Hi Chathura, The approach you mentioned can be broken for two incidents mentioned below.
1. Remove a role from a user 2. Remove a role from an application If I explained first case, Let's suppose *application1* has restricted to *role1* and *user1* has *role1*. User will be able to see the *application1* and subscribed to it. After subscribed to *application1*, *role1* has removed from *user1*. After that also user can see *application1* is a subscribed application. If we get subscribed application list in this moment in order to send to the device for white listing, It should list *application1* (which is wrong) also. So shall we go with the approach that I mentioned or is there any better of doing this? Thanks On Tue, Mar 1, 2016 at 7:28 PM, Chathura Dilan <chathu...@wso2.com> wrote: > Hi Lakshman, > > > +1 for two options in EMM > > 1. White list is enabled or not > 2. Which app store is used to provide the white list > > > But the operation I think it is very expensive. > 1. Getting app list from the device ( If user has multiple devices, you > need to get them separately) > 2. Sending all of them to app manager to check the compliance. > 3. Then block apps which do not comply with each devices. > > Following operation would be much easy. > 1. Getting subscribed app list from the user in app manager. > 2. Sending that app list to user's devices for white listing. > > > > On Tue, Mar 1, 2016 at 5:32 AM, Lakshman Udayakantha <lakshm...@wso2.com> > wrote: > >> Hi Chathura et al, >> >> @Chathura:Thanks for the detailed information. >> >> As per the offline discussion with PrabathA, EMM should specify >> explicitly that EMM is using app manager white list. Therefore when policy >> is created, below information should provided. >> >> 1. White list is enabled or not >> 2. Which app store is used to provide the white list >> >> When consider policy compliance, It will get installed application list >> from device and will pass that application list to app manager. There >> should be an API in app manager to return true if application list has >> access to the user and if not return false with application list which is >> not access by user and if there is mismatch emm will pass with relevant >> application list to device to block them or uninstall. >> >> Please comment if you have any concern about this approach. >> >> Thanks >> >> On Mon, Feb 29, 2016 at 5:47 PM, Lakshman Udayakantha <lakshm...@wso2.com >> > wrote: >> >>> Hi All, >>> >>> After bit of discussion with EMM team, it is decided to move creation of >>> white list policy to the app manager it self. We will provide a >>> configuration whether white list is enabled or not. If white list enabled >>> in the configuration, a new policy will created in EMM when new application >>> is going to publish. All other later application will be added to existing >>> white list policy when they are going to publish. This new policy will list >>> in policy list and can be edit later to add a new policy criteria. >>> >>> When considering policy compliance, EMM will request application list >>> with roles and update the existing policy and will request installed >>> application list from device and will compare both for compliance Or >>> another option would be to update the existing policy when something happen >>> in app manager that would break existing app to role mapping. Ex: >>> >>> 1. Remove a role from a user >>> 2. Remove a role from an application >>> >>> and request installed application list from device and check both for >>> compliance. >>> >>> Another thing is these application restrictions will be implement based >>> on COPE at initial stage. BYOD scenario will be considered later because of >>> the complications mentioned in previous reply. >>> >>> WDYT about this approach? >>> >>> Thanks >>> >>> On Tue, Feb 23, 2016 at 3:26 PM, Lakshman Udayakantha < >>> lakshm...@wso2.com> wrote: >>> >>>> Hi DilanA/EMM Team, >>>> >>>> @DilanA :Thanks for the information. >>>> >>>> I have assumed policy creator know the package names of the >>>> applications which need to be restricted in the device and implemented the >>>> mdm policy UI for app restriction list and able to publish the restriction >>>> list to the device successfully as the first step. >>>> >>>> Some terminology has been changed after this thread initialised. As of >>>> now If AWL is enabled we will provide role based application access. Policy >>>> creator will define application white list with set of roles along with the >>>> application. Only those roles will be able to access the application. If >>>> ABL is enabled, policy creator will define black list via the UI and those >>>> application list will not be allowed to run on any device. >>>> >>>> @EMM Team: I got several questions regarding the restriction apps using >>>> mobile agent app. >>>> 1. If we provide AWL, only those applications will show in app manager >>>> store. Other app stores, side loading and google play store needs to be >>>> blocked. This kind of behaviour can be provided only via system app(which >>>> is now developing) for COPE situation. What kind of solution are we going >>>> to provide for BYOD scenario? >>>> 2. If we provide ABL, we need to restrict the application execution and >>>> installation. Again this will be feasible with COPE scenario because of the >>>> system app. But for BYOD scenario, according to posts I have read there is >>>> no broadcasts for application launch event or application install start >>>> events. So one option would be to create a periodically running background >>>> service which search for application that are running in the foreground and >>>> blocking that app if found in restriction list. WDYT about this approach? >>>> Anyway even via this approach, It is not possible to detect which >>>> application is installing at the moment of checking. In that case how we >>>> blocking app installation. Any idea to resolve this is much appreciated. >>>> >>>> Thanks >>>> >>>> On Mon, Feb 8, 2016 at 5:36 AM, Dilan Udara Ariyaratne <dil...@wso2.com >>>> > wrote: >>>> >>>>> Hi Lakshman, >>>>> >>>>> With respect to EMM space, I think that this requirement should be >>>>> handled from device policy level. >>>>> >>>>> FYI, a device policy is a set of configurations that we set to be >>>>> published for a number of devices based on Roles and Users. >>>>> If we think about this requirement too in the same way, it is a >>>>> application level configuration that we publish for a set of devices based >>>>> on Roles and Users. >>>>> >>>>> Therefore, It seems that you can integrate this use case with the >>>>> existing device policy UI [1] as two more feature additions to the >>>>> "Configure Profile" section. >>>>> i.e. One feature for White Listed Apps and the other for Black Listed >>>>> Apps. >>>>> >>>>> Thanks, >>>>> Dilan. >>>>> >>>>> >>>>> *Dilan U. Ariyaratne* >>>>> Software Engineer >>>>> WSO2 Inc. <http://wso2.com/> >>>>> Mobile: +94725197942 >>>>> lean . enterprise . middleware >>>>> >>>>> On Tue, Feb 2, 2016 at 5:47 PM, Lakshman Udayakantha < >>>>> lakshm...@wso2.com> wrote: >>>>> >>>>>> [adding Dakshika] >>>>>> >>>>>> On Tue, Feb 2, 2016 at 5:45 PM, Lakshman Udayakantha < >>>>>> lakshm...@wso2.com> wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> @KasunD/PrabathA: Thanks for your suggestions. I will check for >>>>>>> methods to block application installations for lower api level than 23 >>>>>>> also. >>>>>>> I have created mockup UIs to create, edit , view lists which should >>>>>>> be added to app publisher UI and attached mockup UIs to this mail. >>>>>>> @UX team: Could you do a quick review and make suggestions to make >>>>>>> them better. >>>>>>> >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> On Tue, Feb 2, 2016 at 9:54 AM, Harshan Liyanage <hars...@wso2.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Inosh, >>>>>>>> >>>>>>>> There may be some cases where enterprises need to have application >>>>>>>> policies for individual users. But I think that scenario is very >>>>>>>> unlikely. >>>>>>>> If we take an organization, every user will map to one or more >>>>>>>> user-roles. >>>>>>>> There might be situations where a role has only one user (i.e like CEO, >>>>>>>> MD). But still we can achieve it via the application policies for >>>>>>>> user-roles. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Harshan Liyanage >>>>>>>> Software Engineer >>>>>>>> Mobile: *+94724423048* >>>>>>>> Email: hars...@wso2.com >>>>>>>> Blog : http://harshanliyanage.blogspot.com/ >>>>>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>* >>>>>>>> lean.enterprise.middleware. >>>>>>>> >>>>>>>> On Tue, Feb 2, 2016 at 9:37 AM, Inosh Perera <ino...@wso2.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> Role based application restriction will be provided. Administrator >>>>>>>>> will define a list of applications as a black list and a set of roles >>>>>>>>> which >>>>>>>>> is to be restricted to the application, along with the applications. >>>>>>>>> Is there any particular reason for not having application policies >>>>>>>>> for individual users? >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Inosh >>>>>>>>> >>>>>>>>> On Mon, Feb 1, 2016 at 11:05 PM, Prabath Abeysekera < >>>>>>>>> praba...@wso2.com> wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, Feb 1, 2016 at 6:14 PM, Kasun Dananjaya Delgolla < >>>>>>>>>> kas...@wso2.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi Lakshman, >>>>>>>>>>> >>>>>>>>>>> In terms of Android you can use blocking APIs[1] in Marshmallow >>>>>>>>>>> SDK (SDK 23) to achieve this. We already use DevicePolicyManager >>>>>>>>>>> API so you >>>>>>>>>>> can straightaway add these new stuff into the same android agent >>>>>>>>>>> API layer. >>>>>>>>>>> Also for older API levels ( < 23) earlier we used a mechanism just >>>>>>>>>>> to warn >>>>>>>>>>> the user if a blacklisted app is installed on the device since >>>>>>>>>>> blocking of >>>>>>>>>>> apps is not supported in those API levels. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> We might need to dig slightly deep into some of the APIs around >>>>>>>>>> and see if we've already got anything to mimic what's done in >>>>>>>>>> DevicePolicyManager, which is part of Marshmallow SDK; in previous >>>>>>>>>> versions >>>>>>>>>> of Android SDK. So, please check if there's any mechanism that'd >>>>>>>>>> potentially allow us to go beyond merely warning the user when a >>>>>>>>>> blacklisted application is installed and then block the installation >>>>>>>>>> completely particularly targeting SDKs < 23. >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> Prabath >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> One more thing, we can add this to the system app which I'm in >>>>>>>>>>> the process of building. Then we can enable COPE (rooted/system >>>>>>>>>>> access >>>>>>>>>>> granted) devices to blacklist/whitelist apps even though the API >>>>>>>>>>> level is < >>>>>>>>>>> 23. >>>>>>>>>>> >>>>>>>>>>> [1] - >>>>>>>>>>> http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html >>>>>>>>>>> >>>>>>>>>>> Thanks >>>>>>>>>>> >>>>>>>>>>> On Mon, Feb 1, 2016 at 5:50 PM, Lakshman Udayakantha < >>>>>>>>>>> lakshm...@wso2.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> There is a requirement to implement application white listing >>>>>>>>>>>> and application black listing support in Enterprise Mobility >>>>>>>>>>>> Manager. >>>>>>>>>>>> Application white listing means creating a list of applications >>>>>>>>>>>> which are >>>>>>>>>>>> only allowed to run on mobile devices which are connected to EMM. >>>>>>>>>>>> Application blacklisting is the opposite meaning in which there is >>>>>>>>>>>> a list >>>>>>>>>>>> of applications which are only not allowed to run on mobile >>>>>>>>>>>> devices which >>>>>>>>>>>> connected to EMM. >>>>>>>>>>>> As a solution for this we thought to introduce a configuration >>>>>>>>>>>> to identify black listing, white listing enabled or not and >>>>>>>>>>>> exactly which >>>>>>>>>>>> listing is enabled and If each configuration enabled separately >>>>>>>>>>>> EMM will >>>>>>>>>>>> behave in following manner. >>>>>>>>>>>> >>>>>>>>>>>> If ABL enabled, >>>>>>>>>>>> >>>>>>>>>>>> Role based application restriction will be provided. >>>>>>>>>>>> Administrator will define a list of applications as a black list >>>>>>>>>>>> and a set >>>>>>>>>>>> of roles which is to be restricted to the application, along with >>>>>>>>>>>> the >>>>>>>>>>>> applications. >>>>>>>>>>>> >>>>>>>>>>>> If AWL enabled, >>>>>>>>>>>> >>>>>>>>>>>> Administrator will check specific list of applications from >>>>>>>>>>>> admin UI. Only these applications will load on app store. Other >>>>>>>>>>>> means of >>>>>>>>>>>> applications installing will be blocked. >>>>>>>>>>>> 1. Blocking side-loading. >>>>>>>>>>>> 2. Third party app store blocking except EMM app store. >>>>>>>>>>>> 3. Google Play app blocking >>>>>>>>>>>> >>>>>>>>>>>> Any suggestions and thoughts are highly appreciated. >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> -- >>>>>>>>>>>> Lakshman Udayakantha >>>>>>>>>>>> WSO2 Inc. www.wso2.com >>>>>>>>>>>> lean.enterprise.middleware >>>>>>>>>>>> Mobile: *0714388124 <0714388124>* >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Kasun Dananjaya Delgolla >>>>>>>>>>> >>>>>>>>>>> Software Engineer >>>>>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>>>>> lean.enterprise.middleware >>>>>>>>>>> Tel: +94 11 214 5345 >>>>>>>>>>> Fax: +94 11 2145300 >>>>>>>>>>> Mob: + 94 771 771 015 >>>>>>>>>>> Blog: http://kddcodingparadise.blogspot.com >>>>>>>>>>> Linkedin: *http://lk.linkedin.com/in/kasundananjaya >>>>>>>>>>> <http://lk.linkedin.com/in/kasundananjaya>* >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Architecture mailing list >>>>>>>>>>> Architecture@wso2.org >>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Prabath Abeysekara >>>>>>>>>> Technical Lead >>>>>>>>>> WSO2 Inc. >>>>>>>>>> Email: praba...@wso2.com >>>>>>>>>> Mobile: +94774171471 >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Architecture mailing list >>>>>>>>>> Architecture@wso2.org >>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Inosh Perera >>>>>>>>> Software Engineer, WSO2 Inc. >>>>>>>>> Tel: 077813 7285, 0785293686 >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Architecture mailing list >>>>>>>>> Architecture@wso2.org >>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Architecture mailing list >>>>>>>> Architecture@wso2.org >>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Lakshman Udayakantha >>>>>>> WSO2 Inc. www.wso2.com >>>>>>> lean.enterprise.middleware >>>>>>> Mobile: *0714388124* >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Lakshman Udayakantha >>>>>> WSO2 Inc. www.wso2.com >>>>>> lean.enterprise.middleware >>>>>> Mobile: *0714388124* >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Architecture mailing list >>>>>> Architecture@wso2.org >>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> Architecture mailing list >>>>> Architecture@wso2.org >>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>> >>>>> >>>> >>>> >>>> -- >>>> Lakshman Udayakantha >>>> WSO2 Inc. www.wso2.com >>>> lean.enterprise.middleware >>>> Mobile: *0714388124* >>>> >>>> >>> >>> >>> -- >>> Lakshman Udayakantha >>> WSO2 Inc. www.wso2.com >>> lean.enterprise.middleware >>> Mobile: *0714388124* >>> >>> >> >> >> -- >> Lakshman Udayakantha >> WSO2 Inc. www.wso2.com >> lean.enterprise.middleware >> Mobile: *0714388124* >> >> > > > -- > Regards, > > Chatura Dilan Perera > *Senior Software Engineer** - WSO2 Inc.* > www.dilan.me > -- Lakshman Udayakantha WSO2 Inc. www.wso2.com lean.enterprise.middleware Mobile: *0714388124*
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture