Hi Milan,

With Kiosk mode you can pin to a single task (ideally single app) and
restrict all the other stuff from the user. Usually the requirement with
firewall would be simply to restrict some apps from using it (cutting down
the internet means basically blacklisting equivalent). With our app
blacklisting feature, the user can simply get it done. But if we think further,
firewall can be mostly usable only in COPE mode. In that case most
organizations need to give access only to a certain app which they would
allow the end user to use. We can achieve that in Kiosk mode cleanly. Kiosk
mode will enable us to enable a certain app in a certain time interval
disabling all other apps from usage.

Anyway we should have a detailed discussion on this and come to a
conclusion on the way that we can provide a clean solution for this. IMO in
the above-described VPN firewall mechanism, we should provide the app package
names to be restricted which seems to have some usability concerns. Because
in case we add firewall rules to multiple devices, it should be hard to
achieve.

Thanks

On Tue, Mar 22, 2016 at 7:20 PM, Milan Perera <[email protected]> wrote:

> Hi Kasun,
>
> I would also agree with the fact that we should drop option 2 and the most
> convenient way of doing it is to create VPN interface in the device and
> filter network traffic.
> However, I cannot understand how the "Kiosk mode" would help to do the
> $subject. Would you please explain it a bit further?
>
> Thanks,
>
> On Tue, Mar 22, 2016 at 1:05 PM, Kasun Dananjaya Delgolla <[email protected]
> > wrote:
>
>> Hi All,
>>
>> In mobile operating systems, what we can do to do $subject is blocking
>> applications by accessing device network.
>>
>> I have been working on the $subject and was able to do a 2 way
>> implementation using following approaches.
>>
>> 1. Creating a local VPN and blocking apps from using device mobile data
>> and WIFI connections.
>> 2. Using IPTables to create firewall rules (this requires ROOT access and is
>> not recommendable in off-the-shelf devices). (Creating IPTable records
>> requires the "su" command via android shell.)
>>
>> From the above 2 approaches, if we take EMM theories into consideration, we
>> will have to drop option 2 because it compromises access. So we are left
>> with option 1.
>>
>> While discussing, we thought that enabling "Kiosk mode" [1] should also
>> be a proper solution to address this use case. We can simply enable Kiosk
>> mode by using our android agent app (since it has device administrator
>> privileges). But in a usual device (BYOD) this requires user intervention
>> (user needs to grant access). In COPE mode (where the devices are provided
>> by the organization and they can vendor sign our agent app so that it can
>> become a privileged system app), we can simply enable Kiosk mode (Screen
>> pinning) by making our agent app the "device owner"[2].
>>
>> Therefore I suggest that we should re-think on $subject and try to make
>> use of above discussed approach. WDYT?
>>
>> [1] - http://www.sureshjoshi.com/mobile/android-kiosk-mode-without-root/
>> [2] - https://support.google.com/work/android/answer/6294687?hl=en
>>
>> Thanks
>> --
>> Kasun Dananjaya Delgolla
>>
>> Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> Tel:  +94 11 214 5345
>> Fax: +94 11 2145300
>> Mob: + 94 771 771 015
>> Blog: http://kddcodingparadise.blogspot.com
>> Linkedin: http://lk.linkedin.com/in/kasundananjaya
>>
>
>
>
> --
> *Milan Perera *| Software Engineer
> WSO2, Inc | lean. enterprise. middleware.
> #20, Palm Grove, Colombo 03, Sri Lanka
> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
> Email: [email protected] <[email protected]> | Web: www.wso2.com
> <http://lk.linkedin.com/in/milanharinduperera>
>



-- 
Kasun Dananjaya Delgolla

Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Tel:  +94 11 214 5345
Fax: +94 11 2145300
Mob: + 94 771 771 015
Blog: http://kddcodingparadise.blogspot.com
Linkedin: http://lk.linkedin.com/in/kasundananjaya
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
