29 Mar 2019

Knox Code Bytes: Control apps on devices

By Josh (Programmer Writer)

Welcome to the second “Knox Code Bytes” blog post. Throughout this series, we walk you through some of our most popular API calls. It is also meant for those who are new to the SDK, have not used all the APIs yet, or want to improve their understanding of the Knox security platform.

This blog describes common ways to control app settings and properties on devices so that you can enforce a stronger and more secure mobile platform for your company.

 

Prerequisites

This tutorial assumes you have a basic understanding of Android Studio and have already set up the Knox SDK to call Knox APIs: installed the Knox SDK, set up device admin, and licensed the Knox SDK.

 

What will we discuss in this blog post?

 

Code setup

Open the Android Studio project where you intend to implement these security features on your mobile app. Create a method that performs your intended tasks. Give it a descriptive name, such as controlAppsOnDevices. Your main UI elements can then call this method, for example, through its onClick() method when the user clicks a button or through calling it from your mainActivity.

When writing this method, start with the following two API calls:

// Create an instance of a device manager that contains API methods for granular device control
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(this);

// Create the object to administer and control app package settings on a Samsung device such as adding to a blacklist and managing installation
ApplicationPolicy appPolicy = edm.getApplicationPolicy();

Next, in the AndroidManifest.xml file, request the following permissions, which have signature-level protection, to use the APIs:

<uses-permission android:name="com.samsung.android.knox.permission.KNOX_APP_MGMT" />
<uses-permission android:name="com.samsung.android.knox.permission.KNOX_RESTRICTION_MGMT" />

 

 

Common app control tasks

After writing the first two API calls and requesting the Knox Restriction permissions in your manifest file, you can use any of the following six code snippets. These six features do not require a paid license to manage, meaning you can use them to secure your device for free.

 

Retrieve all blacklisted app package names

public List<AppControlInfo> getAppPackageNamesAllBlackLists()

You may find some mobile apps and app packages to be unacceptable, untrustworthy, and unsafe to use either for yourself or for your company. This API method returns a list of these blacklisted package names that you can use to either restrict access to these apps or warn your device user to stop them from installing that app.

To implement this call in your controlAppsOnDevices method, type:
List<AppControlInfo> appList = appPolicy.getAppPackageNamesAllBlackLists();

 

Disable the install feature for an app

public void setApplicationInstallationDisabled (String packageName)

In addition to retrieving blacklisted package names, this API call lets you silently disable the install feature for an app package by adding it to a blacklist. Disable the install feature to prevent the device user from installing that app through Google Play, side-loading, or any other way. This API is especially useful to disable the installation of malware or unauthorized app packages forbidden by enterprises.

To implement this call in your method, type:
appPolicy.setApplicationInstallationDisabled("com.test.app");

 

Disable an app

public boolean setDisableApplication (String packageName)

You can also disable an app package by using this API call. This API call does not uninstall the app, but restricts the device user from using it.

If the disabled app package is uninstalled and then re-installed, the app is enabled again. To avoid this use case, the IT admin can disable the app package and prevent re-installation using setApplicationInstallationDisabled(String).

Note: You cannot disable an admin app. For example, disabling the Settings application package causes a boot conflict.

To implement this call in your method, type:
appPolicy.setDisableApplication("com.test.app");

 

Enable or disable a list of apps

public String[] setApplicationStateList (String[] pkgList, boolean state)

Use this API call to either enable or disable multiple app packages at once.

  • true = all package names are enabled
  • false = all package names are disabled

A common example of using this API is disabling all blacklisted app package names returned by appPolicy.getAppPackageNamesAllBlackLists().

This task is a long-running operation and should be called from a worker thread rather than the main UI thread, which ensures the best UI performance. You can use AsyncTask or Handler to communicate with the main UI thread.

To implement this call in your method, type:
String[] pkgList = appPolicy.setApplicationStateList(new String[] { "com.test.app", "com.android.test" }, false);
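
The common case described above, disabling every blacklisted package from a worker thread, as an added example that is not part of the original post or the Knox SDK samples. The class name BlacklistEnforcer is hypothetical, and the code assumes that AppControlInfo exposes its package names in a public entries list and that setApplicationStateList returns the packages whose state actually changed.

```java
import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.AppControlInfo;
import com.samsung.android.knox.application.ApplicationPolicy;

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical helper class; not part of the Knox SDK.
public class BlacklistEnforcer {
    private static final String TAG = "BlacklistEnforcer";
    private final ExecutorService worker = Executors.newSingleThreadExecutor();

    public void disableBlacklistedApps(Context context) {
        final ApplicationPolicy appPolicy =
                EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();
        // Long-running call: keep it off the main UI thread.
        worker.execute(() -> {
            try {
                List<AppControlInfo> lists = appPolicy.getAppPackageNamesAllBlackLists();
                Set<String> packages = new LinkedHashSet<>();
                if (lists != null) {
                    for (AppControlInfo info : lists) {
                        // Assumption: entries holds the package names set by one admin.
                        if (info != null && info.entries != null) packages.addAll(info.entries);
                    }
                }
                if (packages.isEmpty()) return;
                String[] requested = packages.toArray(new String[0]);
                String[] changed = appPolicy.setApplicationStateList(requested, false);
                // Assumption: the return value lists the packages whose state changed.
                Set<String> failed = new LinkedHashSet<>(packages);
                if (changed != null) failed.removeAll(Arrays.asList(changed));
                for (String pkg : failed) Log.w(TAG, "Not disabled: " + pkg);
            } catch (SecurityException e) {
                Log.w(TAG, "Missing KNOX_APP_MGMT permission or license", e);
            }
        });
    }
}
```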

 

Enable the uninstall feature for an app

public void setApplicationUninstallationEnabled (String packageName)

Your device user may not be able to uninstall an app package from their phone because their company requires it. If you think that package is not necessary on your company phone – for example, apps in their personal space – this API call lets you enable the uninstall feature.

For example, you can allow a device user to uninstall the default mailing app if they prefer using Outlook instead.

To implement this call in your method, type:
appPolicy.setApplicationUninstallationEnabled("com.test.app");

 

Allow or disallow non-Google Play apps

public boolean setAllowNonMarketApps (boolean allow)

Some companies have in-house apps that are not available on Google Play or apps that are only available as an open source implementation. For example, you might want to install an in-house mobile tracking app, an in-house MDM app, or provide access to Amazon’s app store.

This API call lets you either allow or disallow installation of non-market apps for your device users. If set to false, installation of non-Google-Play apps is disabled and the user cannot access the UI until the admin enables access again. If set to true, UI access to enabling installation of non-Google-Play apps is enabled. Enabling UI access does not enable the actual functionality.

To implement this call in your method, type:
RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();
restrictionPolicy.setAllowNonMarketApps(false);

 

 

Putting it all together

The following is an example of how you would write the controlAppsOnDevices method for all six app control features. Although this snippet works as-is, consider customizing it to ensure a better fit with your particular requirements and specifications for securing the different hardware features.

The best practice is to wrap API calls in a try-catch block to log any errors that might occur. If you want some examples of these code blocks, refer to the API reference sections that are linked in the sample code.

// Log tag used by the method below; declare it once in the enclosing class
private static final String TAG = "ControlApps";

private void controlAppsOnDevices() {

     EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(this);
     ApplicationPolicy appPolicy = edm.getApplicationPolicy();

     // Retrieve all blacklisted app package names
     try {
          List<AppControlInfo> appList = appPolicy.getAppPackageNamesAllBlackLists();
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

     // Disable the install feature for an app
     try {
          appPolicy.setApplicationInstallationDisabled("com.test.app");
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

     // Disable an app
     try {
          appPolicy.setDisableApplication("com.test.app");
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

     // Enable or disable a list of apps
     try {
          String[] pkgList = appPolicy.setApplicationStateList(new String[] {"com.test.app", "com.android.test"}, false);
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

     // Enable the uninstall feature for an app
     try {
          appPolicy.setApplicationUninstallationEnabled("com.test.app");
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

     // Allow or disallow non-Google Play apps
     RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();

     try {
          restrictionPolicy.setAllowNonMarketApps(false);
     } catch (SecurityException e) {
          Log.w(TAG, "SecurityException: " + e);
     }

}

 

 

Next steps

 

Knox Code Bytes 2019 blog series

Check our SEAP blog site every month for new posts on commonly used API calls in the Knox SDK. This blog series runs from February to August 2019.