Overview
Managed configurations are part of a specification developed by Google and the Android community for remotely configuring installed applications and devices through any Enterprise Mobility Management (EMM) system that supports it. Originally known as "App Restrictions" because of their limited initial scope, managed configurations (MCs) are now being used by Zebra to remotely configure a variety of settings, including those for device hardware, software and security.
The features of a given app that are manageable using MCs are defined in its schema. The EHS schema is downloaded when visiting Google Play through the EMM console and selecting EHS for administration. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console.† This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .exe. For more information about configuring Zebra devices with managed configurations, see Zebra OEMConfig.
† The EHS management UI varies slightly depending on the EMM system in use.
Configuring EHS with MCs
At present, the full suite of EHS settings can be administered only through the EnterpriseHomeScreen.xml config file. Over time, Zebra plans to increase the features manageable through MCs until all are included, at which time the use of the EnterpriseHomeScreen.xml config file will be deprecated.
Current MC Capabilities:
- Securely mass-deploy EHS settings files across an enterprise
- Limit device-user access to approved apps only
- Prevent unauthorized changes to device apps and settings
Requirements
- One or more Zebra devices running Android 11 or later
- A supported EMM with EHS and its schema downloaded from Google Play
- EHS 5.0 (or later) installed on device(s) (can be deployed by EMM, if necessary)
App Restrictions
EHS app restriction categories and their a corresponding bundles are described in the table below. Specific parameters for each restriction are contained in individual the tables that follow.
| Restriction Name | Description | Bundle Name |
|---|---|---|
| Secure EHS Login Configuration | Controls and configure access to EHS login admin to prevent unexpected configuration changes. | Admin Login Control |
| Control access to EHS | Restricts application use of different types of EHS | Application Management Control |
| Secure EHS Configuration | Controls and configures access to EHS UI to prevent unexpected configuration changes. | Home Screen UI |
| Control access to EHS applications | Lock Down Functionality | |
| Control EHS data | Persist access to data | Persist Config Data |
| Control EHS Profiles | Controls role-based profile configurations | Role Selection |
| Control size of EHS Logs | Root Log File Max Size | |
| Control access to EHS Logs | Root Logging | |
| Control EHS reboot on installation | Use Root Reboot on the install bundle |
Admin Login Control Group
Control log-in options of the administrative user on the device.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| Change Admin Password | User inputs password | Blank string (default) | Encrypted admin password to set or updated the password. |
| Maximum Admin Login Attempt | User inputs 1-100 | 10 (default) | Maximum number of admin login attempts before admin lockout will occur. |
| Admin Inactivity Timeout | 0 15 30 60 120 300 600 1800 |
Disabled 15 seconds 30 seconds 1 minute (default) 2 minutes 5 minutes 10 minutes 30 minutes |
Inactivity time (in seconds) before admin is automatically logged out. |
| Admin Lockout Recovery | 1 0 |
On Off |
Turn on/off admin lock out recovery |
| Admin Recovery Timeout | User inputs 0-9999 | 60 (default) | Time (in minutes) that admin must wait before trying to login to admin mode again after being locked out due to reaching maximum failed login attempts. |
Application Management Group
Control the apps that device users are able to see and launch.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| User screen applications | User inputs applications | Json string containing a list of packages and/or activities and/or label information for the application shortcuts to be added to the user screen. Example: [{"package":"com.symbol.datawedge","activity":"com.symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}] |
|
| Tools menu applications | User inputs applications | Json string containing a list of packages and/or activities and/or label information for the application shortcuts to be added to the tools menu. Example: [{"package":"com.symbol.datawedge","activity":"com.symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}] |
|
| User screen links | User inputs applications | Json string containing a list of packages and/or activities and/or label information for the application shortcut links to be added to the user screen. Example: [{"label":"google","url":"http://www.google.com"}, {"label":"yahoo","url":"http://www.yahoo.com"}] |
|
| Auto launch | 0 1 |
Off (default) On |
Turn on/off app auto-launch |
| Auto launch applications | User inputs applications | Json string containing a list of auto-launch app information with package name, activity, Class Name and launching delay. Example: :[{"delay":"8000","package":"com.andoid.calculator","activity":""}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}] |
|
| Service auto launch | 0 1 |
Off (default) On |
Turn on/off service auto-launch |
| Service or Foreground applications | User inputs services or foreground applications | Json string containing a list of service information with package name, service Class Name, launching delay and action. Example: :[{"delay":"4000","package":"com.sample.service","class":"com.sample.service.MyService","action":"downloadfile"}, "delay":"6000","package":"com.sample.fgservice","class":"com.sample.fgservice.FgService","action":"savefile"}] |
|
| Foreground service auto launch | 0 1 |
off (default) On |
Turn on/off foreground service auto-launch. |
| Pin shortcuts | 0 1 |
Remove pinned shortcut (default) Add pinned shortcut |
Add or remove pinned shortcuts to local apps or websites. |
| Bypass confirmation for pinned shortcuts | 0 1 |
Disallow (default) Allow |
Allow/disallow Bypass confirmation screen for pinned shortcut requests. |
| Disable any application | User inputs applications | App checkbox checked if disabled in disabled app list | Comma-separated list of app package names to disable on the device. |
| Enable any application | User inputs applications | Checkbox in front of the application is unchecked if disabled in disabled app list | Comma-separated list of app package names to enable on the device. |
| Screen blanking | 0 1 |
Off (default) On |
Turn on/off Screen blanking |
| Screen blanking threshold | User inputs speed | 10 (default) | A value for speed (5 or greater) to enable Screen Blanking feature. |
| Screen blanking mode | 1 2 |
Black screen (default) Transparent screen |
Blanking Mode |
| Enable icon grouping | 0 1 |
Disable (default) Enable |
Enable/disable icon grouping |
| Application icon grouping | User inputs applications to create the group | Json string containing a list of packages and/or activities and/or label information of the application to be added to create a group. Example: [{title: "UserGroup1",role:"User",applications: [{label: "Calculator",package: " com.android.calculator ",activity: ""},{label: "Calendar",package: " com.android.calendar",activity: ""}] |
Home Screen UI Group
Configure the EHS device user interface.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| EHS title | User inputs title | "Enterprise Home Screen" (default) | Text to display on the title bar. |
| EHS title with device identifier | [serial_number] [mac_address] [network_host_name] [bluetooth_address] [bluetooth_name] [imei_number] |
None Serial number MAC address Network host name Bluetooth address Bluetooth name IMEI number |
The device identifier to be added in title bar text. |
| Title bar icon | 0 1 |
Show (default) Hide |
Show/hide the title bar icon. |
| Title bar icon file | File path of the image file | Path and the name of the file containing the icon to be displayed in the title bar. | |
| Reuse of custom icon | 0 1 |
No (default) Yes |
Controls whether to reuse custom icon in other screens. |
| App icon settings | 0 1 |
Allow (default) Disallow |
Controls app icon settings to be allowed in user mode. |
| Icon settings | S M L XL XXL |
Small (S) Medium (M) (default) Large (L) Extra Large (XL) Extra Extra Large (XXL) |
Used to select the app icon size. |
| Screen size | 0 1 |
Off (default) On |
Used to control whether to run an app in full-screen mode and obscure the status bar. |
| Orientation | Set EHS orientation | Default (default) Portrait Landscape |
Controls orientation in which the EHS UI will be presented, with \'Default\' indicating use the system default orientation. |
| Wallpaper | File path of the image file | Used to enter the image file name and path of the file containing the wallpaper. | |
| Wallpaper stretching | 0 1 |
Disabled (default) Enabled |
Controls whether wallpaper is stretched to fill the screen. |
| Icon label text color | User inputs HTML color | Used to enter an HTML color code in RGB format for the icon label text. Example: #557BF3 |
|
| Icon label background color | User inputs HTML color | Used to enter an HTML color code in RGB format for the icon label background. Example: #557BF3 |
|
| IP address | 0 1 |
Hide (default) Show |
Controls whether to show device IP address in user mode. |
| MAC address | 0 1 |
Hide (default) Show |
Controls whether to show device MAC address in user mode. |
| BSSID | 0 1 |
Hide (default) Show |
Controls whether to show Basic Service Set Identifier (BSSID) of the current access point in User Mode. |
| SSID | 0 1 |
hide (default) Show |
Controls whether to show Service Set Identifier (SSID) of the current network in user mode. |
| Scan result | 0 1 |
Hide (default) Show |
Controls whether to show the access points found in the most recent scan in user mode. |
Lock Down Functionality Group
Configure device lock-down features and functionality.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| Kiosk Mode | 0 1 |
Off (default) On |
Used to turn on/off Kiosk Mode. |
| Kiosk apps | User inputs apps | Json string containing a list of kiosk app package(s) and/or activities and/or label information. Example: :[{"package":"com.symbol.datawedge","activity":"com. symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}] |
|
| Keyguard camera | 1 0 |
Off (default) On |
Used to turn on/off camera application in keyguard/unlock screen. |
| Keyguard search | 1 0 |
Off (default) On |
Used to turn on/off search application in keyguard/unlock screen. |
| USB debugging | 1 0 |
Off (default) On |
Used to turn on/off adb in the device. |
| System settings | 1 0 |
Reduced (default) Full |
Controls whether to display a reduced set of system settings in user mode. |
| Recent apps button | 1 0 |
Disabled (default) Enabled |
Controls whether to enable on recent apps button in the device. |
| Recent apps access | 1 0 |
Disallow (default) Allow |
Controls whether to allow access to recently launched applications by the user in user mode. |
Role Selection Group
Configure EHS on a device based on user roles, which are activated by Zebra Identity Guardian (per-device license required).
IMPORTANT NOTES
- When roles are in use on a device, the existing
enterprisehomescreen.xmlprofile is known as the "default" role, and is assigned to users launching EHS without a designated Role Name. - Before adding roles, Zebra recommends confirming that the default role defines accessible apps, settings and lockdown functions as required by the organization.
- Content formatting for role configuration files is the same as for the existing
enterprisehomescreen.xmlfile. - As with all EHS config files, role files are stored in the
/enterprise/usrfolder on the device. - Role configuration files are named according to their designated Role Name (e.g.
Manager_config.xml). - To remove or update a role, delete or replace the corresponding XML file in the
/enterprise/usrfolder. - For organizations using Identity Guardian:
- Role Names configured in EHS must match exactly with those of Identity Guardian for successful role assignment during sign-on.
- The EHS User Screen for the default user appears briefly and is operable while Identity Guardian initializes after a device is restarted.
| Restriction Name | Value | Description |
|---|---|---|
| Role Name | [user-defined name] (case-sensitive) |
Used to enter a unique role name, which must match the roles defined in Zebra Identity Guardian. |
| Home Screen UI | Home Screen UI Group bundle | Configures the EHS user interface for the role. |
| EHS UI Lockdown | Lockdown Functionality Group bundle | Configures access to System settings, USB debugging and other potentially sensitive device features. |
| Application Management | Application Management Group bundle | Configures the apps accessible by device users in the role. |
Root Logging
Configure root logging to capture log file on the device.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| Logging | 0 1 |
On Off |
Used to turn on/off writing to the device log file. |
Root Log File Max Size
Root log file max size defines the maximum size of the EHS log file.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| Log file maximum size | User inputs value | 10 MB (default) | Used to set the maximum size of the log file in MB (from range 1-99999). |
Root Reboot on Install
Root reboot on install controls whether to reboot on EHS installation.
| Restriction Name | Value | Display Name | Description |
|---|---|---|---|
| Auto reboot | 0 1 |
Disabled Enabled |
Controls whether EHS automatically reboots the device the first time it is launched after initial installation. A device reboot is required after EHS installation in order to make EHS fully operational. Reboot can be performed automatically by EHS or manually at a later time. |