从 Play 商店中的不同帐户安装应用程序未被 Android 管理 API 阻止
[英]App installs from different account in Play Store not being blocked by Android Management API
问题描述
We are testing the Android Management API for our organization,and we found a workaround to the managed play store: If a user adds his personal account to the device (to access Gmail, for example), he can switch to that account in the Play Store and download apps which are not allowed by the policy.
我们正在为我们的组织测试 Android 管理 API,我们找到了托管 Play 商店的解决方法:如果用户将他的个人帐户添加到设备(访问 Gmail 中的帐户,例如,他可以切换到该帐户)存储和下载政策不允许的应用程序。
Although the DPC (Android Device Policy) deletes the app on the next policy sync, for some reason that sync does not happen automatically whenever an app is installed.尽管 DPC(Android 设备策略)会在下一次策略同步时删除该应用程序,但由于某种原因,无论何时安装应用程序,同步都不会自动发生。 The Device Policy app only syncs if either: 1) the admin pushes a change to the policy through the API, or 2) the user manually syncs through the app. Device Policy 应用仅在以下情况下同步:1) 管理员通过 API 推送对策略的更改,或 2) 用户通过应用手动同步。
Which means that the user can install any app he wants, and use it until the policy syncs.这意味着用户可以安装他想要的任何应用程序,并使用它直到策略同步。
Is there any way to prevent the user from downloading apps from outside the managed play store account, or to make the Device Policy app auto-sync whenever an app is installed?有什么方法可以阻止用户从托管的 Play 商店帐户之外下载应用程序,或者让 Device Policy 应用程序在安装应用程序时自动同步?
This is the policy that I applied to the test devices and the patch code:这是我应用于测试设备和补丁代码的策略:
import json
test_policy_name = enterprise_name + '/policies/test'
test_policy_json = '''
{
"applications": [
{
"packageName": <app_package_name>,
"installType": "BLOCKED"
},
{
"packageName": <app_package_name>,
"installType": "AVAILABLE"
}
],
"installAppsDisabled": false,
"playStoreMode": "WHITELIST",
"installUnknownSourcesAllowed": false
}
'''
androidmanagement.enterprises().policies().patch(
name=test_policy_name,
body=json.loads(test_policy_json)
).execute()
1 个解决方案
解决方案1
1 已采纳 2019-09-24 11:34:57
Indeed it's possible to install any app from the Google Play Store by using a different Google account than the one configured by the Android Management API.实际上,可以使用与 Android 管理 API 配置的帐户不同的 Google 帐户从 Google Play 商店安装任何应用程序。
You have two options to address this:您有两种选择来解决这个问题:
- Block the device until the apps that are not in the policy are uninstalled阻止设备,直到卸载不在策略中的应用程序
- Disable adding additional Google accounts, so the user can't install apps that are not in the policy禁止添加其他 Google 帐户,因此用户无法安装不在政策中的应用
At the moment it's not possible to prevent installing any app from the Google Play Store while allowing additional Google accounts.目前,在允许其他 Google 帐户的同时,无法阻止从 Google Play 商店安装任何应用程序。 We are working on a feature that will allow to do that, but don't have a precise timeline at the moment.我们正在开发一项允许这样做的功能,但目前没有准确的时间表。
Option 1: Block the device until the apps that are not in the policy are uninstalled选项 1:阻止设备,直到卸载不在策略中的应用程序
You can set a policyEnforcementRules in the policy to block the device until the disallowed apps are uninstalled:您可以在策略中设置policyEnforcementRules以阻止设备,直到卸载不允许的应用程序:
{
"policyEnforcementRules": [
{
"blockAction": {
"blockAfterDays": 0
},
"wipeAction": {
"wipeAfterDays": 30,
"preserveFrp": true
},
"settingName": "playStoreMode"
}
]
}
Option 2: Disable adding additional Google accounts, so the user can't install apps that are not in the policy选项 2:禁用添加其他 Google 帐户,因此用户无法安装不在政策中的应用
You can disable adding additional Google accounts in the policy:您可以禁用在策略中添加其他 Google 帐户:
- set
accountTypesWithManagementDisabledto["com.google"],将accountTypesWithManagementDisabled设置为["com.google"], - or alternatively, set
modifyAccountsDisabledtotrue.或者,将modifyAccountsDisabled设置为true。
This will prevent using additional Google accounts in all Google apps (including Gmail, Google Calendar, Google Drive, etc), not just in the Google Play Store.这将防止在所有 Google 应用程序(包括 Gmail、Google 日历、Google Drive 等)中使用其他 Google 帐户,而不仅仅是在 Google Play 商店中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.