Display over other apps permission not working

Display over other apps permission not working

I am trying to enable permission for "Allow display over other apps" using the below script. 

afw_set_permission_grant_state com.google.android.youtube android.permission.SYSTEM_ALERT_WINDOW allow

 

My handset (an Ascom Myco 3) is enrolled as a Work Managed Device. The handset has Android 9 OS. 

The command does nothing at all. The permission on the handset is disabled by default and has to be enabled remotly only. 

I tried this for other apps as well, and the result is the same. 

 

Can you help me resolve this issue. 

 

Thanks 

4 Answers

Order By:   Standard | Newest | Votes
Joao Nelson Cavezale de la Torre | posted this 09 November 2020

We may allow the user to set it, even when the lockdown is set, by a trick, on android enterprise agents.

Your lockdown must add an entry to Launch://com.android.settings/.Settings$OverlaySettingsActivity named as overlay.

Your lockdown, in the advance tab, must leave marked the option Activity Suppression.

Then you must create a whitelist application control including com.android.settings.

 

You will got surprised that clicking on the entry overlay, it will still not open it to be set.

Then you may create a script to send an intent of android.settings.action.MANAGE_OVERLAY_PERMISSION and it will show you a list with all apps that may be granted by this permission.

In my case I have created an java app to launch it and included in the lockdown menu and keep a screen coming back until end user grant the permission requested. But could also be used as a script as :

 

sendintent  -a "intent:#Intent;action=android.settings.action.MANAGE_OVERLAY_PERMISSION;launchFlags=0x4000000;end"

 

If you need an app to assure its has been granted, please let me know that we may share it.

 

 

  • 0
  • 0
Raymond Chan | posted this 14 January 2020

The active MDM API's can be found below the device agent version in the "device-configuration" tab of your device agent.

 

It's good to know that you found the script command to be functional for some other permission on an app you tested.  Maybe you should perform more tests on other permissions over a range of apps on the devices you are managing.  Keep a spreadsheet of your test results so that you know what can or can't be configured with script.

 

I am not from Soti or Google, and therefore cannot officially confirm that the script command works for ALL 150+ permissions available and for all device models/firmware-versions.  It is totally possible that Google disallow some sensitive permissions to be programmatically due to security/privacy reasons, and I am still searching for any Google's documentation that might have mentioned something on the topic.

 

Although SYSTEM_ALERT_WINDOW permission should be the right permission related to "Draw over other applications", however, the fact that even Soti device agents themselves need such permission to be manually granted by the device end-user makes me suspect that this permission may belong to the sensitive category mentioned above.

  • 0
  • 0
Pranam | posted this 13 January 2020

Hi Raymond, 

The Agent Version is 14.1.4 and Build : 1010

 

What about the active MDM API's reported by your device agent? -- I dont understand this question. 

 

I tried the below to change permission and it worked. 

afw_set_permission_grant_state com.ascom.myco.barcodescanner android.permission.CAMERA deny

afw_set_permission_grant_state com.ascom.myco.barcodescanner android.permission.CAMERA default

  • 0
  • 0
Raymond Chan | posted this 11 January 2020

What are the version and build numbers of your device agent?  What about the active MDM API's reported by your device agent?

 

Have you tried changing permission(s) other than SYSTEM_ALERT_WINDOW ?   if so, what are they and the test results?

 

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback