Delivering Managed Configurations (key/value pairs) to Android applications with Workspace ONE UEM profiles

Applications often have secrets that should not be hardcoded in the source code. This poses a challenge for developers, as ProGuard can change classes and method names, it won't help with secrets. Examples of secrets that can be removed from application source code include an API key or a OAuth refresh token. Another capability is for the MDM to dynamically deliver values to the application, such as the current logged in user, device serial number, or organization group. Google has made it more challenging to access non-resettable device identifiers like the serial number in recent years, and this remains a viable solution to provide non-resettable device identifiers (and other values) to applications running on the device. So how do we do it?



Workspace ONE UEM can deliver profiles to devices. Profiles can configure a number of settings, in addition to delivering key/value pairs to your applications.  Google refers to these key/value pairs as Managed Configurations, aka application restrictions. In this post, I will go cover;
  • how to add key/value pairs to a profile
  • read key/value pairs in the application source code

To begin, you will need;
  • Android Studio
  • Gradle
  • Workspace ONE UEM

Create a profile for your application secrets

Note - this demonstration will use the management console to create the profile. This task can also be completed using Workspace ONE UEM REST API's.
  1. Login to Workspace ONE UEM management console
  2. In the upper right corner, click Add -> Profile
  3. Select Android
  4. Name the profile
  5. Add the reference profile XML payload in 'Custom Settings'
  6. Save and publish the profile to your test device(s)
Reference Profile: 

The reference profile will deliver the device serial number, current user on the device (enrollment user. Yes - enrollment user is somewhat misleading, in that it is the current user logged in to the device), key/value pairs for VALUE1, URL, and ENVIRONMENT. 

Add Application Restrictions to your Android project



  1. Open Android Studio, create a project, and expand the project layout

  2. Create a class and name it AppConfig
  3. Now we'll add logic for getters, retrieving the values from the MDM profile, and storing them in variables. Copy and paste the text below in to your AppConfig class



  4. Create a class and name it AppConstants. You can optionally store it in a package
  5. Now we'll add the tag want to displayed in our log messages. Copy and paste this text in to your AppConstants class



  6. Create a class and name it MainActivity
  7. Now we'll add logic to log and display toast messages with the values retrieved from the MDM profile. Copy and paste this text in to your MainActivity class



  8. Now you can build an APK file, upload it to Workspace ONE UEM, and assign it to your test devices

Once the application is launched, it will log the values in logcat, visually display them on the Android device with a toast notification, and also log it with Java's system out print statement. If you wish to use the values from the MDM profile in your application, instantiate the AppConfig class and reference the getters. That is all there is to it.

The MainActivity is referenced by the layout file for the UI, and the MainActivity makes references to the AppConfig class, along with the AppConstants class. The values from the profile are passed as strings to the application source code, and can be used where appropriate. If you wish to know more about Managed Configurations, Google has a great post covering it as well.

Source code on GitHub


Hopefully this post has been helpful. Mahalo!
Location: O‘ahu, Hawaii, USA

Comments

Post a Comment

Popular posts from this blog

How to use Square's OkHttp Java library to access Workspace ONE UEM API's

Image
Digital workspace solutions often require consuming other services. When doing so, you may work with things like; REST API endpoints, Webhooks, gRPC, GraphQL - the list goes on. You can interact with these in a number of ways, but one way I've come to appreciate is with Java. It has been especially helpful when I've wanted to work with libraries like Appium, Selenium, OKHttp, or the Workspace ONE UEM SDK in a workflow. With that, I thought it would be helpful to share how to work with Workspace ONE UEM API's using Java. In this blog post, we will cover; Basics of JetBrain's IntelliJ IDE, touching on Apache Maven Using  Square's OkHttp   library  to call Workspace ONE UEM API's Why Java? Java is used by many and supported by most (Docker, Kubernetes, static code analysis tools, cloud service providers, Android, Windows, macOS, Tanzu Application Service, etc). Many languages compile to j ava
Read more

How to use Powershell with the Workspace ONE UEM API to search for users

Image
Using API's has been infinitely helpful in integrating Workspace ONE UEM with other enterprise services and applications. A question was asked recently about forming the correct HTTP header using Powershell, and returning the users in the users. Below is an example Powershell script I was able to create for this example. Make sure to include base64 encoded credentials in a folder (c:\creds\b64.txt in the example), and to update the $apiKey variable with an API key. #Workspace ONE UEM Environment Address / Authentication  $addy   =   "https://ws1.molokaibank.com" $b64   =   Get-Content   -Path   "c:\creds\b64.txt" $apiKey   =   "apikey" $b64EncodedAuth   =   " $b64 " # Header $content   =   "application/json"   $authHeader   =   "Basic "   +   $b64EncodedAuth $header   =  @{ "Authorization"   =   $authHeader ;  "aw-tenant-code"   =   $apiKey ;  "Accept"   =   $content ; 
Read more