Once enabled, Kiosk Mode can be disabled by pushing a new config file with its tag set to "0" if USB Debugging is enabled. Otherwise a factory reset is required. Kiosk Mode also can be enabled/disabled programmatically from an Android application using Android Intents. For more information, see the Special Features section.
Possible values:
- 1
- 0 (default)
Example
<kiosk_mode_enabled>0</kiosk_mode_enabled>
Install Shortcuts
Applies to Marshmallow and Nougat devices only. Controls whether shortcuts to local apps or websites can be added programmatically. Disabled by default. See Shortcuts and Intents for more information. For shortcuts in Oreo devices, see Pinned Shortcuts, below.
Possible values:
- 1
- 0 (default)
Example
<install_shortcuts>0</install_shortcuts>
Pinned Shortcuts
Applies to Oreo devices only. Controls whether shortcuts to local apps or websites can be added programmatically. Disabled by default. See Shortcuts and Intents for more information.
Possible values:
- 1 (allow pinned shortcuts)
- 0 (default, block pinned shortcuts)
Example
<preferences>
<pin_shortcuts>0</pin_shortcuts>
</preferences>
Reboot on Install Enabled
Controls whether the device will automatically reboot when EHS is launched for the first time after a successful installation, a requirement to activate EHS. Permits Mobile Device Management (MDM) systems to maintain device control following installation. Automatic device reboot is disabled by default.
Possible values:
- 1
- 0 (default, do not reboot)
Example
<preferences>
<reboot_on_install_enabled>0</reboot_on_install_enabled >
</preferences>
Airplane Option Disabled
This feature is obsolete, and has been removed from EHS 3.0 and higher.
Use Power Key Manager through Zebra EMDK or StageNow tools.
Bypass Keyguard
This feature is obsolete, and has been removed from EHS 3.0 and higher.
Use DevAdmin through Zebra EMDK or StageNow tools.
Keyguard Camera Disabled
Controls whether the device camera is accessible from the Keyguard screen (also known as the "Lock Screen") when the screen lock is set to "Swipe" mode. Camera access from the Keyguard screen is disabled if this tag has a value of 1 (default) or is left unspecified.
The Keyguard camera is disabled only if all of the following conditions are true:
- The camera app is enabled on the device
- The Keyguard screen is in "Swipe" mode
- The camera icon is visible on the Keyguard screen
Unless all four of the above conditions are true, the value in this tag is ignored.
Notes:
- To prevent use of the camera, Zebra recommends using this tag and removing the camera app from the User Mode screen.
- If no camera shortcut exists on the device lock screen, use of this tag is not required.
- Display of the camera app icon on the Admin home screen can be delayed by as much as five seconds after unlocking the screen following a configuration change.
- On some devices running Nougat (except TC20/TC25), disabling access to the camera and/or search apps from the lock screen also might disable them from the User-Mode screen, even if camera/search usage is permitted on the device. To prevent this issue, use the Screen Lock Type parameter of DevAdmin CSP and disable the lock screen by selecting the "None" option.
Possible values:
- 1 (default)
- 0
Example
<keyguard_camera_disabled>1</keyguard_camera_disabled>
Keyguard Search Disabled
Controls whether the Search app is accessible from the Keyguard screen (also known as the "Lock Screen") when the screen lock is set to "Swipe" mode. Search access from the Keyguard screen is disabled if this tag has a value of 1 (default) or is left unspecified.
Applies only if all of the following conditions are true:
- The search app is enabled on the device
- The Keyguard screen is in "Swipe" mode
- The search icon is visible on the Keyguard screen
Unless all four of the above conditions are true, the value in this tag is ignored. Note: If no search-app shortcut exists on the device lock screen, use of this tag is not required.
IMPORTANT:
- To prevent use of search, Zebra recommends using this tag and removing the search app from the User Mode screen.
- Display of the search app icon on the Admin home screen can be delayed by as much as five seconds after unlocking the screen following a configuration change.
- If no search shortcut exists on the device lock screen, use of this tag is not required.
- On some devices running Nougat (except TC20/TC25), disabling access to the camera and/or search apps from the lock screen also might disable them from the User-Mode screen, even if camera/search usage is permitted on the device. To prevent this issue, use the Screen Lock Type parameter of DevAdmin CSP and disable the lock screen by selecting the "None" option.
Possible values:
- 1 (default)
- 0
Example
<keyguard_search_disabled>1</keyguard_search_disabled>
USB Debugging Disabled
Controls whether communication via USB is permitted between the device and a computer while the device is in Admin or User Mode. A setting of 1 (default) or if left unspecified will prevent user access to the file system and all ADB functionality on the device. Zebra recommends manually returning USB Debugging to its desired state before uninstalling EHS.
Possible values:
- 1 (default)
- 0
Example
<usb_debugging_disabled>1</usb_debugging_disabled>
System Settings Restricted
Controls whether full or limited settings are available when the device is in Admin or User Mode. A setting of 1 (default) or if left unspecified limits user access to Display and Sound settings and the "About phone" panel. A setting of 0 permits user access to all device settings.
Possible values:
- 1 (default)
- 0
Example
<system_settings_restricted>1</system_settings_restricted>
Notes and Warnings:
- The System settings app must be explicitly enabled in advance to make use of this setting. See the Enable/Disable Apps feature for more information.
- This does not block Settings features, but only prevents their display in the Settings panel. Android makes restricted settings available to the user in some situations. For example, if the charge in a device battery becomes critically low, Android provides access to apps in the low battery warning display so they can be stopped, disabled or uninstalled. This can be prevented only by disabling the Settings app completely.
- It is still possible to add shortcuts to restricted System-settings components (i.e. apps) using a third-party shortcut creator. However, such shortcuts also are available in User Mode. If a system setting component should be accessible only to administrators, it should not be mapped using a shortcut.
- Uninstalling EHS does not revert Restricted System Settings to its original state. If required, this must be done manually before uninstalling EHS.
Recent Apps Button Disabled
Applies only to devices running Android Nougat and higher. Controls whether the Recent Apps button can be used to potentially launch unapproved apps and/or a non-EHS home screen. Setting applies to Admin and User Modes. Recent apps button is disabled by default on Nougat (and higher) devices. Default value is used if this tag left blank, absent from the config file or contains an invalid value. See important EHS Security Notes.
This setting persists after EHS is removed.
Recent apps button cannot be disabled on devices running Android M (shown).
Possible values:
- 1 (disabled by default)
- 0
Example
<preferences>
<Recent_apps_button_disabled>1</Recent_apps_button_disabled>
</preferences>
Logging Disabled
Controls logging of EHS activities, failures and security events. These include failed attempts to enter Admin Mode, switches of the operating mode and all EHS errors. Enabled by default. Logs are stored in the /enterprise/usr/enterprisehomescreen.log file as plain text file that can be retrieved with ADB or an MDM and viewed with any text editor.
Possible values:
- 1
- 0 (logging is enabled by default)
Example
<logging>
<logging_disabled>0</logging_disabled>
</logging>
Log File Max Size
Permits a maximum size (in MB) to be specified for the EHS log file. When the maximum file size is reached, the current log is renamed to enterprisehomescreen.log.bak (overwriting the existing .bak file, if any) and a new enterprisehomescreen.log file is created. This effectively doubles the storage requirement of the specified maximum since two log files of maximum size is present at certain times.
Possible values:
- Integer from 1-99999
- Default = 10 (MB)
Example
<logging>
<log_file_max_size>10</log_file_max_size>
</logging>
Optional Feature Tags
This section covers optional features and tags not included in the enterprisehomescreen.xml file by default. These tags are added by EHS for enabled options or can be added as needed by an administrator.
Auto Launch
Permits any number of apps to be launched when EHS starts up. Similar to Kiosk Mode, auto-launch apps are specified in a separate section, can be launched with a specific app activity (optional) and the feature is activated with a tag in the Preferences section. Note: Package names might vary from one Android version to another.
Auto-launch differs from Kiosk Mode in that BACK and HOME keys can be used, and it allows apps to be set to launch after a specified delay to allow for SD card mounting. Works when the <auto_launch_enable> tag contains a value of 1; otherwise ignored. Auto-launch apps need not be listed in the <applications> section.
Important: The delay times for app and service auto-launch all begin at the same time--when EHS first starts up--relative to other apps or services. For example, if App1 is given a delay of 2000 ms, App2 a delay of 4000, Svc1 a delay of 3000 ms and Svc2 a delay of 1000 ms, the order of execution would be:
- App1 two seconds after EHS launch
- Svc1 one second later (3000 ms after EHS launch)
- Svc2 one second later (3000+1000 ms after EHS launch)
- App2 two seconds later (2000 + 4000 after EHS launch)
Possible values:
- application delay: integer (milliseconds)
- package: app package name
- activity (optional): name of the activity to be invoked when the app starts
Example
<auto_launch>
<application delay="8000" package="com.android.calculator2" activity=""/>
<application delay="5000" package="com.rovio.angrybirds" activity=""/>
</auto_launch>
Service Auto Launch
Permits any number of services to be launched when EHS starts up. This can be useful as a means of checking for software updates. Automatically launched services must be specified in a separate section of the enterprisehomescreen.xml file. The feature can be activated in the admin UI or with a tag in the Preferences section. Auto-launch services need not be listed in the <applications> section.
Important: The delay times for app and service auto-launch all begin at the same time--when EHS first starts up--relative to other apps or services. Delay times are cumulative for each type. For example, if App1 is given a delay of 2000 ms, App2 a delay of 4000, Svc1 a delay of 3000 ms and Svc2 a delay of 1000 ms, the order of execution would be:
- App1 two seconds after EHS launch
- Svc1 one second later (3000 ms after EHS launch)
- Svc2 one second later (3000+1000 ms after EHS)
- App2 two seconds later (2000 + 4000 after EHS)
The EHS 2.4 showing Service auto launch enabled in the UI.
Possible values:
- service delay: length of time (in ms) to delay before launching the service
- package: application package name of the service
- class: class name of the service
- action: allows one of the actions supported by a Service to be specified
Note: Package names might vary from one Android version to another.
Service Auto-Launch Rules:
- Services that support just a single action can be auto-launched using only the package name.
- For Services that support more than one action, each desired action must be specified separately.
- For Services that support more than one class, the correct class must be specified.
- Service Auto-Launch has no effect on manually launching services.
Examples
Specify all parameters:
<service_auto_launch>
<service delay="4000" package="com.sample.androidserviceexample"
class="com.sample.androidserviceexample.MyService" action="downloadfile"/>
</service_auto_launch>
Specify package, class and action names:
<service package="com.sample.androidserviceexample"
class="com.sample.androidserviceexample.MyService"
action="com.sample.androidserviceexample.MyService.downloadfile"/>
Specify package and class names:
<service package="com.sample.androidserviceexample" class="com.sample.androidserviceexample.MyService"/>
Specify package name only (when only one service exists in the package):
<service package="com.sample.androidserviceexample" />
Specify service action name only:
<service action="com.sample.androidserviceexample.MyService.downloadfile"/>
Foreground Service Auto Launch
Used to specify one or more foreground services to be automatically launched after EHS starts up. Automatically launched services are specified in a separate, optional section of the enterprisehomescreen.xml file. When enabled, apps are launched after a delay, if specified. The Foreground Service Auto Launch feature is enabled/disabled in the enterprisehomescreen.xml file or Admin-Mode UI (on Oreo devices only). Disabled by default.
Note: This feature appears in the UI only on devices running Android 8.x Oreo.
Appears in UI only on Oreo devices.
Possible values:
- 1
- 0 (default)
Example
<preferences>
<foreground_service_auto_launch_enable>1</foreground_service_auto_launch_enable>
</preferences>
//
// Set delay (optional):
//
<foreground_service_auto_launch>
<service delay="4000" package="com.sample.androidserviceexample"class="com.sample.androidserviceexample.MyService" action="downloadfile"/>
</foreground_service_auto_launch>
Bundle
Permits the option of injecting key-value pairs via XML into an app when it launches in User Mode. Bundled data can include application parameters, user data or any other information consumable by the application as an Android Intent. This feature can be used with User-Mode apps, Kiosk apps, auto-launch apps and those resulting from wildcard searches. When used with apps specified using the wildcard attribute, all apps receive the same data. The Bundle tag must be configured within the enterprisehomescreen.xml file. Bundle is not supported for Admin-mode apps or for use with links or services.
Bundle Notes:
- Bundled data is handled as a character string; app is responsible for converting data type as needed.
- The key and value portions of the bundle are separated by an equal sign (=).
- Bundles are separated by a semi-colon (;).
- Not supported for Admin-Mode apps, or for links or services.
Possible values:
- character string
Example
<applications>
<application label="Inventory" package="com.access.inventory" activity=" com.access.inventory.Login"
bundle="username=John Brown;country=USA;date=090615"/>
</applications>
Icon
Permits a custom graphic to be specified in place of the system or default icon for an application or link when displayed on the User-Mode screen. Supports .bmp, .jpg, and .png image formats. Image must be stored locally on the device and specified in the enterprisehomescreen.xml file using the full path. Default icon is used if tag is left blank or specified image file is missing or invalid. When used with apps specified using the wildcard attribute, all apps will display the same icon.
Examples
Replace the icon for an application:
<application label="DWDemo" package="com.symbol.datawedge" icon="/sdcard/datawedge/demo.png"/>
Replace the icon for a link:
<link label="yahoo" url="http://www.yahoo.com" package="org.mozilla.firefox" activity="org.mozilla.firefox.App" icon="/enterprise/usr/customfirefox.jpg" />
Replace the icon for an app launching with a specific activity:
<application label="WebMenu" package="com.symbol.rdp" activity="com.symbol.rdp.SessionActivity" icon="/enterprise/usr/ehs_data/images/webmenu.bmp"/>
Enable/Disable Apps
Allows apps on a device to be explicitly disabled or enabled in Admin and User Modes. Note: Package names might vary from one Android version to another.
Notes:
- Settings defined by these tags override EHS defaults and any settings applied with other tags.
- If one of these tags is present without the other, Settings and Search apps are disabled in Admin and User Modes.
- If the same package name is present under both (enable and disable) tags, that app is disabled.
- Uninstalling EHS will not re-enable apps disabled using the <apps_disabled> tag.
- Disabled apps must be manually returned to their desired state before uninstalling EHS.
- To re-enable an app that was disabled using the <apps_disabled> tag, the app must be explicitly enabled using the <apps_enabled> tag.
- After the device user takes a screenshot, some Android versions present apps (i.e. Gmail, Messaging, etc.) as a means of sharing the image. Disable such apps to prevent unwanted access.
- These tags cannot be used to disable DataWedge or other services.
Possible values:
- Package: app package name
Example
<preferences>
...
<apps_disabled>
<application package="com.android.settings"/>
<application package="com.android.quicksearchbox"/>
</apps_disabled>
<apps_enabled>
<application package="com.android.gallery3d"/>
</apps_enabled>
...
</preferences>
Admin Max Attempts
The number of failed attempts to log into Admin Mode before EHS disables Admin Mode login. EHS keeps a count of the failed consecutive login attempts with an attribute in the password admin node as in the Example Failed Login Counter below. The counter is reset if a successful login occurs before the maximum is reached. Once disabled, can be reset only by pushing a new enterprisehomescreen.xml file to the device. If this tag is not present or contains no value, the default of 10 is used. Failed login attempts are added to the EHS log.
Example
<preferences>
...
<admin_max_attempts>10</admin_max_attempts>
...
</preferences>
Example Failed Login Counter:
<passwords>
<admin attempts="10"></admin>
</passwords>
The counter clears after a successful login or when a new enterprisehomescreen.xml file is pushed to the device.
Admin Inactivity Timeout
Controls the time (in seconds) that a device will remain in Admin Mode without activity. Add this tag to the <Preferences> section to specify the timeout period. The default period is 60 seconds, which is used if this tag is missing or left unspecified. Minimum period is 15 seconds (lower values are ignored); zero or negative value disables timeout. The timeout counter runs only when EHS is in foreground, and resets when EHS returns to the foreground. Note: Use of the Android Search app has no effect on the timeout counter.
Possible values:
- integer (in seconds)
Notes:
- 15 is the minimum value; lower values are ignored
- 60 seconds is the default if tag is left blank or is not present
- 0 or negative value will disable the timeout function
Example
<preferences>
<admin_inactivity_timeout>600</admin_inactivity_timeout>
</preferences>
Shortcuts and Intents
On Marshmallow and Nougat
For devices running Oreo, see the section that follows.
When shortcuts that link to local or remote applications are added using Android Intents, EHS adds a link tag to the config file with the attributes listed below. Disabled by default. Must be enabled using the Install Shortcuts tag. Note: Package names might vary from one Android version to another.
Label
Represents the shortcut name; equivalent to the Intent.EXTRA_SHORTCUT_NAME value.
URI
Represents the intent in text format; equivalent to the URI representation of the Intent.EXTRA_SHORTCUT_INTENT intent data.
Icon
Specifies the the path of the icon file stored in the device. If the extra data Intent.EXTRA_SHORTCUT_ICON is available in the received broadcast intent, the icon is stored in the device as an image file.
icon_ref
Specifies the package name to retrieve the icon later. If the extra data Intent.EXTRA_SHORTCUT_ICON_RESOURCE is available in the received broadcast intent, the icon is generated at runtime using the package name (and there is therefore no need to store the icon image in the device).
Example
A shortcut added to the remote application "Microsoft Excel" via Citrix Receiver is represented by the following link node:
<link label="Microsoft Excel" icon="/enterprise/usr/ehs_data/images/MicrosoftExcel.png" uri="citrixreceiver://launchapp?pid=1&inname=citrixcloud%3AMicrosoft+Excel+MS&fname=Microsoft+Excel&shortcutCookie=681181718&mobile=0&unikey=0#Intent;action=android.intent.action.VIEW;launchFlags=0x14000000;end" />
EHS Notes:
- This feature is not supported on devices running Android 8.x Oreo (see Oreo section below).
- When Install Shortcuts is enabled, EHS listens for the Android broadcast intent
com.android.launcher.action.INSTALL_SHORTCUT. - When an intent is received, EHS creates the shortcut on the user screen using data carried within the intent.
- The data also is saved in the <Applications> section of the
enterprisehomescreen.xmlfile as indicated above. - To remove a shortcut from user screen, delete the corresponding "link" tag from the config file.
- Adding duplicate shortcuts for the same local or remote application is allowed.
- Shortcuts intended for use by EHS must be added after EHS is installed and made the default launcher.
- EHS does not check the validity of shortcuts; it's up to the administrator to ensure that shortcuts are valid in all circumstances.
Android Notes:
- The Android Launcher monitors the same broadcast intent as EHS, and therefore also receives shortcuts sent to EHS.
- If the Android home screen space limit is reached, Android Launcher displays an error message in EHS.
- To eliminate the error message, temporarily enable the Android Launcher and delete the shortcuts.
On Oreo
For Marshmallow and Nougat Devices, see section above.
EHS has historically offered the ability to add shortcuts programmatically using the INSTALL_SHORTCUT broadcast intent. Android 8.x Oreo replaces this intent with the requestPinShortcut() method of the ShortcutManager class. When shortcuts that link to local apps or remote websites are added in this way, EHS adds a link tag to the config XML file with the attributes listed below and displays the shortcut on the User screen.
To identify a pinned shortcut, EHS uses two attributes in a link tag:
label
The short name for of the pinned shortcut, returned by the ShortcutInfo.getShortLabel() method.
pinned_activity
The activity the shortcut links to, returned by the ShortcutInfo.getPackage() method.
Notes:
When shortcuts that link to local apps or websites are added using the method described above, EHS adds a link tag to the config file as in the sample below:
<applications> <link label="Yahoo" pinned_activity="org.mozilla.firefox" /> </applications>The ability to pin shortcuts to an EHS User-mode screen and write pinned shortcut information to the config file in this way is disabled by default. Before adding shortcuts programmatically, this feature must be enabled using the Pinned Shortcuts tag.
Mass deployment is not supported for pinned shortcuts. Each pinned shortcut must be added manually by an administrator. As with all versions of EHS, shortcuts cannot be cloned from one device to another.
Duplicate shortcuts are permitted. As with all versions of EHS, multiple shortcuts can exist on a device with precisely the same attributes.
To remove added shortcuts, manually delete them from the configuration XML file, as with shortcut handling of prior EHS versions.
On multi-user devices, only the user adding the pinned shortcuts has access to them. Other users see the User-screen shortcut icons but are unable to launch them. This shortcut behavior is consistent with the Android Launcher.
App Launch Flags
EHS supports the option of specifying one or more Android Intent flags when an application is launched, overriding any Intent flag(s) statically defined in the Android Manifest. This can be used to allow an app to launch not with its main activity, for example, but with its most recent one, retaining acquired data that would otherwise have been lost after an inadvertent press of the HOME key immediately after a scan.
App Launch Flags can be assigned only to Kiosk apps or those designated as part of a group. The flag will apply to all apps in groups of the following types:
- Auto-Launch apps
- User-Mode apps
- Tools-Menu apps
- Kiosk apps
EHS does not support assignment of Launch Flags to individual apps.
Supported flags:
- Intent.FLAG_ACTIVITY_BROUGHT_TO_FRONT;
- Intent.FLAG_ACTIVITY_CLEAR_TASK;
- Intent.FLAG_ACTIVITY_CLEAR_TOP;
- Intent.FLAG_ACTIVITY_CLEAR_WHEN_TASK_RESET;
- Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS;
- Intent.FLAG_ACTIVITY_FORWARD_RESULT;
- Intent.FLAG_ACTIVITY_LAUNCHED_FROM_HISTORY;
- Intent.FLAG_ACTIVITY_MULTIPLE_TASK;
- Intent.FLAG_ACTIVITY_NEW_TASK;
- Intent.FLAG_ACTIVITY_NO_ANIMATION;
- Intent.FLAG_ACTIVITY_NO_HISTORY;
- Intent.FLAG_ACTIVITY_NO_USER_ACTION;
- Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP;
- Intent.FLAG_ACTIVITY_REORDER_TO_FRONT;
- Intent.FLAG_ACTIVITY_RESET_TASK_IF_NEEDED;
- Intent.FLAG_ACTIVITY_SINGLE_TOP;
- Intent.FLAG_ACTIVITY_TASK_ON_HOME;
Refer to the Android Intents docs for information about the intended behavior of these flags.
Examples
For User-Mode applications (applies to all apps in the <applications> node):
<applications app_launch_flags="FLAG_ACTIVITY_RESET_TASK_IF_NEEDED;FLAG_ACTIVITY_NEW_TASK">
...
<application label="contacts" package="ccom.android.contacts" activity=""/>
<application label="Manual Scanning" package="com.access.scanassist" activity=""/>
<application label="Calculator" package="com.android.calculator2" activity=""/>
...
</applications>
For Auto-Launch apps (applies to all apps in the <auto_launch> node):
<auto_launch app_launch_flags="FLAG_ACTIVITY_RESET_TASK_IF_NEEDED;FLAG_ACTIVITY_NEW_TASK">
...
<application label="Manual Scanning" package="com.access.scanassist" activity=""/>
...
</auto_launch>
For Tools Menu apps (applies to all apps in the <tools> node):
<tools app_launch_flags="FLAG_ACTIVITY_RESET_TASK_IF_NEEDED;FLAG_ACTIVITY_NEW_TASK">
...
<application label="Calculator" package="com.android.calculator2" activity=""/>
<application label="Rapid Deployment" package="com.motorola.msp" activity="com.motorola.msp.client.RDMenu"/>
<application label="Manual Scanning" package="com.access.scanassist" activity=""/>
...
</tools>
For a Kiosk app:
<kiosk app_launch_flags="FLAG_ACTIVITY_RESET_TASK_IF_NEEDED; FLAG_ACTIVITY_NEW_TASK">
<application label="Calculator" package="com.android.calculator2" activity=""/>
</kiosk>
See the Special Features Guide for information about Kiosk Mode, Privileged Settings and other special EHS features and behaviors.
-->