure the Device ID application is defined within the Account and App Management section.
3. Set Permissions
Within Account and App Management ensure default permissions are allowed for SYSTEM_ALERT_WINDOW.