EHS Special Features

Enterprise Home Screen 3.0

Overview

This guide covers advanced EHS features such as Kiosk Mode and EHS Logging. It assumes a working knowledge of Enterprise Home Screen and use of its Advanced Settings through direct manipulation of the enterprisehomescreen.xml config file. For those not familiar with these procedures, please refer to the About and Setup pages and the Advanced Settings Guide before continuing.

Note: Many of the capabilities of EHS can be accomplished manually on the device, programmatically through EMDK or remotely using StageNow or a third-party Enterprise Mobile Management (EMM) system (if supported by that EMM system). EHS simply puts the capabilities into a single tool.

Note: Secure Mode is discontinued in EHS 3.0 and higher.


Kiosk Mode

Kiosk Mode is designed for devices to run a single application, often with a touch-based UI. Examples include retail price checkers, auto parts look-ups, patient check-in systems and so on. Kiosk Mode also can be useful when dedicating a device to a single user and/or task, such as a retail clerk's hand-held barcode scanner. Kiosk Mode places the app in full-screen mode and prevents the BACK and HOME keys from being used to exit the app by mapping those keys to the Kiosk app's most recent activity.

Also see the EHS Auto-Launch feature, which provides functionality similar to Kiosk Mode without changing the HOME and BACK key functions.

Kiosk Mode tags:

<kiosk> - Specifies the app that will run when Kiosk Mode is enabled

<kiosk_mode_enabled> - Toggles the feature on and off

Enable Kiosk Mode

In the enterprisehomescreen.xml file:

  1. Specify the Kiosk app in the <kiosk> section of the config file.
  2. Enter a value of '1' in the <kiosk_mode_enabled> tag in the Preferences section of the file.
  3. If USB Debugging is desired in Kiosk Mode, enter a value of '0' in the <usb_debugging_disabled> tag.
    (See Disable Kiosk Mode below for details).

Security Note: When using Kiosk Mode, be sure to disable 'key remapping' and other possible methods of launching applications, which would thereby defeat Kiosk Mode safeguards.

Disable Kiosk Mode

Once Kiosk Mode is enabled it can be disabled in only one of two ways (without writing custom program code):

  • If USB Debugging was not disabled for User Mode, disable Kiosk Mode by pushing to the device a config file with a value of '0' in the <kiosk_mode_enabled> tag.

  • If USB Debugging was disabled for User Mode, perform a factory reset.

Control Kiosk Mode Programmatically

Kiosk Mode can be controlled from within an Android application using Android Intents. The following JavaScript code shows how to enable and disable Kiosk Mode programmatically:


//Disable Kiosk Mode:
Intent intent = new Intent("com.symbol.enterprisehomescreen.actions.MODIFY_KIOSK_MODE");
 Intent.putExtra("enable",false);
 sendBroadcast(intent);

//Enable Kiosk Mode:
Intent intent = new Intent("com.symbol.enterprisehomescreen.actions.MODIFY_KIOSK_MODE");
 Intent.putExtra("enable",true);
 sendBroadcast(intent);

Security Note: When using Kiosk Mode, be sure to disable "key remapping" and other possible methods of launching applications, which would thereby defeat Kiosk Mode safeguards.


Privileged Settings

In EHS 3.0 (and higher), certain features once automatically enabled when entering Admin Mode must now be enabled manually. EHS refers to these as Privileged Settings:

  • USB debugging
  • The Android Settings panel app
  • The Google Search app

Most notably, activation of USB Debugging enables the Android Debug Bridge (adb) and its ability to transfer files to and from a device. The Privileged Settings state on the device is indicated by a pop-up whenever the user enters Admin Mode: Tap "OK" to dismiss.

All three Privileged Settings are enabled as a group through an Admin-mode UI control and are disabled automatically when re-entering User Mode.

To access Privileged Settings:

  1. While in Admin Mode, go to Tools -> Privileged Settings for Admin:
  2. The current state (disabled) is shown.
    Tap "Enable" to activate Privileged Settings:
  3. Privileged Settings are enabled immediately. Tap "OK" to continue.

To disable Privileged Settings:

  1. Go to Tools -> Privileged Settings for Admin:
  2. The current state (enabled) is shown.
    Tap "Restore" to disable all three features:
  3. Features are disabled immediately and a confirmation dialog appears.
    Tap "OK" to continue.

EHS Log

EHS records all major activities, failures and security events in the /enterprise/usr/enterprisehomescreen.log file. These include failed attempts to enter Admin Mode, switches of the operating mode and all EHS errors. The log is a plain text file and can be retrieved with ADB or an EMM and viewed with any text editor.

For more information about logging, see Logging Preferences.

In EHS 2.7 and higher, logging is disabled through the UI or config file.

IMPORTANT: Secure Mode is discontinued in EHS 3.0 and higher. Log files are no longer designated as "SECURED" or "UNSECURED" in log entries.


Security Notes

This section covers important interactions between EHS and Android features that might impact device security or application behavior.

Recent Apps List

  • Accessing an app from the Recent Apps list could represent a security risk; apps not cleared from the list can be activated with the BACK button, potentially exposing a non-EHS home screen.
  • On Android Nougat devices, the Recent Apps button can be Enabled/Disabled. It is disabled by default to prevent the use of multi-window mode.
  • EHS does not add apps or activities to the Android Recent Apps list, but apps/activities launched from within EHS might. Such apps/activities could launch others that might appear on the Recent Apps list and pose a security risk.
  • Some devices retain the Recent Apps list after a reboot. Use App Manager through EMDK, StageNow or a third-party EMM system to clear the list.
  • To manually clear Recent Apps, bring up the Recent Apps list by long-pressing the Home or Menu button (depending on the device) until the list appears, then swipe away each app.

EHS and MX Multi-user

  • If using EHS with Zebra's MX Multi-user feature, it's important to enable the device Lock Screen. Failure to do so will prevent the MX multi-user login screen from being displayed. Use the DevAdmin features of Zebra's StageNow or EMDK tools to configure this setting.
  • MX Multi-user has the ability to override EHS-imposed restrictions on access to System Settings. Users logged in as an MX Admin will have full access to System Settings at all times. MX non-admin users by default will have access only to Sound, Display and About screens.

Other Unintended Access

  • On devices running Android 4.4 KitKat, users might gain access to Airplane mode, Wi-Fi, Bluetooth and other device settings via the Quick Settings menu in the Notification drop-down. This can be prevented with the Disable Status Bar Settings tag.
  • Wireless capabilities also can be individually disabled through these MX modules:
  • MX modules are accessible using EMDK or StageNow tools.
  • Taking a screenshot (by pressing the "volume-down" and "Power" buttons simultaneously) while in User Mode might expose users to the Gallery app or to apps used for sharing images such as Gmail and MMS. To prevent this, disable such unwanted apps in the Disable/Enable Applications section of Optional Feature Tags section.
  • If the Programmable Keys feature on the Android System Settings panel is used to program a key to launch an application, that key mapping will be available in User Mode.

Install OpenSSL

Installing OpenSSL tool on Windows PC:

1. Download OpenSSL 1.0.1g or above for Windows.

2. Install OpenSSL on a computer with connectivity to the target device.

3. Dismiss the Visual C++ 2008 warning, if any, during installation and complete the installation.

4. At the command prompt, navigate to the OpenSSL installed folder (c:\OpenSSL-Win32\ by default)

5. Set the OpenSSL configuration environment variable by executing the following command:

C:\OpenSSL-Win32\ Set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

OpenSSL can now be used to sign EHS files.