Display over other apps permission not working
We may allow the user to set it, even when the lockdown is set, by a trick, on Android Enterprise agents.
Your lockdown must add an entry to Launch://com.android.settings/.Settings$OverlaySettingsActivity named as overlay.
Your lockdown, in the advanced tab, must leave the option Activity Suppression marked.
Then you must create a whitelist application control including com.android.settings.
You will be surprised that clicking on the overlay entry will still not open it to be set.
Then you may create a script to send an intent of android.settings.action.MANAGE_OVERLAY_PERMISSION and it will show you a list of all apps that may be granted this permission.
In my case I have created a Java app to launch it, included it in the lockdown menu, and it keeps a screen coming back until the end user grants the permission requested. But it could also be used as a script, as:
sendintent -a "intent:#Intent;action=android.settings.action.MANAGE_OVERLAY_PERMISSION;launchFlags=0x4000000;end"
If you need an app to assure that it has been granted, please let me know so that we may share it.
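A sketch of the kind of checker app described in the post above, added here as an example and not the poster's app or SOTI code: it tests the overlay grant for its own package each time it returns to the foreground and re-opens the overlay settings screen until the grant is in place. The package name, class name and retry limit are assumptions.

```java
// Added example (not the poster's app). Package, class name and MAX_PROMPTS are hypothetical.
package com.example.overlaygate;

import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.util.Log;

public class OverlayGateActivity extends Activity {
    private static final String TAG = "OverlayGate";
    private static final int MAX_PROMPTS = 5; // stop looping if Settings never opens
    private int prompts = 0;

    /** True when this app (not another package) may draw over other apps. */
    private boolean overlayGranted() {
        // Before API 23 SYSTEM_ALERT_WINDOW is granted at install time.
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.M
                || Settings.canDrawOverlays(this);
    }

    @Override
    protected void onResume() {
        super.onResume(); // runs again each time the user comes back from Settings
        if (overlayGranted()) {
            Log.i(TAG, "overlay permission granted");
            finish();
            return;
        }
        if (prompts++ >= MAX_PROMPTS) {
            Log.w(TAG, "overlay permission still missing; giving up");
            finish();
            return;
        }
        // Same action as the sendintent script. On Android 11+ the package URI is
        // ignored and the user lands on the list of apps instead of this app's page.
        Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                Uri.parse("package:" + getPackageName()));
        intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP); // launchFlags=0x4000000
        try {
            startActivity(intent);
        } catch (ActivityNotFoundException e) {
            Log.e(TAG, "overlay settings screen not available on this device", e);
            finish();
        }
    }
}
```

The app has to declare android.permission.SYSTEM_ALERT_WINDOW in its manifest to show up in the overlay list, and Settings.canDrawOverlays() reports only on the calling app, not on other packages.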
The active MDM APIs can be found below the device agent version in the "device-configuration" tab of your device agent.
It's good to know that you found the script command to be functional for some other permission on an app you tested. Maybe you should perform more tests on other permissions over a range of apps on the devices you are managing. Keep a spreadsheet of your test results so that you know what can or can't be configured with script.
I am not from Soti or Google, and therefore cannot officially confirm that the script command works for ALL 150+ permissions available and for all device models/firmware versions. It is totally possible that Google disallows some sensitive permissions to be configured programmatically due to security/privacy reasons, and I am still searching for any Google documentation that might have mentioned something on the topic.
Although the SYSTEM_ALERT_WINDOW permission should be the right permission related to "Draw over other applications", the fact that even Soti device agents themselves need such permission to be manually granted by the device end-user makes me suspect that this permission may belong to the sensitive category mentioned above.
The Agent Version is 14.1.4 and Build: 1010
What about the active MDM APIs reported by your device agent? -- I don't understand this question.
I tried the below to change permission and it worked.
afw_set_permission_grant_state com.ascom.myco.barcodescanner android.permission.CAMERA deny
afw_set_permission_grant_state com.ascom.myco.barcodescanner android.permission.CAMERA default
What are the version and build numbers of your device agent? What about the active MDM APIs reported by your device agent?
Have you tried changing permission(s) other than SYSTEM_ALERT_WINDOW? If so, what are they and the test results?