Posts

Android device auto enrollment / self enrollment in WSO2 EMM

WSO2 EMM provides the capability to auto enroll a device with the server. This is done through mutual SSL/TLS underneath, which is used to authenticate clients. To follow this section, the basics of mutual SSL are needed[1]. Let's see how the enrollment flow works. A user with adequate permission to enroll devices accesses the certificate section of WSO2 EMM. The user generates a certificate signed by a certificate authority and uploads this certificate via the certificate section in the EMM console. When generating the certificate, the user must make sure they provide the serial number of the device as the common name (CN) of the certificate. When uploading the certificate to EMM, the same serial number is expected to be provided as well; this is how the server later maps a presented certificate to a device. The user also embeds the generated client certificate in the Agent and compiles the Agent. Please note that each device that needs to enroll with EMM needs its own certificate embedded. As described in the basics of mutual SSL article[1], when the user starts the An...

Mutual SSL/TSL authentication

In contrast to the usual 1-way SSL, where only the client verifies the identity of the server, in mutual SSL the server also validates the identity of the client, so that both parties trust each other. This builds a system with very tight security and avoids any need for a username/password to be presented by the client, as long as the server knows which certificate belongs to which client. Let's take a look at how it all works. Before the process begins, the client's and server's certificates are stored in their respective keystores. In the case of Java these are JKS files; in WSO2 products the certificates are stored in wso2carbon.jks and client-truststore.jks on the server side, while on the Android agent side the certificates are stored in BouncyCastle keystore (BKS) files found in res/raw in the Android agent source code. These certificates are signed and issued by a certificate authority that both the client and the server trust. 1. Client tries to access a protected ...
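The two excerpts above describe one mechanism from two sides: the agent presents a client certificate whose common name is the device serial number, and the server accepts only certificates that chain to the certificate authority it trusts, then maps the CN to a device whose certificate the administrator uploaded. The Go program below is an added example written for this page; it is not WSO2 EMM or Android agent code (those are Java). It stands in for the JKS/BKS keystores with in-memory tls.Certificate values, builds a throwaway CA plus a server certificate and an agent certificate, runs one mutual TLS handshake over loopback, and shows the three outcomes a practitioner should expect: an enrolled serial, a valid certificate whose serial nobody uploaded, and a certificate from a CA the server does not trust. The hostname emm.example.internal and the serial R58M30ABCDE are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert returns a cert+key for cn: a self-signed CA when parent is nil, otherwise signed by parent.
func issueCert(cn string, sans []string, parent *tls.Certificate) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},         // for an agent cert, cn is the device serial number
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IsCA:         parent == nil, BasicConstraintsValid: parent == nil,
	}
	signer, signerKey := tmpl, any(priv) // self-signed CA unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, err
}

// buildPKI issues the demo CA, the EMM server cert, and an agent cert whose CN is the device serial.
func buildPKI(deviceSerial string) (ca, server, agent tls.Certificate, err error) {
	if ca, err = issueCert("Demo Enrollment CA", nil, nil); err == nil {
		if server, err = issueCert("emm.example.internal", []string{"emm.example.internal"}, &ca); err == nil {
			agent, err = issueCert(deviceSerial, nil, &ca)
		}
	}
	return
}

// mutualTLSEnroll runs one loopback exchange: the server demands an agent cert chained to ca, the
// agent verifies the server against the same ca, and the server then maps the cert's CN to a device.
func mutualTLSEnroll(ca, server, agent tls.Certificate, enrolled map[string]bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the TLS mutual
		ClientCAs:    pool,                           // agent certs must chain to the enrollment CA
	})
	if err != nil {
		return "", err
	}
	var serial string
	done := make(chan error, 1)
	go func() { // server side
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // chain verified; now the CN must be an uploaded serial
				if cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName; enrolled[cn] {
					serial = cn
				} else {
					err = fmt.Errorf("CN %q is not an enrolled device serial", cn)
				}
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // agent side
		Certificates: []tls.Certificate{agent}, // the certificate embedded in the agent build
		RootCAs:      pool,                      // the agent verifies the server too (the 1-way part)
		ServerName:   "emm.example.internal",
	})
	if err == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if the dial never reached the server
	if serr := <-done; err == nil {
		err = serr
	}
	return serial, err
}

func main() {
	const serial = "R58M30ABCDE" // constructed device serial number
	ca, server, agent, err := buildPKI(serial)
	if err != nil {
		panic(err)
	}
	enrolled := map[string]bool{serial: true} // what the admin uploaded via the EMM console
	fmt.Println(mutualTLSEnroll(ca, server, agent, enrolled))          // R58M30ABCDE <nil>
	fmt.Println(mutualTLSEnroll(ca, server, agent, map[string]bool{})) // "" and an error: handshake ok, CN not enrolled
	_, _, rogue, _ := buildPKI(serial)                                 // same CN, but signed by an unrelated CA
	fmt.Println(mutualTLSEnroll(ca, server, rogue, enrolled))          // "" and an error: the server rejects the chain
}
```

The third call is the case that matters for this design: a certificate with the right serial in its CN is worthless unless it chains to the CA whose certificate the server holds, so the CN lookup must only ever run after ClientAuth has verified the chain, never on a certificate the server merely received.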

Android device owner concepts

With Android 5.0, Google introduced the device owner and managed profile concepts to make Android enterprise ready. A device owner app is an application with special privileges to perform tasks such as monitoring and managing settings, along with other privileged operations. This means, in a literal sense, that ownership of the device is given to the organization managing it, which makes the device owner concept ideal for the COPE (corporate-owned, personally-enabled) scenario. Once device ownership is assigned to an app, removing it requires a factory reset of the device (unless the device owner app itself relinquishes ownership), for example in a situation where the device needs to be given to a different user. When device ownership is given to a specific app, that app gets access to a set of Android APIs that are only available to the device owner app; these APIs are not available to regular Android apps. At a given time there can be only one device owner app on a device, which prevents another device owner app from overriding the policies enforced by the first. The service...

Enroll an Android device with WSO2 EMM

If you need to quickly set up WSO2 EMM and have a look at its capabilities, the easiest device to configure and enroll is an Android device. First of all, download WSO2 EMM from here. The documentation provides all the information required for downloading the product. IMPORTANT: The following only shows the out-of-the-box experience of WSO2 EMM and is not a production-ready setup. Prior to running the server, make sure that a. you have installed Oracle Java SE (JDK/JRE) version 7 or 8, and b. both the server machine and the Android device you are enrolling are on the same WiFi network. Once you have downloaded the server, extract the zip file to a location of your choice. Now, from the command prompt, go to the location of the extracted folder; let's call this the EMM_HOME folder. Then, from the command prompt, go to the bin directory inside EMM_HOME and start the server by issuing the following command: on Windows, wso2server.bat; on Linux/Mac, sh wso2server.sh ...

An introduction to Enterprise mobility

Enterprise mobility is an essential part of an organization that needs to manage and monitor the devices that are either owned by the organization or brought into it by employees and other parties. Since the popularity of smart devices increases day by day and employees prefer to use their personal devices for official work, managing the devices that connect to an organization becomes critical. Example: EMM for a College or a University. Let's jump straight into an example to find out how an EMM is used. Imagine a college or university where the students bring in their phones or tablets. In order to use these devices inside the college without violating college rules, the administration needs a way to gain some control over these devices, so that it can manage and monitor them. Therefore, when a student brings a device, he has to enroll it with the EMM of the college. He can enroll his device with the EMM by ent...