Hi all,

Following is a diagram of the flow and architecture of auto enrollment of the EMM agent for Android devices.

Currently, in the COPE scenario, before distributing the device to employees, the organisation doesn't have a means to enroll devices to EMM without manually typing the username and password into each device. In such a scenario, to improve the speed of enrolling a lot of devices to EMM and to minimize end-user intervention in the EMM enrollment process, the above architecture is proposed.

1. A user with appropriate privileges to enroll devices logs into the EMM console (in the above scenario a technician logs in as a tenant user) and uploads the serial numbers of the devices to be enrolled for each tenant.
2. Starts the app. In case it's BYOD, the agent app and the service app need to be downloaded by visiting a URL or side loaded (installing an app by transferring the installation file between two local devices, e.g. memory card to phone). In case of the COPE scenario, the service app and the agent app are both embedded in the operating system itself, where the app can start by itself after booting.
3. Since we are trying to send some commands to the device via adb (Android Debug Bridge), at this point the agent app will call the service app and ask it to enable USB debugging. Once enabled, the agent will notify the user to plug the device into his PC.
4. The user plugs his device into a PC where adb is installed.
5. The user will run a command line tool designed to communicate with the EMM server as well as with the device connected via adb.
6, 7. It will first execute a command and retrieve the serial number of the device.
8, 9. The command line tool will make a request to EMM, asking for a one-time token (OTT). With this request, it will be sending the user's credentials, so that the request can be authenticated. EMM will validate the user and the serial and issue an OTT.
10. When it is received, the command line tool will execute another command passing the OTT to the specific activity of the agent.
11-14. The agent will pass the OTT to the EMM server along with the serial, where it will be validated with a custom grant handler and the relevant OAuth tokens are sent back to the agent, which can be used for further communication.

Above is one of the ways to implement auto enrollment; there can be more. Any suggestions on improvements and alternatives are appreciated.

Regards,
Inosh

--
Inosh Perera
Software Engineer, WSO2 Inc.
Tel: 0785293686
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
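As an added illustration of the EMM-side part of steps 8-9 and 11-14 above (example code written for this post, not WSO2's implementation), the following models an OTT store where each token is bound to one pre-registered serial, is short-lived, is stored only as a hash, and can be redeemed exactly once by the custom grant handler. It assumes the technician's credentials have already been checked before `issue_ott()` is called; the `OttStore` class, its method names and the 300-second TTL are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time


class OttStore:
    """EMM-side one-time-token (OTT) issuance and redemption for auto enrollment.

    Assumption (not from the original post): the technician's credentials were
    already authenticated before issue_ott() is called.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self.serials = {}       # serial -> tenant (step 1: uploaded serial list)
        self.pending = {}       # sha256(token) -> (serial, tenant, expiry)

    def register_serials(self, tenant, serials):
        """Step 1: technician uploads the serials allowed to enroll for a tenant."""
        for serial in serials:
            self.serials[serial] = tenant

    def issue_ott(self, tenant, serial):
        """Steps 8-9: issue an OTT only for a serial pre-registered to this tenant."""
        if self.serials.get(serial) != tenant:
            return None
        token = secrets.token_urlsafe(32)
        # Keep only a hash: a leaked pending table yields no replayable tokens.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (serial, tenant, self.now() + self.ttl)
        return token

    def redeem(self, token, serial):
        """Steps 11-14: the grant handler's check of OTT + serial.

        Every attempt consumes the token, so a wrong serial burns it instead
        of leaving it open to retries. Returns OAuth-style tokens or None.
        """
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None:
            return None
        bound_serial, tenant, expiry = entry
        if self.now() > expiry:
            return None
        if not hmac.compare_digest(bound_serial.encode(), serial.encode()):
            return None
        return {"tenant": tenant, "serial": serial,
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}
```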
