Android 11 Scoped storage blocking Package and File Sync Rules

Hi All, 

I'm running into this issue. I have Samsung S10e and A11 devices. They have Ivanti's Velocity installed and some other custom apps installed. Both Velocity and the custom app are using the new Android Scoped storage standard for file storage by using the paths 

"%sdcard%\Android\data\com.wavelink.velocity\files\" and "%sdcard%\Android\data\com.mycompany/myapplicaiton\files\"  respectively.

Both apps are looking to find their config files in the \files\ directory. I'm trying to build either a file sync rule or a package to deliver the files to the application \files\ folder and both are failing. If I try to browse these folders using SOTI remote control I cannot get past the "%sdcard%\Android\data" directory. 

Both the S10e and A11 are running Android 11. If I try this on the same devices running Android 10 I have no issues. This obviously has to do with Android changing the scope of permissions for file access, but shouldn't a Device Owner DPC agent have full rights to that storage location? This is a major disruption as to how SOTI can function, as apps are now being forced to move their configurations to support scoped storage, but the MDMs are not being provided access to configure them.  

I understand that App config can potentially be used for some workarounds, but this will only help in certain situations. The majority of clients rely on the flexibility of File Sync and Packages for configuration. 

Has anyone experienced this and have a solution?

Thanks

DAN

4 years ago
Android
ANSWERS
Raymond Chan Diamond Contributor
4 years ago

File-sync rules were introduced 10+ years ago to support the legacy Windows platform, and have also been applicable to more modern device platforms over the years.

However, read/write permissions on device directories have always been one of the biggest limitations of file-sync rules, but there is basically no solution, as the MobiControl device agent is not the kernel or any higher-priority user in the system, and is no more than an ordinary app with some specialized EMM APIs to request the kernel/system to perform some allowed operations.  In fact, even for Android before version 11, the directory tree within each installed app's private space is not accessible by the SOTI device agent.

The usual workaround is to have the file-sync rule targeted to some public device directory to which the MobiControl device agent and all other apps have common access rights.  Such a file can be in a sub-folder, specially formatted and encrypted to avoid data theft and/or tampering by other apps on the system.  Verified sync file data can be saved to an app's private space for subsequent secure offline access.
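
The verify-then-import step of this workaround, as an added example that is not part of the original post and is not SOTI or Ivanti code. It covers the tamper check only, not encryption, and assumes a detached ECDSA signature produced off-device; the file names `config.json` and `config.json.sig`, the class name and the pinned public key are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;

public class VerifiedConfigImport {
    // Imports sharedDir/config.json only if config.json.sig verifies under the pinned key.
    static boolean importIfValid(Path sharedDir, Path privateDir, PublicKey pinned)
            throws Exception {
        Path cfg = sharedDir.resolve("config.json");
        Path sig = sharedDir.resolve("config.json.sig");
        if (!Files.isRegularFile(cfg, LinkOption.NOFOLLOW_LINKS)
                || !Files.isRegularFile(sig, LinkOption.NOFOLLOW_LINKS)) {
            return false; // missing file, or a symlink planted by another app
        }
        // Read once: the bytes that are verified are the bytes that get stored.
        byte[] data = Files.readAllBytes(cfg);
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pinned);
        verifier.update(data);
        try {
            if (!verifier.verify(Files.readAllBytes(sig))) return false;
        } catch (SignatureException malformed) {
            return false; // signature file is not a well-formed signature
        }
        // Write to a temp name, then rename, so a partial file is never loaded.
        Path tmp = privateDir.resolve("config.json.tmp");
        Files.write(tmp, data);
        Files.move(tmp, privateDir.resolve("config.json"),
                StandardCopyOption.REPLACE_EXISTING);
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: key pair, directories and config exist only for this demo.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair kp = gen.generateKeyPair();
        Path shared = Files.createTempDirectory("shared");
        Path priv = Files.createTempDirectory("private");
        byte[] cfg = "{\"host\":\"server.example\"}".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(cfg);
        Files.write(shared.resolve("config.json"), cfg);
        Files.write(shared.resolve("config.json.sig"), signer.sign());
        System.out.println("signed file imported: " + importIfValid(shared, priv, kp.getPublic()));
        // Another app rewrites the shared copy: the import must now be refused.
        Files.write(shared.resolve("config.json"), "{\"host\":\"other.example\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("modified file imported: " + importIfValid(shared, priv, kp.getPublic()));
    }
}
```

In a real deployment the signing key stays with whoever builds the sync payload and only the public key ships in the app; on a device, `privateDir` would be the app's own files directory.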

Dan Sulan
4 years ago

Hi Raymond,

Thank you for the reply. 

Your solution of delivering config files to a public storage space, such as the root of the sdcard or the media folder, is a technique we are already using, but it's limited to apps that have been written to access files from those locations (many commercial apps such as Velocity are not set up to do this, yet).

The irony of this is that Google is forcing app developers to start using Scoped Storage for storing app files in order to limit apps from having full access to storage, but in doing so it is forcing developers and users to grant legacy permissions to maintain the ability to configure the app using an MDM. This seems counterproductive to Google's main goal of security.

Cheers

Dan

Randy, Saputra
4 years ago

Hi Dan, 

Since both your devices are already running Android 11, I just want to ask: does Remote Control work on your S10e and A11?

Thanks,

Randy

Dan Sulan
4 years ago

Hi Randy,

I have no problem with remote control working on Samsung devices running Android 10 or 11. Note that on Android 11 I cannot browse all the storage locations under the \SDcard due to the scoped storage change we were discussing above. 

Matt Dermody Diamond Contributor
4 years ago

Hi Dan!

Bumping this thread. Were you able to get File Sync or Package based config file delivery working with Android 11? This definitely seems to be related to the scoped storage enforcements but I too assumed that the DO SOTI Agent would have elevated permissions to be able to place files in scoped storage. This is going to be majorly disruptive if the agent can't be updated to read/write from those directories. 

Matt Dermody Diamond Contributor
3 years ago

Leaving this here for anyone experiencing this issue in the future

https://discussions.soti.net/articles/impact-of-android-11-scoped-storage-restrictions-on-android-agent

Google has in fact enforced scoped storage restrictions on EMM agents in A11+, which will force apps leveraging external configuration files for configuration to request new permissions like MANAGE_EXTERNAL_STORAGE in order to have shared storage access returned. To Dan's point, this is indeed ironic given that it results in apps now requesting more storage access under A11 than they otherwise would have needed. This would not have been as big of an issue if DPCs with DO were given elevated privileges in order to be able to access other apps' scoped storage directories. 

Oliver Kulbach
3 years ago

Hi Matt,

I read everything I found about this based on your link, but my knowledge about Android and SOTI is too limited to fully understand it. I need to copy a config file under Android 11 to

%sdcard%/Android/data/APPNAME/files

That is currently not possible, as it looks, and AccessMgr doesn't help either. Am I understanding this correctly?

Matt Dermody Diamond Contributor
2 years ago

That is correct. Android has restricted access to those directories, known as scoped storage, on Android 11 and higher. The individual apps have access to their scoped storage directories, so APPNAME can read and write from there, but no other app, including EMM/MDM policy controllers/agents, has the ability to access those directories. Enterprise application developers therefore need to adjust their process for configuration to something other than scoped storage. Some developers have opted to move to managed configurations whereas others are just using different public storage directories on the device. You will need to contact the APPNAME developer to see if they have any alternate configuration mechanisms available in order to support A11+. 
