Add exceptions for Android Internal and System Apps via WS1

Article ID: 302929


Updated On:

Products

VMware

Issue/Introduction

As documented in "'Grant all Permissions' permission payload does not work on Android 8.0 and 9.0 devices", Android 8 and 9 are impacted by a known issue with Permissions Profiles.

  • Setting the Master Permission setting to Grant All Permissions does not automatically grant permissions to apps on the device.
  • To manage permissions for an app, you must add the app as an Exception in the profile, select Configure, and select whether to grant, deny, or allow the user to manage the permission themselves.

Note: Currently, you may only add Public Applications as an Exception in the Permissions Profile User Interface (UI). To add Exceptions for Internal Applications or for system applications that are pre-installed in the Android OS, see the instructions below.

 


Resolution

To build the XML for single or multiple internal apps:

 

  1. The first step is to define the list of run-time permissions you want to manage for your application. For example, Workspace ONE Web uses android.permission.READ_EXTERNAL_STORAGE permission to read from the device’s storage.
     
  2. Create an array of these permissions per the format below and set each value to 0, 1, or 2 where:
     • 0 - Prompt User
     • 1 - Grant
     • 2 - Deny
 

Single App Permissions Array (Workspace ONE Web):

[{"packageName":"com.airwatch.browser","permissions":[{"name":"android.permission.INTERNET","value":"0"},{"name":"android.permission.ACCESS_NETWORK_STATE","value":"1"},{"name":"android.permission.READ_PHONE_STATE","value":"2"},{"name":"android.permission.WRITE_EXTERNAL_STORAGE","value":"0"},{"name":"android.permission.READ_EXTERNAL_STORAGE","value":"0"},{"name":"android.permission.FOREGROUND_SERVICE","value":"0"},{"name":"android.permission.ACCESS_FINE_LOCATION","value":"0"},{"name":"android.permission.ACCESS_WIFI_STATE","value":"0"},{"name":"com.airwatch.sdk.BROADCAST","value":"0"},{"name":"android.permission.VIBRATE","value":"0"},{"name":"android.permission.CAMERA","value":"0"},{"name":"android.permission.CHANGE_NETWORK_STATE","value":"0"},{"name":"android.permission.WAKE_LOCK","value":"0"},{"name":"com.airwatch.email.permission.ACCESS_PROVIDER","value":"0"},{"name":"com.android.alarm.permission.SET_ALARM","value":"0"},{"name":"com.google.android.c2dm.permission.RECEIVE","value":"0"},{"name":"android.permission.RECEIVE_BOOT_COMPLETED","value":"0"},{"name":"android.permission.USE_BIOMETRIC","value":"0"},{"name":"android.permission.USE_FINGERPRINT","value":"0"}]}]

Multiple Apps Permissions Array (Workspace ONE Web and Workspace ONE Content):

[{"packageName":"com.airwatch.contentlocker","permissions":[{"name":"android.permission.RECEIVE_BOOT_COMPLETED","value":"0"},{"name":"android.permission.SYSTEM_ALERT_WINDOW","value":"1"},{"name":"android.permission.DISABLE_KEYGUARD","value":"2"},{"name":"android.permission.INTERNET","value":"0"},{"name":"android.permission.WRITE_EXTERNAL_STORAGE","value":"1"},{"name":"android.permission.WAKE_LOCK","value":"0"},{"name":"android.permission.ACCESS_NETWORK_STATE","value":"0"},{"name":"android.permission.CAMERA","value":"0"},{"name":"android.permission.RECORD_AUDIO","value":"0"},{"name":"android.permission.VIBRATE","value":"0"},{"name":"android.permission.ACCESS_WIFI_STATE","value":"0"},{"name":"com.airwatch.sdk.BROADCAST","value":"0"},{"name":"android.permission.READ_EXTERNAL_STORAGE","value":"1"},{"name":"android.permission.GET_TASKS","value":"0"},{"name":"com.airwatch.contentlocker.SEND_GCM_COMMAND","value":"0"},{"name":"android.permission.READ_PHONE_STATE","value":"1"},{"name":"com.airwatch.email.permission.ACCESS_PROVIDER","value":"0"},{"name":"com.android.alarm.permission.SET_ALARM","value":"0"},{"name":"android.permission.ACCESS_FINE_LOCATION","value":"0"},{"name":"com.google.android.c2dm.permission.RECEIVE","value":"0"},{"name":"android.permission.FOREGROUND_SERVICE","value":"0"},{"name":"android.permission.USE_BIOMETRIC","value":"0"},{"name":"android.permission.MANAGE_ACCOUNTS","value":"0"},{"name":"android.permission.AUTHENTICATE_ACCOUNTS","value":"0"},{"name":"android.permission.KILL_BACKGROUND_PROCESSES","value":"0"},{"name":"android.permission.GET_ACCOUNTS","value":"0"},{"name":"android.permission.USE_CREDENTIALS","value":"0"},{"name":"android.permission.INTERACT_ACROSS_USERS_FULL","value":"0"},{"name":"android.permission.NFC","value":"0"},{"name":"android.permission.BLUETOOTH_ADMIN","value":"0"},{"name":"android.permission.BLUETOOTH","value":"0"},{"name":"android.permission.EXPAND_STATUS_BAR","value":"0"},{"name":"android.permission.USE_FINGERPRINT","value":"0"},{"name":"com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE","value":"0"},{"name":"com.airwatch.contentlocker.permission.C2D_MESSAGE","value":"0"}]},{"packageName":"com.airwatch.browser","permissions":[{"name":"android.permission.INTERNET","value":"0"},{"name":"android.permission.ACCESS_NETWORK_STATE","value":"1"},{"name":"android.permission.READ_PHONE_STATE","value":"2"},{"name":"android.permission.WRITE_EXTERNAL_STORAGE","value":"1"},{"name":"android.permission.READ_EXTERNAL_STORAGE","value":"1"},{"name":"android.permission.FOREGROUND_SERVICE","value":"0"},{"name":"android.permission.ACCESS_FINE_LOCATION","value":"0"},{"name":"android.permission.ACCESS_WIFI_STATE","value":"0"},{"name":"com.airwatch.sdk.BROADCAST","value":"0"},{"name":"android.permission.VIBRATE","value":"0"},{"name":"android.permission.CAMERA","value":"0"},{"name":"android.permission.CHANGE_NETWORK_STATE","value":"0"},{"name":"android.permission.WAKE_LOCK","value":"0"},{"name":"com.airwatch.email.permission.ACCESS_PROVIDER","value":"0"},{"name":"com.android.alarm.permission.SET_ALARM","value":"0"},{"name":"com.google.android.c2dm.permission.RECEIVE","value":"0"},{"name":"android.permission.RECEIVE_BOOT_COMPLETED","value":"0"},{"name":"android.permission.USE_BIOMETRIC","value":"0"},{"name":"android.permission.USE_FINGERPRINT","value":"0"}]}]

 

  3. Encode the permission array from the previous step in Base64 format (using any third-party application).

  4. Next, take the encoded string (output of Step 3) and substitute it for the {PermissionsEncodedString} value in the sample XML below:
<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" type="com.airwatch.android.androidwork.permissions" target="1"><parm name="MasterRuntimePermission" value="1" type="integer" /><parm name="AppLevelRuntimePermissions" value="{PermissionsEncodedString}" type="string" /></characteristic>

Note: This sample is what the permissions profile XML will look like for the Workspace ONE Web app only:
<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" type="com.airwatch.android.androidwork.permissions" target="1"><parm name="MasterRuntimePermission" value="1" type="integer" /><parm name="AppLevelRuntimePermissions" value="[Base64-encoded Workspace ONE Web permissions array]" type="string" /></characteristic>
  5. Add a new profile in the UEM Console.
     Note: You can refer to Using Custom Settings (Android) for additional information on this step.
  6. Open the Custom Settings Profile (payload).
     A Custom Settings profile can be used to configure Permissions settings for internal applications.
  7. Paste the XML from the previous sample.
  8. Click SAVE AND PUBLISH to save the profile and publish it to your devices.
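
The build, encode and substitute steps above can be run locally, and the result decoded again to review which permissions a profile grants without user involvement. This Python script is an added example, not VMware's code; the function names and the three-permission sample are constructed for illustration.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Value codes from step 2 of the article: 0 = prompt user, 1 = grant, 2 = deny.
LABELS = {"0": "prompt", "1": "grant", "2": "deny"}

# Profile XML copied from the article's sample; only the encoded value varies.
TEMPLATE = (
    '<characteristic uuid="ece876fd-da7d-424f-9bab-85a1b483e95d" '
    'type="com.airwatch.android.androidwork.permissions" target="1">'
    '<parm name="MasterRuntimePermission" value="1" type="integer" />'
    '<parm name="AppLevelRuntimePermissions" value="{encoded}" type="string" />'
    '</characteristic>'
)

def build_array(apps):
    """Turn {package: {permission: code}} into the article's array format."""
    for package, perms in apps.items():
        bad = [name for name, code in perms.items() if code not in LABELS]
        if bad:  # reject anything other than the strings "0", "1", "2"
            raise ValueError(f"{package}: invalid value for {', '.join(bad)}")
    return [{"packageName": p, "permissions": [{"name": n, "value": c} for n, c in perms.items()]}
            for p, perms in apps.items()]

def build_profile_xml(apps):
    """Steps 3 and 4: Base64-encode the compact JSON and place it in the XML."""
    compact = json.dumps(build_array(apps), separators=(",", ":"))
    encoded = base64.b64encode(compact.encode("utf-8")).decode("ascii")
    return TEMPLATE.format(encoded=encoded)

def audit_profile_xml(xml_text):
    """Decode a profile back to {package: {"prompt": [...], "grant": [...], "deny": [...]}}."""
    parm = ET.fromstring(xml_text).find("./parm[@name='AppLevelRuntimePermissions']")
    apps = json.loads(base64.b64decode(parm.get("value"), validate=True))
    report = {}
    for app in apps:
        buckets = report.setdefault(app["packageName"], {label: [] for label in LABELS.values()})
        for perm in app["permissions"]:
            buckets[LABELS[perm["value"]]].append(perm["name"])
    return report

# Constructed sample: three entries taken from the article's Workspace ONE Web array.
SAMPLE = {"com.airwatch.browser": {"android.permission.ACCESS_NETWORK_STATE": "1",
                                   "android.permission.READ_PHONE_STATE": "2",
                                   "android.permission.READ_EXTERNAL_STORAGE": "0"}}

if __name__ == "__main__":
    print(audit_profile_xml(build_profile_xml(SAMPLE)))
```

Running audit_profile_xml over a profile before publishing gives a per-app list of every permission set to grant, which is the list to check against what each app actually needs.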

Additional Information

For additional details on deploying internal apps through Workspace ONE, refer to the following resources: For additional guidance explaining how this profile works and how admins can add Exceptions to Public Apps, see Set Permissions (Android).

Note: If you require assistance building this profile, please contact VMware Workspace ONE Support.