Most enterprises use devices that are customized for their requirement. For example having a custom android device that functions as a POS. In such situations most organizations prefer to have custom firmwares maintained by themselves or get device vendors to build custom device to suite their requirement. For example apps or devices having the capability to sign their POS app with the vendor firmware signing key and install it on devices as a system app.
WSO2 EMM provides a separate service application that can be signed by a firmware signing key and installed on the devices as a system application alongside the EMM Agent application. This enables you to have better control over the devices registered with WSO2 EMM. Since this is a system app it provides system level capabilities, such as device firmware upgrade, reboot and enforcing security policies and much more.
For more information on managing the system service Android application see following sections:
Securing Communication
When the system service app is installed on a device that is registered with WSO2 EMM, the EMM Agent application communicates with the system service to get the operation executed when a system level operation triggers from the WSO2 EMM server. The communication between the system service and the agent app is secured by two layers of protection as shown below:
Via the signature - A permission that the system grants only if the requesting application is signed with the same certificate as the application that is declared in the permission.
For more information on securing the communication, see <permissions> on the Android Developer documents.
- Check the package name of the agent who makes the call to verify that it’s a request from the EMM Agent application.
Integrating WSO2 EMM and the system service application
Follow the steps given below to configure the system service Android application with WSO2 EMM:
- Build the system service application.
- Download the source code.
- The system service app can not be built via the usual android developer SDK, as it requires access to developer restricted APIs. Therefore, you need to replace the existing
android.jar
file that is under the<SDK_LOCATION>/platforms/android-<COMPILE_SDK_VERSION>
directory with the explicitly builtandroid.jar
file having the access to the restricted APIs. Follow the method given below:- Download the Android Open Source Project (AOSP) and build the source code to get the jar file in the required SDK level.
- Open the system service app source code via the Android Studio and clean build it as a usual android application.
Sign the system service.
Sign the application via the device firmware signing key. If you don’t have access to the firmware signing key, you have to get the system application signed via your device vendor.For more information of singing the system service, see Signing Your Applications.
Install the system service application by following any of the methods given below:
The system service application will be available out of the box with your firmware distribution, if you have your own firmware.
Copy the signed system service APK file inside
/system/priv-apps
directory of the device.When the device boots or restarts for the first time, it will automatically install the app as a system application.
Install the system service application externally via an Android Debug Bridge command.
For more information on how this takes place on WSO2 EMM, see Configuring the WSO2 EMM service application
- Enable the system service invocations through the WSO2 EMM Agent application
Navigate to the
Constants.java
class, which is in theorg.wso2.emm.agent.utils
package and configure theSYSTEM_APP_ENABLED
field as follows:public static final boolean SYSTEM_APP_ENABLED = true;
- Rebuild the EMM agent application.
Operations supported via the system service application
The following operations are supported via the system service application:
Device Reboot
For more information on the device reboot REST API command, see Rebooting an Android Device.
Firmware upgrade
For more information on the firmware upgrade REST API command, see Upgrading Firmware of an Android Device via the REST API.
Enforcing user restrictions
For more information on the enforcing user restriction via the REST API, see Adding a User Restriction Policy on Android Devices.
Silent app installation/removal