Access Manager

Note: To display only the features present on a particular device, select one or more filters from the SmartDocs bar below.

StageNow - 3.3

Overview

The Access Manager (AccessMgr) enables an admin to configure a device to control which user or "installable" application(s) can be used on the device and what actions the application(s) can perform.

A key feature of AccessMgr is the ability to enable and disable "whitelisting," a process that allows only those applications explicitly specified in a list to run. Whitelisting is disabled by default and imposes no restrictions. When whitelisting is turned on, various restrictions can be applied using AccessMgr. Applications NOT included in the "whitelist" are prevented from running. AccessMgr allows whitelist applications to be installed, launched and maintained, and can control which applications are allowed to submit XML for all CSPs, including AccessMgr itself.

Whitelisting applies only to user applications and has no effect on System applications, which are applications built into the device and are therefore always present. To control aspects of System applications, see AppMgr.

User applications are those NOT built into the device and hence must be installed before they can be used. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed.

Note: It is important to understand that if an app uses AccessMgr to enable whitelisting, then that app becomes subject to whitelisting. If the app does not add itself to the "whitelist," the app is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it would be unable to alter that configuration once successfully applied.

AccessMgr also provides the option to control whether the device user can access a full or reduced version of the in-device Settings panel.

Main Functionality

  • Turn whitelisting on or off
  • Manage the "whitelist" of applications that a device user can install and launch
  • Turn verification of application signatures on or off
  • Control which applications are allowed to submit XML
  • Select whether the device user can access Full or Reduced Settings
  • Set Application Verification Mode to Verify All App Signatures
  • Allow, disallow and verify service binding
  • Allow, disallow and verify calls to a service
  • Designate CSPs on a device as "Protected" from access by apps
  • Approve apps for accessing CSPs designated as Protected

Operation Mode

This is the On/Off switch for Whitelisting, which restricts the apps that a device user can install and/or launch. Whitelisting is Off by default, imposing no restrictions. Whitelisting provides device security by preventing the installation and/or use of unauthorized apps, and by complicating the process of app deployment.

Parm Name: OperationMode

Option Name Description Note Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 9.2+

1 Single User without Whitelist Turns off Whitelisting and all associated functionality.

OSX: 1.0+

MX: 4.1+

2 Single User with Whitelist Turns on Whitelisting and associated functionality.

OSX: 1.0+

MX: 4.1+

System Settings Access

Controls the level of access to the Android Settings panel a device user is granted.

Note: This parameter takes priority over the "Quick Settings" parameter of UI Manager. If Reduced Access is enabled, later attempts enable Quick Settings result in failure.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: SystemSettings

Option Name Description Note Requires
1 Full Access Allows full access to the Android Settings panel.

OSX: 3.5+

MX: 4.1+

2 Reduced Access Limits Settings panel access to Display, Volume and About features.

OSX: 3.5+

MX: 4.1+

Application Verification Signing Mode

Controls whether Whitelisting verifies the signatures of apps, and if so, which app signatures are verified. Signature verification is turned off by default.

When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "whitelist" is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting it's Package Name to be one that is known to be on the "whitelist," and hence circumvent Whitelisting by impersonating a trusted application.

To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "whitelist" will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "whitelist" so it can be compared against the actual Signature of that application.

Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "whitelist," will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "whitelist."

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AppVerifySignMode

Option Name Description Note Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 3.5+

MX: 4.3+

1 Do not verify app signature This value will cause Signature verification to be turned off, thus causing Package Names alone to be used in to determine if an application is on the "whitelist."

OSX: 3.5+

MX: 4.3+

2 Verify user app signature This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "whitelist."

OSX: 3.5+

MX: 4.3+

3 Verify all apps signature This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "whitelist."

OSX: 3.5+

MX: 4.3+

Delete Packages

Used to delete Packages from the Whitelist.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: DeletePackagesAction

Option Name Description Note Requires
0 Delete NO Packages This value (or the absence of this parm from the XML) causes no change to device settings; all packages remain on the device.

OSX: 1.0+

MX: 4.1+

1 Delete specified Packages(s) Causes the selected Package Name(s) to be deleted from the "white list," blocking user or "installable" applications with those Package Names from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

2 Delete ALL Packages Causes all Package Names to be deleted from the "white list," blocking all user or "installable" applications from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

3 Delete specified Signature(s) When Signature verification is turned on, deletes one or more Signatures from the "white list," thus blocking user or "installable" applications with those Signatures from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

Service Access Action

Used to control which "installable" (non-System) applications can call controllable services running on the device. This allows an administrator to manage access to the services present in a device and the ability of apps to bind to and leverage callable services. This can be used, for example, to prevent access to services relating to sensitive functionality, or to prevent use of such services when they are not explicitly required for a particular usage scenario or app.

Parm Name: ServiceAccessAction

Option Name Description Note Requires
0 Do nothing. This value (or the absence of this parm from the XML) causes no change to device settings; any previously selected setting is retained.

MX: 8.3+

1 AllowBinding Allows apps to bind to the specified service.

MX: 8.3+

2 DisallowBinding Prevents apps from binding to the specified service.

MX: 8.3+

3 VerifyBinding Confirms that an app is permitted to bind to a service.

MX: 8.3+

4 AllowCaller Allows the specified app(s) to call a specified service.

MX: 8.3+

5 DisallowCaller Prevents the specified app(s) apps from calling a specified service.

MX: 8.3+

6 VerifyCaller Confirms that the specified app(s) is permitted to call a specified service.

MX: 8.3+

Caller Signature

Used to enter the signature file on the device that contains the app certificate.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"

Parm Name: CallerSignature

Requires:

  • MX: 8.3+

Delete Package Name(s)

Used to enter Package Names to be deleted from the "whitelist."

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Delete Packages is "Delete specified Packages(s)"

Parm Name: DeletePackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Caller Package Name

Used to enter the application package name on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"

Parm Name: CallerPackageName

Requires:

  • MX: 8.3+

Service Identifier

Used to enter the service on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum of 1 character
  • Service names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is NOT "Do Nothing"

Parm Name: ServiceIdentifier

Requires:

  • MX: 8.3+

Delete Package Signature(s)

Used to enter package signatures to be deleted.

Parm value input rules:

  • String with a minimum of 1 character
  • The package signatures must be separated by commas

Shown if: Delete Packages is "Delete specified Signature(s)" *AND* the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: DeletePackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages

Used to add Packages to the "whitelist," which prevents the app from submitting XML. To allow an app to submit XML, see the "Add Packages and Allow to Submit XML" parameter.

Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, the app itself becomes subject to Whitelisting. If the app does not add itself to the "white list," that application is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it is not able to alter that configuration once successfully applied.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesAction

Option Name Description Note Requires
0 Add No Packages This value will not cause any Package Names to be added to the "whitelist."

OSX: 1.0+

MX: 4.1+

1 Add Specified Package(s) This value will cause the specified Package Names to be added the "whitelist."

OSX: 1.0+

MX: 4.1+

Add Package Name(s)

Used to enter Package Names to add to the "whitelist."

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Add Package Signature(s)

Used to enter Signature files to be added to the "whitelist."

Parm value input rules:

  • String with a minimum of 0 character

Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" AND Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Add Packages and Allow to Submit XML

Select whether to add Packages to the "whitelist" and allow them to submit XML.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesActionAllowXML

Option Name Description Note Requires
0 Add NO Packages This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 4.1+

MX: 4.2+

1 Add specified Package(s) This value will cause the specified Package Names to be added to the "whitelist" and also allows the applications identified by those Package Names to submit XML.

OSX: 4.1+

MX: 4.2+

Add Package Name(s) and Allow XML

Used to enter Package Name(s) to add to the "whitelist," granting them the ability to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) adds no package names to the list.

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)"

Parm Name: AddPackageNamesAllowXML

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Add Package Signature(s) and Allow XML

Used to enter Signatures be add to the "whitelist."

Parm value input rules:

  • String with a minimum of 1 character
  • Separate multiple package signatures with commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" *AND* Add Packages and Allow to Submit XML is "Allow specified application(s)" *AND* Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: AddPackageSignAllowXML

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Allow App To Submit XML

Select whether to allow the application to submit XML and thereby submit device configuration changes through the MX Management Framework.

Notes:

  • Can be used only when the Whitelist feature is enabled.
  • Requires the EMDK for Android service package com.symbol.emdkservice on device.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AllowSubmitXMLAction

Option Name Description Note Requires
0 Allow NO applications This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 4.1+

MX: 4.2+

1 Allow specified application(s) This value will cause the applications identified by the specified list of Package Names to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to enter "these but not those."

OSX: 4.1+

MX: 4.2+

2 Allow ALL applications that are permitted to be executed. Causes all of the applications that are on the "whitelist" (i.e. that are allowed to be launched) to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to enter "all except these."

OSX: 4.1+

MX: 4.2+

Allow Package Name(s) to Submit XML

Used to enter Package Names to allow to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) prevents all package(s) from submitting XML.

Parm value input rules:

  • String with a minimum of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)"

Parm Name: AllowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Disallow Package Name(s) to Submit XML

Used to enter Package Name(s) to prevent from submitting XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) allows all packages to submit XML.

Parm value input rules:

  • String with a minimum of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"

Parm Name: DisallowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

CSP Access Action

Used to control which CSPs on a device are "Protected" from access by apps and which apps are approved to access Protected CSPs. This can be used, for example, to prevent access to CSPs that provide sensitive functionality, or to allow only certain apps to access such CSPs. By default, all CSPs are Unprotected and accessible by all apps.

Note: Supported on SDM660-platform devices only.

Parm Name: CspAccessAction

Option Name Description Note Requires
0 Do Nothing This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 9.2+

Android API: 26+

1 Protect Designates a CSP as inaccessible by all apps except those specifically Approved (see Option 4).

MX: 9.2+

Android API: 26+

2 Unprotect Removes "Protected" designation from a CSP, making it available to all apps.

MX: 9.2+

Android API: 26+

3 VerifyProtected Confirms that a CSP is designated as "Protected" and inaccessible to unapproved apps.

MX: 9.2+

Android API: 26+

4 ApproveApplication Designates an app as "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

5 UnapproveApplication Removes approval from an app previously "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

6 VerifyApproved Confirms that an app is designated as "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

Auto-approve CSP (checkbox)

Controls whether the application package calling the Protect Action is automatically approved to access the CSP on which the Protect Action is being applied.

Shown if: The CSP Access Action is "Protect"

Parm Name: CspAutoApprove

Option Name Description Note Requires
0 (unchecked) Requires the app calling the Protect Action to be approved separately to access the specified CSP on the device.

MX: 9.2+

Android API: 26+

1 (checked) Automatically approves the app calling the Protect Action to access the specified CSP on the device (default).

MX: 9.2+

Android API: 26+

Auto-unapprove CSP (checkbox)

Controls whether the name and signature of the application package calling the Unprotect Action is automatically removed from the "approved" list of the CSP on which the Unprotect Action is being applied.

Shown if: The CSP Access Action is "Unprotect"

Parm Name: CspAutoUnapprove

Option Name Description Note Requires
0 (unchecked) Requires the app calling the Unrotect Action to be manually removed from the "approved" list.

MX: 9.2+

Android API: 26+

1 (checked) Automatically removes the app calling the Unrotect Action from the "approved" list (default).

MX: 9.2+

Android API: 26+

CSP Name

Used to enter the CSP Name for the selected CSP Access Action.

Shown if: The CSP Access Action is NOT "Do Nothing"

Parm Name: CspName

Option Name Description Note Requires
0 Custom Allows a CSP name not shown on the CSP Names list to be specified.

MX: 9.2+

1 AccessMgr

MX: 9.2+

2 AnalyticsMgr

MX: 9.2+

3 AppGalleryMgr

MX: 9.2+

4 AppMgr

MX: 9.2+

5 AudioMgr

MX: 9.2+

6 AudioVolUIMgr

MX: 9.2+

7 AutoTriggerMgr

MX: 9.2+

8 Batch

MX: 9.2+

9 BatteryMgr

MX: 9.2+

10 BluetoothMgr

MX: 9.2+

11 BrowserMgr

MX: 9.2+

12 BugReportMgr

MX: 9.2+

13 CameraMgr

MX: 9.2+

14 CellularMgr

MX: 9.2+

15 CertMgr

MX: 9.2+

16 Clock

MX: 9.2+

17 ComponentMgr

MX: 9.2+

18 ConditionMgr

MX: 9.2+

19 DevAdmin

MX: 9.2+

20 DeviceCentralMgr

MX: 9.2+

21 DisplayMgr

MX: 9.2+

22 EncryptMgr

MX: 9.2+

23 EnterpriseKeyboard

MX: 9.2+

24 EthernetMgr

MX: 9.2+

25 FileMgr

MX: 9.2+

26 GmsMgr

MX: 9.2+

27 GprsMgr

MX: 9.2+

28 HostsMgr

MX: 9.2+

29 Intent

MX: 9.2+

30 KeyMappingMgr

MX: 9.2+

31 LicenseMgr

MX: 9.2+

32 LifeGuardOTAManager

MX: 9.2+

33 NfcMgr

MX: 9.2+

34 PersistMgr

MX: 9.2+

35 PersonalDictionary

MX: 9.2+

36 PowerKeyMgr

MX: 9.2+

37 PowerMgr

MX: 9.2+

38 RemoteScannerMgr

MX: 9.2+

39 RfidMgr

MX: 9.2+

40 SdCardMgr

MX: 9.2+

41 SettingsMgr

MX: 9.2+

42 Stats

MX: 9.2+

43 StatusMgr

MX: 9.2+

44 ThreatMgr

MX: 9.2+

45 TouchMgr

MX: 9.2+

46 UiMgr

MX: 9.2+

47 UsbMgr

MX: 9.2+

48 Wi-Fi

MX: 9.2+

49 WirelessMgr

MX: 9.2+

50 WorryFreeWiFiMgr

MX: 9.2+

51 XmlMgr

MX: 9.2+

CSP Custom Name

Used to enter the custom CSP name for a CSP Access Action when the CSP name is not shown on the CSP Names list.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The CSP Access Action is NOT "Do Nothing"

Parm Name: CspNameCustom

Requires:

  • MX: 9.2+

App Package Name

Used to enter the application package name on which to perform certain CSP Access Actions.

Parm value input rules:

  • String with a minimum of 1 character
  • Separate multiple package names with commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"

Parm Name: AppPackageName

Requires:

  • MX: 9.2+

App Signature

Used to enter the signature file for app certification.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"

Parm Name: AppSignature

Requires:

  • MX: 9.2+

Examples

Add an Application to the "whitelist"


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="1" />
        <parm name="AddPackageNames" value="com.mypackage" />
    </characteristic>
</wap-provisioningdoc>

Select Applications to Allow and Disallow from Submitting XML


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="0" />
        <parm name="AllowSubmitXMLAction" value="1" />
        <parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
        <parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
    </characteristic>
</wap-provisioningdoc>

Queries

Query the Package Names in the Whitelist, the Operation Mode, and the Application Verification Signing Mode


<wap-provisioningdoc>
    <characteristic type="AccessMgr" >
        <parm-query name="PackageNames"/>  
        <parm-query name="OperationMode"/>  
        <parm-query name="AppVerifySignMode"/>  
    </characteristic>
</wap-provisioningdoc>