Does anyone know how to build a test app that plays well with Samsung Knox? What do I have to do differently to build an app for Samsung devices that have Knox installed on them?
From KNOX 2.0, App wrapping is not required.
This is from the Samsung KNOX 2.0 whitepaper:
The KNOX 2.0 platform features major enhancements to the Application Container from the original KNOX platform. The most significant enhancement is the elimination of application wrapping. This is achieved by leveraging technology introduced by Google in Android 4.2 to support multiple users on tablet devices. This enables enterprises to easily deploy custom applications without requiring Samsung to wrap the applications. It also reduces the barrier to entry for independent software developers wishing to develop applications for the KNOX container.
Complete White paper can be found here: http://www.samsung.com/ca/business-images/resource/white-paper/2014/03/Samsung_KNOX_tech_whitepaper_Final_140220-0.pdf
Multiple user: (Complete Ref: http://developer.android.com/about/versions/android-4.2.html#MultipleUsers)
Android now allows multiple user spaces on shareable devices such as tablets. Each user on a device has his or her own set of accounts, apps, system settings, files, and any other user-associated data.
As an app developer, there’s nothing different you need to do in order for your app to work properly with multiple users on a single device. Regardless of how many users may exist on a device, the data your app saves for a given user is kept separate from the data your app saves for other users. The system keeps track of which user data belongs to the user process in which your app is running and provides your app access to only that user’s data and does not allow access to other users’ data.
Might want to take a look through here https://www.samsungknox.com/en/blog/what-app-wrapping and here https://www.samsungknox.com/en/resources.
Looks like you have to develop the app and then send it in to Samsung to have them 'wrap' it.
My goal is to write an application for Android (>= 9.0) which basically offers a device-owner-style control like Google's "Android Device Policy".
The following criteria have to be met:
Zero dependency on Google servers or any other 3rd party infrastructure like existing EMM solutions (MobileIron et cetera)
The user should not be able to remove or disable the app
Provisioning methods: QR-Code, NFC, URL, ADB, actually any "local" way ...
Has to work with stock androids on regular consumer devices
In short: I'd like to write an unremovable device manager (including a web-based management UI), put it on a device I own, give that device to someone else, and be able to fully control the device remotely.
Is such a project even possible with the current situation of Android?
No.
Has to work with stock androids on regular consumer devices
Mostly, this is your biggest hurdle to overcome.
What you are asking for is the description of a very powerful malware. An app that can run on any version of Android, that can't be uninstalled, but can do what it wants to "fully control the device".
If you move away from the idea of "stock android on regular consumer device", towards a suite of devices you have some say in distributing:
Here is a list of Google Partners who offer an EMM solution: https://androidenterprisepartners.withgoogle.com/emm/
Here is Samsung's effort at device control:
https://www.samsungknox.com/en
Here is Google's device management:
https://developers.google.com/android/management
You could write your own ROM of Android and be able to control the things you want, but that would require .. building a ROM aka a whole phone OS forked from AOSP.
The user should not be able to remove or disable the app
This is only possible if you have a system app.
Or something extreme (which with any extreme, is always possible to have problems), like having two apps, and they monitor each other for uninstall, and programmatically reinstall (vs 1 app that can't do much when it is being uninstalled).
Maybe someone knows: Samsung has a powerful core named KNOX SDK. We have an application based on this SDK, and we are looking for a way to build the same application without the Knox SDK. But we are stuck on simple functions like kiosk mode. This mode does not work if the device owner is not set for the application (for me it's hard to understand). All I found is this way:
This way is correct if I'm testing the application myself. But when the time comes and we need to install this application on our 100-200 devices, this way looks bad: every device needs a factory reset, adb commands, etc.
So, the question:
I'm sure there should be a way to do this officially, but I can't find any info about it. Maybe someone knows how to do this? Please help. I'm sure I've missed something somewhere. :)
You can get information about the ways to provision device here. They include:
QR code
Managed Google Play Accounts
Google Account
NFC
I've written an article where I've described provisioning with a QR code here. We've selected this way for our Kiosk application as the most optimal one, because:
zero touch enrolment works only on a small subset of devices;
NFC provisioning requires another device with special app;
Google Account requires having and managing this account.
On the other hand, QR code works on almost all Android 7.0+ devices ("almost" because some vendors disable this in their custom ROMs) and is easy to set up for the end user.
But when you need to install it on multiple devices (and it's some internal app, so you do it yourself, rather than end user) Google Account can be more appropriate.
In production, you'll want to provision your dedicated devices from the factory reset state (on the initial blue screen) using NFC, a QR code, or if supported, zero touch enrollment. NFC can be used from another Android device using an app such as the NFC provisioning app. A dedicated NFC card can also be programmed using an app such as NFC Tools. Google provides provisioning instructions on their TestDPC GitHub repo. EMMs will also provide instructions for their DPC app. Using Android Management is usually a better alternative to TestDPC for production deployments under 1000 devices. Additional provisioning options and increased API usage limits are available if you're part of the EMM Community.
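The QR-code route described in the answers above carries a small JSON payload that tells the factory-reset device which DPC to download and which signing certificate it must match. The sketch below is an added example, not code from the original posts or the linked article: it builds that payload and audits a scanned one before it is rolled out to a fleet. The extra names are `DevicePolicyManager` constants; the package name, URL, host and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Extra names defined by android.app.admin.DevicePolicyManager.
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"


def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 of SHA-256 over the DER signing cert, padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(component: str, apk_url: str, cert_der: bytes) -> str:
    """Return the JSON text to encode into the provisioning QR code."""
    pkg, sep, cls = component.partition("/")
    if not (sep and pkg and cls):
        raise ValueError("component must look like package/receiver-class")
    if urlparse(apk_url).scheme != "https":
        raise ValueError("serve the DPC APK over https")
    return json.dumps({
        COMPONENT: component,
        LOCATION: apk_url,
        SIG_CHECKSUM: signature_checksum(cert_der),
    }, sort_keys=True)


def audit_payload(qr_text: str, expected_cert_der: bytes, expected_host: str) -> list:
    """List reasons a scanned QR payload should not be trusted (empty = OK)."""
    problems = []
    data = json.loads(qr_text)
    if data.get(SIG_CHECKSUM) != signature_checksum(expected_cert_der):
        problems.append("signature checksum does not match our signing cert")
    url = urlparse(data.get(LOCATION, ""))
    if url.scheme != "https" or url.hostname != expected_host:
        problems.append("download location is not our https host")
    return problems


# Constructed sample values: placeholder bytes stand in for a real DER cert.
SAMPLE_CERT = b"constructed-placeholder-signing-certificate"
SAMPLE_QR = build_payload("com.example.kiosk/.AdminReceiver",
                          "https://mdm.example.com/kiosk.apk", SAMPLE_CERT)
```

Because whoever controls the QR code chooses the device owner, running `audit_payload` on every printed code before deployment catches a swapped checksum or download host.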
I'd like to have a single Android app on our managed devices; we want only that app to be used on the device, with the necessary restrictions, such that:
Single use - the device will have only one app; the user can't use other apps, like browsing, YouTube or anything.
The initial settings like notification sound, GPS always on, notification and ring sound at maximum level can't be modified.
The user cannot power off the device.
These settings can only be changed by our servers.
I think I have 2 options:
1) Using Samsung Knox SDK on Samsung devices,
Here's MDM proving feature of Samsung Knox Standard!
2) General Android way, Set up Single-Purpose Devices, COSU solution
Android Developer's site.
I wanted to know your view on this; maybe if you have done either of the two, or any other way, I could use some guidelines or a path.
Thanks for reading, and please comment if I was unable to articulate the subject or it needs editing.
You can use Google's new Android Management API, it seems to suit your needs.
It is a new cloud API that allows you to manage Android devices from a server, without having to build an on-device agent (a device policy controller).
I have broad experience of using Samsung Kiosk Mode from Knox Standard SDK which is free and Pro-Kiosk mode from Knox Customization SDK (which has more functions but is not free).
So I can tell you for sure that all 4 points that you have mentioned can be achieved by using Knox Standard SDK.
Single Purpose: https://seap.samsung.com/api-references/android-standard/reference/android/app/enterprise/kioskmode/KioskMode.html
LocationPolicy (you can turn on GPS and restrict changing): https://seap.samsung.com/api-references/android-standard/reference/android/app/enterprise/LocationPolicy.html
Yes. It is possible but I forgot the exact implementation.
Yes, as well.
Only downside of using this SDK is:
You are tied to Samsung (which I am personally okay with, since Samsung has such market penetration and you could get service almost anywhere in the world, and in the enterprise world that is critical)
About Android native functionality: never tried it
Update March 7, 2019: Now I am playing around with Device Owner; we use it for Kiosk mode, it works well and works on Android devices with Nougat and earlier.
I seek advice about what solution to use for building a specific enterprise app for Android.
We want to develop an enterprise app for a business partner.
Our partner sells Android devices, and they want us to administrate their devices.
Needed features:
ability to administrate the device (reboot, block/allow apps, disable uninstall of the app other than administrators, update app silently), so in general, have a functionality that DPC apps have with device-owner mode
the phone should be associated with a device-account, generated for each device in a store, about 50 devices per store; the phones belong to the store, and customers can try it, but should not have control over it (similar to a retail mode phone)
I am facing these issues:
rooting the devices is not an option
silent auto-update and remote management is a must
only administrators (we) should be able to remove the app
I have read through the Android EMM Developers overview, and the Android in the Enterprise tutorials, but I can't seem to figure out what to use.
As I understand, EMM developers should provide a DPC app and an EMM console to customers.
This situation is a bit different, because our customer does not need a console since we will be administrating their devices, and we don't want anybody else to use our console.
Can we use the EMM solution provider way to achieve this - is it right for it at all? -, or should we do something else?
The functionality you are looking for is exactly what EMM providers do, there's no need to develop a new app. It's typical for Admins to interact with the EMM portal instead of the business owners.
Here's how it works:
The DPC app is provided by the EMM and acts as the device owner. Settings applied through the EMM console are communicated to the DPC app for enforcement. EMMs manage the devices in two ways: Managed Profile (Android for Work) or Managed Device. You'll want to use a managed device. These are set up by enrolling a device that has been factory reset with your EMM. Newer devices don't need to be factory reset.
EMMs provide you with all the control you need including:
Locking down/force installing applications silently
Applying configuration to managed applications
Enforcing device encryption
Enforcing device security policies
Ability to remotely wipe the device
Kiosk mode
Because the DPC app acts as the device owner instead of the user, it can't be uninstalled and has complete control over the device. The capabilities provided by the EMMs will vary from provider to provider but I'm pretty sure all offer the capabilities you are looking for. AirWatch and MobileIron are popular ones, but there are many more including some free solutions.
These features are available on all devices with Android 5.0 and newer.
Is it true that ANY Android phone can be used for App development and testing?
I'm trying to find some inexpensive off-contract hardware for development and testing of our Apps. I've found some devices I can buy New with No Contract for $150 to $300 (like the HTC Aria or the Huawei Ascend). Is there anything that would prevent me from using these devices for USB debugging and app testing? I guess I'm concerned because I've read how the HTC Aria has been locked down by AT&T to limit applications. I suspect this won't affect me loading apps using ADB, but I'd like to be sure.
Yes, you can use any phone for testing applications via the Android development tools. This includes the HTC Aria, from what I've read.
You can read more here: http://developer.android.com/guide/developing/device.html
And it is not true what Sam Dufel wrote. A developer phone has messaging and phone features. It's just like any other ordinary unlocked phone. The only difference between the dev-phones is that they have unlocked bootloaders so you can install and customize your own Android-system and install it. It is rooted by default.
Google actually sells development phones - after you create a developer account, they give you an option to buy one of a couple different models. You don't get any messaging / phone features though, obviously.