IBM MaaS360


Android Enterprise DO - Allow GMail account restricting Google Play use

  • 1.  Android Enterprise DO - Allow GMail account restricting Google Play use

    Posted Tue November 17, 2020 03:44 PM
    Edited by Paolo Sanesi Tue November 24, 2020 05:31 AM
    Hi All,

    On Android Enterprise devices enrolled in DO mode I am trying to set up this use case:
    • Allow the end user to add a GMail account.
    • Distribute corporate required apps via Managed Google Play
    • Inhibit Play Store for personal usage
    I enabled "Allow modification of accounts" in policy to allow addition of GMail account.
    The drawback is that the end user is also able to install personal apps from Play Store.
    To avoid this I tried to disable "Allow installation of apps" but this also inhibits MaaS360 apps distribution.

    Do you have any idea about how to achieve the results?

    I'm coming to the conclusion that my only option is to distribute the app via MaaS360 App Catalog and to disable "Allow installation of apps". This is not an option. As I realized, this also disables app distribution via MaaS360 App Catalog.

    Thanks for any suggestion

    ------------------------------
    Paolo Sanesi
    ------------------------------


  • 2.  RE: Android Enterprise DO - Allow GMail account restricting Google Play use

    Posted Wed November 18, 2020 03:43 AM

    Hi,

    Firstly, are you using COSU KIOSK mode on your devices? My devices are locked down in COSU KIOSK mode and this works really well (enable admin bypass if you want to alter settings etc. when you have it in front of you). I have a managed Google Play Store and the end user can only install the required app if you allow this; I set our apps to auto install. I whitelist the app in App Compliance under the Android Enterprise settings within the policy and then also add the app ID to COSU KIOSK launcher to make it available. My users do not have access to any other app and they cannot search for apps that have not been approved by you.

    Gmail is OK but anyone can reset the password even if they do not know it. I use the native email app, set the account up and once that is done they cannot change the server settings or see the password as I have the settings locked down (I use another policy to unlock the settings when I need to make changes and then change it back).

    No need to disable 'Installation of apps' as the user cannot gain access to anything other than what you approve and you need apps to install and update if you have approved this.

    Steve.

  • 3.  RE: Android Enterprise DO - Allow GMail account restricting Google Play use

    Posted Wed November 18, 2020 05:37 AM
    Hi,

    Indeed we are looking for an alternative to COSU mode.
    The scenario I exposed applies only to Samsung tablets that, under AE with COSU, evidence some drawbacks not accepted by the client.
    With COSU enabled, exactly as in your scenario, we have these problems:
    • Access to Quick Settings Panel, when in COSU mode, randomly freezes the display. We opened a ticket for this that IBM passed to Samsung. Samsung stated that it is a bug and will be corrected, but without an availability date.
    • Samsung SAFE framework, under COSU, interacts with the "Open With" prompt. If we try to open an attachment from GMail, supported by more than one app (e.g. two PDF readers), it will not be opened. SAFE intercepts the fork of "Open With" as an attempt to open another app, not allowed in COSU, and stops the "Open With" prompt. The customer cannot accept workarounds like leaving only a single app per attachment type. Whitelisting of system processes calling "Open With" had no success.
    About GMail, we enroll the devices with afw#maas360 DO activation mode and this creates a managed account that the end user cannot manage.
    Then we let the end user add a GMail account with his corporate email, so it is right for them to have the possibility to change their own password.
    Unfortunately, while MaaS360 drives app distributions through the Google managed account, the end user can also search and install from Play Store with their own account.

    As you highlighted, COSU mode allows selectively enabling GMail (and not Play Store) on the Launcher. This would be the perfect combination but due to the behaviors above we are looking for alternative approaches. Ideally we would need Play Store added to the "System Apps to be whitelisted" section in AE policy. I also tried to disable Play Store by adding "com.android.vending" to the apps to be disabled but without success.

    Thanks for your feedback, I hope to have provided a more complete description of the environment.

    Paolo


    ------------------------------
    Paolo Sanesi
    ------------------------------