Making your Android Application Enterprise-Ready...
Introduction
With ever-growing mobile usage and with the recent advent of work from home scenarios, many enterprises are in the market for secure applications which can allow their employees to have access to sensitive data and prevent data leaks. Therefore, mobile applications which can securely enable the usage of sensitive data are the need of the hour in the enterprise ecosystem.
Mobile apps drive employee productivity and IT must move beyond static app distribution to meet security, management, and productivity. Enterprise Mobility Management (referred to as EMM ) allows enterprises to enroll their employees in either a Bring-Your-Own-Device (BYOD) or Company-Owned-Personally-Enabled (COPE) device programs.
EMM addresses the challenges associated with mobile security by providing a simplified, efficient way to view and manage all devices from the central admin console. It allows enterprise IT administrators to prevent data leakage and remotely configure the application on these devices as per the company’s enterprise policy. Employees benefit from instant mobile productivity and a seamless out-of-the-box experience, and enterprises benefit from secure work-ready apps with minimal setup.
Android Mobile Applications has moved to a single application model which supports both personal and work environments from within the same application in a seamless and secure manner, thus enabling productivity. We showcase Android Application in both personal and Work mode (Notice the briefcase icon at the bottom right of the application icon)[1]
Setting up work profile
Different EMM vendors have a different workflow to help you create a work profile, or one can be provided to you by your organization.
Here I will demonstrate the process to create a work profile using the TestDPC [2] application which can be used to simulate the Work Profile and Restrictions which can be applied to a work-managed android application. The creation, once you have downloaded the APK from the link, is straightforward. Once this provision is complete now you will see personal and work applications (for that application that supports Work Mode)separately on your device.
Note : You can access both personal and work profiles from setting application
Work mode in Action
I will be using the enterprise sample application to demonstrate how the enterprise version of the application can behave in work mode. This basically gives the IT admin of the organization to control features of the application they want to restrict.
The application demonstrates how we can restrict the say hello button in a managed application.
The IT Administrator for the organization can specify the restrictions for the application and those functionalities will then be restricted for all the users of the application.
This allows companies to have a single application with these restrictions in place instead of the different distribution of APK and allows the organization to deploy according to their restrictions, implementation of this is explained in detail below.
Checking if the Application is Work Application?
Android provides us with DevicePolicyManager class, which lists down admin available for the device which can then be used to get the package name. The isProfileOwnerApp() or isDeviceOwnerApp() API helps us identify whether the application in question is managed or other the entire device is managed.
The restriction to be imposed are added as an XML wherein the default values for these restrictions are specified. The different types of restrictions which can be imposed are enumerated in the XML below, here I will be showcasing how one of the listed restrictions can be used to control application behavior.
These restrictions can be stored in SharedPreference so that they can be accessed across application sessions. We have the RestrictionsManager class which can be used to get all getManifestRestrictions() which returns a list of restrictions. We then store the preference for the restrictions to be utilized to check the availability of a particular feature i.e. if the feature is allowed by the IT admin for your organization.
Finally …
The above code can be used to control the feature inside the work application, thus providing the additional functionality for the organization to restrict some features while allowing others in the work-managed application. We need to create a broadcast receiver for ACTION_APPLICATION_RESTRICTIONS_CHANGED which sends out a broadcast when restrictions change.
The canUpdateSayHello() will use these restrictions to determine if the button needs to be disabled or not.
I hope the above article can help you understand some of the basics of managed apps and give you insights on how you can implement Restrictions for your Application, and make it enterprise-ready.
Useful Links
[1]https://developers.google.com/android/work/overview
[2]https://github.com/googlesamples/android-testdpc
[3] https://github.com/android/enterprise-samples
[4] https://www.miradore.com/blog/separate-work-time-from-free-time-with-android-work-profile/
