Hi Lakshman,

+1 for two options in EMM

1. White list is enabled or not
2. Which app store is used to provide the white list


But I think the operation is very expensive.
1. Getting the app list from the device (if the user has multiple devices, you
need to get them separately)
2. Sending all of them to app manager to check the compliance.
3. Then block apps which do not comply on each device.

The following operation would be much easier.
1. Getting the subscribed app list from the user in app manager.
2. Sending that app list to the user's devices for white listing.



On Tue, Mar 1, 2016 at 5:32 AM, Lakshman Udayakantha <lakshm...@wso2.com>
wrote:

> Hi Chathura et al,
>
> @Chathura: Thanks for the detailed information.
>
> As per the offline discussion with PrabathA, EMM should specify explicitly
> that EMM is using the app manager white list. Therefore, when a policy is
> created, the information below should be provided.
>
> 1. White list is enabled or not
> 2. Which app store is used to provide the white list
>
> When considering policy compliance, it will get the installed application
> list from the device and will pass that application list to app manager.
> There should be an API in app manager to return true if the user has access
> to the application list, and if not, return false with the list of
> applications which are not accessible by the user. If there is a mismatch,
> EMM will pass the relevant application list to the device to block or
> uninstall them.
>
> Please comment if you have any concern about this approach.
>
> Thanks
>
> On Mon, Feb 29, 2016 at 5:47 PM, Lakshman Udayakantha <lakshm...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> After a bit of discussion with the EMM team, it is decided to move creation
>> of the white list policy to the app manager itself. We will provide a
>> configuration for whether the white list is enabled or not. If the white list
>> is enabled in the configuration, a new policy will be created in EMM when a
>> new application is going to be published. All later applications will be
>> added to the existing white list policy when they are going to be published.
>> This new policy will be listed in the policy list and can be edited later to
>> add new policy criteria.
>>
>> When considering policy compliance, EMM will request the application list
>> with roles and update the existing policy, and will request the installed
>> application list from the device and will compare both for compliance. Or
>> another option would be to update the existing policy when something happens
>> in app manager that would break the existing app to role mapping. Ex:
>>
>> 1. Remove a role from a user
>> 2. Remove a role from an application
>>
>> and request the installed application list from the device and check both for
>> compliance.
>>
>> Another thing is that these application restrictions will be implemented
>> based on COPE at the initial stage. The BYOD scenario will be considered
>> later because of the complications mentioned in the previous reply.
>>
>> WDYT about this approach?
>>
>> Thanks
>>
>> On Tue, Feb 23, 2016 at 3:26 PM, Lakshman Udayakantha <lakshm...@wso2.com>
>> wrote:
>>
>>> Hi DilanA/EMM Team,
>>>
>>> @DilanA: Thanks for the information.
>>>
>>> I have assumed the policy creator knows the package names of the
>>> applications which need to be restricted in the device, and implemented the
>>> mdm policy UI for the app restriction list, and was able to publish the
>>> restriction list to the device successfully as the first step.
>>>
>>> Some terminology has been changed after this thread was initialised. As of
>>> now, if AWL is enabled we will provide role based application access. Policy
>>> creator will define application white list with set of roles along with the
>>> application. Only those roles will be able to access the application. If
>>> ABL is enabled, policy creator will define black list via the UI and those
>>> applications will not be allowed to run on any device.
>>>
>>> @EMM Team: I got several questions regarding restricting apps using the
>>> mobile agent app.
>>> 1. If we provide AWL, only those applications will show in app manager
>>> store. Other app stores, side loading and google play store need to be
>>> blocked. This kind of behaviour can be provided only via the system app
>>> (which is now being developed) for the COPE situation. What kind of solution
>>> are we going to provide for the BYOD scenario?
>>> 2. If we provide ABL, we need to restrict the application execution and
>>> installation. Again this will be feasible with the COPE scenario because of
>>> the system app. But for the BYOD scenario, according to posts I have read,
>>> there are no broadcasts for application launch events or application install
>>> start events. So one option would be to create a periodically running
>>> background service which searches for applications that are running in the
>>> foreground and blocks that app if found in the restriction list. WDYT about
>>> this approach?
>>> Anyway, even via this approach, it is not possible to detect which
>>> application is installing at the moment of checking. In that case, how do we
>>> block app installation? Any idea to resolve this is much appreciated.
>>>
>>> Thanks
>>>
>>> On Mon, Feb 8, 2016 at 5:36 AM, Dilan Udara Ariyaratne <dil...@wso2.com>
>>> wrote:
>>>
>>>> Hi Lakshman,
>>>>
>>>> With respect to EMM space, I think that this requirement should be
>>>> handled from device policy level.
>>>>
>>>> FYI, a device policy is a set of configurations that we set to be
>>>> published for a number of devices based on Roles and Users.
>>>> If we think about this requirement too in the same way, it is an
>>>> application level configuration that we publish for a set of devices based
>>>> on Roles and Users.
>>>>
>>>> Therefore, it seems that you can integrate this use case with the
>>>> existing device policy UI [1] as two more feature additions to the
>>>> "Configure Profile" section.
>>>> i.e. One feature for White Listed Apps and the other for Black Listed
>>>> Apps.
>>>>
>>>> Thanks,
>>>> Dilan.
>>>>
>>>>
>>>> *Dilan U. Ariyaratne*
>>>> Software Engineer
>>>> WSO2 Inc. <http://wso2.com/>
>>>> Mobile: +94725197942
>>>> lean . enterprise . middleware
>>>>
>>>> On Tue, Feb 2, 2016 at 5:47 PM, Lakshman Udayakantha <
>>>> lakshm...@wso2.com> wrote:
>>>>
>>>>> [adding Dakshika]
>>>>>
>>>>> On Tue, Feb 2, 2016 at 5:45 PM, Lakshman Udayakantha <
>>>>> lakshm...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> @KasunD/PrabathA: Thanks for your suggestions. I will check for
>>>>>> methods to block application installations for lower API level than 23
>>>>>> also.
>>>>>> I have created mockup UIs to create, edit, view lists which should
>>>>>> be added to app publisher UI and attached mockup UIs to this mail.
>>>>>> @UX team: Could you do a quick review and make suggestions to make
>>>>>> them better.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Tue, Feb 2, 2016 at 9:54 AM, Harshan Liyanage <hars...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Inosh,
>>>>>>>
>>>>>>> There may be some cases where enterprises need to have application
>>>>>>> policies for individual users. But I think that scenario is very
>>>>>>> unlikely. If we take an organization, every user will map to one or more
>>>>>>> user-roles. There might be situations where a role has only one user
>>>>>>> (i.e. like CEO, MD). But still we can achieve it via the application
>>>>>>> policies for user-roles.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Harshan Liyanage
>>>>>>> Software Engineer
>>>>>>> Mobile: *+94724423048*
>>>>>>> Email: hars...@wso2.com
>>>>>>> Blog : http://harshanliyanage.blogspot.com/
>>>>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
>>>>>>> lean.enterprise.middleware.
>>>>>>>
>>>>>>> On Tue, Feb 2, 2016 at 9:37 AM, Inosh Perera <ino...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Role based application restriction will be provided. Administrator
>>>>>>>> will define a list of applications as a black list and a set of roles
>>>>>>>> which is to be restricted to the application, along with the
>>>>>>>> applications.
>>>>>>>> Is there any particular reason for not having application policies
>>>>>>>> for individual users?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Inosh
>>>>>>>>
>>>>>>>> On Mon, Feb 1, 2016 at 11:05 PM, Prabath Abeysekera <
>>>>>>>> praba...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Feb 1, 2016 at 6:14 PM, Kasun Dananjaya Delgolla <
>>>>>>>>> kas...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Lakshman,
>>>>>>>>>>
>>>>>>>>>> In terms of Android you can use blocking APIs[1] in Marshmallow
>>>>>>>>>> SDK (SDK 23) to achieve this. We already use DevicePolicyManager API
>>>>>>>>>> so you can straightaway add this new stuff into the same android
>>>>>>>>>> agent API layer. Also for older API levels (< 23) earlier we used a
>>>>>>>>>> mechanism just to warn the user if a blacklisted app is installed on
>>>>>>>>>> the device since blocking of apps is not supported in those API
>>>>>>>>>> levels.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We might need to dig slightly deep into some of the APIs around
>>>>>>>>> and see if we've already got anything to mimic what's done in
>>>>>>>>> DevicePolicyManager, which is part of Marshmallow SDK; in previous
>>>>>>>>> versions of Android SDK. So, please check if there's any mechanism
>>>>>>>>> that'd potentially allow us to go beyond merely warning the user when a
>>>>>>>>> blacklisted application is installed and then block the installation
>>>>>>>>> completely particularly targeting SDKs < 23.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Prabath
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> One more thing, we can add this to the system app which I'm in
>>>>>>>>>> the process of building. Then we can enable COPE (rooted/system
>>>>>>>>>> access granted) devices to blacklist/whitelist apps even though the
>>>>>>>>>> API level is < 23.
>>>>>>>>>>
>>>>>>>>>> [1] -
>>>>>>>>>> http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> On Mon, Feb 1, 2016 at 5:50 PM, Lakshman Udayakantha <
>>>>>>>>>> lakshm...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> There is a requirement to implement application white listing
>>>>>>>>>>> and application black listing support in Enterprise Mobility
>>>>>>>>>>> Manager. Application white listing means creating a list of
>>>>>>>>>>> applications which are the only ones allowed to run on mobile devices
>>>>>>>>>>> which are connected to EMM. Application blacklisting is the opposite,
>>>>>>>>>>> in which there is a list of applications which are not allowed to run
>>>>>>>>>>> on mobile devices which are connected to EMM.
>>>>>>>>>>> As a solution for this, we thought to introduce a configuration
>>>>>>>>>>> to identify whether black listing or white listing is enabled and
>>>>>>>>>>> exactly which listing is enabled. If each configuration is enabled
>>>>>>>>>>> separately, EMM will behave in the following manner.
>>>>>>>>>>>
>>>>>>>>>>> If ABL enabled,
>>>>>>>>>>>
>>>>>>>>>>> Role based application restriction will be provided.
>>>>>>>>>>> Administrator will define a list of applications as a black list
>>>>>>>>>>> and a set of roles which is to be restricted to the application,
>>>>>>>>>>> along with the applications.
>>>>>>>>>>>
>>>>>>>>>>> If AWL enabled,
>>>>>>>>>>>
>>>>>>>>>>> Administrator will check a specific list of applications from the
>>>>>>>>>>> admin UI. Only these applications will load on the app store. Other
>>>>>>>>>>> means of installing applications will be blocked.
>>>>>>>>>>> 1. Blocking side-loading.
>>>>>>>>>>> 2. Third party app store blocking except EMM app store.
>>>>>>>>>>> 3. Google Play app blocking
>>>>>>>>>>>
>>>>>>>>>>> Any suggestions and thoughts are highly appreciated.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> --
>>>>>>>>>>> Lakshman Udayakantha
>>>>>>>>>>> WSO2 Inc. www.wso2.com
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>> Mobile: *0714388124 <0714388124>*
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Kasun Dananjaya Delgolla
>>>>>>>>>>
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>> Tel:  +94 11 214 5345
>>>>>>>>>> Fax: +94 11 2145300
>>>>>>>>>> Mob: + 94 771 771 015
>>>>>>>>>> Blog: http://kddcodingparadise.blogspot.com
>>>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya
>>>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>*
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> Architecture@wso2.org
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Prabath Abeysekara
>>>>>>>>> Technical Lead
>>>>>>>>> WSO2 Inc.
>>>>>>>>> Email: praba...@wso2.com
>>>>>>>>> Mobile: +94774171471
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Inosh Perera
>>>>>>>> Software Engineer, WSO2 Inc.
>>>>>>>> Tel: 077813 7285, 0785293686
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Lakshman Udayakantha
>>>>>> WSO2 Inc. www.wso2.com
>>>>>> lean.enterprise.middleware
>>>>>> Mobile: *0714388124*
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Lakshman Udayakantha
>>>>> WSO2 Inc. www.wso2.com
>>>>> lean.enterprise.middleware
>>>>> Mobile: *0714388124*
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Lakshman Udayakantha
>>> WSO2 Inc. www.wso2.com
>>> lean.enterprise.middleware
>>> Mobile: *0714388124*
>>>
>>>
>>
>>
>> --
>> Lakshman Udayakantha
>> WSO2 Inc. www.wso2.com
>> lean.enterprise.middleware
>> Mobile: *0714388124*
>>
>>
>
>
> --
> Lakshman Udayakantha
> WSO2 Inc. www.wso2.com
> lean.enterprise.middleware
> Mobile: *0714388124*
>
>


-- 
Regards,

Chatura Dilan Perera
*Senior Software Engineer** - WSO2 Inc.*
www.dilan.me
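
The two flows compared in this thread (device reports its installed apps for a compliance check, versus the user's subscribed app list being sent to each device), as an added example that is not part of the original messages and is not WSO2 code. All function names, package names, roles and device IDs are constructed assumptions.

```python
# Added illustration: models the two white-list flows discussed in the thread.
# All names and data are constructed assumptions, not WSO2 EMM/App Manager APIs.

# Constructed sample: app -> roles allowed to use it (the app manager's view).
APP_ROLES = {
    "com.example.mail": {"employee"},
    "com.example.crm": {"sales"},
    "com.example.hr": {"hr"},
}
# Constructed sample: installed packages reported by each of one user's devices.
DEVICES = {
    "phone-1": ["com.example.mail", "com.example.crm"],
    "tablet-1": ["com.example.mail", "com.example.game"],
}


def whitelist_for_user(user_roles, app_roles):
    """Apps the user is subscribed to: those sharing at least one role."""
    roles = set(user_roles)
    return {pkg for pkg, allowed in app_roles.items() if roles & set(allowed)}


def check_compliance(installed, user_roles, app_roles):
    """Pull flow: device sends its installed list; returns (True, []) if every
    package is allowed, else (False, sorted packages to block or uninstall)."""
    allowed = whitelist_for_user(user_roles, app_roles)
    violations = sorted(set(installed) - allowed)
    return (not violations, violations)


def pull_flow(devices, user_roles, app_roles):
    """One device query plus one compliance call per device."""
    return {dev: check_compliance(pkgs, user_roles, app_roles)
            for dev, pkgs in devices.items()}


def push_flow(devices, user_roles, app_roles):
    """Push flow: one lookup per user, the same white list goes to each device."""
    allowed = sorted(whitelist_for_user(user_roles, app_roles))
    return {dev: allowed for dev in devices}


if __name__ == "__main__":
    print(pull_flow(DEVICES, {"employee", "sales"}, APP_ROLES))
    print(push_flow(DEVICES, {"employee", "sales"}, APP_ROLES))
    # Role removed from the user: the CRM app on phone-1 becomes a violation.
    print(pull_flow(DEVICES, {"employee"}, APP_ROLES))
```

In the pull flow a removed role only shows up at the next compliance check; in the push flow the white list has to be re-sent whenever a role is removed from a user or from an application.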