Enterprise Home Screen: Lock Down Your Zebra Android Devices

Edward Correia -
4 MIN READ
849
9

They're supposed to be picking orders and managing inventory, but the warehouse guys are frequently spotted standing around an MC92 laughing at viral videos. Android has gained plenty of traction as an enterprise deployment platform. But the speed, simplicity and versatility that helped springboard its popularity also might sometimes lead workers toward entertainment after their productivity tasks are complete.

 

IT administrators tasked with eliminating such potential side-tracks should consider Enterprise Home Screen, a free Android app from Zebra Technologies that provides an easy way to lock down a device without the need to write a single line of code. Simply install and launch the tool, select which apps the device's users will be allowed to use, and quit. After an automatic restart, the device will show only the selected apps, along with a few simple device settings. All other apps and settings are invisible without an admin password. EHS also can restrict access to all device settings, if needed. And that's just for starters; Enterprise Home Screen can do a whole lot more to help increase productivity for workers and administrators, and provides complete security for the device as well as its apps and data.


EHS works by inserting itself in place of the stock Android app launcher and home screen. When first run, it presents a screen like the one below, offering a choice of which home app to open and whether to make the selection permanent.

Selecting "Just once" simplifies the process of switching between EHS and the stock Android launcher while first setting up and learning how best to use it. To invoke this dialog, press the HOME key. Once EHS fully configured, selecting "Always" when the dialog reappears will prevent further changes without a password (which is 256-bit AES encrypted). Out of the box, EHS disables the following when running in User mode:

  • Airplane mode
  • USB debugging
  • Access to the file system
  • Keyguard (for unlocking the screen)
  • Keyguard-screen camera and search functions
  • The Status-bar Settings icon 
  • Full access to the System Settings panel

 

These and other settings can be enabled as desired for a particular user or role (more on roles later). The next step in the initial configuration is to select the apps to be made visible to the user. On launch, EHS displays all apps installed on the device in a single, scrollable window similar to the image below:

Long-pressing an icon presents dialog boxes for selecting or deselecting the app to appear in User mode, as below:

Once all apps are selected, a quick tap on the Menu button (highlighted) brings up the Tools menu. Tap again on the Admin Logout to enter User mode and a screen similar to the image below. A configurable timeout will revert to User mode after 60 seconds by default.

To return to Admin mode, simply tap the User mode menu and enter the admin password. Adding to security is a feature that tracks a configurable number of incorrect login attempts that will disable the login feature entirely if exceeded. This is reset by replacing the configuration file.

Once again in Admin mode, in-app settings for Enterprise Home Screen are shown in the two images below. They include access to display settings, the lock screen, file system and other system settings.  

There's far more to EHS than meets the eye. The elegantly simple configuration file shown below controls all aspects of the app. Starting from the top, a kiosk mode allows a single app to be launched at startup, disabling BACK and HOME keys. Controlling User mode settings are the and sections, which control the display of apps as icons and tools in the tools menu, respectively. Next is the admin-password attempts counter, followed by the

section, most of which is self-explanatory (click the image to enlarge).

EHS reads the config file every time the HOME key is pressed or when a new config is pushed to the /enterprise/usr folder on the device. If an app other than EHS is running when a new config file arrives, the config file will be read when EHS returns to the foreground. A key advantage of this configuration scheme is the ability of EHS to easily switch between user roles on a single device. For example, if a  device is to be shared by a retail clerk during store hours and an inventory clerk after closing, a simple way to achieve this would be to create and store config files on the device that include apps for each role. Then a small script could be used to switch between the two config files at the beginning of each shift.

 

Enterprise Home Screen is provided free to Zebra partners. Learn more in the Enterprise Home Screen 2.3 User Guide.

profile

Edward Correia

Please Register or Login to post a reply

9 Replies

E Edward Correia

Hi Dean-

A couple of things to check:
<ol>
<li>To edit the EnterpriseHomeScreen.xml, drag a copy of it <strong>OFF THE DEVICE</strong> and open it in any text editor. </li>
<li>When done editing, <strong>you MUST use ADB to deploy the edited </strong><strong>config file</strong> to the /enterprise/usr directory on the device. </li>
<li>After deploying the edited file, press the HOME key to force EHS to re-read it (EHS is supposed to re-read the config file whenever a new version lands in /enterprise/usr, but pressing HOME will double-check). </li>
<li>The relevant portion of your config file should look like the following before and after the ET1 video link is removed: </li>
</ol>

With ET1 link
----------------
...

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <strong><strong><a href="https://outlook.office.com/owa/redir.aspx?REF=oithwveuMjhh3Yj1xGejmmIDg…;

...

Without ET1 link
-------------------
...

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;
...

Hope that helps.
Eddie Correia

</strong>

D DEAN EARL

Thanks.

Dean O. Earl
Senior Systems Engineer
Retail Hardware Engineering

Office: (208) 985-8587 (New)
Cell: (801) 891-5036

E Edward Correia

By the way, thanks for writing.

Please let me know if this solution worked so I can post it to the discussion forum and help other people.

D DEAN EARL

I will.

Dean O. Earl
Senior Systems Engineer
Retail Hardware Engineering

Office: (208) 985-8587 (New)
Cell: (801) 891-5036

D DEAN EARL

When I finally got ADB to work correctly, this worked just fine. I had realized that I had to edit the file locally on my desktop and then copy it back. It was the copying of the edited file that I had an issue with.
Thanks!!

Dean O. Earl
Senior Systems Engineer

E Edward Correia

Thanks Dean. I'll post this to the discussions forum, where others have had the same issue.

D DEAN EARL

There is nothing that tells how to get rid of the ET1 Video icon and I definitely do not want users to have access to it, although it will do them no good since they cannot access anything externally except Google. I checked the user documentation that came with the .apk and it had nothing about that. I went to the EnterpriseHomeScreen.xml and deleted the line referring to it and restarted the MC92N0 and it was still there.
Thanks

B Br Jenkinson

Hello do you have any advice on how to unbrick a TC8000 device that is in kiosk mode booting to Calculator. The xml file got read to kiosk mode during a reboot, it does not launch the actual app that was selected in the xml, and once its set to kiosk the device is locked permanently (I wish I knew the menus for EHS and everything else are also locked in this mode, so I can't get to the admin screen either)
I have adb installed but it will not connect to the device in this state (it can't find any usb devices, and windows explorer also will not allow files to be transferred or copied once in kiosk mode). So the device is not usable because it boots to calculator and does not allow any changes through adb or otherwise.
Is this device salvageable, or is there a way to get EHS out of kiosk mode if these is an issue like this. I don't want to reset because our licenses are tied to this device and will be rendered unusable if we wipe it out. Thanks for any help.

E Edward Correia

Hi Brian- Sorry to hear that you're having trouble. I've inquired with engineering about how/whether there's a way to recover without a reset. By any chance, do you know if USB Debugging is enabled on the device?&nbsp;
From TechDocs <a href="https://techdocs.zebra.com/ehs/4-2/guide/settings/#kioskmodeenabled">Ki… Mode Enabled section</a>:&nbsp;
Once enabled, Kiosk Mode can be disabled by pushing a new config file with its tag set to "0" if USB Debugging is enabled. Otherwise a factory reset is required. Kiosk Mode also can be enabled/disabled programmatically from an Android application using Android Intents. For more information, see the <a href="https://techdocs.zebra.com/ehs/4-2/guide/features/#disablekioskmode">Sp… Features Section</a>.