Enterprise Mobility Management With Android For Work


Enterprise Mobility Management with Android for Work

Rim KHAZHIN, AnDevCon San Francisco 2016

whoami

software architect @ DarkBlue Systems
space technologies research institute
Ericsson mobility world
underwater photographer

Enterprise Mobility Management with Android for Work, AnDevCon Boston 2016

Rim KHAZHIN

About DarkBlue Systems

Brief company profile: darkbluesystems.com

R&D: over 15 years in mobile technology; 100% dedicated to research and development
Branches: offices in Europe, MEA, and Asia
Statistics: one of the fastest growing companies in the Middle East, Africa, and Europe

DarkBlue Systems

mobile device management system managing 15 million devices
business process management
BigData analytics


why am I giving this tutorial?

share our research
describe device management features
describe Android for Work


agenda
what is EMM?
case study - sample project developed by DarkBlue
what is Android for Work?
develop a management app
communication with EMM
develop App for Work
Google EMM API

Enterprise Mobility Management (EMM)

MAM (Mobile Application Management)
MDM (Mobile Device Management)


Enterprise Mobility Management system (EMM)

purpose: controlling device(s)
typical features:
restrictions: password, camera, screenshot, bluetooth, SD card, usb debugging
management: wipe, encrypt, lock, reset pw
settings: wifi, email, apn, vpn
application control: install, remove, enable, disable

why MDM?

security policy
data leak prevention
app & settings management


useful scenarios (MAM)

install and remove apps
enable/disable apps (whitelist, blacklist)
update, run, configure
single app usage - screen pinning


useful scenarios

enforce passcode strength policy
URL blacklist
URL filter
find my Android


useful scenarios (configuration)

deploy wifi, vpn, app settings
certificate installation
install VPN client app, configure, secret password


how to develop MDM?

root access?
compile from source?
manufacturer's MDM API
Android Device Administration API
Android for Work

root access?

version-specific
device-specific
can't do bulk provisioning
security compromise


compile from source?

missing Google services
missing vendor add-ons
missing drivers


what do we get from manufacturers?

Android (Samsung, LG, General Mobile, etc): MDM API
Sony: Open Devices
Apple MDM, Microsoft: built-in

manufacturer MDM API

hardware control
application management: install application (silent), remove application (silent)
control submenus of Settings



procedure (device manufacturer)

join Enterprise Developer Program
get your app signed by vendor
security check


what do we get from Google (Android)?

Device Administration API (AOSP)
Android for Work
Google Play for Work
Google Mobile Management


case studies

railway company

5000 devices
used by train drivers and dispatch
mixed brands: Samsung, Huawei, General Mobile


medical apps in prisons

1000 devices
fully locked!
single app


education project

ordered by Ministry of Education
15 million devices delivered at 30k public schools
free wifi Internet to all public schools
running since 2013


education project

mixed Android and iOS devices
Samsung, LG, Huawei, General Mobile devices
pure AOSP API management (70%)


project requirements

deliver and manage 15 million devices
control & restrict applications
control & restrict hardware
offline policies


big challenge

MDM is an app
protect MDM
undetectable, unstoppable, unremovable
prevent rooting
detect if rooted

Device Administration API

password strength policy
reset password
lock, wipe, encrypt, disable camera


make app unstoppable?!

device administration permission
app is unstoppable!
and unremovable!


getting device administration permission

declare the receiver with the BIND_DEVICE_ADMIN permission
declare the policies (permissions) the app uses
extend DeviceAdminReceiver
listen for the ACTION_DEVICE_ADMIN_ENABLED intent


Settings -> security -> device administrators

view device administrators
remove permission


prevent removing admin permission

offer a carrot on a stick:
wifi settings
email account
vpn settings


if permission removed!

DeviceAdminReceiver.onDisabled()
disable accounts
show warning
notify system administrator


remember the carrots

don't restrict too much
give good carrots:
wifi access. Don't give the password!
corporate accounts: disable the account if the MDM gets removed

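The slides above describe one procedure: declare the admin receiver, ask the user for device administration, hand out the carrots once it is granted, and take them away in onDisabled(). The following is an added example written for this page, not code from the deck or from DarkBlue's product; the receiver name, the corporate account type, the in-app broadcast action and the password policy values are assumptions.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.widget.Toast;

/*
 * Hypothetical MDM admin receiver. Manifest entry (assumed names):
 *
 *   <receiver android:name=".MdmAdminReceiver"
 *             android:permission="android.permission.BIND_DEVICE_ADMIN">
 *       <meta-data android:name="android.app.device_admin"
 *                  android:resource="@xml/device_admin" />
 *       <intent-filter>
 *           <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
 *       </intent-filter>
 *   </receiver>
 *
 * res/xml/device_admin.xml lists the policies the app uses, e.g.
 *   <device-admin><uses-policies><limit-password/><reset-password/>
 *   <force-lock/><wipe-data/><disable-camera/></uses-policies></device-admin>
 */
public class MdmAdminReceiver extends DeviceAdminReceiver {

    // Account type of the corporate accounts this app's authenticator creates (assumed)
    static final String CORPORATE_ACCOUNT_TYPE = "com.example.corp";
    // In-app broadcast consumed by the component that talks to the EMM server (assumed)
    static final String ACTION_ADMIN_REMOVED = "com.example.mdm.ADMIN_REMOVED";

    // Fired once the user confirms activation: apply the baseline policy immediately.
    @Override
    public void onEnabled(Context context, Intent intent) {
        DevicePolicyManager dpm = dpm(context);
        ComponentName admin = getWho(context);
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        if (!dpm.isActivePasswordSufficient()) {
            // Existing passcode is weaker than policy: send the user to the change screen
            Intent setPw = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            setPw.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(setPw);
        }
    }

    // Text the system shows when the user tries to deactivate the administrator.
    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        return "Deactivating removes corporate Wi-Fi, e-mail and VPN from this device.";
    }

    // The user went through with it: take the carrots away and tell the administrator.
    @Override
    public void onDisabled(Context context, Intent intent) {
        AccountManager am = AccountManager.get(context);
        for (Account account : am.getAccountsByType(CORPORATE_ACCOUNT_TYPE)) {
            am.removeAccount(account, null, null);   // corporate mail and VPN stop working
        }
        Toast.makeText(context, "Corporate services have been disabled", Toast.LENGTH_LONG).show();
        Intent report = new Intent(ACTION_ADMIN_REMOVED).setPackage(context.getPackageName());
        context.sendBroadcast(report);               // the EMM client reports it to the server
    }

    // Called from the MDM app's first-run screen; the system shows the consent dialog.
    public static void requestActivation(Activity activity, int requestCode) {
        ComponentName admin = new ComponentName(activity, MdmAdminReceiver.class);
        if (dpm(activity).isAdminActive(admin)) {
            return;                                  // already an active administrator
        }
        Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Required to deploy corporate Wi-Fi, e-mail and VPN settings.");
        activity.startActivityForResult(intent, requestCode);
    }

    private static DevicePolicyManager dpm(Context context) {
        return (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }
}
```

The account removal only works for an account type whose authenticator belongs to this app; for other types the system refuses the call. Note that nothing here makes the app "unremovable" by itself: while the admin is active the system blocks uninstall, and the moment the user deactivates it, onDisabled() is the only hook left, which is why the corporate accounts are removed there.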

Android for Work

Separate personal apps and data from work
Wipe work data
Remotely install apps, certs (silently)
Remotely configure apps (Restrictions, settings)
Disable wifi, bluetooth, gps

Android for Work

Set Settings.Global directly (normally the user is not allowed to - use the Settings app)
KeyGuard settings
Disable screenshot, status bar, uninstalling app(s)
Set global proxy

modes of operation

Device owner (corporate-owned device): DPC manages the entire device
Profile owner (BYOD): DPC manages the work profile; can be removed by the user

use case (COSU)

secure device for prison deployment
provision 1000 devices via NFC
lock everything on the device
install app
update, configure app remotely

useful scenarios: enterprise apps

DarkBlue secure mail: remote install (app and account), disable exporting and screenshots
DarkBlue secure browser: internet portal access, URL filter
DarkBlue task management


useful scenarios: per-app VPN

access intranet services securely via a specific app (ex: DarkBlue secure browser)
prevent using insecure apps
protect intranet from malware
filter, protect, audit

useful scenarios: employee left

wipe work profile: apps, locally stored data
disable accounts
remove work profile

procedure (Android for Work)

implement Device Policy Controller app
sign up for Android for Work
register a managed domain
create managed accounts
create work profile



app restrictions = settings

each app publishes its configurable settings list (Restrictions schema)
admin can set the settings for each app
DPC app applies the settings to the app


app restrictions

AppConfig community
same configurations for all EMMs
backend service configuration: server URL, port, use SSL, group/tenant code
user configuration: username, email, domain


Device Policy Controller: Device Owner mode

provision device (device owner mode)

only during initial setup of a new device or after a factory reset:
NFC deployment
Google Account method
Android for Work accounts method
dpm utility

NFC provisioning

send NFC message during setup wizard
MIME type: application/com.android.managedprovisioning
device admin package name
download location
checksum
wifi ssid (optional)

import static android.app.admin.DevicePolicyManager.*;

import android.nfc.NdefMessage;
import android.nfc.NdefRecord;
import java.io.ByteArrayOutputStream;
import java.util.Properties;
...
// the provisioning parameters travel as java.util.Properties text inside the NDEF record
Properties p = new Properties();
p.setProperty(EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, "com.btt.device_owner");
p.setProperty(EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION,
        "https://bttmdm.com/dpc.apk");
// URL-safe base64 hash of the DPC apk (SHA-1 on Lollipop, SHA-256 from Marshmallow);
// placeholder value: the device refuses a download whose hash does not match,
// so a swapped apk cannot become device owner
p.setProperty(EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, "AGt-jhvbjkhftdfkjhv");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
p.store(bos, "");   // plain stream: an ObjectOutputStream would add serialization framing bytes
final byte[] bytes = bos.toByteArray();
NdefMessage msg = new NdefMessage(
        NdefRecord.createMime("application/com.android.managedprovisioning", bytes));

NFC provisioning

device downloads DPC
device runs DPC
onProfileProvisioningComplete


Google Account provisioning

since Android M
login with Google account of a managed domain
DPC is automatically downloaded from Google Play
DPC runs automatically
DPC provisions profile

Android for Work Accounts provisioning

enter afw#DPC_IDENTIFIER as the Google account
the EMM's DPC is automatically downloaded from Google Play
DPC runs automatically and provisions the profile
Android for Work account is added to the device

manual adb provisioning

install DPC app
adb shell dpm set-device-owner com.btt.device_owner/.BttDeviceAdminReceiver
start DPC app manually


key points

enable system apps
disable Google Play during install
enable enterprise factory reset protection


sample Device Owner app (hands-on demo)

provision device
onProfileProvisioningComplete
get user name (Google account)
activate with EMM
send GCM registration ID

sample Device Owner app (hands-on demo)

Settings.Global
KeyGuard settings
disable app installing/uninstalling
disable screenshot, status bar
disable outgoing calls and sms

sample Device Owner app (hands-on demo)

set restrictions for AppRestrictionSchema app
allow screen pinning for AppRestrictionSchema
hide Google Play app
disable factory reset
disable bluetooth, wifi, camera

DevicePolicyManager class

set app restrictions and settings
set device restrictions and settings


management API

DevicePolicyManager class
UserManager class
Settings.Global
Settings.Secure

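The three hands-on slides above list what the sample device owner app does with DevicePolicyManager, UserManager and Settings.Global. Below is an added example for this page (not the deck's sample app and not DarkBlue code) that applies those policies in one helper; the admin receiver is passed in, and the AppRestrictionSchema package name and its restriction keys are assumed from Google's public sample, so check them against that sample's res/xml/app_restrictions.xml.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.os.UserManager;
import android.provider.Settings;

// Hypothetical device-owner helper; the admin receiver component is supplied by the caller.
public final class DeviceOwnerPolicy {

    // Google's AppRestrictionSchema sample and the keys its schema declares (assumed)
    static final String SCHEMA_APP = "com.example.android.apprestrictionschema";
    static final String PLAY_STORE = "com.android.vending";

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public DeviceOwnerPolicy(Context context, ComponentName adminReceiver) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = adminReceiver;
        if (!dpm.isDeviceOwnerApp(context.getPackageName())) {
            throw new IllegalStateException("every call in this class needs device-owner mode");
        }
    }

    // Device restrictions: UserManager keys survive reboot and only the DPC can clear them.
    public void lockDownDevice() {
        String[] restrictions = {
                UserManager.DISALLOW_INSTALL_APPS,            // no app installs by the user
                UserManager.DISALLOW_UNINSTALL_APPS,          // ...and no removals
                UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // no side-loading
                UserManager.DISALLOW_OUTGOING_CALLS,
                UserManager.DISALLOW_SMS,
                UserManager.DISALLOW_FACTORY_RESET,           // Settings > Reset is blocked
                UserManager.DISALLOW_CONFIG_BLUETOOTH,
                UserManager.DISALLOW_CONFIG_WIFI,
                UserManager.DISALLOW_DEBUGGING_FEATURES,
        };
        for (String restriction : restrictions) {
            dpm.addUserRestriction(admin, restriction);
        }
        dpm.setCameraDisabled(admin, true);
        dpm.setScreenCaptureDisabled(admin, true);          // screenshots and screen recording
        dpm.setKeyguardDisabledFeatures(admin,
                DevicePolicyManager.KEYGUARD_DISABLE_SECURE_CAMERA
                        | DevicePolicyManager.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS);
        if (Build.VERSION.SDK_INT >= 23) {
            dpm.setStatusBarDisabled(admin, true);           // no quick settings, no notification shade
        }
        // Settings.Global keys an ordinary app cannot write; only a device owner may set them
        dpm.setGlobalSetting(admin, Settings.Global.ADB_ENABLED, "0");
        // Hide, rather than uninstall, the Play Store: it stays available for silent installs
        dpm.setApplicationHidden(admin, PLAY_STORE, true);
    }

    // App restrictions = the settings the target app publishes in its restrictions schema.
    public void configureSchemaApp(boolean canSayHello, String message, int number) {
        Bundle settings = new Bundle();
        settings.putBoolean("can_say_hello", canSayHello);
        settings.putString("message", message);
        settings.putInt("number", number);
        dpm.setApplicationRestrictions(admin, SCHEMA_APP, settings);
        // The app picks the change up in onResume or via ACTION_APPLICATION_RESTRICTIONS_CHANGED
    }

    // Reverse of lockDownDevice(), for the demo: the user restrictions need clearing one by one.
    public void releaseDevice() {
        for (String restriction : dpm.getUserRestrictions(admin).keySet()) {
            dpm.clearUserRestriction(admin, restriction);
        }
        dpm.setCameraDisabled(admin, false);
        dpm.setScreenCaptureDisabled(admin, false);
        dpm.setKeyguardDisabledFeatures(admin, DevicePolicyManager.KEYGUARD_DISABLE_FEATURES_NONE);
        dpm.setApplicationHidden(admin, PLAY_STORE, false);
    }
}
```

Lock-task whitelisting (setLockTaskPackages) is deliberately not in this helper; it is covered together with the COSU slides. Note that the Bluetooth and Wi-Fi entries are configuration restrictions, not radio switches: they stop the user from changing those settings, which is what the API on Lollipop offers.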

communication with EMM


sample protocol

device-initiated operation
use push notification for server-initiated operation
HTTPS POST request
JSON message request
JSON response

device activation

identify Google account with device

{user: rim@darkbluesystems.com,
 pw: ,
 device_info: {},
 gcm_registration_id: }


status update

request:

{device_id: ,
device_info: {} }

response:
{status:1}
{status:1, commands_pending:2}

get commands

request:

{device_id: }

response:

{command_type: 3, param1: 0,
param2: com.btt.eciton }


app restrictions samples (JSON)

sample e-mail account setting

{restrictions: [
  {app: com.btt.securemail, payload:
    {server: 4.4.4.4, type: 1, port: 25,
     user: rim@darkbluesystems.com, pass: }}]}


app restrictions samples (JSON)

sample e-mail account setting


sample vpn account setting
sample per-app vpn setting


sending commands to device

send push notification
device connects over HTTPS
verify SSL certificate

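The protocol slides (activation, status update, get commands) and the "sending commands to device" slide describe one client: the device always initiates, each message is an HTTPS POST carrying JSON, and the DPC must verify the server certificate before it trusts a command. The class below is an added example for this page, not DarkBlue's client; the base URL, the service paths (activate, status, command) and the raw resource holding the enterprise CA certificate are assumptions.

```java
import android.content.Context;
import org.json.JSONException;
import org.json.JSONObject;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical EMM client inside the DPC; paths and the CA resource are assumptions.
public final class EmmClient {

    private final String baseUrl;           // e.g. "https://emm.example.invalid/api/" (placeholder)
    private final SSLSocketFactory tls;

    public EmmClient(Context context, String baseUrl, int caCertRawResId)
            throws IOException, GeneralSecurityException {
        this.baseUrl = baseUrl;
        // Trust only the enterprise CA bundled with the DPC: a server certificate issued by any
        // other CA on the device, including a user-installed one, fails the handshake.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = context.getResources().openRawResource(caCertRawResId)) {
            ca = cf.generateCertificate(in);
        }
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);
        trusted.setCertificateEntry("emm-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, tmf.getTrustManagers(), null);
        this.tls = ssl.getSocketFactory();
    }

    // Device activation: ties the Google account and the push handle to this device.
    public JSONObject activate(String user, String password, JSONObject deviceInfo,
                               String gcmRegistrationId) throws IOException, JSONException {
        JSONObject req = new JSONObject()
                .put("user", user)
                .put("pw", password)
                .put("device_info", deviceInfo)
                .put("gcm_registration_id", gcmRegistrationId);
        return post("activate", req);
    }

    // Status update: returns how many commands the server has queued (0 when none).
    public int statusUpdate(String deviceId, JSONObject deviceInfo)
            throws IOException, JSONException {
        JSONObject req = new JSONObject().put("device_id", deviceId).put("device_info", deviceInfo);
        JSONObject resp = post("status", req);
        if (resp.getInt("status") != 1) {
            throw new IOException("EMM rejected status update: " + resp);
        }
        return resp.optInt("commands_pending", 0);
    }

    // Get command: called once per pending command, and again after a push notification.
    public JSONObject getCommand(String deviceId) throws IOException, JSONException {
        return post("command", new JSONObject().put("device_id", deviceId));
    }

    // One HTTPS POST with a JSON body and a JSON reply; each microservice has its own path.
    private JSONObject post(String service, JSONObject body) throws IOException, JSONException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(baseUrl + service).openConnection();
        conn.setSSLSocketFactory(tls);          // hostname verification stays at its default
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(15000);
        conn.setReadTimeout(15000);
        conn.setRequestProperty("Content-Type", "application/json; charset=utf-8");
        try {
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.toString().getBytes(StandardCharsets.UTF_8));
            }
            int code = conn.getResponseCode();
            if (code != HttpsURLConnection.HTTP_OK) {
                throw new IOException("EMM " + service + " returned HTTP " + code);
            }
            try (InputStream in = conn.getInputStream()) {
                return new JSONObject(readAll(in));
            }
        } finally {
            conn.disconnect();
        }
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

A push notification carries no command itself; it only prompts the device to call statusUpdate() and then getCommand(), so a forged push can at most trigger an extra poll against the pinned server. Because the trust store contains only the enterprise CA, a man-in-the-middle with a certificate from a public CA is rejected at the TLS layer, before any JSON is parsed.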

microservices

separate service for each function:
get command
get restrictions
get settings


microservice workflow

parse and validate message
authenticate user
no business logic


background services

sending push notifications
sending commands


Device Policy Controller: Profile Owner mode

managed profile

information security
separate personal data and apps from corporate
created by DPC
controlled by administrator (via DPC)


managing the work profile

install, remove, configure apps silently
restrict apps in a profile (even default apps!)
allow some intents to cross profile boundaries
COSU - corporate-owned single-use device

register Android for Work

add managed domain
add managed user
enable Android for Work
setup EMM provider


Google Play for Work

approve apps (login as Google Apps super admin)
only approved apps are available
mandatory apps installed silently
optional apps installed by user

develop DPC app

create managed profile
DPC becomes available in both profiles: personal and the new work profile
uninstall personal DPC after receiving ACTION_MANAGED_PROFILE_ADDED
release Device Admin privileges (personal DPC)

provision device (profile owner mode)

install DPC app manually
add Google account to device (Android 5.1): DPC is downloaded automatically from Google Play
device encryption required

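The "develop DPC app" and "provision device (profile owner mode)" slides describe the profile-owner flow: the personal copy of the DPC launches provisioning, the copy inside the new work profile finishes in onProfileProvisioningComplete, and the personal copy then drops its device-admin rights and is removed. The code below is an added example for this page, not the deck's sample or DarkBlue's DPC; the class names and the profile name are assumptions.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.UserManager;

// Hypothetical DPC provisioning helper; nested receivers are registered in the manifest.
public final class WorkProfileProvisioning {

    public static final int REQUEST_PROVISION = 0x5051;

    // Personal side: launch the system's managed-profile setup wizard.
    public static boolean start(Activity activity) {
        Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
        ComponentName admin = new ComponentName(activity, Admin.class);
        if (Build.VERSION.SDK_INT >= 23) {
            intent.putExtra(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME, admin);
        } else {
            intent.putExtra(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME,
                    activity.getPackageName());
        }
        if (intent.resolveActivity(activity.getPackageManager()) == null) {
            return false;   // no managed provisioning on this build (profiles need encryption)
        }
        activity.startActivityForResult(intent, REQUEST_PROVISION);
        return true;        // RESULT_OK arrives in onActivityResult when the wizard finishes
    }

    // Runs inside the new work profile once the system has copied the DPC into it.
    public static class Admin extends DeviceAdminReceiver {
        @Override
        public void onProfileProvisioningComplete(Context context, Intent intent) {
            DevicePolicyManager dpm =
                    (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
            ComponentName admin = getWho(context);
            // Baseline policy goes in before the profile becomes visible to the user
            dpm.setProfileName(admin, "Work");
            dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
            dpm.setProfileEnabled(admin);   // work badge appears, work apps become usable
        }
    }

    // Personal side: ACTION_MANAGED_PROFILE_ADDED is delivered to the primary user only.
    public static class ProfileAdded extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!Intent.ACTION_MANAGED_PROFILE_ADDED.equals(intent.getAction())) {
                return;
            }
            DevicePolicyManager dpm =
                    (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
            ComponentName admin = new ComponentName(context, Admin.class);
            // The personal copy keeps no privileges: drop device admin, then ask for removal
            if (dpm.isAdminActive(admin)) {
                dpm.removeActiveAdmin(admin);
            }
            Intent uninstall = new Intent(Intent.ACTION_UNINSTALL_PACKAGE,
                    Uri.parse("package:" + context.getPackageName()));
            uninstall.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(uninstall);   // user confirms; the work-profile copy stays
        }
    }
}
```

Removing the personal copy's admin status before the uninstall prompt matters: an app that is still an active device administrator cannot be uninstalled, and a DPC that keeps admin rights in the personal profile has more reach than the work profile model intends.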

App for Work

enterprise app
publish on Google Play for Work
subject to approval by company admin
volume purchase


restrictions = settings

define app restrictions
check restrictions
listen for restriction changes


sample restrictions (settings)

email account
vpn account
URL blacklist


managed by administrator

screen pinning enabled/disabled
app disabled


develop app for Work (hands-on demo)

read/update settings
onResume
on broadcast

screen pinning

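The App for Work slides (define restrictions, check them, listen for changes, read them in onResume and on broadcast) amount to one activity. Here is an added example for this page, not the deck's demo app or DarkBlue's secure mail client; it reuses the keys of the deck's sample e-mail payload (server, type, port, user, pass), and the class name and the schema XML are assumptions.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;
import android.widget.Toast;

/*
 * Hypothetical secure-mail activity. The app publishes its settings in
 * res/xml/app_restrictions.xml (keys follow the deck's sample payload):
 *
 *   <restrictions xmlns:android="http://schemas.android.com/apk/res/android">
 *     <restriction android:key="server" android:restrictionType="string" android:title="@string/server"/>
 *     <restriction android:key="type"   android:restrictionType="integer" android:title="@string/type"/>
 *     <restriction android:key="port"   android:restrictionType="integer" android:title="@string/port"
 *                  android:defaultValue="25"/>
 *     <restriction android:key="user"   android:restrictionType="string" android:title="@string/user"/>
 *     <restriction android:key="pass"   android:restrictionType="string" android:title="@string/pass"/>
 *   </restrictions>
 *
 * and points to it from the manifest:
 *   <meta-data android:name="android.content.APP_RESTRICTIONS"
 *              android:resource="@xml/app_restrictions"/>
 */
public class SecureMailActivity extends Activity {

    public static final class MailSettings {
        public final boolean managed;   // false: no administrator has pushed a configuration
        public final String server, user, password;
        public final int type, port;

        MailSettings(Bundle restrictions) {
            // An empty Bundle is what an unmanaged install gets back
            managed = restrictions != null && restrictions.containsKey("server");
            server = managed ? restrictions.getString("server") : null;
            user = managed ? restrictions.getString("user") : null;
            password = managed ? restrictions.getString("pass") : null;
            type = managed ? restrictions.getInt("type", 1) : 0;
            port = managed ? restrictions.getInt("port", 25) : 0;
        }
    }

    private MailSettings current;

    private final BroadcastReceiver restrictionsChanged = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            apply(readSettings(context));   // the administrator changed values while we run
        }
    };

    @Override
    protected void onResume() {
        super.onResume();
        registerReceiver(restrictionsChanged,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
        apply(readSettings(this));          // values may have changed while we were paused
    }

    @Override
    protected void onPause() {
        unregisterReceiver(restrictionsChanged);
        super.onPause();
    }

    // The DPC, not this app, decides the values; the app only reads the Bundle.
    public static MailSettings readSettings(Context context) {
        RestrictionsManager rm =
                (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
        return new MailSettings(rm.getApplicationRestrictions());
    }

    // Whether the user may edit the account form: only when nobody manages the app.
    public boolean accountEditable() {
        return current == null || !current.managed;
    }

    private void apply(MailSettings settings) {
        current = settings;
        if (!settings.managed) {
            Toast.makeText(this, "No managed configuration: set up your account", Toast.LENGTH_SHORT).show();
            return;
        }
        // Managed: server and account come from the administrator and are read-only here
        Toast.makeText(this, "Account " + settings.user + "@" + settings.server + ":" + settings.port
                + " configured by your administrator", Toast.LENGTH_SHORT).show();
    }
}
```

Reading the restrictions in onResume as well as from the broadcast covers both cases the slide names: a change pushed while the activity is visible, and one pushed while it was in the background (the broadcast is not sticky, so a paused activity would otherwise miss it).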

compatibility requirements

intents don't cross profiles
admin can disable apps (even default apps!)
admin decides which intents cross profiles
Intent.resolveActivity()


file sharing

file URI not valid in other profiles
use content URI instead


content URI

specify file URI
specify authority sharing this file
can only share from shareable directory


specify shareable directories

res/xml/filepaths.xml

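The compatibility, file sharing, content URI and shareable directory slides describe one flow: resolve the intent before starting it, share through a content URI from a directory declared in res/xml/filepaths.xml, and let the DPC decide which intents may cross the profile boundary. The code below is an added example for this page, not DarkBlue's secure mail app; the provider authority, the directory name and the admin component passed to the DPC method are assumptions, and it uses the support-library FileProvider that was current in 2016.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.support.v4.content.FileProvider;
import java.io.File;
import java.io.IOException;

/*
 * Hypothetical secure-mail helper. Manifest (authority is an assumed value):
 *   <provider android:name="android.support.v4.content.FileProvider"
 *             android:authorities="com.btt.securemail.fileprovider"
 *             android:exported="false"
 *             android:grantUriPermissions="true">
 *     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
 *                android:resource="@xml/filepaths"/>
 *   </provider>
 *
 * res/xml/filepaths.xml (only this subtree of the app's files dir is shareable):
 *   <paths xmlns:android="http://schemas.android.com/apk/res/android">
 *     <files-path name="attachments" path="attachments/"/>
 *   </paths>
 */
public final class CrossProfileSharing {

    static final String AUTHORITY = "com.btt.securemail.fileprovider";
    static final String SHARED_DIR = "attachments";

    // The directory the provider exposes; files anywhere else cannot be shared.
    public static File shareableDir(Context context) {
        File dir = new File(context.getFilesDir(), SHARED_DIR);
        dir.mkdirs();
        return dir;
    }

    // Share a file as a content:// URI. A file:// URI would not resolve in another profile
    // and would expose the app's private path.
    public static boolean shareAttachment(Activity activity, File file, String mimeType)
            throws IOException {
        File shared = shareableDir(activity).getCanonicalFile();
        if (!file.getCanonicalFile().getPath().startsWith(shared.getPath() + File.separator)) {
            return false;   // outside the shareable directory; FileProvider would throw anyway
        }
        Uri uri = FileProvider.getUriForFile(activity, AUTHORITY, file);
        Intent send = new Intent(Intent.ACTION_SEND)
                .setType(mimeType)
                .putExtra(Intent.EXTRA_STREAM, uri)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);   // read access, this URI only
        // Intents do not cross profiles unless the administrator allowed them: resolve first,
        // otherwise startActivity() throws ActivityNotFoundException
        if (send.resolveActivity(activity.getPackageManager()) == null) {
            return false;   // no handler in this profile; tell the user policy blocks it
        }
        activity.startActivity(Intent.createChooser(send, "Share attachment"));
        return true;
    }

    // DPC side (profile owner): let the personal dialer handle ACTION_DIAL from work apps.
    // ACTION_SEND is deliberately not forwarded, so work data stays inside the work profile.
    public static void allowDialFromWork(Context context, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        IntentFilter dial = new IntentFilter(Intent.ACTION_DIAL);
        dial.addCategory(Intent.CATEGORY_DEFAULT);
        dial.addDataScheme("tel");
        // FLAG_PARENT_CAN_ACCESS_MANAGED: activities in the personal (parent) profile may
        // receive intents sent from the managed profile
        dpm.addCrossProfileIntentFilter(admin, dial,
                DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED);
    }
}
```

The canonical-path check is belt and braces: FileProvider refuses paths outside the declared tree on its own, but checking first lets the app give the user a clear answer instead of catching an IllegalArgumentException.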

testing an app for Work

side loaded app gets installed on both profiles
delete app from unwanted profile
sample app: BasicManagedProfile


testing an app for Work using adb

adb shell pm list users
(lists the personal user and the work profile with their numeric ids)
adb shell am start --user <user_id> -n <package>/<activity>
(starts the app in the chosen profile)


COSU

corporate-owned single-use devices

kiosk
point of sale
ticket printing
enterprise app tablet


screen pinning

app is pinned to screen
Home and Recents buttons are disabled
exit by pressing Home and Recents together
available since Lollipop


lock the screen

only whitelisted apps
available in Device Owner mode
Home and Recents buttons are hidden
only the app itself can release


lockTask

Activity.startLockTask()
Activity.stopLockTask()
onResume, onPause

DevicePolicyManager.isLockTaskPermitted(pkg)


the lockTaskMode attribute

if_whitelisted
always
normal


whitelist apps for task lock

DevicePolicyManager.setLockTaskPackages()
called by EMM
or DPC app


additionally COSU app could

keep screen always on
prevent device from locking
disable status bar
become default launcher

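The COSU slides (screen pinning versus lock task, the lockTaskMode attribute, setLockTaskPackages, and the extras a kiosk app wants) fit together in two pieces: the device owner whitelists the kiosk package and makes it the launcher, and the kiosk activity enters lock task mode on resume. The code below is an added example for this page, not the deck's demo; the class names and the manifest fragment are assumptions.

```java
import android.app.Activity;
import android.app.ActivityManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.BatteryManager;
import android.os.Build;
import android.os.Bundle;
import android.os.UserManager;
import android.provider.Settings;
import android.view.WindowManager;

// Hypothetical kiosk setup; package and class names are assumptions.
public final class Kiosk {

    // DPC side (device owner): whitelist the kiosk app and make it the launcher.
    public static void enable(Context context, ComponentName admin, ComponentName kioskActivity) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Only packages in this list may enter lock task mode without a user prompt
        dpm.setLockTaskPackages(admin, new String[] {kioskActivity.getPackageName()});
        // Persistent preferred HOME activity: pressing Home, or rebooting, lands in the kiosk
        IntentFilter home = new IntentFilter(Intent.ACTION_MAIN);
        home.addCategory(Intent.CATEGORY_HOME);
        home.addCategory(Intent.CATEGORY_DEFAULT);
        dpm.addPersistentPreferredActivity(admin, home, kioskActivity);
        // Screen stays on while powered; safe mode cannot be used to bypass the launcher
        dpm.setGlobalSetting(admin, Settings.Global.STAY_ON_WHILE_PLUGGED_IN,
                String.valueOf(BatteryManager.BATTERY_PLUGGED_AC | BatteryManager.BATTERY_PLUGGED_USB));
        if (Build.VERSION.SDK_INT >= 23) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT);
        }
    }

    /*
     * Kiosk app side. Manifest (assumed):
     *   <activity android:name=".KioskActivity" android:lockTaskMode="if_whitelisted">
     *     <intent-filter>
     *       <action android:name="android.intent.action.MAIN"/>
     *       <category android:name="android.intent.category.HOME"/>
     *       <category android:name="android.intent.category.DEFAULT"/>
     *     </intent-filter>
     *   </activity>
     */
    public static class KioskActivity extends Activity {

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
        }

        @Override
        protected void onResume() {
            super.onResume();
            DevicePolicyManager dpm =
                    (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
            ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
            if (isLocked(am)) {
                return;                    // already in lock task mode
            }
            if (dpm.isLockTaskPermitted(getPackageName())) {
                startLockTask();           // whitelisted: Home/Recents hidden, no user exit
            }
            // Not whitelisted: startLockTask() would only give screen pinning, which the user
            // can leave with Home+Recents, so the activity stays unpinned and reports it instead
        }

        // Release is only possible from inside the app, e.g. behind an administrator login.
        public void adminUnlock() {
            stopLockTask();
        }

        private static boolean isLocked(ActivityManager am) {
            if (Build.VERSION.SDK_INT >= 23) {
                return am.getLockTaskModeState() != ActivityManager.LOCK_TASK_MODE_NONE;
            }
            return am.isInLockTaskMode();  // deprecated from 23; the only check on Lollipop
        }
    }
}
```

Disabling the status bar (setStatusBarDisabled) belongs with the device-owner lockdown shown earlier and is not repeated here. The difference the slides draw is visible in onResume: the same startLockTask() call yields an exit-proof lock only when the device owner has whitelisted the package, and plain screen pinning otherwise.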

Google EMM API


procedure (Google EMM API)

sign up for Google EMM API
implement DPC
publish DPC on Google Play
connect your EMM to Google
get approved as EMM provider

Google Mobile Management

select EMM provider:
sign up for Google Apps for Work
enable Android for Work
select Google Mobile Management as EMM provider


Google Mobile Management console

view users, devices, apps
assign apps
Google Play for Work


conclusion

Android administration methods
sample management app
useful enterprise scenarios
sample App for Work
intro to Google services

resources
http://darkbluesystems.com/emm/


questions?
http://google.com/+RimKhazhin
