Android For Work

Ken Yee

Upload: ken-yee

Post on 08-Feb-2017


Page 1: Android forwork

Ken Yee

Android For Work

Page 2: Android forwork

Overview

• What is Android for Work?
• App Changes to Support Android for Work
• Testing Apps for Android for Work

Page 3: Android forwork

TL;DR for Android for Work

• Encrypted Devices w/ Security Updates Commitment
• IT Mobile Device Configuration Management via EMM (Enterprise Mobility Management)
• Work-Only App/Data Sandbox via SELinux
• Private App Store
• COSU (Corporate-Owned, Single-Use) aka Kiosk Mode

Page 4: Android forwork

Device Policy Configurables

• Remote Lock/Wipe
• PIN Complexity/Rotation
• VPN/Wireless Setup
• Apps Allowed in Sandbox
• Lock Out USB/SD/Widgets/Root/GPS/Clipboard/Share
• https://support.google.com/a/answer/1408902

Page 5: Android forwork

USER EXPERIENCE

Page 6: Android forwork

Modifying Apps for Android for Work

Page 7: Android forwork

Sandbox’isms

• IT can prevent Intents from crossing the sandbox boundary or lock out System Apps
  - always call Intent.resolveActivity() before starting the Intent
• Separate storage area so URIs aren’t the same
  - use Content URI from FileProvider instead of File URI
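Both rules from this slide combined in one helper, as an added example that is not from the original slides. The class name, method name and the `.fileprovider` authority suffix are assumptions; the authority must match a FileProvider `<provider>` entry (with its `<paths>` XML) in your own manifest.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;

/** Hypothetical helper: open a private file in another app, work-profile safe. */
public final class SandboxSafeViewer {
    // Assumption: manifest declares a FileProvider with authority "<package>.fileprovider"
    private static final String AUTHORITY_SUFFIX = ".fileprovider";

    private SandboxSafeViewer() {}

    /** @return true if a handler was found and started, false if policy or config blocked it */
    public static boolean viewFile(Activity activity, File file, String mimeType) {
        Uri contentUri;
        try {
            // content:// URI instead of file://, so the receiver never needs
            // direct access to this profile's separate storage area
            contentUri = FileProvider.getUriForFile(
                    activity, activity.getPackageName() + AUTHORITY_SUFFIX, file);
        } catch (IllegalArgumentException e) {
            // File lies outside the directories listed in the provider's <paths> XML
            return false;
        }

        Intent intent = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(contentUri, mimeType)
                // Read-only, per-URI grant for whichever app handles the Intent
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);

        // IT policy may block the Intent from crossing profiles or disable the
        // system app that would normally handle it, so never assume a handler.
        // On Android 11+ this can also return null unless the manifest has a
        // matching <queries> element.
        if (intent.resolveActivity(activity.getPackageManager()) == null) {
            return false;
        }
        try {
            activity.startActivity(intent);
            return true;
        } catch (ActivityNotFoundException | SecurityException e) {
            // Handler was removed or blocked between the check and the launch
            return false;
        }
    }
}
```

On a `false` return the caller should show a fallback in the UI (for example, disable the "open with" action) instead of crashing.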

Page 8: Android forwork

Configurable Restrictions

• Runtime parameters that show up in IT/EMM Admin UI for your App
• Defined via Manifest to point to an XML file:

<application ... >
    <meta-data
        android:name="android.content.APP_RESTRICTIONS"
        android:resource="@xml/app_restrictions" />
    ...
</application>

Page 9: Android forwork

Restrictions XML File

<?xml version="1.0" encoding="utf-8"?>
<restrictions xmlns:android="http://schemas.android.com/apk/res/android" >

    <restriction
        android:key="downloadOnCellular"
        android:title="App is allowed to download data via cellular"
        android:restrictionType="bool"
        android:description="If 'false', app can only download data via Wi-Fi"
        android:defaultValue="true" />

</restrictions>

Page 10: Android forwork

Check Restrictions

RestrictionsManager restrictionsMgr =
        (RestrictionsManager) getActivity().getSystemService(Context.RESTRICTIONS_SERVICE);

// Restrictions currently set for this app by the EMM
Bundle appRestrictions = restrictionsMgr.getApplicationRestrictions();

// KEY_RESTRICTIONS_PENDING == true: restrictions are expected but have not arrived yet
if (appRestrictions.containsKey(UserManager.KEY_RESTRICTIONS_PENDING)
        && appRestrictions.getBoolean(UserManager.KEY_RESTRICTIONS_PENDING)) {
    Toast.makeText(getActivity(), "Not Configured", Toast.LENGTH_LONG).show();
    getActivity().finish();
}

boolean appCanUseCellular;

if (appRestrictions.containsKey("downloadOnCellular")) {
    appCanUseCellular = appRestrictions.getBoolean("downloadOnCellular");
} else {
    // here, cellularDefault is a boolean set with the restriction's
    // default value
    appCanUseCellular = cellularDefault;
}

Page 11: Android forwork

Listen for Restriction Changes

IntentFilter restrictionsFilter =
        new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);

BroadcastReceiver restrictionsReceiver = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
        // Get the current restrictions bundle
        Bundle appRestrictions = restrictionsMgr.getApplicationRestrictions();

        // Check current restrictions settings, change your app's UI and
        // functionality as necessary.
    }
};

registerReceiver(restrictionsReceiver, restrictionsFilter);

Page 12: Android forwork

COSU/Kiosk Mode

Page 13: Android forwork

Android 5.x vs. 6.x+

Android 5.x
• Home/Overview buttons visible but disabled
• User can exit app by hitting Home/Overview simultaneously
• Lockscreen happens

Android 6.x+
• Home/Overview buttons hidden on Android 6.x
• Exit by app calling stopLockTask
• Lockscreen never kicks in
• Can’t be modified in Safe Mode

Page 14: Android forwork

Enabling Kiosk in Android 6.0

<activity
    android:name=".KioskModeActivity"
    android:label="@string/kiosk_mode"
    android:launchMode="singleInstance"
    android:lockTaskMode="if_whitelisted"
    android:enabled="false">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>

Page 15: Android forwork

Testing your App

Page 16: Android forwork

Resources

• “BasicManagedProfile” for Intent testing in a Work sandbox
• “Test DPC” app for Restrictions sandbox testing
• “NFCProvisioning” app for kiosk mode testing
• Contact EMM Provider for Testing Console for end-to-end testing

Page 17: Android forwork

Decision Oriented Messaging

Thank You.

github: kenkyee