Good day
I'm looking to bring the EMM onboard in our already successful WSO2 environment but just need some help.
1) The latest EMM (2.0.0) seems to not be able to restrict/enforce the applications a device is allowed to have installed. I want to have only whitelisted apps installed on a device. Is this possible?
2) If a policy disables functionality e.g. the camera, all the user has to do is click on the app, deregister from EMM and bypass the policy as needed. After the user is done he/she can just register again. This does introduce the risk of a user installing unwanted software on a COPE device thus compromising the device.
3) If you have a COPE device registered and the user uninstalls the EMM app, do you lose all the monitoring functionality and control?
Thanks in advance for your assistance. :-)
Please see the answers in line.
1) That whitelisting and blacklisting part is still in progress. With a future release you should be able to block the Google play app, Apple app store app etc. and enforce only the whitelisted apps to your devices.
2) Yes, that is where the monitoring helps. It needs to track whether the user has removed the app or not. Anyway, if you have policies created in advance and assigned to roles with the enforce selection, even after they enroll again the policies should get pushed back to that device.
3) Yes it is. Especially in Android, it relies on this agent app. Other platforms like iOS will have the OS based MDM capability where this will not have any effect. Anyway, Android is also going towards the same profile concept in newer Android versions. Apparently we are going to support them in a future release. For the existing versions that is how Android has provided the APIs.
I want to set up all my devices as COPE. WSO2 EMM setup is complete and working fine. The only thing left is to sign the system service application with the firmware key. I am using Google devices only (Android One, Motorola G2). Where can I find the key and password to sign the application?
Is there any other alternative way to get the application signed?
As per documentation, "Sign the application via the device firmware signing key. If you don’t have access to the firmware signing key, you have to get the system application signed via your device vendor."
But I am not able to find the device firmware signing key.
Any guidance will be really helpful.
There are a couple of COPE enrollment types WSO2 IoT Server supports:
1. Device owner mode
2. Kiosk mode
3. System application
The first 2 options can be used with any out of the box Android device. However, the system app is targeted towards original equipment manufacturers (OEMs) who build Android devices and maintain their own Android versions. This means they maintain a version of the Android OS image and do the installation on some customer device. If you are an OEM, you should have these keys with you. If you are not an OEM and still need to use out of the box devices such as Motorola or Samsung to install the system app, you need to form a partnership with those vendors to get the system service app signed. Unless you need to perform operations such as reboot or firmware upgrade, you do not need the system service app. In that case I would recommend you go for option 1 or 2. What are the features that you are looking at? Also, it is best to seek WSO2 professional services if that's an option for you: https://wso2.com/contact/
I have admin rights in my WSO2 API Manager. It has a number of users, and they have a number of applications which they created themselves. As the admin, I need to remove some selected applications which were already created (approved) by other users. How can I do this in WSO2 API Manager 1.7 with the GUI? I can do this at the database level, but I am looking for a way of doing it with the GUI.
We cannot delete or update other users' applications in the WSO2 APIM with the graphical user interface up to now, even as the system admin. It's not a good practice to delete other user's account even by the admin. But there can be some practical scenarios, such as when a number of applications are created by different users but no one is using any of them. In such a situation the only possible way of removing those unwanted applications from APIM is to remove them from the database.
We hope this simple feature will also be given with GUI in future.
Check the API Store's API at https://docs.wso2.com/display/AM170/Store+APIs
There is an option to delete an application. But, AFAIK, it won't check whether that application has any active subscriptions (APIM versions such as 1.9.0 check it). So, this can cause problems to existing subscriptions, if any.
I want to create an iOS app to manage the devices that enroll, with the same functions as the webpage (monitor device status and push configurations to devices). Does EMM provide some API or SDK for development?
We do have APIs for every platform. Check here for iOS. Others are listed there as well.
You will need to get an account from Apple Developer. In order to manage apps and distribute them you will need this. Read the full doc and it will mention the provisioning of apps in the development portal.
I found two products open sourced on GitHub called MDM and EMM of WSO2.
I didn't completely get what the difference between them is.
WSO2 EMM is a unique mobile solution that is open source, user-friendly and distributed under the Apache Software License v2.0. WSO2 EMM includes two key aspects: Mobile Device Management (MDM) and Mobile Application Management (MAM). EMM enables organizations to secure, manage and monitor Android and iOS powered devices (e.g., smart phones, iPod touch devices and tablet PCs), irrespective of the mobile operator, service provider, or the organization. In addition, EMM also enables organizations to manage mobile application (app) life cycles via the Publisher, distribute mobile apps to users registered with EMM via the Store, and manage mobile apps (i.e., install and uninstall in bulk, blacklist, and more) via the EMM Console. EMM maintains a compliance monitoring process to detect devices that are non-compliant to the assigned policy. In addition, EMM supports SSO and multi-tenancy.
Documentation - https://docs.wso2.com/display/EMM110/WSO2+Enterprise+Mobility+Manager
Features - http://wso2.com/products/enterprise-mobility-manager/
Enterprise Mobility Management (EMM) is the term for the comprehensive security and enablement platforms that are evolving specifically for mobility. Mobile Device Management (MDM) is one of the facets within a complete EMM solution, providing a broader set of tools for IT. These include the ability to require a PIN lock, identify and exclude jailbroken or hacked devices, and the power to remotely lock the device in case of loss. While today’s EMM products feature more granular and less intrusive controls, MDM features remain an important foundational piece of mobile enablement.
WSO2 MDM is one of the products which was in the 1st release (1.0.0) of the WSO2 Enterprise Mobility Manager suite. MDM was targeted at managing enterprise mobile devices (iOS & Android). Its other component is MAM, which is targeted at managing enterprise mobile applications. You can find that component on GitHub. However, in the latest release of the WSO2 Mobility suite, the MDM & MAM components were merged into a single product called EMM. It also contains bug fixes & some improvements.
We have an existing Android and iOS application that consumes REST API from our servers. The API provides a token to the authenticated users after they log in using their credentials (username, password combo.) from the mobile applications.
Now, we're planning to create a Google Glass application for the same. In this case, we'd like to use the existing REST API along with Glass also. The Glass app will be built natively using the GDK.
My concern is, how would the users be able to input credentials, because users may have signed up for the service using non-Google accounts?
Many thanks in advance.
At the moment, there is no supported way for apps made with GDK Early Access to authenticate the user or provide a way to connect the Glass account to your auth system. The Glass team has indicated such methods are coming, however - the Strava Cycling app, for example, does this, and it is expected that a similar feature will become widely available as the GDK matures.
Strava Cycling appears to get its credentials at the time you set up the app through MyGlass. When you turn it on it redirects you to a website to log into Strava's service before completing the install.
I just gave a talk on this exact topic at Wearables DevCon. The solution I proposed is purely done through GDK. All the user has to do is sign into their Google Account on a phone/tablet/computer and enter a code that is shown on Glass.
Check out the slides here:
https://docs.google.com/presentation/d/1NepYwlKdEvLV0QH9ix2I8l-JY1kHjBR9AXKBNpgTI6g/edit
And the code here:
https://github.com/victorkp/GlassWebNotes
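The answer above describes pairing by a code shown on Glass and typed in on another signed-in device. The following is an added sketch of the server side of such a flow, not the code from the linked talk or repository; `PairingService`, its method names, the alphabet and the limits are all hypothetical choices made for illustration.

```python
import hmac, secrets, time

ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumed: no vowels or digits, avoids look-alikes
CODE_TTL = 300                      # assumed: seconds a displayed code stays valid
MAX_ATTEMPTS = 5                    # assumed: wrong codes tolerated per account

class PairingService:
    """In-memory stand-in for the server side of a show-a-code pairing flow."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # user_code -> device_secret, expiry, approving account
        self.failures = {}  # account -> number of wrong codes submitted

    def start(self):
        """Headset call: returns (code to display, secret kept on the device)."""
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        device_secret = secrets.token_urlsafe(32)
        self.pending[user_code] = {"device_secret": device_secret,
                                   "expires": self.now() + CODE_TTL,
                                   "account": None}
        return user_code, device_secret

    def approve(self, account, typed_code):
        """Web call, made only after the user has signed in on the other device."""
        if self.failures.get(account, 0) >= MAX_ATTEMPTS:
            return False  # too many guesses from this account
        entry = self.pending.get(typed_code.strip().upper())
        if entry is None or entry["expires"] < self.now() or entry["account"]:
            self.failures[account] = self.failures.get(account, 0) + 1
            return False
        entry["account"] = account
        return True

    def poll(self, user_code, device_secret):
        """Headset call: hands out an API token once, and only after approval."""
        entry = self.pending.get(user_code)
        if entry is None or not hmac.compare_digest(entry["device_secret"],
                                                    device_secret):
            return None  # knowing the displayed code alone is not enough
        if entry["expires"] < self.now():
            del self.pending[user_code]
            return None
        if entry["account"] is None:
            return None  # not approved yet; the headset keeps polling
        del self.pending[user_code]  # single use
        return {"account": entry["account"], "token": secrets.token_urlsafe(32)}
```

The displayed code is short-lived and low-entropy by design, so the token is released only to the caller that also holds the device secret, and wrong guesses are counted per signed-in account.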
The latest Glass release (XE16) publishes the remote authentication API for apps distributed through MyGlass:
https://developers.google.com/glass/develop/gdk/authentication