Table of Contents

- Developing a Solution for Mobile Device Management
- Mobile device management features and capabilities
- Android Management API: out-of-the-box MDM
  - How to set up Android Management API MDM: quick way
  - How to fully manage an Android device
    - Step 1. Create a project and a service account
    - Step 2. Create an EMM-managed enterprise
    - Step 3. Create a policy
    - Step 4. Create an enrollment token
    - Step 5. Prepare a QR code for device enrollment
    - Step 6. Enroll the device
    - Step 7. Update permissions
    - Step 8. Remove the device from the EMM
  - Benefits and limitations of Android Management API
- Android Open Source Project (AOSP): custom mobile device management
  - Benefits and limitations of custom MDM
- How to choose the best solution?
- Mobile Device Management solutions for iOS

Developing a Solution for Mobile Device Management

Mobile Device Management, or MDM, is the administrative area that deals with the security and monitoring of corporate mobile devices. MDM software offers methods to quickly deploy, integrate, and monitor a fleet of smartphones or tablets.

One of the primary concerns of MDM is security. Since corporate mobile devices can access critical business data, they can threaten enterprise databases. Administering devices through MDM provides the means to distribute software packages, set permissions, and optimize device functionality. Ideally, though, MDM should make mobile devices as easy to oversee as desktop computers.

There are MDM systems for every mobile operating system, including cross-platform ones. Today we'll focus on Android, the only operating system that offers fully-fledged customization in terms of MDM. Given its largest market share and open-source nature, let's look at how we can approach building mobile device management for Android devices.

Mobile device management features and capabilities

Before analyzing the actual Android solutions, we need to clearly understand what MDM is capable of. Mobile device management systems provide quite similar capabilities across the market. Some of the most common functions are:

- Enrollment: the procedure of installing the MDM agent on a mobile device. Most MDM software supports bulk enrollment to install software packages on multiple devices at once. Over-the-air (OTA) enrollment distributes and installs the MDM through a dedicated web page or app.
- Profile management: once the MDM package is installed, working profiles can be assigned to the device users.
- Policy management: a policy is a set of rules or permissions applied to a given device. Through policies we can lock or unlock software or hardware functions, define rules for accessing corporate data, and so on.
- Device administration and troubleshooting: all policies can be updated remotely.
  This part of MDM functionality also implements monitoring and troubleshooting of the device.
- Device location tracking: detecting the device location via GPS.
- Remote wiping: once the MDM is enrolled on the device, all corporate data accessed through it is stored in a protected profile. This data, and the MDM itself, can be wiped remotely (a factory reset) to prevent data leakage from a stolen, lost, or compromised device.

MDM is a complex solution. However, it consists of small modular parts that, on closer inspection, are not that hard to implement as long as a skillful team is involved. Generally, these parts can be divided into an admin panel, which includes a device policy controller (DPC), and middleware to orchestrate enrolled devices. By middleware we mean an API that performs all the policy updates and transfers data between the MDM server and the smartphones.

So MDM solutions basically manage features such as Wi-Fi, Bluetooth, NFC, USB file transfer, location tracking, phone, and SMS, or simply allow users to access settings on devices that otherwise wouldn't be available. If additional functionality is required, the best approach is to extend the existing API by adding methods, managers and services. This is done with policies on the backend, which are later pushed to the devices. Then a system service is created as a simple way of sharing these settings across devices.

Based on our experience, such systems might scale to thousands of devices and require numerous custom policies. The majority of security requirements are covered by the MDM solutions available on the market. However, some systems may require enhanced security and independence from operating system providers. That poses the challenge of building a custom Android MDM where any policy can be deployed on the device.

So first, let's look at the standard solutions for Android MDM, and then talk about the customizable options.

Android Management API: out-of-the-box MDM

Android Management API is a managed solution for building mobile device management systems for Android. Google ships the whole package of MDM software out of the box, including a backend based on their Cloud Platform, a device policy controller, and a user interface to administrate corporate devices. All of these components become available after a few registration steps we'll describe later. The Android API itself is required to build your own MDM solution and create custom policies.

Currently, registration for new solutions is open, except for creating a custom DPC. This means it is possible to develop an MDM platform based on the Android Management API, but you won't be able to apply custom policies.

To use a managed MDM, you'll have to create a dedicated Google account to log into Google Workspace. The account cannot be associated with an existing enterprise account. Google provides device policies for over 80 types of Android smartphones, except Samsung KNOX. There are three ways we can implement MDM with the Android Management API:

1. Work profile: a dedicated account on a device that stores and transfers corporate data without affecting personal data. MDM policies are applied to the profile data only.
2. Managed device: a smartphone or tablet enrolled with MDM.
3. Dedicated device: a separate device used with restricted functionality. For example, this can be a tablet used as a bulletin board.

The system allows enrolling target devices over the air, which means no cables are required. You can use a wireless connection to enroll and manage mobile devices on Android. The list of available policies includes nearly all of the native functionality
22、for Androiddevices.While the existing policies are not customizable,the ease of deployment and noneed for Android development outweigh this flaw.So now lets look at how to approachGoogle MDM.How to set up Android Management API MDM:Quick wayThe registration procedure to Googles MDM platform imposes
23、several requirements:Android device version 6.0 or higherAccess to Google Cloud PlatformEnabled Android management API in Google Cloud PlatformAfter all the requirements are completed,there are two ways to enroll your devices.Theeasiest one is a quickstart procedure suggested by Google.This entails
24、a few steps ofcreating a Google Cloud project,generating a QR code and enrolling the device with adefault policy.Note that a device can only have a single policy at a time.The more advanced way to complete setup is meant for creating your own MDM solutionbased on Googles API.Android Management API i
25、s a key feature for developing anenterprise mobility management(EMM)solution for Android.Official Android Enterpriseguide describes a full process of building such a solution.This guide helps to connect devices to EMM.You can do everything step by step withoutspending a lot of time in official docum
26、entationHow to fully manage Android deviceStep 1.Create Project and Service accountCreate a project in Google API Console:Enable Android Management API in API Library:Create a service account.Follow this guide.Step 2.Create a EMM-managed enterpriseYou have to call enterprises.create method from Andr
27、oid Management API.You can use API Explorer on the page with Android Management API documentation.Anyother way to call API will also work(Postman,cURL,Google APIs Libraries,etc.),but youhave to create OAuth 2 credentials to use Postman or any other way to call API(e.g.backend source code).Use this a
28、nd this article as a reference.Request:curl-request POST https:/ Authorization:Bearer YOUR_ACCESS_TOKEN-header Accept:application/json-header Content-Type:application/json-data enterpriseDisplayName:Mobile Management Company-compressedResponsename:enterprises/LC03swpux5,enterpriseDisplayName:Mobile
29、Management CompanyStep 3.Create a PolicyPolicy represents a set of rules for Android devices.You have to call enterprises.policies.patch method from Android Management APILets create a policy with the name my_policy.There are 2 apps(Google I/O Android App,Telegram)that will be force installed.Access
to the camera will be disabled. All available policy fields are described in the Android Management API reference.

Request:

```shell
# $AMAPI_URL stands for the enterprises.policies.patch endpoint for my_policy; the URL is truncated in the source.
curl --request PATCH "$AMAPI_URL" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{
    "applications": [
      {"packageName": "com.google.samples.apps.iosched", "installType": "FORCE_INSTALLED"},
      {"packageName": "org.telegram.messenger", "installType": "FORCE_INSTALLED"}
    ],
    "cameraAccess": "CAMERA_ACCESS_DISABLED"
  }' \
  --compressed
```

Response:

```json
{
  "name": "enterprises/LC03swpux5/policies/my_policy",
  "version": 1,
  "applications": [
    {"packageName": "com.google.samples.apps.iosched", "installType": "FORCE_INSTALLED"},
    {"packageName": "org.telegram.messenger", "installType": "FORCE_INSTALLED"}
  ],
  "cameraAccess": "CAMERA_ACCESS_DISABLED"
}
```

Step 4. Create an enrollment token

An enrollment token is required for device enrollment (the first step towards managing a device). Note: an enrollment token has an expiration time. You have to call the enterprises.enrollmentTokens.create method of the Android Management API.

Request:

```shell
# $AMAPI_URL stands for the enterprises.enrollmentTokens.create endpoint; the URL is truncated in the source.
curl --request POST "$AMAPI_URL" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{"policyName": "enterprises/LC03swpux5/policies/my_policy", "duration": "3600s"}' \
  --compressed
```

Response:

```json
{
  "name": "enterprises/LC03swpux5/enrollmentTokens/JpSnPrULadqSHXPncA6pXRnC1df-j-hOHguRc2RaIFA",
  "value": "ZPKMEUEMDLZYZGIHBHEY",
  "duration": "3600s",
  "expirationTimestamp": "2022-02-23T10:56:00.531Z",
  "policyName": "enterprises/LC03swpux5/policies/my_policy",
  "qrCode": "{\"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME\":\"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver\",\"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM\":\"I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg\",\"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION\":\"https://...\"}"
}
```

The qrCode field contains escaped symbols: it is a JSON document serialized inside a JSON string. You can remove the escaping with an online JSON unescape service or any similar tool. The response without escaped symbols:

```json
{
  "name": "enterprises/LC03swpux5/enrollmentTokens/JpSnPrULadqSHXPncA6pXRnC1df-j-hOHguRc2RaIFA",
  "value": "ZPKMEUEMDLZYZGIHBHEY",
  "duration": "3600s",
  "expirationTimestamp": "2022-02-23T10:56:00.531Z",
  "policyName": "enterprises/LC03swpux5/policies/my_policy",
  "qrCode": {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://..."
  }
}
```

Step 5. Prepare a QR code for device enrollment

Generate the QR code with a QR code generator. Put the unescaped qrCode JSON from the previous response (the enrollment token) in as the text content and generate the QR code. You can use the generated QR code, or the code from the value string. For example: ZPKMEUEMDLZYZGIHBHEY

Step 6. Enroll the device

1. Charge your phone to 100%.
2. Shut down the device.
3. (Skip this step if you have a new, unused phone.) Press the Volume Down + Power buttons.
4. (Skip this step if you have a new, unused phone.) Do a factory reset.
5. Turn on your device.
6. (Skip for Android 6.0.) Tap the same spot on the welcome screen six times to enter QR code mode.
7. Follow the initial steps (connect to a Wi-Fi network, etc.).
8. (Skip for Android 7.0 or above.) When prompted to sign in, enter afw#setup instead of a username.
9. (Skip for Android 7.0 or above.) Tap Next, and then accept the installation of Android Device Policy.
10. Scan the QR code from the previous step, or input the code manually from the value string.

Step 7. Update permissions

Permissions can be updated via the applied policy. Call the enterprises.policies.patch method of the Android Management API. We need to use the existing policy that was applied to the devices, for example enterprises/LC03swpux5/policies/my_policy. The example below updates the policy with camera support and applications for camera usage.

Request:

```shell
# $AMAPI_URL stands for the enterprises.policies.patch endpoint for my_policy; the URL is truncated in the source.
curl --request PATCH "$AMAPI_URL" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{
    "applications": [
      {"packageName": "com.google.samples.apps.iosched", "installType": "FORCE_INSTALLED"},
      {"packageName": "org.telegram.messenger", "installType": "FORCE_INSTALLED"},
      {"packageName": "com.android.camera", "installType": "FORCE_INSTALLED"},
      {"packageName": "com.android.gallery", "installType": "FORCE_INSTALLED"}
    ],
    "debuggingFeaturesAllowed": true,
    "cameraAccess": "CAMERA_ACCESS_ENFORCED"
  }' \
  --compressed
```

Response:

```json
{
  "name": "enterprises/LC03swpux5/policies/my_policy",
  "version": 2,
  "applications": [
    {"packageName": "com.google.samples.apps.iosched", "installType": "FORCE_INSTALLED"},
    {"packageName": "org.telegram.messenger", "installType": "FORCE_INSTALLED"},
    {"packageName": "com.android.camera", "installType": "FORCE_INSTALLED"},
    {"packageName": "com.android.gallery", "installType": "FORCE_INSTALLED"}
  ],
  "debuggingFeaturesAllowed": true,
  "cameraAccess": "CAMERA_ACCESS_ENFORCED"
}
```

Step 8. Remove the device from the EMM

First of all, request the list of devices managed by the EMM by calling the enterprises.devices.list method of the Android Management API.

Request:

```shell
# $AMAPI_URL stands for the enterprises.devices.list endpoint; the URL is truncated in the source.
curl "$AMAPI_URL" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  --header "Accept: application/json" \
  --compressed
```

Response:

```json
{
  "devices": [
    {
      "name": "enterprises/LC03swpux5/devices/387b0bc46c5a630d",
      "managementMode": "DEVICE_OWNER",
      "state": "ACTIVE",
      "appliedState": "ACTIVE",
      "policyCompliant": true,
      "nonComplianceDetails": [
        {"settingName": "applications", "nonComplianceReason": "APP_NOT_INSTALLED", "packageName": "com.android.camera", "installationFailureReason": "NOT_FOUND"},
        {"settingName": "applications", "nonComplianceReason": "APP_NOT_INSTALLED", "packageName": "com.android.gallery", "installationFailureReason": "NOT_FOUND"},
        {"settingName": "cameraAccess", "nonComplianceReason": "API_LEVEL"}
      ],
      "enrollmentTime": "2022-02-23T10:16:08.573Z",
      "lastStatusReportTime": "2022-02-23T10:42:35.161Z",
      "lastPolicySyncTime": "2022-02-23T10:42:32.030Z",
      "appliedPolicyVersion": 2,
      "apiLevel": 23,
      "hardwareInfo": {
        "brand": "google",
        "hardware": "hammerhead",
        "deviceBasebandVersion": "M8974A-2.0.50.2.30",
        "manufacturer": "LGE",
        "serialNumber": "09f07d5c02b36f8a",
        "model": "Nexus 5"
      },
      "policyName": "enterprises/LC03swpux5/policies/my_policy",
      "appliedPolicyName": "enterprises/LC03swpux5/policies/my_policy",
      "memoryInfo": {"totalRam": 1945096192, "totalInternalStorage": 1058320384},
      "powerManagementEvents": [{"eventType": "BOOT_COMPLETED", "createTime": "2022-02-23T10:03:17.068Z"}],
      "userName": "enterprises/LC03swpux5/users/106033060043208910001",
      "enrollmentTokenName": "enterprises/LC03swpux5/enrollmentTokens/ePC4xDsOhoQAxK5ar3o9-vJ25PDjscCdz8XB40w-REg",
      "securityPosture": {"devicePosture": "SECURE"},
      "ownership": "COMPANY_OWNED"
    }
  ]
}
```

Note the nonComplianceDetails in this response: the two camera packages from Step 7 were not found on the device, and cameraAccess reports API_LEVEL because the device runs API level 23, so checking this list after every policy change tells you which settings actually took effect.

Find your device in the list and call the enterprises.devices.delete method of the Android Management API. You need the name field from the previous response, for example enterprises/LC03swpux5/devices/387b0bc46c5a630d. This request removes the device from the current enterprise (EMM) and performs a factory reset, so all data on the device will be destroyed!

Request:

```shell
# $AMAPI_URL stands for the enterprises.devices.delete endpoint for the device name above; the URL is truncated in the source.
curl --request DELETE "$AMAPI_URL" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  --header "Accept: application/json" \
  --compressed
```

Response: an empty body. After this request the device will immediately start the factory reset process.

Now, let's move on and sum up the strengths and weaknesses of Google's MDM.

Benefits and limitations of Android Management API

In terms of a mobile device management platform, Google offers a solid base either for deploying a ready-made ecosystem or for using its API to build your own
one. So here we'll highlight some significant factors in choosing the solution type:

- Out-of-the-box solution. Google's MDM requires just a few steps to enroll your first devices. After that, the full range of device management capabilities becomes available to users. It doesn't require any additional Android development, so we can call it a low-code solution, since only minimal manipulations on the server side are required.
- Large list of supported devices. Usually, different types of Android devices are used in an organization. Integrating different devices and writing custom enrollment methods might be a serious pain unless your company uses a single type of Android device. Android Management API solves this problem by supporting over 80 Android devices by default.
- DPC is updated with Android. A device policy controller is a module that sits on your target device and implements the policies sent from a server. This piece of software is operating system dependent, meaning OS updates require the DPC to be rewritten. Google's default DPC is updated along with the Android version, since it's a managed solution. So the only possible flaw here is that Google may abandon some of the older Android versions in the future.

Or, you can use the Android Management API as the groundwork for your own solution. This becomes beneficial if you lack flexibility within Google's solution or want another set of policies. All solutions developed using Google's DPC have to be registered and certified by Google. So here you'll need an experienced engineering team with expertise in mobile application development and, specifically, in mobile device management systems.

Besides these advantages, there are two important factors to keep in mind:

- No customization options. With Google's managed platform, there is no way to customize the existing software. Building your own solution based on the Android Management API lets you customize the backend part, but the set of policies remains unchanged.
- Vendor lock-in. Another problem is security. Since the backend part of the system runs on Google Cloud servers, all
of your corporate data will pass through it. This doesn't necessarily mean your sensitive data is compromised. However, some organizations want to protect their information and keep it in house.

To overcome these limitations, another option for Android mobile device management can be approached.

Android Open Source Project (AOSP): custom mobile device management

Android Open Source Project, or AOSP, is an open-source software stack for a wide range of mobile devices and a corresponding open-source project led by Google. It can be used to create your own custom variants of the Android OS and mobile applications, and to connect them with your custom back-end device management platform.

There are already lots of forked versions of Android that provide users with features or customization not available in stock Android devices, or that give some devices the ability to run Android where it is otherwise not available to them. LineageOS (a regular customized OS) and BlackPhone (developed by Silent Circle with an emphasis on security) are great examples.

AOSP provides a number of benefits for custom Android development:

- Active open-source solution. Some features that might be necessary are already implemented; others might be available in the near future. As soon as a security patch is committed to AOSP, it can be applied and pushed to users.
- Full control over the product life cycle. The product owner decides when to deliver a new feature or security update. Product needs can be prioritized instead of waiting for something that might never be rolled out by vendors, who naturally prioritize their own needs.
- Customization at any level. The Linux kernel contains all the essential hardware drivers, such as camera, keypad, display, and others. Above it sits a set of libraries, including the open-source WebKit browser engine, the libc library, the SQLite database (a useful repository for storage and sharing of application data), libraries to play and record audio and video, SSL libraries responsible for Internet security, and others. Then, the Android Framework layer provides many higher-level services to applications in the form of Java classes.

The application level is where Android developers usually work. Android applications extend the core Android operating system. There are two primary sources of applications:

- Pre-installed applications: Android has a set of pre-installed applications, including phone, email, calendar, web browser, and contacts. These function as user applications as well as providers of key device capabilities that can be accessed by other applications. Pre-installed applications may be part of the open-source Android platform, or they may be developed by an OEM for a specific device.
- User-installed applications: Android provides an open development environment supporting any third-party application. Our device administration app would fall into this category, and our main work will be done primarily at the framework and application levels. Applications at these layers are written in Java, so a regular Android team will feel comfortable working with them.

As a solution for businesses that use mobile device management, AOSP helps resolve concerns about security, functionality limitations, and ownership of the product, since it's possible to create an Android stack that provides any features and means of device management they might require. So let's quickly list the pros and cons of this approach.

Benefits and limitations of custom MDM

- Flexibility. As we mentioned, custom development allows you to choose any architecture and solution type you want for mobile device management. This means you can deploy a custom backend with policies of your choice. You can provide any enrollment methods, security management, and reporting.
- Independence of data collection. While AOSP is an open-source project led by Google, a solution based on it doesn't depend on their infrastructure. This means your mobile device management system will be secured from data collection by third-party organizations.
- Operating system customization. Additionally, the operating system itself can be customized to bring extra functionality and enhance the security of the system. The only limitation here is the hardware capabilities of the target device.
- Complexity. Customizing the OS and creating your own applications and back-end management platform is a complex and time-consuming project. Moreover, customizing the Android OS core requires an experienced and skilled team.

How to choose the best solution?

Given the described options, how do you choose? Here is a quick run through the key points:

- Google's mobile device management platform is capable of covering the majority of needs for mobile device management systems. The only tangible limitation is the closed registration for developing custom device policy controllers, so no custom policies can be implemented. Another point is that Google Cloud Platform becomes your backend, which can be a security or architectural concern for some organizations.
- Using the Android Management API as a basis for your system allows some customization, but still relies on Google's infrastructure.
- Approaching AOSP-based MDM might be the best choice if you require a high degree of customization. Based on our experience, working with AOSP might be a time-consuming task. But at the end of the day, it fulfills project objectives at the same level as native Android MDM solutions.

Mobile Device Management solutions for iOS

It's a rare case for an enterprise to use devices only on Android. So the first question that pops up is: what about iOS? Apple devices have a built-in framework for enrolling and managing iOS smartphones and tablets. The capabilities are similar to the Android Management API, including enrollment options and management flexibility. Because it's a huge topic, we're going to describe MDM for iOS in a dedicated article. Please stay tuned to learn about the implementation of the iOS framework in future material.
78、iOSIts a rare case for the enterprise to use devices only on Android.So the first thing that popsup is the question,what about iOS?Apple devices have a built-in framework for enrollingand managing iOS smartphones and tablets.The capabilities are similar to Androidmanagement API,including enrollment options,and management flexibility.Because its ahuge topic,were going to describe MDM for iOS in a dedicated article.Please stay tuned tolearn about the implementation of the iOS framework in future material.