Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support work account creation through device policy controller #2521

Draft
wants to merge 11 commits into
base: master
Choose a base branch
from
Draft

Support work account creation through device policy controller #2521

wants to merge 11 commits into from

Conversation

fynngodau
Copy link
Contributor

Implements a work account service API that is used by Device Policy Controller apps through the proprietary DPC support library.

Only device / profile owners are allowed to use this API (GMS instead uses an allowlist). The DPC support library will use the API to enable the work account authenticator component, making the option to add a "Managed Google for Work account" visible in the Accounts screen for the work profile. However, the account cannot be created manually. Instead, it can only be created by admin apps / the DPC app which can create a token for this purpose.

This token is used to sign in to the managed work account. Like on GMS, the account will have a name like work-25[…][email protected].

This managed work account should allow access to a scoped version of the Google Play store, but is not used at all as-is. As of now, it is not possible for a user to download any apps to the work profile if the policy controller does not install any app store other than Google Play to the profile.

fynngodau and others added 9 commits September 2, 2024 15:38
@fynngodau
Create Work Account service
08835cb
@jonathanklee @fynngodau
Introduce WorkAccountAuthenticatorService
3826b56
@fynngodau
Work account POC
29c5642
@fynngodau
Work profile: use correct AIDL
ef09310
@fynngodau
Call account creation when app is using API to create work account
10ded90
@fynngodau
Work account: Fix rough edges
7e6617f
@fynngodau
Work account: Add security checks
37a6f1c 
Verify that work accounts are only added by device owners or profile
owners.

For instance, Microsoft Intune will create a work profile (moving itself
to the work profile in the process) before using the work account servce
to create a work account, so at that point it will already be profile
owner. Apps that are not the profile owner will subsequently not be able
to disable the work account authenticator or remove the work account.
The personal account would not have an owner and thus no application
could enable the work account provider there.
@fynngodau
Work account: Redeem token when signing in to account
052658d
@fynngodau
Add license identifiers and remove unwanted changes
cbdab68
@fynngodau fynngodau marked this pull request as draft September 2, 2024 15:39
@fynngodau
Copy link
Contributor Author

The files AuthRequest.kt and AuthResponse.kt are uselessly duplicated in the current state, because I don't know a good place to put them as I don't want to include :play-services-core in the :play-services-workaccount-core module. Maybe @mar-v-in has a suggestion?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fynngodau @jonathanklee