This documentation is for WSO2 Enterprise Mobility Manager 2.2.0. View documentation for the latest release.
Feature Categorization for Supported Device Types - Enterprise Mobility Manager 2.2.0 - WSO2 Documentation

WSO2 EMM currently supports iOS, Android, and Windows devices. However, the available device configuration features vary based on the mobile OS. The features available for each mobile OS are listed below.
 

Android device operations

BYOD and COPE operations

The default operations that are available for Android devices are accessible for BYOD devices. The COPE devices can only carry out selected operations. If you want to enable the COPE devices to carry out more operations or if you want to limit BYOD devices from carrying out selected operations, you can do so via policies.

The following operations can be carried out on the BYOD and COPE Android devices, respectively.

Operation | BYOD | COPE
Screen lock a device.
Unlock a device that was screen locked via the lock operation.
Retrieve the location of a device.
Enable the silent profile on your own device or mute the device via the EMM server.
Enterprise wiping a device. When this operation is executed, the device will be unregistered from EMM.
Remove your passcode or lock code via the EMM server.
Change the provided passcode or lock code.
Ring the device via the EMM server.
Send a message to the device via the EMM server. The EMM admin can use this device operation to send group messages or even private messages to the EMM users.
Carry out a factory reset on your own device via the EMM server. Users with BYOD devices have to provide the PIN that they entered when registering with EMM to be able to wipe the device.

Alert mechanism to report critical device events.

Check for applications that your organization has made available in their app store via the app catalog application.
Schedule application installations and updates.

System service application operations

WSO2 EMM provides a separate service application that can be signed by a firmware signing key and installed on the devices as a system application alongside the EMM Agent application. This enables you to have better control over the devices registered with WSO2 EMM. To install the system service application on the devices, you need to integrate it with WSO2 EMM. For more information, see Integrating the Android System Service Application.

You can perform the following operations if you have the system service application installed on your Android device.

  • Schedule firmware upgrades on the device.
  • Reboot or restart your device.
  • Install and update applications in silent mode, that is, without the user's confirmation, via the system service application.
  • Hard lock an Android device, where the Administrator permanently locks the device.
  • Unlock a device that was hard locked.

Policies for Android devices

The EMM administrator can add a new policy to a preferred device type, such as BYOD or COPE. The following policies are available for the Android platform.

Policy | Description
Passcode policy: Define a password policy for the devices.
Restrictions

Allow or disallow users from using the following features on Android devices:

  • Adjusting the master volume.
  • Using the camera on the device.
  • Configuring Bluetooth.
  • Configuring cell broadcasts.
  • Configuring user credentials.
  • Configuring mobile networks.
  • Configuring Tethering & portable hotspots.
  • Configuring VPN.
  • Changing Wi-Fi access.
  • Restrict windows beside the app window from being created.
  • Restrict items copied to the clipboard from being pasted on related profiles.
  • Enabling or accessing debugging features.
  • Factory resetting the device from Settings.
  • Adding new users and profiles.
  • Installing applications.
  • Enabling the "Unknown Sources" setting.
  • Adding and removing accounts unless they are programmatically added by the Authenticator.

    For more information, see the details on adding an account directly.

  • Mounting physical external media.
  • Resetting the network settings from Settings.
  • Restrict the use of Near Field Communication (NFC) to beam out data from apps.
  • Making outgoing phone calls.
  • Removing other users.
  • Device rebooting.
  • Turning on location sharing.
  • Restrict the user from sending or receiving Short Message Service (SMS) messages.
  • Uninstalling applications.
  • Adjusting the microphone volume.
  • Transferring files over USB.
  • Allows apps in the parent profile to handle web links from the managed profile.
  • Disallow users from disabling application verification.
  • Enable the auto time feature in the device that is in Settings > Date & Time.
  • Disable the screen shot option on the device.
  • Disable the status bar on the device.
Encrypt storage: Encrypt data on the device when the device is locked, and make it readable when the passcode is entered.

Wi-Fi

Ability to configure the Wi-Fi access on a device. WSO2 EMM provides advanced Wi-Fi configuration settings, as shown below:
  • You are able to configure the Wi-Fi settings for the WEP, WPA/WPS 2PSK and 802.1 EAP security types.
  • The 802.1 EAP security type works only for Android 4.3 and above.
  • WSO2 EMM supports the following EAP methods: PEAP, TLS, TTLS, PWD, SIM, and AKA.
  • If you want to provide the identity of the user that accesses the Wi-Fi through their Android device, you can provide [user] as the value for Identity, and it will provide the username used by the user to enroll their Android device with WSO2 EMM. This setting is only applicable for the following EAP methods: PEAP, TLS, TTLS, and PWD.
 
VPN: Ability to specify the VPN and per-app VPN settings.
Work-Profile Configurations

Ability to separate the personal and work-related data on your device via the managed profile feature.

For more information on how it works, see Data Containerization for Android Device.

Application restrictions

Ability to blacklist and whitelist applications on the Android platform. Let's take a look at how it works:

Blacklist applications

Prevents you from using the applications defined in the policy. On Android operating systems before Lollipop, when a blacklisted application is clicked, a screen is displayed to prevent you from using the app. On Lollipop and later Android operating systems, the blacklisted apps are hidden. Blacklisting can be used on both BYOD and COPE devices.

Whitelisting applications

Allows you to only install the applications defined in the policy. This feature requires another application, i.e., the WSO2 EMM System app, that is signed by the device firmware owner. Therefore, it will generally be available for COPE devices, but if you are able to get the WSO2 EMM system application signed via a firmware signing key, then you are able to use it for BYOD devices too.

In addition to the above, you are able to enable application restrictions via the restrictions policy. The restrictions policy has two settings to restrict application installation and uninstallation. For this, the WSO2 EMM application needs to have device owner privileges or the device needs to have the WSO2 EMM System app installed.

Information on enrolled Android devices

You are able to get the following information about an enrolled Android device via the WSO2 EMM console.

  • Device overview that includes details, such as the device ID, name, model, status, owner, ownership type (BYOD or COPE), IMEI, date and time the device was last updated, and the firmware build date if you have installed the Android system service application.
  • The battery charged percentage.
  • The internal storage information.
  • The RAM usage.
  • The external storage information.
  • The list of installed applications on a device and the memory consumption of each application in the device.
  • The operation log information that contains the details of successful, failed and pending operations.
  • The details of the policy that is being enforced on the device and the compliance details.
  • The location of the device.

iOS device operations

The operations listed below can be carried out on iOS devices.

By default WSO2 EMM only supports the BYOD registration process for the iOS platform.

  • Lock your own device via the EMM server.
  • Receive the location of the device.
  • Enable the silent profile on your own device via the EMM server.
  • Wipe all the profiles and data, including apps provisioned via WSO2 EMM using the enterprise wipe operation.
  • Remove your own device lock via the EMM server.
  • Ring the device via the EMM server.
  • Send a message to the device via the EMM server. The EMM admin can use this device operation to send group messages or even private messages to the EMM users.
  • Set the APN configurations on a user's device. In iOS, the EMM server does not detect whether a device (i.e., iPad) has only Wi-Fi, or whether the device has 3G and Wi-Fi. If there is only Wi-Fi, the APN configurations cannot be pushed, and a policy violation will occur.
  • Set the Google Calendar configurations on the user's device.
  • Set the LDAP account configurations on the user's device.
  • Reboot or restart your device.
  • Schedule firmware upgrades on the device.

Policies for iOS devices

The EMM administrator is able to restrict operations on iOS devices by adding a new policy. The following policies are available for the iOS platform.

Policies | Description

Passcode policy

Define a password policy for the devices.

Restrictions

Restricts the usage of the camera and other functions.

You are able to allow or disallow users from using the following features on the device:

  • Restrict users from installing applications on the device.
  • Prohibit users from adding friends to the Game Center.
  • Restrict users from removing applications from the device.
  • Restrict users from using Siri.
  • Prevent Siri from querying user-generated content from the web.
  • Prevent users from using Siri when the device is locked. Availability: iOS 5.1 and later. 

  • Restrict users from using the camera. If this operation is not allowed the camera icon will be removed from the home screen.
  • Prevent users from backing up the device data to iCloud. Availability: iOS 5.0 and later. 

  • Disable documents and key-value syncing to iCloud. Availability: iOS 5.0 and later.

  • Disable Cloud keychain synchronization. Availability: Only in iOS 7.0 and later. 

  • Prevent the device from automatically submitting diagnostic reports to Apple. Availability: Only in iOS 6.0 and later. 

  • Hide explicit music or video content purchased from the iTunes Store. Explicit content is marked by content providers, such as record labels, when sold through the iTunes Store.
  • Prevent the Touch ID from unlocking a device. Availability: iOS 7 and later. 

  • Disable the global background fetch activity when an iOS phone is on roaming.
  • Prohibit in-app purchasing.
  • Prevent the Control Center from appearing on the Lock screen. Availability: iOS 7 and later. 

  • Disable host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Availability: Only in iOS 7.0 and later.

  • Disable the 'Today view' in the Notification Center of the lock screen. Availability: Only in iOS 7.0 and later. 

  • Prohibit multiplayer gaming.
  • Allow managed apps and accounts to only open in other managed apps and accounts. Availability: Only in iOS 7.0 and later.

  • Allow unmanaged apps and accounts to only open in other unmanaged apps and accounts. Availability: Only in iOS 7.0 and later.

  • Disable over-the-air PKI updates. Setting this restriction does not disable CRL and OCSP checks.  Availability: Only in iOS 7.0 and later. 

  • Disable Passbook notifications. Availability: Only in iOS 7.0 and later. 

  • Disable Photo Streams. Availability: Only in iOS 7.0 and later. 

  • Disable the Safari web browser application and remove the icon from the Home screen. This also prevents users from opening web clips. 
  • Disable Safari auto-fill.
  • Enable the Safari fraud warning.
  • Prevent Safari from executing JavaScript.
  • Prevent Safari from creating pop-up tabs.
  • Restrict users from saving a screenshot of the display.
  • Disable shared Photo Stream. Availability: iOS 6.0 and later. 

  • Disable video conferencing.
  • Disable voice dialing.
  • Disable the YouTube application and remove its icon from the home screen. Users will also not be able to preview, purchase, or download content. Availability: iOS 7.0 and later.

  • Force the use of the profanity filter assistant.
  • Encrypt all backups.
  • Force user to enter their iTunes password for each transaction. Availability: iOS 5.0 and later. 

  • Limit ad tracking. Availability: iOS 7.0 and later. 

  • Force all devices receiving AirPlay requests from the user's device to use a pairing password. Availability: iOS 7.1 and later. 

  • Force all devices sending AirPlay requests to the user's device to use a pairing password.

  • Prevent the managed applications from using cloud sync.
  • Disable Activity Continuation.
  • Prevents the backing up of enterprise books.
  • Prevents the syncing of notes and highlights in the enterprise books.
  • Allow the user to modify the touch ID.
  • Determine the conditions under which the device will accept cookies. The conditions are as follows:
    • Never
    • From visited sites only 
    • Always 
  • Force users to unlock their Apple Watch with a passcode once the watch has been removed from their wrist. Availability: iOS 8.3 and later. 

  • Restrict access to apps based on the rating given for age. The ratings given are as follows:

    • Don't allow apps
    • 4+
    • 9+
    • 12+
    • 17+
    • Allow all apps
  • Restrict access to movies based on movie ratings. The ratings given are as follows:

    • Don't allow movies
    • G
    • PG
    • PG-13
    • R
    • NC-17
    • Allow all movies
  • Rate operations based on the region.
  • Restrict access to TV shows based on the ratings given. The ratings given are as follows:

    • Don't allow TV shows
    • TV-Y
    • TV-Y7
    • TV-G
    • TV-PG
    • TV-14
    • TV-MA
    • Allow all TV shows
  • Allow the apps to be identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Availability: iOS 7.0 and later. 

Wi-Fi

Configure the Wi-Fi access on a device.

Email

Configure settings for connecting to your POP or IMAP email accounts.
AirPlay: Configure settings for connecting to AirPlay destinations.
LDAP: Configure settings for connecting to LDAP servers.
Calendar: Configure settings for connecting to CalDAV servers.
Calendar Subscription: Configure settings for calendar subscriptions.
APN: Specify Access Point Names (APN).
Cellular Network: Specify Cellular Network Settings on an iOS device.
VPN: Specify the VPN and per-app VPN settings.

Information on enrolled iOS devices

You are able to get the following information about an enrolled iOS device via the WSO2 EMM console.

  • The battery charged percentage.
  • The internal storage information.
  • The list of installed applications on the specific device.
  • The operation log information that contains the details of successful, failed and pending operations.
  • The details of the policy that is being enforced on the device and the compliance details.
  • The location of the device.

Windows device operations

The operations listed below can be carried out on Windows devices.

  • Lock your own device via the EMM server.
  • Disenroll or unregister your device from WSO2 EMM.
  • Remove your own device lock via the EMM server.
  • Change the provided passcode or lock code.
  • Ring the device via the EMM server.
  • Carry out a factory reset on your own device via the EMM server. The user has to provide the PIN that they entered when registering with EMM to be able to wipe the device.

Policies for Windows devices

The EMM administrator is able to restrict operations on Windows devices by adding a new policy. The following policies are available for the Windows platform.

Policies | Description

Passcode policy

Define a password policy for the devices.
Restrictions: Restricts the usage of the camera and other functions. Windows only supports device restrictions on the camera.
Encrypt storage: Encrypt data on the device when the device is locked, and make it readable when the passcode is entered.

Information on enrolled Windows devices

You are able to get the following information about an enrolled Windows device via the WSO2 EMM console.

  • The operation log information that contains the details of successful, failed and pending operations.
  • The details of the policy that is being enforced on the device and the compliance details.