2014/03/04

How WSO2 EMM addresses the Android challenge

  • Kasun Delgolla
  • Senior Software Engineer - WSO2
Archived Content
This article is provided for historical perspective only and may not reflect current conditions. Please refer to the relevant product page for more up-to-date product information and resources.

Table of contents

  1. Introduction
  2. WSO2 EMM - Android device management
  3. Enrollment process
  4. Android EMM Agent features
  5. Summary
  6. References

Introduction

The world of mobility is changing rapidly as people start to think mobile first. They bring their personal mobile devices to work and prefer to use them to keep track of corporate data as well. As a result, the BYOD (Bring Your Own Device) concept was introduced, and with it the distinction between BYOD and COPE (Corporate Owned, Personally Enabled) devices in the corporate world.

This prompted the mobile industry to come up with technologies such as mobile device management (MDM). Android and iOS currently lead the enterprise mobile sector, together holding more than 80% of the market. Of the two, iOS has operating-system-level MDM capabilities, while Android is somewhat behind because it is open source and faces many security challenges. This article explains how WSO2 MDM manages Android devices.

WSO2 EMM - Android device management

WSO2 EMM contains a back-end application, the WSO2 MDM Console, whose management console lets the user view device information, monitor device status, perform operations on devices (discussed later in this article), define and assign policies, and perform group operations that affect multiple devices across multiple user groups and roles.

Figure 1: WSO2 MDM console

To manage Android devices with WSO2 EMM, you need to set up the EMM server [1] by following the Getting Started guide, and the WSO2 Agent application must be installed on each device. The application then communicates with the MDM server, performs all operations, and handles monitoring. It uses Google Cloud Messaging (GCM) [2] as the messaging protocol and has a listener for GCM messages: as soon as the device receives a message from GCM, the application is activated and performs the requested operation on the device.

Figure 2: WSO2 Agent Messaging protocol

Now let’s see how to get your device enrolled to WSO2 MDM.

Enrollment process

1. Download the Agent application using the link provided in the WSO2 MDM invitation email.

2. After the download is completed, install the application to the device.

Figure 3a: Installation permissions

Figure 3b: After installation

Before the user proceeds with the installation, the device shows the capabilities (permissions) the application requests. These permissions can be configured according to the organization's requirements; the set of operations the MDM Agent can perform is fully configurable.

3. After installation, open the WSO2 Agent. It will ask for the MDM server address. If the default address is incorrect, you can provide the correct address and click on “Start Registration”.

Figure 4: Setting server address

4. A prompt will ask you to confirm that the MDM server address you entered is correct. If it is, click “Yes”.

Figure 5: Server address confirmation

5. Enter your user credentials, select BYOD or COPE depending on whether the device is your personal device or company owned, and click “Register”.

Figure 6a: Authentication

Figure 6b: Confirmation

6. If you selected “BYOD” as the type, the BYOD policy is displayed as a policy agreement; click “Agree” to proceed. If you selected “COPE”, no policy agreement is displayed and the process proceeds directly to the next step.

Figure 7a: Agreement

Figure 7b: Accept the license

7. When you agree to the policy agreement, you will be asked to set a PIN code of at least four characters. This PIN code protects your device against critical operations such as a device reset (wipe): to wipe the device from the MDM console, you must provide the PIN code you set in the MDM Agent. The PIN code is never sent to the server and is stored only locally, in the MDM Agent application.

Figure 8: Setting PIN code

8. The MDM application then asks the user to activate the device administrator. This registers the application as a device administrator, so the MDM Agent can perform administrative tasks such as changing or clearing the device screen-lock password, wiping the device and setting password policies. Click “Activate” to activate the device administrator.

Figure 9: Activating device administrator

9. You are now enrolled with WSO2 MDM; at any time you can unregister by clicking the “Unregister” button.

Figure 10: Register success screen
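The two security-relevant steps of the enrollment flow, the locally stored wipe PIN from step 7 and device-administrator activation from step 8, as an added Java example; this is not the WSO2 agent's own code. The class name `AgentDeviceAdminReceiver`, the preference file and key names, and the PBKDF2 iteration count are assumptions, and the example stores the PIN as a salted hash in the app's private preferences rather than in clear text.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.util.Base64;

import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Device-admin callbacks (hypothetical class name). Must be declared in the manifest with the
 *  BIND_DEVICE_ADMIN permission and a device_admin policy XML listing wipe-data and the other
 *  policies the agent uses; otherwise DevicePolicyManager calls throw SecurityException. */
public class AgentDeviceAdminReceiver extends DeviceAdminReceiver {
    @Override
    public void onEnabled(Context context, Intent intent) {
        // From here on the agent may call DevicePolicyManager with this ComponentName.
    }

    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        // Text the system shows before the user can deactivate the administrator.
        return "Deactivating the agent removes corporate management from this device.";
    }
}

class EnrollmentSecurity {
    private static final String PREFS = "agent_prefs";        // constructed preference file name
    private static final String KEY_SALT = "wipe_pin_salt";   // constructed key names
    private static final String KEY_HASH = "wipe_pin_hash";
    private static final int MIN_PIN_LENGTH = 4;              // "4+ characters" from step 7
    private static final int PBKDF2_ITERATIONS = 10000;       // assumed work factor
    static final int REQUEST_ENABLE_ADMIN = 1;

    /** Step 8: ask the user to activate the agent as a device administrator. */
    static void requestDeviceAdmin(Activity activity) {
        ComponentName admin = new ComponentName(activity, AgentDeviceAdminReceiver.class);
        DevicePolicyManager dpm =
                (DevicePolicyManager) activity.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm.isAdminActive(admin)) {
            return;                                           // already activated
        }
        Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Needed for remote lock, password policy and device wipe.");
        activity.startActivityForResult(intent, REQUEST_ENABLE_ADMIN);
    }

    /** Step 7: keep the wipe PIN on the device only, as a salted PBKDF2 hash. */
    static boolean setWipePin(Context context, String pin) {
        if (pin == null || pin.length() < MIN_PIN_LENGTH) {
            return false;
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        context.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
                .putString(KEY_SALT, Base64.encodeToString(salt, Base64.NO_WRAP))
                .putString(KEY_HASH, Base64.encodeToString(hashPin(pin, salt), Base64.NO_WRAP))
                .apply();
        return true;
    }

    /** Wipe only when the supplied PIN matches the enrolled one; with no PIN enrolled, refuse. */
    static boolean wipeIfPinMatches(Context context, String suppliedPin) {
        SharedPreferences prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String saltB64 = prefs.getString(KEY_SALT, null);
        String hashB64 = prefs.getString(KEY_HASH, null);
        if (saltB64 == null || hashB64 == null || suppliedPin == null) {
            return false;
        }
        byte[] salt = Base64.decode(saltB64, Base64.NO_WRAP);
        byte[] expected = Base64.decode(hashB64, Base64.NO_WRAP);
        if (!MessageDigest.isEqual(hashPin(suppliedPin, salt), expected)) {  // constant-time compare
            return false;
        }
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.wipeData(0);                                      // factory reset; needs the wipe-data policy
        return true;
    }

    private static byte[] hashPin(String pin, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pin.toCharArray(), salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```

`requestDeviceAdmin` is called from the enrollment activity; the result of the system dialog arrives in `onActivityResult` with `REQUEST_ENABLE_ADMIN`, and the agent should re-check `isAdminActive` there rather than assume the user tapped “Activate”. Because the PIN never leaves the device, a wipe request arriving from the server can only succeed if the PIN is supplied locally, which is the protection step 7 describes.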

Android EMM Agent features

  1. Retrieve device information
    • Retrieving device information and providing a device level real-time overview. Information includes
      • Device battery level as a percentage
      • Total and available internal memory
      • Total and available external memory
      • Mobile operator
      • Device location (longitude, latitude)
    • All the static information will be retrieved in the device registration process itself, namely
      • Device name
      • IMEI number
      • IMSI number
      • MAC address
      • User information
      • Device OS version
      • OEM information
  2. Retrieve device installed Application information
    • Retrieving a list of all the applications installed on the device; the information includes the application name and package name of each application
  3. Device lock
    • Remotely lock the device so that the user cannot access any other functions
  4. Change lock code
    • Change the lock code of the device in case the user forgets his/her existing passcode or in a special scenario where the user has to remotely lock the device with a passcode
  5. Clear passcode
    • Clear the lock code of the device in case the user forgets his/her existing passcode
  6. Password policy enforcement
    • This feature enables enforcing policies that improve the quality and strength of the device lock password. The same password is used by features such as device encryption. Customizable password policies are as follows
      • Minimum length
      • Alphanumeric password required
      • Complex password required (Must contain a letter, digit and a special character)
      • Minimum number of symbols (special characters) required
      • Password expiration timeout
      • Password history restriction
      • Maximum failed password attempts
  7. Set WIFI
    • This enables WIFI access on the device; the administrator can push WIFI settings to the MDM Agent, and the device automatically configures the WIFI network and activates the configured account
  8. Send Message to device
    • The MDM administrator can send messages to the device; the MDM Agent captures each message and displays it to the user
  9. Disable/Enable camera
    • Enable/Disable camera of the device. When it is disabled, the user cannot use the device camera since it will be locked by the MDM Agent
  10. Wipe data
    • Wiping a device resets it to its factory default configuration, which removes all personal data and third-party applications from the device. Since this operation is critical, the MDM Agent has a PIN code setting to protect it from misuse. During device registration the user is prompted to set a preferred PIN code, which can be changed later from the MDM Agent settings menu. This PIN setting can also be customized according to the type of user (BYOD/non-BYOD)
  11. Encrypt device storage
    • Encrypts the device application data and storage area. This uses the same screen lock password, and to enable encryption the password must be strong, at least 6 characters long. Once encryption is enabled, the user is asked for the password after a reboot or when the device is locked, in order to access the encrypted storage area
  12. Mute device
    • Mute the device by setting the device on silent mode
  13. Install web clips
    • Creates home screen shortcuts for web links. An icon image, web clip name and the link are passed to the device, and the shortcut is created as an application on the home screen that opens in the device web browser
  14. Monitor device location
    • The device’s location will be tracked by retrieving device longitude and latitude. Device location will be shown on a Google map where the user can track the device easily
  15. Install applications
    • Applications can be installed on the device by passing the application URL. The MDM Agent downloads the application to the device and installs it automatically. The installation prompts the user to accept or reject the request, and the application is installed only after the user's acceptance
  16. Uninstall applications
    • Applications can be uninstalled from the device by package name. The user will be prompted with a message to accept/reject uninstallation requests. If the user accepts, then the application will be uninstalled from the device
  17. Google Play Store integration
    • Applications from Google Play Store can be directly installed on the device through the MDM console. The user will be automatically directed to the Google Play Store application installation screen where the user can simply do the installation with a click of a button. To complete this task, a Google account must be configured on the respective device
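How the agent-side enforcement of features 3, 6, 9 and 11 maps onto Android's `DevicePolicyManager`, as an added Java example rather than the WSO2 agent's own code. `AgentDeviceAdminReceiver`, `PasswordPolicy` and `PolicyEnforcer` are hypothetical names, the policy values are constructed samples, and each call requires the matching `<uses-policies>` entry in the device-admin policy XML.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

import java.util.concurrent.TimeUnit;

/** Minimal admin receiver so the ComponentName below resolves (hypothetical name). */
class AgentDeviceAdminReceiver extends DeviceAdminReceiver {}

/** One field per customizable item of feature 6 (hypothetical type; values are constructed samples). */
class PasswordPolicy {
    int minLength = 8;
    boolean alphanumeric = true;
    boolean complex = false;          // letter, digit and special character required
    int minSymbols = 1;               // only meaningful together with complex
    long expirationDays = 90;
    int historyLength = 5;            // previous passwords that may not be reused
    int maxFailedAttempts = 10;       // device is wiped after this many failures
}

class PolicyEnforcer {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    PolicyEnforcer(Context context) {
        dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(context, AgentDeviceAdminReceiver.class);
    }

    /** Feature 6. Returns false when the current password does not yet meet the new policy;
     *  the user then has to change it before the device is compliant. */
    boolean applyPasswordPolicy(PasswordPolicy p) {
        requireAdmin();
        int quality = DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
        if (p.complex) {
            quality = DevicePolicyManager.PASSWORD_QUALITY_COMPLEX;
        } else if (p.alphanumeric) {
            quality = DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC;
        }
        dpm.setPasswordQuality(admin, quality);
        dpm.setPasswordMinimumLength(admin, p.minLength);
        if (quality == DevicePolicyManager.PASSWORD_QUALITY_COMPLEX) {
            dpm.setPasswordMinimumSymbols(admin, p.minSymbols);   // ignored for lower qualities
        }
        dpm.setPasswordExpirationTimeout(admin, TimeUnit.DAYS.toMillis(p.expirationDays));
        dpm.setPasswordHistoryLength(admin, p.historyLength);
        dpm.setMaximumFailedPasswordsForWipe(admin, p.maxFailedAttempts);
        return dpm.isActivePasswordSufficient();
    }

    /** Feature 3: lock the screen immediately; the user must enter the lock code to continue. */
    void lockDevice() {
        requireAdmin();
        dpm.lockNow();
    }

    /** Feature 9: a disabled camera is unavailable to every app on the device, not just the agent. */
    void setCameraDisabled(boolean disabled) {
        requireAdmin();
        dpm.setCameraDisabled(admin, disabled);
    }

    /** Feature 11: request storage encryption. The screen-lock password doubles as the
     *  encryption password, so the 6-character minimum from the feature list is enforced first. */
    int requestStorageEncryption() {
        requireAdmin();
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            return DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
        }
        if (dpm.getPasswordMinimumLength(admin) < 6) {
            dpm.setPasswordMinimumLength(admin, 6);
        }
        // Returns ENCRYPTION_STATUS_ACTIVATING / ACTIVE / INACTIVE; INACTIVE after a request means
        // the user still has to set a qualifying password and reboot.
        return dpm.setStorageEncryption(admin, true);
    }

    private void requireAdmin() {
        if (!dpm.isAdminActive(admin)) {
            throw new IllegalStateException("device administrator not active (enrollment step 8)");
        }
    }
}
```

The return value of `applyPasswordPolicy` is the check a console should surface: pushing a policy does not change the existing password, so a device stays non-compliant until the user sets one that satisfies the new quality, length and symbol requirements. Likewise `requestStorageEncryption` only requests encryption; the status it returns tells the agent whether a qualifying password and a reboot are still outstanding.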

Summary

The corporate world is changing to a mobility-oriented structure. Therefore it’s important to let employees use their own mobile devices in the corporate as well, i.e. for enterprises to embrace the BYOD and COPE concepts. Especially when it comes to BYOD devices, there should be some level of control by the corporate to manage these devices in a way that ensures data security. When it comes to the Android platform, this task is extremely hard because the Android platform is still not enterprise friendly. WSO2 EMM addresses this problem by introducing mobile device management capability for the Android platform, which enables full control over Android devices without harming personal user experience.

References

[1] WSO2 EMM Documentation

[2] Developer.android.com
