Error making HomerPlayer privileged application, missing intent-filter declaration?

[TheIronMarx]

I've set up multiple tablets in full kiosk mode with homerplayer. I always seem to have issues granting privileges to the app with ADB for one reason or another, but this one is new to me:
Error: DeviceAdminReceiver ComponentInfo{com.studio4plus.homerplayer/com.studio4plus.homerplayer.HomerPlayerDeviceAdmin} must be protected with android.permission.BIND_DEVICE_ADMIN

Reading this, https://developer.android.com/reference/kotlin/android/app/admin/DeviceAdminReceiver, I would guess that the Manifest is missing a specific intent-filter for DEVICE_ADMIN_ENABLED, but why this wouldn't be an issue in the past is beyond me.

Any thoughts?

[DonnKey]

I'm working on a derivative of Homer Player (Aesop Player) (with Marcin's full knowledge and blessing) and ran across the same issue. This issue is specific to Pie (and beyond). This is an irritatingly complicated issue, but not technical. This link probably has the best summary of the nontechnical part of the problem: https://forum.xda-developers.com/general/help/explain-requesting-android-permission-t3656790 Technically it's easy to fix (but NOT intuitive, at least to me): you have to make minor change to AndroidManifest.xml in the receiver for the call that the adb call makes. The critical line is the permission= stuff. Here's how mine looks. <receiver android:name=".AesopPlayerDeviceAdmin" android:description="@string/device_admin_description" android:permission="android.permission.BIND_DEVICE_ADMIN" android:label="@string/device_admin_label"> <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin_info" /> <intent-filter> <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> </intent-filter> </receiver> I don't know of a workaround that doesn't involve tweaking the manifest (well, other than using an older Android Version). As you can infer from the web page and the related discussion, this is Google getting more sensitive about security (in this case "machine theft/ransom", I'm guessing). (There's a lot of tension (and consequently incessant changes) around the issue of kiosk modes and "corporate" devices, and those of us who are using kiosk mode for this sort of accessibility feature are caught in the middle.) There are a lot of interactions between Full Kiosk mode and application pinning that I have fixed in Aesop, but you might try turning on application pinning and see if it works in your circumstances (it would be a nuisance to use). No promises, I haven't tried it with Homer. Donn FWIW: at least on the emulators I'm using, sometimes the adb command to set kiosk mode doesn't work the first time. Repeating it yields an error about the privilege already being owned, but it also fixes whatever went wrong and finally delivers the Device Owner privilege to the App. (Again, at least for Aesop.) P.S. If you're up to it, feel free to download and build Aesop. It's not done yet, but it's quite usable as it appears on GitHub. I'm hoping for a month or two more before I put it on Play Store (but no promises... there are lots of housekeeping details yet). Feedback always welcome.

…

On Thu, Sep 12, 2019 at 6:39 AM Sam Stutsman ***@***.***> wrote: I've set up multiple tablets in full kiosk mode with homerplayer. I always seem to have issues granting privileges to the app with ADB for one reason or another, but this one is new to me: Error: DeviceAdminReceiver ComponentInfo{com.studio4plus.homerplayer/com.studio4plus.homerplayer.HomerPlayerDeviceAdmin} must be protected with android.permission.BIND_DEVICE_ADMIN Reading this, https://developer.android.com/reference/kotlin/android/app/admin/DeviceAdminReceiver, I would guess that the Manifest is missing a specific intent-filter for DEVICE_ADMIN_ENABLED, but why this wouldn't be an issue in the past is beyond me. Any thoughts? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#19?email_source=notifications&email_token=AKS2YT3DGCZ45M5UVSUKAFTQJJA7RA5CNFSM4IWEFBA2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HK7XGLA>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AKS2YT5QQG6TWSHHYLUSPULQJJA7RANCNFSM4IWEFBAQ> .

[msimonides]

TL;DR

There are secretly two versions of Homer Player: the one in Google Play Store that cannot be set as a device owner on Android 7+ and the one here on Github that has all the necessary permissions.

For full-kiosk mode please use the latter (but also see the section on QR codes below).

Yes, I should make it known that there are two versions of the app.

Long explanation

The "device owner" mode has been introduced in Android 5 and didn't require the BIND_DEVICE_ADMIN permission back then. Starting with Android 7 the permission is needed.

The files released here on Github do have the permission.
The version in Google Play doesn't, and the reason is their policy.

Google Play Store policy has some requirements for the use of the BIND_DEVICE_ADMIN permission:

Provide prominent user facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements: ...

(you only get this detailed info when your app is removed from the Play Store)

This is reasonable for apps that send the ACTION_ADD_DEVICE_ADMIN intent to request becoming a device admin (which is different than a device owner). These apps respond to user action (e.g. "enable feature X" from within the app's UI) and that's when they are supposed to show the disclosure message and only then request the permission (in runtime!).

This doesn't work for a feature that requires expert knowledge and ADB to enable. What's more, I can't comply with the policy because the permission needs to be hard-coded in the manifest. But in Play Store's defense I can say that the device owner mode is an enterprise functionality that "takes over" the device and as such doesn't really belong in consumer apps.
Although in my opinion they should have used a completely separate permission.

Therefore there are these two versions of the app and I am sorry about this.

(it might be best to split the device owner component into a separate app and distribute it separately).

QR code provisioning

Starting with Android 7 Google not only introduced tighter security with this permission but also added a new method of provisioning a device: scanning a QR code. This may be by far the best and easiest way to do this but so far no-one but me has tested it for Homer Player.

Here's the process: https://developers.google.com/android/work/play/emm-api/prov-devices#qr_code_provisioning_process

And here's a QR code for Homer Player:

[mtbottens]

@msimonides Glad you commented this here, FYI, QR code method did not work for us, but downloading the APK worked like a charm.

Thanks for your work on this!

[techge]

Slightly related, but afaik not noted elsewhere...

For those of you trying to get the privilege for device manager done on a phone that does not support QR privisioning (e.g. a lineageos), but are able to use a shell:

You can use the adb shell and the following command to give the right permissions (reset the device nonetheless, $people say there shall be no accounts configured for this to work)

dpm set-device-owner com.studio4plus.homerplayer/.HomerPlayerDeviceAdmin

[msimonides]

Thank you @techge. I should probably add this to the documentation for Android 7+. This is described in the documentation for Android 5 and 6 but people with newer devices are unlikely to check it.

Please be aware that on Android 7+ the app needs to declare the BIND_DEVICE_ADMIN permission which is only present in builds downloaded from GitHub, not Play Store, as discussed above.

[techge]

This is described in the documentation for Android 5 and 6 but people with newer devices are unlikely to check it.

I see. Yes, indeed, I wasn't even thinking about looking there 😅

[DonnKey]

See also https://github.com/DonnKey/KioskInstaller. That still has to be downloaded from Github (due to Google policies), but it allows you to then take advantage of automatic updates from Playstore for the "real" application. (It was written to go with an extended version of Homer Player called Aesop Player.) Donn

…

On Sat, Oct 2, 2021 at 9:00 AM Alexander Paetzelt ***@***.***> wrote: This is described in the documentation for Android 5 and 6 but people with newer devices are unlikely to check it. I see. Yes, indeed, I wasn't even thinking about looking there 😅 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#19 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKS2YT2A6FLXA57J6FDPG3TUE4UDTANCNFSM4IWEFBAQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[AlessioM]

In case anyone else stumbles across this, for version 1.0.9 the command is (only tested under Android 5 though)
adb shell dpm set-device-owner com.studio4plus.homerplayer/.deviceadmin.HomerPlayerDeviceAdmin