Hi All
my new employer has a BYOD policy but insists on using Airwatch MDM to access any of the tools I need (email, files, calendar).
I have obvious concerns over giving work access to my personal information on my phone. So .... can I use an additional profile on my phone to segregate my personal data from my work data.
i.e. switch to a "work profile" when I need to access my work tools via MDM.
The real question here is do guest and additional profiles on android keep your personal (main account) details completely seperate from Airwatch.
Thanks in advance.
That depends on the device and set-up of Airwatch - in the BYOD environment most companies use the container which separates enterprise apps (emails and etc) from your stuff. The tricky part is the location services, but most BYOD don't use or enable this - if they did they'd have to tell you and it will be in the T&C's
The polices are set out on AW at the start, I you have a vision that MDM admins sit there looking at you internet history then your sadly wrong, you cant do this on any MDM yet.
I just checked and you can't even see the apps you've installed.
Depending on the enrollment (agentless or not) you can absolutely see installed apps. Regarding seperated work/private they should be able to use Knox if Samsung devices is used.
Related
I've been debating configuring my personal phone to access my employer's Exchange server; I would be checking it on occasion-- more of a convenience thing to know what's up before I head in for the day.
Using the default Android Mail client and choosing ActiveSync and doing the setup, I inevitably reach a screen with the following:
Activate security policies?
Exchange security policies
Your IT administrator requires that you activate these security policies in order to sync with your Exchange Server.
Activating this administrator will allow the application Mail to perform the following operations:
! Erase all data
Perform a factory reset, which deletes all of your data without any confirmation.
! Set password rules
Restrict the types of passwords that you are allowed to use.
! Monitor screen-unlock attempts
Monitor failed attempts to log into your device.
! Lock the screen
Control when your device locks, requiring that you re-enter your password.
! Device function limitation
Restrict some function on device like Wifi, Bluetooth, Camera etc.
Click to expand...
Click to collapse
Needless to say, this is highly unappealing for my personal phone-- way too much power for the Mail application.
So my questions-- what are my options?
-would a different Exchange connectivity application like Touchdown request those same permissions for access?
-would I be better off setting up ActiveSync on an alternate ROM and booting into that when I want to check work mail (not as frequently as some other users)?
-How far does that remote wipe control extend? Could they wipe the entire phone, including bootloader? Or is it just reference to internal storage? Could they wipe the external SD card?
-is there a way to revoke those permissions from the Mail application while retaining the ability to connect to the Exchange server?
try this:
http://forum.xda-developers.com/showpost.php?p=14577188
Thanks for that! I checked it out and unfortunately, HTC uses a different email program which is incompatible with rustamabd 's script. When there are daily driver AOSP ROMs avail for my phone, I'll try it out.
My wife has a RAZR MAXX. Her company is transitioning their corporate email from Groupwise (I'm amazed they are still on it) to Google for Business.
They currently allow the use of BYOD for email access. She has been using Touchdown to access their Groupwise infrastructure. Before allowing access to the new email system, they are requiring the installation of Google's Device Policy App.
Is anyone here familiar with it? We're very interested in it's capabilities prior to allowing it on her phone. If we decide it's too intrusive, she will opt out of the email access.
I understand it has remote wipe, of email, or the entire system and that it can enforce a device lock timeout and PIN. Those are fairly standard.
What I'm more concerned with is the other capabilities that I've heard about. I've read where it can apparently use the camera to take pictures. It can also report on the phone's movements. Can anyone confirm this? And if so, is this something that the admins will have a console for that's supplied by Google, or is it something a third-party application is used for? Are there any indications of things such as this being activated remotely? Are there any ways to limit what it can do? Are there ways on the phone to determine what the specific active policy contains, and also receive notification if the policy was to change?
Any other info regarding this would be very much appreciated.
Thanks.
I don't have a lot of answers for you, and would actually like answers to a lot of the same questions.
What I do have to offer is that my school Exchange server requires me to grant it similar access. I've never had an issue related to it. It is a bit unnerving to connect to the email server for the first time and allow it to wipe the device, take photos, activate location services...
How they make use of this access? I'm not sure.
Personally, I've never heard anything about it other than the initial granting of access, and to my knowledge they have never made use of the privileges. So if they have used it, there have been no alerts to it, but I strongly doubt they have.
But at any rate, when I accepted the policy it very specifically outlined what it requests, and allows you to accept or deny. At least in the implementation I used.
I am looking for a firewall that allows setting rules for individual apps, for example allow an application to connect to https://docs.google.com/* and nothing else. The firewalls I've tested so far (like avast! Mobile Security) only allow the selected application to connect or not, but not filtering by url, domain, ip or such.
The only firewall I've heard of is WhisperMonitor, and is not public yet. Furthermore, it is supposed to require device encryption.
Any other options available right now?
As far as I know, Avast has no plans to improve such features on their avast! mobile security. It will remain the way it is.
I'm building an Android application which will allow my sales team to quote projects and I want it to work while they're in remote areas, which means it will download price changes when they get into service areas and also upload any quotes they have done. Since it needs to work offline, I need to authenticate the user login but I'm hesitant to be authenticating them against the database stored locally on the device. Is there a proper way of doing this? I can't authenticate remotely because it has to work offline. Is the local NoSQL database secure? Should I not worry too much about it and just make sure they're authenticated remotely prior to the synchronization when a connection becomes available? Thanks a lot.
I need to run an app in Genymotion that is used for data entry and upload of the entered data into 3rd party sites. The logins to 3rd party sites are stored in this application (probably encrypted). The application will store multiple logins for my different customers of who need to have the data uploaded into the 3rd party sites. The data into the app will then be entered by other people to whom I outsource the data entry.
So I created Genymotion appliance, installed the app and in this application I entered logins for sites such as ebay. I am looking for suggestions on what can I do to secure the appliance to prevent the data being copied out from it.
I want to prevent the person to whom I outsource data entry to be able to install and load 3rd party other apps, modify system settings, install other apps, copy the system directory, copy the login and password information saved by the application.
Let's assume the worst possible case here when application is well written but the passwords mentioned above (for the ecommerce sites like ebay) is saved in plain text in this application in the internal application directory. What I know about the application is it doesn't support access to SD Card, only can read and write data to the internal memory.
What can I do in Gennymotion to improve the security of my appliance. Genymotion virtual machines are rooted. So I looked at following suggestions:
1. Setup restricted user on Android
2. Set restriction for the restricted user to only be able to use the one application. Disable anything else (including disabled browser, email, youtube etc..)
3. Try to get the restricted user loading on boot of Android. When Android restarts, however, it doesn't allow choice to login into the restricted user or the admin user, sort of like a Windows or MacOS login menu. To get the appliance to always start with restricted user by default, I need to add a script and the scripted will need to start using Tasker or MacroDroid.
However, how do I prevent the user from installing 3rd party apps? Is it good enough to disable all user apps (except that one used for data entry) from the restricted user? Is there any other way the user could abuse the access to the virtual appliance and load something there? Are there any system android apps I need to disable for the restricted user to prevent the user to be able to do anything bad with it?
The application used for data entry can not download any application or data, however, I believe it does use the webview because it loads sites like ebay and fills the forms on those sites. It only interacts with select websites only like Ebay to enter data into Ebay forms..
Is there anything I can do to secure Genymotion appliance any other than what I already mentioned. I would like to send the link to the Genymotion SaaS Android to people who will do data entry for me into Ebay and other sites. So I need to make sure the virtual appliance is secured as much as possible from tinkering with it. I need to make sure somebody doesn't get hand on the stored login details.
Just to clarify for the login credentials:
I am not sure how the user credentials are stored and I will find it out, however, for now, I go from the worst case scenario when the credentials are stored in plain text in the app settings. The user name and password is stored in the application with exception for Ebay because the many other sites do not have API key or any webservices interface, so the application would access those sites simply via a webview, and when it goes to login there it will do that by filling in the login information on the login form (simulates keystrokes). The user name and password is entered into the login form for the site. That's why the login info is stored in the application itself.
This question is not about how to secure the specific application I will be using, but how to secure the actual whole Android appliance from tinkering with.
I am aware I will the risks here, just want to do as much due diligence as I can.
Sources for Genymotion restricted user..
How to set restricted user as default user on reboot?
We would like to have an already added restricted user account be the default when we restart our Samsung SM-T580 tablets. At current we have 2 accounts installed, Admin and User The User is a use...
android.stackexchange.com
Root access - Device image User Guide
docs.genymotion.com
Done some digging so this cannot be done. Neither Genymobile or Appetize or other online Android emulators can offer fine-tuning in terms of user access. The closest is Genymobile because at least allows adding and removing access of users to individual appliances. That is however not resolving the issue with Android and in particular rooted Android, since all online emulators run rooted Android and I am not sure how that is secured against potentially malicious actors who receive access link.
The only easy way to solve it, kind of in a mickey-mousy way is to install Kiosk mode application. That kiosk app will run at every boot and it only shows the specific application. There is always risk of course the malicious user would do something to crash the application and the Kiosk app, but if the application is not a web browser or email client or similar it should be relatively safe.
There are plenty of Kiosk mode apps for Android but none of them is free (don't try to look, no chance to find one), the cheapest cost about 7 USD one-time purchase, the more expensive ones cost 20 per month per device or more and come with remote control etc... Not cheap but kiosk mode apps are almost exlusively used by businesses so that's why there is lack of free apps.
Anyhow I believe this is the closest as I could get to deal with this.