Access Manager


Overview

The Access Manager (AccessMgr) enables an admin to configure a device to control which user or "installable" application(s) can be used on the device and what actions the application(s) can perform.

A key feature of AccessMgr is the ability to enable and disable "whitelisting," a process that allows only those applications explicitly specified in a list to run. Whitelisting is disabled by default and imposes no restrictions. When whitelisting is turned on, various restrictions can be applied using AccessMgr. Applications NOT included in the "whitelist" are prevented from running. AccessMgr allows whitelist applications to be installed, launched and maintained, and can control which applications are allowed to submit XML for all CSPs, including AccessMgr itself.

Whitelisting applies only to user applications and has no effect on System applications, which are applications built into the device and are therefore always present. To control aspects of System applications, see [AppMgr](../appmgr).

User applications are those NOT built into the device and hence must be installed before they can be used. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed.

Note: It is important to understand that if a user application uses AccessMgr to turn on whitelisting, then that application will become subject to whitelisting. If the application does not add itself to the "white" list, then that application will no longer be allowed to run. Also, if such an application does not explicitly allow itself to submit XML, then it would not be able to alter the configuration once it was successfully applied.

AccessMgr also provides the option to control whether the device user can access a full or reduced version of the in-device Settings panel.

Main Functionality

  • Turn whitelisting on or off
  • Manage the "whitelist" of applications that a device user can install and launch
  • Turn verification of application signatures on or off
  • Control which applications are allowed to submit XML
  • Select whether the device user can access Full or Reduced Settings
  • Set Application Verification Mode to Verify All App Signatures
  • Allow, disallow and verify service binding
  • Allow, disallow and verify calls to a service

Operation Mode

Select the desired Operation Mode which will turn Whitelisting on or off. Whitelisting is turned off by default, and hence no restrictions are imposed on which applications device users can install or which applications can be launched.

Turning on Whitelisting allows a device to be made more secure by preventing a device user from installing applications that are not on the "white" list and by preventing all launching of applications that are not on the "white" list. Turning on Whitelisting also complicates the process of deploying applications since applications that are deployed and installed will have to also be added to the "white" list before they can be launched.

Parm Name: OperationMode

| Option | Name | Description | Requires |
|---|---|---|---|
| 1 | Single User without Whitelist | This value will cause Whitelisting to be turned off and hence disable all Whitelisting functionality. | OSX: 1.0+, MX: 4.1+ |
| 2 | Single User with Whitelist | This value will cause Whitelisting to be turned on and hence enable Whitelisting functionality. The exact behavior of Whitelisting will depend on the configuration of the other parms. | OSX: 1.0+, MX: 4.1+ |

System Settings Access

Controls the level of access a device user is granted to the Android Settings panel.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: SystemSettings

| Option | Name | Description | Requires |
|---|---|---|---|
| 1 | Full Access | Allows full access to the Android Settings panel. | OSX: 3.5+, MX: 4.1+ |
| 2 | Reduced Access | Limits Settings panel access to Display, Volume and About features. | OSX: 3.5+, MX: 4.1+ |

Application Verification Signing Mode

This parm allows you to control whether Whitelisting will verify the signatures of applications, and if so, which application signatures will be verified. Signature verification is turned off by default.

When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "white" list is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting its Package Name to be one that is known to be on the "white" list, and hence circumventing Whitelisting by impersonating a trusted application.

To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "white" list will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "white" list so it can be compared against the actual Signature of that application.

Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "white" list, will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "white" list.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AppVerifySignMode

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Do not change | This value (or the absence of this parm from the XML) will cause no change to whether Signature verification will occur or for which applications. | OSX: 3.5+, MX: 4.3+ |
| 1 | Do not verify app signature | This value will cause Signature verification to be turned off, thus causing Package Names alone to be used to determine if an application is on the "white" list. | OSX: 3.5+, MX: 4.3+ |
| 2 | Verify user app signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "white" list. | OSX: 3.5+, MX: 4.3+ |
| 3 | Verify all apps signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "white" list. | OSX: 3.5+, MX: 4.3+ |

Service Access Action

Used to control which "installable" (non-System) applications can call controllable services running on the device. This allows an administrator to manage access to the services present in a device and the ability of apps to bind to and leverage callable services. This can be used, for example, to prevent access to services relating to sensitive functionality, or to prevent use of such services when they are not explicitly required for a particular usage scenario or app.

Parm Name: ServiceAccessAction

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Do nothing. | This value (or the absence of this parm from the XML) causes no change to device settings; any previously selected setting is retained. | MX: 8.3+ |
| 1 | AllowBinding | Allows apps to bind to the specified service. | MX: 8.3+ |
| 2 | DisallowBinding | Prevents apps from binding to the specified service. | MX: 8.3+ |
| 3 | VerifyBinding | Confirms that an app is permitted to bind to a service. | MX: 8.3+ |
| 4 | AllowCaller | Allows the specified app(s) to call a specified service. | MX: 8.3+ |
| 5 | DisallowCaller | Prevents the specified app(s) from calling a specified service. | MX: 8.3+ |
| 6 | VerifyCaller | Confirms that the specified app(s) is permitted to call a specified service. | MX: 8.3+ |

Delete Packages

Used to delete Packages from the Whitelist.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: DeletePackagesAction

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Delete NO Packages | This value (or the absence of this parm from the XML) causes no change to device settings; all packages remain on the device. | OSX: 1.0+, MX: 4.1+ |
| 1 | Delete specified Packages(s) | Causes the selected Package Name(s) to be deleted from the "white list," blocking user or "installable" applications with those Package Names from being installed by the device user or launched. | OSX: 1.0+, MX: 4.1+ |
| 2 | Delete ALL Packages | Causes all Package Names to be deleted from the "white list," blocking all user or "installable" applications from being installed by the device user or launched. | OSX: 1.0+, MX: 4.1+ |
| 3 | Delete specified Signature(s) | When Signature verification is turned on, deletes one or more Signatures from the "white list," thus blocking user or "installable" applications with those Signatures from being installed by the device user or launched. | OSX: 1.0+, MX: 4.1+ |

Caller Package Name

Used to specify the application package name on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller."

Parm Name: CallerPackageName

Requires:

  • MX: 8.3+

Caller Signature

Used to specify the application package name on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller."

Parm Name: CallerSignature

Requires:

  • MX: 8.3+

Service Identifier

Used to specify the service on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum size of 1 character
  • Service names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is NOT "Do nothing."

Parm Name: ServiceIdentifier

Requires:

  • MX: 8.3+

Delete Package Name(s)

Used to specify Package Names to be deleted from the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Delete Packages is "Delete specified Packages(s)"

Parm Name: DeletePackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Delete Package Signature(s)

Used to specify package signatures to be deleted.

Parm value input rules:

  • String with a minimum size of 1 character
  • The package signatures must be separated by commas

Shown if: Delete Packages is "Delete specified Signature(s)" *AND* the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: DeletePackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages

Select whether or not to add Packages to the "white" list. Adding an application to the "white" list using this parm does not allow the application to submit XML; that must be done using the separate parm "Add Packages and Allow to Submit XML."

Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, then that application will become subject to Whitelisting. If the application does not add itself to the "white" list, then that application will no longer be allowed to run. Also, if such an application does not explicitly allow itself to submit XML, then it would not be able to alter the configuration once it was successfully applied.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesAction

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Add No Packages | This value will not cause any Package Names to be added to the "white" list. | OSX: 1.0+, MX: 4.1+ |
| 1 | Add Specified Package(s) | This value will cause the specified Package Names to be added to the "white" list. | OSX: 1.0+, MX: 4.1+ |

Add Package Name(s)

Used to specify Package Names to add to the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Add Package Signature(s)

Provide the Signatures that should be added to the "white" list. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package signatures to be added.

Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" *AND* Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages and Allow to Submit XML

Select whether or not to add Packages to the "white" list and allow them to submit XML.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesActionAllowXML

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Add NO Packages | This value (or the absence of this parm from the XML) will not cause any Package Names to be added to the "white" list and does not explicitly allow any applications to submit XML. | OSX: 4.1+, MX: 4.2+ |
| 1 | Add specified Package(s) | This value will cause the specified Package Names to be added to the "white" list and also allows the applications identified by those Package Names to submit XML. | OSX: 4.1+, MX: 4.2+ |

Add Package Name(s) and Allow XML

Used to specify Package Name(s) to add to the "white" list, granting them the ability to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) adds no package names to the list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)"

Parm Name: AddPackageNamesAllowXML

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Add Package Signature(s) and Allow XML

Used to specify Signatures to be added to the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package signatures must be separated by commas

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)" *AND* Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: AddPackageSignAllowXML

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Allow the Application To Submit XML

Select whether or not to allow the application to submit XML. This will allow or restrict applications from submitting changes to the MX Framework.

Note: This feature is supported on devices that are running KitKat versions of Android like the TC70 and will only be used when the Whitelist feature is enabled.

WARNING: Be sure to always include the EMDK for Android service package name com.symbol.emdkservice when this feature is enabled. Otherwise Profile Features (excluding DataCapture) will not be able to be processed.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AllowSubmitXMLAction

| Option | Name | Description | Requires |
|---|---|---|---|
| 0 | Allow NO applications | This value (or the absence of this parm from the XML) will not cause any changes and hence does not explicitly allow any applications to submit XML. | OSX: 4.1+, MX: 4.2+ |
| 1 | Allow specified application(s) | This value will cause the applications identified by the specified list of Package Names to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "these but not those". | OSX: 4.1+, MX: 4.2+ |
| 2 | Allow ALL applications that are permitted to be executed | This value will cause all of the applications that are on the "white" list (i.e. that are allowed to be launched) to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "all except these". | OSX: 4.1+, MX: 4.2+ |

Allow Package Name(s) to Submit XML

Used to specify Package Names to allow to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) prevents all package(s) from submitting XML.

Parm value input rules:

  • String with a minimum size of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)"

Parm Name: AllowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Disallow Package Name(s) to Submit XML

Used to specify Package Name(s) to prevent from submitting XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package names to be disallowed from submitting XML.

Parm value input rules:

  • String with a minimum size of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"

Parm Name: DisallowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Examples

Add an Application to the "white" list


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="1" />
        <parm name="AddPackageNames" value="com.mypackage" />
    </characteristic>
</wap-provisioningdoc>

Specify Applications to Allow and Disallow from Submitting XML


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="0" />
        <parm name="AllowSubmitXMLAction" value="1" />
        <parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
        <parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
    </characteristic>
</wap-provisioningdoc>
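
A pre-deployment check for profiles like the two above, added here as an example and not part of the original documentation: it parses an AccessMgr document and flags the conditions this page warns about (Package-Name-only matching, a submitting application that locks itself out, and a missing com.symbol.emdkservice entry). The `submitter` argument, the finding codes, the com.example.* package names and the signature placeholder are assumptions of the example; each profile is judged on its own, as if applied to a device still in its default state.

```python
import xml.etree.ElementTree as ET

EMDK_SERVICE = "com.symbol.emdkservice"  # package named in the page's WARNING

def _names(p, action, enabled, key):
    """Comma-separated package list in `key`, honoured only if its action parm is set."""
    if p.get(action) not in enabled:
        return set()
    return {n.strip() for n in p.get(key, "").split(",") if n.strip()}

def lint_accessmgr(xml_text, submitter):
    """Findings for a profile that user app `submitter` applies to a device in its
    default state. `submitter` and the finding codes are assumptions of this example."""
    findings = []
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        if ch.get("type") != "AccessMgr":
            continue
        p = {e.get("name"): e.get("value", "") for e in ch.findall("parm")}
        if p.get("OperationMode") != "2":
            continue  # whitelisting off: no restrictions to check
        listed = _names(p, "AddPackagesAction", ("1",), "AddPackageNames")
        listed_xml = _names(p, "AddPackagesActionAllowXML", ("1",), "AddPackageNamesAllowXML")
        allow = _names(p, "AllowSubmitXMLAction", ("1",), "AllowSubmitXMLPackageNames")
        deny = _names(p, "AllowSubmitXMLAction", ("1", "2"), "DisallowSubmitXMLPackageNames")
        mode = p.get("AppVerifySignMode", "0")
        if mode == "1":
            findings.append("SIGNATURE_VERIFY_OFF")      # Package Name alone decides
        elif mode == "0":
            findings.append("SIGNATURE_MODE_UNCHANGED")  # stays off unless set earlier
        elif (listed and not p.get("AddPackageSign")) or (
                listed_xml and not p.get("AddPackageSignAllowXML")):
            findings.append("SIGNATURE_MISSING")         # nothing to compare against
        if submitter not in listed | listed_xml:
            findings.append("SUBMITTER_NOT_WHITELISTED")  # can no longer run
        act = p.get("AllowSubmitXMLAction")
        xml_ok = submitter in listed_xml | allow or (act == "2" and submitter in listed)
        if not xml_ok or submitter in deny:
            findings.append("SUBMITTER_CANNOT_SUBMIT_XML")  # cannot change config later
        if (act == "1" and EMDK_SERVICE not in allow) or EMDK_SERVICE in deny:
            findings.append("EMDK_SERVICE_NOT_ALLOWED")
    return findings

def profile(**parms):
    """Build a constructed AccessMgr profile from name=value pairs (sample input)."""
    body = "".join(f'<parm name="{k}" value="{v}" />' for k, v in parms.items())
    return ('<wap-provisioningdoc><characteristic version="4.3" type="AccessMgr">'
            f'{body}</characteristic></wap-provisioningdoc>')

# Constructed sample profiles; package names and the signature value are placeholders.
RISKY = profile(OperationMode=2, AppVerifySignMode=1, AddPackagesAction=1,
                AddPackageNames="com.example.scanner", AllowSubmitXMLAction=1,
                AllowSubmitXMLPackageNames="com.example.scanner")
HARDENED = profile(OperationMode=2, AppVerifySignMode=2, AddPackagesActionAllowXML=1,
                   AddPackageNamesAllowXML="com.example.admin",
                   AddPackageSignAllowXML="SIGNATURE_PLACEHOLDER",
                   AllowSubmitXMLAction=1,
                   AllowSubmitXMLPackageNames="com.example.admin," + EMDK_SERVICE)

if __name__ == "__main__":
    for name, xml_text in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, lint_accessmgr(xml_text, submitter="com.example.admin"))
```

A profile layered on top of earlier configuration can legitimately trigger the SUBMITTER_* findings when the submitting application was whitelisted by a previous profile.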

Queries

Query the Package Names in the Whitelist, the Operation Mode, and the Application Verification Signing Mode


<wap-provisioningdoc>
    <characteristic type="AccessMgr" >
        <parm-query name="PackageNames"/>  
        <parm-query name="OperationMode"/>  
        <parm-query name="AppVerifySignMode"/>  
    </characteristic>
</wap-provisioningdoc>