Data Containerization for Android Device

WSO2 EMM enables you to register mobile devices via the BYOD or COPE device enrollment scenario. Data containerization allows you to have a separation between data. Therefore, if you are registering your device via the BYOD scenario you are able to have a clear separation between your personal data and the enterprise data. To understand the underlying concept clearly, take a look at the example given below.

Example:

MobX uses WSO2 EMM to manage and monitor the employees mobile devices and applications. Kim joins as the new marketing Manager and needs to register her personal mobile device with WSO2 EMM, but she is concerned because she doesn't want to expose the personal data on the device to the Organization. On the other hand, MobX is concerned about not letting the other applications installed in Kim's device to access the confidential enterprise data. For example, Kim has installed an application for enterprise docs on her device. This application has access to all the enterprise docs and the personal docs as they are all stored in the same location. Therefore, it is important to clearly separate the enterprise and personal data in a BYOD device enrollment scenario. Follow the steps given below to enable data containerization on your device.

Click here for more information on registering an Android device with data containerization, see End-user Registering an Android Device via the Managed Profile.

Follow the instructions given below to register an Android device once the EMM agent application downloads:

Open the downloaded file, and tap INSTALL.
Tap OPEN, once the WSO2 Android Agent is successfully installed.
Tap Setup Work-Profile to proceed with registering the Android device via the Work-Profile.
If you don't want to set up the work profile and prefer to proceed with the default Android device registration process, tap Skip and go to enrollment, and proceed to start the registration.
Tap SET UP.
Tap OK to confirm.
Tap UNINSTALL to uninstall the WSO2 EMM agent you downloaded previously.
Enter the server address based on your environment, in the text box provided. A confirmation message will appear.
- Developer Environment - Enter the server IP as your server address.
  Example: 10.10.10.123:9443
- Deployment Environment - Enter the domain as your server address.
  
  The Android Agent app's default port is 80. If you are using any other port or using port offset in EMM, the server address should state the new port in the following format: www.abc.com :<PORT>
  For example, if the port offset is 1 and you are using the 9763 port, the port will change to 9764. Therefore, in such a scenario an example server IP is as follows: 110.100.7.123:9764
Tap Yes to continue.
Enter your details and tap Register. A confirmation message will appear.
- Username - Enter the username provided in the email.
- Password - Enter the password provided in the email.
- Domain - Enter the domain only if the server is hosted with multi-tenant support.
- Ownership type - Select the corresponding device ownership option. This will customize the EMM behavior accordingly.
  - BYOD - Bring your own device.
  - COPE - Corporate owned personally enabled.
Tap Yes to continue.
- If you select BYOD, go to the preceding step - You will be shown a policy agreement, which you can either accept or reject.
  
  You will get access to EMM only if you accept the policy agreement.
- If you select COPE, proceed to activate the device administrator - As it's a corporate owned device, you will not be shown a policy agreement. You will have to adhere to the company policy.
Read the tenant policy agreement, and tap Agree to accept the agreement.
Set a PIN code of your choice with a minimum of 4 digits. The PIN code will be used to secure your personal data. Thereby, the EMM server will not be able to carry out critical operations on your personal data without using this PIN.
Example: If the EMM admin needs to wipe your device or remove data from the device, he/she can't do it without the providing the PIN code. This is added as a security measure to safeguard the data on your device. You have to provide the PIN code to get your device wiped or you can log into the EMM Console and wipe your device by entering the PIN code. Once the data is wiped off a confirmation message will appear.

You will be prompted to provide a PIN code only if your device is a BYOD device.
Confirm the PIN and click OK to continue.
Tap ACTIVATE to enable the EMM device administrator on your device. A confirmation message will appear after enabling the device admin.
You have now successfully registered you Android device. If you wish to unregister the registered device, click Unregister.

Once the registration process is complete, navigate to the launcher of your device. You will see that some applications are duplicated, with one set of the applications having a red icon. These applications are the ones used by WSO2 EMM.

The following subsections will provide details on how data containerization is achieved via the managed-profile feature.

Setting up the work profile

Data containerization for Android devices was implemented using the Managed Profile feature that is available on the Android devices that support the Android Lollipop OS or upwards. Let's take a look at the how data containerization works on WSO2 EMM.

When you download and install the Android Agent on your Android mobile device, the agent will check if the device supports the managed profile feature.
If the device supports the managed profile feature, the agent will prompt the user to set up the work profile before the installation.

Having the Android Lollipop OS version or above will not enable you to set up the work profile. The setup might fail because of the OS customizations that would have been done on some of the devices by the manufacturers.
Example: The managed-profile doesn't work as expected on Asus Zenfone 2 device that supports Android Lollipop.
Once the profile is set up, the EMM Agent is automatically copied into the new work profile. Therefore, WSO2 EMM will prompt you to uninstall the agent you downloaded previously as it was installed in the devices personal profile.
After setting up the work profile you need to follow the default steps to register an Android device with WSO2 EMM.
Once the registration process is completed, navigate to the launcher of the device and you will be able to see the application that are used by the worker profile and the personal profile. The applications having the red icon are used by the WSO2 EMM work profile.
- Using this approach, you don't have to switch between the personal profile and work profile as all the applications used by each profile is shown in the same launcher.
- Based on the underlying architecture, the profiles have their own storage locations that can not be accessed by each other.

Applying Android device operations

After registering your device with WSO2 EMM you can apply operations on a device.

Click here for more information on applying operations on a device.

Follow the instructions below to apply operations on your device via the EMM Console:

Sign in to the EMM Console.
Navigate to the Device Management page:
1. To navigate through the DASHBOARD page, click View under DEVICES.
2. Navigate using the menu:
  1. Click the menu icon.
  2. Click Device Management.
Click the registered device to navigate to the Device page, which has the Device Overview, Operations, and Device Details.
Click on the respective operation under Operations and provide the required details (if requested) to apply the selected operation on your device. For more details see, allowed device operations.

If you wish to get the device details follow the steps given below:

The Battery level, local storage, and the external storage device details can be retrieved from the details under Device Details in the Device page.

Additional information of each registered devices will be shown under separate sections within the Device page as listed below:

Description

Device Details

The following device information will be retrieved automatically when you register with EMM.

Device ID	The unique device identifier.
Name	This shows the name the user has given his/her device or the default name of the device (e.g., Kim's iPhone).
Model	Each mobile device is build to
Status	Defines if a device is active, inactive or removed.
Owner	The username of the device owner.
Ownership	Indicates if a device belongs to the Bring Your Own Device (BYOD) or Corporate-Owned, Personally-Enabled (COPE) ownership type.
IMEI	The International Mobile Station Equipment Identity (IMEI) number of all GSM devices. This is not applicable to devices that work without a SIM.
Last Update	The date and time that the device last communicated with the server.

Policy Compliance

If your device does not comply to certain criteria in the enforced policy, the aspects in which your device is none compliant will be highlighted under this section.

Device Location

Provide the location of your device.

Installed Application

A list of all the applications that have been installed on your device will be listed under this section.

Operation Log

A list of all the operations that have been carried out by you and its current status

For more information on the operations that can and can not be applied once data containerization is enabled, see below:

The EMM agent is the profile owner of the newly created work profile and only has control over it. Therefore, now the agent is unable to perform operations that affect the entire device, such as changing the device PIN and wiping data of the entire device.
If your Organization has imposed a policy to restrict the usage of the camera, you will not be able to use the camera application that is installed in the work profile. You will only be allowed to used the camera application that is installed in your personal profile.
The enterprise wipe operation will delete the enterprise related data along with the work profile on your device while keeping the personal data intact.