Manage your Internal Apps Permissions on Android Enterprise Work Managed Device

When managing an Android Enterprise work managed device, you may want to deploy internal (side-loaded) applications onto your devices. One of the challenges with internal apps is granting the app's permissions on behalf of the user.

To do so, you need to prepare the permission code (a JSON list) with the permissions you want to grant, deny or prompt the user for. You then encode it in Base64 and add it to the custom XML script that you push down to the devices using a profile in the Workspace ONE console. The steps are broken down below:

1. Below is sample code with permissions set. You only need to include the permissions you want to set, each with the right value: 0 to prompt the user, 1 to grant and 2 to deny. Adjust the code below to your needs (don't forget to change the bundle ID of your app, which is the packageName value).

[{"packageName":"com.evernote","permissions":[{"name":"android.permission.ACCESS_COARSE_LOCATION","value":"0"},
{"name":"android.permission.ACCESS_FINE_LOCATION","value":"1"},
{"name":"android.permission.ACCESS_NETWORK_STATE","value":"2"},
{"name":"android.permission.ACCESS_WIFI_STATE","value":"0"},
{"name":"android.permission.AUTHENTICATE_ACCOUNTS","value":"0"},
{"name":"android.permission.CAMERA","value":"0"},
{"name":"android.permission.FOREGROUND_SERVICE","value":"0"},
{"name":"android.permission.GET_ACCOUNTS","value":"0"},
{"name":"android.permission.INTERNET","value":"0"},
{"name":"android.permission.MANAGE_ACCOUNTS","value":"0"},
{"name":"android.permission.READ_CALENDAR","value":"0"},
{"name":"android.permission.READ_CONTACTS","value":"0"},
{"name":"android.permission.READ_EXTERNAL_STORAGE","value":"0"},
{"name":"android.permission.READ_PHONE_STATE","value":"0"},
{"name":"android.permission.READ_SYNC_SETTINGS","value":"0"},
{"name":"android.permission.READ_SYNC_STATS","value":"0"},
{"name":"android.permission.RECEIVE_BOOT_COMPLETED","value":"0"},
{"name":"android.permission.RECORD_AUDIO","value":"0"},
{"name":"android.permission.USE_BIOMETRIC","value":"0"},
{"name":"android.permission.USE_CREDENTIALS","value":"0"},
{"name":"android.permission.USE_FINGERPRINT","value":"0"},
{"name":"android.permission.VIBRATE","value":"0"},
{"name":"android.permission.WAKE_LOCK","value":"0"},
{"name":"android.permission.WRITE_EXTERNAL_STORAGE","value":"0"},
{"name":"android.permission.WRITE_SYNC_SETTINGS","value":"0"},
{"name":"com.android.launcher.permission.INSTALL_SHORTCUT","value":"0"},
{"name":"com.android.vending.BILLING","value":"0"},
{"name":"com.evernote.android.permission.APP_EVENT","value":"0"},
{"name":"com.evernote.permission.C2D_MESSAGE","value":"0"},
{"name":"com.google.android.c2dm.permission.RECEIVE","value":"0"},
{"name":"com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE","value":"0"},
{"name":"com.sonymobile.permission.CAMERA_ADDON","value":"0"},
{"name":"samsung.snote.permission.EVERNOTE","value":"0"}]}]
2. Select and copy your code, then encode it in Base64 using any online tool, for example: https://www.base64encode.net/


3. Take the encoded string and insert it into the AppLevelRuntimePermissions value field of the following custom XML script:

<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" type="com.airwatch.android.androidwork.permissions" target="1">
<parm name="MasterRuntimePermission" value="1" type="integer" />
<parm name="AppLevelRuntimePermissions" value="BASE64_ENCODED_STRING_FROM_STEP_2" type="string" />
</characteristic>

4. Before you can deploy the permission script, you need to ensure that your app has been deployed to the device first. You can then go into the console under Devices –> Profiles & Resources –> Profiles, create an Android profile and add the above XML as Custom Settings.
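Steps 1 to 3 can also be done locally instead of in an online encoder, which keeps the app's package name and permission list off third-party sites. The Python sketch below is an added example, not from the original post: it builds the JSON, rejects values other than 0, 1 or 2, Base64-encodes it, wraps it in the custom XML from step 3, and decodes an existing value to list what it grants without a prompt. The package name `com.example.internalapp` and all function names are assumptions made for illustration.

```python
import base64
import json

# Value codes as given in step 1 of the post
ACTIONS = {"0": "prompt", "1": "grant", "2": "deny"}

def build_payload(apps):
    """apps: {package_name: {permission_name: 0|1|2}} -> Base64 string (steps 1-2)."""
    entries = []
    for package, perms in apps.items():
        for name, value in perms.items():
            if str(value) not in ACTIONS:
                raise ValueError(f"{package}: {name} has invalid value {value!r}")
        entries.append({
            "packageName": package,
            "permissions": [{"name": n, "value": str(v)} for n, v in perms.items()],
        })
    raw = json.dumps(entries, separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def build_profile_xml(payload_b64):
    """Embed the encoded string in the custom settings XML from step 3.
    The Base64 alphabet has no XML-special characters, so no escaping is needed."""
    return (
        '<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" '
        'type="com.airwatch.android.androidwork.permissions" target="1">'
        '<parm name="MasterRuntimePermission" value="1" type="integer" />'
        f'<parm name="AppLevelRuntimePermissions" value="{payload_b64}" type="string" />'
        '</characteristic>'
    )

def audit_payload(payload_b64):
    """Decode an existing AppLevelRuntimePermissions value and return the
    (package, permission) pairs that are granted without asking the user."""
    entries = json.loads(base64.b64decode(payload_b64, validate=True))
    return sorted(
        (e["packageName"], p["name"])
        for e in entries for p in e["permissions"] if p["value"] == "1"
    )

# Constructed sample input: package and permission choices are illustrative only
SAMPLE = {"com.example.internalapp": {
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 0,
    "android.permission.READ_CONTACTS": 2,
}}

if __name__ == "__main__":
    encoded = build_payload(SAMPLE)
    print(build_profile_xml(encoded))
    for package, permission in audit_payload(encoded):
        print("auto-granted:", package, permission)
```

Running `audit_payload` on the value of a profile that is already deployed gives a quick review list of every permission that profile grants silently.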

Special credits to Monalisa for helping me with this procedure!
