Android doubts

(imported topic written by SystemAdmin)

For some days now, I’ve been trying to “play” with the MDM capabilities for Android.

As a result, I have various doubts. I’m going to post them in this thread and see if I can get any answer/tip.

I’m using Google’s Android SDK, emulating an Android 4.1.1 with command polling enabled and set to 120 secs, and Android Device Notification Service active. My mobile client is version 8.2.31495.

My TEM server is version 8.2.

  • Problem with security settings:

So far I’ve been able to lock the screen, create a list of recommended apps and send it to the mobile. Works fine.

But then I’ve tried to create some simple security rules, like requiring a password, or disabling the camera, and here comes the problem: after days and days, the rule still shows that no computer is applicable.

It’s really weird because on the Android emulator, it says “mobile client is not enforcing any policies” so it should be applicable to my new security rules… but I’m not able to get there. Any idea?

  • Another doubt I have is that I have read that since the last release authenticated enrollment has to be used. I’m using the app version “TemAgent-8.2.31495.0.apk”, and I have enrolled just by typing my TEM address. Is it OK, or should I perform any additional step?

  • Is there a way to disable/enable data roaming on the Android?? I don’t have the impression that it’s yet possible.

  • Is there a way to only enable the email account of the company?

Thank you!

(imported comment written by BenKus)

Hi Carmen,

  1. Security settings issue – The Fixlet should become relevant if: You have the supported Android version (>= “4.0” because you used the “disable camera” permission that is only supported on Android 4+) AND any one of the password or security policies is not set to what you specified. If this is not happening, then maybe the agent isn’t seeing your Fixlet. I am wondering if your polling cycle is too frequent and it might make the agent extremely slow to see new Fixlets… Can you please change your polling cycle to a higher number (like maybe 1 hour = 3600 secs)… and note that we support Google Cloud Messaging now so you don’t have to rely on a super frequent polling cycle:

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Android%20Device%20Notifier%20Service

  2. Enrollment questions – There are 3 enrollment modes depending on how you set up your system:
  • Basic – You just type in your username (no authentication).

  • Authenticated – You need your username and password and it is verified against your LDAP account.

  • “PIN Mode” – This lets a user fill out a set of custom enrollment questions and authenticates through an LDAP user in a browser and then associates the information to the device through a PIN number.

More info on all these at:

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Authenticated%20and%20Custom%20Enrollment

  3. Roaming on Android – Nope… As far as I know, it is not possible to enable/disable roaming on most Android devices today (you can on many Apple iOS devices though).

  4. Email accounts – Can you explain more of what you mean here?

Ben

(imported comment written by SystemAdmin)

Ben, thank you for the tips! :)

1- I have finally managed to create a security rule that actually is applicable to my Android :)

I don’t know why simple rules like requiring a password, or disabling a camera, don’t apply to my device. I have followed IBM’s TEM POT instructions, and it doesn’t seem to work U_U

2- I have already installed the authenticated enrollment and the SSP and everything looks good.

3- It’s a pity that data roaming cannot be disabled on an Android.

What about the NITRODESK TOUCHDOWN that IBM’s official doc refers to? Is it worth using it on MDM?? Is it possible to control more features on the Android than only with the basic MDM???

4- I was talking about only allowing email accounts like "@yourcompany.com". But it’s not important right now.

So thanks for your help Ben, it has been very useful so far, and if you or anybody else could tell me something about NitroDesk, you would make my day! ;)

(imported comment written by BenKus)

Hi Carmen,

Nitrodesk Touchdown is a 3rd party email app:

http://www.nitrodesk.com/

The reason we integrate with Nitrodesk Touchdown is that the default email app on most Android devices can’t be natively managed by an MDM app like ours…

Using Nitrodesk Touchdown + IBM Endpoint Manager for mobile devices, we provide useful functions like:

  • Ability to wipe email data on the device without wiping the whole device for Android devices that connect to Exchange (we have this functionality for Apple iOS devices and Lotus Traveler without needing Nitrodesk Touchdown).
  • Ability to configure the email app so the user doesn’t need to (exists natively on Apple iOS devices, but not on Android).

Nitrodesk also has some interesting features like the ability to disable attachments from being exported to other parts of the device.

Note that we are working with other vendors that provide email apps to do similar functionality, but we started with Nitrodesk since it is a popular and nice email app.

Hope that helps,

Ben

(imported comment written by SystemAdmin)

Very useful again Ben.

Thank you for your help!!