Extensions (Mx) by Motorola Solutions

Version 7

    What is Mx?


    • Mx represents a suite of Enterprise Features on Top of standard, commercially available AOSP (Android Open Source Project)
    • Mx maintains Compatibility with Standard Android Applications
    • There is no generally available exposed API Surface for Mx (currently exclusive to MDM partners)

    Mx Features


    • Multiuser Authentication
      • Separation of User Data Spaces
      • Reduced System Settings Dialog
    • Whitelist Application
    • Secure Storage
      • Volume Encryption
      • Full SD Card Encryption
    • Certificate Management
    • Silent Application Installation
    • Ability to enable/disable USB Mass Storage & ADB
    • Set a New APK as the Default Home Screen
    • System Settings Configurable through MDM

    Multi-user Framework

    • Overview
      • Allows multiple users to access the device
        • Each user optionally has their own data space and settings
      • Unlock screen replaced by a credentials dialog
        • Username and password required to unlock the device
      • Notification area will indicate the current user. Tapping on the notification will trigger the logout process
      • Choice of Local or Remote Authentication
        • Local database on the device
        • Authenticate against an Active Directory server
        • When remote authentication is selected, users in the local database are permitted as well.
      • Only administrator users are permitted to modify any system setting
    • Development Impact
      • The multiuser framework is transparent
      • Although data separation adds a layer of abstraction, no special coding is needed
        • Avoid using hard coded paths
      • All open applications are forced closed upon logout
        • Exception: those applications or services that are required to span users
    • Tips
      • Always create at least one administrative user in the local database. This will allow a device using remote authentication to be unlocked and configured if connection to the AD server is lost.

    Mx Application Lock

    • Overview
      • Works in conjunction with Multiuser Framework
      • Each user is assigned to a group(s)
      • Each group is assigned a white list of packages which are permitted
      • Each white list consists of three separate pieces
        • System list – applications needed for the system to operate properly
        • Common list – applications permitted for ALL groups
        • Individual list – applications permitted for the individual group
      • Users included in multiple groups are permitted the sum (union) of the individual lists of each of their groups
      • Packages are defined by their package name
      • Any application not included on the white list is NOT permitted to be installed or launched
    • Development Impact
      • All applications spawned from another application must be included on the same white list
    • Tips
      • Be sure to create an administrator group for users that are permitted to use ALL applications
      • Be careful when using the wildcard character in the white list; it may permit applications that are unintended for that group
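An added example (not Mx code) that models the white-list rules above: a user's effective list is system + common + the union of their groups' individual lists, a launched chain of applications must sit entirely on that list, and a wildcard entry is checked for what it admits beyond the explicitly named packages. The list layout, the `*` glob semantics and the package names are assumptions constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed white lists; '*' is assumed to be a glob-style wildcard.
SYSTEM_LIST = ["com.android.systemui", "com.android.settings", "com.motorolasolutions.*"]
COMMON_LIST = ["com.example.launcher", "com.example.scanner"]
GROUP_LISTS = {
    "warehouse": ["com.example.inventory"],
    "drivers":   ["com.example.nav", "com.example.*"],   # wildcard entry, deliberately over-broad
    "admins":    ["*"],                                  # administrator group: ALL applications
}
USER_GROUPS = {"alice": ["warehouse"], "bob": ["warehouse", "drivers"], "admin": ["admins"]}


def effective_whitelist(user):
    """System list + common list + union of the individual lists of every group the user is in."""
    patterns = set(SYSTEM_LIST) | set(COMMON_LIST)
    for group in USER_GROUPS.get(user, []):
        patterns |= set(GROUP_LISTS.get(group, []))
    return patterns


def is_permitted(user, package):
    """A package not matched by any entry on the user's effective list is not permitted."""
    return any(fnmatchcase(package, pattern) for pattern in effective_whitelist(user))


def chain_permitted(user, chain):
    """Every application spawned from another must also be on the same white list."""
    return all(is_permitted(user, package) for package in chain)


def wildcard_overreach(group, installed):
    """Installed packages a group's wildcard entries admit beyond its explicitly named ones."""
    explicit = {p for p in GROUP_LISTS[group] if "*" not in p}
    wild = [p for p in GROUP_LISTS[group] if "*" in p]
    return sorted(pkg for pkg in installed
                  if pkg not in explicit and any(fnmatchcase(pkg, w) for w in wild))


if __name__ == "__main__":
    installed = ["com.example.nav", "com.example.browser", "com.android.settings", "com.example.inventory"]
    print(sorted(effective_whitelist("bob")))
    print(wildcard_overreach("drivers", installed))
```

Run the `wildcard_overreach` check against the device's installed package list when reviewing a group's configuration; anything it reports was admitted only by the wildcard.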

    Mx Secure Storage

    • Overview
      • Encryption can span the entire SD Card or only an individual folder tree
      • When the entire SD Card is encrypted:
        • The card will be reformatted
      • When only a folder tree is encrypted:
        • Different folder trees can use different keys
        • The folder tree can be mounted under /data or /sdcard
      • Encryption / decryption occurs between the file system and the application making this feature transparent to applications.
      • The auto mount feature can be used to direct the system to mount the encrypted data automatically on reset
      • If the encryption key is known, the data within the encrypted area can be copied to a Linux system and read
    • Development Impact
      • None: once the encrypted area is mounted, the data from the application is read and written using standard algorithms
    • Tips
      • In many cases the SD Card is used to deploy OS updates. If the entire SD Card is encrypted, the recovery mechanism will not be able to read the SD Card
      • When a folder tree is mounted under /data, make sure the path is correct for the intended application
      • A folder tree cannot be mounted if the mount point contains unencrypted data
      • Factory reset will erase the encryption keys. Be sure to record and secure encryption keys to re-install into a device that has been factory reset.

    Other Tips and Samples


    • Configuring network proxy for Gingerbread
      • Use the secure settings properties

        import android.content.ContentResolver;
        import android.provider.Settings;

        String host;        // string describing the URL of the host
        int port;           // port number of the host
        String exclList;    // semicolon delimited list of URLs

        // Writing secure settings requires android.permission.WRITE_SECURE_SETTINGS,
        // which is only granted to system/privileged applications.
        ContentResolver res = mContext.getContentResolver();
        Settings.Secure.putString(res, "global_http_proxy_host", host);
        // putString takes a String value, so the int port must be converted first
        Settings.Secure.putString(res, "global_http_proxy_port", String.valueOf(port));
        Settings.Secure.putString(res, "global_http_proxy_exclusion_list", exclList);
    • Storing application data
      • Linux sandboxing of application data limits the application to its own data space. Do not use hard coded folder names. Use the standard Google API to determine the application's home folder: getFilesDir().getAbsolutePath()

    View the Enterprise Extensions (MX) Whitepaper here


    Download the Enterprise MX Utilities here