Zebra's GMS Restricted Mode

Darryn Campbell

Zebra’s GMS Restricted Mode is a device state that provides complete control over which GMS applications and services are available on a Zebra device. Activating this mode disables all Google applications and services that are part of Google Mobile Services, providing improved control over data privacy.

In practice, this means that many applications on a GMS Restricted device are disabled, including Google Chrome, the Play Store app, YouTube, Gmail, Google Maps, Photos, etc. Any application that depends on Google Play Services in any way can no longer rely on those Play Services being available; Play Services cover a range of functionality, the most commonly used in enterprise being location, SafetyNet, Maps and Firebase Cloud Messaging.

Important Notes:

  • When location services are disabled, the device is set to “Device Only” location mode when in a restricted state unless otherwise specified as part of a profile.
    • This will have a knock-on effect on applications which request the coarse LOCATION permission and any functionality dependent on it (e.g. the BluetoothDevice.ACTION_FOUND Intent), since coarse location only provides access to the NETWORK_PROVIDER.
    • Location is available when the Maps profile is enabled.
  • Zebra make no guarantees that third-party applications from the Play Store will run under GMS Restricted since the dependencies of these applications on Play Services are unknown.
  • Firebase Cloud Messaging (FCM) is used by many third-party applications to provide on-demand notification delivery. Applications that use FCM will no longer receive cloud messages through this framework when GMS Restricted is in effect, unless the corresponding profile is enabled.
  • The ability to add or manage users on a device is prevented by GMS Restricted; GMS Restricted is not compatible with any Google accounts already present on the device.
  • The default Google Package Verifier will not be available in GMS Restricted and is replaced with the Qualcomm package verifier. Zebra offer many other ways to prevent malicious applications from being sideloaded, for example MX Whitelisting via the Access Manager.
  • GMS Restricted and Android Multi-User are mutually exclusive features.

In exchange for the absence of Google applications and services, a GMS Restricted device cannot communicate with Google servers for any purpose. This can help alleviate privacy concerns, reduce network bandwidth and, to a lesser degree, reduce the device memory footprint.

Example device experience out of the box

Example device experience after applying GMS Restricted

A device in the GMS Restricted state enforces no limitations on non-GMS applications. Since not all GMS applications are mandatory, the GMS apps on a Zebra device might differ from a consumer smartphone to best suit enterprise use cases. A GMS Restricted device is still able to:

  • Run applications that are not part of GMS (on the condition that they do not have dependencies on GMS components).
  • Run third party applications (on the condition that they do not have dependencies on GMS components).
  • Run Zebra value-add applications built into the device, unless otherwise specified.
  • Run Zebra value-add applications that are post-loaded onto the device (for example, Enterprise Browser), unless otherwise specified.
  • Make and receive phone calls
  • Use a WAN data connection
  • Send Zebra analytics (unless disabled) or analytics for third-party applications. Note that many analytics endpoints are hosted on Google infrastructure.

GMS Restricted Profiles

GMS Restricted Profiles allow an administrator to select GMS functionality from a curated list to run on an otherwise restricted device. For example, by default a GMS Restricted device does not have a browser, but by applying the ‘Chrome’ profile you can use the Chrome browser.

Applying a profile will enable the application associated with that profile (if applicable) and any underlying GMS applications or services on which that application depends. An application’s dependencies may change from one Android version to another, so a definitive list of those dependencies is not publicly available. By applying GMS Restricted with a profile, you do not have to track changes to those dependencies yourself, since that is handled by Zebra’s MX layer.

By enabling a profile, you are opening the possibility for your device to communicate with Google services and the amount of data exchanged with Google services will depend on the profile which has been enabled and the applications therein.  The table below gives an indication of the amount of data exchanged but should be considered as guidance only.

Available profiles:

| Profile Name | Description | Dependencies | Dependency on Google servers |
|---|---|---|---|
| Chrome | Enables the Chrome browser. | Few | Light |
| Maps | Enables the Google Maps application, enables location mode and sets the location accuracy to the highest mode available on the device. | Many, including Google Play Services | Heavy, since all map data and some location data will be gleaned from Google servers. |
| Firebase Cloud Messaging | Allows applications to receive Firebase Cloud Messages, which are particularly useful for pushing asynchronous messages to the device and performing background operations during doze mode. | Many, including Google Play Services | Medium, since Firebase Cloud Messaging is owned by Google and runs on their infrastructure. |

Additional profiles may be added in the future, please consult the techdocs documentation for GMS Manager for an authoritative list of available profiles.

Important Notes for GMS Restricted Profiles:

  • Only the version of the GMS application which ships with the device has been validated in GMS Restricted Mode. You should not install or update the GMS app from the Play Store prior to applying Restricted Mode.
  • Only one profile can be applied at a time and you cannot combine profiles.

Entering GMS Restricted

GMS Restricted is a configuration setting applied to a GMS device; it is not a separate product or OS image.

To activate GMS Restricted on a device using Zebra StageNow:

| CSP | Action | Description | Applies to |
|---|---|---|---|
| GMS Manager | Restricted | Disables all GMS applications and services on a device. For example, the Play Store app, YouTube, Gmail, Google Maps, Photos, Chrome and Play Services. | MX: 8.3+; Android API: 26+; SDM-660 platform devices only |
| GMS Manager | All | Enables all GMS applications and services on the device. This is the default condition out of the box. | MX: 8.3+; Android API: 26+; SDM-660 platform devices only |
| GMS Manager | Profiled | Causes a specific GMS app (and its dependencies) to be enabled on the device whilst disabling all other GMS packages. | MX: 9.0+; Android API: 26+; SDM-660 platform devices only |

Related to the functions in GMS Manager are App Manager’s EnableGMSApps and DisableGMSApps actions. Where possible, the GMS Manager should be used in preference to App Manager.

The GMS Manager’s Restricted action acts immediately to disable all GMS packages except those required to boot the device. When a device is in this state:

  • No GMS packages are able to run or communicate with Google servers, including (but not limited to) the following apps:
    • The Play Store
    • Hangouts
    • Google Photos
    • Google Play Movies
    • Google Maps
    • Google Drive
    • Play Music
    • Gmail
    • Search
    • YouTube
    • Chrome
    • The list of GMS apps can vary from one Android version to another
    • This includes (but is not limited to) the following services:
    • Because enhanced location is not available, the only way for a device to determine its position is through GPS (if it has the appropriate hardware) or through off-device RTLS technologies (unless an appropriate profile is applied).
  • Neither built-in GMS applications nor the platform itself can exchange diagnostic data, analytics data or location information with Google.
    • This does not include the Zebra analytics service which can be separately disabled using the Analytics Manager.
  • Applications that depend on GMS packages or applications have reduced functionality, notably any application that depends on Google Play Services.
    • Some examples of use cases that are not available on a GMS Restricted device:
      • Applications that use the Google Maps component must find an alternative or enable the Maps profile.
      • Applications that verify the integrity of the device will not be able to use the attestation API.
  • The device keyboard is handled as a special case. When GMS Restricted is applied, the GMS keyboard is disabled but alternative keyboards are available on the device. Administrators are free to enable one of the available keyboards using the MX UI Manager Input Method Package Name attribute:
    • For the AOSP keyboard, specify:
      • InputMethodPackageName: com.android.inputmethod.latin
      • InputMethodClassName: com.android.inputmethod.latin.LatinIME
    • For Zebra’s own Enterprise Keyboard, specify:
      • InputMethodPackageName: com.symbol.mxmf.csp.enterprisekeyboard
      • InputMethodClassName: com.android.inputmethod.latin.LatinIME
    • Note: GMS Restricted may default to the AOSP keyboard automatically, but in early releases it may be necessary to specify the desired keyboard with the MX UI Manager.
  • Having a secondary or guest user on the device is not compatible with GMS Restricted; only the primary user is supported. In most instances the user is prevented from creating secondary users when the device is in the GMS Restricted state. Although a Device Owner is still technically capable of creating additional users on a device in the GMS Restricted state, Zebra strongly discourages this practice because GMS Restricted is not in effect for those additional users.
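Applications deployed to a GMS Restricted device need to discover which of the capabilities above are actually present rather than assume them. The following probe is an added example (not Zebra's code and not part of the original post): it reports whether Google Play Services, the Maps app and network-provider location are usable so the app can degrade gracefully. The `GmsCapabilities` class and the two package-name constants are assumptions for illustration; check them against the OS build you deploy.

```java
// Added example (not from the original post): probe what a device in the GMS
// Restricted state still offers, so an app can fall back instead of assuming
// Play Services, Google Maps or network location are available.
import android.content.Context;
import android.content.pm.PackageManager;
import android.location.LocationManager;
import android.provider.Settings;
import com.google.android.gms.common.ConnectionResult;
import com.google.android.gms.common.GoogleApiAvailability;

public final class GmsCapabilities {
    // Package names assumed for illustration; verify against your device's OS build.
    static final String PLAY_SERVICES_PKG = "com.google.android.gms";
    static final String MAPS_PKG = "com.google.android.apps.maps";

    public final boolean playServicesUsable;  // FCM, SafetyNet, Maps SDK, fused location
    public final boolean mapsAppEnabled;      // true only when the Maps profile is applied
    public final boolean networkLocation;     // coarse location; also gates BluetoothDevice.ACTION_FOUND
    public final boolean deviceOnlyLocation;  // "Device Only" mode: GPS hardware only

    private GmsCapabilities(boolean ps, boolean maps, boolean net, boolean devOnly) {
        playServicesUsable = ps; mapsAppEnabled = maps;
        networkLocation = net; deviceOnlyLocation = devOnly;
    }

    /** True if the package is installed and has not been disabled (e.g. by MX). */
    static boolean isPackageEnabled(PackageManager pm, String pkg) {
        try {
            int state = pm.getApplicationEnabledSetting(pkg);
            return state == PackageManager.COMPONENT_ENABLED_STATE_ENABLED
                || state == PackageManager.COMPONENT_ENABLED_STATE_DEFAULT;
        } catch (IllegalArgumentException notInstalled) {
            return false;
        }
    }

    public static GmsCapabilities probe(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        // With Play Services disabled by GMS Restricted this returns SERVICE_DISABLED
        // or SERVICE_MISSING; only SUCCESS means the Play Services APIs can be used.
        int ps = GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(ctx);
        LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
        int mode = Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.LOCATION_MODE, Settings.Secure.LOCATION_MODE_OFF);
        return new GmsCapabilities(
                ps == ConnectionResult.SUCCESS,
                isPackageEnabled(pm, MAPS_PKG),
                lm != null && lm.isProviderEnabled(LocationManager.NETWORK_PROVIDER),
                mode == Settings.Secure.LOCATION_MODE_SENSORS_ONLY);
    }
}
```

Call `GmsCapabilities.probe(context)` at start-up and skip FCM registration, Maps intents or SafetyNet attestation when the corresponding flag is false.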

When to Apply

If GMS Restricted state is to be used, Zebra strongly recommends that it be employed as soon as possible after device boot and before establishing a Wi-Fi connection. Before the GMS Restricted Action is applied, the device can communicate with Google, potentially allowing data to “escape.” This can be achieved in StageNow by applying the GMS Restricted Action as one of the first steps in the initial staging profile.

  • The setup wizard bypass barcode is scanned, which automatically launches the StageNow client on the device. This is not required for GMS Restricted but is common to many workflows.
  • A staging profile is scanned and performs the following actions:
    1. GMS Restricted is applied using the Restricted Action of GMS Manager CSP or one of the available profiles.
    2. Perform additional staging actions, such as configuring the Wi-Fi network.

If a deployment uses a SIM card that can access a public APN, Zebra recommends that this SIM card be installed after the device is put into a GMS Restricted state to prevent data from leaving the device.

Google Play Services will attempt to install very soon after the device receives a Wi-Fi or data connection, even without a Google account on the device. Allowing Play Services to install or partially install can in some instances interfere with or disable the default device WebView, so it is important to apply GMS Restricted at the earliest opportunity.

Moving from AOSP to GMS Restricted

The following applications are present on non-GMS (AOSP) devices but do not have an out-of-box equivalent on a GMS-Restricted device:

  • Browser, unless the Chrome profile has been applied
  • Email
  • Gallery
  • Calendar
  • Music
  • Search

Where available, a GMS Restricted Profile can be used to re-introduce the functionality; for example, the Chrome profile will provide a browser on a GMS Restricted device.

It is not possible to re-enable system applications piecemeal on a device in Restricted mode. Alternative third-party applications could be deployed to re-enable any missing capabilities, although Zebra does not make any recommendations on which alternative applications to use.

Doze mode is disabled on devices in the GMS Restricted state. This matches the behaviour of non-GMS (AOSP) devices, which do not have doze mode enabled.

Line-of-business or third-party applications that ran on AOSP devices continue to run on devices in the GMS Restricted state. However, third-party applications often make use of Google Play Services to provide core functionality, so be sure to thoroughly test any application not specifically designed to run on non-GMS (AOSP) devices before deployment to a device in GMS Restricted Mode.

Although the Play Store is not available on a GMS-Restricted device, any of the techniques for distributing applications that work for non-GMS devices also work for GMS-Restricted devices. The most popular technique is to use the StageNow AppManager CSP to install and upgrade applications. Side-loading apps is also an option, but side-loading of GMS applications is not supported or allowed under the terms and conditions of those apps.

How does it work?

GMS Restricted works at the application level, not the network level. This means that although no GMS packages on the device can communicate externally, non-GMS applications such as a third-party web browser are not prevented from communicating with www.google.com, for example.

Persisting GMS Restricted

Device Reboot, OS Update and relation to App Manager

Both operations survive a device reboot, but there is an important distinction between the functions of the GMS Manager and the related “DisableGMSApps” action of App Manager when updating the Operating System:

  • AppManager actions only apply to the applications on the device at the time “DisableGMSApps” is called. New GMS applications present in a subsequent OS update will not be disabled following that update.
  • GMSManager actions can be relied upon to persist across an OS update, and any newly introduced GMS apps in that update will be disabled automatically. Any new or changed dependencies of the GMS apps are taken care of by MX during the OS upgrade process.

Notes:

  1. Where “DisableGMSApps” has been applied on a device, Zebra recommends invoking “EnableGMSApps” prior to an OS update to exit the GMS Restricted state and ensure the device is in a known working state.
  2. When transitioning from an OS which does not support GMS Restricted (i.e. it is running an MX version earlier than 8.3) to an OS that does, you cannot transition from the AppManager’s “DisableGMSApps” state in a single step during an OS update. To move to GMS Restricted in this scenario it is necessary to first invoke AppManager’s “EnableGMSApps”, then perform the OS update, then enter GMS Restricted mode via the GMSManager after the update has completed.

Enterprise Reset

To enable persistence following an Enterprise Reset, it is necessary to use the Persistence Manager, set the Power Manager’s ‘Setup Wizard Bypass’ action to “true”, and initiate the Enterprise Reset via the Power Manager. This prevents the setup wizard (a GMS component) from being displayed while GMS Restricted is being applied following the reset.

Factory Reset

It is not possible to persist the GMS Restricted state following a Factory Reset.
