Figured out how to enable Enterprise Multi User which now prompts for the Multi User login which I created in the Control.EnterpriseAndroid.Multiuser.Users settings object. Figured out how to disable the Enterprise Multi-user by sending the ET1.Enterprise.MU.Disable package. Have not figured out how to change the UserID / Password combination on the fly. In my case the customer would like to rotate the USER ID / Password combo on a monthly basis. I see a Control.EnterpriseAndroid.MultiUser.Config.setting.xml but have no idea how to implement this as it appears to refresh Users and Groups on an Interval. I see a Control.Android.DeviceSecurity.Attributes.setting.xml available, however this does not appear to report the Enterprise Device Security attributes. Am I not implementing this correctly or should this report the number of failed login attempts using the Enterprise MU features built into MSP?
ET1 - MSP Advanced Features
John,

You said you "Have not figured out how to change the UserID / Password combination on the fly." If you were able to create a User, using a Control.EnterpriseAndroid.Multiuser.Users settings object, then you are nearly there. In that Settings Object, there are various Actions. You used Add User. To change a password, you need to use Delete User or Delete All Users and re-add one or more Users with a different password. You cannot Add a User that already exists with a different password; that will fail. But if you delete a User and re-add it, you can give it any password you want.

A Control.EnterpriseAndroid.MultiUser.Config settings object allows you to specify a time in the future that should be determined by adding a specified interval to the time the settings object is applied and sending the resulting "time to refresh" up to the MSP Server as the value of a Device Attribute. Once there, that value can be used in a Policy Override Rule to force a Policy to become non-compliant when that time is reached.

Of course, for that to do any good, the Policy will need to have a Dynamic way to acquire password data, otherwise when it is sent, it will apply the same passwords to the Users as it did the last time. The best way to do that would be to use a Web Service call (via an External Source) to acquire the passwords. But lacking that, you might import a CSV file periodically that has new passwords in it. Each device would get the "latest" passwords whenever its "refresh time" is reached.

Also note that, as explained above, in order for that to work, the Control.EnterpriseAndroid.Multiuser.Users settings object would need to start with a Delete All Users followed by one or more Add Users. That way, each time it is applied it would delete all Users and then Add them again with the latest Passwords.

Regarding Control.Android.DeviceSecurity.Attributes.setting.xml, I think you are mixing things up a bit here. That Settings Class is part of a collection of Settings Classes that are designed to be used together to configure and control the Android DeviceSecurity Control Module. Android DeviceSecurity can coexist and interoperate with MultiUser, but it is not designed to have one of its Settings Classes used independently of the rest. Being able to query things like password attempts requires that the Device User opt-in as described in the information about the Android DeviceSecurity Control Module.

Allan
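The rotation flow described in the reply above, modelled in Python as an added example; it is not MSP code and not part of the original thread. Every class, function and CSV column name here is hypothetical, and the sample passwords are constructed; the model only shows why the settings object has to start with Delete All Users and why the password source has to change between applications.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data; the column names are assumptions, not an MSP import format.
JANUARY_CSV = "user_id,password\nshift1,constructed-pw-jan\n"
FEBRUARY_CSV = "user_id,password\nshift1,constructed-pw-feb\n"


class DeviceUserStore:
    """Toy model of the device's Multi User list (hypothetical, not MSP code)."""

    def __init__(self):
        self.users = {}
        self.refresh_at = None  # stands in for the "time to refresh" Device Attribute

    def add_user(self, user_id, password):
        # As the reply states, adding a user that already exists fails.
        if user_id in self.users:
            raise ValueError(f"user {user_id!r} already exists")
        self.users[user_id] = password

    def delete_all_users(self):
        self.users.clear()


def load_passwords(csv_text):
    """Dynamic password source: stands in for the periodically imported CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(row["user_id"], row["password"]) for row in rows]


def apply_policy(store, csv_text, applied_at, interval):
    """Delete All Users first, then Add Users, then record the next refresh time."""
    store.delete_all_users()
    for user_id, password in load_passwords(csv_text):
        store.add_user(user_id, password)
    store.refresh_at = applied_at + interval
    return store.refresh_at


def is_compliant(store, now):
    """Models the override rule: non-compliant once the refresh time is reached."""
    return store.refresh_at is not None and now < store.refresh_at


if __name__ == "__main__":
    store = DeviceUserStore()
    due = apply_policy(store, JANUARY_CSV, datetime(2024, 1, 1), timedelta(days=30))
    print(due, is_compliant(store, due))
```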