Allow permissions via script

Allow permissions via script

Hello dear SOTI-community,

I want to enforce a lockdown on our Android devices with only two or three apps being offered to the user. Unfortunately, I currently have to enable the settings app as well, because if I update one of our apps (self-programmed app), the device will prompt the user for permissions, which he or she is not allowed to permit if the settings app is not enabled.

I am already using a post-install-script, but the commands don't seem to work:

afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO_ELM allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO_AFW allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA_ELM allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA_AFW allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.CAMERA allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.RECORD_AUDIO allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_EXTERNAL_STORAGE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_EXTERNAL_STORAGE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.CALL_PHONE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_COURSE_LOCATION allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_FINE_LOCATION allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.RECEIVE_SMS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.SEND_SMS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_SETTINGS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.VIBRATE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WAKE_LOCK allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_WIFI_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_NETWORK_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_FINE_LOCATION allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_COARSE_LOCATION allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.BLUETOOTH allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.BLUETOOTH_ADMIN allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CALL_PHONE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CHANGE_WIFI_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.FOREGROUND_SERVICE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.GET_ACCOUNTS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.INTERNET allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.KILL_BACKGROUND_PROCESSES allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_PROFILE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_CONTACTS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_PHONE_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.REQUEST_INSTALL_PACKAGES allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.RECEIVE_BOOT_COMPLETED allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.VIBRATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WAKE_LOCK allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_SETTINGS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_EXTERNAL_STORAGE allow
afw_set_permission_grant_state com.ignitix.systemone com.honeywell.provisioner.ACCESS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.NFC allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CAMERA allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.RECORD_AUDIO allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.FLASHLIGHT allow
afw_set_permission_grant_state com.ignitix.systemone com.android.settings/.Settings$AppWriteSettingsActivity allow
afw_set_permission_grant_state com.ignitix.systemone com.android.settings.Settings$AppWriteSettingsActivity allow
afw_set_permission_grant_state com.ignitix.systemone com.android.browser.permission.READ_HISTORY_BOOKMARKS allow
afw_set_permission_grant_state com.ignitix.systemone com.google.android.gms.permission.ACTIVITY_RECOGNITION allow
batteryoptimize allow com.ignitix.systemone

 

Although it should permit practically everything, our Android 7.1.0 devices still want the permission for system setting access and battery optimization from the user. Our Android 8 devices want even more permissions to be sanctioned by the user.

Which script command will work properly? Does anyone have any experience regarding this type of problem?

6 Answers

Order By:   Standard | Newest | Votes
DDMOD@SOTI | posted this 02 June 2020

Hi Dahin,

 

Thanks for the post!

Please try sending the below legacy script to the android devices(Android Agent Implemented 13.6.0.1645) to have the Notification Access and grant those permissions:
request_appops_permission BIND_NOTIFICATION_LISTENER_SERVICE

This permission can usually be found via this path: Settings -> Apps & notifications -> Special app access -> Notification access. The path may vary from device to device.

 

Please share the outcome if this script works for you.

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Dahin | posted this 03 June 2020

Thanks for replying!

How would a line in the above posted script look?

Like this?

request_appops_permission android.permission.BIND_NOTIFICATION_LISTENER_SERVICE

  • 0
  • 0
JVMOD@SOTI | posted this 03 June 2020

Hello Dahin,

 

Above mentioned script worked for you? if not, can you please try below script -

request_appops_permission BIND_NOTIFICATION_LISTENER_SERVICE
restartagent

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Dahin | posted this 04 June 2020

I have added you lines to the top of my script, so it now looks as follows:

request_appops_permission BIND_NOTIFICATION_LISTENER_SERVICE
restartagent
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO_ELM allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.DEVICE_INFO_AFW allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA_ELM allow
afw_set_permission_grant_state com.ignitix.systemone net.soti.mobicontrol.permission.GET_DATA_AFW allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.CAMERA allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.RECORD_AUDIO allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_EXTERNAL_STORAGE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_EXTERNAL_STORAGE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.CALL_PHONE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_COURSE_LOCATION allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_FINE_LOCATION allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.RECEIVE_SMS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.SEND_SMS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_SETTINGS allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.VIBRATE allow
;afw_set_permission_grant_state com.ignitix.systemone android.permission.WAKE_LOCK allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_WIFI_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_NETWORK_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_FINE_LOCATION allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.ACCESS_COARSE_LOCATION allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.BLUETOOTH allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.BLUETOOTH_ADMIN allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CALL_PHONE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CHANGE_WIFI_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.FOREGROUND_SERVICE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.GET_ACCOUNTS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.INTERNET allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.KILL_BACKGROUND_PROCESSES allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_PROFILE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_CONTACTS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.READ_PHONE_STATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.REQUEST_INSTALL_PACKAGES allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.RECEIVE_BOOT_COMPLETED allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.VIBRATE allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WAKE_LOCK allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_SETTINGS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.WRITE_EXTERNAL_STORAGE allow
afw_set_permission_grant_state com.ignitix.systemone com.honeywell.provisioner.ACCESS allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.NFC allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.CAMERA allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.RECORD_AUDIO allow
afw_set_permission_grant_state com.ignitix.systemone android.permission.FLASHLIGHT allow
afw_set_permission_grant_state com.ignitix.systemone com.android.settings/.Settings$AppWriteSettingsActivity allow
afw_set_permission_grant_state com.ignitix.systemone com.android.settings.Settings$AppWriteSettingsActivity allow
afw_set_permission_grant_state com.ignitix.systemone com.android.browser.permission.READ_HISTORY_BOOKMARKS allow
afw_set_permission_grant_state com.ignitix.systemone com.google.android.gms.permission.ACTIVITY_RECOGNITION allow
afw_prevent_uninstall com.ignitix.systemone enable
batteryoptimize allow com.ignitix.systemone

I also tried it without the "restartagent", but it didn't work. The permission popups still show up, unfortunately.

  • 0
  • 0
Raymond Chan | posted this 04 June 2020

What are the version and build numbers of your device agent? And the active MDM API's reported by your device agent or in the device's information tab of your web console.

 

Have you manually granted any permission(s) for the device agent itself in your device's Settings?

 

Did you fail for some or all of the permissions specified in your scripts?   If some worked fine, what were they?

 

  • 0
  • 0
Dahin | posted this 04 June 2020

The agent installed on the device has the version number 13.6.0.1476, according to SOTI MobiControl.

APIs are the follwing: RC+, Enterprise 4.1

I have not manually configured anything on the devices. If we get a new device, we set it up using three QR-codes which tell the device to download the agent from our SFTP-server and install it - from then on SOTI rolls out the package. The only permissions I tinker with are the ones set in the post install script of the packages I build (= the ones seen above).

Most of the permissions (camera, microphone, phone calls, etc.) are working on Android 7.1.1 devices (only the changing of battery settings as well as the access to system settings have to be permitted manually). On my Android 8.1.0 test device, multiple permissions pop up (running in the background, camera, microphone, etc.).

 

Edit: Is there a way to hide a lockdown icon (e.g. if I enabled the settings "com.android.settings" in lockdown mode, but I dont want it to be visible, just to not get blocked if another app calls a settings function)?

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback