Overview
Managed configurations are part of a specification developed by Google and the Android community for remotely configuring installed applications and devices through any Enterprise Mobility Management (EMM) system that supports it. Originally known as "App Restrictions" because of their limited initial scope, managed configurations (MCs) are now being used by Zebra to remotely configure a variety of settings, including those for device hardware, software and security.
The features of a given app that are manageable using MCs are defined in its schema. The EHS schema is downloaded when visiting Google Play through the EMM console and selecting EHS for administration. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console.† This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .exe
. For more information about configuring Zebra devices with managed configurations, see Zebra OEMConfig.
† The EHS management UI varies slightly depending on the EMM system in use.
Configuring EHS with MCs
At present, the full suite of EHS settings can be administered only through the EnterpriseHomeScreen.xml
config file. Over time, Zebra plans to increase the features manageable through MCs until all are included, at which time the use of the EnterpriseHomeScreen.xml
config file will be deprecated.
Current MC Capabilities:
- Securely mass-deploy EHS settings files across an enterprise
- Limit device-user access to approved apps only
- Prevent unauthorized changes to device apps and settings
Requirements
- One or more Zebra devices running Android 11 or later
- A supported EMM with EHS and its schema downloaded from Google Play
- EHS 5.0 (or later) installed on device(s) (can be deployed by EMM, if necessary)
App Restrictions
EHS app restriction categories and their a corresponding bundles are described in the table below. Specific parameters for each restriction are contained in individual the tables that follow.
Restriction Name | Description | Bundle Name |
---|---|---|
Secure EHS Login Configuration | Controls and configure access to EHS login admin to prevent unexpected configuration changes. | Admin Login Control |
Control access to EHS | Restricts application use of different types of EHS | Application Management Control |
Secure EHS Configuration | Controls and configures access to EHS UI to prevent unexpected configuration changes. | Home Screen UI |
Control access to EHS applications | Lock Down Functionality | |
Control EHS Profiles | Controls role-based profile configurations | Role Selection |
Control size of EHS Logs | Root Log File Max Size | |
Control access to EHS Logs | Root Logging | |
Control EHS reboot on installation | Use Root Reboot on the install bundle |
Admin Login Control Group
Control log-in options of the administrative user on the device.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Change Admin Password | User inputs password | Blank string (default) | Encrypted admin password to set or updated the password. |
Maximum Admin Login Attempt | User inputs 1-100 | 10 (default) | Maximum number of admin login attempts before admin lockout will occur. |
Admin Inactivity Timeout | 0 15 30 60 120 300 600 1800 |
Disabled 15 seconds 30 seconds 1 minute (default) 2 minutes 5 minutes 10 minutes 30 minutes |
Inactivity time (in seconds) before admin is automatically logged out. |
Admin Lockout Recovery | 1 0 |
On Off |
Turn on/off admin lock out recovery |
Admin Recovery Timeout | Integer greater than 15 | 60 (default) | Time (in minutes) that admin must wait before trying to login to admin mode again after being locked out due to reaching maximum failed login attempts. |
Advanced Screen Blanking Group
Controls Do Not Disturb, Notification Pulldown and Navigation Bar functions on the device when applied with Screen Blanking.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Do not Disturb | 0 1 |
Off (default) On |
Controls Do Not Disturb (DND) mode on the device, which (when enabled) silences all notifications coming into the device, including incoming phone calls, text messages, system alerts and all other notifications and sounds. EMM users: This feature requires a device reboot after deployment. |
Notification Pulldown | 0 1 |
Enabled (default) Disabled |
Controls whether a device user is allowed to "pull down" the Notifications/Status bar and access the Notifications panel, which displays active notifications, alerts and other incoming messages. EMM users: This feature requires a device reboot after deployment. |
Navigation Bar | 0 1 |
Enabled (default) Disabled |
Controls the on-screen Navigation Bar, which contains the BACK, HOME and RECENT soft keys. Disabling the Navigation Bar can prevent the user from switching between apps by means of those keys. EMM users: This feature requires a device reboot after deployment. |
Application Folder Management Group
Controls creation and management of application folders for app and shortcut icons visible in User Mode. Created folders are NOT visible in Admin Mode.
App folders also can be created using the EHS config file.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
User screen folder name | User screen folder name | Blank string (default) | String input field for the title of a created folder. Optional; leave empty for a blank title. |
User Screen Applications | User inputs applications | JSON string containing a list of packages and/or activities and/or label information for the app shortcuts to be added to the created folder. Example: [{"package":"com.symbol.datawedge","activity":"com.symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}]
|
|
User Screen Links | User inputs applications | JSON string containing a list of packages and/or URLs/URIs/pinned shortcuts and/or label information for the link shortcuts to be added to the created folder. Example: [{"label":"google","url":"http://www.google.com"}, {"label":"yahoo","url":"http://www.yahoo.com"}]
|
Application Management Group
Control the apps that device users are able to see and launch.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
User screen applications | User inputs applications | JSON string containing a list of packages and/or activities and/or label information for the application shortcuts to be added to the user screen. Example: [{"package":"com.symbol.datawedge","activity":"com.symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}]
|
|
Tools menu applications | User inputs applications | JSON string containing a list of packages and/or activities and/or label information for the application shortcuts to be added to the tools menu. Example: [{"package":"com.symbol.datawedge","activity":"com.symbol.datawedge.DWDemoActivity","label":"DWDemo"}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}]
|
|
User screen links | User inputs applications | JSON string containing a list of packages and/or activities and/or label information for the application shortcut links to be added to the user screen. Example: [{"label":"google","url":"http://www.google.com"}, {"label":"yahoo","url":"http://www.yahoo.com"}]
|
|
Auto launch | 0 1 |
Off (default) On |
Turn on/off app auto-launch |
Auto launch applications | User inputs applications | JSON string containing a list of auto-launch app information with package name, activity, Class Name and launching delay. Example: [{"delay":"8000","package":"com.andoid.calculator","activity":""}, {"package":"com.android.deskclock","activity":"com.android.deskclock.DeskClock","label":"Clock"}]
|
|
Service auto launch | 0 1 |
Off (default) On |
Turn on/off service auto-launch |
Service or Foreground applications | User inputs services or foreground applications | JSON string containing a list of service information with package name, service Class Name, launching delay and action. Example: [{"delay":"4000","package":"com.sample.service","class":"com.sample.service.MyService","action":"downloadfile"}, "delay":"6000","package":"com.sample.fgservice","class":"com.sample.fgservice.FgService","action":"savefile"}]
|
|
Foreground service auto launch | 0 1 |
off (default) On |
Turn on/off foreground service auto-launch. |
Pin shortcuts | 0 1 |
Remove pinned shortcut (default) Add pinned shortcut |
Add or remove pinned shortcuts to local apps or websites. |
Bypass confirmation for pinned shortcuts | 0 1 |
Disallow (default) Allow |
Allow/disallow Bypass confirmation screen for pinned shortcut requests. |
Disable any application | User inputs applications | Comma-separated list of app package names to disable on the device. | |
Enable any application | User inputs applications | Comma-separated list of app package names to enable on the device. | |
Screen blanking | 0 1 |
Off (default) On |
Turn on/off Screen blanking |
Screen blanking threshold | User inputs speed | 10 (default) | A value for speed (5 or greater) to enable Screen Blanking feature. |
Screen blanking mode | 1 2 |
Black screen (default) Transparent screen |
Blanking Mode |
Advanced Screen Blanking | Advanced Screen Blanking Group | Configure Advanced Screen Blanking properties (DND, Notification Pulldown, Navigation Bar) |
Home Screen UI Group
Configure the EHS device user interface.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
EHS title | User inputs title | "Enterprise Home Screen" (default) | Text to display on the title bar. NOTE: This value can be combined with [device_identifier] in the EHS title bar when separated by the "#" character. Example: "XYZ Corp.#[bluetooth_name]" appears as "XYZ Corp.#LI4278 Scanner" EHS 7.1.x fully supports the "EHS title with device identifier" MC (below). To preserve backward compatibility, the method above remains supported and takes precedence. |
EHS title with device identifier | (null) [serial_number] [mac_address] [network_host_name] [bluetooth_address] [bluetooth_name] [imei_number] |
None Serial number MAC address Network host name Bluetooth address Bluetooth name IMEI number |
The device identifier to be appended to title in EHS Title bar. |
Title bar icon | 0 1 |
Show (default) Hide |
Show/hide the title bar icon. |
Title bar icon file | File path of the image file | Path and the name of the file containing the icon to be displayed in the title bar. | |
Reuse of custom icon | 0 1 |
No (default) Yes |
Controls whether to reuse custom icon in other screens. |
App icon settings | 0 1 |
Allow (default) Disallow |
Controls app icon settings to be allowed in user mode. |
Icon settings | S M L XL XXL |
Small (S) Medium (M) (default) Large (L) Extra Large (XL) Extra Extra Large (XXL) |
Used to select the app icon size. |
Screen size | 0 1 |
Off (default) On |
Used to control whether to run an app in full-screen mode and obscure the status bar. |
Orientation | Set EHS orientation | Default (default) Portrait Landscape |
Controls orientation in which the EHS UI will be presented, with \'Default\' indicating use the system default orientation. |
Wallpaper | File path of the image file | Used to enter the image file name and path of the file containing the wallpaper. | |
Wallpaper stretching | 0 1 |
Disabled (default) Enabled |
Controls whether wallpaper is stretched to fill the screen. |
Icon label text color | User inputs HTML color | Used to enter an HTML color code in RGB format for the icon label text. Example: #557BF3 |
|
Icon label background color | User inputs HTML color | Used to enter an HTML color code in RGB format for the icon label background. Example: #557BF3 |
|
IP address | 0 1 |
Hide (default) Show |
Controls whether to show device IP address in user mode. |
MAC address | 0 1 |
Hide (default) Show |
Controls whether to show device MAC address in user mode. |
BSSID | 0 1 |
Hide (default) Show |
Controls whether to show Basic Service Set Identifier (BSSID) of the current access point in User Mode. |
SSID | 0 1 |
hide (default) Show |
Controls whether to show Service Set Identifier (SSID) of the current network in user mode. |
Scan result | 0 1 |
Hide (default) Show |
Controls whether to show the access points found in the most recent scan in user mode. |
Lock Down Functionality Group
Configure device lock-down features and functionality.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Kiosk Mode | 0 1 |
Off (default) On |
Used to turn on/off Kiosk Mode. |
Kiosk apps | User inputs apps | JSON string containing a list of kiosk app package(s) and/or activities and/or label information. Can be used to provide a list of package names as input to support apps with different package names in different Android versions. Example: [ {"package":"com.google.android.calculator","activity":"com.android.calculator2.Calculator","label":"Calculator"}
, {"package":"com.android.calculator2","activity":"com.android.calculator2.Calculator","label":"Calculator"}
]
|
|
Keyguard camera | 1 0 |
Off (default) On |
Used to turn on/off camera application in keyguard/unlock screen. |
Keyguard search | 1 0 |
Off (default) On |
Used to turn on/off search application in keyguard/unlock screen. |
USB debugging | 1 0 |
Off (default) On |
Used to turn on/off adb in the device. |
System settings | 1 0 |
Reduced (default) Full |
Controls whether to display a reduced set of system settings in user mode. |
Recent apps button | 1 0 |
Disabled (default) Enabled |
Controls whether to enable on recent apps button in the device. |
Recent apps access | 1 0 |
Disallow (default) Allow |
Controls whether to allow access to recently launched applications by the user in user mode. |
Log File Max Size
Defines the maximum size of the EHS log file on the device.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Log file maximum size | User inputs value | 10 MB (default) | Used to set the maximum size (in MB) of the log file (from 1–99999). |
Zebra recommends a maximum log file size of 10MB (default) to maintain optimal device performance.
Logging
Used to enable/disable the capture log on the device.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Logging | 0 1 |
On Off |
Used to turn on/off writing to the device log file. |
Reboot on Install
Controls whether to reboot following an installation of the EHS app.
Restriction Name | Value | Display Name | Description |
---|---|---|---|
Auto reboot | 0 1 |
Disabled Enabled |
Controls whether EHS automatically reboots the device the first time it is launched after initial installation. A device reboot is required after EHS installation in order to make EHS fully operational. Reboot can be performed automatically by EHS or manually at a later time. |
Role Selection Group
Configure EHS on a device based on user roles, which are activated by Zebra Identity Guardian (per-device license required).
IMPORTANT NOTES
- When roles are in use on a device, the existing
enterprisehomescreen.xml
profile is known as the "default" role, and is assigned to users launching EHS without a designated Role Name. - Before adding roles, Zebra recommends confirming that the default role defines accessible apps, settings and lockdown functions as required by the organization.
- Content formatting for role configuration files is the same as for the existing
enterprisehomescreen.xml
file. - As with all EHS config files, role files are stored in the
/enterprise/usr
folder on the device. - Role configuration files are named according to their designated Role Name (e.g.
Manager_config.xml
). - To remove or update a role, delete or replace the corresponding XML file in the
/enterprise/usr
folder. - For organizations using Identity Guardian:
- Role Names configured in EHS must match exactly with those of Identity Guardian for successful role assignment during sign-on.
- The EHS User Screen for the default user appears briefly and is operable while Identity Guardian initializes after a device is restarted.
Restriction Name | Value | Description |
---|---|---|
Role Name | [user-defined name] (case-sensitive) |
Used to enter a unique role name, which must match the roles defined in Zebra Identity Guardian. |
Home Screen UI | Home Screen UI Group bundle | Configures the EHS user interface for the role. |
EHS UI Lockdown | Lockdown Functionality Group bundle | Configures access to System settings, USB debugging and other potentially sensitive device features. |
Application Management | Application Management Group bundle | Configures the apps accessible by device users in the role. |
Application Folders | Application Folder Management Group bundle | Configures app folders for role-based profiles. |