Zebra Device Network Traffic

Best Practices

Reducing Outbound Network Traffic from Zebra Android Devices

By Zebra Engineering

All Android devices come pre-installed with applications and services that provide functionality to the administrator and end-user but require an Internet connection to function. Zebra Android devices are no exception; they contain additional features designed specifically for the enterprise, and some communicate over the internet.

Some customers, especially those with very large deployments of WAN-enabled devices, frequently want to restrict or deny any network traffic to all but their specific line-of-business applications. While common Android features such as Data Saver mode can help reduce device data usage, knowing which device applications and services are generating data is critical to preventing it. This document provides some of that critical knowledge.


Google Mobile Services (GMS)

Moderate data usage

What is GMS?
GMS is a collection of applications and services provided by Google that add functionality to Android and simplify application development. Commonly recognizable GMS applications include Google Chrome, the Play store app, YouTube, Gmail, Google Maps and Photos, though the exact makeup of GMS will differ from one Android version to another. GMS services include enhanced location and the ability to push messages to the device asynchronously in a power-efficient manner.

What depends on GMS?
Any application that makes use of a GMS application or service will depend on GMS. Some common examples include:

  • An application that displays a Google map on one of its activities
  • An application that receives messages from a server when the device is in a low power mode (e.g. Firebase Cloud Messaging)
  • An application that retrieves the user's location through the "fused" location provider.

What data is collected by GMS?
A description of what data GMS packages collect is covered by the Google privacy policy. No comprehensive public list exists of exactly what data is collected.

How much data is exchanged by GMS?
There is no single answer to how much data is exchanged by GMS applications; it will depend on your deployment, but the figure can be substantial. A user browsing Google Maps and performing Play store application updates will use significantly more data than a user who is not doing so.

What server endpoints are used by GMS?
The best official source for GMS endpoints is Google's documentation for Android Enterprise Network Requirements, though be aware that Google does not provide specific IP addresses for its service endpoints.

To disable GMS:

You can disable GMS using Zebra GMS Manager to select the "Restricted" option in the "GMSFeatureSet" parameter. This can be done through StageNow or by your EMM system and Zebra OEMConfig. Be aware that disabling GMS may have side-effects for your deployment so please refer to the GMS Manager documentation for full details and test reconfigured devices fully before deployment.

If you do not want to disable GMS entirely but instead just want to prevent GMS applications from updating, you can use Zebra App Manager and set the "Action" to "DisallowApplicationUpgrade" for each package. The primary reason to do this is to ensure that your device retains a consistent version of any application delivered by Google Play, which includes all GMS packages and services.


Network Time Protocol (NTP)

Minimal data usage

What is NTP?
The Network Time Protocol is a networking protocol for time synchronization between the Android device and a remote "time" server. It's designed to keep the device's time up to date, which is vital for many tasks including secure server communication.

What depends on NTP?
The Android OS and all applications will make use of NTP, either directly or indirectly.

How much data is exchanged by NTP?
The data exchanged with the NTP server will be small and infrequent, in the order of tens of KB/hour.

What server endpoints are used by NTP?
By default, recent builds of Android will use time.android.com as the time server but this can be modified using Zebra Clock Manager and setting the "NTPServer" parameter to the desired value. This can be done through StageNow or by your EMM system and Zebra OEMConfig.

To disable NTP:

You can disable NTP using the Clock Manager and setting the "AutoTime" parameter to "false." This can be done through StageNow or by your EMM system and Zebra OEMConfig.


Captive Portal Detection

Minimal data usage

What is Captive Portal Detection?
A captive portal is a web page that is displayed to newly connected Wi-Fi users before they are granted broader access to network resources. Captive portals are commonly seen on public Wi-Fi (such as hotels or airports) and can be automatically detected by Android.

What depends on Captive Portal Detection?
If your end-users need to connect to any web page or web-based application behind a captive portal, captive portal detection must be enabled.

How much data is exchanged to detect a captive portal?
The data exchanged to detect a captive portal will be small and infrequent, in the order of tens of KB/hour.

What server endpoints are used to detect a captive portal?
The device will check whether an external network is available by connecting to two Google-hosted domains: connectivitycheck.gstatic.com and www.google.com.

To disable captive portal detection:

You can disable captive portal detection using the Zebra Wi-Fi Manager and setting the "CaptivePortalDetection" parameter to "Disable."


Zebra Data Services (ZDS)

Moderate data usage

What is ZDS?
The Zebra Data Service (ZDS) system is a set of background services running on all supported Zebra devices and is responsible for collecting and uploading analytics data coming from ZDS plug-ins and Zebra-authorized third-party apps. Data is uploaded to the Zebra analytics database every 24 hours by default with transport secured with HTTPS. You can learn more about ZDS on TechDocs.

What depends on ZDS?
In general, any Zebra cloud-based service that presents device data will depend on ZDS to acquire that data. These include the PowerPrecision Console, VisibilityIQ, OTA Update Delivery service and the Zebra Data Services APIs. This list is not exhaustive and may expand in the future.

What data is collected by ZDS?
Only non-personally identifiable information is collected by ZDS and you can see a full list of what is collected in the help documentation on TechDocs.

How much data is exchanged with ZDS?
For full details about how much data is transferred by ZDS, including both data collection and application updates, please see the ZDS FAQ page.

Note that ZDS also controls the Zebra Application Self-Update feature, described later.

What server endpoints are used by ZDS?
The server endpoints are listed on the ZDS FAQ page.

To disable ZDS:

You can disable data collection by ZDS using Zebra Analytics Manager and setting the "AnalyticsAction" to "Disable." This can be done through StageNow or by your EMM system using Zebra OEMConfig. Note that disabling ZDS data collection also prevents the application from automatically updating.

Where can I learn more about ZDS?
The Zebra Data Service is part of Zebra's intelligent edge solutions portfolio and has a dedicated product page.


Zebra Lifeguard Over the Air

Potentially major data usage

What is Lifeguard OTA?
Lifeguard OTA (formerly Firmware Over the Air, or FOTA) provides the ability to deliver Lifeguard updates remotely to your devices. The solution consists of Lifeguard OTA Manager (formerly FOTA Manager or FotaMgr), which controls and configures the Firmware Over the Air (FOTA) Client. The FOTA client app comes preinstalled on supported devices and is preconfigured to communicate with the Zebra update server.

What depends on Lifeguard OTA?
Most solutions that deliver Lifeguard updates remotely will depend on the Lifeguard OTA client. Typically this will include EMM agents. For example, SOTI has a dedicated page for LG OTA, as does SureMDM (42 Gears), WizyEMM and others.

What data is exchanged by Lifeguard OTA?
Non-personally identifiable device information (e.g., model number and installed OS version) is required to manage and deploy OS updates to devices. A one-time enrollment action is required to claim a device using a token.

How much data is exchanged with Lifeguard OTA?
Android updates in general can get quite large but among the goals of LG OTA is to keep the update size as small as possible. Depending on which Android version or patch your device is currently running and which version or patch you are updating to, updates can be as small as tens of MB for a small LG update to over 1GB for exceptional cases, where a full OS update is required.

What server endpoints are used by Lifeguard OTA?
Lifeguard updates are managed by and delivered from the following URLs:

  • fts.zebra.com
  • downloads.zebra.com
  • zbr-entitled-downloads-prod.s3.amazonaws.com

To disable Lifeguard OTA:

You can disable the LifeGuard OTA client using the Zebra Lifeguard Over the Air Manager and setting the "LifeGuardOTAClientState" to "Turn Off." This can be done through StageNow or by your EMM system using Zebra OEMConfig.

Where can I learn more about Lifeguard OTA?
The Lifeguard updates landing page is the best place to learn more about LG OTA. Also refer to your EMM documentation for references to Zebra LG OTA or FOTA.


Zebra Application Self-Update

Moderate data usage

What is Zebra Application Self-Update?
Some of the Zebra applications that come preinstalled on the device are configured to self-update when new versions are available to ensure the device always has the latest features and updates. This is analogous to how the Google Play store updates most applications installed from there.

What applications are automatically updated?
The following applications are covered by Zebra's application self-update feature:

  • Zebra Data Services (ZDS)
  • LifeGuard OTA client
  • Zebra Common Transport Layer (CTL).

Note that applications delivered from Google Play are still subject to Google's Play store update policy and controls.

What server endpoints are used to update applications?
Applications will be downloaded from a URL in the form *.zebra.engineering.

To disable Zebra application self-update:

Please see the "To disable ZDS" section. By disabling ZDS, you also disable all application updates.


Assisted GPS (A-GPS)

Minimal data usage

What is A-GPS?
Assisted GPS is a technique to augment global positioning system (GPS) data using data delivered via a WAN or WLAN connection. This can improve the time it takes for the GPS system to start, acquire signals and figure out where it is. This activity is known as "time to first fix" or TTFF.

What uses A-GPS?
Whether your device uses A-GPS or not will depend on your OS and network stack; A-GPS is not supported on devices running Android 10 or later. On devices that do support A-GPS, any application that relies solely on GPS for location information will have a faster time-to-first-fix if it's using A-GPS.

How much data is used by A-GPS?
The data received to support A-GPS will vary depending on use case, but an average figure is less than 5MB per month.

What server endpoints are used by A-GPS?
The servers that support this feature and deliver A-GPS data (on devices where this is supported) are in the form *.izatcloud.net.

To disable A-GPS:

Disabling GPS also disables A-GPS. You can disable GPS using Zebra Wireless Manager and setting the "GPSState" to "Turn Off."


Notes

  • This document covers applications and services that come preloaded on the device and exchange data with an external network. The administrator provisioning devices should also be aware that applications installed as part of the provisioning process will likely communicate with external servers as well.
  • Also keep in mind that Zebra APIs such as OEMInfo have the capability to grant those applications access to secure data, when authorized by the administrator.
  • No static IP addresses are given in this document. If your firewall requires IP addresses, you will need to resolve these during configuration.
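
To confirm which of the services above a device is still reaching after reconfiguration, DNS or proxy logs can be attributed to the endpoints this document names. The following is an added example, not Zebra tooling: the log format, sample lines and subdomain names are constructed, GMS is omitted because no GMS hostnames are listed here, and www.google.com is attributed to captive portal detection as in that section.

```python
from collections import Counter

# Endpoints named in this document, keyed by service; "*." means any subdomain.
ENDPOINTS = {
    "NTP": ["time.android.com"],
    "Captive portal detection": ["connectivitycheck.gstatic.com", "www.google.com"],
    "Lifeguard OTA": ["fts.zebra.com", "downloads.zebra.com",
                      "zbr-entitled-downloads-prod.s3.amazonaws.com"],
    "Zebra application self-update": ["*.zebra.engineering"],
    "A-GPS": ["*.izatcloud.net"],
}

def classify(hostname):
    """Return the documented service for a hostname, or None if unlisted."""
    host = hostname.strip().rstrip(".").lower()
    for service, patterns in ENDPOINTS.items():
        for pattern in patterns:
            if pattern.startswith("*."):
                # Match on a label boundary (".zebra.engineering") with a subdomain.
                if host.endswith(pattern[1:]) and len(host) >= len(pattern):
                    return service
            elif host == pattern:
                return service
    return None

def summarize(log_text):
    """Count queries per service and tally hostnames the document does not list."""
    per_service, unlisted = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:  # skip blank or malformed lines
            continue
        service = classify(fields[2])
        if service:
            per_service[service] += 1
        else:
            unlisted[fields[2].lower()] += 1
    return per_service, unlisted

# Constructed sample, "timestamp client-ip queried-name"; not real device traffic.
SAMPLE_DNS_LOG = """\
2024-05-01T08:00:01Z 10.0.0.15 time.android.com
2024-05-01T08:03:10Z 10.0.0.15 fts.zebra.com
2024-05-01T08:03:11Z 10.0.0.15 updates.zebra.engineering
2024-05-01T08:04:00Z 10.0.0.16 notzebra.engineering
2024-05-01T08:04:05Z 10.0.0.16 lob.example.com
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DNS_LOG))
```

Wildcard entries are matched on a label boundary, so a look-alike name such as notzebra.engineering is reported as unlisted rather than attributed to a Zebra service.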