Most enterprises use devices that are customized for their requirement. For example having a custom android device that functions as a POS. In such situations organizations prefer to have and maintain custom firmwares or get device vendors to build a custom device to suite their requirement. For example apps or devices having the capability to sign their POS app with the vendor firmware signing key and install it on devices as a system app.
WSO2 EMM provides a separate service application that can be signed by a firmware signing key and installed on the devices as a system application alongside the EMM Agent application. This enables you to have better control over the devices registered with WSO2 EMM. Since this is a system app it provides system level capabilities, such as device firmware upgrade, reboot and enforcing security policies, and much more.
For more information on managing the system service Android application see the following subsections:
When the system service app is installed on a device that is registered with WSO2 EMM, the EMM Android Agent communicates with it to trigger system level operations from the WSO2 EMM server. The communication between the system service application and the Android agent is secured by two layers of protection as listed below:
Via the signature - The system will grant permission only if the requesting application is signed with the same certificate as the application that is declared in the permission.
For more information on securing the communication, see <permissions> on the Android Developer documents.
- Check the package name of the intent who makes the call to verify that it’s a request from the EMM Android agent.
Integrating WSO2 EMM and the system service application
Follow the steps given below to integrate the system service Android application with WSO2 EMM:
- Build the system service application.
- Download the source code.
- The system service app can not be built via the usual android developer SDK, as it requires access to developer restricted APIs. Therefore, you need to replace the existing
android.jarfile that is under the
<SDK_LOCATION>/platforms/android-<COMPILE_SDK_VERSION>directory with the explicitly built
android.jarfile that has access to the restricted APIs.
Download the Android Open Source Project (AOSP) and build the source code to get the
jarfile for the required SDK level.
- Open the system service application source code via Android Studio and clean build it as a usual android application.
Sign the system service.
Sign the application via the device firmware signing key. If you don’t have access to the firmware signing key, you have to get the system application signed via your device vendor.
For more information of singing the system service, see Signing Your Applications.
Install the system service application by following any of the methods given below:
If you have your own firmware, the system service application will be available out of the box with your firmware distribution.
Copy the signed system service APK file to the
/system/priv-appsdirectory of the device.
When the device boots or restarts for the first time, it will automatically install the application as a system application.
Install the system service application externally via an Android Debug Bridge command.
For more information on how this takes place on WSO2 EMM, see Configuring the WSO2 EMM service application
Enable the system service invocations through the WSO2 EMM Agent application
Make sure to sign the EMM-Agent using the same device firmware signing key that was used to sign the System Service Application, else you will run into security exceptions.
Navigate to the
Constants.javaclass, which is in the
org.wso2.emm.agent.utilspackage and configure the
SYSTEM_APP_ENABLEDfield as follows:
- Rebuild the EMM agent application.
Operations supported via the system service application
The following operations are supported via the system service application:
Device Reboot: Restart or reboot your Android device.
Firmware upgrade: Upgrade the firmware of Android devices.
Enforcing user restrictions: Restrict different functions on the user's device using this REST API. When adding a policy you will have the option of saving the user restriction policy or saving and publishing the user restriction policy.
Silent app installation, removal and update
Application installation, removal and update will be performed without the user's confirmation when the Android system service application is available on an Android device.
This operation is only available for enterprise applications (apps that were created by your organization.) and is not available for public applications (publicly available apps, such as free apps available online).