Android - Allowing installation of non-market-apps fails in device owner app

Question

I'm trying to set the security setting "Unknown Sources - Allow installation of apps from unknown sources" programmatically.

For this, the DevicePolicyManager (with level 21) provides a function ("SetSecureSetting") to set this setting (only available for profile or device owner).

In my Device-Owner-App (deployed by NFC provisioning) I tried the following code:

public void allowNonMarketApps() {
    DevicePolicyManager devicePolicyManager = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
    ComponentName deviceAdmin = new ComponentName(this, AdminReceiver.class);
    try {
      devicePolicyManager.setSecureSetting(deviceAdmin, Settings.Secure.INSTALL_NON_MARKET_APPS, "1");
    } catch (SecurityException e) {
      Log.d(TAG, "securityException caught");
    }
}

Despite my app's the device owner, I always get a SecurityException!

Can anybody help me with this issue?

Thanks in advance!!

EDIT The SecurityException's output is telling me that device owners cannot change this setting:

java.lang.SecurityException: Permission denial: Device owners cannot update install_non_market_apps
W/System.err(27634):    at android.os.Parcel.readException(Parcel.java:1547)
W/System.err(27634):    at android.os.Parcel.readException(Parcel.java:1499)
W/System.err(27634):    at android.app.admin.IDevicePolicyManager$Stub$Proxy.setSecureSetting(IDevicePolicyManager.java:7158)
W/System.err(27634):    at android.app.admin.DevicePolicyManager.setSecureSetting(DevicePolicyManager.java:3753)

I'm confused, because the Documentation is telling something different:

public void setSecureSetting (ComponentName admin, String setting, String value) 

(Added in API level 21)

Called by profile or device owners to update Settings.Secure settings. Validation that the value of the setting is in the correct form for the setting type should be performed by the caller.

The settings that can be updated by a profile or device owner with this method are:

DEFAULT_INPUT_METHOD

INSTALL_NON_MARKET_APPS

SKIP_FIRST_USE_HINTS

Answer 1

Apparently, the ability to change INSTALL_NON_MARKET_APPS was added in API 22.

You can find the change in the codebase done on Oct 21 2014 (after release of API 21) here:

This allows work profile MDM to enable unknown sources even if the user doesn't have UI for it. Installing an app from an unknown source will still prompt the user with the package installer dialog, so it's not like the MDM can now quietly install apps from non-market sources

This feature was definitively missing in API 21.