Overview

Today, more than 63% of the population owns mobile phones and tablets. While this opens new possibilities for employee productivity, it also brings new threats of uncontrolled access to networks and confidential data within your organization. WSO2 Enterprise Mobility Manager (WSO2 EMM) offers a complete enterprise mobility management solution to address these pros and cons by enhancing convenience and security for your workforce. The enterprise mobility management capabilities given by WSO2 EMM are bundled within WSO2 IoT Server.

Open source EMM backed by enterprise support

Open source technology brings significant flexibility to your mobile projects. It enables you to get started quickly without time-consuming licensing or legal reviews, and it protects you from vendor lock-in. It gives you the flexibility to take the product in new directions, preserves full flexibility to commercialize your products, and ensures that the code is examined by many parties to ensure its reliability, security, and feature fit. WSO2 is a leading open source vendor that provides enterprise support. To learn more about the benefits of open source, see Why Open Source for Your IoT and Mobile Projects?

Why use WSO2 EMM?

WSO2 EMM provides the essential capabilities required to implement a scalable server-side EMM platform. These capabilities include device management, app management, APIs, analytics, customizable web portals, and transport extensions for MQTT, XMPP, and more. Furthermore, WSO2 EMM is released under the Apache Software License Version 2.0, one of the most business-friendly licenses available today.

You can use WSO2 EMM to:

Boost productivity of your workforce.
Manage the mobile devices used by your employees to access company data.
Manage the mobile applications used by your employees.
Allow your employees to securely share and access data among devices.
Monitor and analyze the activities performed by the devices.

To learn more about how WSO2 EMM can help your business, see Why Manage Enterprise Mobile Applications and Devices?

Mobile Device Management (MDM)

WSO2 EMM manages the Android, iOS, and Windows mobile devices of your workforce. Does your organization allow employees to bring their own devices to work, or does it provide corporate-owned devices to employees? WSO2 EMM allows you to enroll Bring Your Own Devices (BYOD) and Corporate Owned, Personally Enabled (COPE) devices.

With WSO2 EMM, you can:

Install the WSO2 EMM profile on the device. You can choose the BYOD or COPE enrollment path for the device.
Apply policies on devices so that they adhere to company security policies, such as disabling the device's camera when the device enters a certain geo area.
Customize the device enrollment process to enroll Corporate Owned, Single Use (COSU) and more.
Remotely control, upgrade the firmware, wipe data, transfer files, and much more.
Add geofences, monitor, and analyze device data using real-time analytics.
Group and manage devices in one go.

Mobile Application Management (MAM)

In addition to managing devices, WSO2 EMM helps you manage your mobile applications. For example, you might want your employees to access only the mobile applications made available to them via the organization's app store and not via the Play Store or iTunes.

With WSO2 EMM, you can:

Manage the lifecycle of mobile applications from the point of creating the application to installing it on a device.
Make certain applications visible only to those with defined permissions.
Manage mobile application versioning and update mobile applications.
Install mobile applications on multiple devices simultaneously using enterprise subscriptions.
Blacklist or whitelist mobile applications.

Mobile Identity Management (MIM)

WSO2 EMM supports user and device certificates, authentication, and single sign-on. Therefore, WSO2 EMM ensures that only trusted devices and users can access enterprise data or applications.

With WSO2 EMM, you can:

Authenticate and authorize users that sign in to WSO2 EMM.
Enable users to sign in to the WSO2 device management console, application publisher, and application store user interfaces using single sign-on (SSO). WSO2 EMM supports the SAML2.0 and OpenID Connect protocols for SSO.
Protect all the API communications of WSO2 EMM via the OAuth2 protocol.
Use the world-renowned WSO2 Identity Server (IS) capabilities to manage users and devices.

Want to learn more? See Securing Communication Between Devices and the IoT Platform.

Supported device operations

Let's take a look at the device operations available on WSO2 EMM.

Android device operations

Before getting to know the different Android operations that are available, let's understand the different Android enrollment types supported by WSO2 EMM.

BYOD enrollment

Bring Your Own Device (BYOD)
The operations listed under BYOD can only be carried out on devices that belong to the employees or are enrolled as a BYOD device. This is the normal enrollment process of WSO2 EMM. For more information on how to enroll a device as a BYOD device, see Android.
Work Profile devices
A work profile creates a containerized environment in a BYOD device to run corporate data and applications. This enables device admins to take control of the corporate data and applications running on the device without preventing the device owner from using the primary profile functionality. For more information, see Setting Up the Work Profile.

COPE enrollment

System Service Application
You can enroll Original Equipment Manufacturer (OEM) devices as Corporate Owned, Personally Enabled (COPE) devices using the WSO2 EMM's System Service Application. For more information, see Integrating the Android System Service Application.
Corporate Owned, Single Use (COSU) devices
A Corporate Owned, Single Use (COSU) device, also known as a kiosk device, can be enrolled with WSO2 EMM as a COPE device. For more information, see Setting Up Single-Purpose Devices.
Device Owner
Another way to enroll a device as a COPE device is to install the Android agent as a device owner. A device owner is an application that runs as a device administrator on your Android device. Because the device owner gets access to a set of unique APIs, it has more control over the device than a device administrator. For more information, see Device Ownership Application.

The following operations can be carried out on BYOD and COPE Android devices, respectively.

Operation	BYOD	Work Profile	System Service app	COSU	Device Owner app
Get the device's runtime information.	√	√	√	√	√
Get the device's current location.	√	√	√	√	√
Get the device's installed application list.	√	√	√	√	√
Ring the device for the purpose of locating the device in case of misplacing it.	√	√	√	√	√
Upload file to a specific folder on the device.	√	√	√	√	√
Download file to a specific folder on the device.	√	√	√	√	√
Enable the silent profile on the device or mute the device.	√	√	√	√	√
Change the provided passcode or lock code.	√	√	√	√	√
Remove the passcode or lock code set by the device owner.	√	√	√	√	√
Send a message to the device. The device administrator can use this device operation to send group messages or even private messages to the Android devices.	√	√	√	√	√
Enterprise wipe a device. When this operation is executed, the device is unregistered from WSO2 EMM.	√	√	√	√	√
Carry out a factory reset on the device. Users with BYOD devices need to provide the PIN, which they entered when registering with EMM, to be able to wipe their device.	√	`X`	√	√	√
Lock the device remotely. This is similar to locking the device by pressing the power button.	√	√	√	√	√
Restart the device. This feature is useful when you need to troubleshoot devices.	`X`	`X`	√	√	`X`
Upgrade the firmware on an Android device. For the firmware to be successfully upgraded, the firmware and the device must be compatible. This use case is only applicable to OEM devices.	`X`	`X`	√	`X`	`X`
Remotely execute the shell commands on the device's command prompt.	√	√	√	`X`	√
Get the device logs of the WSO2 EMM's Android agent application.	√	√	√	√	√
Allow the admin to remotely lock the device. Once the device is remotely locked, only the admin is able to unlock the device.	√	`X`	√	√	`X`
Install a shortcut link to a web page or web application on the device's home screen.	√	√	√	`X`	√
Install an app from the Google play store.	√	√	√	√	√
Install, uninstall, and update mobile applications.	√	√	√	√	√
Remotely view the device's screen.	√	`X`	√	`X`	√
Remotely control the device.	`X`	`X`	√	`X`	`X`
View the log of the operating system.	√	√	√	`X`	√
Install and update applications in silent mode (that is, without the user's confirmation) via the system service application.	`X`	`X`	√	√	`X`

iOS device operations

The operations listed below can be carried out on Bring Your Own Device (BYOD) iOS devices.

Operation	BYOD
Get device information.	√
Get installed applications.	√
Receive the location of the device.	√
Install, uninstall, and update mobile applications.	√
Carry out a factory reset on the device. Users with BYOD devices need to provide the PIN, which they entered when registering with EMM, to be able to wipe their device.	√
Lock the device.	√
Send a message to the device. The device administrator can use this device operation to send group messages or even private messages to the device users.	√
Clear the passcode or lock code set by the device owner.	√
Wipe all the profiles and data, including apps provisioned via WSO2 EMM using the enterprise wipe operation.	√

Windows device operations

The operations listed below can be carried out on Windows devices.

Lock devices
Disenroll or unregister devices.
Remove the device lock.
Change the provided passcode or lock code.
Ring the device.
Carry out a factory reset on the own device. The device owner needs to provide the PIN, which they entered when registering with WSO2 EMM, to be able to wipe their device.

Supported policy configurations

Policies for Android devices

The mobile device management administrator can add a new policy to a preferred device type, such as BYOD or COPE. The following policies are available for the Android platform.

Policy Description

Passcode policy Define a password policy for the devices.

Restrictions

Allow or disallow users from using the following features on Android devices. Most of the restrictions require the Android work profile to be set up, the system app installed, or the device to be a single-purpose device.

Please note that the restrictions mentioned under device ownership application do not work for Samsung devices at the moment.

Restrictions	BYOD	Work profile	System Service app	COSU	Device Owner app
Using the camera on the device.	√	√	√	√	√
Configuring user credentials.	`X`	√	`X`	`X`	√
Configuring VPN.	`X`	√	`X`	`X`	√
Restricting items copied to the clipboard from being posted on related profiles.	`X`	√	`X`	`X`	√
Enabling or accessing debugging features.	`X`	√	√	√	√
Installing applications.	`X`	√	`X`	`X`	√
Enabling the "Unknown Sources" setting.	`X`	√	√	√	√
Adding and removing accounts unless they are programmatically added by the Authenticator. For more information, see the details on adding an account directly. Note! If you enabled this policy before configuring the Google Play Store with a Google Account, the following message is displayed when you open the Google Play app: “This change is not allowed by the device administrator”. To use the Google Play Store with this policy, you need to set up the Google account and configure Google Play before applying this policy.	`X`	√	√	√	√
Restrict the use of Near Field Communication (NFC) to beam out data from apps.	`X`	√	√	√	√
Turning on location sharing.	`X`	√	√	√	√
Uninstalling applications.	`X`	√	√	√	√
Allows or disallow apps in the parent profile to handle web links from the managed profile.	`X`	√	√	√	√
Disabling application verification.	`X`	`X`	√	√	√
Enabling the auto time feature in Settings > Date & Time.	`X`	`X`	√	√	√
Disabling the screenshot option on the device.	`X`	`X`	√	√	√
Restricting the user from sending or receiving Short Message Service (SMS) messages.	`X`	`X`	√	√	√
Adjusting the master volume.	`X`	`X`	√	√	√
Configuring cell broadcasts.	`X`	`X`	√	√	√
Configuring Bluetooth.	`X`	`X`	√	√	√
Configuring mobile networks.	`X`	`X`	√	√	√
Transferring files over USB.	`X`	`X`	√	√	√
Changing Wi-Fi access.	`X`	`X`	√	√	√
Device rebooting.	`X`	`X`	√	√	√
Making outgoing phone calls.	`X`	`X`	√	√	√
Mounting physical external media.	`X`	`X`	√	√	√
Restricting windows beside the app window from being created.	`X`	`X`	√	√	√
Factory resetting the device from Settings.	`X`	`X`	√	√	√
Removing other users.	`X`	`X`	√	√	√
Adding new users and profiles.	`X`	`X`	√	√	√
Resetting the network settings from Settings.	`X`	`X`	√	√	√
Adjusting the microphone volume.	`X`	`X`	√	√	√
Disabling the status bar on the device. This restriction is only supported in Android version 6.0 Marshmallow and higher	`X`	`X`	√	√	√

Encrypt storage Encrypt data on the device when the device is locked and make it readable when the passcode is entered.

Wi-Fi

Ability to configure the Wi-Fi access on a device. WSO2 EMM provides advanced Wi-Fi configuration settings, as shown below:

You are able to configure the Wi-Fi settings for the WEP, WPA/WPS 2PSK, and 802.1 EAP security types.
The 802.1 EAP security type works only for Android 4.3 and above.
WSO2 EMM supports the following EAP methods: PEAP, TLS, TTLS, PWD, SIM, and AKA.
If you want to provide the identity of the user that accesses the Wi-Fi through their Android device, you can provide [user] as the value for Identity, and it will provide the username used by the user to enroll their Android device with WSO2 EMM. This setting is only applicable for the following EAP methods: PEAP, TLS, TTLS, and PWD.

VPN Ability to specify the VPN and per-app VPN settings.

Work-Profile Configurations

Ability to separate the personal and work-related data on your device via the managed profile feature.

For more information on how this works, see Data Containerization for Android Device.

Application restrictions

Ability to blacklist and whitelist applications on the Android platform, as described below:

Blacklist applications

Prevents you from using the applications defined in the policy. For Android operation systems before Lollipop, when the user clicks a blacklisted application, a screen appears that prevents you from using the app. For the Lollipop Android operating systems and later, the blacklisted apps are hidden. Blacklisting can be used on both BYOD and COPE devices.

Whitelisting applications

Allows you to install only the applications defined in the policy. This feature requires another application, the WSO2 EMM System app, which is signed by the device firmware owner. Therefore, this app is generally used on COPE devices, but if you can get the WSO2 EMM System app signed via a firmware signing key, you can use it on BYOD devices, too.

In addition to the above, you can enable application restrictions via the restrictions policy. The restrictions policy has two settings to restrict application installation and uninstallation. To use the restrictions policy, the WSO2 EMM application must have device owner privileges, or the device must have the WSO2 EMM System app installed.

Policies for iOS devices

The mobile device management administrator can restrict operations on Windows devices by adding a new policy. The following policies are available for the iOS platform.

Policies	Description
Passcode policy	Define a password policy for the devices.
Restrictions	Restricts the usage of the camera and other functions. You can allow or disallow users from using the following features on the device: Restrict users from installing applications on the device. Prohibit users from adding friends to the Game Center. Restrict users from removing applications from the device. Restrict users from using Siri. Prevent Siri from querying user-generated content from the web. Prevent users from using Siri when the device is locked. Availability: iOS 5.1 and later. Restrict users from using the camera. If this operation is not allowed, the camera icon will be removed from the home screen. Prevent users from backing up the device data to iCloud. Availability: iOS 5.0 and later. Disable documents and key-value syncing to iCloud. Availability: iOS 5.0 and later. Disable Cloud keychain synchronization. Availability: iOS 7.0 and later. Prevent the device from automatically submitting diagnostic reports to Apple. Availability: iOS 6.0 and later. Hide explicit music or video content purchased from the iTunes Store. Explicit content is marked by content providers such as record labels when sold through the iTunes Store. Prevent the Touch ID from unlocking a device. Availability: iOS 7 and later. Disable the global background fetch activity when an iOS phone is roaming. Prohibit in-app purchasing. Prevent the Control Center from appearing on the Lock screen. Availability: iOS 7 and later. Disable host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Availability: iOS 7.0 and later. Disable the 'Today view' in the Notification Center of the lock screen. Availability: iOS 7.0 and later. Prohibit multiplayer gaming. Allow managed apps and the accounts to open only in other managed apps and accounts. Availability: iOS 7.0 and later. Allow unmanaged apps and accounts to open only in other unmanaged apps and accounts. Availability: iOS 7.0 and later. Disable over-the-air PKI updates. Setting this restriction does not disable CRL and OCSP checks. Availability: iOS 7.0 and later. Disable Passbook notifications. Availability: iOS 7.0 and later. Disable Photo Streams. Availability: iOS 7.0 and later. Disable the Safari web browser application and remove the icon from the Home screen. This also prevents users from opening web clips. Disable Safari auto-fill. Enable the Safari fraud warning. Prevent Safari from executing JavaScript. Prevent Safari from creating pop-up tabs. Restrict users from saving a screenshot of the display. Disable shared Photo Stream. Availability: iOS 6.0 and later. Disable video conferencing. Disable voice dialing. Disable the YouTube application and remove its icon from the home screen. Users will not be able to preview, purchase, or download content. Availability: iOS 7.0 and later. Force the use of the profanity filter assistant. Encrypt all backups. Force user to enter their iTunes password for each transaction. Availability: iOS 5.0 and later. Limit ad tracking. Availability: iOS 7.0 and later. Force all devices receiving AirPlay requests from the user's device to use a pairing password. Availability: iOS 7.1 and later. Force all devices sending AirPlay requests to the user's device to use a pairing password. Prevent the managed applications from using cloud sync. Disable Activity Continuation. Prevent the backing up of enterprise books. Prevent the syncing of notes and highlights in the enterprise books. Allow the user to modify the touch ID. Determine the conditions under which the device will accept cookies. The conditions are as follows: Never From visited sites only Always Force users to unlock their Apple Watch with a passcode once the watch has been removed from their wrist. Availability: iOS 8.3 and later. Restrict access to certain age groups based on the ratings. The ratings given are as follows: Don't allow apps 4+ 9+ 12+ 17+ Allow all apps Restrict access to movies based on movie ratings. The ratings given are as follows: Don't allow movies G PG PG-13 R NC-17 Allow all movies Rate operations based on the region. Restrict access to TV shows based on the ratings given. The ratings given are as follows: Don't allow TV shows TV-Y TV-Y7 TV-G TV-PG TV-14 TV-MA All TV shows Allow the apps to be identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Availability: iOS 7.0 and later.
Wi-Fi	Configure the Wi-Fi access on a device.
Email	Configure settings for connecting to your POP or IMAP email accounts.
AirPlay	Configure settings for connecting to AirPlay destinations.
LDAP	Configure settings for connecting to LDAP servers.
Calendar	Configure settings for connecting to CalDAV servers.
Calendar Subscription	Configure settings for calendar subscriptions.
APN	Specify Access Point Names (APN).
Cellular Network	Specify Cellular Network Settings on an iOS device.
VPN	Specify the VPN and per-app VPN settings.

Policies for Windows devices

The mobile device management administrator can restrict operations on Windows devices by adding a new policy. The following policies are available for the Windows platform.

Policies	Description
Passcode policy	Define a password policy for the devices.
Restrictions	Restrict the usage of the camera.
Encrypt storage	Encrypt data on the device when the device is locked and make it readable when the passcode is entered.

Want to contribute or need help?

Would you like to contribute to WSO2 EMM and get involved with the WSO2 community? For more information, see how you can participate in the WSO2 community.
Do you need help on customizing WSO2 EMM to meet your business requirement? We will be glad to assist you! Just send us your requirement.