
Securing applications in the Android work profile

In this lab we are going to configure work profile settings for an Android device, so we can secure the behaviour of corporate applications and the interaction between these and personal apps.

You'll be using the Android device you already enrolled and used in previous labs.

Part 1: Downloading necessary applications

In this part we are going to download applications that will allow us to test the interaction between the personal and work profiles.

  1. On your Android device
    • Select the PERSONAL profile
    • Select Play Store
  1. To download a screen recorder app:
    • In the Search bar type screen recorder
    • Tap on AZ Screen Recorder
  1. In the AZ Screen Recorder application window, select Install
  1. In your Play Store app, at the top of the application window, select the Search icon
  1. In the Search bar, type keep and select the blue Search icon in the bottom-right corner
  1. Next to Google Keep, select Install
  1. Once the download completes move on to the next part.

Part 2: Testing initial copy and paste behaviour

In this part we are testing the default copy and paste behaviour between apps in the personal and work profiles, without any policies applied to them.

  1. On your Android device
    • Return to your device's Application Menu.
    • Select your WORK Profile
    • In your WORK Profile, open the Chrome browser
  1. If prompted, in the Welcome to Chrome screen, select Accept & continue
  1. If prompted to Turn on Sync, select No thanks
    • If prompted, in the Lite mode window, select Next
  1. If prompted, in the Sign in to Chrome window, select No Thanks
  1. In the Chrome Browser,
    • In the Search area,
      • Enter a website, like https://en.m.wikipedia.org/
  1. In your Wikipedia page
    • Copy a section of text. If you are using the emulator, double-click on the text and move the selection indicators to include more.
    • When you are done, close the Chrome window (use the "Menu" button and swipe up on your Chrome application)
  1. Open your Application Menu,
    • Select the Personal apps
    • Select the Google Keep app.
  1. On the Google Keep app select the Plus Sign to add a new note.
  1. Tap and hold within the main text field and Select Paste

Your paste operation should have been successful. That means there is no limitation on copy and paste operations between personal and work profiles with the current settings in Workspace ONE UEM. You can now close this window.

Part 3: Testing initial screen recording behaviour

  1. On your Android device
    • In the Application menu, select your PERSONAL profile
    • Open AZ Screen Recorder
  1. On the Draw over other apps prompt, select ALLOW. This will permit drawing over other apps
  1. In the application permission window:
    • Tap AZ Screen Recorder
    • Move the slider next to Allow display over other apps from NO to YES (blue)
    • Tap back twice to return to the application
  1. Select OK to acknowledge the information window
  1. Select the camera icon to start recording
  1. In the Allow AZ Screen Recorder window select Allow to grant device Access
  1. In the Allow AZ Screen Recorder to record audio window select While using the app to grant audio recording permission
  1. In the Exposing sensitive info during casting/recording window select Start now
  1. On your Android device
    • Switch to the Application Menu
    • Select your WORK profile
    • Open Chrome
  1. In the Chrome browser
    • Navigate to a different web page so we can try to capture a couple of seconds of video
    • Open the AZ Recorder menu by pressing the round red button sticking halfway out on the right side
    • Select the stop button
  1. In the Video saved window
    • Select Play to watch the resulting video
    • Tap Got it to continue watching the video in full screen
    • It should have captured what you did in your WORK profile Chrome application, which means there is currently no limitation on screen recording and the capture of your corporate apps.

Part 4: Creating a profile to protect the work apps

We are now going to configure a device profile to control the interaction between apps in the work and personal profiles. This configuration is done in the Workspace ONE UEM console, and you can do it from the browser on your own computer.

  1. From your browser,
    • Type https://cn-livefire.awmdm.com
    • Log in with the custom credentials you received in your email.
  1. In the Workspace ONE UEM Console, follow these steps to create a device profile:
    • On the left side Menu, select Devices
    • Expand Profiles & Resources
    • Select Profiles
    • Under Profiles, select ADD
    • In the ADD dropdown, select Add Profile
  1. In the Add Profile window
    • Select Android
  1. In the Add a New Android Profile window, General options
    • In the Name field, type Android Restrictions
    • In the "Managed By" field, ensure your Organizational Group is selected.
    • In the Smart Groups field, select All Devices
    • Scroll down to the end of the page
  1. Select VIEW DEVICE ASSIGNMENT
  1. In the VIEW DEVICE ASSIGNMENT window
    • Check the device list, and verify your enrolled Android device is there
    • Select CANCEL
  1. In the Add a New Android Profile window
    • In the left pane select Passcode
    • Select CONFIGURE in the main pane.
  1. On the Passcode settings:
    • Check the box next to Enable Work Passcode policy
    • Change the Minimum Passcode Length to 6
    • In the Passcode Content dropdown menu, select Any
    • Uncheck the box next to Allow One Lock.
      • This will force the user to configure a different passcode for the work profile.
  1. In the Add a New Android Profile window:
    • In the left-hand menu, select Restrictions
    • Select CONFIGURE
    • Please take a moment to look at the available options while going through the steps in this guide.
  1. Under Device functionality,
    • Uncheck the boxes next to Allow screen capture
      • Under both Work Managed Device and Work Profile
  1. Scroll down to the Work and Personal section:
    • Verify the box next to Allow pasting clipboard between work and personal apps is unchecked
    • Select SAVE AND PUBLISH
  1. In the view assignment window
    • Select PUBLISH.
      • You can now close this browser window.
      • It can take up to 5 minutes for the policies to reach the device, so it's a good time for a break.

Part 5: Testing the passcode policy

The following steps will make sure your device has synced and your profile has been downloaded. If you get a prompt saying "Your current passcode does not satisfy the requirement set by the organization", move on to step 3.

  1. On your Android device, from your Application menu:
    • Select the WORK profile
    • Open the Intelligent Hub
  1. In the Intelligent Hub on your Android device
    • Tap the "MD" icon on the top right (initials for Mark Debio)
    • Under Accounts, select This Device
    • In This Device, select Sync device
      • This will ensure that your profile is synced and will trigger the policies in the next step
  1. When prompted
    • In the "Your current passcode does not satisfy the requirement set by your organization" message
      • Select REVIEW
  1. In the Create a passcode for your Work Profile window
    • Select CREATE WORK PROFILE PASSCODE
  1. On the Choose screen lock window,
    • Select Continue without Pixel imprint
  1. In the Choose screen lock window
    • Select PIN
  1. In the Set a work PIN window
    • Type 111111 for the device PIN
    • Select NEXT
  1. On the Re-enter screen
    • Type 111111 for the device PIN
    • Select CONFIRM
  1. On the Lock screen window
    • Select DONE
  1. In the This Device window
    • Observe that your device shows up as Enrolled and Compliant
  1. On your Android Device
    • Switch to the Applications menu
    • Select your WORK profile
    • Open Chrome
      • Note: if you have difficulty getting this to work:
        • On your laptop / desktop:
          • Go to Android Studio.
          • Select your device and Cold Boot the device
        • Then go back to your WORK profile
        • Open Chrome
  1. On the Re-enter your PIN screen
    • Enter 111111
    • Select Enter

Part 6: Testing application behaviour

In this part we will check the behaviour of the applications after the policy is applied.

  1. On the corporate Chrome browser
    • Select and copy text from any website you left open in the previous step
    • After copying, close the browser
  1. From your Application menu,
    • Select your PERSONAL profile
    • Select Google Keep
  1. In Google Keep, Tap on the Plus Sign to create a new document
  1. In Google Keep
    • Tap and hold on the text field to attempt to Paste from the context menu.
    • The operation should fail due to the policy applied earlier
  1. In your Application menu, in the PERSONAL profile, open AZ Screen Recorder
  1. To start a recording:
    • Select the AZ icon sticking out of the right side
    • Select the Camera icon to start recording
    • When prompted tap Start now
  1. On your Applications menu,
    • Select the WORK profile
    • Open Chrome
  1. In your Chrome browser
    • Load a page to test whether the screen recorder continues to record
    • Stop the recording by tapping the Stop icon on the AZ Recorder app menu
  1. On your Android Device
    • Play the recording, and if prompted tap Got it in the "Viewing full Screen" prompt
    • It should show a black screen when you open Chrome. This means the policy is blocking the recording of the screen.

These results mean we successfully controlled the interaction between personal and work profiles. In a real scenario, this would help organizations prevent data leaks from the use of personal devices.
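
The manual tests above confirm the behaviour from the user's side. The following added example (not part of the original lab or of Workspace ONE) checks the device's own policy state for the four settings configured in Part 4, using the output of adb shell dumpsys device_policy. The key names it matches, the mapping of Allow One Lock to no_unified_password, and the sample dump are assumptions; the dump format differs between Android releases.

```shell
#!/bin/sh
# Added example, not part of the lab. The key names matched below are
# assumptions about the dumpsys format, which differs between Android releases.
# Real use:  adb shell dumpsys device_policy | check_work_profile_policy

# Constructed sample of a dump taken after the profile has been delivered.
SAMPLE_DUMP='Profile Owner (User 10):
  admin=ComponentInfo{com.example.dpc/com.example.dpc.AdminReceiver}
    minimumPasswordLength=6
    disableScreenCapture=true
    userRestrictions:
      no_cross_profile_copy_paste
      no_unified_password'

# Helper: $1 = label, $2 = extended regex that must appear in $dump.
_expect() {
    if printf '%s\n' "$dump" | grep -Eq "$2"; then
        echo "PASS  $1"
    else
        echo "FAIL  $1"
        missing=$((missing + 1))
    fi
}

# Reads a device_policy dump on stdin, prints one line per control and
# returns the number of controls not found (0 means all four are applied).
check_work_profile_policy() {
    dump=$(cat)
    missing=0
    _expect "screen capture disabled"         '^[[:space:]]*disableScreenCapture=true'
    _expect "work/personal clipboard blocked" 'no_cross_profile_copy_paste'
    _expect "separate work passcode required" 'no_unified_password'
    # Highest minimum length set by any admin in the dump; the lab sets 6.
    len=$(printf '%s\n' "$dump" |
        sed -n 's/.*minimumPasswordLength=\([0-9][0-9]*\).*/\1/p' | sort -n | tail -n 1)
    if [ "${len:-0}" -ge 6 ]; then
        echo "PASS  work passcode minimum length is $len"
    else
        echo "FAIL  work passcode minimum length is ${len:-unset}"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | check_work_profile_policy
```

A non-zero exit status is the number of controls that were not found, which makes the check usable after the sync in Part 5 to tell a profile that has not arrived yet from one that arrived incomplete.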
