[Article] An Introduction to the App Management Capabilities in WSO2 Enterprise Mobility Manager
- Kamidu Sachith Punchihewa
- Senior Software Engineer - WSO2
Table of contents
- Introduction
- Application management components
- Application lifecycle management
- Install application to enrolled devices
- Monitoring the installed application on enrolled devices
- Allow listing and deny listing applications (applicable from EMM 2.1.0 and above)
- Conclusion
- References
Introduction
The two main components of WSO2 Enterprise Mobility Manager (WSO2 EMM) are mobile device management and mobile application management. Setting up WSO2 EMM can be done by following the “Getting Started” guide as mentioned in the documentation. This article mainly focuses on the mobile application management capabilities of WSO2 EMM.
When monitoring and managing devices in an organization, monitoring an application on the device and maintaining it in-house is required in order to have a complete control of the organization’s devices and confidential information. WSO2 EMM ships with a separate app store and an app publisher along with application management features in order to provide end-to-end application management capabilities.
Application management components
WSO2 EMM contains three major components that enable mobile application management capabilities.
- App Publisher - Enables the organization to easily publish their apps, share documentation, and gather feedback on the quality and usage of apps.
- App Store - Enables device owners to easily access web applications to self-register, discover apps, subscribe to apps, and evaluate them. It also enables administrators to push install requests of a published app to selected devices.
- Policy Management - Enables administrators to check the installed applications on the enrolled devices and include allow listed and deny listed applications for devices. Policy Management is powered by WSO2 Connected Device Management Framework.
The above three components in WSO2 EMM help to provide end-to-end mobile application management.
Application lifecycle management
This refers to the process of publishing a mobile application to the app store, and maintaining the application in the store is managed under the application lifecycle management. When a developed mobile application needs to be published to the app store it needs to be iterated through a few states and then get approved by authorized users. This process is described using Figure 1. The states of an application is described in Table 1.
| State | Description |
|---|---|
| In Review | Initial state when developers submit their applications to the publishers. |
| Approved | The application is moved to this stage when a user with permission approves the application after reviewing it. |
| Rejected | If a user with permissions rejects the application after reviewing, the application is moved to this stage. |
| Published | After obtaining approval by a relevant user, another user with publishing permissions can publish the application. All the published applications will be in this stage. |
| Unpublished | A user with permission can un-publish an application that’s already published. All the unpublished applications will be moved to this stage. These applications will be removed from the store until they are published again. |
| Deprecated | If a user deprecates an application, those will be moved to this stage. These applications will be removed from the store. |
Table 1: States of the app life cycle
Table 1 describes the status of the application life cycle that’s supported by WSO2 EMM. The state transition is represented in Figure 1 given below.
Figure 1: Application lifecycle
As shown in Figure 1, a developer can create mobile applications (either Android or iOS) and submit it to the publisher. You can log into the publisher web app by simply visiting https://<YOUR_DOMAIN>/publisher URL. In order to successfully create a mobile application, you can follow the instructions given in “Creating an Android Application” guide and “Creating an IOS Application” guide accordingly.
After a developer submits the mobile application for review, any user with app approval permission can approve the application or reject the application accordingly. When a user with the related permissions logs in to the publisher, they can see a list of applications in the “In Review” state as shown in Screen Capture 1.
Screen Capture 1: In Review application view
Users can simply approve an application by clicking on the Approve button on the action column or reject an application by clicking on the Reject button on the action column. This will result in the application changing the state to approved or rejected accordingly.
Approved applications will be listed to be published in approved state. These applications will be listed as shown below in Screen Capture 2, when a user with permission logs in to the publisher.
Screen Capture 2: Approved application view
Authorized users can publish the approved applications by clicking on the Publish button in the action column or delete and remove the application by clicking on the Delete button in the action column. After publishing an application, applications can be viewed in the app store. Users can login to the store using https:<your_domain>/store URL. Published applications are listed in the app publisher as shown in Screen Capture 3 and published applications are listed in the app store as shown in Screen Capture 4.
Screen Capture 3: Published application view
Screen Capture 4: Published application in store
All published applications can be unpublished by users with permission by simply clicking on the Unpublish button in the action column or deprecate the application by clicking on the Deprecate button in the action column. Applications that are deprecated or unpublished will not be visible in the application store. All unpublished applications can be republished when needed by simply clicking the Republish button in the action column of the unpublished application view shown in Screen Capture 5. Deprecated applications cannot be published again, but they can be either deleted or retired by clicking the Delete button or Retire button accordingly.
All the actions and the state changes according to the action are represented in Figure 1. Organizations can maintain their applications and versions according to the life cycle support provided by WSO2 EMM. For more information about application lifecycle management please refer to the “Mobile Application Lifecycle Management” guide.
Screen Capture 5: Unpublished application in store
Following the above-mentioned actions, users can manage the lifecycle of their mobile applications using WSO2 EMM.
Install application to enrolled devices
Device administrators can send application install requests to enrolled devices using the app store. To successfully send application installation requests, device administrators need to follow the steps below:
Login to the app store and select the application that needs to be installed to the enrolled devices. Users will have two options of installing a mobile application as shown in Screen Capture 6.
Screen Capture 6: Web application view in store with two options of installations
Install
Here the list of devices enrolled will be listed. The user can select the devices that need to install the application from the listed devices. Refer to Screen Capture 7 for a sample view of the device selection.
Screen Capture 7: Enrolled device selection view for app installation
Enterprise install
Here the user has the option to install the application to all devices owned by users with a selected role as shown in Screen Capture 8 or the user has the ability to push the app installation request to all devices enrolled under select users as shown in Screen Capture 9.
Screen Capture 8: Enterprise installation option by role selection
Screen Capture 9: Enterprise installation option by user selection
From the two options of app installation given above, an application installation request will be sent to the related device and by accepting the request the application will be installed to the device.
Monitoring the installed application on enrolled devices
WSO2 EMM provides the ability to monitor installed mobile applications on enrolled mobile devices. In each device, in the detail view, there is a tab to view the list of installed applications on the device as in Screen Capture 10. The device owners and administrators can see what kind of application is installed in the device. If there is any application that might harm the organization’s data or break rules and regulations of the organization, they can take action to prevent an incident.
Screen Capture 10: View list of installed applications on a device
Allow listing and deny listing applications (applicable from EMM 2.1.0 and above)
Allow listing and deny listing application is enabled through the WSO2 EMM policy management component where administrators have the ability to enforce application allow listing or application deny listing policies under application restriction policies. In order to configure a policy that holds application deny listing or allow listing details, administrators have to create a policy using the policy generation wizard in WSO2 EMM.
Administrators can simply create a policy and enable the applications restrictions and select deny listing or allow listing from the dropdown as shown in Screen Capture 11.
Screen Capture 11: Enable application restrictions in policy
Administrators can provide the list of applications that need to be managed by the policy by utilizing the controllers under the above-mentioned dropdown menu as shown in Screen capture 12.
Screen Capture 12: Sample application list for deny listing
Then administrators have to follow the same method as publishing a policy to devices to activate the allow listing or deny listing of applications defined in the policy above. To have more depth in understanding on managing policies using WSO2 EMM refer to the “Managing Policies” guide.
How application deny listing works
When a policy with deny listing application list is enforced to a device, applications that are listed on the deny list will not be available to the device user. When the user tries to utilize an application that’s deny listed, the application will be terminated and the user will be provided with a warning message from the WSO2 agent.
How application allow listing works
When a policy with a allow listed application list is enforced to a device, applications that are not mentioned in the provided list will be unavailable to the user. When a user tries to utilize an application that’s not listed under the allow list applications, the user will be provided with a warning and the application will be terminated.
Conclusion
WSO2 EMM has the capability of managing application lifecycle, monitoring, and enforcing restrictions to installed applications in enrolled devices. The app management capabilities comes with an app publisher and app store that allows the organization to manage their applications and lifecycle. In addition, the policy management capability allows administrators to monitor and manage the applications installed in the enrolled devices as well.
References
- [1] https://docs.wso2.com/display/EMM200/Managing+Policies
- [2] https://docs.wso2.com/display/EMM200/Creating+Mobile+Applications
- [3] https://docs.wso2.com/display/EMM200/Mobile+Application+Lifecycle+Management
- [4] https://wso2.com/library/articles/2015/08/article-application-life-cycle-management-with-wso2-app-manager/