IBM Support

What is the difference between "Configure Restricted Account Types" and "Configure Allowlisted Accounts"?

Question & Answer


Question

Android Enterprise policy features an "Accounts" section with two configuration fields. This article explains the expected entries for these two Accounts fields.

Answer

Within the Google ecosystem there are Account Types and Accounts.
Account Types are unique to an app on the device and are created when an application makes the appropriate calls to the OS. Not all apps that require authentication create an account type; some handle authentication differently.
Accounts are the strings that represent the name of the account, usually in a format familiar to most users, for example username@domain.com.
An app first creates an account type, and the account string is then entered by the user as part of the authentication process. Defining accounts is straightforward, while defining account types requires more knowledge of the apps in the ecosystem and what they are capable of doing.
Configure Restricted Account Types - Account Types have associated "authenticators" to ensure that arbitrary apps cannot create accounts and behave maliciously. The format of an account type may look similar to an app's bundle ID.
Examples:
Google: com.google
Twitter: com.twitter.android.auth.login
Facebook: com.facebook.auth.login
Configure Allowlisted Accounts - These are the accounts that are acceptable to configure on the device itself. Note: this feature does not prevent the user from adding the account to the device; the device does not know the account is disallowed until it is actually configured and the device reports that data to the MaaS360 compliance engine.
MaaS360 variables such as %email% and %username% may be used to allowlist directory data, or broader patterns may be used to allow a variety of accounts. For example, an admin who wants to allow all Gmail accounts could add .*gmail.com. In this format it is very important that the . [dot] comes before the * [star], so that the pattern matches any characters that precede gmail.com.
Devices with restricted accounts will appear as out of compliance, and custom actions may be enforced if necessary. If the desired result is to prevent users from adding any accounts at all, refer to the "Allow modification of accounts" restriction in the MDM settings.
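As an added illustration of how the two fields interact (this is example code, not IBM's or the MaaS360 compliance engine's own logic), the following Python evaluates the accounts a device reports against a restricted account type list and an allowlist of account patterns. The exact MaaS360 matching rules (full match versus partial match, case handling, how %email% and %username% are substituted) are assumptions here; the sample policy reuses the article's example values and the device inventory is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample policy using the article's example values.
RESTRICTED_ACCOUNT_TYPES = {"com.twitter.android.auth.login", "com.facebook.auth.login"}
ALLOWLISTED_ACCOUNT_PATTERNS = ["%email%", ".*gmail.com"]
# Constructed directory data for the enrolled user (source of %email% / %username%).
USER = {"email": "jane.doe@example.com", "username": "jdoe"}


@dataclass(frozen=True)
class DeviceAccount:
    """One account as reported by the device: its account type and its name string."""
    account_type: str  # e.g. "com.google"
    name: str          # e.g. "user@domain.com"


def expand_variables(pattern: str, user: dict) -> str:
    """Replace MaaS360 variables with the user's directory values, escaped so they
    match literally; the rest of the pattern is treated as a regular expression (assumption)."""
    for var, value in (("%email%", user["email"]), ("%username%", user["username"])):
        pattern = pattern.replace(var, re.escape(value))
    return pattern


def evaluate(accounts, restricted_types, allow_patterns, user):
    """Return [(account, reason)] for each account that would make the device non-compliant.
    Assumption: an account name must fully match one allowlist pattern, case-insensitively."""
    allow = [re.compile(expand_variables(p, user), re.IGNORECASE) for p in allow_patterns]
    violations = []
    for acct in accounts:
        if acct.account_type in restricted_types:
            violations.append((acct, "restricted account type"))
        elif not any(rx.fullmatch(acct.name) for rx in allow):
            violations.append((acct, "account not allowlisted"))
    return violations


if __name__ == "__main__":
    reported = [  # constructed inventory reported by one device
        DeviceAccount("com.google", "jane.doe@example.com"),       # allowed via %email%
        DeviceAccount("com.google", "jane.personal@gmail.com"),    # allowed via .*gmail.com
        DeviceAccount("com.google", "bob@othermail.com"),          # not allowlisted
        DeviceAccount("com.twitter.android.auth.login", "janed"),  # restricted type
    ]
    for acct, reason in evaluate(reported, RESTRICTED_ACCOUNT_TYPES, ALLOWLISTED_ACCOUNT_PATTERNS, USER):
        print(f"{acct.account_type} / {acct.name}: {reason}")
```

Because the pattern is a regular expression, the unescaped dot in gmail.com matches any single character and the leading .* accepts any prefix, so a name such as user@mygmail.com also passes; when only that exact domain is intended, a pattern like .*@gmail\.com is more precise.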


Document Information

Modified date:
10 July 2023

UID

ibm11125519