android forwork
TRANSCRIPT
Ken Yee
Android For Work
Overview • What is Android for Work?
• App Changes to Support Android for Work
• Testing Apps for Android for Work
TL;DR for Android for Work• Encrypted Devices w/ Security Updates Commitment
• IT Mobile Device Configuration Management via EMM
• Work-Only App/Data Sandbox via SELinux
• Private App Store
• COSU aka Kiosk Mode
Device Policy Configurables• Remote Lock/Wipe
• PIN Complexity/Rotation
• VPN/Wireless Setup
• Apps Allowed in Sandbox
• Lock Out USB/SD/Widgets/Root/GPS/Clipboard/Share
• https://support.google.com/a/answer/1408902
USER EXPERIENCE
Modifying Apps for Android for Work
Sandbox’isms• IT can prevent Intents crossing or lock out System Apps
always call Intent.resolveActivity()
• Separate storage area so URIs aren’t the same
use Content URI from FileProvider instead of File URI
Configurable Restrictions• Runtime parameters that show up in IT/EMM Admin UI for
your App
• Defined via Manifest to point to an XML file:
<application ... > <meta-data android:name="android.content.APP_RESTRICTIONS" android:resource="@xml/app_restrictions" /> ... </application>
<?xml version="1.0" encoding="utf-8"?> <restrictions xmlns:android="http://schemas.android.com/apk/res/android" >
<restriction android:key="downloadOnCellular" android:title="App is allowed to download data via cellular" android:restrictionType="bool" android:description="If 'false', app can only download data via Wi-Fi" android:defaultValue="true" />
</restrictions>
Restrictions XML File
RestrictionsManager restrictionsMgr = (RestrictionsManager) getActivity() .getSystemService(Context.RESTRICTIONS_SERVICE);
Bundle appRestrictions = restrictionsMgr.getApplicationRestrictions();
Check Restrictions
if ((appRestrictions.containsKey(UserManager.KEY_RESTRICTIONS_PENDING) && appRestrictions.getBoolean(UserManager.KEY_RESTRICTIONS_PENDING)) { Toast.makeText(getActivity(), “Not Configured”, LENGTH_LONG).show();
getActivity().finish(); }
boolean appCanUseCellular;
if (appRestrictions.containsKey(“downloadOnCellular") { appCanUseCellular = appRestrictions.getBoolean("downloadOnCellular"); } else { // here, cellularDefault is a boolean set with the restriction's // default value appCanUseCellular = cellularDefault; }
IntentFilter restrictionsFilter = new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);
Listen for Restriction Changes
BroadcastReceiver restrictionsReceiver = new BroadcastReceiver() { @Override public void onReceive(Context context, Intent intent) {
// Get the current restrictions bundle Bundle appRestrictions =
restrictionsMgr.getApplicationRestrictions();
// Check current restrictions settings, change your app's UI and // functionality as necessary.
} };
registerReceiver(restrictionsReceiver, restrictionsFilter);
COSU/Kiosk Mode
Android 5.x vs. 6.x+• Home/Overview buttons
visible but disabled
• User can exit app by hitting Home/Overview simultaneously
• Lockscreen happens
• Home/Overview buttons hidden on Android 6.x
• Exit by app calling stopLockTask
• Lockscreen never kicks in
• Can’t be modified in Safe Mode
<activity android:name=".KioskModeActivity" android:label="@string/kiosk_mode" android:launchMode="singleInstance" android:lockTaskMode="if_whitelisted" android:enabled="false"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.HOME"/> <category android:name="android.intent.category.DEFAULT"/> </intent-filter> </activity>
Enabling Kiosk in Android 6.0
Testing your App
Resources• “BasicManagedProfile” for Intent testing in a Work sandbox
• “Test DPC” app for Restrictions sandbox testing
• “NFCProvisioning” app for kiosk mode testing
• Contact EMM Provider for Testing Console for end to end testing