I'm working on an application that uses Airwatch to enter the device into a single purpose device when only one app is opened for a user (not by Knox sealed mode) and also uses Knox SDK to manage device settings, etc.
I'd like to block system notifications when the app is in a kiosk mode (or it more preferably to block any notifications like a low-battery in any mode, not only a kiosk).
How can I do it using Knox SDK or can I do it using Airwatch?
As from official Airwatch response: there no such functionality in Airwatch and an appropriate feature request has been created in the internal tracker.
Unfortunately, there are no any estimations because of internal feature prioritization should be done.
Related
I have an app for my company(Enterprise) owned devices , which works as single use app, so it locks itself and becomes single use app, for that it needs to be enabled as device owner, for testing i am using adb shell command and it works.
my problem is how do i achieve it for production so my enterprise will be able to install and use this as required.
This answer will work if your Android 5.0 devices have NFC. Otherwise, Google supported a method using a Google Account with an activiation code within the Google Setup Wizard, but you need to be a Google EMM partner. I also don't know if they still support activation codes in 5.0/5.1. It was a Lollipop specific implementation.
If your devices DON'T have NFC, this link might help you set the device-owner programmatically, but it's not a recommended solution for production apps:
How to make my app device owner without NFC and ADB shell command
But finally, if your devices DO have NFC:
You will need a provisioning wifi network that can connect to a server hosting the app that will be the device owner.
You can modify this project to create a quick provisioning app:
https://github.com/googlesamples/android-NfcProvisioning
Be sure the NFC provisioning app sends, at a minimum, this information over NFC for an Android 5.0 device:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
EXTRA_PROVISIONING_LOCALE
EXTRA_PROVISIONING_TIME_ZONE
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
EXTRA_PROVISIONING_WIFI_PASSWORD
When your corporate owned device is at the welcome screen of the Google Setup Wizard, place this device back-to-back with the provisioner device with the NFC provisioning app running. You will then tap the NFC provisioning app when it senses another NFC device. This sends across all the information the Google Setup Wizard requires to get on the network, download the app, verify the app, and then installs the app as the device owner.
Here's a good reference for creating package checksum:
Checksum Error while provisioning Android Lollipop
I have tested build applications for corporate-owned, single-use (COSU) code from google for single app use case where there will be one app locked on the screen. It works well, but the app need to be device owner to use lockTask. For testing purpose i have use adb shell command which can not be used for production, how do i manage provisioning process for production?
You no longer need to implement a Device Policy Controller to manage Android devices, Google has recently released the Android Management API which allows you to set up a COSU device with just a few Cloud API calls. With the Android Management API you can set up devices using a QR code, with NFC, or entering a manual token, as you prefer.
For once you can use a NFC provisioning. You will need another phone with "programmer app" that will beam the Bundle of data including wifi SSID, PASSWORD and APK PATH for the "production device" to download install and set as device owner. There are another ways of doing that (apart from the one you used with adb command, but that only works on rooted devices). Please get back to me if you need any more info.
Check this out:
http://florent-dupont.blogspot.com/2015/02/10-things-to-know-about-device-owner.html
and this :
https://www.youtube.com/watch?v=GGDpShew3aA&t=278s
For testing purposes I've actually used the programmer's app from the second link I posted.
Is it possible to deploy a mobile profile on an Android device that enforces the use of a pass-code lock by the end user? Similar to how with iOS devices a company can deploy a mobile configuration XML file which enforce settings like the pass-code lock requirement. Is there an equivalent of this for android ? If so which versions of android support this?
Thank you.
yes. the way you do it is to use Android's device admin facility.
Android 2.2 introduces support for enterprise applications by offering
the Android Device Administration API. The Device Administration API
provides device administration features at the system level. These
APIs allow you to create security-aware applications that are useful
in enterprise settings, in which IT professionals require rich control
over employee devices.
in a nutshell, you send the user through a short workflow that ask them to approve your app's activity as a device admin, then you can you use the DevicePolicyManager API to define security policies for the device (such as password policy).
the first link i provided is very good and it walks you through the whole process, so i won't try to duplicate that here.
Can any one help me out how to do MDM Integration in Android from client and server prespective?
I want to do an enterprise application which having lock and wipe functionality. I have no any clue of workflow of MDM in Android.
Thanks.
Android Device Admin API will do both things what you want to do (lock/wipe device and even more). An example is given and also you can find this complete source code in your Android SDK directory.
Now as client server perspective:
You have to implement your task (lock and wipe) in your android application (in client, i.e. known as agent). Now your application should be capable to communicate with your server or vice-verse.
I am 100% agree with adamk as he said "Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that."
And Android gives your this feature too, as adamk said to use C2DM, he was right but now C2DM is deprecated, and GCM has been introduced, “a service that helps developers send data from servers to their Android applications on Android devices.” The service can send a message of up to 4 kb to an application on an Android device, most often to tell the application to retrieve a larger set of data. GCM will now handle all queueing and delivery for messages to Android applications.
You should read how to use GCM, and you can find sample code too. Download GCM Android Library from SDK Manager
and check android-sdk/extras/google/GCM directory
After establishing successful communication between your agent and server, evaluate msg in agent sent by server and perform desire action (lock/ wipe). This is again up to you how you define your message payload and how you handle those payloads in agent application.
Here is an article about Android MDM.
Happy Coding :)
You can use DeviceAdmin to gain privileges for managing the Lock preferences and performing device wipe (among other stuff).
(The user must add your app as a device administrator beforehand)
Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that.
You may want to consider using Google's C2DM API, which is a convenient push mechanism.
As mentioned in the above answer, DeviceAdmin API can help. If you are using an Android device, you might know about the Android Device Manager (the web-based version) which allows you to manage your device. Basically, you can track, locate, lock, and wipe your device, some of the basic features of an MDM solution. So, in coding (though I am not a coding expert), you need to get access to the Device Manager (I guess, using some listener codes, or notification access).
Apart from this, MDM allows creating policies and groups of users (which would be a part of the coding in the app itself), then pushing the command over the internet (or OTA) to the connected device.
MDM also allows managing Apps and Data on the device, for which, you need the app to get access to the internal as well as external device storage.
Hope this helps. Good luck creating your MDM software
I would like to build an enterprise application. So in these case. i want remotely manage my Android Device,
Example. I want to disable USB port my office users device & New application installation. Since device will be provided by us , So in order to main security.
How to achieve this. Did Google Provides any APIS
From the Dev Guide:
http://developer.android.com/guide/topics/admin/device-admin.html
Android 2.2 provides a Device Administration API that allows you to set certain policies for the device on which your app gets installed. There is also a step-by-step tutorial on the same page.
This API has been used in some of the existing apps that come bundled with the Android source code. For eg: Exchange Email.
The Device Administration API only supports certainpolicies. If you need to restrict the use of the device, it might also be a good idea to tie in your app with the Exchange Email (or a corporate account, since you mentioned it's for office users). A typical corporate Exchange account has a much larger policy set.