This documentation is for WSO2 IoT Server 3.2.0. View the documentation for the latest release.
Data Containerization for Android Device - IoT Server 3.2.0 - WSO2 Documentation
                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
||
Skip to end of metadata
Go to start of metadata

WSO2 IoT Server enables you to register mobile devices via the BYOD or COPE device enrollment scenario. Data containerization allows you to have a separation between data. Therefore, if you are registering your device via the BYOD scenario you are able to have a clear separation between your personal data and the enterprise data. To understand the underlying concept clearly, take a look at the example given below.

Example:

MobX uses WSO2 IoT Server to manage and monitor the employees mobile devices and applications. Alex joins as the new Engineering team manager and needs to register the personal mobile device with WSO2 IoT Server, but is concerned because Alex doesn't want to expose the personal data on the device to the Organization. On the other hand, MobX is concerned about not letting the other applications installed in Alex's device to access the confidential enterprise data. For example, Alex has installed an application for enterprise docs on the device. This application has access to all the enterprise docs and the personal docs as they are all stored in the same location. Therefore, it is important to clearly separate the enterprise and personal data in a BYOD device enrollment scenario. Follow the steps given below to enable data containerization on your device.

 Click here for more information on registering an Android device with data containerization, see End-user Registering an Android Device via the Managed Profile.

Follow the instructions given below to set up the Android work profile:

  1. Tap INSTALL to start installing the Android agent.

  2. Tap OPEN, once the WSO2 Android Agent is successfully installed.

  3. Tap SETUP WORK-PROFILE to proceed with registering the Android device via the Work-Profile.

  4. Tap SET UP.

    If your device was not encrypted previously, you will be prompted to encrypt the device.

  5. Enter the server address based on your environment, in the text box provided and tap START REGISTRATION. A confirmation message appears.

    • Developer Environment - Enter the server IP as your server address.
      Example: 10.10.10.123:8280
    • Deployment Environment - Enter the domain as your server address.

      The Android Agent app's default port is 8280. If you are using any other port, the server address should state the new port in the following format: www.abc.com:<PORT>, e.g., if the port is 8289 the server IP is as follows: www.abc.com:8289.

  6. Enter your details and tap SIGN IN.
    • Organization - Enter the organization name only if the server is hosted with multi-tenant support or enter the default carbon.super, which is the default organization name on a non-multi-tenant environment.
    • Username - Enter the WSO2 IoTS username.
    • Password - Enter the WSO2 IoTS password.

    Read the policy agreement, and tap AGREE to accept the agreement.  
  7. Tap ALLOW to allow the WSO2 Android agent to access photos, media, and files, make and manage phone calls, and access the device location respectively.

  8. Set a PIN code of your choice with a minimum of 4 digits. A confirmation message appears.

    You will be prompted to provide a PIN code only if your device is a BYOD device. The PIN code will be used to secure your personal data. Thereby, WSO2 IoT server will not be able to carry out critical operations on your personal data without using this PIN. 

    Example: A device management admin cannot wipe your device or remove data from the device without the PIN code. You have to provide the PIN code to get your device wiped or you can log into the device management console and wipe your device by entering the PIN code.

  9. You have now successfully registered your Android device. Tap Device Information to get device specific information, and tap Unregister if you wish to unregister your device from WSO2 IoT Server.


Once the registration process is complete, navigate to the launcher of your device. Notice the duplication of application icons. The applications with red icons are the ones used by WSO2 IoT Server.

To deactivate Android Work Profile:

  1. Navigate to Settings > Accounts on your device.
  2. Click Remove work profile.
  3. Tap DELETE and proceed with the deactivation.

    Once the deactivation is complete, navigate to the launcher of the device. Notice the disappearance of the applications with red icons.



The following subsections will provide details on how data containerization is achieved via the managed-profile feature.

Setting up the work profile

Data containerization for Android devices was implemented using the Managed Profile feature that is available on the Android devices that support the Android Lollipop OS or upwards. Let's take a look at the how data containerization works on WSO2 IoT Server.

  • When you download and install the Android Agent on your Android mobile device, the agent will check if the device supports the managed profile feature. 
  • If the device supports the managed profile feature, the agent will prompt the user to set up the work profile before the installation.

    Having the Android Lollipop OS version or above will not enable you to set up the work profile. The setup might fail because of the OS customizations that would have been done on some of the devices by the manufacturers.

  • Once the profile is set up, the Android agent is automatically copied into the new work profile. Therefore, WSO2 IoT Server will prompt you to uninstall the agent you downloaded previously as it was installed in the devices personal profile.
  • After setting up the work profile you need to follow the default steps to register an Android device with WSO2 IoT Server.
    Once the registration process is completed, navigate to the launcher of the device and you will be able to see the applications that are used by the worker profile and the personal profile. The applications having the red icon are used by the WSO2 IoT Server work profile.

    • Using this approach, you don't have to switch between the personal profile and work profile as all the applications used by each profile is shown in the same launcher. 
    • Based on the underlying architecture, the profiles have their own storage locations that can not be accessed by each other.

Applying Android device operations

After registering your device with WSO2 IoT Server you can apply operations on a device. 

For more information on the operations that can and can not be applied once data containerization is enabled, see below:
  • The Android agent is the profile owner of the newly created work profile and only has control over it. Therefore, now the agent is unable to perform operations that affect the entire device, such as changing the device PIN and wiping data of the entire device.

  • If your Organization has imposed a policy to restrict the usage of the camera, you will not be able to use the camera application that is installed in the work profile. You will only be allowed to used the camera application that is installed in your personal profile.

  • The enterprise wipe operation will delete the enterprise-related data along with the work profile on your device while keeping the personal data intact.

  • No labels