...
Important Updates: Administrators must push a custom settings profile to existing Android 11, fully-managed, non-Zebra devices after updating to Workspace ONE Intelligent Hub v21.09. If Workspace ONE Launcher is used, Administrators must update to Launcher v21.09. It is recommended to update Launcher before updating Hub.

Scoped Storage Overview

Scoped Storage is a change in the file system on Android 10 and above to increase the security and integrity of device storage. Before scoped storage, each application had access to its own file directory as well as access to shared directories, such as the Downloads folder. In Android 10+, apps have a restricted level of access to these folders.

What are app-specific directories?

Each application has its own private folder on the storage system. App directories are located in /sdcard/Android/data/<package_id>/. Depending on the OS version, these folders are only accessible by the application that owns them. Even Hub cannot access these folders. Please review the various limitations below.

Below are the file restrictions in Android 10 and 11+. All apps are bound by these limitations, even Device or Profile Owners like Workspace ONE Intelligent Hub. Android 9 and below is not affected.

Android 10 with target API 30 (or apps running on Android 10+ that target API 29):
- Applications can opt out of Scoped Storage, which allows them to retain the same access as before.
- If apps do not opt out, apps will only have access to their own file directory. They will not have access to other apps’ directories, nor will they have access to shared directories.

Android 11+ (all apps regardless of target API level):
- Apps do not have access to other apps’ private directories. There is no way to gain access to these folders.
- Apps can only access their own private directory, or shared storage locations if target API is 29 or lower and they have opted out of Scoped Storage.
Android 11+ (apps that target API 30+):
- Applications cannot opt out of Scoped Storage.
- Applications can request a permission, via user prompt, called “All Files Access” to gain access to shared directories. However, other apps’ private directories are off-limits even with this permission. For more details on what directories and operations are allowed with this permission, please see Google's documentation on Operations that MANAGE_EXTERNAL_STORAGE allow.
- The permission is restricted. An app that requests this permission requires approval by Google when it is uploaded to the Play Store.

How Scoped Storage affects Device Management in WS1 UEM

By default, Scoped Storage impacts the below features and use cases. Because Hub can opt out of Scoped Storage on Android 10, these limitations only apply to Android 11 and higher.

File Management
- Product Provisioning File/Actions – files cannot be retrieved or moved to the file system outside of Hub’s own app directory.
- OS Upgrades – files cannot be placed in certain folders where other apps or services fetch the update file. This may only impact certain OEMs.
- Configuration files – many third-party apps use configuration files; however, it is recommended to use Android Managed Configurations instead, as Hub can no longer place the configuration files within the other apps’ directories.
- Application files – certain files that third-party apps require, such as images or other media, configuration, or data files, cannot be placed in other apps’ directories by Hub. These apps will need to fetch the files from a shared location, such as Downloads or Documents.

Custom Attributes

Third party custom attributes can no longer be placed in Hub’s directory on Android 11. See the Custom Attributes section below for more information.

Workspace ONE Assist - File Manager

Without the "All Files Access" permission, WS1 Assist can only access the media and downloads folders in the Android file system.
For more information, see Android 11+ (apps that target API 30). With the latest version of the WS1 Assist Agent and the WS1 Assist Service app v2.5, as well as on Zebra devices, this permission is automatically granted on the remote device. For OEMs that do not have a Service app (like Samsung), WS1 Assist Agent prompts the user to enable the “All Files Access” permission, which will provide the necessary access for the file management feature.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
Workspace ONE Product Changes to Support Scoped Storage:

Workspace ONE Intelligent Hub v21.09

For Work Managed (DO) devices only, Hub v21.09 will adopt the “All Files Access” permission. This permission requires a user prompt and acceptance to grant it on all except Zebra devices. This prompt will be different depending on the scenario. In any scenario, if Workspace ONE Launcher is used, Launcher will also need to be updated to v21.09. There is more information about the differences with Launcher below.

Fresh enrollments (non-Zebra devices)

There are two ways to ask the user to grant the All Files Access permission:
- DPC extra in QR Code (See Appendix A)
  - This extra will tell Hub to prompt the user to grant the permission during enrollment.
  - Enrollment will only proceed once the permission is granted.
- Custom settings profile (See Appendix B)
  - This profile will prompt the user to grant the permission on a device that is already enrolled.
  - The prompt will be in the form of a sticky notification. The user taps the notification to be transferred to the Settings page to grant the permission.
  - The sticky notification will not be cleared until the permission is granted.
  - If Launcher is installed, there will be a prompt instead of a notification. See Launcher section for more details.

Hub updates to v21.09 from a previous version (non-Zebra devices & Launcher not installed)

Hub may retain access to the file system for a brief period after the update, without granting the permission. However, this is only temporary, and Hub will lose access after a reboot.

The custom settings profile will need to be pushed to devices AFTER the update, so that the permission can be granted. When the profile is installed, the user will see a sticky notification requesting to grant the permission. The user will also see a prompt in Hub, if opened. The notification will not be cleared until the user grants the permission.
Device updates to Android 11 from lower version with Hub v21.09 installed (non-Zebra devices & Launcher not installed)

The custom settings profile will need to be pushed to devices AFTER the Hub update, so that the permission can be granted after update. When the profile is installed, the user will see a sticky notification requesting to grant the permission. The user will also see a prompt in Hub, if opened. The notification will not be cleared until the user grants the permission.

Workspace ONE Launcher v21.09:

When Launcher is installed, the user may not have access to the system notifications. Therefore, Launcher will take over the screen to prompt and instruct the user to grant the All Files Access permission. The prompt will close once the permission is granted. This only applies to the scenarios where the custom settings profile is used.

Confirm users have granted the All Files Access permission

There are two ways to confirm that the user has granted the All Files Access permission to Hub:
- A new Custom Attribute 'allFileAccessPermission' will be reported, which will indicate if the permission was granted (true) or not (false). The attribute can be viewed in Device Details > Custom Attributes, or it can be included in a bulk device report with Workspace ONE Intelligence.
- If a Product fails due to a file management error, the Job Log will include the error message “ALL_FILE_ACCESS_PERMISSION_NOT_GRANTED”.

Zebra Devices

Zebra devices allow the All Files Access permission to be granted silently, without needing to prompt the user. There are several methods to enable this permission:
- Before enrollment with Android Provisioning Extra in the enrollment QR Code (See Appendix C)
- MX setting, which can be applied through an Apply Custom Settings File/Action or OEMconfig (See Appendix D)
  - This method is recommended for granting the permission to other applications, such as internal apps that require file access.
- Automatically – If the permission is not already granted, Hub will grant it to itself, MX Service, and WS1 Assist automatically without having to notify or prompt the user. This will happen on all Zebra Android 11 fully managed devices.
  - Note: This requires the latest MX Service v5.4, which will release alongside Hub v21.09, and MX Framework 10.4 or higher on the device.
  - The permission is granted automatically in any scenario (fresh enrollment, Hub upgrade, OS upgrade, Enterprise Reset, etc.).

Custom Attributes

As noted above, third-party custom attributes are impacted by Scoped Storage on Android 11, as apps are no longer able to write the XML files into Hub’s directory, even with the All Files Access Permission granted. To solve this problem, customers can push a custom settings profile to devices, which will instruct Hub to use a different file path to collect the custom attributes files. It is recommended to use a shared folder, such as Downloads or Documents, to store the XML files. For more information and sample profile XML, see Custom Attributes, Android.

Appendix A: DPC Extra for QR Code Enrollment

Add this parameter to the Admin Extras Bundle in the enrollment QR Code along with the other necessary parameters to prompt the user during enrollment to grant the All Files Access permission.

Note: A third-party QR Code generator will be required to create the QR Code.
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"EnableAllFileAccessPermission":"true"} Below is an example of a full QR code with the new parameter included: { "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver", "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=\n", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=hub", "android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false, "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true, "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"WPA", "android.app.extra.PROVISIONING_WIFI_SSID":"WIFI_SSID", "android.app.extra.PROVISIONING_WIFI_PASSWORD":"WifiPassword", "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverurl":"serverurl.com", "gid":"groupID", "un":"un", "pw":"password", "EnableAllFileAccessPermission":"true" } } Appendix B: Custom Settings Profile Use this custom settings profile to prompt users to grant the All Files Access permission. This profile must be used for migration scenarios (OS update or Hub update), and it can only be pushed after Hub has been updated to v21.09. <characteristic type="com.airwatch.android.agent.settings" uuid="568bc89d-1df8-4ce9-a041-e5a24acdb7df"> <parm name="EnableAllFileAccessPermission" value="True"/> </characteristic> Appendix C: Zebra device enrollment On Zebra devices, the All Files Access permission can be granted to Hub automatically by the OS even before enrollment. This is the smoothest and easiest way to get the permission granted on Zebra devices. Add the below line to the Admin Provisioning Extras Bundle in the enrollment QR code. Note: This only grants the permission to Hub. Other apps will need to use the method noted in Appendix D. 
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "android.oem.zebra.permission":"android.permission.MANAGE_EXTERNAL_STORAGE" } Appendix D: Grant permission on Zebra devices using MX Zebra devices running MX Framework 10.4 or higher support an MX feature to grant the All Files Access permission silently to any application. This feature will be used by Hub to automatically grant the permission to Hub, MX Service, and Assist, but it can be used via the below methods for other apps as well. The two methods to take advantage of this feature are OEMconfig and MX XML. OEMconfig: In Zebra OEMconfig, navigate to Transaction Steps > Permission Access Configuration For Permission Access Action, select Grant For Grant Permission, select Manage External Storage For Grant Application Package, enter the package ID of the intended app To grant multiple applications, add another Transaction Step and complete steps 2-4 again. MX XML: Include the below in an XML file, which can be applied using the Apply Custom Settings File/Action within Product Provisioning. Requires MX Framework 10.4 on the device. <wap-provisioningdoc> <characteristic version="10.0" type="AccessMgr"> <parm name="PermissionAccessAction" value="1" /> <parm name="PermissionAccessPermissionName" value="android.permission.MANAGE_EXTERNAL_STORAGE" /> <parm name="PermissionAccessPackageName" value="YOUR PACKAGE NAME HERE" /> <parm name="PermissionAccessSignature"value="YOUR PACKAGE SIGNATURE HERE" /> </characteristic> </wap-provisioningdoc>