Zebra, OEMConfig, Ivanti Velocity, and Microsoft Intune

I work with a lot of organizations who manage a wide range of devices including organizations who manage rugged devices.

Rugged devices are utilized in a variety of scenarios, including warehouses, big box stores, field engineering, logistics, emergency services, government, and so on.  Typically, these devices are locked down in modes where it’s dedicated to a specific use case, such as inventory scanning. Some organizations deploy multiple apps to a locked down screen where those apps are used in specific scenarios such as inventory look up and/or data entry.

For this month’s post I’m focusing on a specific scenario I run into quite a bit with rugged devices and an app called Velocity (powered by Wavelink) by Ivanti.

According to the Ivanti Velocity user guide:

Ivanti Velocity is an Android client that can connect to Telnet hosts (including IBM 5250/3270 and VT100/220), web apps, and Oracle SIM hosts. For Telnet and Oracle SIM hosts, it can present applications to your users in a modern touch interface, either with automatic, predictive reformatting or with a customized experience.

Source: https://help.ivanti.com/wl/help/en_US/Velocity/2.0.0/admin/velocityConsoleHelp.htm

The Velocity app may downloaded directly from Ivanti and is found on Google Play: https://play.google.com/store/apps/details?id=com.wavelink.velocity

So naturally I was curious about managing the Ivanti Velocity app on an Android device managed with Microsoft Intune. For the device, I chose to utilize a Zebra TC-57 rugged device.

Requirements for this scenario

  • Microsoft Intune
  • Zebra device
  • Zebra OEMConfig powered by MX app from Google Play
  • Ivanti Velocity app from Google Play
  • Ivanti Velocity deployment bundle (.wldep file)

Special thanks to Alex Evans from Ivanti who supplied me with a demo deployment bundle, thanks Alex!

Let’s get started

Device enrollment
I chose to enroll my Zebra device as a dedicated device under Android Enterprise Device Owner enrollment. Fortunately, I posted on this already, so I don’t have to re-create the steps. To learn more about enrolling a device as a Dedicated (kiosk) device please visit: https://uem4all.com/2018/08/06/android-kiosk-enrollment-and-microsoft-intune/

Ivanti Velocity app deployment
Let’s add the Velocity app to Intune.

  1. Navigate to the Intune admin portal via https://devicemanagement.microsoft.com and select Client apps from the left hand navigation.
  2. Select Apps > Add > App type > Managed Google Play and search for “Ivanti Velocity” and should look something like the image below. Go ahead and approve the app and chose your approval settings when prompted, then save.
  3. After the app info has synchronized to Intune, assign the app to the device group you created you went through the device enrollment steps above. This will ensure the app is deployed to the device.

 

Intune Managed Home Screen config
After the Ivanti Velocity app is assigned, if it is a dedicated device, you’ll most likely be utilizing the Intune Managed Home Screen. Whether it’s a single- or multi-app add the app to the list so it’s available on the Managed Home Screen. Note: I covered this in the post I referenced above…

Once the apps are deployed to the Managed Home Screen you’ll see them populate. Again, assign the apps to device for installation purposes under “Client apps” and in addition, add the apps to the Managed Home Screen under device configuration, as shown above, so they’re available for users to launch and interact with.


Ivanti Velocity app configuration deployment
Next, we need to create an Intune profile to push the Ivanti Velocity deployment bundle to the device. For this I utilize Zebra OEMConfig, Zebra StageNow, and an FTP server to push the Ivanti Velocity deployment bundle to the device.

Let’s start with Zebra StageNow…

  1. Zebra StageNow is a Windows application and may be downloaded by visiting: https://www.zebra.com/us/en/products/software/mobile-computers/mobile-app-utilities/stagenow.html
  2. Open StageNow and create a new profile, select the proper MX version (e.g. MX 8.2) for your Zebra device, then select Xpert Mode and then Create.
  3. Give the profile a name and select Start
  4. From the Settings tab select FileMgr and select the + sign to add it under the CONFIG tab and select Add as shown in the example screenshot below.

  1. In the StageNow Config under File Action select Transfer/Copy File.
  2. Under Target Path and File Name add the following: /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep, this will add the .wldep file in a folder named com.wafelink.velocity on the device. The Velocity app knows to automatically look in that folder and apply the profile info in the bundle.

Note: you can rename the .wldep bundle to .zip to peek at the files if needed.

  1. Select File on a remote server if not already selected and select the … to open the dialog.
  2. Under Staging Server select “External” and for the Source Path and File Name add the ftp server info, Zebra has documented this well and can be viewed by visiting: http://techdocs.zebra.com/mx/filemgr/

The source path to my FTP server looks like the following: ftp-p://username:password@0.0.0.0:21/Velocity_Demo.wldep

  1. Once we’re finished with entering all the parameters select “Continue” until you see “Complete Profiles”.
  2. Select “Complete Profiles” and then select “Export for MDM” and save the .xml file.

Locate where you saved the .xml file and open it and it will look similar to xml output below. Copy the data beginning with <characteristic… to the last </characteristic> as outlined in red in the image below.


Intune OEMConfig Configuration
Frist we need to add the Zebra OEMConfig app from Managed Google Play; to do that, from the Intune admin portal, select Client Apps > Apps > Add > App type > Managed Google Play and search for “Zebra oemconfig”.  It will look something like the images below.

Go ahead and approve the app and chose your approval settings when prompted, then save.

Note: Intune also supports Datalogic, Honeywell, and Samsung OEMCOnfig. If you’d like to test settings for OEMConfig with other OEMS, search Managed Google Play from Intune and add their specific OEMConfig apps. Stay tuned for Intune expanding support of additional vendors who offer OEMConfig.

Create OEMConfig profile in Intune
We now need to create an OEMConfig profile in Intune. Do this by selecting “Device configuration” in the Intune portal > Profiles > Create profile.

Give the profile a name, from Platform select Android Enterprise, from Profile Type select OEMConfig. From here select “Zebra OEMConfig powered by MX” app.

Intune_OEMConfig

Select Configure > select the three dots next to Transaction Steps > and then select Add setting.

From the list of settings select, Device Administration Configuration.


  1. Under Device Administration Configuration only two settings are required.
  2. Action = SubmitXML
  3. Submit XML = the .xml data we copied above. Paste it into this field.

     

    Note: If needed, switch to the JSON view to see what the full JSON looks like. JSON view is really helpful when troubleshooting as well.

     

  4. Select OK and Save.

When the device syncs with Intune the apps and the OEMConfig settings will deploy to the file and push the Velocity app config file to the directory we specified.


 

The following video displays the profile I deployed using Zebra OEMConfig from Microsoft Intune in the Velocity app.

 The Velocity profile was populated on the device in a folder called com.wavelink.velocity.  

Finally, the Velocity app automatically knows to look there so it’s added when the app is launched.  

Next I scan some bar codes using the app to show inventory and other data.  You can’t see it, however I’m actualy scanning those barcodes in the video.

2019-09-09_14-57-23

 

Couple if items to be aware of:

  • In the Intune admin console, device sync status for app deployment, policies, etc. will show as “pending”, this is known.
  • At this time, only one OEMConfig profile may be assigned to a device.

That’s it!  This is incredible… the Intune team has made monumental investments across device platforms supporting a variety of different scenarios, from rugged devices, information workers, and bring your own.

Stay tuned for future updates and posts about Intune right here on UEM4all.com!

 

Intune, Samsung Knox, and OEMConfig

I work with many organizations who are beginning to migrate from Android device admin enrollments to device owner (i.e. Android Enterprise). While migration to device owner requires a factory reset on the device, once enrolled with device owner, devices have a more standardized approach to management and consistency vs. the fragmented management experience device admin enrollments exhibit when multiple OEMs are being managed.

Realizing there was a need to standardize and secure devices beyond the device admin APIs, years back Samsung introduced Knox. Samsung Knox provides an additional set of security and management APIs built on top of Android and is included with many Samsung devices. EMMs, including Microsoft Intune, also took steps to integrate with Samsung Knox to provide a rich set of management capabilities where the device admin APIs didn’t cover (e.g. email profiles).

Google requires device OEMs wanting their devices to be Android Enterprise Recommended (AER) to meet certain requirements thus standardizing and provide consistency across the Android Enterprise device ecosystem.  However, Samsung Knox remains available and continues to provide security and management features, in some cases, beyond what Android Enterprise offers with their current set of APIs.  Although Android continues to update/add security and management features with every API version.

With Android device owner enrollments, Samsung and other OEMs support OEMConfig.  OEMConfig provides a set of OEM specific features EMMs can configure along with standard device settings.

What is OEMConfig?

“OEMConfig policies are a special type of device configuration policy very similar to app configuration policy. OEMConfig is a standard defined by the AppConfig community (opens another web site) that allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way. Historically, EMMs, such as Intune, manually build support for OEM-specific features after they’re introduced by the OEM. This approach leads to duplicated efforts and slow adoption.

With OEMConfig, an OEM creates a schema that defines OEM-specific management features. The OEM embeds the schema into an app, and then puts this app on Google Play. The EMM reads the schema from the app, and exposes the schema in the EMM administrator console. The console allows Intune administrators to configure the settings in the schema.

When the OEMConfig app is installed on a device, it can use the settings configured in the EMM administrator console to manage the device. Settings on the device are executed by the OEMConfig app, instead of an MDM agent built by the EMM.

When the OEM adds and improves management features, the OEM also updates the app in Google Play. As an administrator, you get these new features and updates (including fixes) without waiting for EMMs to include these updates.”

Source: https://docs.microsoft.com/en-us/intune/android-oem-configuration-overview

Although Samsung offers OEMConfig settings, some Samsung features/settings require a Samsung license, for more details please visit: https://www.samsungknox.com/en/blog/knox-platform-and-android-enterprise

Intune documention on OEMConfig may be found here: https://docs.microsoft.com/en-us/intune/android-oem-configuration-overview

Let’s get started with OEMConfig with Intune and a Samsung device

Samsung Knox Service Plugin

First, let’s add the Knox Service Plugin from the Managed Google Play store which is required to deploy OEMConfig policies to Samsung devices.

Assumptions: Intune is already connected to Managed Google Play, if it’s not you can find details on how to do this by visiting: https://docs.microsoft.com/en-us/intune/connect-intune-android-enterprise

We’ll do this by navigating to https://devicemanagement.microsoft.com -> Client apps -> Apps -> Add -> App type = “Managed Google Play” -> select Managed Google Play Approve

To learn more about Samsung OEMConfig settings, browse through the Knox Service Plugin (KSP) admin guide: https://docs.samsungknox.com/knox-service-plugin/admin-guide/welcome.htm

Creating an OEMConfig profile for Samsung in Intune

Navigate to Device configuration -> Profiles -> Create profile -> add a name -> Platform = Android Enterprise -> Profile type = OEMConfig

Associated app = Knox Service Plugin – this is the app added in the previous step.

Select OK after selecting Knox Service Plugin.

After selecting OK we’re taken to Settings where we’ll see a full page of JSON. Don’t be intimidated it’s straight forward once you understand the structure which are just key/value pairs.

Update: as of the Intune 1907 release there is now a configuration designer with a UI, so no need to edit JSON.

2019-07-30_10-28-52

Continue reading for additional details about these settings and details about JSON if you prefer to edit manually:

Either select all and copy or select Download JSON template and open in your favorite text editor.

There are a couple values I want to point out in the JSON:

I mentioned at the beginning some Knox features/settings may require an additional Samsung license, this is where the license key would be set:

We want to turn on the policies, do this by setting doPoliciesIsControlled to “true

Troubleshooting – everyone likes an easy method to troubleshoot a device and by setting verboseMode to “true” will enable you to view the policies deployed to the device via the Knox Service Plugin app. More on this later in the post.

There many settings that are controlled with OEMConfig, however for the purposes of this post I’m going to turn off face recognition and only allow fingerprint. Disable face recognition by setting doPasswordBioFace to “false“.

Note: blocking the ability to use Face unlock to unlock the phone doesn’t prevent the device user from adding their face recognition. They just won’t be able to log in with face recognition as password and fingerprint are allowed in the OEMConfig.

Once you’ve completed filling out the JSON, copy and paste into Intune where you originally copied the JSON from and select OK then Save.

Note: you don’t have to have every key/value in the profile present, feel free to delete key/values from the JSON, just make sure the formatting is correct.

Device view

Once the policy is targeted to device it should only be a few seconds or so before the policy gets pushed to the device through Google services.

We can check if the policy deployed by opening the Knox Service Plugin app and selecting “Configuration on yyyy/mm/dd” (e.g. “Configuration on 2019/07/08”)

Select the “Configuration results” dropdown and select “Policies received” and from here we see the same JSON that was deployed from Intune.

Look for the password policy in the JSON as shown below:

On the same Samsung device navigate to Settings -> Biometrics and security -> Face recognition -> enter your password if prompted and we see “Face unlock” is disabled.  Again, we can add face recognition, however we can’t use it to unlock the device, so it’s essentially benign.

Here’s a video of the process above:

C02937BC-C8ED-4E0A-A3B2-3915A014D37A