OSX, MX and Android version information for a device can be found in the Android Settings panel or by querying the device through ADB, EMDK or the MX CSP.
The Access Manager (AccessMgr) enables an admin to configure a device to control which user or "installable" application(s) can be used on the device and what actions the application(s) can perform.
A key feature of AccessMgr is the ability to enable and disable "whitelisting," a process that allows only those applications explicitly specified in a list to run. Whitelisting is disabled by default and imposes no restrictions. When whitelisting is turned on, various restrictions can be applied using AccessMgr. Applications NOT included in the "whitelist" are prevented from running. AccessMgr allows whitelist applications to be installed, launched and maintained, and can control which applications are allowed to submit XML for all CSPs, including AccessMgr itself.
Whitelisting applies only to user applications; it has no effect on System applications, which come preinstalled on the device. To control aspects of System applications, see AppMgr. Whitelisting can be used to control whether a device user is allowed to install a user application, but cannot control whether an application can be installed programmatically by using AppMgr. Whitelisting also can be used to control whether a user application can be launched (by any means) once it is installed. AccessMgr also provides the option to control whether the device user can access a full or reduced version of the Android Settings panel.
IMPORTANT: If an app uses AccessMgr to enable whitelisting, the app itself becomes subject to whitelisting and is prevented from running if it fails to add itself to the whitelist. Also, if such an app does not explicitly allow itself to submit XML, it would be unable to alter that configuration, once successfully applied.
Signature files can be used by Access Manager to provide added levels of application security, including control over approving apps to run and permission to add apps (or one or more of an app's functions) to a Function Group.
To understand how to obtain an app signature, please see the SigTools sample app.
This is the On/Off switch for whitelisting, which restricts the apps that a device user can install and/or launch. Whitelisting is Off by default, imposing no restrictions. Whitelisting provides device security by preventing the installation and/or use of unauthorized apps, and by complicating the process of app deployment.
IMPORTANT: Access Manager controls access to apps; it does NOT install or uninstall apps. Activating whitelist restrictions after an app is installed, or removing an app from an existing whitelist, blocks access to that app; it does not uninstall it. Such apps remain on the device and become accessible if whitelisting restrictions are removed.
Parm Name: OperationMode
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do not change | This value (or the absence of this parm from the XML) causes no change; any prior settings are retained. | | | MX: 9.2+ |
1 | Single User without Whitelist | Turns off whitelisting and all associated functionality. | | | OSX: 1.0+ MX: 4.1+ |
2 | Single User with Whitelist | Turns on whitelisting and associated functionality. | | | OSX: 1.0+ MX: 4.1+ |
Select whether to add Packages to the "whitelist" and allow them to submit XML.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AddPackagesActionAllowXML
Used to enter Package Names to be deleted from the "whitelist."
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Shown if: The Operation Mode is "Single User With Whitelist" AND Delete Packages is "Delete specified Packages(s)"
Parm Name: DeletePackageNames
Requires:
- OSX: 1.0+
- MX: 4.1+
Used to enter Package Names to add to the "whitelist."
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages is "Add Specified Package(s)"
Parm Name: AddPackageNames
Requires:
- OSX: 1.0+
- MX: 4.1+
Used to add Packages to the "whitelist," which prevents the app from submitting XML. To allow an app to submit XML, see the "Add Packages and Allow to Submit XML" parameter.
Note: It is important to understand that if an application uses the AccessMgr to turn on Whitelisting, the app itself becomes subject to Whitelisting. If the app does not add itself to the "white list," that application is prevented from running. Also, if such an app does not explicitly allow itself to submit XML, it is not able to alter that configuration once successfully applied.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AddPackagesAction
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Add No Packages | This value will not cause any Package Names to be added to the "whitelist." | | | OSX: 1.0+ MX: 4.1+ |
1 | Add Specified Package(s) | This value will cause the specified Package Names to be added to the "whitelist." | | | OSX: 1.0+ MX: 4.1+ |
Controls the level of access to the Android Settings panel a device user is granted.
Note: This parameter takes priority over the "Quick Settings" parameter of UI Manager. If Reduced Access is enabled, later attempts to enable Quick Settings result in failure.
Parm Name: SystemSettings
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do not change | This value (or the absence of this parm from the XML) causes no change; any prior settings are retained. | | | MX: 11.3+ |
1 | Full Access | Allows full access to the Android Settings panel. | | | OSX: 3.5+ MX: 4.1+ |
2 | Reduced Access | Limits Settings panel access to Display, Volume and About features. | | | OSX: 3.5+ MX: 4.1+ |
3 | None | Prevents user access to the Android Settings panel. | | | OSX: 3.5+ MX: 4.1+ |
Controls whether Whitelisting verifies the signatures of apps, and if so, which app signatures are verified. Signature verification is turned off by default.
When Whitelisting is turned on but Signature verification is turned off, the determination of whether an application is on the "whitelist" is made solely by comparing the Android Package Name. This is insecure since it cannot prevent a potentially rogue application from setting its Package Name to one that is known to be on the "whitelist," and hence circumventing Whitelisting by impersonating a trusted application.
To increase security, Signature verification can be turned on. When Signature verification is turned on, the determination of whether an application is on the "whitelist" will be based on both its Package Name and its Signature. For that to work, the Signature must be provided for every application that is added to the "whitelist" so it can be compared against the actual Signature of that application.
Signature verification is more secure since only a specific "authentic" version, as identified by its Signature, of a given application, whose Package Name is on the "whitelist," will be allowed to be installed and launched. Turning on Signature verification also complicates the process of deploying applications since a unique Signature will need to be configured for each application as part of adding that application to the "whitelist."
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AppVerifySignMode
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do not change | This value (or the absence of this parm from the XML) causes no change; any previously selected setting is retained. | | | OSX: 3.5+ MX: 4.3+ |
1 | Do not verify app signature | This value will cause Signature verification to be turned off, thus causing Package Names alone to be used to determine if an application is on the "whitelist." | | | OSX: 3.5+ MX: 4.3+ |
2 | Verify user app signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if a user, or "installable," application is on the "whitelist." | | | OSX: 3.5+ MX: 4.3+ |
3 | Verify all apps signature | This value will cause Signature verification to be turned on, thus causing Signature verification to be used in addition to Package Names to determine if any application, "built-in" or "installable," is on the "whitelist." | | | OSX: 3.5+ MX: 4.3+ |
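The two caveats described on this page (an app that turns on whitelisting must add itself to the whitelist and allow itself to submit XML, and matching is by Package Name alone unless Signature verification is on) can be checked before a profile is deployed. The following Python check is an added example, not Zebra code: it uses only parm names and option values documented on this page, while `lint_profile`, the finding codes, the `REVISED` profile and its signature value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Parms this page marks Deprecated for Android 13 and later (the subset that
# governs XML submission).
DEPRECATED_A13 = {
    "AddPackagesActionAllowXML", "AddPackageNamesAllowXML",
    "AddPackageSignAllowXML", "AllowSubmitXMLAction",
    "AllowSubmitXMLPackageNames", "DisallowSubmitXMLPackageNames",
}

def read_parms(xml_text):
    """Return {parm name: value} from the AccessMgr characteristic."""
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        if ch.get("type") == "AccessMgr":
            return {p.get("name"): p.get("value", "") for p in ch.iter("parm")}
    return {}

def names(parms, key):
    """Split a comma-separated package list into a set of names."""
    return {n.strip() for n in parms.get(key, "").split(",") if n.strip()}

def lint_profile(xml_text, submitting_package):
    """Static review of one profile; returns a list of finding codes.

    Only this profile is inspected: entries already on the device's
    whitelist from earlier profiles are not visible here.
    """
    parms = read_parms(xml_text)
    findings = []
    if parms.get("OperationMode") == "2":        # Single User with Whitelist
        added = names(parms, "AddPackageNamesAllowXML")
        if parms.get("AddPackagesAction") == "1":
            added |= names(parms, "AddPackageNames")
        if submitting_package not in added:
            findings.append("SELF_NOT_WHITELISTED")
        # Option values of AllowSubmitXMLAction are not listed on the page,
        # so only the package-name lists are compared.
        may_submit = (names(parms, "AllowSubmitXMLPackageNames")
                      | names(parms, "AddPackageNamesAllowXML"))
        may_submit -= names(parms, "DisallowSubmitXMLPackageNames")
        if submitting_package not in may_submit:
            findings.append("SELF_CANNOT_SUBMIT_XML")
        mode = parms.get("AppVerifySignMode", "0")
        if mode == "0":      # no change: device keeps prior setting (default off)
            findings.append("SIGN_MODE_NOT_SET")
        elif mode == "1":    # whitelist matched on Package Name alone
            findings.append("NAME_ONLY_MATCH")
        elif names(parms, "AddPackageNames") and not parms.get("AddPackageSign"):
            findings.append("SIGNATURE_MISSING")
    used = sorted(DEPRECATED_A13.intersection(parms))
    if used:
        findings.append("DEPRECATED_A13:" + ",".join(used))
    return findings

# The page's own whitelist example profile.
PAGE_EXAMPLE = """<wap-provisioningdoc>
<characteristic version="4.3" type="AccessMgr">
<parm name="OperationMode" value="2" />
<parm name="SystemSettings" value="1" />
<parm name="DeletePackagesAction" value="0" />
<parm name="AddPackagesAction" value="1" />
<parm name="AddPackageNames" value="com.mypackage" />
</characteristic>
</wap-provisioningdoc>"""

# Constructed variant; the AddPackageSign value is a placeholder, not a real file.
REVISED = """<wap-provisioningdoc>
<characteristic version="4.3" type="AccessMgr">
<parm name="OperationMode" value="2" />
<parm name="AppVerifySignMode" value="2" />
<parm name="AddPackagesAction" value="1" />
<parm name="AddPackageNames" value="com.mypackage" />
<parm name="AddPackageSign" value="PLACEHOLDER_SIGNATURE_FILE" />
<parm name="AllowSubmitXMLAction" value="1" />
<parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
</characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    for label, doc in (("page example", PAGE_EXAMPLE), ("revised", REVISED)):
        print(label, lint_profile(doc, "com.mypackage"))
```

The revised profile still reports the submit-XML parms as deprecated, which reflects the page's statement that on Android 13 and later this control moves to Delegation Scopes.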
Used to enter Signature files to be added to the "whitelist."
Parm value input rules:
Shown if: The Application verification signing mode is "Do not verify app signature" or "Verify user app signature" AND Add Packages is "Add Specified Package(s)"
Parm Name: AddPackageSign
Requires:
- OSX: 3.4+
- MX: 4.3+
Used to delete Packages from the Whitelist.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: DeletePackagesAction
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Delete NO Packages | This value (or the absence of this parm from the XML) causes no change to device settings; all packages remain on the device. | | | OSX: 1.0+ MX: 4.1+ |
1 | Delete specified Packages(s) | Causes the selected Package Name(s) to be deleted from the "white list," blocking user or "installable" applications with those Package Names from being installed by the device user or launched. | | | OSX: 1.0+ MX: 4.1+ |
2 | Delete ALL Packages | Causes all Package Names to be deleted from the "white list," blocking all user or "installable" applications from being installed by the device user or launched. | | | OSX: 1.0+ MX: 4.1+ |
3 | Delete specified Signature(s) | When Signature verification is turned on, deletes one or more Signatures from the "white list," thus blocking user or "installable" applications with those Signatures from being installed by the device user or launched. | | | OSX: 1.0+ MX: 4.1+ |
Used to enter package signatures to be deleted.
Parm value input rules:
Shown if: Delete Packages is "Delete specified Signature(s)" AND the Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"
Parm Name: DeletePackageSign
Requires:
- OSX: 3.4+
- MX: 4.3+
Used to control which "installable" (non-System) applications can call controllable services running on the device. This allows an administrator to manage access to the services present in a device and the ability of apps to bind to and leverage callable services. This can be used, for example, to prevent access to services relating to sensitive functionality, or to prevent use of such services when they are not explicitly required for a particular usage scenario or app.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Parm Name: ServiceAccessAction
Used to enter the signature file on the device that contains the app certificate.
Parm value input rules:
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"
Parm Name: CallerSignature
Requires:
- MX: 8.3+
Used to enter the name of the caller token to be verified.
Parm value input rules:
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Service Access Action is "Verify Caller Token"
Parm Name: ServiceAccessToken
Requires:
- MX: 10.1+
Used to enter the service on which to perform a Service Access Action.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Service Access Action is NOT "Do Nothing"
Parm Name: ServiceIdentifier
Requires:
- MX: 8.3+
Used to enter the application package name on which to perform a Service Access Action.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Service Access Action is "Allow Caller," "Disallow Caller" or "Verify Caller"
Parm Name: CallerPackageName
Requires:
- MX: 8.3+
Used to enter Package Name(s) to add to the "whitelist," granting them the ability to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) adds no package names to the list.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages and Allow to Submit XML is "Allow specified application(s)"
Parm Name: AddPackageNamesAllowXML
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to enter Signatures to add to the "whitelist."
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Operation Mode is "Single User With Whitelist" AND Add Packages and Allow to Submit XML is "Allow specified application(s)" AND Application Verification Signing Mode is "Do not verify app signature," "Verify user app signature," or "Verify all apps signature"
Parm Name: AddPackageSignAllowXML
Requires:
- OSX: 3.4+
- MX: 4.3+
Select whether to allow the application to submit XML and thereby submit device configuration changes through the MX Management Framework.
NOTES:
- Can be used only when the Whitelist feature is enabled.
- Requires the EMDK for Android service package com.symbol.emdkservice on device.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Operation Mode is "Single User With Whitelist"
Parm Name: AllowSubmitXMLAction
Used to enter Package Names to allow to submit XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) prevents all package(s) from submitting XML.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: Allow the Application To Submit XML is "Allow specified application(s)"
Parm Name: AllowSubmitXMLPackageNames
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to enter Package Name(s) to prevent from submitting XML. Entering an empty (length of zero) value (or the absence of this parm from the XML) allows all packages to submit XML.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: Allow the Application To Submit XML is "Allow specified application(s)" or "Allow ALL applications that are permitted to be executed"
Parm Name: DisallowSubmitXMLPackageNames
Requires:
- OSX: 4.1+
- MX: 4.2+
Used to control which CSPs on a device are "Protected" from access by apps, and which apps are approved to access Protected CSPs. This can be used, for example, to prevent access to CSPs that provide sensitive functionality, or to allow only certain apps to access such CSPs. By default, all CSPs are Unprotected and accessible by all apps.
NOTE: This parameter is part of a Function Group called CSP Access Management, which can be used to prevent sensitive functions from being accessed by unauthorized apps.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Parm Name: CspAccessAction
Controls whether the application package calling the Protect Action is automatically approved to access the CSP on which the Protect Action is being applied.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The CSP Access Action is "Protect"
Parm Name: CspAutoApprove
Controls whether the name and signature of the application package calling the Unprotect Action is automatically removed from the "approved" list of the CSP on which the Unprotect Action is being applied.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The CSP Access Action is "Unprotect"
Parm Name: CspAutoUnapprove
Used to enter the CSP Name for the selected CSP Access Action.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The CSP Access Action is NOT "Do Nothing"
Parm Name: CspName
Used to enter the custom CSP name for a CSP Access Action when the CSP name is not shown on the CSP Names list.
Parm value input rules:
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The CSP Access Action is NOT "Do Nothing"
Parm Name: CspNameCustom
Requires:
- MX: 9.2+
Used to enter the application package name on which to perform certain CSP Access Actions.
Parm value input rules:
"com.mycompany.mypackage,com.mycompany2.mypackage2"
Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"
Parm Name: AppPackageName
Requires:
- MX: 9.2+
Used to enter the signature file for app certification.
Parm value input rules:
Shown if: The CSP Access Action is "Approve Application" or "Unapprove Application" or "Verify Approved"
Parm Name: AppSignature
Requires:
- MX: 9.2+
Used to select a Permission Action to perform on an app from the list of available permissions in the Permission Access Permission Name parameter. Once granted, permission is retained by the app unless explicitly revoked by a subsequent Permission Action, the app is uninstalled by any means, or an Enterprise Reset or Factory Reset is performed. If an app loses permission through uninstallation, permission can be re-granted only after the app is reinstalled.
Note: This feature requires MX 10.0.5.1 or later on the device.
Parm Name: PermissionAccessAction
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do Nothing | This value (or the absence of this parm from the XML) causes no change; any prior settings are retained. | | | MX: 10.0+ Android API: 26+ |
1 | Allow | Grants permission to an app. | | | MX: 10.0+ Android API: 26+ |
2 | Deny | Denies permission to an app. | | | MX: 10.0+ Android API: 26+ |
3 | Allow User to choose | Prompts device user to grant or deny permission to an app. | | | MX: 10.0+ Android API: 26+ |
4 | Verify | Verifies whether permission is granted to an app. | | | MX: 10.0+ Android API: 26+ |
Used to enter the Package Name of an application on which to perform the selected Permission Access Action.
Parm value input rules:
Shown if: The Permission Access Action is NOT "Do Nothing"
Parm Name: PermissionAccessPackageName
Requires:
- MX: 10.0+
- Android API: 26+
Used to enter the signature file for the app being acted upon by the selected Permission Access Action.
Parm value input rules:
Shown if: The Permission Access Action is NOT "Do Nothing"
Parm Name: PermissionAccessSignature
Requires:
- MX: 10.0+
Used to select the subsystem on the device to which to apply the permission being assigned to an app by the Permission Access Action parameter.
Note: This parameter can be used to grant or deny permission to installed apps. On devices running Android 10+, it also can "pre-grant" or "pre-deny" permission for apps yet to be installed.
Parm Name: PermissionAccessPermissionName
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
1 | android.permission.ACCESS_NOTIFICATIONS | Controls permission to access Notifications on the device. | | | MX: 10.0+ Android API: 27+ |
2 | android.permission.PACKAGE_USAGE_STATS | Controls permission to access app usage statistics for the device. | | | MX: 10.0+ Android API: 27+ |
3 | android.permission.SYSTEM_ALERT_WINDOW | Controls permission to use the System Alert Window, which allows one app to draw its window(s) over another. | | | MX: 10.0+ Android API: 27+ |
4 | android.permission.GET_APP_OPS_STATS | Controls permission to access app operations statistics, used to determine the resources being used by apps on the device. | | | MX: 10.0+ Android API: 27+ |
5 | android.permission.BATTERY_STATS | Controls permission to access battery statistics for the device. | | | MX: 10.0+ Android API: 27+ |
6 | android.permission.MANAGE_EXTERNAL_STORAGE | Controls management of USB and/or SD card storage media attached to the device. | | | MX: 10.4+ Android API: 30+ |
Used to select an Action to perform on new or existing Function Groups. A Function Group is a set of functions that an administrator can designate as "sensitive" and worthy of protection from unauthorized use by apps. For example, a "Communications" Function Group might designate certain functions from CellularMgr, GprsMgr and Wi-Fi CSPs as sensitive and limit access to authorized apps only.
By default, all features are Unprotected and all apps are Authorized to access all functions. Once a Function Group is created and set as Protected, all apps are prevented from accessing functions within that group except apps specifically Approved for access.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Parm Name: GroupAccessAction
Used to enter the Package Name of an application on which to perform the selected Group Access Action.
Parm value input rules:
Shown if: The Group Access Action is "ApproveApplication" or "UnapproveApplication" or "VerifyApproved"
Parm Name: GroupPackageName
Requires:
- MX: 10.0+
- Android API: 26+
Used to enter the signature of an application on which to perform the selected Group Access Action.
Parm value input rules:
Shown if: The Group Access Action is "ApproveApplication" or "UnapproveApplication" or "VerifyApproved"
Parm Name: GroupSignature
Requires:
- MX: 10.0+
- Android API: 26+
Used to enter the name of the Custom Function Group on which to perform the chosen Group Access Action.
Parm value input rules:
Shown if: The Group Select is "Custom" AND Group Access Action is NOT "Do Nothing" or "Create" or "Delete"
Parm Name: GroupSelectCustomName
Requires:
- MX: 10.0+
- Android API: 26+
Controls whether the application package calling a Protected Function Group is automatically unapproved to access the Function Group.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Group Access Action is "Unprotect"
Parm Name: GroupAutoUnapprove
Used to enter the Name of the Custom Function Group being defined.
Parm value input rules:
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Group Access Action is "Create" or "Delete"
Parm Name: GroupCustomName
Requires:
- MX: 10.0+
- Android API: 26+
Used to enter the CSP names and (optionally) the CSP parameter(s) and parameter values to add to a Custom Function Group. Entering the CSP name alone adds all CSP functions to the Function Group.
Parm value input rules:
CSPname, CSPname:parmName, CSPname:CSPparm={parmValue}
Example:
BluetoothMgr,UiMgr:NotificationPullDown,SdCardMgr:SdCardUsage={0}
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Group Access Action is "Create"
Parm Name: GroupCustomDetails
Requires:
- MX: 10.0+
- Android API: 26+
Controls whether the application package calling a Protected Function Group is automatically approved to access the group.
Status: Deprecated. In devices running Android 13 and later, this feature is replaced by Delegation Scopes, accessible only through StageNow and OEMConfig.
Shown if: The Group Access Action is "Protect"
Parm Name: GroupAutoApprove

<!-- Turn on whitelisting and add com.mypackage to the whitelist -->
<wap-provisioningdoc>
  <characteristic version="4.3" type="AccessMgr">
    <parm name="OperationMode" value="2" />
    <parm name="SystemSettings" value="1" />
    <parm name="DeletePackagesAction" value="0" />
    <parm name="AddPackagesAction" value="1" />
    <parm name="AddPackageNames" value="com.mypackage" />
  </characteristic>
</wap-provisioningdoc>

<!-- Whitelisting on: allow com.mypackage to submit XML, prevent com.mypackage2 from submitting XML -->
<wap-provisioningdoc>
  <characteristic version="4.3" type="AccessMgr">
    <parm name="OperationMode" value="2" />
    <parm name="SystemSettings" value="1" />
    <parm name="DeletePackagesAction" value="0" />
    <parm name="AddPackagesAction" value="0" />
    <parm name="AllowSubmitXMLAction" value="1" />
    <parm name="AllowSubmitXMLPackageNames" value="com.mypackage" />
    <parm name="DisallowSubmitXMLPackageNames" value="com.mypackage2" />
  </characteristic>
</wap-provisioningdoc>

<!-- Query the Package Names, Operation Mode and signature verification mode -->
<wap-provisioningdoc>
  <characteristic type="AccessMgr">
    <parm-query name="PackageNames"/>
    <parm-query name="OperationMode"/>
    <parm-query name="AppVerifySignMode"/>
  </characteristic>
</wap-provisioningdoc>