Support Android managed app configuration (AppConfig) for MDM/EMM provisioning

[HubertusWine]

Describe the feature

Expose an Android managed-configuration schema (android.content.APP_RESTRICTIONS) so IT admins can pre-configure the app from any standard MDM/EMM (Intune, Workspace ONE, Ivanti, Hexnode, Google Android Management, 7P EMM, etc.) — server URL, long-lived access token, device name, default dashboard, connection security level — and have devices come up provisioned with zero manual onboarding.

Use cases

• Wall tablets as Lovelace dashboards. Rolling out 10–20 identical tablets today means walking through onboarding on every single one. With managed config the EMM pushes the URL, a long-lived token and a default dashboard path, and the tablet boots straight into the dashboard at first power-on. Replacing a tablet later is a one-MDM-profile job, not an evening of setup.

• Public kiosks (museums, building lobbies, conference rooms): dedicated-device enrollment provisions a whole fleet pointing at the same HA instance, settings UI hidden, no chance of an end user breaking the connection.

• Corporate work-profile / BYOD. An employee's managed phone gets the HA app pushed for facility/desk/meeting-room control. They open it, it's already connected to the internal HA, no token-creation walkthrough.

• Schools and shared devices. Admin pushes the server URL plus trust for an internal CA so students don't see — and can't accidentally break — connection settings.

• Households at scale. Even outside the enterprise context, anyone who runs more than two or three HA-tablet endpoints would benefit. Today swapping a broken wall tablet is a manual chore; with this it's a profile push.

Examples

Lots of mainstream Android apps already do this and carry the "This app offers managed configuration" badge in Managed Google Play. Same shape of config (server / auth / behaviour flags):

Microsoft Outlook for Android — server, account, sync rules.
Gmail for Android — Exchange/IMAP server settings.
Microsoft Edge / Chrome — homepage URL, allow-lists.
Cisco AnyConnect / Pulse Secure — server URL plus cert alias.
WiseMo Host — a clean reference for a small-but-complete schema: https://www.wisemo.com/download/WiseMo_Intune_Android_Host_Deployment.pdf

API + standard:

https://developer.android.com/work/managed-configurations
https://www.appconfig.org/android.html
RestrictionsManager reference: https://developer.android.com/reference/android/content/RestrictionsManager

A minimal proposed schema (all keys optional; absence = current behaviour):

• server_url (string) — URL of the HA instance
• server_name (string) — Friendly server name
• auth_token (string) — Long-lived access token; lets the EMM skip OAuth on first launch
• device_name (string) — Pre-fills registered device name; supports EMM variables like ${user.username}
• default_dashboard (string) — Lovelace path to open (e.g. lovelace/kiosk)
• connection_security_level (choice) — most_secure / prefer_secure / allow_insecure, mirroring the existing UI setting
• allow_self_signed (bool) — Trust certs not in the system store (internal-CA scenarios)
• block_settings_ui (bool) — Hide the in-app settings entry for locked-down deployments
• disable_onboarding (bool) — If server_url + auth_token are present, skip the onboarding wizard

Anything else?

Scope. The change is contained: one new app/src/main/res/xml/app_restrictions.xml, one <meta-data android:name="android.content.APP_RESTRICTIONS" .../> line in the tag of AndroidManifest.xml, and one read site (RestrictionsManager.getApplicationRestrictions() in onResume() plus a receiver for ACTION_APPLICATION_RESTRICTIONS_CHANGED) feeding the existing onboarding / settings flow. No new dependencies, no new permissions, no behavioural change for users without an EMM provider — the restrictions Bundle is simply empty for them.

Compatibility. Managed configuration has been available since Android 5.0 / API 21, well below the app's current minSdk, so this works on every Android version the app currently supports.
Optional follow-up (not blocking this request). Add KeyedAppStatesReporter so EMMs receive a "provisioning succeeded / failed" signal back. It's the best-practice companion to managed configuration and what earns an app the "Advanced" tier in Google's Android Enterprise Solutions Directory.

Context. I work as an ops engineer on an EMM/MDM platform managing Android devices in production, so this is grounded in real deployment pain rather than wishlist territory. Happy to PR the manifest + schema + onboarding-skip logic if there's appetite from maintainers — would appreciate a quick "yes / no / scope first" signal before sinking time into it.

[TimoPtr]

I like the idea especially for people using HA in other places than in a Home. It might be a bit hard to maintain for us depending on the implementation.

I'm not against giving it a try, but if it's too much of a burden to maintain we might drop it (setting the expectations here).