Hi All,

Currently EMM has a policy management implementation for Android, Windows and iOS devices. Since these three device types are to be bundled with IoTS, and since IoTS device types also need policy management, we need a more generic policy management mechanism and UIs to implement the policy flow.

The current policy implementation (*Fig 1*) is tightly bound to the device type. When the user selects a device type in the policy wizard, a device-specific UI is shown to set up the device configuration profile. Device configuration profiles are currently available only for Android, Windows and iOS devices, and they are implemented as a single unit without separation, so those UIs cannot easily be reused for new device types. However, once the configuration profile and rules are created, the back end receives the policy payload in a generic form containing the device type, the configuration JSON and the rules. The received payload format is therefore generic: it is the same for all device types and is stored in the DB as is. The device type plugin retrieves the stored policy from the database and sends it to the device when needed, so the plugin is responsible for converting the device configuration profile into a device-specific form (i.e. JSON for Android, plist for iOS, etc.) that the device can understand. The plugin is also responsible for checking compliance whenever needed.

Fig 1: current policy implementation

In order to generalize the policy implementation, we need to:

1. Separate out the *device configuration profile* setup and implement a separate UI unit for each device type to set up its device configuration profile.
2. Generalize the rule definitions to simple group-based rules that work for all devices.
3. Modify the policy retrieval mechanism to filter out the applicable policy for each device when the relevant device type plugin is asked to evaluate or send policies to a particular device.

As we are already in the process of separating out the UI elements of the device configuration profile page, only the 2nd and 3rd items still need to be implemented.

*Generalize rule definitions*

- The current rule definition has an option to select devices enrolled under the BYOD or COPE scenario, but this is only applicable to EMM devices. Instead, we can introduce two groups for BYOD and COPE devices, and devices enrolled under either scenario can be added to the relevant group during the enrollment process.
- With the current implementation, rules can be defined by the owner's role or the owner's name. However, since a device can have multiple users via device grouping, and there is no direct, visible mapping between devices and user roles, this rule becomes complex and needs a complex evaluation. The simplest approach is to show the groups accessible to the user and define the rule based on those.
- It is also not possible to apply a policy to a single device with the current implementation. With group-based rules this becomes possible too, since a device group can contain any number of devices, including just one.

*Modify policy retrieval mechanism*

- The current rule definitions make the policy retrieval mechanism complex, because the criteria include the enrollment type as well as user names and roles. With only group-based rules, we can simply get the groups that a particular device belongs to and compute the applicable policy for the device by evaluating the policy priority.

WDYT?

Thanks & Regards,
/charithag

--
*Charitha Goonetilleke*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: +94 77 751 3669
Twitter: @CharithaWs <https://twitter.com/CharithaWs>, fb: charithag <https://www.facebook.com/charithag>, linkedin: charithag <http://www.linkedin.com/in/charithag>
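The group-based rule and priority-based retrieval described above, as an added illustration that is not part of this mail or of the WSO2 EMM/IoTS code base: enrollment puts a device into a BYOD or COPE group, every policy targets a set of groups, and the plugin resolves the single applicable policy for a device by intersecting its groups with the policy targets and taking the highest priority. The group names, the "priority 1 is highest" convention, the tie-break on policy id and the sample policies are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed group names for the two enrollment scenarios (not from the mail).
OWNERSHIP_GROUPS = {"BYOD": "byod-devices", "COPE": "cope-devices"}


@dataclass(frozen=True)
class Policy:
    policy_id: int
    name: str
    device_type: str           # "android", "ios", or an IoTS type such as "raspberrypi"
    priority: int              # assumption: 1 is the highest priority
    target_groups: frozenset   # group-based rule: groups this policy applies to
    profile: dict              # device configuration profile, stored generically as JSON


@dataclass
class Device:
    device_id: str
    device_type: str
    groups: set = field(default_factory=set)


def enroll(device: Device, ownership: str) -> Device:
    """Add the device to its BYOD/COPE group at enrollment time (replaces the
    enrollment-type criterion in the rule definition)."""
    device.groups.add(OWNERSHIP_GROUPS[ownership])
    return device


def applicable_policies(device: Device, policies: list) -> list:
    """All policies for this device type whose target groups overlap the
    device's groups, ordered by priority (ties broken by policy id so the
    result is deterministic)."""
    matches = [
        p for p in policies
        if p.device_type == device.device_type and p.target_groups & device.groups
    ]
    return sorted(matches, key=lambda p: (p.priority, p.policy_id))


def resolve_policy(device: Device, policies: list) -> Optional[Policy]:
    """The one policy the plugin should push to the device, or None when no
    group-based rule matches (the device then has no effective policy)."""
    matches = applicable_policies(device, policies)
    return matches[0] if matches else None


def compliance_violations(policy: Policy, reported_state: dict) -> dict:
    """Compare the generic profile against the state a device reports back;
    returns {setting: (expected, actual)} for every mismatch or missing key."""
    return {
        key: (expected, reported_state.get(key))
        for key, expected in policy.profile.items()
        if reported_state.get(key) != expected
    }


# Constructed sample policies (not real EMM data).
SAMPLE_POLICIES = [
    Policy(1, "byod-baseline", "android", 2, frozenset({"byod-devices"}),
           {"passcode_required": True}),
    Policy(2, "finance-lockdown", "android", 1, frozenset({"finance-team"}),
           {"passcode_required": True, "camera_enabled": False}),
    Policy(3, "ios-byod", "ios", 1, frozenset({"byod-devices"}),
           {"passcode_required": True}),
    Policy(4, "lab-sensor", "raspberrypi", 1, frozenset({"lab-sensors"}),
           {"ssh_enabled": False}),
]


def demo() -> dict:
    """Resolve policies for three constructed devices; returns name per device."""
    phone = enroll(Device("d1", "android", {"finance-team"}), "BYOD")
    tablet = enroll(Device("d2", "android"), "COPE")          # no matching rule
    sensor = Device("d3", "raspberrypi", {"lab-sensors"})      # single-device group
    result = {}
    for dev in (phone, tablet, sensor):
        chosen = resolve_policy(dev, SAMPLE_POLICIES)
        result[dev.device_id] = chosen.name if chosen else None
    return result


if __name__ == "__main__":
    print(demo())
```

Because every criterion is now a group membership, adding a single-device policy needs no new rule type: a group with one member is enough, and a device with no matching group gets no policy rather than an ambiguous one.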
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
