feat(android): use device serial for deviceName (#4180)

Fixes #4042 

The serial number of the device is blocked behind a permission. There
are a couple of ways we can go about this:

-----

### (1) Ask the user to (optionally) grant the permission

When we show the grant VPN permission activity, we also mention the
optional READ_PRIVILEGED_PHONE_STATE permission. Here, the user can
decide to grant it or not, and if they decide not to, they can grant it
in the future in the app settings. When the permission is not granted,
the `deviceName` falls back to the `Build.MODEL`.

### (2) Force the user to grant the permission

We keep asking them to grant the permission in the splash view.
`deviceName` is always the serial number of the device.

### (3) Let MDM grant the permission

We don't provide a UI to grant the permission in the application.
Instead, the `deviceName` is the `Build.MODEL` by default, unless
advanced users or admins using MDM set the permission, in which case
it's the serial number of the device.

### (4) Let MDM set a custom/override device name

This could be an alternative to (3) if it is easier for customers using
MDM software to manage it this way. Though I doubt it...

-----

Going with option (3) is safe, and the other options can be added
incrementally in the future. However, it requires communicating to the
customer that they should set this permission for the `deviceName` to be
the serial of the device. That's not a problem yet, since the relevant
customer is using MDM to manage the app; it's trivial to set this
permission via that UI.

If we did want to show this permission to the user, I think option (1)
is most likely going to be better than option (2) in most cases.

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Jason Elie Bou Kheir
2024-03-21 05:39:23 -07:00
committed by GitHub
parent 45d31e0b62
commit c94b2de02a
3 changed files with 22 additions and 2 deletions

@@ -213,7 +213,7 @@ class TunnelService : VpnService() {
apiUrl = config.apiUrl,
token = token,
deviceId = deviceId(),
deviceName = Build.MODEL,
deviceName = getDeviceName(),
osVersion = Build.VERSION.RELEASE,
logDir = getLogDir(),
logFilter = config.logFilter,
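Review bot: The call site `deviceName = getDeviceName(),` sends an admin-configured string, not the device serial that the commit title promises, and nothing at this argument marks the difference. Add a short comment here saying the value comes from the managed `deviceName` restriction with `Build.MODEL` as the fallback, and treat `deviceId = deviceId()` as the identifier to rely on, since a free-text name can be set to anything by whoever controls the managed configuration.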
@@ -384,6 +384,15 @@ class TunnelService : VpnService() {
startForeground(STATUS_NOTIFICATION_ID, notification)
}
private fun getDeviceName(): String {
val deviceName = appRestrictions.getString("deviceName")
return if (deviceName.isNullOrBlank() || deviceName == "null") {
Build.MODEL
} else {
deviceName
}
}
companion object {
enum class State {
CONNECTING,
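Review bot: In `getDeviceName()`, the comparison `deviceName == "null"` has no comment explaining why the literal string is treated as unset, and an accepted value is forwarded without trimming or a length limit. Document which configuration source produces the literal `"null"`, and consider returning the trimmed value capped to a maximum length so a padded or oversized string from managed configuration does not reach the API unchanged.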

@@ -26,7 +26,7 @@
<string name="sign_out">Sign Out</string>
<!-- Auth -->
<string name="launching_auth_flow">Launching Chrome to sign in...</string>
<string name="launching_auth_flow">Launching Chrome to sign in</string>
<!-- Error Dialog -->
<string name="error_dialog_title">Error</string>
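Review bot: The `launching_auth_flow` edit that drops the trailing `...` is unrelated to the device-name feature and is not mentioned in the commit message. Move it to its own commit, or add a line to the message, so the string change stays traceable.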
@@ -62,4 +62,9 @@
If this list is empty, no applications are disallowed. Either "Allowed Applications" OR
"Disallowed Applications" may be set *but not* both.
</string>
<string name="config_device_name_title">Device Name</string>
<string name="config_device_name_description">
The name of the device. This is used to identify the device in the admin portal.
If unset, device\'s model name will be used.
</string>
</resources>
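Review bot: `config_device_name_description` ends with "If unset, device\'s model name will be used.", which is missing an article and does not tell the admin what value is expected. Suggest "If unset, the device\'s model name will be used." plus a sentence saying that the serial number (or another unique label) is the intended value, since that is the stated goal of the change.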

@@ -18,4 +18,10 @@
android:key="disallowedApplications"
android:restrictionType="string"
android:title="@string/config_disallowed_applications_title" />
<restriction
android:description="@string/config_device_name_description"
android:key="deviceName"
android:restrictionType="string"
android:title="@string/config_device_name_title" />
</restrictions>
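Review bot: The key in `android:key="deviceName"` is repeated as a bare string literal in `appRestrictions.getString("deviceName")`, so a rename on either side silently falls back to `Build.MODEL` with no error. Define the key once as a Kotlin constant, use it in `getDeviceName()`, and add a comment there pointing at this restriction entry.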