AirWatch Android SDK Technical

Implementation Guide
Empowering your enterprise applications with MDM capabilities using
AirWatch v7.1
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
2014 AirWatch, LLC All Rights Reserved.
This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.
Table of Contents
Introduction to the AirWatch SDK for Android 3
Overview 3
In This Guide 3
Before You Begin 4
Overview 4
In This Section 4
Supported Operating System Version 4
Recommended Reading 4
Getting Started 4
Implementing SDK Functionality 7
Overview 7
In This Section 7
Using the AirWatch SDK Library Javadoc 7
Deploying Your SDK-Enabled Application 9
Overview 9
In This Topic 9
Create an SDK Profile 9
Upload and Deploy Your Internal Application 12
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 2
Introduction to the AirWatch SDK for Android
Overview
The AirWatch Software Development Kit (SDK) for Android allows you to empower your enterprise applications with
MDM capabilities. By incorporating AirWatch SDK code within your Android app project, you can use AirWatch
information such as enrollment or compromised status to add a layer of security and business logic however you see fit
within your application. You can take advantage of any of the following Android SDK features:
l Retrieve SDK Information such as API version and SDK usage permission.
l Retrieve device enrollment information such as the enrollment state, AirWatch environment name and
Organizational Group.
l Retrieve device information such as AirWatch device ID, compliance status, compromised status and OEM enterprise
device status/details.
l Provide in-app authentication by AirWatch user account (basic or AD/LDAP) or passcode. Two-factor authentication
can be implemented as well with both Username/Password and passcode authentication.
l Enforce application restrictions, including Bluetooth, camera, offline mode and copy/paste.
In This Guide
l Before You Begin Viewsupported components and Complete these tasks so that your Android applications built
with the AirWatch SDK work with AirWatch.
l Implementing SDK Functionality Implement these Javadoc tools into your application.
l Deploying Your SDK-Enabled Application Add the application to your AirWatch deployment so you can manage it
along with your other internal applications.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 3
Introduction to the AirWatch SDK for Android
Before You Begin
Overview
Before implementing an AirWatch SDK application for Android, you should consider the following prerequisites,
requirements, supporting materials and helpful suggestions from the AirWatch team. Familiarizing yourself with the
information available in this section will help prepare you for implementing you AirWatch SDK application for Android.
In This Section
l Supported Operating System Version Viewa list of supported operating systems.
l Recommended Reading Reviewhelpful background and supporting information available from other AirWatch
guides. Access all of these guides on the AirWatch Resources Portal (http://resources.air-watch.com).
l Getting Started Set up your AirWatch SDK application for Android using some recommendations and tips from the
AirWatch team to streamline implementation.
Supported Operating System Version
You must use Android OS v2.3+ in order to integrate with the AirWatch SDK for Android.
Recommended Reading
l Mobile Application Management (MAM) Guide Read about howto manage Android applications using the
AirWatch Admin Console.
l Android Platform Guide for AirWatch Read about the ways AirWatch manages Android capabilities for your mobile
fleet.
Getting Started
There are several steps you must complete before you can take advantage of SDK features within your application:
1. Add your developer public key to the list of trusted sources within the AirWatch Agent.
2. Set up a broadcast receiver within your application to detect when the AirWatch Agent has an SDK profile available
for installation.
3. Include the AirWatch SDK Library within your application to enable the framework to process and communicate with
the AirWatch Agent.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 4
Before You Begin
Integrating with AirWatch Using the Agent
In order to securely authenticate and establish communication between your application and the AirWatch Agent, a
record of your developer public key must be added to a list of trusted sources embedded within the public AirWatch
Agent. The public key is added automatically when you use the AirWatch Agent to establish communication.
Establishing Communication
Deploy any AirWatch SDK-enabled application as a managed application in the AirWatch Admin Console. During the
MDM deployment of your application, some additional information embeds in your application so the SDK can initialize
correctly the first time.
This method works best for deploying your AirWatch SDK applications for production using the AirWatch Admin Console.
Note: You must enable the option Application Uses AirWatch SDK or the application does not integrate with the
AirWatch solution. You do not have to apply an SDK profile for testing. However, you must apply either a default
application or custom SDK profile in order for your features to work. You can access this option when you upload or
edit the setting of your application in the AirWatch Admin Console at Apps & Books Applications List View
Internal tab. See the Mobile Application Management (MAM) Guide for details on uploading and editing internal
applications.
SDK Process Flow
All communications between the AirWatch Admin Console and an enrolled device occur through the AirWatch Agent. The
steps belowdemonstrate the process flowof an application profile between the AirWatch Admin Console, the AirWatch
Agent and your SDK-enabled application.
1. The AirWatch Agent receives a profile targeted for your application from the AirWatch Admin Console.
2. Anotification is sent from the Agent to your application indicating that a profile is available.
3. Your application uses the built-in SDK functionality to bind to the Agents remote procedure call service (AIDL)
through a service API.
4. Your application processes the profile payload to use the SDK functionality for any logic coded within the application.
5. Once complete, an acknowledgement stating that the profile was received and processed is sent to the agent.
Setting Up a Broadcast Receiver
While you are becoming a trusted source, you can begin coding within your application by setting up a broadcast
receiver. When the agent receives a targeted profile from the AirWatch Admin Console, it sends a broadcast to the
application notifying there is a profile waiting. The application must implement a broadcast receiver to receive this
notification.
First, set the permissions and register the receiver in the AndroidManifest.xml for the application as follows, where
com.myapplication is the applications package identifier:
<permission android:name="com.airwatch.admin.sdk.BROADCAST"/>
<uses-permission android:name="com.airwatch.admin.sdk.BROADCAST"/>
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 5
Before You Begin

<application>
<receiver android:name=" com.myapplication.MyReceiver"
android:permission="com.airwatch.admin.sdk.BROADCAST" >
<intent-filter>
<action
android:name="com.myapplication.airwatchsdk.BROADCAST" />
</intent-filter>
</receiver>

</application>
Next, implement the AirWatchSDKIntentService class within the Root package directory as follows:
public class AirWatchSDKIntentService extend
AirWatchSDKBaseIntentService {
@Override
protected void onApplicationProfileReceived(Context context,
String profileId, ApplicationProfile awAppProfile) {
// ApplicationProfile Id and Object Received
}
}
}
Including the AirWatch SDK Library
Once you have fully set up a broadcast receiver within your application, you must include the AirWatch SDK library within
your project.
1. Locate the airwatchsdk.jar and gson-2.1.jar files provided by AirWatch.
2. Add these libraries to the Libs folder of your application and make sure they are exported in the Java build path.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 6
Before You Begin
Implementing SDK Functionality
Overview
At this point, your application is able to receive broadcasts from the AirWatch Agent and securely process SDK Profiles
from the AirWatch Admin Console. You can nowbegin enhancing your application with security and configuration
settings available in the Android SDK.
In This Section
Using the SDK Library Javadoc implement these processes into your Android application.
Using the AirWatch SDK Library Javadoc
Get started with implementing SDK functionality by referring to the AirWatch SDK Library Javadoc where you can find a
complete list of packages, classes and available methods at your disposal. The AirWatch SDK Library Javadoc was
bundled as part of what AirWatch provided to you as a registered user of the AirWatch SDK for Android. To open it,
access Index.html from the AirWatch SDK Docs folder.
As you implement the various SDK functions in your application, keep in mind that AirWatchSDKManager.init(Context)
should be the first method used to get AirWatchSDKManager and establish a connection between your application and
the AirWatch Agent. On any failure, it will throwAirWatchSDKException. This is a blocking call and should not be called on
UI Thread.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 7
Implementing SDK Functionality
The instance received from this initial call can then be used to perform method calls that are provided in the AirWatch
SDK Library Javadoc. An example used to detect enrollment status is shown below:
new Thread(new Runnable() {
@Override
public void run() {
try {
AirWatchSDKManager awSDKManager =
AirWatchSDKManager.init(getApplicationContext());
boolean result = awSDKManager.isEnrolled();
// process result
} catch(AirWatchSDKException e) {
// process exception
}
}
}).start();
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 8
Implementing SDK Functionality
Deploying Your SDK-Enabled Application
Overview
Once you have completed coding your application you can use AirWatch to automatically distribute and track your
application as it is deployed to your users. The deployment process has two steps.
1. Create a default application or custom SDK profile in the AirWatch Admin Console. If you want to apply certificates to
the application, also configure an application profile.
2. Upload your application to the AirWatch Admin Console, ensuring to apply the SDK profile and application profile to
the application.
In This Topic
l Create an SDK Profile Decide to add shared, custom or both SDK profiles settings to your internal application.
l Upload and Deploy Your Internal Application Upload and publish your internal application using the AirWatch
Admin Console.
Create an SDK Profile
You can create a default application or custom SDK profile. Adefault application SDK profile can set global configurations
across an OG. Acustom SDK profile customizes SDK application behavior. You can create one or both kinds depending on
the needs of your mobile environment.
Configuring Default Application SDK Profiles
Set default configurations for SDK applications to use a single set of options across multiple applications in the AirWatch
Admin Console. The configuration process is detailed in the Mobile Application Management (MAM) Guide in the
Advanced Management section. Find the default application SDK profiles settings in Groups & Settings All Settings
Apps Settings and Policies.
Configuring Custom SDK Profiles
If you want to create exceptions to your default application SDK configurations, use custom SDK profiles. You can
configure the following payloads:
l Authentication
l Restrictions
l Compliance
l Offline Access
l Proxy
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 9
Deploying Your SDK-Enabled Application
l Network Access
l Custom Settings
Initial Configuration
Followthese initial steps for all custom SDK profiles.
1. Navigate to Groups & Settings All Settings Apps Settings and Policies Profiles.
2. Click Add Profile, select SDK Profile and choose Android as the platform.
3. Complete the information on the General tab.
4. Select a payload to add to your custom SDK profile. Consider configuring one payload per profile because this makes
it easier to organize your profiles and configurations.
Authentication Payload
1. Single Sign On Enable SSO to apply a single identity, encrypted on the device, to access all AirWatch applications.
Note: You must have the AirWatch Workspace application installed in your mobile deployment for SSO
configurations to work.
Integrated Authentication Allows access to corporate resources, such as content repositories, through the
Workspace using corporate credentials. These credentials are not the same as the SSO credentials.
Enter systems in the Allowed Sites field if you want to restrict Workspace access to a specific set of sites. This feature
ensures that AirWatch does not expose credentials to non-trusted resources.
2. Authentication Type Sets howto authenticate with the application. Choose Passcode or User Name And
Password.
Passcode options include the following settings:
l Passcode Mode sets a passcode requirement for the AirWatch applications in the AirWatchWorkspace and for
AirWatch applications that have the default application SDK profile applied to them. If you enable SSO, then the
AirWatch Workspace application applies the Passcode Mode settings across all AirWatch applications. If you do
not apply SSO, then end-users have to log in to each AirWatch application, separately.
l Passcode Timeout Sets the allowable time the passcode accesses applications before it ceases access due to
inactivity.
l Allow Simple Sets the passcode to allowsimple strings.
l Minimum Passcode Length Sets the minimum number of characters for the passcode.
l Minimum Number Complex Characters, Alphanumeric Sets the minimum number of complex characters for
the passcode.
l Maximum Passcode Age (days) Sets the time frame for using the passcode.
l Passcode History Sets the number of passcodes the AirWatch Admin Console stores so that users cannot re-
use passcodes for a specified time frame.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 10
Deploying Your SDK-Enabled Application
l Maximum Failed Attempts Sets the maximum times a user can login with the passcode before having an
action taken in response to the failed attempts.
User Name And Password options include the following settings:
l Passcode Timeout Sets the allowable time the passcode accesses applications before it ceases access due to
inactivity.
l Maximum Failed Attempts Sets the maximum times a user can login with the passcode before having an
action taken in response to the failed attempts.
Restrictions Payload
1. Enable Data Loss Prevention (iOS and Android) Sets restrictions on sensitive data on devices.
2. Enable Printing (iOS) Allows printing data from wrapped applications.
3. Enable Copy/Paste (iOS and Android) Allows the copying and pasting of data in wrapped applications.
4. Enable Watermark (iOS and Android) Allows you to put a watermark on documents you store and distrubute using
the Secure Content Locker (SCL).
Overlay Text Enter the text for the watermark. Enter static text or use lookup values for your watermark.
5. Restrict documents to be opened in following apps (iOS and Android) Authorizes only select applications to open
documents from wrapped applications. The feature requires the provision of the Bundle ID/Package ID of the
allowed application to open documents. Enter the allowed applications in the Applications field.
Compliance Payload
Enable Compromised Protection Sets protection for the application against a device in a compromised status.
Offline Access
Enable Offline Access Allowaccess to the application when devices are not connected to the mobile network. Set a
maximum time for offline access. The Maximum period of time allowed to be offline option ensures the system has
access to devices periodically to check their compliance and security status.
Proxy
1. Enable App Tunnel Allows the application to travel through a VPNor reverse proxy.
2. App Tunnel Mode Select what proxy to use for app tunneling: Mobile Access Gateway, F5 or Standard Proxy.
3. App Tunnel Domains Enter domains to route through the App Tunnel. All traffic not listed here, goes directly to the
Internet. If nothing is listed here, all traffic directs through the App Tunnel.
Network Access
Enable Network Access Allows applications to access the mobile network. Control the type of network, cellular or Wi-Fi,
and control the Service Set Identifiers (SSIDs) in the Allowed SSIDs field.
Custom Settings
Custom Settings Enter XML code to add functionality or features that does not currently support. If you do not want to
wait for the newest release of to be able to control these settings, you can use the Custom Settings options and
XMLcode to manually enable or disable certain settings.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 11
Deploying Your SDK-Enabled Application
Configuring an Application Profile
An Application Profile works with an SDK profile. It configures a Credentials payload for Android applications and this
payload uses certificates to authenticate devices to internal applications associated with this application profile.
The AirWatch Admin Console integrates with your public key infrastructure (PKI) so that devices can communicate
securely on public networks.
Choose to upload certificates or distribute certificates from a defined certificate authority (CA).
1. Navigate to Groups & Settings All Settings Apps Settings and Policies Profiles
2. Click Add Profile and select Application Profile.
3. Select Android as the platform.
4. Complete the General information and then select the Credentials tab.
5. Credential Source Upload a certificate from your local machine or define a Defined Certificate Authority.
6. Credential Name for personal certificates [Upload] Upload the newcertificate using the Upload button or use
lookup values like {EmailDomain} and {DeviceModel} to find the credential file to use.
7. Certificate Authority for the Defined Certificate Authority Select the external or internal CAissuing encryption
keys for the PKI.
8. Certificate Template for the Defined Certificate Authority Select the predefined template for the CAto use when
requesting a certificate.
Upload and Deploy Your Internal Application
Upload your internal application to the AirWatch Admin Console. This process is outlined in the Mobile Application
Management (MAM) Guide.
On the Deployment tab, select Application uses the AirWatch SDK and then choose the SDK profile that you previously
created.
l Shared profile Use the option Android Default Settings @ [Organization Group].
l Custom profile Any custom Android SDK profile. If this application uses certificates, also select the applicable
Application Profile from the Application Profile menu.
Additional License Details
The Android SDK uses some open source components that require licenses to be disclosed in your application. You will
find the license files for any dependent resources in the distribution package and you must include the contents of this
file in your application licensing information.
AirWatch Android SDKTechnical Implementation Guide | v.2014.02 | February 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary &Confidential.
Page 12
Deploying Your SDK-Enabled Application