IBM MaaS360

Lock that device down! Managing restricted profiles in mobile devices

By Eamonn O'Mahony posted 25 days ago

  

Industry and specific use cases

Our customers often ask for solutions which allow them to restrict and control the settings, apps and configurations used on devices, particularly in a number of specific use cases: 

  • Shared devices in a work setting, such as manufacturing or health care
  • Public- or consumer-facing devices, such as in retail
  • Specific use cases such as transport and distribution. 

These are broad descriptions of the industries that some of our customers find themselves in. In all of these cases, the configuration required is not an open, liberal one but a locked-down one, where the user of the device can only use a small number of features and apps. If your organisation works in one of these environments (or in another that we haven’t mentioned but where technology usage is similar), then this approach may be for you.

Locking down settings

As you probably know, MaaS360 lets you configure devices remotely, even when they are not in your hand or office, using Security Policies and Compliance Rules. You might say that Security Policies are the measures that prevent unauthorised behaviour or usage, whereas Compliance Rules correct devices where unauthorised configurations or usage have already taken place. For iOS we have App Lock, and for Android we have COSU (previously known as “Kiosk mode”). Each platform allows you to configure the device and restrict usage.

Device configurations and restrictions for iOS devices

Apple provides a number of settings so that you can configure iPhones and iPads and restrict how they are used. Combining the iOS device policy with a compliance rule gives you preventative and corrective measures respectively.

Go to Security / Policies / an iOS device policy, and under Supervised Settings you will find the App Lock page (screenshot below). Here you check the box “Configure App Lock settings” and enter the App ID of the app that you want users to see. Some points worth noting:

- This is only available for devices enrolled in Supervised Mode, which requires you to use Apple Configurator (not common any more) or the Device Enrollment Program. We will provide information for these enrollment types at the end. To check whether your existing device is enrolled in Supervised Mode, open the device home (Summary) page from the device inventory and look for the field “Device Enrollment Mode”, which should say Apple DEP or Apple Configurator. If neither is mentioned, your device is probably in Normal/Standard mode and Supervised settings will not apply, meaning you cannot configure App Lock unless you re-enroll the device into Supervised mode.

- The Apple approach permits only one (1) app in App Lock mode, meaning that if you need multiple apps available for the user, you will need to do it outside of App Lock (so the device is now usable for all installed apps).

- A number of settings are available on the App Lock configuration page in the policy, such as whether to allow device screen rotation and how to control button usage.

Device Enrollment Mode = Manual => App Lock not possible

Device Enrollment Mode = DEP or Apple Configurator => App Lock IS possible

Please remember to use some best practices for Device Policies and device testing, which we have described elsewhere. 

Device configurations and restrictions for Android devices

Google provides settings for you to configure Android phones and tablets. Combining the Android device policy with a compliance rule gives you preventative and corrective measures respectively. COSU (the new name for ‘Kiosk mode’) stands for Corporate Owned / Single Use, a specific use case devised by Google for customers to configure devices, and one which is supported by MaaS360.

Go to Security / Policies / an Android device policy, and under Supervised Settings you will find the COSU page (screenshot below). Here you check the box “Configure App Lock settings” and enter the App ID of the app that you want users to see. Some points worth noting:

- This is only available for devices enrolled in Device Owner mode (Android Enterprise). Please remember that Device Administrator mode (the old way of enrolling and configuring devices) is no longer supported by either Google or IBM. Device Owner mode (DO mode) can be configured if the device enrollment is initiated after a full device wipe, or if the device is new out of the box.

- If you want to find out the current enrollment type used on your device, go to Devices / Inventory, locate your device, and on the first page (Summary) there is a field called “Container Type”, which will specify Device Owner, Device Administrator or Profile Owner.

- COSU mode is not available for devices enrolled in either Device Administrator mode or Profile Owner mode, only for devices enrolled in Device Owner mode. Any device enrolled in a mode other than Device Owner will need a full wipe and then enrollment into Device Owner.

- Fortunately, the Google approach is a little more flexible than that of Apple: you can have multiple apps within COSU mode, and the user can have a configured ‘home page’, so you can decide which app icons the user should see.

- A number of settings are available on the COSU page in the policy, such as whether to allow device screen rotation and how to control button usage.


Device “Container Type” = Profile Owner => COSU mode not possible

Device “Container Type” = Device Administrator => COSU mode not possible

Device “Container Type” = Device Owner => COSU mode IS possible


Policy settings: you can choose from 2 options.

1.     Auto-launch a required app (one app only, similar to iOS AppLock)

2.     Show a custom home page with a number of allowed apps
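The eligibility rules above for both platforms can be checked across a whole fleet before a lock-down policy is rolled out. The following is an added example, not code from the article or from IBM: it assumes a CSV export with a hypothetical column layout (only the “Device Enrollment Mode” and “Container Type” field names and their values come from the article) and a constructed list of planned app IDs.

```python
import csv
import io

# Constructed sample rows. The column layout is an assumption for this example;
# only the "Device Enrollment Mode" and "Container Type" field names and their
# values come from the device Summary page described in the article.
SAMPLE_INVENTORY = """\
Device Name,Platform,Device Enrollment Mode,Container Type
till-ipad-01,iOS,Apple DEP,
till-ipad-02,iOS,Manual,
ward-tab-01,Android,,Device Owner
ward-tab-02,Android,,Profile Owner
van-phone-01,Android,,Device Administrator
"""

SUPERVISED_MODES = {"apple dep", "apple configurator"}


def assess(row, planned_apps):
    """Return (verdict, reason) for locking one device to planned_apps."""
    platform = row["Platform"].strip().lower()
    if platform == "ios":
        mode = row["Device Enrollment Mode"].strip().lower()
        if mode not in SUPERVISED_MODES:
            return "blocked", "re-enroll into Supervised mode (DEP or Apple Configurator)"
        if len(planned_apps) != 1:
            return "blocked", "App Lock permits exactly one app"
        return "ready", "App Lock"
    if platform == "android":
        container = row["Container Type"].strip().lower()
        if container != "device owner":
            return "blocked", "full wipe, then enroll into Device Owner mode"
        if not planned_apps:
            return "blocked", "COSU needs at least one allowed app"
        kind = "auto-launch app" if len(planned_apps) == 1 else "custom home page"
        return "ready", f"COSU ({kind})"
    return "unknown", "platform not covered by this check"


def audit(inventory_csv, planned_apps):
    """Map each device name to its (verdict, reason)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["Device Name"]: assess(r, planned_apps) for r in rows}


if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_INVENTORY, ["com.example.pos"]).items():
        print(f"{name:14} {verdict:8} {reason}")
```

Running the audit with two planned apps shows the platform difference: supervised iPads become blocked because App Lock takes a single app, while Device Owner tablets stay ready with a custom home page.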

Documentation

App Lock mode (iOS): https://www.ibm.com/docs/en/maas360?topic=device-app-lock

COSU mode (Android): https://www.ibm.com/docs/en/maas360?topic=device-cosu-corporate-owned-single-use-kiosk-mode

Comments

19 days ago

Very useful article. Thanks Eamonn!!