The "SmartDocs" bar can customize this page to show only the features present on a particular Zebra device.
OSX, MX and Android version information for a device can be found in the Android Settings panel or by querying the device through ADB, EMDK or the MX CSP. More info.
The Access Manager (AccessMgr) enables an admin to configure a device to control which user or "installable" application(s) can be used on the device and what actions the application(s) can perform.
A key feature of AccessMgr is the ability to enable and disable "whitelisting," a process that allows only those applications explicitly specified in a list to run. Whitelisting is disabled by default and imposes no restrictions. When whitelisting is turned on, various restrictions can be applied using AccessMgr. Applications NOT included in the "whitelist" are prevented from running. AccessMgr allows whitelist applications to be installed, launched and maintained, and can control which applications are allowed to submit XML for all CSPs, including AccessMgr itself.
Whitelisting applies only to user applications and has no effect on System applications, which are applications built into the device and are therefore always present. To control aspects of System applications, see AppMgr.
User applications are those NOT built into the device and hence must be installed before they can be used. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed.
Note: It is important to understand that if an app uses AccessMgr to enable whitelisting, then that app becomes subject to whitelisting. If the app does not add itself to the "whitelist," the app is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it would be unable to alter that configuration once successfully applied.
AccessMgr also provides the option to control whether the device user can access a full or reduced version of the in-device Settings panel.
This is the On/Off switch for Whitelisting, which restricts the apps that a device user can install and/or launch. Whitelisting is Off by default, imposing no restrictions. Whitelisting provides device security by preventing the installation and/or use of unauthorized apps, and by complicating the process of app deployment.
Parm Name: OperationMode
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Do not change | This value (or the absence of this parm from the XML) causes no change; any prior settings are retained. |
MX: 9.2+ |
|
1 | Single User without Whitelist | Turns off Whitelisting and all associated functionality. |
OSX: 1.0+ MX: 4.1+ |
|
2 | Single User with Whitelist | Turns on Whitelisting and associated functionality. |
OSX: 1.0+ MX: 4.1+ |
Controls the level of access to the Android Settings panel a device user is granted.
Note: This parameter takes priority over the "Quick Settings" parameter of UI Manager. If Reduced Access is enabled, later attempts enable Quick Settings result in failure.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: SystemSettings
Option | Name | Description | Note | Requires |
---|---|---|---|---|
1 | Full Access | Allows full access to the Android Settings panel. |
OSX: 3.5+ MX: 4.1+ |
|
2 | Reduced Access | Limits Settings panel access to Display, Volume and About features. |
OSX: 3.5+ MX: 4.1+ |
Controls whether Whitelisting verifies the signatures of apps, and if so, which app signatures are verified. Signature verification is turned off by default.
When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "whitelist" is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting it's Package Name to be one that is known to be on the "whitelist," and hence circumvent Whitelisting by impersonating a trusted application.
To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "whitelist" will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "whitelist" so it can be compared against the actual Signature of that application.
Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "whitelist," will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "whitelist."
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AppVerifySignMode
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Do not change | This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained. |
OSX: 3.5+ MX: 4.3+ |
|
1 | Do not verify app signature | This value will cause Signature verification to be turned off, thus causing Package Names alone to be used in to determine if an application is on the "whitelist." |
OSX: 3.5+ MX: 4.3+ |
|
2 | Verify user app signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "whitelist." |
OSX: 3.5+ MX: 4.3+ |
|
3 | Verify all apps signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "whitelist." |
OSX: 3.5+ MX: 4.3+ |
Used to delete Packages from the Whitelist.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: DeletePackagesAction
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Delete NO Packages | This value (or the absence of this parm from the XML) causes no change to device settings; all packages remain on the device. |
OSX: 1.0+ MX: 4.1+ |
|
1 | Delete specified Packages(s) | Causes the selected Package Name(s) to be deleted from the "white list," blocking user or "installable" applications with those Package Names from being installed by the device user or launched. |
OSX: 1.0+ MX: 4.1+ |
|
2 | Delete ALL Packages | Causes all Package Names to be deleted from the "white list," blocking all user or "installable" applications from being installed by the device user or launched. |
OSX: 1.0+ MX: 4.1+ |
|
3 | Delete specified Signature(s) | When Signature verification is turned on, deletes one or more Signatures from the "white list," thus blocking user or "installable" applications with those Signatures from being installed by the device user or launched. |
OSX: 1.0+ MX: 4.1+ |
Used to control which "installable" (non-System) applications can call controllable services running on the device. This allows an administrator to manage access to the services present in a device and the ability of apps to bind to and leverage callable services. This can be used, for example, to prevent access to services relating to sensitive functionality, or to prevent use of such services when they are not explicitly required for a particular usage scenario or app.
Parm Name: ServiceAccessAction
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Do nothing. | This value (or the absence of this parm from the XML) causes no change to device settings; any previously selected setting is retained. |
MX: 8.3+ |
|
1 | AllowBinding | Allows apps to bind to the specified service. |
MX: 8.3+ |
|
2 | DisallowBinding | Prevents apps from binding to the specified service. |
MX: 8.3+ |
|
3 | VerifyBinding | Confirms that an app is permitted to bind to a service. |
MX: 8.3+ |
|
4 | AllowCaller | Allows the specified app(s) to call a specified service. |
MX: 8.3+ |
|
5 | DisallowCaller | Prevents the specified app(s) apps from calling a specified service. |
MX: 8.3+ |
|
6 | VerifyCaller | Confirms that the specified app(s) is permitted to call a specified service. |
MX: 8.3+ |
Used to specify the application package name on which to perform a Service Access Action.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
" Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"
Parm Name: CallerPackageName
Requires:
- MX: 8.3+
Used to specify the signature file on the device that contains the app certificate.
Parm value input rules:
Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"
Parm Name: CallerSignature
Requires:
- MX: 8.3+
Used to specify the service on which to perform a Service Access Action.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
" Shown if: The Service Access Action is NOT "Do Nothing"
Parm Name: ServiceIdentifier
Requires:
- MX: 8.3+
Used to specify Package Names to be deleted from the "whitelist."
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
" Shown if: The Operation Mode is "Single User With Whitelist" *AND* Delete Packages is "Delete specified Packages(s)"
Parm Name: DeletePackageNames
Requires:
- OSX: 1.0+
- MX: 4.1+
Used to specify package signatures to be deleted.
Parm value input rules:
Shown if: Delete Packages is "Delete specified Signature(s)" *AND* the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"
Parm Name: DeletePackageSign
Requires:
- OSX: 3.4+
- MX: 4.3+
Used to add Packages to the "whitelist," which prevents the app from submitting XML. To allow an app to submit XML, see the "Add Packages and Allow to Submit XML" parameter.
Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, the app itself becomes subject to Whitelisting. If the app does not add itself to the "white list," that application is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it is not able to alter that configuration once successfully applied.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AddPackagesAction
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Add No Packages | This value will not cause any Package Names to be added to the "whitelist." |
OSX: 1.0+ MX: 4.1+ |
|
1 | Add Specified Package(s) | This value will cause the specified Package Names to be added the "whitelist." |
OSX: 1.0+ MX: 4.1+ |
Used to specify Package Names to add to the "whitelist."
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
" Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages is "Add Specified Package(s)"
Parm Name: AddPackageNames
Requires:
- OSX: 1.0+
- MX: 4.1+
Used to specify Signature files to be added to the "whitelist."
Parm value input rules:
Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" AND Add Packages is "Add Specified Package(s)"
Parm Name: AddPackageSign
Requires:
- OSX: 3.4+
- MX: 4.3+
Select whether to add Packages to the "whitelist" and allow them to submit XML.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AddPackagesActionAllowXML
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Add NO Packages | This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained. |
OSX: 4.1+ MX: 4.2+ |
|
1 | Add specified Package(s) | This value will cause the specified Package Names to be added to the "whitelist" and also allows the applications identified by those Package Names to submit XML. |
OSX: 4.1+ MX: 4.2+ |
Used to specify Package Name(s) to add to the "whitelist," granting them the ability to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) adds no package names to the list.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
"Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)"
Parm Name: AddPackageNamesAllowXML
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to specify Signatures be add to the "whitelist."
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
"Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)" *AND* Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"
Parm Name: AddPackageSignAllowXML
Requires:
- OSX: 3.4+
- MX: 4.3+
Select whether to allow the application to submit XML and thereby submit device configuration changes through the MX Management Framework.
Notes:
- Can be used only when the Whitelist feature is enabled.
- Requires the EMDK for Android service package
com.symbol.emdkservice
on device.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AllowSubmitXMLAction
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Allow NO applications | This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained. |
OSX: 4.1+ MX: 4.2+ |
|
1 | Allow specified application(s) | This value will cause the applications identified by the specified list of Package Names to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "these but not those." |
OSX: 4.1+ MX: 4.2+ |
|
2 | Allow ALL applications that are permitted to be executed. | Causes all of the applications that are on the "whitelist" (i.e. that are allowed to be launched) to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to specify "all except these." |
OSX: 4.1+ MX: 4.2+ |
Used to specify Package Names to allow to submit XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) prevents all package(s) from submitting XML.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
"Shown if: Allow the Application To Submit XML is "Allow specified application(s)"
Parm Name: AllowSubmitXMLPackageNames
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to specify Package Name(s) to prevent from submitting XML. Specifying an empty (length of zero) value (or the absence of this parm from the XML) will cause no package names to be disallowed from submitting XML.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
"Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"
Parm Name: DisallowSubmitXMLPackageNames
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to control which CSPs on a device are "Protected" from access by apps and which apps are approved to access Protected CSPs. This can be used, for example, to prevent access to CSPs that provide sensitive functionality, or to allow only certain apps to access such CSPs. By default, all CSPs are Unprotected and accessible by all apps.
Note: Supported on SDM660-platform devices only.
Parm Name: CspAccessAction
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Do Nothing | This value (or the absence of this parm from the XML) causes no change; any prior settings are retained. |
MX: 9.2+ Android API: 26+ |
|
1 | Protect | Designates a CSP as inaccessible by all apps except those specifically Approved (see Option 4). |
MX: 9.2+ Android API: 26+ |
|
2 | Unprotect | Removes "Protected" designation from a CSP, making it available to all apps. |
MX: 9.2+ Android API: 26+ |
|
3 | VerifyProtected | Confirms that a CSP is designated as "Protected" and inaccessible to unapproved apps. |
MX: 9.2+ Android API: 26+ |
|
4 | ApproveApplication | Designates an app as "permitted to access" a Protected CSP. |
MX: 9.2+ Android API: 26+ |
|
5 | UnapproveApplication | Removes approval from an app previously "permitted to access" a Protected CSP. |
MX: 9.2+ Android API: 26+ |
|
6 | VerifyApproved | Confirms that an app is designated as "permitted to access" a Protected CSP. |
MX: 9.2+ Android API: 26+ |
Controls whether the application package calling the Protect Action is automatically approved to access the CSP on which the Protect Action is being applied.
Shown if: The CSP Access Action is "Protect"
Parm Name: CspAutoApprove
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | (unchecked) | Requires the app calling the Protect Action to be approved separately to access the specified CSP on the device. |
MX: 9.2+ Android API: 26+ |
|
1 | (checked) | Automatically approves the app calling the Protect Action to access the specified CSP on the device (default). |
MX: 9.2+ Android API: 26+ |
Used to specify the CSP Name for the selected CSP Access Action.
Shown if: The CSP Access Action is NOT "Do Nothing"
Parm Name: CspName
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | Custom | Allows a CSP name not shown on the CSP Names list to be specified. |
MX: 9.2+ |
|
1 | AccessMgr |
MX: 9.2+ |
||
2 | AnalyticsMgr |
MX: 9.2+ |
||
3 | AppGalleryMgr |
MX: 9.2+ |
||
4 | AppMgr |
MX: 9.2+ |
||
5 | AudioMgr |
MX: 9.2+ |
||
6 | AudioVolUIMgr |
MX: 9.2+ |
||
7 | AutoTriggerMgr |
MX: 9.2+ |
||
8 | Batch |
MX: 9.2+ |
||
9 | BatteryMgr |
MX: 9.2+ |
||
10 | BluetoothMgr |
MX: 9.2+ |
||
11 | BrowserMgr |
MX: 9.2+ |
||
12 | BugReportMgr |
MX: 9.2+ |
||
13 | CameraMgr |
MX: 9.2+ |
||
14 | CellularMgr |
MX: 9.2+ |
||
15 | CertMgr |
MX: 9.2+ |
||
16 | Clock |
MX: 9.2+ |
||
17 | ComponentMgr |
MX: 9.2+ |
||
18 | ConditionMgr |
MX: 9.2+ |
||
19 | DevAdmin |
MX: 9.2+ |
||
20 | DeviceCentralMgr |
MX: 9.2+ |
||
21 | DisplayMgr |
MX: 9.2+ |
||
22 | EncryptMgr |
MX: 9.2+ |
||
23 | EnterpriseKeyboard |
MX: 9.2+ |
||
24 | EthernetMgr |
MX: 9.2+ |
||
25 | FileMgr |
MX: 9.2+ |
||
26 | GmsMgr |
MX: 9.2+ |
||
27 | GprsMgr |
MX: 9.2+ |
||
28 | HostsMgr |
MX: 9.2+ |
||
29 | Intent |
MX: 9.2+ |
||
30 | KeyMappingMgr |
MX: 9.2+ |
||
31 | LicenseMgr |
MX: 9.2+ |
||
32 | LifeGuardOTAManager |
MX: 9.2+ |
||
33 | NfcMgr |
MX: 9.2+ |
||
34 | PersistMgr |
MX: 9.2+ |
||
35 | PersonalDictionary |
MX: 9.2+ |
||
36 | PowerKeyMgr |
MX: 9.2+ |
||
37 | PowerMgr |
MX: 9.2+ |
||
38 | RemoteScannerMgr |
MX: 9.2+ |
||
39 | RfidMgr |
MX: 9.2+ |
||
40 | SdCardMgr |
MX: 9.2+ |
||
41 | SettingsMgr |
MX: 9.2+ |
||
42 | Stats |
MX: 9.2+ |
||
43 | StatusMgr |
MX: 9.2+ |
||
44 | ThreatMgr |
MX: 9.2+ |
||
45 | TouchMgr |
MX: 9.2+ |
||
46 | UiMgr |
MX: 9.2+ |
||
47 | UsbMgr |
MX: 9.2+ |
||
48 | Wi-Fi |
MX: 9.2+ |
||
49 | WirelessMgr |
MX: 9.2+ |
||
50 | WorryFreeWiFiMgr |
MX: 9.2+ |
||
51 | XmlMgr |
MX: 9.2+ |
Controls whether the name and signature of the application package calling the Unprotect Action is automatically removed from the "approved" list of the CSP on which the Unprotect Action is being applied.
Shown if: The CSP Access Action is "Unprotect"
Parm Name: CspAutoUnapprove
Option | Name | Description | Note | Requires |
---|---|---|---|---|
0 | (unchecked) | Requires the app calling the Unrotect Action to be manually removed from the "approved" list. |
MX: 9.2+ Android API: 26+ |
|
1 | (checked) | Automatically removes the app calling the Unrotect Action from the "approved" list (default). |
MX: 9.2+ Android API: 26+ |
Used to specify the custom CSP name for a CSP Access Action when the CSP name is not shown on the CSP Names list.
Parm value input rules:
Shown if: The CSP Access Action is NOT "Do Nothing"
Parm Name: CspNameCustom
Requires:
- MX: 9.2+
Used to specify the application package name on which to perform certain CSP Access Actions.
Parm value input rules:
com.mycompany.mypackage
,com.mycompany2.mypackage2
" Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"
Parm Name: AppPackageName
Requires:
- MX: 9.2+
Used to specify the signature file for app certification.
Parm value input rules:
Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"
Parm Name: AppSignature
Requires:
- MX: 9.2+
<wap-provisioningdoc>
<characteristic version="4.3" type="AccessMgr">
<parm name="OperationMode" value="2" />
<parm name="SystemSettings" value="1" />
<parm name="DeletePackagesAction" value="0" />
<parm name="AddPackagesAction" value="1" />
<parm name="AddPackageNames" value="com.mypackage" />
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic version="4.3" type="AccessMgr">
<parm name="OperationMode" value="2" />
<parm name="SystemSettings" value="1" />
<parm name="DeletePackagesAction" value="0" />
<parm name="AddPackagesAction" value="0" />
<parm name="AllowSubmitXMLAction" value="1" />
<parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
<parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="AccessMgr" >
<parm-query name="PackageNames"/>
<parm-query name="OperationMode"/>
<parm-query name="AppVerifySignMode"/>
</characteristic>
</wap-provisioningdoc>