This is the next post of a series of blogs I have written while working on a pretty innovative Line of Business use case. Like the post about Managing Public Apps Updates or Managed App Config for apps Business Developed Apps, this post is about a creative solution to clear configurations/files when employing Workspace ONE UEM's Check-In/Check-Out shared device model.
The configuration for this lives here (Clear Android App Data) and here (select App Cache Clearing).
The built-in solution for shared devices with Workspace ONE Launcher just covers App Cache. However if your user downloads a pdf (which Chrome saves to Downloads folder), and then opens it in Adobe Reader (which makes a copy and saves it to /Android/data/com.adobe.reader/files/Download/) the user 2 in the example above will be able to see these Files. This isn't app cache, this is the actual file system. Here is where we can get creative.
Here is how one could configure a Product:
(Done in Workspace ONE UEM 19.11, steps may change with future versions)
Now once you check-in (or log off) the device the Workspace ONE Launcher and Intelligent Hub will clear app data per your settings, and the Intelligent Hub will run the Product 'Install Delete Files on Check-In Action' which will delete the folders and contents you list. In my experience the list of folders/files which you will want to manually remove is dependent on the use case. Even though Launcher with its massive options to not allow access to things like Camera or File System App, I've opted to just use the File System App to see all default folders and add those to my File/Action. Better to be safe than sorry when it comes to security. Be sure to test your applications after implementing this in your development environment, as some apps do have certain expectations of folders and files.
That's all folks for 2019. It's been a slow year for Blog Posts but a very busy year in general. I hope everyone has a Happy Holidays and enjoys some time off from this crazy Mobility world we live in.
- Joe
** Edit 1 (12/26/2019) - It was pointed out that Workspace ONE Launcher clear app data uses standard Android Enterprise APIs with Android 9+. However it still works on Samsung and Zebra devices prior to Android 9 specifically as those two OEMs provide their own API for clear app data prior to Android Enterprise support.
Shared Devices
In the context of Android and Workspace ONE UEM, a shared device is a device that utilizes Workspace ONE Launcher, and a special staging user that has multi-user staging enabled. This tells Workspace ONE Launcher along with Intelligent Hub to present a logon (or Check-Out) screen post enrollment. This allows the admin to assign generic profiles to the staging user, such as applications and various restrictions to secure the device, but then allows final configuration to be assigned to real end users. Once the end user Checks-Out (or logs into) the device they could be assigned a Passcode Profile, Mobile SSO, Certificates, Personalized Lock Screen, VPN and more. When the end users Checks-In (or logs out of) the device all of that personalization is cleared.But what about the apps?
Well this is where Workspace ONE UEM leverages Android 9's Android Enterprise API to clear app storage in a programmatic manner on user Check-In (Log Off)**. This is excellent because that means the user 1 who configured their email client like Microsoft Outlook or used Chrome and signed into their social media while using the device wont need to worry about user 2. User 2 will essentially see those apps as if they were just downloaded for the first time, without the need to actually uninstall/reinstall the app. The clearing app data feature is very handy as it means the Check-Out of a device can take just a couple minutes or less. No need to wait for long app downloads.The configuration for this lives here (Clear Android App Data) and here (select App Cache Clearing).
So why am I making this post?
But what about the downloads folder or the DCIM folder?The built-in solution for shared devices with Workspace ONE Launcher just covers App Cache. However if your user downloads a pdf (which Chrome saves to Downloads folder), and then opens it in Adobe Reader (which makes a copy and saves it to /Android/data/com.adobe.reader/files/Download/) the user 2 in the example above will be able to see these Files. This isn't app cache, this is the actual file system. Here is where we can get creative.
Enter Product Provisioning
Provisioning is the ace in the whole for certain use cases within Workspace ONE UEM. It allows actions that closer align to legacy management concepts rather than the modern management techniques of just calling standard APIs (Apple MDM, Android Enterprise, Windows CSPs). In this example I am able to create a 'Product' in Provisioning, which contains a Files/Action, where we delete the folders which a user could download files to when they have the device checked-out (don't worry we automatically recreate them for user 2).Here is how one could configure a Product:
- Assignment Group for all end users
- Named Checked-Out Users
- Assignment Group for Staging user
- Named Staging User
(Done in Workspace ONE UEM 19.11, steps may change with future versions)
- Create a new Files/Action
- Navigate to Devices -> Provisioning -> Components -> Files/Actions
- Click 'Add Files/Actions'
- Select Android
- In the General Tab give it a name for instance 'DeleteFilesForSharedDevices'
- Click the Manifest Tab
- Click Add Action
- Select 'Delete Files'
- Enter a paths we want to clear (common ones below)
- /storage/emulated/0/Download/
- /storage/emulated/0/DCIM/
- Click Add Action
- Select 'Create Folder'
- Enter the paths we previously deleted to recreate the folders
- /storage/emulated/0/Download
- /storage/emulated/0/DCIM
- Click Save
- Create a new Product to assign the File/Action
- Navigate to Devices -> Provisioning -> Product List View
- Click 'Add Product'
- Select Android
- In the General Tab give it a name for instance 'Install Delete Files on Check-In Action'
- In the General Tab assign it to the Smartgroup which contains the Staging user 'Staging user'
- Click the Manifest Tab
- Click 'Add'
- Select 'Install Files/Actions' as the Action to Perform
- Select the previously created File/Action named 'DeleteFilesForSharedDevices' and click Save
- Click Save
- Create a new Product to remove the File/Action from the End User
- Navigate to Devices -> Provisioning -> Product List View
- Click 'Add Product'
- Select Android
- In the General Tab give it a name for instance 'Uninstall Delete Files on Check-In Action'
- In the General Tab assign it to the Smartgroup which contains the the end users 'Checked-Out Users'
- Click the Manifest Tab
- Click 'Add'
- Select 'Uninstall Files/Actions' as the Action to Perform
- Select the previously created File/Action named 'DeleteFilesForSharedDevices' and click Save
- Click Save
Now once you check-in (or log off) the device the Workspace ONE Launcher and Intelligent Hub will clear app data per your settings, and the Intelligent Hub will run the Product 'Install Delete Files on Check-In Action' which will delete the folders and contents you list. In my experience the list of folders/files which you will want to manually remove is dependent on the use case. Even though Launcher with its massive options to not allow access to things like Camera or File System App, I've opted to just use the File System App to see all default folders and add those to my File/Action. Better to be safe than sorry when it comes to security. Be sure to test your applications after implementing this in your development environment, as some apps do have certain expectations of folders and files.
That's all folks for 2019. It's been a slow year for Blog Posts but a very busy year in general. I hope everyone has a Happy Holidays and enjoys some time off from this crazy Mobility world we live in.
- Joe
** Edit 1 (12/26/2019) - It was pointed out that Workspace ONE Launcher clear app data uses standard Android Enterprise APIs with Android 9+. However it still works on Samsung and Zebra devices prior to Android 9 specifically as those two OEMs provide their own API for clear app data prior to Android Enterprise support.
This comment has been removed by the author.
ReplyDelete