Device Management Policy Merging for WSO2 EMM and IoTS

WSO2 EMM is an open source Mobility Manager: a device management server that can be used to control Android, iOS and Windows devices. Management policies can be assigned to devices based on the device type, user and roles.

WSO2 EMM is one of the best open-source Enterprise Mobility Managers, with many more features. It supports the Android, iOS and Windows platforms and the BYOD and COPE device types. WSO2 EMM includes two key aspects:

  1. Mobile Device Management (MDM)
  2. Mobile Application Management (MAM).

Basically, EMM enables organizations to secure, manage and monitor powered devices (e.g., smartphones, iPod touch devices, and tablet PCs) using Policies and different types of Operations.

Working With Policies

A policy is a set of configurations. It can be assigned to a device based on the device type, roles and users. WSO2 EMM policies are enforced on EMM users’ devices, based on the policy hierarchy, when new users register with EMM and also when a policy is edited. The EMM policy functions vary based on the mobile OS type (i.e., iOS or Android) of the device.

Policies make sure that the devices that belong to a user comply with the corporate rules and regulations. A policy maximizes control of the devices and reduces the risk to corporate data. If a device does not comply with a given policy, the server will be notified of this and corrective action, such as re-enforcing the same policy, will be taken. A policy may include restrictions, such as camera disabled, and configurations, such as VPN or Wi-Fi. This new feature helps merge discrete policies together and get a composite effective policy.

Problem Of Existing Policy Management 

The existing CDMF device management policy enforcement implementation in EMM/IOT supports applying only one policy to a device, chosen by an administrator-defined priority order.
For instance, assume a case where two policies (mentioned below) are supposed to be applied to managed devices.

[1] Policy A :
Assigned Criteria – All android devices
Configured Features – Wifi, Camera disable
[2] Policy B :
Assigned Criteria – All android, BYOD devices
Configured Features – VPN
[3] Policy C :
Assigned Criteria – All android devices used by Managers
Configured Features – Camera enable

The following picture depicts how these three policies would affect four sets of devices.

[1] Android, COPE devices not used by managers – Only policy A would be applicable.
[2] Android, BYOD devices not used by managers – Both policy A and B would be applicable.
[3] Android, COPE devices used by managers – Both policy A and C would be applicable.
[4] Android, BYOD devices used by managers – Policies A, B, and C would be applicable at the same time.

In situation [1], only one policy is applicable, Policy A, which can be applied directly to that set of devices. In situation [2], since there are no conflicts between the configurations of policies A and B, we can either apply the two policies separately to that set of devices or apply one merged policy that combines the configurations of both A and B. Since keeping one effective policy per device is easier to maintain, policy merging is the ideal approach here. Even in situations [3] and [4], since policies A and C have feature-wise configuration conflicts, applying the policies separately is not practical; resolving the conflicts and merging all resolved feature configurations into one effective merged policy is the ideal approach.

Solution: Device Management Policy Merging

So, this new feature helps merge discrete policies together and get a composite effective policy without any conflicts. It should be enhanced further to be able to merge several such discrete policies together (i.e. camera disabled, wifi disabled) and enforce a composite effective policy upon managed devices.

A conflict does not mean that multiple policies are applicable to the same set of devices; it means that multiple policies applicable to the same set of devices configure the same feature differently. For example, the different camera configurations of policy A (disable Camera) and policy B (enable Camera), both applicable to Android devices.

To resolve this conflict, we use the existing policy-level priority model. Priorities are user-defined, and if policy B holds a higher priority than policy A, then the camera configuration of policy B (enable Camera) becomes the effective camera configuration of the recognized devices.

(policy priority order)
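
The merge described above, sketched in Python as an added example (not code from carbon-device-mgt). The policy contents follow policies A, B and C from the problem section; the priority numbers (1 = highest), the feature values, the single `role` attribute and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    priority: int    # assumption: 1 is the highest priority
    criteria: dict   # device attributes that must all match
    features: dict   # feature code -> configuration

# Policies A, B, C from the article; priorities and values are constructed.
POLICIES = [
    Policy("A", 3, {"platform": "android"},
           {"WIFI": "corp-ssid", "CAMERA": "disabled"}),
    Policy("B", 2, {"platform": "android", "ownership": "BYOD"},
           {"VPN": "corp-vpn"}),
    Policy("C", 1, {"platform": "android", "role": "manager"},
           {"CAMERA": "enabled"}),
]

def applicable(device, policies):
    """Policies whose every assignment criterion matches the device."""
    return [p for p in policies
            if all(device.get(k) == v for k, v in p.criteria.items())]

def merge(device, policies=POLICIES):
    """Return (effective, overridden) for one device.

    effective:  feature -> (configuration, name of the winning policy)
    overridden: feature -> names of lower-priority policies that lost
    """
    effective, overridden = {}, {}
    # Walk from highest to lowest priority: the first policy to
    # configure a feature wins; later differing values are conflicts.
    for p in sorted(applicable(device, policies), key=lambda p: p.priority):
        for feature, config in p.features.items():
            if feature not in effective:
                effective[feature] = (config, p.name)
            elif effective[feature][0] != config:
                overridden.setdefault(feature, []).append(p.name)
    return effective, overridden

if __name__ == "__main__":
    # Situation [4]: Android, BYOD device used by a manager.
    device = {"platform": "android", "ownership": "BYOD", "role": "manager"}
    effective, overridden = merge(device)
    for feature, (config, source) in sorted(effective.items()):
        print(f"{feature:7} {config:10} from policy {source}")
    print("overridden:", overridden)
```

The `overridden` map is worth reviewing whenever priorities change: it shows which restrictions, such as a disabled camera, a higher-priority policy has relaxed on a given class of device.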

Configure Device Management Policy Merging Feature 

To enable this feature, change the PolicyEvaluationPoint configuration in the cdm-config.xml file: set it to the “Merged” state instead of the “Simple” configuration state.


Implementation

Merged PRs in EMM repos:

carbon-device-mgt
carbon-device-mgt-plugins
product-iots

One Comment

  1. Yesin says:

    Nice!
