I have an customer project where I have to make single task android device. Customer isn't able to escape the application which my company have developed. Also customer isn't able to start any other application and our application is started when the device is booted. Overall all the customer is able to do with the device is run our application.
Is there any other way to make this work than rooting the device, disabling all system buttons and making our application the launcher. I have something like 400 devices for this purpose so rooting all those would cost lot of time.
I also read Google's tutorial about COSU devices but found it very confucing https://developer.android.com/work/cosu.html#testing-plan
Androids own screen pinning is not good enough because customer can escape the app. Some may suggest to use some kiosk application like SureLock but my company's goal is to find clear solution for this without using any third party apps. Also running our app via some kiosk application is not our goal.
I found some posts on the Stack Overflow with similar question, but not the answer I'm looking for.
If someone has some tips for this question I would be very grateful.
Single purpose devices built on top of Android can get difficult to implement. There are a few different options, but each have trade-offs.
As you mentioned, rooting devices will functionally get you what you want - however it will be time consuming with hundreds of devices to root, difficult to maintain, and you will (potentially) introduce security issues to your devices and app.
Another option is using Google's Lock Task Mode for COSU devices[1]. The link there has a nice graphic showing the features of lock task mode:
stopLockTask()
There are some downsides to using Google's solution for this. First Google recommends creating (and therefor maintaining) an entirely separate DPC app to run as a device owner and set policies[2]. You'll also be dependent on Google Play to manage application updates and be required to have Play accounts associated with each device which "are used to identify a single device that is not tied to a single user for simplified, per-device app distribution rules in COSU-style scenarios"[3]. To automatically get your DPC app on devices your "DPC must be publicly availble on Google Play, and the end user can install the DPC from the device setup wizard by entering the DPC-specific identifier."[3] You'll also need to upload the user application to Google Play[4], which may be an issue for some who don't want their apps on Play. Going this route gives you features you need, but can be complicated and also ties you and your customer pretty tightly with Google/Play services and their workflow.
You can also look at enterprise mobile deployment platforms like Mason[5]. In your case, you can create a custom Android OS in a few minutes with your app locked in kiosk mode (+ other features like disable camera/sms, remove apps and hide settings, etc.) and then deploy it to all of your devices remotely. Mason also supports OS and app updates controlled by you if your requirements change.
DISCLAIMER: I work for Mason