IBM Support

Enhancements to Android Enterprise runtime permissions

Release Notes


Abstract

MaaS360 now allows administrators to control how Location, Storage, and Phone permissions are granted to apps. In previous releases, those permissions were auto-granted during enrollment. This release also removes the unsupported permissions, adds support for granting all permissions at once, and more.

Content

Removed unsupported permissions: In the previous releases, MaaS360 displayed a total of 176 permissions in the Configure runtime app permissions policy setting. In 10.83, MaaS360 removes all the unsupported permissions and retains the runtime permissions - bringing the total down to 36 permissions.

Path: Security > Policies > Android Enterprise Settings > Configure runtime app permissions > Default runtime permission for apps > Permission.


Impact: If the administrators have already configured the policy setting with the unsupported (removed) permissions, an error message is displayed when that policy is published. Administrators cannot publish the policies until they re-configure the policy with the supported runtime permissions.

New validation messages: When configuring runtime permissions, MaaS360 displays validation messages in the following scenarios:

  • Prerequisite permissions: Administrators should not grant a permission with a larger scope before granting the permissions with a lower scope. For example, Background location permission cannot be granted without granting Fine location and Coarse location permissions.

    | Permission | Prerequisite permission |
    | --- | --- |
    | Background Location | Coarse Location and Fine Location |
    | Write External Storage | Read External Storage |
    | Read Phone Numbers | Read Phone State |
    | Write Contacts | Read Contacts |

  • Conflicting permissions: Administrators should not deny a permission with a larger scope (Example: Write external storage) and allow a permission with a lower scope (Example: Read external storage).

Granting all runtime permissions at once: Administrators can use the All option in the runtime permissions to configure all the permissions required for an app at once. When the All option is selected, MaaS360 displays the list of permissions that the administrators can exclude from the permissions list. As of the 10.83 release, administrators can exclude Location permissions only.

Permission groups: Some of the permissions are available in groups. For example, the Location permission includes the fine, coarse, and background permissions. Administrators can set a separate permission state (Allow, Deny, Prompt) for individual permissions in a group. For example, administrators can set Allow for Fine Location and Deny for Coarse Location.

Note: For the MaaS360 app, when administrators set a permission state for an individual permission in a group, that state applies to the other permissions in the group. For example, if Fine Location permission is denied, the Background Location and Coarse Location permissions are also denied.

Auto-adjust order of permissions: MaaS360 ensures that permissions for any group are sent to the MaaS360 app in the correct order, irrespective of how they are configured in the MaaS360 portal. For example, if administrators configure WRITE_EXTERNAL_STORAGE: grant and then configure READ_EXTERNAL_STORAGE: grant, MaaS360 ensures that the write permission is granted to the app.
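A pre-publish check for the validation and ordering rules described above, as an added example (not MaaS360 code): it applies the prerequisite table and the one conflict pair the note names to a policy, then orders the entries so prerequisites precede the permissions that depend on them. The Android permission constants mapped to the console labels, the lowercase state strings, and the function names are assumptions.

```python
# Prerequisite table from the release note. Keys are android.permission.*
# constant names; their mapping to the console labels is an assumption.
PREREQS = {
    "ACCESS_BACKGROUND_LOCATION": ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"],
    "WRITE_EXTERNAL_STORAGE": ["READ_EXTERNAL_STORAGE"],
    "READ_PHONE_NUMBERS": ["READ_PHONE_STATE"],
    "WRITE_CONTACTS": ["READ_CONTACTS"],
}
# The note names only this (larger scope, lower scope) pair as a conflict.
CONFLICT_PAIRS = [("WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE")]


def lint_policy(policy):
    """Return findings for a {permission: "allow"|"deny"|"prompt"} mapping."""
    findings = []
    for perm, needs in PREREQS.items():
        if policy.get(perm) == "allow":
            for req in needs:
                # An unconfigured prerequisite is treated as not granted.
                if policy.get(req) != "allow":
                    findings.append(f"{perm}: prerequisite {req} is not set to allow")
    for larger, lower in CONFLICT_PAIRS:
        if policy.get(larger) == "deny" and policy.get(lower) == "allow":
            findings.append(f"{larger}: denied while {lower} is allowed")
    return findings


def ordered(policy):
    """Return (permission, state) pairs with prerequisites before dependents."""
    out, seen = [], set()

    def visit(perm):
        if perm in seen or perm not in policy:
            return
        seen.add(perm)
        for req in PREREQS.get(perm, []):
            visit(req)
        out.append((perm, policy[perm]))

    for perm in policy:
        visit(perm)
    return out


SAMPLE = {  # constructed: write entered before read, coarse location missing
    "WRITE_EXTERNAL_STORAGE": "allow", "READ_EXTERNAL_STORAGE": "allow",
    "ACCESS_BACKGROUND_LOCATION": "allow", "ACCESS_FINE_LOCATION": "allow",
}

if __name__ == "__main__":
    print(lint_policy(SAMPLE), ordered(SAMPLE), sep="\n")
```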

Changes to the permissions granted to the MaaS360 app on Device Owner (DO) and Profile Owner (PO) devices:

| Release version | Mode | Location | Storage | Phone |
| --- | --- | --- | --- | --- |
| Before 7.60 | DO | Set to Allow during enrollment | Set to Allow during enrollment | Set to Allow during enrollment |
| Before 7.60 | PO | Set to Allow only if Geofencing is enabled, else it is User controlled | Set to Allow during enrollment | Set to Allow during enrollment |
| 7.60 and later | DO | Set to Allow if nothing is configured in the policy. Administrators can change the permission through policies. | Set to Allow if nothing is configured in the policy. Administrators can change the permission through policies. | Set to Allow if nothing is configured in the policy. Administrators can change the permission through policies. |
| 7.60 and later | PO | Set to User Controlled if nothing is configured in the policy. Administrators can change the permission through policies. | Set to Allow if nothing is configured in the policy. Administrators can change the permission through policies. | Set to Allow if nothing is configured in the policy. Administrators can change the permission through policies. |


Document Information

Modified date: 12 October 2022

UID: ibm16489351