What to use for enterprise android development - android

I seek advice about what solution to use for building a specific enterprise app for Android.
We want to develop an enterprise app for a business partner.
Our partner sells Android devices, and they want us to administer their devices.
Needed features:
the ability to administer the device (reboot, block/allow apps, prevent anyone other than administrators from uninstalling the app, update the app silently); in general, the functionality that DPC apps have in device-owner mode
the phone should be associated with a device account, generated for each device in a store, about 50 devices per store; the phones belong to the store, and customers can try them but should not have control over them (similar to a retail-mode phone)
I am facing these issues:
rooting the devices is not an option
silent auto-update and remote management is a must
only administrators (we) should be able to remove the app
I have read through the Android EMM Developers overview and the Android in the Enterprise tutorials, but I can't seem to figure out what to use.
As I understand, EMM developers should provide a DPC app and an EMM console to customers.
This situation is a bit different, because our customer does not need a console, since we will be administering their devices, and we don't want anybody else to use our console.
Can we use the EMM solution provider route to achieve this (is it right for this at all?), or should we do something else?

The functionality you are looking for is exactly what EMM providers do; there's no need to develop a new app. It's typical for admins to interact with the EMM portal instead of the business owners.
Here's how it works:
The DPC app is provided by the EMM and acts as the device owner. Settings applied through the EMM console are communicated to the DPC app for enforcement. EMMs manage the devices in two ways: Managed Profile (Android for Work) or Managed Device. You'll want to use a managed device. These are set up by enrolling a device that has been factory reset with your EMM. Newer devices don't need to be factory reset.
EMMs provide you with all the control you need, including:
Locking down/force installing applications silently
Applying configuration to managed applications
Enforcing device encryption
Enforcing device security policies
Ability to remotely wipe the device
Kiosk mode
Because the DPC app acts as the device owner instead of the user, it can't be uninstalled and has complete control over the device. The capabilities provided by the EMMs will vary from provider to provider, but I'm pretty sure all offer the capabilities you are looking for. AirWatch and MobileIron are popular ones, but there are many more, including some free solutions.
These features are available on all devices with Android 5.0 and newer.
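Added example, not part of the question or the answer above: what the device-owner capabilities listed in the answer look like from inside a DPC, using only public DevicePolicyManager calls. The receiver class, package names and the "competitor" package are assumptions for the example. The receiver must be declared in the manifest as a receiver protected by android.permission.BIND_DEVICE_ADMIN with the android.app.device_admin meta-data, otherwise provisioning will refuse to make the app device owner.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.UserManager;

/**
 * Hypothetical DPC for a retail-demo fleet (example code, not from the thread).
 * Declared in the manifest as a <receiver> guarded by BIND_DEVICE_ADMIN with the
 * android.app.device_admin meta-data; the package names below are assumptions.
 */
public class RetailDpcReceiver extends DeviceAdminReceiver {

    private static final String[] KIOSK_APPS   = { "com.example.retaildemo" };
    private static final String[] BLOCKED_APPS = { "com.example.competitor" };

    @Override
    public void onProfileProvisioningComplete(Context ctx, Intent intent) {
        // Fires once, right after QR/NFC/zero-touch provisioning made this app device owner.
        applyRetailPolicy(ctx, getWho(ctx));
    }

    /** Returns false (instead of throwing SecurityException) if we are not device owner. */
    public static boolean applyRetailPolicy(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            return false; // a legacy device admin could not make any of the calls below
        }

        // "Only administrators can remove the app": block uninstall of the DPC itself and
        // of the demo app. The user has no way to undo this short of a factory reset,
        // which the restriction further down removes from the settings menu as well.
        dpm.setUninstallBlocked(admin, ctx.getPackageName(), true);
        for (String pkg : KIOSK_APPS) {
            dpm.setUninstallBlocked(admin, pkg, true);
        }

        // Close the escape hatches a customer could use to take control of the device.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_ADD_USER);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT); // API 23+
        }

        // Block/allow apps: a hidden package stays installed but disappears from the
        // launcher and cannot be started; pass false to allow it again.
        for (String pkg : BLOCKED_APPS) {
            dpm.setApplicationHidden(admin, pkg, true);
        }

        // Kiosk mode: only packages in this list may call Activity.startLockTask(), which
        // pins the demo app and hides Home/Recents until the app itself stops the task.
        dpm.setLockTaskPackages(admin, KIOSK_APPS);
        return true;
    }

    /** Remote reboot, e.g. on a push message from the management backend (API 24+). */
    public static boolean rebootDevice(Context ctx, ComponentName admin) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
            return false;
        }
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        try {
            dpm.reboot(admin);  // device owner only
            return true;
        } catch (IllegalStateException e) {
            return false;       // thrown while a phone call is in progress
        }
    }
}
```

The one requested feature not shown is the silent update of the app itself: on Android 6.0 and later a device owner can commit a PackageInstaller session without the user confirmation dialog, or the update can be pushed through managed Google Play; in both cases the uninstall block above keeps the user from removing the result.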

Device owner, kiosk and Google EMM

Maybe someone knows: Samsung has a powerful core called the KNOX SDK. We have an application based on this SDK, and we are looking for a way to build the same application without the Knox SDK. But we got stuck on a simple function like kiosk mode. This mode does not work if the device owner is not set for the application (for me it's hard to understand). All I found is this way:
This way is correct if I'm testing the application myself. But when the time comes and we need to install this application on our 100-200 devices, this way looks bad: every device needs a factory reset, adb commands, etc.
So the question:
I'm sure there should be a way to do this officially, but I can't find any info about it. Maybe someone knows how to do this? Please help. I'm sure I've missed something somewhere. :)
You can get information about the ways to provision device here. They include:
QR code
Managed Google Play Accounts
Google Account
NFC
I've written an article where I've described provisioning with a QR code here. We've selected this way for our kiosk application as the best option, because:
zero touch enrolment works only on a small subset of devices;
NFC provisioning requires another device with special app;
Google Account requires having and managing this account.
On the other hand, the QR code works on almost all Android 7.0+ devices ("almost" because some vendors disable this in their custom ROMs) and is easy to set up for the end user.
But when you need to install it on multiple devices (and it's some internal app, so you do it yourself rather than the end user), a Google Account can be more appropriate.
In production, you'll want to provision your dedicated devices from the factory-reset state (on the initial blue screen) using NFC, a QR code, or, if supported, zero-touch enrollment. NFC can be used from another Android device using an app such as the NFC provisioning app. A dedicated NFC card can also be programmed using an app such as NFC Tools. Google provides provisioning instructions on their TestDPC GitHub repo. EMMs will also provide instructions for their DPC app. Using Android Management is usually a better alternative to TestDPC for production deployments under 1,000 devices. Additional provisioning options and increased API usage limits are available if you're part of the EMM Community.
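Added example, not from the thread: building the payload for the QR-code provisioning route both answers recommend. The keys are the documented android.app.extra.PROVISIONING_* extras spelled out in full, which is what the setup wizard parses from the code; the component name, download URL, SSID and the contents of the admin-extras bundle are assumptions. The checksum is the part that matters for security: the wizard refuses the downloaded APK if its SHA-256 does not match, so a swapped or tampered DPC never becomes device owner.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Builds the JSON the Android setup wizard expects in a device-owner provisioning QR code
 * (example code, not from the thread). Keys are the documented PROVISIONING_* extras;
 * component name, URL, SSID and bundle contents are assumptions.
 */
public final class ProvisioningQr {
    private static final String P = "android.app.extra.PROVISIONING_";

    /** SHA-256 of the APK bytes, URL-safe Base64 without padding, as the wizard expects. */
    static String packageChecksum(Path apk) throws IOException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(apk));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    static String payload(Path apk, String downloadUrl, String wifiPassword,
                          String storeId, String enrollToken)
            throws IOException, NoSuchAlgorithmException {
        Map<String, Object> extras = new LinkedHashMap<>();
        extras.put(P + "DEVICE_ADMIN_COMPONENT_NAME",
                   "com.example.retaildpc/com.example.retaildpc.RetailDpcReceiver");
        extras.put(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", downloadUrl);
        extras.put(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM", packageChecksum(apk));
        extras.put(P + "SKIP_ENCRYPTION", Boolean.TRUE);
        // Wi-Fi credentials so the wizard can fetch the APK on a freshly reset device.
        extras.put(P + "WIFI_SSID", "store-devices");
        extras.put(P + "WIFI_SECURITY_TYPE", "WPA");
        extras.put(P + "WIFI_PASSWORD", wifiPassword);
        // Handed to the DPC as a PersistableBundle in the provisioning-complete intent:
        // the natural place for a per-device enrolment token for the "device account".
        Map<String, Object> adminExtras = new LinkedHashMap<>();
        adminExtras.put("store_id", storeId);
        adminExtras.put("enroll_token", enrollToken);
        extras.put(P + "ADMIN_EXTRAS_BUNDLE", adminExtras);
        return json(extras);
    }

    /** Minimal JSON writer: nested maps, booleans and strings are all the payload needs. */
    static String json(Object value) {
        if (value instanceof Map) {
            StringBuilder sb = new StringBuilder("{");
            boolean first = true;
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                if (!first) {
                    sb.append(',');
                }
                first = false;
                sb.append(json(e.getKey().toString())).append(':').append(json(e.getValue()));
            }
            return sb.append('}').toString();
        }
        if (value instanceof Boolean) {
            return value.toString();
        }
        // Strings: escape the two characters that could break out of a JSON string literal.
        String s = value.toString().replace("\\", "\\\\").replace("\"", "\\\"");
        return "\"" + s + "\"";
    }

    public static void main(String[] args) throws Exception {
        // java ProvisioningQr retaildpc.apk https://mdm.example/retaildpc.apk <wifi-pw> STORE-042 <token>
        System.out.println(payload(Paths.get(args[0]), args[1], args[2], args[3], args[4]));
    }
}
```

Feed the printed JSON to any QR generator and scan it from the setup wizard's reader (reached by tapping the welcome screen six times on Android 7.0+). In the DPC, the bundle comes back via intent.getParcelableExtra(DevicePolicyManager.EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE) in onProfileProvisioningComplete. Two caveats: the package checksum ties the code to one exact APK build, so on Android 7.0+ the PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM extra (SHA-256 of the signing certificate) is the better choice when the download location serves updated builds; and since the code carries the Wi-Fi password and an enrolment token, a printed copy is a credential and should be handled like one.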

Control Which Apps Can be Downloaded by User of MDM / MAM Controlled Device

I am working with WSO2's EMM (Enterprise Mobility Management) which is an open source MDM (Mobile Device Management) and MAM (Mobile App Management) solution. Specifically to implement a BYOD (Bring Your Own Device) program. I am unhappy with a few features.
One main feature I want to implement myself is strict control over which apps can be installed by the user.
1) By not allowing installation of apps from 'Unknown Sources'. That is to not allow the user to check the 'Allow Installation of Apps From Unknown Sources' option or at least to be able to flag it if they do.
2) Black-Listing only specific apps that can be downloaded from the Play Store.
3) Even better would be the ability to White-List apps that can be downloaded from the Play Store
4) And in a perfect world I would like the ability to mix both an Enterprise App Store and the above restrictions to Play Store app downloads. (The benefit to that would be the ability to push corporate software to users, and still allow a safe and user friendly experience through the Play Store.)
Android's Device Administration API does not explicitly allow for these controls. Yet paid enterprise MDM solutions such as AirWatch boast these features. Any help would be much appreciated.
After much research I have found a few things I would like to share:
The current Android Device Administration API is very limited; the features included are:
Device password restrictions
Disable camera
Lock and wipe device
Device Encryption
Beyond that (as Victor Ronin described in the above answer) your app can only check for compliance but can not enforce it.
The only way to enforce policies beyond the scope of the Device Administration API is to have system-level permissions. The only way to get these system-level permissions is to have your app signed by the OEM of the device running your software. This is exactly how enterprise MDM solutions can enforce such rules: their apps are actually signed by the OEM and then returned and distributed. Once your UID is given the system permissions you can enforce most policies needed to secure a device in the MDM scenario.
If interested, watch this video; it describes this scenario and a detailed system-level exploit.
Most of the time, support for such features is patchy. As an example, Samsung SAFE provides more APIs (which will allow you to do what you want) and Motorola had some additional enterprise APIs.
So you can't implement it on generic Android, but you can implement it on some devices.
The second approach is compliance. Maybe you can't prevent installation or remove apps, but you can detect them and take some associated actions (revoke credentials, turn off enterprise email and so on).
Usually, MDM solutions have some mix of these two things.

Samsung KNOX compatible apps

Does anyone know how to build a test app that plays well with Samsung Knox? What do I have to do differently to build an app for Samsung devices that have Knox installed on them?
From KNOX 2.0, App wrapping is not required.
This is from the Samsung KNOX 2.0 whitepaper:
The KNOX 2.0 platform features major enhancements to the Application Container from the original KNOX platform. The most significant enhancement is the elimination of application wrapping. This is achieved by leveraging technology introduced by Google in Android 4.2 to support multiple users on tablet devices. This enables enterprises to easily deploy custom applications without requiring Samsung to wrap the applications. It also reduces the barrier to entry for independent software developers wishing to develop applications for the KNOX container.
Complete White paper can be found here: http://www.samsung.com/ca/business-images/resource/white-paper/2014/03/Samsung_KNOX_tech_whitepaper_Final_140220-0.pdf
Multiple user: (Complete Ref: http://developer.android.com/about/versions/android-4.2.html#MultipleUsers)
Android now allows multiple user spaces on shareable devices such as tablets. Each user on a device has his or her own set of accounts, apps, system settings, files, and any other user-associated data.
As an app developer, there’s nothing different you need to do in order for your app to work properly with multiple users on a single device. Regardless of how many users may exist on a device, the data your app saves for a given user is kept separate from the data your app saves for other users. The system keeps track of which user data belongs to the user process in which your app is running and provides your app access to only that user’s data and does not allow access to other users’ data.
Might want to take a look through here https://www.samsungknox.com/en/blog/what-app-wrapping and here https://www.samsungknox.com/en/resources.
Looks like you have to develop the app and then send it in to Samsung to have them 'wrap' it.

Accessing/Upgrading/Clearing Mobile Devices: MDM

We are building an enterprise focused mobile application.
To take this app to the market we need to figure out how to remotely
a) upgrade / wipe the application on mobile devices
b) get access to the device for support and troubleshooting
I guess mobile device management (MDM) applications like AirWatch or MobiControl can do this job. But they are expensive and do a lot of other things which we are not interested in.
Is there anything else in the market that is especially geared for mobile application developers to add the above features within their application?
*Addition:
We are working on iOS and Android for now.
iOS
Install/Upgrade
On iOS you can use MDM API to install and upgrade apps. However, there are multiple gotchas
A user has to accept it
If the same app was preinstalled by the user, you won't be able to install/upgrade it through MDM
Wipe
You can wipe only the whole device, or you can remove an application, which will remove its data. However, you can remove only apps which were installed through MDM
Get access to the device for support and troubleshooting
If you are talking about remote desktop like capabilities then you are out of luck. You can't remotely control it. However, you may be interested to look at airplay mirroring.
Android
Install/Upgrade
Look at this: Android: install .apk programmatically
Install Application programmatically on Android
Wipe
You can use device admin capabilities for this: http://developer.android.com/guide/topics/admin/device-admin.html
Get access to the device for support and troubleshooting
I am not sure.
Obvious self-marketing :)
Can you contact me by email (it's in my profile)? My company does a lot of the things you are interested in. Maybe we can find an interesting opportunity for cooperation.

Restrict Access to System Applications from Enterprise Solution

Here is my scenario,
I am looking at solutions like Good for Government, which allows a government agency to restrict access to system applications in iOS and Android via a web server/enterprise solution. This is what they describe their solution does:
Helpdesk personnel can quickly troubleshoot issues, with complete visibility into all iOS devices deployed within the agency. To protect agency data, you can enforce policies, such as requiring passwords and preventing cut/copy/paste from the Good app. You can also block unapproved applications such as YouTube, the Safari browser, camera, or the App Store. In the event the device is lost or stolen, you can remote-wipe agency data. Self-service capabilities allow you to empower employees with basic tasks, such as adding devices or remote wiping their own devices.
Is this at all possible to recreate? Of course for a different purpose, but if I could restrict access to certain system applications with a set code, and only to be unblocked again by a qualified person within a data center?
If someone could point me in the right direction to be able to do such things with iOS, and Android if possible as well, it would be more than appreciated.
Some of these things are possible using Device Administration, introduced in Android 2.2:
http://developer.android.com/guide/topics/admin/device-admin.html#policies
e.g. Remote Wipe, Disable Camera.
iOS has some of these features too: Device Administration, Remote Wipe, the ability to control which apps can be disabled.
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
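Added example, not from either thread: the pre-device-owner Device Administration API that this answer and the earlier "Control Which Apps Can be Downloaded" thread both point at, showing the split the earlier thread describes between what it can enforce (password rules, camera, lock/wipe, encryption) and what it can only detect (sideloading, non-Play installs) and react to by revoking credentials. The receiver class, the explanation text and the stored-token location are assumptions. The manifest receiver needs android.permission.BIND_DEVICE_ADMIN and a device_admin.xml whose uses-policies lists limit-password, force-lock, wipe-data, disable-camera and encrypted-storage, or the matching calls throw SecurityException.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical legacy device admin (example code, not from the threads above). */
public class LegacyAdminReceiver extends DeviceAdminReceiver {
    public static final int REQUEST_ENABLE_ADMIN = 1;
    private static final String PLAY_STORE = "com.android.vending";

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    private static ComponentName admin(Context ctx) {
        return new ComponentName(ctx, LegacyAdminReceiver.class);
    }

    /** Unlike a device owner, a legacy admin only works after the user taps "Activate". */
    public static void requestActivation(Activity activity) {
        Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin(activity));
        intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Required for access to corporate email.");
        activity.startActivityForResult(intent, REQUEST_ENABLE_ADMIN);
    }

    /** What the Device Administration API can actually enforce. */
    public static boolean enforce(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        ComponentName admin = admin(ctx);
        if (!dpm.isAdminActive(admin)) {
            return false;                       // never activated, or revoked by the user
        }
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        dpm.setCameraDisabled(admin, true);
        dpm.setStorageEncryption(admin, true);  // a request; the user still runs the encryption
        return true;
    }

    public static void lockNow(Context ctx) {
        dpm(ctx).lockNow();
    }

    public static void remoteWipe(Context ctx) {
        dpm(ctx).wipeData(DevicePolicyManager.WIPE_EXTERNAL_STORAGE);
    }

    /**
     * What it cannot enforce but can detect: sideloading switched on, and user-installed
     * apps that did not come from Play. INSTALL_NON_MARKET_APPS only reflects the global
     * switch that existed before Android 8.0; getInstalledPackages needs QUERY_ALL_PACKAGES
     * from Android 11 on.
     */
    public static List<String> findComplianceViolations(Context ctx) {
        List<String> findings = new ArrayList<>();
        int unknownSources = Settings.Secure.getInt(
                ctx.getContentResolver(), Settings.Secure.INSTALL_NON_MARKET_APPS, 0);
        if (unknownSources == 1) {
            findings.add("unknown-sources enabled");
        }
        PackageManager pm = ctx.getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(0)) {
            if ((pi.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                continue;                       // preloaded, not the user's doing
            }
            String installer = pm.getInstallerPackageName(pi.packageName);
            if (!PLAY_STORE.equals(installer)) {
                findings.add(pi.packageName + " installed by " + installer);
            }
        }
        return findings;
    }

    @Override
    public CharSequence onDisableRequested(Context ctx, Intent intent) {
        // The user can always deactivate a legacy admin; a warning dialog is all we get.
        return "Deactivating removes this device's access to corporate email.";
    }

    @Override
    public void onDisabled(Context ctx, Intent intent) {
        // The compliance action from the thread: revoke credentials instead of trying to block.
        // Assumed storage location for the enterprise token; the backend should also be told.
        ctx.getSharedPreferences("enterprise", Context.MODE_PRIVATE).edit().clear().apply();
    }
}
```

The contrast with a device owner is the point: every call in enforce() disappears the moment the user taps "Deactivate", and the sideloading check is informational only, which is why the earlier thread's conclusion (enforce what you can, detect the rest and cut off access) is still how these deployments work on devices that are not provisioned as managed devices.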
