Managing app and data on a device (Block, Wipe and others)

Managing the lifecycle of mobile apps, often referred to as Mobile Application Management (MAM), is one of the key features of MobileFirst Platform Foundation. It includes:

In this article, let's see how data access can be controlled on a device that has been disabled. Whilst wiping data can be achieved with a Mobile Device Management solution (like IBM MaaS360) in an enterprise context, there are various cases where the mobile device cannot be controlled by the company. This is especially the case in B2B contexts, when subcontractors or partners are granted access to sensitive company data: if any data is stored locally on the devices for offline availability (see my recent article on this subject for example), what happens when the company wants to deny access to a particular device for any reason (device stolen or lost, employee no longer granted access...)?

Managing app versions

There are two options to deny access to an app using MobileFirst Platform v7.0. The first one concerns the entire app, as shown in the following figure:

[Figure: image not available]

By doing this, all users having this specific version of the app on this platform will be informed that they should upgrade. By default, the client MobileFirst Platform SDK will display a dialog box with the message entered in the console and a button to access the new version specified in the URL. But this default behavior can be customized, as we will see later.

Managing app access

The second option, which is what we are aiming at here, is the ability to deny access to a particular user or even a specific device:

[Figure: image not available]

To take advantage of this feature, you must enable device tracking (see the documentation) by adding wl.device.tracking.enabled=true in the worklight.properties file.
Note that, depending on your application, a particular device can be found based on its id, user id or even a friendly name.
Once a device has been found, either the entire device can be "disabled" (i.e. the device is still usable but cannot make any request to the MobileFirst Platform server), or a specific app on the device. The following options are available for disabling a device:

[Figure: image not available]

and the following options for disabling an app:

[Figure: image not available]

So what happens when the status of a device or app has been changed using this panel? The app, when it connects to the MobileFirst Platform server, receives exactly the same challenge handler as when the entire app is disabled for everybody, except that the generic message received is "This device has been decommissioned" (whatever the status that was selected).

Managing data access

The last concern is the data that still lives on the user's device. With MobileFirst Platform, data and documents can be fully encrypted so that when the app is blocked, enterprise data cannot be accessed. In this last section, let's see how we can take advantage of the blocking message to wipe data on the device, by adding the following piece of code (in the default initOptions.js file in this case).

var wlInitOptions = {
    // Called by the client SDK when the server denies access
    // (app version disabled, or device / app on device disabled)
    onErrorRemoteDisableDenial : function (message, downloadLink) {
        // The server sends this generic message whatever status was selected in the console
        if (message === "This device has been decommissioned") {
            // This device has been disabled
            wipeAppData();
        } else {
            // This app version has been disabled
            WL.SimpleDialog.show(
                "Application Disabled",
                message,
                [{text: "Close application", handler: disableApp},
                 {text: "Download new version", handler: function () { WL.App.openURL(downloadLink, "_blank"); }}]
            );
        }
    }
};

function wipeAppData() {
    // Erase local data if any
    WL.JSONStore.destroy().then(function () {
        console.log("JSONStore successfully destroyed!");
    }).fail(function (errorObject) {
        // The wipe did not complete: local data may still be on the device
        console.log("JSONStore destroy failed: " + JSON.stringify(errorObject));
    });
    // And more if needed...
    // Display denied access message
    WL.SimpleDialog.show("Non authorized device", "This application has been disabled",
        [{text: "Close", handler: disableApp}]);
}

function disableApp() {
    // Make app unusable
    document.body.innerHTML = '<strong>Please quit this application</strong>';
    if (WL.Client.getEnvironment() === WL.Environment.ANDROID) {
        // Optionally force the app to exit
        WL.App.close();
    }
}

Conclusion

As you can see above, you can control what you want to do with local data in the event an app, or a device, or an app on a device has been disabled. You could also add some logic within your app so that local data has a time to live value and is also automatically erased if a server access has not been recently successful.
Although the sample was given in JavaScript, you can achieve the same behavior using the SDK native APIs. MobileFirst Platform supports these features for every mobile development model, either hybrid or fully native.
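
The time-to-live idea mentioned in the conclusion covers the case where a disabled device never reconnects and so never receives the denial message. The following is an added example, not code from the original article or from the MobileFirst SDK; createOfflineGuard, LAST_CONTACT_KEY, memoryStorage and the option names are hypothetical, and in an app the wipe callback would be the article's wipeAppData() and the storage would be localStorage.

```javascript
// Added example (not from the original article). Hypothetical names throughout.
var LAST_CONTACT_KEY = "lastServerContact"; // assumed storage key

function createOfflineGuard(options) {
  var ttlMs = options.ttlMs;          // maximum time allowed without server contact
  var storage = options.storage;      // localStorage-like: getItem/setItem/removeItem
  var wipe = options.wipe;            // e.g. the article's wipeAppData()
  var now = options.now || Date.now;  // injectable clock, for testing

  function state() {
    var raw = storage.getItem(LAST_CONTACT_KEY);
    if (raw === null || raw === undefined) return "never-contacted";
    var last = Number(raw);
    if (!isFinite(last) || last <= 0) return "corrupt-timestamp";
    var age = now() - last;
    if (age < 0) return "clock-rolled-back"; // device clock set before last contact
    return age > ttlMs ? "expired" : "fresh";
  }

  return {
    // Call after every successful request to the server.
    recordServerContact: function () {
      storage.setItem(LAST_CONTACT_KEY, String(now()));
    },
    // Call at startup, before opening any local data. Fails closed: anything
    // other than a fresh timestamp wipes and denies access until the next
    // successful server contact.
    enforce: function () {
      var s = state();
      if (s === "fresh") return { allowed: true, reason: s };
      storage.removeItem(LAST_CONTACT_KEY);
      wipe(s);
      return { allowed: false, reason: s };
    }
  };
}

// Constructed in-memory stand-in for localStorage, so the block runs under Node.
function memoryStorage() {
  var data = {};
  return {
    getItem: function (k) { return Object.prototype.hasOwnProperty.call(data, k) ? data[k] : null; },
    setItem: function (k, v) { data[k] = String(v); },
    removeItem: function (k) { delete data[k]; }
  };
}
```

The stored timestamp can be edited by anyone with access to the device's file system, so this guard complements the encrypted local storage described above rather than replacing it.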

Last modified on May 01, 2016