Access Manager

StageNow - 2.3

Overview

The AccessMgr configures a device to control which user, or "installable," applications can be used on that device, as well as what those applications can do.

A key concept within the AccessMgr is the ability to turn Whitelisting on or off. Whitelisting is off by default, imposing no restrictions. When Whitelisting is turned on, various restrictions can be applied using the AccessMgr.

Whitelisting is a process that allows only those applications explicitly specified in a list to run. Applications not included in the "whitelist" are prohibited from running. The AccessMgr allows whitelist applications to be installed, launched and maintained. The AccessMgr also allows control of which applications are allowed to submit XML for all CSPs, including the AccessMgr itself.

Whitelisting applies only to user applications and will never have an effect on System applications. System applications are those applications that are built into the device and hence are always installed. Some control of System applications can be accomplished by using the AppMgr.

User applications are those applications that are not built into the device and hence must be installed onto a device before they can be used. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using the AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed.

Note: It is important to understand that if a user application uses the AccessMgr to turn on Whitelisting, then that application will become subject to Whitelisting. If the application does not add itself to the "white" list, then that application will no longer be allowed to run. Also, if such an application does not explicitly allow itself to submit XML, then it would not be able to alter the configuration once it was successfully applied.

The AccessMgr also provides the option to control whether the device user can access a full or reduced version of the in-device System Settings Menu.

Main Functionality

  • Turn Whitelisting on or off
  • Manage the "white" list of applications that a device user can install and that can be launched
  • Turn verification of application signatures on or off
  • Control which applications are allowed to submit XML
  • Select whether the device user can use Full or Reduced Settings
  • Set Application Verification Mode to Verify All App Signature

Operation Mode

Select the desired Operation Mode which will turn Whitelisting on or off. Whitelisting is turned off by default, and hence no restrictions are imposed on which applications device users can install or which applications can be launched.

Turning on Whitelisting allows a device to be made more secure by preventing a device user from installing applications that are not on the "white" list and by preventing all launching of applications that are not on the "white" list. Turning on Whitelisting also complicates the process of deploying applications since applications that are deployed and installed will have to also be added to the "white" list before they can be launched.

Parm Name: OperationMode

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 1 | Single User without Whitelist | This value will cause Whitelisting to be turned off and hence disable all Whitelisting functionality. | A | OSX: 1.0+, MX: 4.1+ |
| 2 | Single User with Whitelist | This value will cause Whitelisting to be turned on and hence enable Whitelisting functionality. The exact behavior of Whitelisting will depend on the configuration of the other parms. | A | OSX: 1.0+, MX: 4.1+ |

System Settings Access

Select the level of system settings access to be allowed on the device's System Settings menu.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: SystemSettings

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 1 | Full Access | This value will cause the device user to be allowed to access the full capabilities of the in-device System Settings Menu. | A | OSX: 3.5+, MX: 4.1+ |
| 2 | Reduced Access | This value will cause the device user to be allowed to access only a reduced set of the capabilities of the in-device System Settings Menu (Display, Volume, About). | A | OSX: 3.5+, MX: 4.1+ |

Application Verification Signing Mode

This parm allows you to control whether Whitelisting will verify the signatures of applications, and if so, which application signatures will be verified. Signature verification is turned off by default.

When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "white" list is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting its Package Name to one that is known to be on the "white" list, and hence circumventing Whitelisting by impersonating a trusted application.

To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "white" list will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "white" list so it can be compared against the actual Signature of that application.

Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "white" list, will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "white" list.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AppVerifySignMode

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 0 | Do not change | This value (or the absence of this parm from the XML) will cause no change to whether Signature verification will occur or for which applications. | A | OSX: 3.5+, MX: 4.3+ |
| 1 | Do not verify app signature | This value will cause Signature verification to be turned off, thus causing Package Names alone to be used to determine if an application is on the "white" list. | A | OSX: 3.5+, MX: 4.3+ |
| 2 | Verify user app signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "white" list. | A | OSX: 3.5+, MX: 4.3+ |
| 3 | Verify all apps signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "white" list. | A | OSX: 3.5+, MX: 4.3+ |

Delete Packages

Select whether or not to delete Packages from the "white" list.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: DeletePackagesAction

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 0 | Delete NO Packages | This value does not delete anything and hence does not affect the "white" list at all. | A | OSX: 1.0+, MX: 4.1+ |
| 1 | Delete specified Packages(s) | This value will cause one or more selected Package Names to be deleted from the "white" list, thus blocking user, or "installable," applications with those Package Names from being installed by the device user or launched. | A | OSX: 1.0+, MX: 4.1+ |
| 2 | Delete ALL Packages | This value will cause all Package Names to be deleted from the "white" list, thus blocking all user, or "installable," applications from being installed by the device user or launched. | A | OSX: 1.0+, MX: 4.1+ |
| 3 | Delete specified Signature(s) | This value is meaningful only when Signature verification is turned on, in which case it deletes one or more Signatures from the "white" list, thus blocking user, or "installable," applications with those Signatures from being installed by the device user or launched. | A | OSX: 1.0+, MX: 4.1+ |

Delete Package Name(s)

Provide the Package Names to be deleted from the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Delete Packages is "Delete specified Packages(s)"

Parm Name: DeletePackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Delete Package Signature(s)

Provide the package signatures to be deleted.

Parm value input rules:

  • String with a minimum size of 1 character
  • The package signatures must be separated by commas

Shown if: Delete Packages is "Delete specified Signature(s)" *AND* the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: DeletePackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages

Select whether or not to add Packages to the "white" list. Adding an application to the "white" list using this parm does not allow the application to submit XML; that must be done using the separate parm "Add Packages and Allow to Submit XML."

Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, then that application will become subject to Whitelisting. If the application does not add itself to the "white" list, then that application will no longer be allowed to run. Also, if such an application does not explicitly allow itself to submit XML, then it would not be able to alter the configuration once it was successfully applied.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesAction

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 0 | Add No Packages | This value will not cause any Package Names to be added to the "white" list. | A | OSX: 1.0+, MX: 4.1+ |
| 1 | Add Specified Package(s) | This value will cause the specified Package Names to be added to the "white" list. | A | OSX: 1.0+, MX: 4.1+ |

Add Package Name(s)

Provide the Package Names that should be added to the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Add Package Signature(s)

Provide the Signatures that should be added to the "white" list. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package signatures to be added.

Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" *AND* Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages and Allow to Submit XML

Select whether or not to add Packages to the "white" list and allow them to submit XML.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesActionAllowXML

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 0 | Add NO Packages | This value (or the absence of this parm from the XML) will not cause any Package Names to be added to the "white" list and does not explicitly allow any applications to submit XML. | A | OSX: 4.1+, MX: 4.2+ |
| 1 | Add specified Package(s) | This value will cause the specified Package Names to be added to the "white" list and also allows the applications identified by those Package Names to submit XML. | A | OSX: 4.1+, MX: 4.2+ |

Add Package Name(s) and Allow XML

Provide the Package Names to be added to the "white" list and that should be allowed to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package names to be added and allowed to submit XML.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)"

Parm Name: AddPackageNamesAllowXML

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Add Package Signature(s) and Allow XML

Provide the Signatures that should be added to the "white" list.

Parm value input rules:

  • String with a minimum size of 1 character
  • Package signatures must be separated by commas

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)" *AND* Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: AddPackageSignAllowXML

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Allow the Application To Submit XML

Select whether or not to allow the application to submit XML. This will allow or restrict applications from submitting changes to the MX Framework.

Note: This feature is supported on devices running KitKat versions of Android, such as the TC70, and will only be used when the Whitelist feature is enabled.

WARNING: Be sure to always include the EMDK for Android service package name com.symbol.emdkservice when this feature is enabled. Otherwise Profile Features (excluding DataCapture) will not be able to be processed.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AllowSubmitXMLAction

| Option | Name | Description | Device Group | Requires |
|---|---|---|---|---|
| 0 | Allow NO applications | This value (or the absence of this parm from the XML) will not cause any changes and hence does not explicitly allow any applications to submit XML. | A | OSX: 4.1+, MX: 4.2+ |
| 1 | Allow specified application(s) | This value will cause the applications identified by the specified list of Package Names to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "these but not those". | A | OSX: 4.1+, MX: 4.2+ |
| 2 | Allow ALL applications that are permitted to be executed | This value will cause all of the applications that are on the "white" list (i.e. that are allowed to be launched) to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "all except these". | A | OSX: 4.1+, MX: 4.2+ |

Allow Package Name(s) to Submit XML

Provide the Package Names that should be allowed to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package names to be allowed to submit XML.

Parm value input rules:

  • String with a minimum size of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)"

Parm Name: AllowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Disallow Package Name(s) to Submit XML

Provide the Package Names that should be disallowed from submitting XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package names to be disallowed from submitting XML.

Parm value input rules:

  • String with a minimum size of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"

Parm Name: DisallowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Examples

Add an Application to the "white" list


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="1" />
        <parm name="AddPackageNames" value="com.mypackage" />
    </characteristic>
</wap-provisioningdoc>

Specify Applications to Allow and Disallow from Submitting XML


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="0" />
        <parm name="AllowSubmitXMLAction" value="1" />
        <parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
        <parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
    </characteristic>
</wap-provisioningdoc>
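
A pre-deployment check for the pitfalls this page describes (the self-lockout Note, package-name-only matching, and the EMDK WARNING), as an added example that is not Zebra's or StageNow's own code. It judges one profile in isolation, assuming nothing is already on the "white" list; the finding codes, the `submitter` argument, the `com.example.*` names, and the rule that the disallow list wins over the allow list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

EMDK_SERVICE = "com.symbol.emdkservice"  # package name from the page's WARNING
# Constructed sample: Whitelisting on, signature mode unset, EMDK service not allowed.
RISKY = """<wap-provisioningdoc>
  <characteristic version="4.3" type="AccessMgr">
    <parm name="OperationMode" value="2" />
    <parm name="AddPackagesAction" value="1" />
    <parm name="AddPackageNames" value="com.example.scanner" />
    <parm name="AllowSubmitXMLAction" value="1" />
    <parm name="AllowSubmitXMLPackageNames" value="com.example.scanner" />
  </characteristic>
</wap-provisioningdoc>"""

def _names(parms, key):
    """Split a comma-separated parm value into a set of names (empty if absent)."""
    return {n.strip() for n in parms.get(key, "").split(",") if n.strip()}

def lint_accessmgr(xml_text, submitter=None):
    """Finding codes for one profile; submitter is the (hypothetical) app submitting it."""
    doc = ET.fromstring(xml_text)
    node = next((c for c in doc.iter("characteristic") if c.get("type") == "AccessMgr"), None)
    if node is None:
        return ["NO_ACCESSMGR"]
    parms = {p.get("name"): p.get("value", "") for p in node.findall("parm")}
    if parms.get("OperationMode") != "2":
        return []  # this profile does not turn Whitelisting on
    listed = set()  # names this profile adds to the "white" list
    if parms.get("AddPackagesAction") == "1":
        listed |= _names(parms, "AddPackageNames")
    xml_ok = set()  # names this profile allows to submit XML
    if parms.get("AddPackagesActionAllowXML") == "1":
        xml_ok |= _names(parms, "AddPackageNamesAllowXML")
        listed |= xml_ok
    action = parms.get("AllowSubmitXMLAction", "0")
    if action == "1":
        xml_ok |= _names(parms, "AllowSubmitXMLPackageNames")
    elif action == "2":
        xml_ok |= listed
    if action in ("1", "2"):  # assumption: the disallow list wins over allow
        xml_ok -= _names(parms, "DisallowSubmitXMLPackageNames")
    found = []
    if parms.get("AppVerifySignMode", "0") in ("0", "1"):
        found.append("NAME_ONLY")     # matching may rest on Package Name alone
    if submitter and submitter not in listed:
        found.append("SELF_BLOCKED")  # submitting app is not added to the list
    if submitter and submitter not in xml_ok:
        found.append("SELF_NO_XML")   # submitting app cannot reconfigure later
    if action in ("1", "2") and EMDK_SERVICE not in xml_ok:
        found.append("EMDK_MISSING")  # the page's WARNING about the EMDK service
    return found

if __name__ == "__main__":
    print(lint_accessmgr(RISKY, submitter="com.example.config"))
```

Because value 0 of AppVerifySignMode means "Do not change," `NAME_ONLY` on such a profile means the profile does not itself turn Signature verification on, not that the device is known to have it off.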

Queries

Query the Package Names in the Whitelist, the Operation Mode, and the Application Verification Signing Mode


<wap-provisioningdoc>
    <characteristic type="AccessMgr" >
        <parm-query name="PackageNames"/>  
        <parm-query name="OperationMode"/>  
        <parm-query name="AppVerifySignMode"/>  
    </characteristic>
</wap-provisioningdoc>