Most enterprises use devices that are customized for their requirement. For example having a custom android device that functions as a POS. In such situations organizations prefer to have and maintain custom firmwares or get device vendors to build a custom device to suite their requirement. For example apps or devices having the capability to sign their POS app with the vendor firmware signing key and install it on devices as a system app.
WSO2 EMM provides a separate service application that can be signed by a firmware signing key and installed on the devices as a system application alongside the EMM Agent application. This enables you to have better control over the devices registered with WSO2 EMM. Since this is a system app it provides system level capabilities, such as device firmware upgrade, reboot and enforcing security policies, and much more.
For more information on managing the system service Android application see the following subsections:
Table of Contents | ||
---|---|---|
|
Securing Communication
When the system service app is installed on a device that is registered with WSO2 EMM, the EMM Android Agent communicates with it to trigger system level operations from the WSO2 EMM server. The communication between the system service application and the Android agent is secured by two layers of protection as shown below:
Via the signature - The system will grant permission only if the requesting application is signed with the same certificate as the application that is declared in the permission.
Info For more information on securing the communication, see <permissions> on the Android Developer documents.
- Check the package name of the intent who makes the call to verify that it’s a request from the EMM Anroid agent.
Integrating WSO2 EMM and the system service application
Follow the steps given below to integrate the system service Android application with WSO2 EMM:
- Build the system service application.
- Download the source code.
- The system service app can not be built via the usual android developer SDK, as it requires access to developer restricted APIs. Therefore, you need to replace the existing
android.jar
file that is under the<SDK_LOCATION>/platforms/android-<COMPILE_SDK_VERSION>
directory with the explicitly builtandroid.jar
file that has access to the restricted APIs. Use the method given below:- Download the Android Open Source Project (AOSP) and build the source code to get the
jar
file for the required SDK level.
- Download the Android Open Source Project (AOSP) and build the source code to get the
- Open the system service application source code via Android Studio and clean build it as a usual android application.
Sign the system service.
Sign the application via the device firmware signing key. If you don’t have access to the firmware signing key, you have to get the system application signed via your device vendor.Info For more information of singing the system service, see Signing Your Applications.
Install the system service application by following any of the methods given below:
The system service application will be available out of the box with your firmware distribution, if you have your own firmware.
Copy the signed system service APK file to the
/system/priv-apps
directory of the device.When the device boots or restarts for the first time, it will automatically install the application as a system application.
Install the system service application externally via an Android Debug Bridge command.
Info For more information on how this takes place on WSO2 EMM, see Configuring the WSO2 EMM service application
Enable the system service invocations through the WSO2 EMM Agent application
Note Make sure to sign the EMM-Agent using the same device firmware signing key that was used to sign the System Service Application.
Navigate to the
Constants.java
class, which is in theorg.wso2.emm.agent.utils
package and configure theSYSTEM_APP_ENABLED
field as follows:Code Block public static final boolean SYSTEM_APP_ENABLED = true;
- Rebuild the EMM agent application.
Operations supported via the system service application
The following operations are supported via the system service application:
Device Reboot:Restart or reboot your Android device.
Firmware upgrade: Upgrade the firmware of Android devices.
Enforcing user restrictions: Restrict different functions on the user's device using this REST API. When adding a policy you will have the option of saving the user restriction policy or saving and publishing the user restriction policy.
Silent app installation, removal and update
Application installation, removal and update will be performed without the user's confirmation when the Android system service application is available on an Android device.
The operations will only be available for enterprise applications (apps that were created by your organization.) and for public applications (publicly available apps, such as free apps available online).