Upcoming Device Admin Deprecations?

TL;DR: If you use the device admin APIs on Android (e.g., DevicePolicyManager), keep a close eye on the upcoming Android P release, as parts of that API may be deprecated, with an eye towards elimination in the Android Q timeframe.

One of the reasons that I help out on Stack Overflow is that reviewing questions is a bit like panning for gold — you never know what you might find, and occasionally some of it is useful.

Today’s bit of gold points to this piece of Android EMM documentation, where Google attempts to explain some upcoming changes to the device admin API. I say “attempts” because the explanation raises almost as many questions as it provides answers.

What seems clear is that four policies that you might be requesting for use from your device admin app are going to be marked as deprecated in Android P and “will throw a SecurityException” in Android Q:

  • Blocking camera access (USES_POLICY_DISABLE_CAMERA)

  • Disabling certain unspecified keyguard features (USES_POLICY_DISABLE_KEYGUARD_FEATURES)

  • Forcing the user to reset their password after an admin-defined time period (USES_POLICY_EXPIRE_PASSWORD)

  • Forcing the user to use passwords meeting certain quality guidelines, such as minimum length (USES_POLICY_LIMIT_PASSWORD)

In some cases, there appears to be replacement behavior in the APIs surrounding work profiles and managed devices. In other cases, there may not be — for example, the Stack Overflow question is inquiring about how to block camera usage. With luck, Android P documentation will provide clear and unambiguous instructions for how to replace use of these deprecated features.

The Android EMM documentation specifies three policies that will be kept intact:

  • Locking the device (USES_POLICY_FORCE_LOCK)

  • Resetting the password (USES_POLICY_RESET_PASSWORD)

  • Wiping the device (USES_POLICY_WIPE_DATA)

This leaves two policies unaccounted for:

  • Requiring encrypted device storage (USES_ENCRYPTED_STORAGE)

  • Monitoring failed login attempts (USES_POLICY_WATCH_LOGIN)

Also, the documentation does not address capabilities in DevicePolicyManager that are not tied specifically to those sorts of policies yet seem to be available to active device administrators (e.g., setLongSupportMessage()). Plus, for the deprecated items, it is unclear exactly when the SecurityException would be thrown in Android Q:

  • At install time?

  • On first run of the app?

  • When the user attempts to activate the device administrator app?

  • When the app attempts to use the affected DevicePolicyManager APIs?

(I presume the solution is the last one, but stranger things have happened. Also, Stranger Things have happened.)

There is always the possibility that this documentation is incorrect, for any number of reasons, such as:

  • The plan is still there, but execution was delayed by a full release

  • The plan is still there, but execution was delayed until a maintenance release (e.g., a P MR1 that might come out late this year)

  • The plan was scrapped for various reasons

  • The documentation understated the situation, and more device admin capabilities will be affected, or the one-year deprecation period will be reduced or dropped

So, if you use the device admin APIs, when Android P ships, head to the “Behavior Changes” portion of the release notes and see what changed that will affect your app.
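To see which of the policies listed above your own device admin requests, you can audit its metadata XML. The following is an added example, not code from the original post or from Google. It assumes the standard `<uses-policies>` tag names that correspond to the `DeviceAdminInfo` constants, groups them according to this post's reading of the EMM documentation, and runs on a constructed sample file.

```python
import xml.etree.ElementTree as ET

# <uses-policies> tag -> (DeviceAdminInfo constant, status as described in this post)
POLICY_STATUS = {
    "disable-camera": ("USES_POLICY_DISABLE_CAMERA", "deprecated"),
    "disable-keyguard-features": ("USES_POLICY_DISABLE_KEYGUARD_FEATURES", "deprecated"),
    "expire-password": ("USES_POLICY_EXPIRE_PASSWORD", "deprecated"),
    "limit-password": ("USES_POLICY_LIMIT_PASSWORD", "deprecated"),
    "force-lock": ("USES_POLICY_FORCE_LOCK", "kept"),
    "reset-password": ("USES_POLICY_RESET_PASSWORD", "kept"),
    "wipe-data": ("USES_POLICY_WIPE_DATA", "kept"),
    "encrypted-storage": ("USES_ENCRYPTED_STORAGE", "unaccounted"),
    "watch-login": ("USES_POLICY_WATCH_LOGIN", "unaccounted"),
}

# Constructed sample: the device admin metadata file of a hypothetical app.
SAMPLE_XML = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <limit-password />
    <watch-login />
    <force-lock />
    <disable-camera />
    <wipe-data />
  </uses-policies>
</device-admin>"""


def audit_device_admin(xml_text):
    """Group the policies a device-admin metadata file requests by status."""
    report = {"deprecated": [], "kept": [], "unaccounted": [], "unknown": []}
    root = ET.fromstring(xml_text)
    policies = root.find("uses-policies")
    if policies is None:  # this admin requests no policies at all
        return report
    for element in policies:
        # Tags not in the table are reported as-is under "unknown".
        name, status = POLICY_STATUS.get(element.tag, (element.tag, "unknown"))
        if name not in report[status]:  # ignore duplicate declarations
            report[status].append(name)
    return report


if __name__ == "__main__":
    for status, names in audit_device_admin(SAMPLE_XML).items():
        print(f"{status:12} {', '.join(names) or '-'}")
```

Anything reported under "deprecated" is a policy to re-check against the Android P release notes; "unaccounted" entries are the two policies the documentation does not mention either way.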