Get device identifier from Android Device Policy


We are trying out the EMM MDM app using Android Enterprise. So we enroll using Android Enterprise in Fully managed mode.

We'll be having a per device policy mechanism, so every device will have a separate policy. Now at the start, we don't have any info about who's the user, so we apply the default policy and then during setup (using setupActions), we open our custom app and ask the user to log in using username and password, that way we know who's the user.

The issue is, we know the user, but we don't know on which device the user has logged into since we can't query IMEI/SerialNumber (https://developer.android.com/training/articles/user-data-ids#best-practices-android-identifiers)

The issue is we make users log in from our app but in AndroidEnterprise, the device name is different.

We want to create a mapping of username <---> device info from AE.

Can we query the Android Device Policy app in some way to get any identifier so that we can map deviceId <---> username? Or is there any other suggested way?

We cannot send deviceName or anything in Managed configuration since, at that time, the user is not enrolled in AndroidEnterprise; thus, we don't have that info. See ref.

Also, does anyone know how we can interact with Android Device Policy somehow, to know which policy is applied, etc.?


There are 2 answers

2
Linh Pham Ai On

From Android 10, reading device identifier numbers requires the READ_PRIVILEGED_PHONE_STATE permission. However, apps installed from the Google Play Store cannot declare privileged permissions.

If you work with the Android Management API, you can set the policy DelegatedScope: CERT_INSTALL for your application so that it has a special permission that gives access to certificate installation and management, so that we can use the READ_PHONE_STATE permission in your app's manifest.

  1. From your application, you can get IMEI/SerialNumber
  2. From your default policy, you have to set delegate scopes for your application

     {
       "applications": [
         {
           "packageName": "your-app-package-name",
           "delegatedScopes": [
             "CERT_INSTALL"
           ]
         }
       ]
     }

0
TJ Domingo On

device.list can be used to check the list of devices enrolled in a specific enterprise, while devices.get may be used to check the details of a specific device. You may want to check this link for the list of information you may get using device.get.
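
An added example, not part of either answer or of any project's code: a server-side join of the serial number the custom app reports at login (first answer) against a devices.list response (second answer), producing the username <---> device mapping and the applied policy the question asks about. The response and logins are constructed samples; field names follow the Android Management API Device resource, and `bind_logins`, `norm` and the login tuple shape are assumptions.

```python
# Constructed sample of an enterprises.devices.list response (not real data).
DEVICES_LIST_RESPONSE = {
    "devices": [
        {"name": "enterprises/LC0example/devices/3a1f", "state": "ACTIVE",
         "hardwareInfo": {"serialNumber": "R58M12ABCDE"},
         "appliedPolicyName": "enterprises/LC0example/policies/default"},
        {"name": "enterprises/LC0example/devices/77b2", "state": "ACTIVE",
         "hardwareInfo": {"serialNumber": "ZY223XYZ99"},
         "appliedPolicyName": "enterprises/LC0example/policies/default"},
        {"name": "enterprises/LC0example/devices/90cc", "state": "DISABLED",
         "hardwareInfo": {"serialNumber": "HT7A1000001"},
         "appliedPolicyName": "enterprises/LC0example/policies/default"},
    ]
}

# Constructed login reports from the custom app: (username, serial read on device).
LOGINS = [
    ("alice", "r58m12abcde "),   # same serial, different case and stray whitespace
    ("bob", "ZY223XYZ99"),
    ("mallory", "ZY223XYZ99"),   # second claim on a serial that is already bound
    ("carol", "HT7A1000001"),    # device exists but is not ACTIVE
    ("dave", "UNKNOWN0001"),     # serial not enrolled in this enterprise
]

def norm(serial):
    return serial.strip().upper()

def bind_logins(response, logins):
    """Return (bindings, rejected); bindings maps username -> device record."""
    by_serial = {}
    for dev in response.get("devices", []):
        serial = norm(dev.get("hardwareInfo", {}).get("serialNumber", ""))
        if serial:
            by_serial.setdefault(serial, []).append(dev)
    bindings, rejected, claimed = {}, {}, set()
    # The serial is client-reported: bind only on a unique, ACTIVE, unclaimed match.
    for user, reported in logins:
        matches = by_serial.get(norm(reported), [])
        if len(matches) != 1:
            rejected[user] = "no unique enrolled device for reported serial"
        elif matches[0].get("state") != "ACTIVE":
            rejected[user] = "device is not ACTIVE"
        elif matches[0]["name"] in claimed:
            rejected[user] = "device already bound to another user"
        else:
            claimed.add(matches[0]["name"])
            bindings[user] = {"device": matches[0]["name"],
                              "appliedPolicy": matches[0].get("appliedPolicyName")}
    return bindings, rejected
```

Rejected logins are the ones worth reviewing by hand before a per-device policy is assigned, since they mean the reported serial could not be tied to exactly one active enrolled device.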