Access Manager

To display only the features present on a particular device, select one or more filters from the SmartDocs bar below.

Input fields accept ENGLISH ONLY.

Queries from MX are not supported on Zebra devices running Android 11 or later. See alternative method.

StageNow - 5.13

Overview

The Access Manager (AccessMgr) enables an administrator to configure a device to control which user or "installable" application(s) can be used on the device and what actions the application(s) can perform.

A key feature of AccessMgr is the ability to enable and disable "whitelisting" (also referred to as "allowlisting"), a process that allows only those applications explicitly specified in a list to run. Whitelisting is disabled by default and imposes no restrictions. When whitelisting is turned on, various restrictions can be applied using AccessMgr. Applications NOT included in the "whitelist" are prevented from running. AccessMgr allows whitelisted applications to be installed, launched and maintained, and can control which applications are allowed to submit XML for all CSPs, including AccessMgr itself.

Whitelisting applies only to user applications; it has no effect on System applications, which come preinstalled on the device. To control aspects of System applications, see AppMgr. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed. AccessMgr also provides the option to control whether the device user can access a full or reduced version of the Android Settings panel.

IMPORTANT

  • If an app uses AccessMgr to enable whitelisting (aka "allowlisting"), the app itself becomes subject to whitelisting and is prevented from running if it fails to add itself to the whitelist. Also, if such an app does not explicitly allow itself to submit XML, it would be unable to alter that configuration, once successfully applied.
  • Running apps and/or activities in Android lock task mode might prevent other, desired apps from launching on the device.
    Learn more about Android lock task mode.

Signature Files

Signature files can be used by Access Manager to provide added levels of application security, including control over approving apps to run and permission to add apps (or one or more of an app's functions) to a Function Group.

To understand how to get an app signature, please see the SigTools sample app.

Main Functionality

  • Turn On/Off:
    • App whitelisting (aka "allow-listing")
    • Verification of app signatures
    • Auto-approve/unapprove app access Protected CSPs
    • Auto-approve/unapprove app access Protected Function Groups
    • Automatically deny usage permission to seldom-used apps
  • Perform Protected Function Groups Actions:
    • Create
    • Delete
    • Approve
    • Unapprove
    • Protect
    • Unprotect
  • Set Permission Access Actions:
    • Allow
    • Deny
    • Allow Device User to Choose
  • Control Device-user Access to:
    • System Settings panel
    • Notifications
    • App usage statistics
    • System Alert Window
    • App Ops Statistics
    • Battery Statistics
    • USB/SD Card Storage Management
  • Grant, Deny, "pre-grant" or "pre-deny" permission to apps for access to:
    • Battery stats
    • Notifications
    • Package usage stats
    • System alert window
    • App operations stats
    • External storage management
    • Resources deemed to require "Dangerous Permissions"
    • Permission for some Zebra apps to access system logs on the device
  • Manage the "whitelist" (aka "allow-list") of applications that a device user is allowed to install and launch
  • Control which applications are allowed to submit XML
  • Select whether the device user can access Full, Reduced or no device Settings
  • Set Application Verification Mode to Verify All App Signatures
  • Allow, disallow and verify:
    • Service binding
    • Calls to a service
  • Create, delete, protect and verify Function Groups
  • Designate CSPs on a device as "Protected" from access by apps
  • Approve apps for accessing CSPs designated as Protected
  • Acquire and verify a token for accessing a Protected service

Package names can vary from one Android version to another.


Operation Mode

This is the On/Off switch for whitelisting, which restricts the apps that a device user can install and/or launch. Whitelisting is Off by default, imposing no restrictions. Whitelisting provides device security by preventing the installation and/or use of unauthorized apps, and by complicating the process of app deployment.

IMPORTANT: Access Manager controls access to apps; it does NOT install or uninstall apps. Activating whitelist restrictions after an app is installed or removing an app from an existing whitelist blocks access to that app, it does not uninstall it. Such apps remain on the device and become accessible if whitelisting restrictions are removed.

Parm Name: OperationMode

Option Name Description Note Status Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 9.2+

1 Single User without Whitelist Turns off whitelisting and all associated functionality.

OSX: 1.0+

MX: 4.1+

2 Single User with Whitelist Turns on whitelisting and associated functionality.

OSX: 1.0+

MX: 4.1+

Add Packages and Allow to Submit XML

Used to select whether to add Packages to the "whitelist" and allow them to submit XML.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesActionAllowXML

Option Name Description Note Status Requires
0 Add NO Packages This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 4.1+

MX: 4.2+

1 Add specified Package(s) Adds the specified Package Names to the "whitelist," allowing those apps to submit XML.

OSX: 4.1+

MX: 4.2+

Delete Package Name(s)

Used to enter Package Names to be deleted from the "whitelist."

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" AND Delete Packages is "Delete specified Packages(s)"

Parm Name: DeletePackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Add Package Name(s)

Used to enter Package Names to add to the "whitelist" of apps allowed to execute.

Package names can vary from one Android version to another.

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageNames

Requires:

  • OSX: 1.0+
  • MX: 4.1+

Add Packages

Used to add Packages to the "whitelist," which prevents the app from submitting XML. To allow an app to submit XML, see the "Add Packages and Allow to Submit XML" parameter.

Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, the app itself becomes subject to Whitelisting. If the app does not add itself to the "white list," that application is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it is not able to alter that configuration once successfully applied.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AddPackagesAction

Option Name Description Note Status Requires
0 Add No Packages This value will not cause any Package Names to be added to the "whitelist."

OSX: 1.0+

MX: 4.1+

1 Add Specified Package(s) This value will cause the specified Package Names to be added the "whitelist."

OSX: 1.0+

MX: 4.1+

System Settings Access

Controls the level of access to the Android Settings panel a device user is granted. This parameter takes priority over the "Quick Settings" parameter of UI Manager. If Reduced Access is enabled, any later attempt enable Quick Settings results in failure.

NOTE: On devices running Android 11 (and later) with OSX 11.5.21 or later, the Reduced Settings option also enables Accessibility features.

Use of this parameter is the Zebra-recommended method of limiting or preventing user access to the Android System Settings panel. Blocking access by any other means could lead to unwanted system behavior.

Parm Name: SystemSettings

Option Name Description Note Status Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 11.3+

1 Full Allows full access to the Android Settings panel.

OSX: 3.5+

MX: 4.1+

2 Reduced Settings without Accessibility Limits Settings panel access to Display, Volume and About features. See NOTE above.

OSX: 3.5+

MX: 4.1+

3 None Prevents user access to the Android Settings panel.

MX: 11.3+

4 Reduced Settings with Accessibility Limits Settings panel access to Display, Volume, About and Accessibility features. See NOTE above.

OSX: 11.5.21+

MX: 11.7+

Application Verification Signing Mode

Controls whether Whitelisting verifies the signatures of apps, and if so, which app signatures are verified. Signature verification is turned off by default.

When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "whitelist" is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting it's Package Name to be one that is known to be on the "whitelist," and hence circumvent Whitelisting by impersonating a trusted application.

To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "whitelist" will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "whitelist" so it can be compared against the actual Signature of that application.

Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "whitelist," will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "whitelist."

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AppVerifySignMode

Option Name Description Note Status Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 3.5+

MX: 4.3+

1 Do not verify app signature This value will cause Signature verification to be turned off, thus causing Package Names alone to be used in to determine if an application is on the "whitelist."

OSX: 3.5+

MX: 4.3+

2 Verify user app signature This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "whitelist."

OSX: 3.5+

MX: 4.3+

3 Verify all apps signature This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "whitelist."

OSX: 3.5+

MX: 4.3+

Add Package Signature(s)

Used to enter Signature file(s) to be added to the "whitelist" and allowed to run on the device. Learn how to get a signature file.

Parm value input rules:

  • String with a minimum of 0 character

Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" AND Add Packages is "Add Specified Package(s)"

Parm Name: AddPackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Delete Package Signature(s)

Used to enter package signatures to be deleted.

Parm value input rules:

  • String with a minimum of 1 character
  • The package signatures must be separated by commas

Shown if: Delete Packages is "Delete specified Signature(s)" AND the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: DeletePackageSign

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Delete Package Actions

Used to delete Packages from the Whitelist.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: DeletePackagesAction

Option Name Description Note Status Requires
0 Delete NO Packages This value (or the absence of this parm from the XML) causes no change to device settings; all packages remain on the device.

OSX: 1.0+

MX: 4.1+

1 Delete specified Packages(s) Causes the selected Package Name(s) to be deleted from the "white list," blocking user or "installable" applications with those Package Names from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

2 Delete ALL Packages Causes all Package Names to be deleted from the "white list," blocking all user or "installable" applications from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

3 Delete specified Signature(s) When Signature verification is turned on, deletes one or more Signatures from the "white list," thus blocking user or "installable" applications with those Signatures from being installed by the device user or launched.

OSX: 1.0+

MX: 4.1+

Service Access Action

Used to control which "installable" (non-System) applications can call controllable services running on the device. This allows an administrator to manage access to the services present in a device and the ability of apps to bind to and leverage callable services. This can be used, for example, to prevent access to services relating to sensitive functionality, or to prevent use of such services when they are not explicitly required for a particular usage scenario or app.

Status: This feature also can be implemented using Delegation Scopes through StageNow and/or OEMConfig.

Parm Name: ServiceAccessAction

Option Name Description Note Status Requires
0 Do nothing This value (or the absence of this parm from the XML) causes no change to device settings; any previously selected setting is retained.

MX: 8.3+

1 AllowBinding Allows apps to bind to the specified service.

MX: 8.3+

2 DisallowBinding Prevents apps from binding to the specified service.

MX: 8.3+

3 VerifyBinding Confirms that an app is permitted to bind to a service.

MX: 8.3+

4 AllowCaller Allows the specified app(s) to call a specified service.

MX: 8.3+

5 DisallowCaller Prevents the specified app(s) apps from calling a specified service.

MX: 8.3+

6 VerifyCaller Confirms that the specified app(s) is permitted to call a specified service.

MX: 8.3+

7 AquireToken Acquires a token for permission to call a specified service.

MX: 10.1+

8 VerifyCallerToken Confirms that a token allows calls to a specified service.

MX: 10.1+

Caller Signature

Used to enter the signature file on the device that contains the app certificate. Learn how to get a signature file.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Service Access Action is "Allow Caller" or "Disallow Caller" or "Verify Caller"

Parm Name: CallerSignature

Requires:

  • MX: 8.3+

Service Access Token

Used to enter the name of the caller token to be verified.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Service Access Action is "Verify Caller Token"

Parm Name: ServiceAccessToken

Requires:

  • MX: 10.1+

Service Identifier

Used to enter the service on which to perform a Service Access Action.

Parm value input rules:

  • String with a minimum of 1 character
  • Service names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is NOT "Do Nothing"

Parm Name: ServiceIdentifier

Requires:

  • MX: 8.3+

Caller Package Name

Used to enter the application package name on which to perform a Service Access Action.

Package names can vary from one Android version to another.

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Service Access Action is "Allow Caller" or "Disallow Caller" or "Verify Caller"

Parm Name: CallerPackageName

Requires:

  • MX: 8.3+

Add Package Name(s) and Allow XML

Used to enter Package Name(s) to add to the "whitelist," granting them the ability to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) adds no package names to the list.

Package names can vary from one Android version to another.

Parm value input rules:

  • String with a minimum of 1 character
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages and Allow to Submit XML is "Allow specified application(s)"

Parm Name: AddPackageNamesAllowXML

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Add Package Signature(s) and Allow XML

Used to enter Signatures add to the "whitelist."

Parm value input rules:

  • String with a minimum of 1 character
  • Separate multiple package signatures with commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages and Allow to Submit XML is "Allow specified application(s)" AND Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"

Parm Name: AddPackageSignAllowXML

Requires:

  • OSX: 3.4+
  • MX: 4.3+

Allow App To Submit XML

Select whether to allow the application to submit XML and thereby submit device configuration changes through the MX Management Framework.

NOTES:

  • Can be used only when the Whitelist feature is enabled.
  • Requires the EMDK for Android service package com.symbol.emdkservice on device.

Shown if: The Operation Mode is "Single User With Whitelist"

Parm Name: AllowSubmitXMLAction

Option Name Description Note Status Requires
0 Allow NO applications This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained.

OSX: 4.1+

MX: 4.2+

1 Allow specified application(s) This value will cause the applications identified by the specified list of Package Names to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to enter "these but not those."

OSX: 4.1+

MX: 4.2+

2 Allow ALL applications that are permitted to be executed Causes all of the applications that are on the "whitelist" (i.e. that are allowed to be launched) to be allowed to submit XML. This value also allows a list of Package Names to be specified that will NOT be allowed to submit XML, thus providing an option to enter "all except these."

OSX: 4.1+

MX: 4.2+

Allow Package Name(s) to Submit XML

Used to enter Package Names to allow to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) prevents all package(s) from submitting XML.

Package names can vary from one Android version to another.

Parm value input rules:

  • String with a minimum of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)"

Parm Name: AllowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Disallow Package Name(s) to Submit XML

Used to enter Package Name(s) of apps to prevent from submitting XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) allows all packages to submit XML.

Parm value input rules:

  • String with a minimum of 0 characters
  • Package names must be separated by commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"

Parm Name: DisallowSubmitXMLPackageNames

Requires:

  • OSX: 4.1+
  • MX: 4.2+

Automatic Permission Control

Controls whether to allow the Android system to automatically deny permissions previously granted by an admin or user for an app that has not been recently used.

Parm Name: AutomaticPermissionControl

Option Name Description Note Status Requires
0 Do not change This value (or the absence of this parm from the XML) causes no change to device settings; any previously selected settings are retained.

MX: 13.1+

Android API: 30+

1 Turn On Allows the Android system to automatically deny usage permissions to unused apps.

MX: 13.1+

Android API: 30+

2 Turn Off Prevents the Android system from automatically denying usage permissions to unused apps.

MX: 13.1+

Android API: 30+

Automatic Permission Package Name

Used to enter the package name of the app being acted upon by the selected Automatic Permission Control Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Automatic Permission Control is "Turn On" OR "Turn Off"

Parm Name: AutoPermissionControlPackageName

Requires:

  • MX: 13.1+
  • Android API: 30+

Automatic Permission Signature File

Used to enter the signature file for the app being acted upon by the selected Automatic Permission Control Action. Learn how to get a signature file.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Automatic Permission Control is "Turn On" OR "Turn Off"

Parm Name: AutoPermissionControlSignature

Requires:

  • MX: 13.1+
  • Android API: 30+

CSP Access Action

Used to control which CSPs on a device are "Protected" from access by apps, and which apps are approved to access Protected CSPs. This can be used, for example, to prevent access to CSPs that provide sensitive functionality, or to allow only certain apps to access such CSPs. By default, all CSPs are Unprotected and accessible by all apps.

NOTE: This parameter is part of a Function Group called CSP Access Management, which can be used to prevent sensitive functions from being accessed by unauthorized apps.

Parm Name: CspAccessAction

Option Name Description Note Status Requires
0 Do Nothing This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 9.2+

Android API: 26+

1 Protect Designates a CSP as inaccessible by all apps except those specifically Approved (see Option 4).

MX: 9.2+

Android API: 26+

2 Unprotect Removes "Protected" designation from a CSP, making it available to all apps.

MX: 9.2+

Android API: 26+

3 VerifyProtected Confirms that a CSP is designated as "Protected" and inaccessible to unapproved apps.

MX: 9.2+

Android API: 26+

4 ApproveApplication Designates an app as "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

5 UnapproveApplication Removes approval from an app previously "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

6 VerifyApproved Confirms that an app is designated as "permitted to access" a Protected CSP.

MX: 9.2+

Android API: 26+

Auto-approve CSP (checkbox)

Controls whether the application package calling the Protect Action is automatically approved to access the CSP on which the Protect Action is being applied.

Shown if: The CSP Access Action is "Protect"

Parm Name: CspAutoApprove

Option Name Description Note Status Requires
0 (unchecked) Requires the app calling the Protect Action to be approved separately to access the specified CSP on the device.

MX: 9.2+

Android API: 26+

1 (checked) Automatically approves the app calling the Protect Action to access the specified CSP on the device (default).

MX: 9.2+

Android API: 26+

Auto-unapprove CSP (checkbox)

Controls whether the name and signature of the application package calling the Unprotect Action is automatically removed from the "approved" list of the CSP on which the Unprotect Action is being applied.

Shown if: The CSP Access Action is "Unprotect"

Parm Name: CspAutoUnapprove

Option Name Description Note Status Requires
0 (unchecked) Requires the app calling the Unprotect Action to be manually removed from the "approved" list.

MX: 9.2+

Android API: 26+

1 (checked) Automatically removes the app calling the Unprotect Action from the "approved" list (default).

MX: 9.2+

Android API: 26+

CSP Name

Used to enter the CSP Name for the selected CSP Access Action.

Shown if: The CSP Access Action is NOT "Do Nothing"

Parm Name: CspName

Option Name Description Note Status Requires
0 Custom Allows a CSP name not shown on the CSP Names list to be specified.

MX: 9.2+

1 AccessMgr

MX: 9.2+

2 AnalyticsMgr

MX: 9.2+

3 AppGalleryMgr

MX: 9.2+

4 AppMgr

MX: 9.2+

5 AudioMgr

MX: 9.2+

6 AudioVolUIMgr

MX: 9.2+

7 AutoTriggerMgr

MX: 9.2+

8 Batch

MX: 9.2+

9 BatteryMgr

MX: 9.2+

10 BluetoothMgr

MX: 9.2+

11 BrowserMgr

MX: 9.2+

12 BugReportMgr

MX: 9.2+

13 CameraMgr

MX: 9.2+

14 CellularMgr

MX: 9.2+

15 CertMgr

MX: 9.2+

16 Clock

MX: 9.2+

17 ComponentMgr

MX: 9.2+

18 ConditionMgr

MX: 9.2+

19 DevAdmin

MX: 9.2+

20 DeviceCentralMgr

MX: 9.2+

21 DisplayMgr

MX: 9.2+

22 EncryptMgr

MX: 9.2+

23 EnterpriseKeyboard

MX: 9.2+

24 EthernetMgr

MX: 9.2+

25 FileMgr

MX: 9.2+

26 GmsMgr

MX: 9.2+

27 GprsMgr

MX: 9.2+

28 HostsMgr

MX: 9.2+

29 Intent

MX: 9.2+

30 KeyMappingMgr

MX: 9.2+

31 LicenseMgr

MX: 9.2+

32 LifeGuardOTAManager

MX: 9.2+

33 NfcMgr

MX: 9.2+

34 PersistMgr

MX: 9.2+

35 PersonalDictionary

MX: 9.2+

36 PowerKeyMgr

MX: 9.2+

37 PowerMgr

MX: 9.2+

38 RemoteScannerMgr

MX: 9.2+

39 RfidMgr

MX: 9.2+

40 SdCardMgr

MX: 9.2+

41 SettingsMgr

MX: 9.2+

42 Stats

MX: 9.2+

43 StatusMgr

MX: 9.2+

44 ThreatMgr

MX: 9.2+

45 TouchMgr

MX: 9.2+

46 UiMgr

MX: 9.2+

47 UsbMgr

MX: 9.2+

48 Wi-Fi

MX: 9.2+

49 WirelessMgr

MX: 9.2+

50 WorryFreeWiFiMgr

MX: 9.2+

51 XmlMgr

MX: 9.2+

CSP Custom Name

Used to enter the custom CSP name for a CSP Access Action when the CSP name is not shown on the CSP Names list.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The CSP Access Action is NOT "Do Nothing"

Parm Name: CspNameCustom

Requires:

  • MX: 9.2+

App Package Name

Used to enter the application package name on which to perform certain CSP Access Actions.

Package names can vary from one Android version to another.

Parm value input rules:

  • String with a minimum of 1 character
  • Separate multiple package names with commas, such as "com.mycompany.mypackage,com.mycompany2.mypackage2"

Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"

Parm Name: AppPackageName

Requires:

  • MX: 9.2+

App Signature

Used to enter the signature file for app certification. Learn how to get a signature file.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"

Parm Name: AppSignature

Requires:

  • MX: 9.2+

Permission Access Action

Used to select a Permission Action to perform on an app from the list of available permissions in the Permission Access Permission Name parameter. Once granted, permission is retained by the app unless explicitly revoked by a subsequent Permission Action, app is uninstalled by any means or an Enterprise Reset or Factory Reset is performed. If an app loses permission through uninstallation, permission can be re-granted only after the app is reinstalled. This feature requires MX 10.0.5.1 or later on the device. Which MX version is installed?

Note: This feature requires MX 10.0.5.1 or later on the device.

Parm Name: PermissionAccessAction

Option Name Description Note Status Requires
0 Do Nothing This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 10.0+

Android API: 26+

1 Allow Grants permission to an app.

MX: 10.0+

Android API: 26+

2 Deny Denies permission to an app.

MX: 10.0+

Android API: 26+

3 Allow User to choose Prompts device user to grant or deny permission to an app for access to a device resource (such as a camera or scanner). This is the Android-default setting.

MX: 10.0+

Android API: 26+

4 Verify Verifies whether permission is granted to an app.

MX: 10.0+

Android API: 26+

Permission Access Package Name

Used to enter the Package Name of an application on which to perform the selected Permission Access Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Permission Access Action is NOT "Do Nothing"

Parm Name: PermissionAccessPackageName

Requires:

  • MX: 10.0+
  • Android API: 26+

Permission Access Signature

Used to enter the signature file for the app being acted upon by the selected Permission Access Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Permission Access Action is NOT "Do Nothing"

Parm Name: PermissionAccessSignature

Requires:

  • MX: 10.0+

Permission Access Permission Name

Used to select the subsystem on the device to which to apply the permission being assigned to an app by the Permission Access Action parameter.

Learn more about Android Permissions.

Note: Some options rely on Android 11 (or later). This parameter can be used to grant or deny permission to installed apps. On devices running Android 10+, also can "pre-grant" or "pre-deny" permission for apps yet to be installed.

Parm Name: PermissionAccessPermissionName

Option Name Description Note Status Requires
1 Access Notifications Controls permission to access Notifications on the device.

MX: 10.0+

Android API: 27+

2 Package Usage Stats Controls permission to access app usage statistics for the device.

MX: 10.0+

Android API: 27+

3 System Alert Window Controls "overlay" permission, which allows one app to draw its window(s) over another.

MX: 10.0+

Android API: 27+

4 Get AppOps Stats Controls permission to access app operations statistics, used to determine the resources being used by apps on the device.

MX: 10.0+

Android API: 27+

5 Battery Stats Controls permission to access battery statistics for the device.

MX: 10.0+

Android API: 27+

6 Manage External Storage Controls management of USB and/or SD card storage media attached to the device.

MX: 10.4+

Android API: 30+

7 Bind Notification Listener Controls permission to access the Android service that receives system calls relating to notifications.

MX: 11.5+

Android API: 30+

8 Read Logs (specially trusted Zebra apps only) Controls permission to access system logs on the device. Applies only to Zebra apps signed by the Zebra Privileged Key or Zebra Platform Key.

MX: 11.9+

Android API: 30+

9 All Dangerous Permissions Controls access to Dangerous Permissions declared by an app in its manifest. Allows for pre-granting, pre-denying or deferral to the user (the default) such permissions, which are deemed by Google to "provide an app with access to private user data or control over the device that could negatively impact the user." Learn more at the link above.

MX: 13.1+

Android API: 30+

Group Access Action

Used to select an Action to perform on new or existing Function Groups. A Function Group is a set of functions that an administrator can designate as "sensitive" and worthy of protection from unauthorized use by apps. For example, a "Communications" Function Group might designate certain functions from CellularMgr, GprsMgr and Wi-Fi CSPs as sensitive and limit access to authorized apps only.

By default, all features are Unprotected and all apps are Authorized to access all functions. Once a Function Group is created and set as Protected, all apps are prevented from accessing functions within that group except apps specifically Approved for access.

Parm Name: GroupAccessAction

Option Name Description Note Status Requires
0 Do Nothing This value (or the absence of this parm from the XML) causes no change; any prior settings are retained.

MX: 10.0+

Android API: 26+

1 Create Creates a Custom Function Group.

MX: 10.0+

Android API: 26+

2 Delete Deletes a Custom Function Group.

MX: 10.0+

Android API: 26+

3 Protect Declares a Function Group as Protected.

MX: 10.0+

Android API: 26+

4 Unprotect Declares a Function Group as Unprotected.

MX: 10.0+

Android API: 26+

5 VerifyProtected Verifies whether a Function Group is Protected.

MX: 10.0+

Android API: 26+

6 ApproveApplication Approves an application to use a Function Group.

MX: 10.0+

Android API: 26+

7 UnapproveApplication Removes approval from an application for using a Function Group.

MX: 10.0+

Android API: 26+

8 VerifyApproved Verifies that an application is Approved to use a Function Group.

MX: 10.0+

Android API: 26+

Group App Package Name

Used to enter the Package Name of an application on which to perform the selected Group Access Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Group Access Action is "ApproveApplication" or "UnapproveApplication" or "VerifyApproved"

Parm Name: GroupPackageName

Requires:

  • MX: 10.0+
  • Android API: 26+

Group App Signature

Used to enter the signature of an application on which to perform the selected Group Access Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Group Access Action is "ApproveApplication" or "UnapproveApplication" or "VerifyApproved"

Parm Name: GroupSignature

Requires:

  • MX: 10.0+
  • Android API: 26+

Group Select Custom Name

Used to enter the name of the Custom Function Group on which to perform the chosen Group Access Action.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Group Select is "Custom" AND Group Access Action is NOT "Do Nothing" or "Create" or "Delete"

Parm Name: GroupSelectCustomName

Requires:

  • MX: 10.0+
  • Android API: 26+

Group Auto-unapprove (checkbox)

Controls whether the application package calling a Protected Function Group is automatically unapproved to access the Function Group.

Shown if: The Group Access Action is "Unprotect"

Parm Name: GroupAutoUnapprove

Option Name Description Note Status Requires
0 (unchecked) Requires the app calling the Protect Action to be approved separately to access the specified Function Group on the device.

MX: 10.0+

Android API: 26+

1 (checked) Automatically unapproves an app for access to a Function Group.

MX: 10.0+

Android API: 26+

Group Name

Used to enter the Name of the Custom Function Group being defined.

Parm value input rules:

  • String with a minimum of 1 character

Shown if: The Group Access Action is "Create" or "Delete"

Parm Name: GroupCustomName

Requires:

  • MX: 10.0+
  • Android API: 26+

Group Entries

Used to enter the CSP names and (optionally) the CSP parameter(s) and parameter values to add to a Custom Function Group. Entering the CSP name alone adds all CSP functions to the Function Group.

Parm value input rules:

  • String with a minimum of 1 character
  • Use commas to separate multiple CSP names and/or CSP parm(s)/parm values
  • Formats: CSPname, CSPname:parmName, CSPname:CSPparm={parmValue}

Example: BluetoothMgr,UiMgr:NotificationPullDown,SdCardMgr:SdCardUsage={0}

Shown if: The Group Access Action is "Create"

Parm Name: GroupCustomDetails

Requires:

  • MX: 10.0+
  • Android API: 26+

Group Auto-approve (checkbox)

Controls whether the application package calling a Protected Function Group is automatically approved to access the group.

Shown if: The Group Access Action is "Protect"

Parm Name: GroupAutoApprove

Option Name Description Note Status Requires
0 (unchecked) Requires the app calling a Protected Function Group to be approved separately to access the specified group on the device.

MX: 10.0+

Android API: 26+

1 (checked) Automatically approves the app for calling a Protected Function Group.

MX: 10.0+

Android API: 26+

Examples

Add an Application to the "whitelist"


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="1" />
        <parm name="AddPackageNames" value="com.mypackage" />
    </characteristic>
</wap-provisioningdoc>

Select Applications to Allow and Disallow from Submitting XML


<wap-provisioningdoc>
    <characteristic version="4.3" type="AccessMgr">
        <parm name="OperationMode" value="2" />
        <parm name="SystemSettings" value="1" />
        <parm name="DeletePackagesAction" value="0" />
        <parm name="AddPackagesAction" value="0" />
        <parm name="AllowSubmitXMLAction" value="1" />
        <parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
        <parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
    </characteristic>
</wap-provisioningdoc>

Queries

Queries are not supported on Zebra devices running Android 11 or later.

Query the Package Names in the Whitelist, the Operation Mode, and the Application Verification Signing Mode


<wap-provisioningdoc>
    <characteristic type="AccessMgr" >
        <parm-query name="PackageNames"/>  
        <parm-query name="OperationMode"/>  
        <parm-query name="AppVerifySignMode"/>  
    </characteristic>
</wap-provisioningdoc>