Here is my scenario,
I am looking at solutions like Good for Government, which allows a government agency to restrict access to system applications in iOS and Android via a web server/enterprise solution. This is what they describe their solution does:
Helpdesk personnel can quickly troubleshoot issues, with complete
visibility into all iOS devices deployed within the agency. To
protect agency data, you can enforce policies, such as requiring
passwords and preventing cut/copy/paste from the Good app. You can
also block unapproved applications such as YouTube, the Safari
browser, camera, or the App Store. In the event the device is lost
or stolen, you can remote-wipe agency data. Self-service
capabilities allow you to empower employees with basic tasks, such as
adding devices or remote wiping their own devices.
Is this at all possible to recreate? Of course for a different purpose, but if I could restrict access to certain system applications with a set code, and only to be unblocked again by a qualified person within a data center?
If someone could point me in the right direction to be able to do such things with iOS, and Android if possible as well, it would be more than appreciated.
Some of these things are possible using Device Administration introduced in Android 2.2
http://developer.android.com/guide/topics/admin/device-admin.html#policies
e.g
Remote Wipe
, Disable Camera
iOS has some of these features like Device Administration, Remote Wipe, Ability to control which apps can be disabled..
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
Related
My goal is to write an application for Android (>= 9.0) which basically offers a device-owner-style control like Google's "Android Device Policy".
The following criteria have to be met:
Zero dependency on Google servers or any other 3rd party infrastructure like existing EMM solutions (MobileIron et cetera)
The user should not be able to remove or disable the app
Provisioning methods: QR-Code, NFC, URL, ADB, actually any "local" way ...
Has to work with stock androids on regular consumer devices
In short: I'd like to write an unremovable device manager (including a web-based management UI), put it on a device I own, give that device to someone else, and being able to fully control the device remotely.
Is such a project even possible with the current situation of Android?
No.
Has to work with stock androids on regular consumer devices
Mostly, this is your biggest hurdle to overcome.
What you are asking for is the description of a very powerful MalWare. An app that ca run on any version of Android, that can't be uninstalled, but can do what it wants to "fully control the device".
If you move away from the idea of "stock android on regular consumer device", towards a suite of devices you have some say in distributing:
Here is a list of Google Partners who offer an EMM solution: https://androidenterprisepartners.withgoogle.com/emm/
Here is Samsungs effort at device control:
https://www.samsungknox.com/en
Here is Googles device management:
https://developers.google.com/android/management
You could write your own ROM of Android and be able to control the things you want, but that would require .. building a ROM aka a whole phone OS forked from AOSP.
The user should not be able to remove or disable the app
This is only possible if you have a system app.
Or something extreme (which with any extreme, is always possible to have problems), like having two apps, and they monitor each other for uninstall, and programatically reinstall (vs 1 app that can't do much when it is being uninstalled).
maybe someone know , samsung have a powerfull core with name KNOX SDK.We have application which based on this sdk. And we are looking a way to do same application without knox sdk. But we stuck with simple function like kiosk mode. This mode not working if device owner is not setted for application (for me it's hard to understand) All what i found - it's this way :
This way is correct if im testing application myself. But when time is come and we will need to install this application on our 100-200 devices , then this way looks bad . Every device to do factory reset, and adb commands etc.
So question :
I'm sure there are should be a way to do this offically. But i can't find any info about this. Maybe some one know how to do this ? Please help. I'm sure i'm missed something somewhere. :)
You can get information about the ways to provision device here. They include:
QR code
Managed Google Play Accounts
Google Account
NFC
I've wrote an article where I've described provisioning with QR-code here. We've selected this way for our Kiosk application as the most optimal one, because:
zero touch enrolment works only on a small subset of devices;
NFC provisioning requires another device with special app;
Google Account requires having and managing this account.
On the other hand QR-code works almost on all Android 7.0+ devices ("almost" because some vendors disable this in their custom ROMs) and is easy to setup for end user.
But when you need to install it on multiple devices (and it's some internal app, so you do it yourself, rather than end user) Google Account can be more appropriate.
In production, you'll want to provision your dedicated devices from the factory reset state (on the initial blue screen) using NFC, a QR code, or if supported, zero touch enrollment. NFC can be used from another Android device using an app such as the NFC provisioning app. A dedicated NFC card can also be programmed using an app such as NFC Tools. Google provides provisioning instruction on their TestDPC github repo. EMMs will also provide instructions for their DPC app. Using Android Management is usually a better alternative to TestDPC for production deployments under a 1000 devices. Additonal provisioning options and increased API usage limits are available if you're part of the EMM Community.
We are working on a mobile app with a feature that allows parents to restrict or disable certain phone functions on their children's devices.
I have been googling for this for a while and can't find an adequate search term.
Ultimately I would like to create a table that outlines various phone features and indicates whether a native mobile application can restrict or disable it. This will be used to indicate the differences between iOS, Android, and Windows Phone development capabilities.
Some features I am looking to modify are: app use, phone calls, text messages, internet access, etc. For restrictions such as phone calls and texts, I'd also like to determine if we can allow a "white list" of allowed contacts.
Thanks for your time.
Windows Phone doesn't have any mechanisms to allow one app to restrict what the user / other apps can do. It does have the Kids Corner feature that enables parents to limit what apps a child can use (and some features within those apps, like In-App-Purchases) but not individual features.
iOS already has a pretty rich parental control center built into the Settings app. I don't believe there is an API that would allow you access those features either. In general, this type of inter-app communication is very limited on iOS.
I am working with WSO2's EMM (Enterprise Mobility Management) which is an open source MDM (Mobile Device Management) and MAM (Mobile App Management) solution. Specifically to implement a BYOD (Bring Your Own Device) program. I am unhappy with a few features.
One main feature I want to implement myself is strict control over which apps can be installed by the user.
1) By not allowing installation of apps from 'Unknown Sources'. That is to not allow the user to check the 'Allow Installation of Apps From Unknown Sources' option or at least to be able to flag it if they do.
2) Black-Listing only specific apps that can be downloaded from the Play Store.
3) Even better would be the ability to White-List apps that can be downloaded form the Play Store
4) And in a perfect world I would like the ability to mix both an Enterprise App Store and the above restrictions to Play Store app downloads. (The benefit to that would be the ability to push corporate software to users, and still allow a safe and user friendly experience through the Play Store.)
Android's Device Administration API does not explicitly allow for these controls. Yet paid enterprise MDM solutions such as AirWatch boast these features. Any help would be much appreciated.
After much research I have found a few things I would like to share:
The current Android Device Administration API is very limited the features included are:
Device password restrictions
Disable camera
Lock and wipe device
Device Encryption
Beyond that (as Victor Ronin described in the above answer) your app can only check for compliance but can not enforce it.
The only way to enforce policies beyond the scope of the Device
Administration API is to have system level permissions. The only way
to get these system level permissions is to have your app signed by
the OEM of the device running your software. This is exactly how
enterprise MDM solutions can enforce such rules, their apps are
actually signed by the OEM and then returned and distributed. Once
your UID is given the system permissions you can enforce most policies
needed to secure a device in the MDM scenario.
If interested watch this video it describes this scenario and a detailed system level exploit.
Most of the time support of such features are patchy. As example Samsung SAFE provides more API (which will allow to do what you want) and Motorolla had some additional enterprise API.
So, you can't implemented it on generic Android, but rather you can implement it on some devices.
Second approach is compliance. May be you can't prevent installation or remove apps, but you can detect them and do some actions associated with it (revoke credentials, turn off enterprise email and so on).
Usually, MDM solutions have some mix of these two things.
We are building an enterprise focused mobile application.
To take this app to the market we need to figure out how to remotely
a) upgrade / wipe the application on mobile devices
b) get access to the device for support and troubleshooting
I guess mobile device management (MDM) applications like AirWatch or
MobiControl can do this job. But they are expensive and do a lot of
other things which we are not interested in.
Is there anything else in the market that is especially geared for
mobile application developers to add the above features within their
application?
*Addition:
We are working on iOS and Android for now.
iOS
Install/Upgrade
On iOS you can use MDM API to install and upgrade apps. However, there are multiple gotchas
A user has to accept it
If the same app is preinstalled by user, you won't be able to install it/upgrade it through MDM
Wipe
You can wipe only whole device or you can remove an application which will remove it's data. However, you can remove only apps which was installed through MDM
Get access to the device for support and troubleshooting
If you are talking about remote desktop like capabilities then you are out of luck. You can't remotely control it. However, you may be interested to look at airplay mirroring.
Android
Install/Upgrade
Look at this: Android: install .apk programmatically
Install Application programmatically on Android
Wipe
You can use device admin capabilities for this: http://developer.android.com/guide/topics/admin/device-admin.html
Get access to the device for support and troubleshooting
I am not sure.
Obvious self-marketing :)
Can you contact me by email (I have it in my profile). My company does a lot of things which you are interested it. May be we can find interesting opportunity for a cooperation.