Securing Zebra TC20/TC25 hand scanners

We are investigating moving from Windows CE hand scanners in the warehouse to Android-based Zebra TC20 and TC25 handheld scanners. The Zebra reseller advises SOTI for Mobile Device Management. I prefer a one-solution environment such as Sophos Central. 

What we want to do is lock down the device:

- User cannot change the configuration of the device.

- Remote install apps; some are from the app store, like Wavelink Velocity or Zebra Enterprise Browser, but one is from our own Neptune for SAP development tool. 

- User can only access predefined apps and destinations and cannot change the configuration of the device.

- Administer the devices remotely

- Be able to connect to a device remotely as help desk.

- Allow the user to create print screens and send them to the help desk.

These are things the reseller could do with SOTI. 

On the TC25 the user can also call and receive calls. 


I have enrolled one Android test device in Sophos Central Mobile, but I fail to see how I can create user profiles and lock profiles down.

Furthermore, does it have a remote connection manager to administer the device, or to create print screens?

Pointers are appreciated.

Kind regards,

Fred Blum


  • Hi

    I'd like to know the operating system these Android-based scanners have. 

    Please refer to these release notes, where the supported OSes are mentioned.

    Please refer to this document which has all the information on how you can configure the mobile device.

  • In reply to Jasmin:

    The OS of the TC20 is Android 8.1.0.

    This is a pre-sales situation for Sophos Mobile with a test licence of a month, with only 17 days left. Help from pre-sales or a reseller would be helpful. Our current reseller is not.

    Basically we want two user profiles.

    TC20 

    1] A basic user can unlock it with a PIN; autostart runs the default app Velocity with one session URL. 

    2] An admin user can unlock it and has no limitations.


    TC25

    1] A basic user can unlock it with a PIN; autostart runs the default app Velocity with one session URL. 

    He can use the phone and be called. 

    2] An admin user can unlock it and has no limitations.


    From what I understand, I need to blacklist all apps on the Android device! Whitelisting just one app is a lot easier.


    Regards,

    Fred

  • In reply to Fred Blum:

    Hi

    Please refer to this document, and refer to the sections Android Enterprise and Sophos Container in the left-hand pane in detail. You'll get an overview of how you can configure this device.

  • In reply to Jasmin:

    These mobile devices are on a VLAN with no internet access.

    Which destinations and ports need to be open for the Sophos Mobile Control app to communicate with Sophos Central Mobile?

    Kind regards,

    Fred

  • In reply to Fred Blum:

    Hi

    An Internet connection on the devices is needed in order to enrol the devices and make them able to communicate with Sophos Central.

  • In reply to Jasmin:

    Hello Jasmin,


    The question was which ports and destinations need to be enabled for the Sophos Mobile Control client to connect to Sophos Central Mobile. 

    And I did not find an option to remotely connect to and control the device. So is an app like TeamViewer also necessary?

    Kind regards,

    Fred

  • In reply to Fred Blum:

    Hi

    An Internet connection is the primary requirement, which is not available on the devices as per your comment above. 

    Generally, we have not come across scenarios where devices within the corporate network need to be enrolled with Sophos Mobile; still, please refer to this article.

    Apart from that, all the Google service domains and ports should be opened to install applications on them.

    For remote administration, you need to have different software.

  • In reply to Jasmin:

    "An Internet connection is the primary requirement, which is not available on the devices as per your comment above.

    Generally, we have not come across scenarios where devices within the corporate network need to be enrolled with Sophos Mobile,"


    The TC20s are dumb kiosk hand scanners that only need to connect to our company's SAP ITS Mobile server. Nothing more, nothing less. Android is a box full of security risks, and for that reason we need to be able to lock down the mobile device to kiosk mode to only allow the use of one application, Wavelink Velocity, an industrial browser. With Microsoft you were able to do that with accounts. 

    This is not a bring your own device scenario. Thanks for the information I will allow those destinations out on the XG firewall.

    In Sophos Mobile the scanners are corporate owned, Google Enterprise fully managed, and kiosk mode is enabled in the policy with an App Group with the allowed apps. I have executed a task bundle to update the policy. That shows as successful. 

    The device is compliant in the Sophos app and connected, but still I can use whatever app I choose. 

    I have set the App Group in App Permissions and in Kiosk Mode of the policy assigned to the device. Still, this does not seem to be a whitelist of only the apps allowed.

    Kind regards,

    Fred


  • In reply to Fred Blum:

    Hi

    In Kiosk Mode, you have only included the group of the two applications you mentioned above. App Permissions is only useful for the default Android applications like Calendar, etc. You can use App Control to block the remaining installed apps on the devices, which will block the listed applications from being opened.

  • In reply to Jasmin:

    My trial period has been extended for another month.

    The status is that none of the Android Enterprise policies defined worked, as the devices are still in device mode. Android Enterprise was set up using the wizard, but after enrolling a device the management mode was not set to Enterprise. Hence Enterprise policies could not be applied, hence they won't work.

    I created a Legacy policy and then everything works as expected. 

    I have reported the following issues to the pre-sales consultant, but they remain silent.

    -       Sophos assumes that users will install the devices themselves, download the app and enrol from an e-mail. The enrolment QR code is only shown once to administrators in Central, just after creation of the device. The QR code or manual code cannot be accessed anymore in Central. 

    -       The Google account for downloading the app with afw#sophos in the app store does not work. Used my own Google account to download and removed it afterwards. The devices do not have a Google account.

    -       App installs without problems. User needs to acknowledge giving rights to the app. After allowing everything, the right to change system settings is still set to no in Android settings. Also Follow User rights are set to off. Are these not required by the Control and Intercept apps?

    -       Enrolling both Mobile Control and Intercept X with the same QR code won't work. Message: code already used on another device.

    -       Enrolling Intercept X and Mobile Control via separate wizards results in two QR codes, but also in two devices with the same name!

    -       Removal of not-allowed apps (task bundle remove apps) has to be accepted by the user on the device! Forced delete not possible.

    -       Some non-essential Android and device manufacturer system apps can't be removed with the task bundle remove apps. This will give a non-compliance, but better would have been blocking access to the apps.

    -       Although Android Enterprise is set up in Central, the devices remain in device management after enrolling. Applying the task bundle update policy with Android Enterprise will not work. The App Control block list won't block apps, as the status is that the device never received the policy. 

    -       Compliance Policy with an allowed app list does not work as a whitelist (all other apps still work).

    -       Compliance Policy with a blocked app list does not work as a blacklist (all apps can still be used, not set to disabled).

    -       In the Mobile Control and Intercept X apps, no list of controlled apps is received. 

    -       Users are allowed to unenrol themselves and remove the apps. This will only give a non-compliance for not synchronizing after one day.


    Creating a Legacy policy works fine. App Control is enforced.

    How do I get Android Enterprise MDM management mode enabled on the device?

    How do I enrol both Control and Intercept without ending up with two identical devices in Central?

    Regards,

    Fred


  • In reply to Fred Blum:

    Hi

    I have reported the following issues to the pre-sales consultant, but they remain silent.

    -       Sophos assumes that users will install the devices themselves, download the app and enrol from an e-mail. The enrolment QR code is only shown once to administrators in Central, just after creation of the device. The QR code or manual code cannot be accessed anymore in Central. - While adding a new device, during the enrolment process itself, you will be shown a QR code; there is an alternate procedure as well, to add the information manually about the enrolment token and Server URL, which is present in Sophos Central.

    -       The Google account for downloading the app with afw#sophos in the app store does not work. Used my own Google account to download and removed it afterwards. The devices do not have a Google account. - The Google account is needed in order to download the SMC, or you can use the Sophos Mobile Control APK to install on all the devices.

    -       App installs without problems. User needs to acknowledge giving rights to the app. After allowing everything, the right to change system settings is still set to no in Android settings. Also Follow User rights are set to off. Are these not required by the Control and Intercept apps? - Permissions required for both applications are mentioned in these KB articles: https://community.sophos.com/kb/en-us/117499 and https://community.sophos.com/kb/en-us/116995

    -       Enrolling both Mobile Control and Intercept X with the same QR code won't work. Message: code already used on another device. - If you have enrolled the device in Sophos Mobile Control, you don't need to enrol it for Intercept X for Mobile. You can push Intercept X for Mobile through policy, but for that you need the Google Play Store.

    -       Removal of not-allowed apps (task bundle remove apps) has to be accepted by the user on the device! Forced delete not possible. - That needs detailed troubleshooting. Please let us know if you have opened a case for that.

    -       Some non-essential Android and device manufacturer system apps can't be removed with the task bundle remove apps. This will give a non-compliance, but better would have been blocking access to the apps. - Please refer to these documents: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/references/ConfigurationAppControlAfWDO.html, and the applications section in https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/references/ConfigurationRestrictionsAfWDO.html

    -       Although Android Enterprise is set up in Central, the devices remain in device management after enrolling. Applying the task bundle update policy with Android Enterprise will not work. The App Control block list won't block apps, as the status is that the device never received the policy. - It needs detailed troubleshooting; please ask pre-sales whether they have a case open with support or not.

    -       Compliance Policy with an allowed app list does not work as a whitelist (all other apps still work). - Applications outside the allowed apps list will work, but the device will show as non-compliant.

    -       In the Mobile Control and Intercept X apps, no list of controlled apps is received. - Please describe the issue in more detail.

    -       Users are allowed to unenrol themselves and remove the apps. This will only give a non-compliance for not synchronizing after one day. - To disable uninstallation of apps, please check the security section in https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/references/ConfigurationRestrictionsAfWDO.html 

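The two exchanges above (the reply advising App Control to block the remaining installed apps, and the note that an allowed-app list in a Compliance Policy only marks the device non-compliant) come down to the same chore: turning a short allow list into the block list the MDM actually enforces, while keeping in mind that system and vendor apps cannot be uninstalled by a remove-apps task bundle and therefore have to be blocked instead. The following is an added example, not code from this thread or from Sophos. It parses constructed `adb shell pm list packages -f` output (package names other than the stock Android ones are assumed), keeps the allowed packages, and splits everything else into user-installed apps to remove and system apps to block. Whether a given MDM honours the resulting lists is a separate question that this script does not answer.

```python
"""Derive remove/block lists for an Android kiosk device from an allow list.

Added example; not Sophos or Zebra code. Input is the text of
`adb shell pm list packages -f`, which prints one line per package:
    package:<apk path>=<package name>
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `pm list packages -f` output. The com.example.*
# packages are hypothetical stand-ins (kiosk browser, MDM agent, stray app).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/priv-app/Dialer/Dialer.apk=com.android.dialer
package:/vendor/app/OemTools/OemTools.apk=com.example.oem.tools
package:/data/app/com.example.velocity-1/base.apk=com.example.velocity
package:/data/app/com.example.mdmagent-1/base.apk=com.example.mdmagent
package:/data/app/com.example.game-2/base.apk=com.example.game
"""

# APKs living on these partitions cannot be uninstalled by a device owner;
# they can only be hidden/blocked. Everything under /data/app is removable.
SYSTEM_PARTITIONS = ("/system/", "/vendor/", "/product/", "/oem/")
_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


@dataclass
class LockdownPlan:
    allow: set[str] = field(default_factory=set)   # stays usable in kiosk mode
    remove: set[str] = field(default_factory=set)  # user apps: uninstall via task bundle
    block: set[str] = field(default_factory=set)   # system apps: put on App Control block list
    missing: set[str] = field(default_factory=set) # allowed but not installed (push first)


def parse_pm_list(text: str) -> dict[str, str]:
    """Return {package name: apk path}; malformed lines are skipped, not guessed."""
    pkgs: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def is_system_app(path: str) -> bool:
    return path.startswith(SYSTEM_PARTITIONS)


def plan_lockdown(pm_output: str, allowed, phone: bool = False) -> LockdownPlan:
    """Split installed packages into allow / remove / block sets.

    `phone=True` models the TC25 case: the stock dialer must stay usable.
    """
    installed = parse_pm_list(pm_output)
    allow = set(allowed)
    if phone:
        allow.add("com.android.dialer")
    plan = LockdownPlan(allow=allow)
    plan.missing = allow - set(installed)
    for pkg, path in installed.items():
        if pkg in allow:
            continue
        (plan.block if is_system_app(path) else plan.remove).add(pkg)
    return plan


if __name__ == "__main__":
    plan = plan_lockdown(SAMPLE_PM_OUTPUT,
                         ["com.example.velocity", "com.example.mdmagent"],
                         phone=True)
    for label in ("allow", "remove", "block", "missing"):
        print(f"{label:8s}", ", ".join(sorted(getattr(plan, label))) or "-")
```

The allow list deliberately includes the management agent itself: blocking it is the quickest way to lose the device from Central. Anything that lands in `missing` should be pushed by the install task bundle before the block list is applied, otherwise the kiosk app may be missing on the first boot.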
  • In reply to Fred Blum:

    - How do I get Android Enterprise MDM management mode enabled on the device?

    Connect to the Sophos Play Store during initial setup of the device, or after a factory reset, with afw#sophos. It might take a couple of tries on several days, as connecting to the Play Store with afw#sophos and, after installation, to the managed Play Store might not work as you expect.

    How do I enrol both Control and Intercept without ending up with two identical devices in Central?

    I have two task bundles: one is for a new install, with all the approved apps to push, enrol Mobile Control and push the Enterprise policy and Mobile Defence policy; and another task bundle to update the policies. The Mobile Defence policy will take care of registering and enrolling Intercept. If it does not work with an update policy task bundle, try pushing the new install bundle even when the apps are already installed.