Darko Grozdanovski - THE POWER OF EMM

droidcon Berlin

July 16, 2018

Transcript

  1. On the agenda today:
    • What is an EMM?
    • What is AppConfig?
    • Code an app with Managed Configuration
    • Overview of the deployment workflow
    • Create a managed configuration
  2. What is an EMM?
    The infrastructure that enables organizations to run their enterprise apps, manage and secure the corporate data
  3. Modern enterprise deployment
    • Always deploy using EMM and Google Play
    • Distribute using Managed Configurations
  4. What is AppConfig?
    • The community’s mission is to streamline the adoption and deployment of mobile enterprise applications by providing a standard approach to app configuration and management, building upon the extensive app security and configuration frameworks available in the OS. https://appconfig.org
  5. Benefits for Developers
    • EMM vendor neutral solution
    • Reduce need for proprietary SDK
    • Reduce need for App Wrapping
  6. Benefits for Enterprises
    • Leverage existing EMM investments
    • Better native onboarding user experience
    • Greater selection of business apps
  7. Members of AppConfig - Apps
    • A huge ecosystem of apps that are part of the community
    • New ones are constantly added
    • In-house apps can also use it
  8. When you DON'T NEED to write code
    • Lock down a device into kiosk
    • Create an app VPN
    • Single Sign On with existing identity management providers
    • Disable screen capture
    • Disable copy/paste
    • Restrict input methods
    • Whitelist/Blacklist specific system apps
  9. AppConfig - Managed Configuration
    • Create and manage application configurations directly in the EMM admin console
    • A set of native Android APIs enabling a deeper integration with an EMM system
    • Empowers the IT admin and eases app deployments
  10. Any combination of key value pairs that an app needs, including dynamic user/device related properties
  11. Custom device or user attributes
    • Forward attributes from an Identity provider such as Active Directory
    • Manually define attributes and their values
  12. Common configuration options
    • Username – typically full email address or just company domain for easier sign in
    • Server/Resource endpoint configurations
    • Crash reporting on/off
    • Device analytics on/off
    • On-device data retention policies
    • Preferred apps to interact with (for sending emails, opening PDF, viewing images)
  13. Limitations and drawbacks
    • Testing the integration
    • Only works in Android Enterprise deployments
    • Requires Android 5.0 and up
    • Some API methods are available starting from Android 5.1 and 6.0
    • Only primitive values can be delivered – No files/images etc…
  14. How to get around some of these limitations
    • Provide reasonable defaults in case a managed configuration cannot be used
    • Know your audience – Ask the organization about the devices they are using, specifically their OS version
    • Host complex configurations/files/photos that the app needs and point to those with an identifier through configuration – Ex. https://mycdn.com/mobileiron/logo.png - where "mobileiron" is the identifier to the resources for the specific organization.
  15. Add XML file with app restrictions
    src/main/res/xml/app_restrictions.xml

    ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <restrictions xmlns:android="http://schemas.android.com/apk/res/android" >
        <restriction
            android:key="string"
            android:title="string resource"
            android:restrictionType=["bool" | "string" | "integer"
                                     | "choice" | "multi-select" | "hidden"
                                     | "bundle" | "bundle_array"]
            android:description="string resource"
            android:entries="string-array resource"
            android:entryValues="string-array resource"
            android:defaultValue="reference" >
            <restriction …/>
            ...
        </restriction>
        <restriction …/>
        ...
    </restrictions>
    ```
  16. Field Type – Bundle Array
    API Level 23 – Android 6.0
    • Contains a subset of restrictions
    • Contains a bundle
    • Can dynamically add more items in the array from the Admin UI

    ```xml
    <restriction
        android:description="@string/description_bookmarks"
        android:title="@string/title_bookmarks"
        android:key="bookmark_list"
        android:restrictionType="bundle_array">
        <restriction
            android:title="@string/title_bookmark"
            android:key="bookmark"
            android:restrictionType="bundle">
            <restriction
                android:title="@string/title_bookmark_key"
                android:key="bookmark_name"
                android:restrictionType="string"/>
            <restriction
                android:title="@string/title_bookmark_value"
                android:key="bookmark_value"
                android:restrictionType="string"/>
        </restriction>
    </restriction>
    ```
  17. Read Configured values

    ```kotlin
    private fun stringValueInASingleMethod(key: String = "serverUrl"): String {
        val restrictionsManager =
            context.getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
        // Entry declared in app_restrictions.xml; it carries the default value.
        val entry = restrictionsManager.getManifestRestrictions(context.packageName)
            .first { key == it.key }
        val applicationRestrictions = restrictionsManager.applicationRestrictions
        // Prefer the value delivered by the EMM, otherwise use the manifest default.
        return if (applicationRestrictions.containsKey(key)) {
            applicationRestrictions.getString(key)
        } else {
            entry.selectedString
        }
    }
    ```
  18. Register change receiver
    • It’s a broadcast receiver which needs to be registered in code
    • Delivers a notification when the restriction values are updated
    • Typical use is for kiosk apps, apps for task workers etc.
  19. Register change receiver

    ```kotlin
    private var broadcastReceiver: BroadcastReceiver? = null

    public override fun onStart() {
        super.onStart()
        broadcastReceiver = object : BroadcastReceiver() {
            override fun onReceive(context: Context, intent: Intent) {
                // Fetch and use new values
            }
        }
        this.registerReceiver(
            broadcastReceiver,
            IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED)
        )
    }

    public override fun onStop() {
        super.onStop()
        if (broadcastReceiver != null) {
            this.unregisterReceiver(broadcastReceiver)
            broadcastReceiver = null
        }
    }
    ```
  20. Check if device is under management
    Check for an empty bundle. This means your application acts like it’s unmanaged. There is no configuration being delivered. The app is NOT managed by an EMM system, it has been installed by other means.

    ```kotlin
    fun isDeviceManaged(): Boolean = !restrictionsManager.applicationRestrictions.isEmpty
    ```
  21. Check if device is configured properly
    API Level 22 – Android 5.1
    Check for a bundle with a single key value pair with KEY_RESTRICTIONS_PENDING set to true. This means your application is being managed, but isn’t configured correctly. You should block this user from your app, and direct them to their IT administrator.
  22. Enable Android Enterprise in EMM
    • Use any Google Account (preferably create one that will only be used by the organization)
  23. Enable Android Enterprise in EMM
    • This ID will be used by the developers inside Google Play later on
  24. Suggestion – enroll into work profile for testing
    • Can test the interaction between work and private partitions of the device
    • Can more easily enable USB debugging and view logs
    • Easier to remove after done, no need to factory reset device
  25. Release the app on Google Play
    • Release process on Google Play is exactly the same as any normal app
    • Turn on Managed Google Play inside Pricing and Distribution to target organizations
  26. Release the app on Google Play
    • App can be released privately only to specific organizations. It won't be visible on the public Google Play store in this case
  27. Release the app on Google Play
    • Distribute the app to multiple organizations by adding their Google Enterprise ID to the list within Google Play
  28. Create a managed configuration
    • Enter all the details and save the config
    • After saving, the configuration will be published to the devices
    • It will be available immediately for any new app installations
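
The checks from slides 14, 17, 20 and 21 combined into one startup routine, as an added example that is not part of the original deck. The names `ManagedState`, `resolveManagedState`, `isAcceptableEndpoint` and `DEFAULT_SERVER_URL` are hypothetical, and the rule that a delivered `serverUrl` must be an absolute https URL is an assumption added here; only the `serverUrl` key comes from the slides.

```kotlin
import android.content.Context
import android.content.RestrictionsManager
import android.os.Build
import android.os.Bundle
import android.os.UserManager
import java.net.URI
import java.net.URISyntaxException

// Hypothetical result type: one case per situation the slides distinguish.
sealed class ManagedState {
    object Unmanaged : ManagedState()              // slide 20: empty bundle
    object PendingConfiguration : ManagedState()   // slide 21: block and send user to IT
    data class Configured(val serverUrl: String) : ManagedState()
}

private const val KEY_SERVER_URL = "serverUrl"     // key used on slide 17
// Placeholder default (slide 14: provide reasonable defaults); not a real endpoint.
private const val DEFAULT_SERVER_URL = "https://example.invalid/api"

fun resolveManagedState(context: Context): ManagedState {
    val manager = context.getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
    val restrictions: Bundle = manager.applicationRestrictions ?: Bundle.EMPTY

    // No configuration delivered: the app was not installed through an EMM.
    if (restrictions.isEmpty) return ManagedState.Unmanaged

    // KEY_RESTRICTIONS_PENDING exists from API 22: managed, but not configured yet.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1 &&
        restrictions.size() == 1 &&
        restrictions.getBoolean(UserManager.KEY_RESTRICTIONS_PENDING, false)
    ) {
        return ManagedState.PendingConfiguration
    }

    // Treat the delivered value as untrusted input; fall back to the default
    // when it is missing or fails validation.
    val serverUrl = restrictions.getString(KEY_SERVER_URL)
        ?.takeIf(::isAcceptableEndpoint)
        ?: DEFAULT_SERVER_URL
    return ManagedState.Configured(serverUrl)
}

// Assumed policy: accept only absolute https URLs that carry a host.
fun isAcceptableEndpoint(value: String): Boolean =
    try {
        val uri = URI(value.trim())
        uri.scheme.equals("https", ignoreCase = true) && !uri.host.isNullOrEmpty()
    } catch (e: URISyntaxException) {
        false
    }
```

Calling `resolveManagedState` again from the `ACTION_APPLICATION_RESTRICTIONS_CHANGED` receiver on slide 19 keeps the app in step with configuration updates pushed from the EMM console.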