If you are an administrator in a company with an internal mobile application, no matter for what – be it a regular messenger or mail, or something special like a barcode scanner – sooner or later you will be faced with the task of remote configuration and management of applications. You can use crutches to prescribe a specific id or server address in all phones, but there is also a ready-made solution – de facto already a standard that can be used in conjunction with one of the existing EMM / UEM platforms (Enterprise Mobile Management / Unified Endpoint Management).

In this article, we decided to give instructions on how to make your Android application configurable if you are its developer. That is: what exactly needs to be changed in your application to meet the needs of the corporate audience. We also described all the work of the administrator using the platform as an example. Knox Manage…

Formulation of the problem

In an interview with colleagues from the SRI SOKB (Scientific and Testing Institute for Integrated Security Systems), we agreed that a modern corporate mobile infrastructure can no longer be imagined without a centralized control system.

For example, in the Swiss railway company SBB, each of 30,000 employees gets a phone customized for work tasks – there is not only mail and messenger, but also, for example, sending messages about malfunctions. To entrust an employee with the task of setting up this entire periphery is not only costly in man-hours, but is also fraught with possible errors in the process. And in some cases – for example, when failures appear – it is easier to completely reflash and re-initialize the phone than to look for an error. Therefore, a correctly chosen solution for a corporate application makes the life of an IT administrator of a company much easier.

Usually, when introducing centralized systems, we are faced with two tasks:

1. Primary connection of the device to the system. Everything is quite simple here, there have been standard tools for this for a long time: Knox Mobile Enrollment, Android Zero Touch and Android Enterprise Enrollment (EMM token, QR codes, etc.)
2. Initial configuration of the required corporate applications. This point is much more difficult, since different applications have completely different parameters and settings, and it is impossible to know all of them in advance.

General solution scheme

As a solution to the second problem, there is a mechanism AppConfig, this is not an initiative of a single company, but an operating convention of several vendors. Its essence is briefly as follows: the developer implements in his mobile application – mail, messenger, video communication client, etc. – support for managed configurations (Managed Configurations), customized for a specific user. The developer decides which parameters in the application can be set from the outside (identifier, username, server address). Through corporate Google play these parameters go to the EMM system. And it already allows you to create managed configurations and remotely assign them to specific devices and users.

To find out if such functionality is implemented in a specific application:

• Go to corporate Google Play.
• Find the app you want.
• If it supports managed configurations, you will see the icon “This application can be configured remotely” under the name:

The general process looks like this:

1. The developer adds support for managed configurations to their application. In the schema file XML it specifies the settings to be configured remotely, and deployed in the application code. Then he uploads the application to the corporate Google Play.
2. The EMM system provides an interface for the administrator through which the XML schema is retrieved from the application on Google Play using iframe…
3. The administrator enters the parameter values ​​that should appear on corporate devices. After that, the EMM system transfers the configuration to Google Play.
4. Google Play updates the app on all corporate devices to reflect the new configuration.

The process of adapting an enterprise mobile application to AppConfig

Suppose you need to remotely enter an address and username in an email client. Using Samsung Knox Manage as an example, the interface for setting these parameters using managed configuration will look like this:

For the Email address field, enter $ emailaddress $, and for the User name, set $ username $ (these variables will be dynamically substituted, depending on the specific user).

How can a developer add AppConfig support to their application?

Suppose we are developing a mobile application where the configurable parameter is the server address. According to recommendations Google, the developer must:

1. Find the XML resource file, which is usually found in the res / xml project folder. It contains information about all configurable parameters, which then enters the EMM system through Google Play APIs.

   <?xml version="1.0" encoding="utf-8"?>  
   <restrictions xmlns:android="http://schemas.android.com/apk/res/android">  
   <restriction  
            android:key="address"  
           android:title="@string/title"  
            android:restrictionType="string"  
            android:description="@string/description"  
            android:defaultValue="sample address" />  
    </restrictions>  
   

2. Explicitly list the app_restrictions.xml file in your application manifest inside the application tag.

   <application  
        android:allowBackup="true"  
        android:icon="@mipmap/ic_launcher"  
        android:label="@string/app_name"  
        android:roundIcon="@mipmap/ic_launcher_round"  
        android:supportsRtl="true"  
        android:theme="@style/AppTheme">  
    <meta-data android:name="android.content.APP_RESTRICTIONS"  
        android:resource="@xml/app_restrictions" />

3. Implement handling the ACTION_APPLICATION_RESTRICTIONS_CHANGED event in the application code. This step ensures that the application receives the new value as defined by the administrator.

   IntentFilter restrictionFilter = new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);
   BroadcastReceiver restrictionReciever = new BroadcastReceiver() {  
        @Override  
        public void onReceive(Context context, Intent intent) {  
             Bundle appRestrictions = restrictionsManager.getApplicationRestrictions();  
             /* 
             Fetch the values of managed application configuration from this bundle and take 
             action in your app accordingly. 
             */  
        }  
   };  

As a result of this simple refinement, after publishing the application on the corporate Google Play, you will be able to receive custom configuration from the server:

Application before and after receiving configuration from server

How can an administrator configure an application through the Knox Manage console?

To set control configurations, the administrator needs to add the application itself through Knox Manage (KM) from the corporate Google Play store, or upload it from his computer as Managed Google Play Private (then publishing to the corporate Google Play is optional). To set a new configuration:

1. In KM, open the Group tab, select the group associated with your device and click the Application button
   
2. Now select your application and click Assign
   
3. Select Android Enterprise as the Target Device. Click on the Set Configuration button.
   
4. If you did everything correctly and your application has AppConfig support, then KM will fill in the necessary parameters with values. Just enter the server address (do not forget to enter the configuration name) and click the Save button.
   
5. Press the Assign button to download the new configuration to the device.
   
6. Click OK to confirm.
   

If the application is running, and the developer has correctly implemented AppConfig support, then the application will receive the new server address specified in the KM console.

Application with the server address entered through the KM console

We configure not only applications, but also the device itself

At some point, the developers thought: what if we want to configure not only applications, but also the parameters of the device itself in a similar way? OEMConfig Is a new standard for sending configurations to applications written by device manufacturers. Sending is done using the same XML schema. Android hardware manufacturers follow this standard to give administrators more control over their device. So, on Samsung smartphones with Knox support, there is a solution – Knox Service Plugin (KSP), you can download from Google Play. But we will talk about this another time.

Outcome

• Use AppConfig to support managed configurations for your applications. It’s quite simple to implement, and most importantly, it can be really useful.
• Create a new configuration and send it to devices of a large number of users using the EMM system (in our example, Knox Manage).
• As few crutches as possible, use ready-made solutions and standard methods!

Additional resources on the topic:

• https://docs.samsungknox.com/admin/uem/km-configure-appconfig.htm
• https://docs.samsungknox.com/dev/managed-configurations/introduction-to-managed-configurations.htm
• https://developer.android.com/work/managed-configurations
• https://www.samsungknox.com/en/solutions/it-solutions/knox-manage
• https://www.appconfig.org/android/
• https://docs.samsungknox.com/admin/knox-service-plugin/welcome.htm

Author: Pavel Lepeev,
Engineer, B2B Pre / Post Sales
Business Development Team
Samsung R&D Institute Russia