Skip to content

add automatic installation of play apps into work profile #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: 16
Choose a base branch
from
Open

add automatic installation of play apps into work profile #147

wants to merge 4 commits into from
+180 −4

Conversation

mkg20001
Copy link

@mkg20001 mkg20001 commented Mar 21, 2025
edited
Loading

Currently when creating a work profile with a DPC app that requires play services, the DPC app expects play services to also exist on the work profile

Since play services aren't global on GOS, this patch automatically installs them into the work profile

Whether an app requires play services is automatically detected

Because this needs to happen before the DPC app is triggered in any way in the work profile, this needs to be part of the profile creation itself.

@mkg20001
Copy link
Author

mkg20001 commented Mar 21, 2025
edited
Loading

New, simpler approach. No custom permissions, no custom apis

In InstallStart when installing apps it checks if play store is genuine google play store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction

DevicePolicyGmsHooks runs after device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires play services)

@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch 2 times, most recently from 65c24ec to 6090d44 Compare March 22, 2025 00:13
@thestinger thestinger mentioned this pull request Mar 24, 2025
Closed
@mkg20001
Copy link
Author

mkg20001 commented Mar 24, 2025
edited
Loading

I remember last time I was told the play store installation shouldn't happen in DevicePolicyManagerService as it has too many permissions

I need the installation to happen just before the device policy app is installed and gets any intent, as it may crash due to lack of play services.

I'm none the wiser on how to do that securely and I'd appreciate some guidence if possible

@xxxsskxxx
Copy link

Absolute legend mate, thank you so much for continuing to develop and push this!

@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from 6090d44 to b7c9a88 Compare April 5, 2025 23:10
@thestinger thestinger force-pushed the 15-qpr2 branch 5 times, most recently from 5f3142f to 8edf282 Compare April 10, 2025 20:49
@thestinger thestinger force-pushed the 15-qpr2 branch 10 times, most recently from 3ec1472 to ccaf1e6 Compare April 28, 2025 03:31
@loligans
Copy link

loligans commented May 2, 2025

New, simpler approach. No custom permissions, no custom apis

In InstallStart when installing apps it checks if play store is genuine google play store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction

DevicePolicyGmsHooks runs after device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires play services)

How do we know the managing app requires play services? For example, Microsoft Company Portal requires it to set up the work profile. Will this change support that use case?

@mkg20001
Copy link
Author

mkg20001 commented May 2, 2025

New, simpler approach. No custom permissions, no custom apis
In InstallStart when installing apps it checks if play store is genuine google play store and the user is a work profile and skips the DISALLOW_UNKNOWN_SOURCES restriction
DevicePolicyGmsHooks runs after device policy manager creates the profile and installs store + services and gives the store permission to install packages (REQUEST_INSTALL_PACKAGES) (only if the managing app requires play services)

How do we know the managing app requires play services? For example, Microsoft Company Portal requires it to set up the work profile. Will this change support that use case?

See 437b272#diff-d0c4fee5a9bb21d19df9696c4428b8053d7842e0e3fde3356fd4bdc335666548R33

@thestinger thestinger force-pushed the 15-qpr2 branch 3 times, most recently from 44f6627 to c0c2721 Compare May 6, 2025 22:55
@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from b7c9a88 to bdfe2c2 Compare May 14, 2025 14:19
@thestinger thestinger force-pushed the 15-qpr2 branch 2 times, most recently from 1e77b17 to acd9811 Compare May 17, 2025 00:40
@thestinger thestinger force-pushed the 15-qpr2 branch 2 times, most recently from fe7b0c1 to 0c8ac15 Compare May 23, 2025 19:30
@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from bdfe2c2 to 006d02d Compare June 13, 2025 09:56
@mkg20001 mkg20001 changed the base branch from 15-qpr2 to 16 June 13, 2025 09:57
@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from 006d02d to b45559b Compare June 14, 2025 13:46
@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from b45559b to 4778e63 Compare June 27, 2025 12:24
@mkg20001
Copy link
Author

Stopped working on android 16, need to find a fix

06-28 01:12:31.831  1339  1888 D ConnectivityService: NetReassign [no changes] [c 1] [a 0] [i 1]
06-28 01:12:31.843   838 11158 I resolv  : GetAddrInfoHandler::run: {101 262245 101 327781 10008 0}
06-28 01:12:31.843   838 11159 I resolv  : res_nmkquery: (QUERY, IN, AAAA)
06-28 01:12:31.843   838 11159 I resolv  : resolv_cache_lookup: FOUND IN CACHE entry=0xb400d0216dc8ae00
06-28 01:12:31.843   838 11159 I resolv  : doQuery: rcode=0, ancount=1, return value=118
06-28 01:12:31.844   838 11160 I resolv  : res_nmkquery: (QUERY, IN, A)
06-28 01:12:31.844   838 11160 I resolv  : resolv_cache_lookup: FOUND IN CACHE entry=0xb400d03f2d464000
06-28 01:12:31.844   838 11160 I resolv  : doQuery: rcode=0, ancount=11, return value=228
06-28 01:12:31.848  6295  6314 I Auth    : [BroadcastManager] [BroadcastManager] Broadcasting bad device management=DeviceManagementRequired [CONTEXT service_id=343 ]
06-28 01:12:31.848  6295  6314 W Auth    : [BroadcastManager] [BroadcastManager] No device or profile owner found for bad device management broadcast. [CONTEXT service_id=343 ]
06-28 01:12:31.849  6295  6314 I Auth    : [AccountStatusChecker]  Canceling DM notification because of DM suppression [CONTEXT service_id=343 ]
06-28 01:12:31.850  6295  6314 W Auth    : [GetToken] GetToken failed with status code: DeviceManagementRequired  [CONTEXT service_id=343 ]
06-28 01:12:31.854  6295  6314 W GLSActivity: [GmsAccountAuthenticatorImpl] error status while fetching token:DeviceManagementRequired
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: java.io.IOException: Error creating OAuth access token for gRPC calls
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:39)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at tsb.call(PG:139)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.FutureTask.run(FutureTask.java:317)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx.a(PG:36)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$b.d(PG:178)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$c.a(PG:49)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwr.a(PG:46)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nbs.a(PG:47)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuy$c.a(PG:35)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xun.a(PG:28)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuv.run(PG:7)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xxw.run(PG:12)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.lang.Thread.run(Thread.java:1119)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Caused by: hpz
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at got.e(PG:275)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hpt.b(PG:20)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:21)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   ... 14 more
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Error refreshing OAuth token
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: java.io.IOException: Error creating OAuth access token for gRPC calls
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:39)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at tsb.call(PG:139)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.FutureTask.run(FutureTask.java:317)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx.a(PG:36)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$b.d(PG:178)

06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nig$c.a(PG:49)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwr.a(PG:46)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at nbs.a(PG:47)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuy$c.a(PG:35)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xun.a(PG:28)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xuv.run(PG:7)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at xxw.run(PG:12)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:651)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at java.lang.Thread.run(Thread.java:1119)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials: Caused by: hpz
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at got.e(PG:275)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hpt.b(PG:20)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   at hwx$a.a(PG:21)
06-28 01:12:31.859 10485 11107 E OAuth2CallCredentials:   ... 14 more
06-28 01:12:31.860 10485 11107 W AuthRetryClientIntercep: Failed to re-auth on retry.
06-28 01:12:31.860 10485 11107 W AuthRetryClientIntercep: Failed to re-auth on retry.
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED
06-28 01:12:31.861 10485 10586 E GoogleOneUtils: PromoApi caused exception: xsd: UNAUTHENTICATED

mkg20001 added 4 commits June 30, 2025 15:37
@mkg20001
GmsCoreHooks: add REQUEST_INSTALL_PACKAGES to GmsCore
852867a 
When setting up a google-managed work profile, GmsCore tries to install the Android Device Policy app

For this to work REQUEST_INSTALL_PACKAGES permission needs to be in it's manifest
@mkg20001
DevicePolicyManagerService: add automatic installation of play apps i…
d909b14 
…nto work profile

Currently when creating a work profile with a DPC app that requires play
services,
the DPC app expects play services to also exist on the work profile

Since play services aren't global on GOS, this patch automatically
installs them
into the work profile

Whether an app requires play services is automatically detected

Because this needs to happen before the DPC app is triggered in any way
in the work
profile, this needs to be part of the profile creation itself.
@mkg20001
InstallStart: trust play store in work profile
808963f 
When a work profile with play services gets created Play Store can't 
install any apps
as the work profile may have a policy active to forbid unknown sources 
as it is not
aware that play store is not a system app and gets blocked by that 
policy.

Here we detect if the play store is genuine and is trying to install an 
app
in a work profile. If that is the case we allow it to proceed, despite 
not being a
@mkg20001
DevicePolicyGmsHooks: show toast if install fails
0742a64
@mkg20001 mkg20001 force-pushed the gapps-work-profile-new branch from 4778e63 to 0742a64 Compare June 30, 2025 13:37
@mkg20001
Copy link
Author

mkg20001 commented Jul 1, 2025

new issue, play store is not being copied.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mkg20001 @xxxsskxxx @loligans