I am looking into a large Mobile Device Management (MDM) solution which is supposed to support a variety of platforms, but of course primarily iOS and Android 3.x onwards.
We need to provision certificates for allowing access to services such as VPN, Exchange and Wi-Fi. This is easily done with iOS, since their MDM API allows provisioning of certificates, so all MDM vendors can provision these to their iPhones and iPads.
It is (at least from my research) however another story with Android: there is apparently no such function in the generic Google Android MDM API for provisioning and installing certificates. So the only MDM vendors that support this are those who have access to vendor-specific APIs such as Samsung, HTC, Motorola etc.
Is it true there is no generic way of installing certificates on ALL Android devices, or is it just for MDM-specific functions (API calls) that this is the case? I've looked at this post in regard to this: How to use p12 certificates in Android (client certificates)
Any suggestion as to how to automate delivery of certificates for different corporate services such as Exchange, VPN and Wi-Fi to Android clients (3.x onwards) would be very welcome.
You can install certificates using a device admin component using this API:
https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#installCaCert(android.content.ComponentName,%20byte[])
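An added example, not code from the answer above, of what the linked API looks like from inside a device admin component: a hypothetical CertProvisioner class in a DPC that installs a CA certificate with installCaCert and a per-device client key pair with installKeyPair. It assumes the app is already device owner or profile owner; these calls exist only from Android 5.0 (API 21), so they do not reach the 3.x devices the question mentions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.io.ByteArrayInputStream;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper inside a DPC: pushes a trust anchor and a per-device client credential. */
public final class CertProvisioner {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // this app's DeviceAdminReceiver

    public CertProvisioner(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Adds a CA (DER or PEM bytes) to the user trust store; device/profile owner only, else SecurityException. */
    public boolean installCa(byte[] caCert) {
        if (dpm.hasCaCertInstalled(admin, caCert)) {
            return true;   // idempotent: re-running provisioning does not duplicate the anchor
        }
        return dpm.installCaCert(admin, caCert);
    }

    /** Installs a client key + certificate under an alias that a VPN, Wi-Fi or Exchange config can reference. */
    public boolean installClientCert(PrivateKey key, byte[] clientCertDer, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCertDer));
        cert.checkValidity();   // refuse to provision expired or not-yet-valid material
        return dpm.installKeyPair(admin, key, cert, alias);
    }

    /** Removes a CA again, e.g. when the enterprise root is rotated. */
    public void uninstallCa(byte[] caCert) {
        dpm.uninstallCaCert(admin, caCert);
    }
}
```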
Related
Given a self-signed CA certificate file which was generated on device, I'm trying to figure out a way to install it on the work profile, since the traditional way of installing CA certificates using android.security.KeyChain.createInstallIntent() no longer works, neither on the personal profile nor the work profile.
I noticed that on some devices (for example, Pixel devices), there is no system settings UI for installing a CA certificate on the work profile (only for the personal profile), while other devices (for example, Samsung Galaxy S10+ and Galaxy S8+) do provide a system UI to install CA certificates on the work profile.
But since it's not available across all device manufacturers, I cannot rely on it.
According to the Android Developers documentation of Android Enterprise changes in Android 11, only DPC apps or apps delegated by DPC apps can install and revoke CA certificates in the work profile programmatically.
But not all DPC apps support this API (it exists in Test DPC but not in Microsoft's Intune Company Portal).
I'm lost, does anybody know a way that will always work?
It's been a while; I made progress and observed multiple MDM platforms.
Most MDM clients do use this API to install certificates programmatically, but it's being activated from the MDM management platform rather than the MDM DPC app itself.
So if my goal is to install a certificate that is generated on device, it cannot be done using the MDM DPC app (at least not using the MDM platforms I encountered).
However, I can still install certificates using the MDM management platform, usually root CA certificates which are deployed on multiple devices, rather than per-device certificates.
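An added example, not the poster's code, of the delegation path the question refers to: a hypothetical CertDelegation class with the DPC-side call that grants DELEGATION_CERT_INSTALL to the app that generated the CA, and the delegate-side call that then installs it with a null admin component. It assumes the DPC is the work profile's profile owner, Android 8.0 (API 26) or newer, and that the delegate's package name is known to the DPC.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.util.Collections;
import java.util.List;

/** Hypothetical helpers: two run in the profile-owner DPC, the third in the app that made the CA. */
public final class CertDelegation {

    /** DPC side: grant the generating app the certificate-install scope (API 26+). */
    public static void grantCertInstall(Context ctx, ComponentName admin, String delegatePkg) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // setDelegatedScopes replaces the delegate's scope list; an empty list revokes everything.
        List<String> scopes = Collections.singletonList(DevicePolicyManager.DELEGATION_CERT_INSTALL);
        dpm.setDelegatedScopes(admin, delegatePkg, scopes);
    }

    /** DPC side: take the scope away again once provisioning is done (least privilege). */
    public static void revokeCertInstall(Context ctx, ComponentName admin, String delegatePkg) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        dpm.setDelegatedScopes(admin, delegatePkg, Collections.<String>emptyList());
    }

    /** Delegate side: install the on-device CA without being a DPC at all. */
    public static boolean installOwnCa(Context ctx, byte[] caDer) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // A delegate passes null for the admin component, both when querying and when installing.
        List<String> mine = dpm.getDelegatedScopes(null, ctx.getPackageName());
        if (!mine.contains(DevicePolicyManager.DELEGATION_CERT_INSTALL)) {
            return false;   // not delegated: installCaCert would throw SecurityException
        }
        return dpm.installCaCert(null, caDer);
    }
}
```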
I seek advice about what solution to use for building a specific enterprise app for Android.
We want to develop an enterprise app for a business partner.
Our partner sells Android devices, and they want us to administrate their devices.
Needed features:
ability to administrate the device (reboot, block/allow apps, disable uninstalling the app by anyone other than administrators, update the app silently), so in general, have the functionality that DPC apps have in device-owner mode
the phone should be associated with a device-account, generated for each device in a store, about 50 devices per store; the phones belong to the store, and customers can try it, but should not have control over it (similar to a retail mode phone)
I am facing these issues:
rooting the devices is not an option
silent auto-update and remote management is a must
only administrators (we) should be able to remove the app
I have read through the Android EMM Developers overview and the Android in the Enterprise tutorials, but I can't seem to figure out what to use.
As I understand, EMM developers should provide a DPC app and an EMM console to customers.
This situation is a bit different, because our customer does not need a console since we will be administrating their devices, and we don't want anybody else to use our console.
Can we use the EMM solution provider way to achieve this (is it right for it at all?), or should we do something else?
The functionality you are looking for is exactly what EMM providers do, there's no need to develop a new app. It's typical for Admins to interact with the EMM portal instead of the business owners.
Here's how it works:
The DPC app is provided by the EMM and acts as the device owner. Settings applied through the EMM console are communicated to the DPC app for enforcement. EMMs manage the devices in two ways: Managed Profile (Android for Work) or Managed Device. You'll want to use a managed device. These are set up by enrolling a device that has been factory reset with your EMM. Newer devices don't need to be factory reset.
EMMs provide you with all the control you need, including:
Locking down/force installing applications silently
Applying configuration to managed applications
Enforcing device encryption
Enforcing device security policies
Ability to remotely wipe the device
Kiosk mode
Because the DPC app acts as the device owner instead of the user, it can't be uninstalled and has complete control over the device. The capabilities provided by the EMMs will vary from provider to provider, but I'm pretty sure all offer the capabilities you are looking for. AirWatch and MobileIron are popular ones, but there are many more, including some free solutions.
These features are available on all devices with Android 5.0 and newer.
I've read that Apple devices are managed by Mobile Device Management (MDM) servers using configuration profiles saved on the device. I also read somewhere that Android devices do not have a configuration profile. Then what is the alternative used to manage Android devices? Also, please let me know about the alternative to configuration profiles on the Universal Windows Platform.
On Android, Google and device vendors offer native APIs, e.g. 'set up passcode' or 'wipe the device'. The middleware client on the device calls these.
On the Windows platform, Microsoft offers CSPs, which are basically XML-wrapped API calls of a similar nature; you can say 'Configure Exchange' or 'Install an App'.
I am working with WSO2's EMM (Enterprise Mobility Management) which is an open source MDM (Mobile Device Management) and MAM (Mobile App Management) solution. Specifically to implement a BYOD (Bring Your Own Device) program. I am unhappy with a few features.
One main feature I want to implement myself is strict control over which apps can be installed by the user.
1) By not allowing installation of apps from 'Unknown Sources'. That is to not allow the user to check the 'Allow Installation of Apps From Unknown Sources' option or at least to be able to flag it if they do.
2) Black-Listing only specific apps that can be downloaded from the Play Store.
3) Even better would be the ability to White-List apps that can be downloaded from the Play Store
4) And in a perfect world I would like the ability to mix both an Enterprise App Store and the above restrictions to Play Store app downloads. (The benefit to that would be the ability to push corporate software to users, and still allow a safe and user friendly experience through the Play Store.)
Android's Device Administration API does not explicitly allow for these controls. Yet paid enterprise MDM solutions such as AirWatch boast these features. Any help would be much appreciated.
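An added example, not from the EMM answer earlier on this page or from any EMM product, of the device-owner controls that answer describes and that this question asks for (no unknown sources, uninstall blocking, an app allow-list, kiosk mode): a hypothetical OwnerControls class. It assumes the DPC was provisioned as device owner on Android 5.0 (API 21) or newer; it hides apps after installation rather than filtering what the Play Store shows.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper for a DPC that holds device-owner mode (Android 5.0+). */
public final class OwnerControls {
    private final DevicePolicyManager dpm;
    private final PackageManager pm;
    private final ComponentName admin;   // this app's DeviceAdminReceiver
    private final String self;           // our own package, never hidden or made removable

    public OwnerControls(Context ctx, ComponentName admin) {
        this.dpm = ctx.getSystemService(DevicePolicyManager.class);
        this.pm = ctx.getPackageManager();
        this.admin = admin;
        this.self = ctx.getPackageName();
    }

    /** Greys out the 'Unknown sources' toggle so the user cannot side-load APKs. */
    public void blockUnknownSources() {
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
    }

    /** Marks the agent and the corporate apps as non-removable by the user. */
    public void protectPackages(List<String> pkgs) {
        dpm.setUninstallBlocked(admin, self, true);
        for (String p : pkgs) dpm.setUninstallBlocked(admin, p, true);
    }

    /** Allow-list enforcement: hide every user-installed app that is not approved. Returns what was hidden. */
    public List<String> hideAllExcept(List<String> allowed) {
        List<String> hidden = new ArrayList<>();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            boolean system = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (system || ai.packageName.equals(self) || allowed.contains(ai.packageName)) continue;
            if (dpm.setApplicationHidden(admin, ai.packageName, true)) hidden.add(ai.packageName);
        }
        return hidden;
    }

    /** Kiosk: only these packages may pin themselves with Activity.startLockTask(). */
    public void configureKiosk(List<String> kioskPkgs) {
        dpm.setLockTaskPackages(admin, kioskPkgs.toArray(new String[0]));
    }
}
```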
After much research I have found a few things I would like to share:
The current Android Device Administration API is very limited; the features included are:
Device password restrictions
Disable camera
Lock and wipe device
Device Encryption
Beyond that (as Victor Ronin described in the above answer) your app can only check for compliance but cannot enforce it.
The only way to enforce policies beyond the scope of the Device Administration API is to have system level permissions. The only way to get these system level permissions is to have your app signed by the OEM of the device running your software. This is exactly how enterprise MDM solutions can enforce such rules: their apps are actually signed by the OEM and then returned and distributed. Once your UID is given the system permissions you can enforce most policies needed to secure a device in the MDM scenario.
If interested, watch this video; it describes this scenario and a detailed system level exploit.
Most of the time support for such features is patchy. As an example, Samsung SAFE provides more APIs (which will allow you to do what you want) and Motorola had some additional enterprise APIs.
So, you can't implement it on generic Android, but rather you can implement it on some devices.
The second approach is compliance. Maybe you can't prevent installation or remove apps, but you can detect them and take some actions associated with it (revoke credentials, turn off enterprise email and so on).
Usually, MDM solutions have some mix of these two things.
I am developing an application wherein I have to store the keys in a secure manner and do some cryptographic operations on them.
You can't use it directly. You need to develop (or buy) a trusted application and then have your app talk to it through the secure API it provides. This may or may not be usable on all devices, so unless you control the device and/or firmware, it is not guaranteed that you can use it at all.
The system keystore on some devices already uses hardware-backed storage for RSA keys (Nexus 7 for example), but it is not standard and some devices only have a software implementation.
If you are targeting the Western World, where Samsung is by far the dominant player, you can make use of their API for Trust Zone:
https://developer.samsung.com/teegris
2019 update:
You still can't use it directly. You should use Google APIs for Android security, some of which may or may not use TrustZone. It is a security tech aimed at device and OS manufacturers, not app developers.
You can read more on the topic here:
ARM TrustZone on Android
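An added example, not the answer's code, of the "Google APIs for Android security" route the 2019 update points to: a hypothetical HardwareKeyCheck class that keeps a signing key in the Android Keystore and asks the OS whether that key is held in a TEE (TrustZone) or StrongBox rather than in software, which is the point made above about hardware-backed storage not being standard. It assumes API 23 or newer and a key alias chosen by the caller.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

/** Hypothetical helper: generates a signing key in the Android Keystore and reports where it lives. */
public final class HardwareKeyCheck {
    private static final String PROVIDER = "AndroidKeyStore";

    /** Creates (or reuses) an EC P-256 signing key whose private half never leaves the keystore. */
    public static PrivateKey getOrCreateKey(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        if (ks.containsAlias(alias)) {
            return (PrivateKey) ks.getKey(alias, null);
        }
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(spec);
        return kpg.generateKeyPair().getPrivate();
    }

    /** True only if the OS reports the key is held in a TEE (TrustZone) or StrongBox, not in software. */
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            int level = info.getSecurityLevel();   // API 31+: distinguishes TEE from StrongBox
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                || level == KeyProperties.SECURITY_LEVEL_STRONGBOX;
        }
        return info.isInsideSecureHardware();      // API 23..30
    }

    /** Signs inside the keystore; the caller only ever sees the signature, never the key bytes. */
    public static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```

On a device where isHardwareBacked returns false, the key is protected only by the OS, which is the case the answer warns about.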