Product Documentation

Configuring App Monitoring for Android Apps

Oct 20, 2015

Android app monitoring in Device Manager provides a secure application-browsing environment on Android devices. You can define blacklisted or whitelisted applications and take action on applications, such as preventing the applications from opening or, in real time, selectively allowing applications to run.

You can define blacklisted or whitelisted applications in an XML file that you package and push to Android devices. Sample XML files are available for reference under <installation directory>/XenMobile Device Manager/samples/appmon/. For example, the default Android app monitoring policy XML file is located at: <installation directory>/XenMobile Device Manager/samples/appmon/appControlPolicyConfiguration.xml. The configuration tags that you can include in the XML file are as follows:

  • <whitelist> and <blacklist>. These tags define applications to be blocked or allowed by package name. Some sample native application package names are as follows:
    • Camera. com.android.camera
    • Browser. com.android.browser
    • Email. com.android.email or com.htc.android.mail
  • <appblockmessage>. This tag allows customized message to appear as part of the block screen to a user and when a blacklisted or non-whitelisted application opens.
  • <appcontrolpolicylogo>. This tag allows you to add a custom image to your app block display message when a user is prevented from installing an app. When this element is set to true, the custom logo appears. You must name the custom image appControlPolicyLogo.png and upload the file to Device Manager and then deploy the image file to the device on which you want to display the image.
  • <enforceblacklist> and <enforcewhitelist>. These tags enforce applications through <blacklist> or <whitelist> tags. In case both these tags are set to true, applications defined in a whitelist XML file take precedence, and the blacklisted applications are ignored.
  • <prevent_uninstall>. This tag allows you to block a user from uninstalling the Citrix Mobile Connect app from their device. When set to true, a user cannot uninstall the app from their device.
    Note: If you set this option to true, you will not be able to uninstall any other apps from the device.
  • <password>. This tag allows a device to access blacklisted or non-whitelisted applications by using an administrator-defined passcode. There are no restrictions on the length or type of characters in the passcode. You can choose to not include this tag as part of the XML file. As a result, the user cannot enter the passcode in a text box. Instead, block screen appears with a custom company logo file (optional), customized text that you define by using the <appblockmessage> tag, and a button that users tap to close the block screen.
  • <dorestart>. This tag defines if the application control service should be running or not running on the device. If set to false, the service does not run on the device.

Multiple Configuration Files

You can define​ multiple Android app monitoring policy files. For ​example, you can create a blacklist or a whitelist policy for different groups in your organization, such as a policy for your engineering group, a separate policy for your finance group, sales group, and so on. In order to create multiple app list configuration files, you need to retain the string appControlPolicyConfiguration in the file name. You can, however, modify the other part of the file name to help indicate the purpose of the file. For example:

  • appControlPolicyConfigurationOff.xml. An app monitoring policy in which certain apps cannot to run on the device, such as the camera.
  • appControlPolicyConfigurationDisable.xml. An app monitoring policy in which certain apps are blacklisted and cannot be installed on the phone.
  • appControlPolicyConfigurationEnable.xml. An app monitoring policy in which certain apps are whitelisted and can run on the device.

Example XML Syntax for Blacklisting and Whitelisting Policies

The following code samples illustrate how to use App Monitoring to create application whitelists and blacklists for Android devices. Blacklisting app use case. Block an native email app on Android devices that are running operating systems Version 3.0 and earlier.

<?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<appcontrol> 
                <appcatalog> 
                                <whitelist> 
                                                <name>org.mozilla.firefox</name> 
                                </whitelist> 
                                <blacklist> 
                                                <name>com.android.email</name> 
                                </blacklist> 
                </appcatalog> 
                <appblockmessage>This application has been blacklisted and blocked by your Mobile System Administrator. For further inquiries, please contact your IT department.</appblockmessage> 
                <enforceblacklist>true</enforceblacklist> 
                <enforcewhitelist>false</enforcewhitelist> 
                <dorestart>true</dorestart> 
                <password>P@ssw0rd</password> 
</appcontrol>

Whitelisting app use case. Only allow a XenMobile app to run on the Android device and block all other applications.

<?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<appcontrol> 
                <appcatalog> 
                                <whitelist> 
                                                <name>com.citrix</name> 
                                                <name>com.android.launcher</name>  
                                                <name>com.android.launcher2</name> 
                                                <name>com.htc.launcher</name>  
                                </whitelist> 
                                <blacklist> 
                                                <name>com.android.email</name> 
                                </blacklist> 
                </appcatalog> 
                <appblockmessage>This application has been blacklisted and blocked by your Mobile System Administrator. For further inquiries, please contact your IT department.</appblockmessage> 
                <enforceblacklist>true</enforceblacklist> 
                <enforcewhitelist>false</enforcewhitelist> 
                <dorestart>true</dorestart> 
                <password>P@ssw0rd</password> 
</appcontrol> 

To add a logo to a customized block screen on an Android device

n Device Manager, you can customize the block screen that appears on an Android device by using the <appblockmessage> XML tag defined in an App Monitoring policy. The screen can also include a company logo.

  1. Save the logo file as appControlPolicyLogo.png on your computer.
  2. In the Import a file to the Device Manager database dialog box, import the logo file and then save the file to a destination folder on the device.

    Note: Make sure you use the following format to name the destination folder: %XenMobile folder%\files.
  3. Add the following line to your appControlPolicyConfiguration.xml (<installation directory>/XenMobile Device Manager/samples/appmon/appControlPolicyConfiguration.xml) file after the end of <appblockmessage> tags:

    <appcontrolpolicylogo>true</appcontrolpolicylogo>

  4. Create a deployment package that includes the application monitoring policy XML file, as well as an optional company logo file.

Common Issues with the App Monitoring Policy Implementation

With the App Monitoring feature, you might encounter the following issues:

If you notice that XenMobile is not blacklisting an application you have defined as forbidden, you can try the following tasks to remedy situation:

  • Check the XML file name; it should be appControlPolicyConfiguration.xml.
  • Make sure the package containing appControlPolicyConfiguration.xml policy is deployed to the device, and the device is connected to the server.
  • Check the package name for the blacklisted application. Use XenMobile Remote Support to verify native application package names under "Task Manager".
  • Validate your appControlPolicyConfiguration.xml file XML syntax with a validator, such as XML Validation.

If you can verify the preceding information, but the issue persists, open a support case and attach the XML file, as well as device logs. You can share device logs by using alogcat, a free Android marketplace application.

If you notice that your Company Logo is not included as part of the block screen, verify that the logo PNG file is saved as appControlPolicyLogo.png and is saved under %XenMobile folder%\files.

If you need to reset an application passcode, modify the <password> XML tag value to include the new passcode.

If you are not sure if the App Monitoring service is running, please note that the service is not running by default. You must push the XML policy file (appControlPolicyConfiguration.xml) to the device.

If you need to revoke device access to blacklisted applications, you can modify the <password> XML tag value to include the new passcode. The user needs to obtain and enter the new passcode.