Add "Restrictions" for configuring app-settings by MDM

[stegl83]

When using Android Enterprise and a mobile device management (MDM), you can define in the appmanifest settings which can be configured by a MDM.
This XML-elements are called "restrictions".
see https://developer.android.com/reference/android/content/RestrictionsManager

An admin can create a policy to force the installation of the app and if restrictions are defined, the admin can additionally configure these settings. Interesting settings would be:

• Port
• Pwd
• showMouseCursor
• the preselected Mode when hit the "Start" button: single app or device screen.

I think it is a good practise to support this managed settings feature.

[bk138]

This would require rebuilding the app each time settings are changed? Doesn't https://github.com/bk138/droidVNC-NG?tab=readme-ov-file#how-to-pre-seed-preferences do the same?

[stegl83]

In my opinion, the local file is a different scenario. The MDM is not able to put the json file in this directory.
BUT:
The feature of trigger the vnc-server by intent and configuring the settings by the intents "datacontainer" is really great. Maybe this can be used for a workaround:
I could extend my app so it can be configured by MDM and pass these Settings to VNCServer per Intent.
I will try out and close this issue when it's working.

[bk138]

Good morning and thanks for your answer! If you get it to work, please leave a few notes here; might be interesting to others as well.

[stegl83]

Hi again,
I just think about the approach: I need the randomly on the device generated access key to setup the settings from my app by intent. Right? When yes, this is a big problem.

The goal is to make a mass deployable configuration which can be rolled out by MDM.
When every device has a different access key, it is useless to pass the access key by MDM to my app on the device fleet so it can trigger vncServer.

The only way would be to setup the same access key on every device. There is not much saving here compared to setup the whole configuration by json-file.

My next step is to request my MDM-vendor if there is a way to drop the json-File on the described location. I let you know the answer.

[bk138]

Hi again, I just think about the approach: I need the randomly on the device generated access key to setup the settings from my app by intent. Right? When yes, this is a big problem.

It would be, but you can preseed the access key via the JSON, see the docs at https://github.com/bk138/droidVNC-NG?tab=readme-ov-file#how-to-pre-seed-preferences

[stegl83]

The MDM-vendor confirms that there is no way to put the json file by MDM.
I tried another workaround and my app tried accessing the directory - even if MANAGE_EXTERNAL_STORAGE is definied and explicitly permitted - the app can not access this app-specific directory. This aligns with https://developer.android.com/training/data-storage/manage-all-files.
The only use case for using the json to setup the vnc-app is copy it by usb on the directory on the device.
But that is not a solution for me.

I think, configure the app by using managed settings is the only way that fits the needs of the described MDM-scenario.
Please consider about this feature.

[bk138]

@stegl83 Are there any docs/examples/best-practices for the requested feature? Are you representing a company that would fund this?

[stegl83]

Hi,
I just prepared the restriction-files for you. In .NET MAUI / Visual Studio you have to put them like this:

In Java it will be similar. After building the App and publishing to the store, the MDM will evaluate this new metadata and the configuration UI will look like this:

restriction_values.xml:

<?xml version="1.0" encoding="utf-8" ?>
<resources>
	<string name="net.christianbeier.droidvnc_ng_config">Configuration</string>
	<string name="net.christianbeier.droidvnc_ng_config_desc">Configuration for DroidVNC</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_ACCESS_KEY">Access Key</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_ACCESS_KEY_default"></string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_PORT">Port</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_PORT_default">5900</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_PASSWORD">Password</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_PASSWORD_default"></string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_SCALING">Scaling</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_SCALING_default"></string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_VIEW_ONLY">ViewOnly</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_VIEW_ONLY_default">false</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_SHOW_POINTERS">Show Pointers</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_SHOW_POINTERS_default">true</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_FILE_TRANSFER">File Transfer</string>
	<string name="net.christianbeier.droidvnc_ng_EXTRA_FILE_TRANSFER_default">false</string>
</resources>

app_restrictions.xml:
`

	<restriction
	  android:key="EXTRA_ACCESS_KEY"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_ACCESS_KEY"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_ACCESS_KEY_default"
	  android:restrictionType="string"/>

	<restriction
	  android:key="EXTRA_PORT"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_PORT"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_PORT_default"
	  android:restrictionType="integer"/>

	<restriction
	  android:key="EXTRA_PASSWORD"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_PASSWORD"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_PASSWORD_default"
	  android:restrictionType="string"/>

	<restriction
	  android:key="EXTRA_SCALING"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_SCALING"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_SCALING_default"
	  android:restrictionType="string"/>

	<restriction
	  android:key="EXTRA_VIEW_ONLY"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_VIEW_ONLY"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_VIEW_ONLY_default"
		android:restrictionType="bool"/>

	<restriction
	  android:key="EXTRA_SHOW_POINTERS"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_SHOW_POINTERS"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_SHOW_POINTERS_default"
		android:restrictionType="bool"/>

	<restriction
	  android:key="EXTRA_FILE_TRANSFER"
	  android:title="@string/net.christianbeier.droidvnc_ng_EXTRA_FILE_TRANSFER"
	  android:defaultValue="@string/net.christianbeier.droidvnc_ng_EXTRA_FILE_TRANSFER_default"
		android:restrictionType="bool"/>

	<!-- add more settings if something missing --> 
</restriction>

`

[stegl83]

For reading this settings in the app, you have to use RestrictionsManager-API.
Here are the Docs: https://developer.android.com/work/managed-configurations?hl=de

[bk138]

Thanks! Will go through this when I have so spare time. If you or your company need this in an expedited form, feel free to reach out to me via email.

[leandro-nomid]

Hey @stegl83, I'm CEO and CTO of Nomid Tech, a MDM provider.
We are evaluating alternatives for remote access and stumbled upon this project and issue. Please reach us at [email protected] so we can discuss further the usage in your company.
I'm sure we can share experience and combine efforts to either contribute with a PR or fund this feature request.

[bk138]

@leandro-nomid @stegl83 Would happily merge a PR that's generic enough for all users, or, if that's not possible, detailed documentation of setting things up.