Configuration profiles in Universal Windows Platform and Android - android

I've read that Apple devices are managed by Mobile Device Management (MDM) servers using configuration profiles saved on the device. I also read somewhere that Android devices do not have a configuration profile. Then what is the alternative used to manage Android devices? Also, please let me know about the alternative to configuration profiles in the Universal Windows Platform.

On Android, Google and device vendors offer native APIs, e.g. 'set up passcode' or 'wipe the device'. The middleware client on the device calls these.
On the Windows platform, Microsoft offers CSPs, which are basically XML-wrapped API calls of a similar nature; you can say 'Configure Exchange' or 'Install an app'.

Related

What to use for enterprise android development

I seek advice about what solution to use for building a specific enterprise app for Android.
We want to develop an enterprise app for a business partner.
Our partner sells Android devices, and they want us to administer their devices.
Needed features:
ability to administer the device (reboot, block/allow apps, disable uninstall of the app by anyone other than administrators, update the app silently), so in general, the functionality that DPC apps have in device-owner mode
the phone should be associated with a device-account, generated for each device in a store, about 50 devices per store; the phones belong to the store, and customers can try it, but should not have control over it (similar to a retail mode phone)
I am facing these issues:
rooting the devices is not an option
silent auto-update and remote management is a must
only administrators (we) should be able to remove the app
I have read through the Android EMM Developers overview and the Android in the Enterprise tutorials, but I can't seem to figure out what to use.
As I understand it, EMM developers should provide a DPC app and an EMM console to customers.
This situation is a bit different, because our customer does not need a console, since we will be administering their devices, and we don't want anybody else to use our console.
Can we use the EMM solution provider approach to achieve this (is it right for it at all?), or should we do something else?
The functionality you are looking for is exactly what EMM providers do; there's no need to develop a new app. It's typical for admins to interact with the EMM portal instead of the business owners.
Here's how it works:
The DPC app is provided by the EMM and acts as the device owner. Settings applied through the EMM console are communicated to the DPC app for enforcement. EMMs manage the devices in two ways: Managed Profile (Android for Work) or Managed Device. You'll want to use a managed device. These are set up by enrolling a device that has been factory reset with your EMM. Newer devices don't need to be factory reset.
EMMs provide you with all the control you need, including:
Locking down/force installing applications silently
Applying configuration to managed applications
Enforcing device encryption
Enforcing device security policies
Ability to remotely wipe the device
Kiosk mode
Because the DPC app acts as the device owner instead of the user, it can't be uninstalled and has complete control over the device. The capabilities provided by the EMMs will vary from provider to provider, but I'm pretty sure all offer the capabilities you are looking for. AirWatch and MobileIron are popular ones, but there are many more, including some free solutions.
These features are available on all devices with Android 5.0 and newer.
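As an added illustration of the device-owner model this answer describes (example code written for this page, not any EMM vendor's DPC), the DevicePolicyManager calls a DPC running as device owner uses to enforce the policies listed above; the receiver class name and the list of allowed packages are assumptions.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public class StoreDeviceLockdown {

    // Must be declared in the manifest as a receiver protected by
    // android.permission.BIND_DEVICE_ADMIN with device_admin.xml meta-data.
    public static class AdminReceiver extends DeviceAdminReceiver {
    }

    /**
     * Applies the retail-store lockdown. Returns false if this app is not the
     * device owner; the calls below throw SecurityException otherwise.
     * Device-owner status is granted only while provisioning a factory-reset
     * device (or, on a test device, with `adb shell dpm set-device-owner`).
     */
    public static boolean applyPolicies(Context ctx, String[] allowedPackages) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            return false;
        }
        // Camera off for every user on the device.
        dpm.setCameraDisabled(admin, true);
        // Customers cannot sideload apps or factory-reset the demo phone.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
        // Only the administrators, through the DPC, may remove these apps.
        for (String pkg : allowedPackages) {
            dpm.setUninstallBlocked(admin, pkg, true);
        }
        // Whitelist for kiosk (lock task) mode; an activity from one of these
        // packages then calls startLockTask() to pin itself on screen.
        dpm.setLockTaskPackages(admin, allowedPackages);
        return true;
    }

    /** Remote wipe requested from the admin console: factory-reset the device. */
    public static void remoteWipe(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.wipeData(0);
    }
}
```

All of these calls exist from Android 5.0 (API 21), matching the version requirement stated in the answer.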

How to communicate with QSEE in an Android application?

I am interested in developing trusted applications using TEE.
I have a Nexus 5 that has Android 5.1.1 (LMY48M) on it. I want to create a very basic hello world app to understand TEE logic running on a real device. The Nexus 5 supports QSEE (Qualcomm Secure Execution Environment), but I couldn't find any documentation about how to include QSEE communication libraries in a regular Android application.
In an adb root shell,
cat /d/tzdbg/log
cat /d/tzdbg/qsee_log
commands display an empty result.
Has anyone tried to develop an application like this before?
Any help will be appreciated.
First, for a TEE, one app contains two parts: the TA (Trusted App, runs in the TEE) and the CA (Client App, runs in the REE).
QSEE has implemented the GlobalPlatform (GP) API (not all of it), so you should read the GP API white paper and use it to develop the CA and TA.
But you cannot install the CA and TA by yourself, because the CA and TA should be dispatched by the TSM.
I am afraid there is currently no straightforward way to do this.
If you want to learn to use a TEE right now, I would suggest that you use a VM running OP-TEE or Open-TEE (as I read you have in your response to #Cobain above), as the GlobalPlatform APIs are widely supported on different devices.
Unfortunately you essentially need to be a device OEM or an established software supplier to do what you want right now, but that is something which may get easier in the future - this is the downside of working with a relatively new technology.
A TSM is a Trusted Services Manager, which is a technology used by some GlobalPlatform TEE implementations to load a TA on a TEE. It is not applicable to QSEE.
Trusty is a Google proprietary TEE, and I'm not aware of any available device which exposes this to users. QSEE is the Qualcomm TEE. Unfortunately I am not able to comment on exactly what it may or may not do.
I wanted to do the same but ended up using the Sequitur Labs framework for developing trusted applications on OP-TEE on a Raspberry Pi 3. It enabled a hello world TA on hardware, but I am still looking for something that would allow TA development for a secure OS with Android as the REE.
https://www.sequiturlabs.com/media_portfolio/sequitur-labs-collaborates-with-linaro-to-lower-barriers-to-iot-security-education-for-raspberry-pi-maker-community/
If you found this: http://source.android.com/security/trusty/index.html
I believe this is the relevant section:
Currently all Trusty applications are developed by a single party and
packaged with the Trusty kernel image. The entire image is signed and
verified by the bootloader during boot. Third-party application
development is not supported in this version of Trusty.
So unless you are creating your own Custom ROM, I don't think you can do anything with Trusty.

Android Corporate Lockdown

Is there an Android equivalent to the Apple configuration policy?
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html
We are deploying some Android tablets (company owned) in a corporate environment and need to lock down specific features on the tablets, mainly to turn off the camera and lock which applications can be run, and possibly force installation of certain applications.
Mainly to turn off the camera
That is supported via the device administration API.
lock which applications can be run
There is nothing in the Android SDK for this.
Possibly forcing install of certain applications
There is nothing in the Android SDK for this.
Try out Android for Work.
https://www.google.com/work/android/features/
It should give you ways to remotely administer Android devices.
App security
Work apps are deployed through Google Play for Work. IT can prevent
installation of apps from unknown sources and apply app
configurations.

Accessing/Upgrading/Clearing Mobile Devices: MDM

We are building an enterprise focused mobile application.
To take this app to the market we need to figure out how to remotely
a) upgrade / wipe the application on mobile devices
b) get access to the device for support and troubleshooting
I guess mobile device management (MDM) applications like AirWatch or
MobiControl can do this job. But they are expensive and do a lot of
other things which we are not interested in.
Is there anything else in the market that is especially geared for
mobile application developers to add the above features within their
application?
Addition:
We are working on iOS and Android for now.
iOS
Install/Upgrade
On iOS you can use the MDM API to install and upgrade apps. However, there are multiple gotchas:
A user has to accept it.
If the same app was preinstalled by the user, you won't be able to install or upgrade it through MDM.
Wipe
You can wipe only the whole device, or you can remove an application, which will remove its data. However, you can remove only apps that were installed through MDM.
Get access to the device for support and troubleshooting
If you are talking about remote-desktop-like capabilities, then you are out of luck. You can't remotely control it. However, you may be interested in looking at AirPlay mirroring.
Android
Install/Upgrade
Look at this: Android: install .apk programmatically
Install Application programmatically on Android
Wipe
You can use device admin capabilities for this: http://developer.android.com/guide/topics/admin/device-admin.html
Get access to the device for support and troubleshooting
I am not sure.
Obvious self-marketing :)
Can you contact me by email (it is in my profile)? My company does a lot of the things you are interested in. Maybe we can find an interesting opportunity for cooperation.

Android - How to develop to bluegiga device?

I would like to send data to an android mobile device via a bluegiga module.
My question is, what SDK I need for that, and how can I get it?
What I found is Bluegiga SDK, but there's not a lot of information about it.
BlueGiga modules may come with SPP support, that is, Serial Port Profile. If so, you should be able to connect to the module using an RS232-type physical interface and use the SPP profile from the Android device.
The module documentation should have information about security and pairing, e.g. the default PIN number when Android connects to the module and whether there is a PIN/button to initiate connection and pairing.
Firstly, you need to learn how BLE works. It's different from classic Bluetooth in that BLE (generally) communicates by means of services (with characteristics bundled into them), be they standard or custom. Depending upon your area of application you can select one of the standard service implementations.
For more info on services, check Bluetooth Developer Portal.
About development on the BlueGiga device, you will have to decide which way you want to proceed: BGAPI or BGScript. BGAPI is incorporated into a readily portable (C-based) library, bglib, that you can easily port into your main firmware project.
Then you will have to take one of the standard services to get started with and dump the .hex file into the BLE module (either directly or via the Eval kit). The .hex file is generated from a BGProject that contains a few configuration files like gatt.xml, hardware.xml and a few others, which are present in the demo projects that you receive from BlueGiga when you download the SDK and other tools. To dump the .hex into the module, you'll need a TI-made CC Debugger.
Understand the GATT implementation and GAP implementation.
The tool you'll require for setting up the BLE device is BLEUpdate. It runs on the Windows platform flawlessly (Windows XP Service Pack 2 onwards). There are plenty of documents and user guides available on the BlueGiga product support page to get hands-on knowledge of how this should be used.
To put it in a simple way:
To start with, pick a standard service probably from a demo project. Dump the .hex file into the BLE module / Eval kit.
Share the UUIDs from gatt.xml with the Android application code.
Do the necessary implementation in the Android app in order to discover and connect to the BLE device.
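To show the last two steps of that procedure in code (match the service and characteristic UUIDs taken from gatt.xml, connect, and receive the bytes the module notifies), here is an added Android GATT client in Java; it is example code written for this answer, not BlueGiga's, and the service and data-characteristic UUIDs are constructed placeholders to be replaced with the values from your own gatt.xml.

```java
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothGatt;
import android.bluetooth.BluetoothGattCallback;
import android.bluetooth.BluetoothGattCharacteristic;
import android.bluetooth.BluetoothGattDescriptor;
import android.bluetooth.BluetoothGattService;
import android.bluetooth.BluetoothProfile;
import android.content.Context;
import java.util.UUID;

public class BlueGigaGattClient extends BluetoothGattCallback {
    // Constructed placeholders: copy the real <service uuid> and
    // <characteristic uuid> values from the gatt.xml of your BGProject.
    static final UUID SERVICE_UUID = UUID.fromString("12345678-0000-1000-8000-00805f9b34fb");
    static final UUID DATA_CHAR_UUID = UUID.fromString("12345679-0000-1000-8000-00805f9b34fb");
    // Standard Client Characteristic Configuration descriptor (Bluetooth SIG assigned).
    static final UUID CCCD_UUID = UUID.fromString("00002902-0000-1000-8000-00805f9b34fb");
    volatile byte[] lastPayload; // most recent bytes notified by the module

    /** Call with a device found by BluetoothLeScanner; needs the Bluetooth permissions. */
    public void connect(Context ctx, BluetoothDevice device) {
        device.connectGatt(ctx, false, this); // autoConnect=false: fail fast if absent
    }

    @Override
    public void onConnectionStateChange(BluetoothGatt gatt, int status, int newState) {
        if (status == BluetoothGatt.GATT_SUCCESS && newState == BluetoothProfile.STATE_CONNECTED) {
            gatt.discoverServices();
        } else if (newState == BluetoothProfile.STATE_DISCONNECTED) {
            gatt.close(); // release the GATT client; do not leak it on link loss
        }
    }

    @Override
    public void onServicesDiscovered(BluetoothGatt gatt, int status) {
        if (status != BluetoothGatt.GATT_SUCCESS) return;
        BluetoothGattService svc = gatt.getService(SERVICE_UUID);
        BluetoothGattCharacteristic ch = svc == null ? null : svc.getCharacteristic(DATA_CHAR_UUID);
        if (ch == null) { gatt.disconnect(); return; } // firmware lacks the expected gatt.xml service
        // Subscribe: enable notifications locally, then write the CCCD on the module.
        gatt.setCharacteristicNotification(ch, true);
        BluetoothGattDescriptor cccd = ch.getDescriptor(CCCD_UUID);
        if (cccd != null) {
            cccd.setValue(BluetoothGattDescriptor.ENABLE_NOTIFICATION_VALUE);
            gatt.writeDescriptor(cccd);
        }
    }

    @Override
    public void onCharacteristicChanged(BluetoothGatt gatt, BluetoothGattCharacteristic ch) {
        lastPayload = ch.getValue(); // data sent by the module; hand off to app logic here
    }
}
```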
