Given self-signed CA certificate file which was generated on device, I'm trying to figure out a way to install it on work profile, since the traditional way of installing CA certificates using android.security.KeyChain.createInstallIntent() no longer works, neither on personal profile nor work profile.
I noticed that on some devices (for example, Pixel device), there is no system settings UI for installing CA certificate on work profile (only for personal profile), while other devices (for example, Samsung Galaxy S10+ and Galaxy S8+) does provide a system UI to install CA certificates on work profile.
But since it's not available across all device manufacturers, I cannot rely on it.
According to Android Developers documentation of Android Enterprise changes in Android 11, only DPC apps or apps delegated by DPC apps can install and revoke CA certificates in work profile programatically.
But not all DPC apps support this API (exist in Test DPC but not in Microsoft's Intune Company Portal).
I'm lost, does anybody know a way that will always work?
It's been a while and I made progress and observed multiple MDM platforms.
Most MDM clients does use this API to install certificates programmatically but it's being activated from the MDM management platform, rather then the MDM DPC app itself.
So if my goal is to install certificate that is generated on device it cannot be done using the MDM DPC app (all least not using the MDM platforms I encountered).
However, I can still install certificate using the MDM management platform, usually for root CA certificates which are deployed on multiple devices, rather then per-device certificates.
Related
I am working with some devices that happen to use Android as the OS. One runs Android L, the other, N. We run a custom NDK app as the launcher. The devices are manufactured for us, and we sell them. The devices drive displays in meeting rooms and allow users to wirelessly share their content. They can also provide digital signage.
I need for administrators to be able to remotely upload an in-house CA certificate that the device will then honor. The problem is that I've been googling and still don't understand what to do with the CA certificate once I get it on device. The install technique cannot require user interaction with the device.
These are not certificates that can be pre-installed. They must be installable dynamically by owners of the devices who have their own in-house certificate authority.
Our app is predominantly C++ NDK. It doesn't run as a system app, but it can run shell commands as root. Of course, we can call Java code.
So, what do I do to make the device use an uploaded CA certificate?
I seek advise about what solution to use for building a specific enterprise app for android.
We want to develop an enterprise app for a business partner.
Our partner sells android devices, and they want us to administrate their devices.
Needed features:
ability to administrate the device (reboot, block/allow apps, disable uninstall of the app other than administrators, update app silently), so in general, have a functionality that DPC apps have with device-owner mode
the phone should be associated with a device-account, generated for each device in a store, about 50 devices per store; the phones belong to the store, and customers can try it, but should not have control over it (similar to a retail mode phone)
I am facing these issues:
rooting the devices is not an option
silent auto-update and remote management is a must
only administrators (we) should be able to remove the app
I have read through the
Android EMM Developers overview,
and the Android in the Enterprise tutorials,
but I can't seem to figure out what to use.
As I understand, EMM developers should provide a DPC app and an EMM console to customers.
This situation is a bit different, because our customer does not need a console since we will be administrating their devices, and we don't want anybody else to use our console.
Can we use the EMM solution provider way to achieve this - is it right for it at all? -, or should we do something else?
The functionality you are looking for is exactly what EMM providers do, there's no need to develop a new app. It's typical for Admins to interact with the EMM portal instead of the business owners.
Here's how it works:
The DPC app is provided by the EMM and acts as the device owner. Settings applied through the EMM console are communicated to the DPC app for enforcement. EMMs manage the devices in two ways: Managed Profile (Android for Work) or Managed Device. You'll want to use a managed device. These are set up by enrolling a device that has been factory reset with your EMM. Newer devices don't need to be factory reset.
EMM's provide you with all the control you need including:
Locking down/force installing applications silently
Applying configuration to managed applications
Enforcing device encryption
Enforcing device security policies
Ability to remotely wipe the device
Kiosk mode
Because the DPC app acts as the device owner instead of the user, it can't be uninstalled and has complete control over the device. The capabilities provided by the EMM's will vary from provider to provider but I'm pretty sure all offer the capabilities you are looking for. AirWatch and MobileIron are popular ones, but there are many more including some free solutions.
These features are available on all devices with Android 5.0 and newer.
I am working with WSO2's EMM (Enterprise Mobility Management) which is an open source MDM (Mobile Device Management) and MAM (Mobile App Management) solution. Specifically to implement a BYOD (Bring Your Own Device) program. I am unhappy with a few features.
One main feature I want to implement myself is strict control over which apps can be installed by the user.
1) By not allowing installation of apps from 'Unknown Sources'. That is to not allow the user to check the 'Allow Installation of Apps From Unknown Sources' option or at least to be able to flag it if they do.
2) Black-Listing only specific apps that can be downloaded from the Play Store.
3) Even better would be the ability to White-List apps that can be downloaded form the Play Store
4) And in a perfect world I would like the ability to mix both an Enterprise App Store and the above restrictions to Play Store app downloads. (The benefit to that would be the ability to push corporate software to users, and still allow a safe and user friendly experience through the Play Store.)
Android's Device Administration API does not explicitly allow for these controls. Yet paid enterprise MDM solutions such as AirWatch boast these features. Any help would be much appreciated.
After much research I have found a few things I would like to share:
The current Android Device Administration API is very limited the features included are:
Device password restrictions
Disable camera
Lock and wipe device
Device Encryption
Beyond that (as Victor Ronin described in the above answer) your app can only check for compliance but can not enforce it.
The only way to enforce policies beyond the scope of the Device
Administration API is to have system level permissions. The only way
to get these system level permissions is to have your app signed by
the OEM of the device running your software. This is exactly how
enterprise MDM solutions can enforce such rules, their apps are
actually signed by the OEM and then returned and distributed. Once
your UID is given the system permissions you can enforce most policies
needed to secure a device in the MDM scenario.
If interested watch this video it describes this scenario and a detailed system level exploit.
Most of the time support of such features are patchy. As example Samsung SAFE provides more API (which will allow to do what you want) and Motorolla had some additional enterprise API.
So, you can't implemented it on generic Android, but rather you can implement it on some devices.
Second approach is compliance. May be you can't prevent installation or remove apps, but you can detect them and do some actions associated with it (revoke credentials, turn off enterprise email and so on).
Usually, MDM solutions have some mix of these two things.
I'm developing a system app in android. However, I will need system certificates for that purpose. I wanted to know, if I sign my app with AOSP system certificate, will it work on Nexus devices?
I know manufacturers like samsung and HTC have their own system certificates, so I cannot run my system app on their devices. Just want to know, will my app work on Nexus devices?
You won't be able to sign your app to make it a system app on Nexus devices. The key used by Google is private. It would be a big security issue allowing "random developers" to create system apps.
But there are some "androids" using the android debug key as system signature (e.g. most custom roms (newer cm versions won't work because they have other security mechanisms implemented to avoid misuse of system apps) or a lot of "low-budget" china manufacturers)
I am looking into large Mobile Device Management MDM solution which is supposed to support a variety of platforms, but of course primarily iOS and Android 3.x onwards.
We need to provision certificates for allowing access to services such as VPN, Exchange and Wifi. This is easily done with iOS, since their MDM api allows provisioning of certificates, so all MDM vendors can provision these to their iPhones and iPAds.
It is (At least from my research) however another story with Android, there is apparently no such function in the generic google Android MDM API for provisioning and installing certificates. So the only MDM vendors that support this, are those who has access to vendor-specific API's such as Samsung, HTC, Motorola etc.
Is it true there is no generic way of installing certificates on ALL Android devices, or is it just for MDM specific functions (API calls) this is the case? I've looked at this post in regard to this: How to use p12 certificates in Android (client certificates)
Any suggestion as to how to automize delivery of certificates for different corporate services such as Exchange, VPN and Wifi to Android clients (3.x onwards) would be very welcome.
You can install certificat using a device admin component using this API:
https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#installCaCert(android.content.ComponentName,%20byte[])
.