IBM Security MaaS360

Overview:

With the increasing adoption of kiosk mode on Android devices, businesses are frequently placing their devices in a lock-down mode where end users do not have access to general settings. This is especially prevalent in COSU(Corporate-Owned, Single-Use) environments, where devices are restricted to a single app or a set of specific functionalities. However, essential settings like Biometrics, Password, and NFC are crucial for day-to-day operations.

In response to this need, IBM MaaS360 has introduced a feature that allows administrators to add custom buttons to launch specific parts of the settings app. This feature eliminates the need to whitelist the entire settings app and display its icon in the Kiosk Launcher. Furthermore, it provides the capability to launch specific screens in other apps without whitelisting those apps in the kiosk policy. For instance, the biometric enrollment screen can be launched from the kiosk without enabling the full Settings app in the kiosk policy.

Recent Updates in Version 8.60:

New Policy: Show Settings Provided by Device Manufacturers

Under the COSU policy a new section "Kiosk Device Settings", a new policy "Show settings provided by device manufacturers" has been added.

The newly added policy enables the Android custom intent feature, allowing you to preconfigure settings and create custom workflows and buttons to launch specific parts of the Settings app on an Android device in Kiosk mode.

The following specific settings can be enabled/disabled under this policy:

• Accessibility settings: Ensure inclusive kiosk experiences by catering to a wider range of users with features like font size adjustment and screen readers.
• Biometrics and passcode settings: Balance security and convenience by enabling fingerprint unlock for faster access while maintaining strong passcode requirements for kiosk devices.
• Bluetooth Settings: Streamline workflows in specific environments by allowing controlled Bluetooth pairing with approved devices (e.g., medical equipment in healthcare settings).
• Location settings: Optimize location-based functionalities for kiosk tasks by enabling location services only for authorized apps (e.g., finding nearby facilities for delivery personnel).
• NFC Settings: Foster secure user interactions in specific use cases by enabling NFC for controlled functions like contactless printing or secure data transfer between devices.

 

The example above demonstrates how preconfigured settings can be enabled through COSU device settings policies in the MaaS360 portal. It shows where these settings will appear on a COSU-enabled device under Device Settings > Device Settings - System.

Adding Custom Launch Items:

Another significant addition is the policy "Add custom launch item". This policy enables admins to add custom launch items using the Android custom intent feature. Admins can specify any settings or applications using JSON code.

Note: While most device manufacturers restrict navigation within the Settings app when using this policy, there's a slight possibility that some settings on specific devices might be accessible. However, in most cases, only the whitelisted settings will function as intended.

Multiple custom launch items can be added, and each item includes the following fields:

• Item location on device: Admins can choose whether it is a "Settings" app intent or "Other Shortcuts".
• Item name: Admins can enter the key-value pair where the key represents the locale for the item name display and the value represents the item name. The item name can be added in multiple locales.
• Item description: Admins can enter the key-value pair where the key represents the locale for the item description display and the value represents the item description. The item description can be added in multiple locales.
• Custom intent: JSON code needs to be entered here for the Android custom intent.

 

The example above demonstrates how to configure Custom Launch Items in kiosk mode (also known as COSU) to create shortcuts for specific settings.

Here are some common scenarios where custom intents can be used in COSU mode:

Custom Intent Scenarios	Example Custom Intent (JSON)	Behavior
Dial a Number	{ "action": "android.intent.action.DIAL", "data": "tel:911" }	Opens the dialer with the number "911" pre-filled.
Open a Specific App	{ "action": "android.intent.action.MAIN", "packageName": "com.mycompany.mypackage", "categories": [ "android.intent.category.LAUNCHER" ] }	Opens the specified app.
Open NFC Settings	{ "action": "android.settings.NFC_SETTINGS" }	Opens NFC Settings.
Send Email using Gmail	{ "action": "android.intent.action.SENDTO", "packageName": "com.google.android.gm", "data": "mailto:abc@company.com?subject=The%20subject%20of%20the%20mail&body=The%20body%20of%20the%20email" }	Opens a new email in Gmail with recipient, subject, and body pre-filled.
Send Email using Secure Mail	{ "action": "android.intent.action.SENDTO", "packageName": "com.fiberlink.maas360.android.pim", "extras": [ { "type": "stringArray", "name": "android.intent.extra.EMAIL", "value": ["abc@company.com"] }, { "type": "string", "name": "android.intent.extra.SUBJECT", "value": "Email Subject Goes Here" }, { "type": "string", "name": "android.intent.extra.TEXT", "value": "Email Body Goes Here" } ] }	Opens a new email in Secure Mail with recipient, subject, and body pre-filled.
View a Website in Browser	{ "action": "android.intent.action.VIEW", "data": "https://www.google.com", "categories": [ "android.intent.category.BROWSABLE" ] }	Opens the specified URL in the web browser.
View a Website in Firefox	{ "action": "android.intent.action.VIEW", "data": "https://www.google.com", "packageName": "org.mozilla.firefox" }	Opens the specified URL in Firefox.
View Contacts List	{ "action": "android.intent.action.VIEW", "data": "content://contacts/people/" }	Opens the device's contacts list.

Conclusion:

The new features in IBM MaaS360's version 8.60 empower administrators with enhanced control over kiosk mode settings. By utilizing custom intents, admins can streamline access to essential device settings and specific app screens without compromising the security and integrity of the kiosk environment. This balance between usability and security is crucial for maintaining effective and efficient kiosk operations in a COSU environment.

For a comprehensive reference on MaaS360 kiosk mode management and COSU policies, refer to the official IBM MaaS360 documentation: IBM MaaS360 Kiosk Mode Documentation. This documentation provides detailed explanations, configuration steps, and best practices for leveraging these functionalities effectively.