NFC blocked by security policy

NFC blocked by security policy

Hi,

I'm using SOTI cloud server v13.4 with Android+ devices (Samsung Xcover4) with OS 7, 8 and 9.

I have some random issues while using NFC on my devices.

I have for 10 devices (with exactly same configuration) in same profile/lockdown, some of them are displaying toast message when users try to connect to our app using their NFC card.

The toast is from SOTI and is like "Security policy didn't allow to change settings" (translated from french message) as you can see on my picture.

I discovered that issue is very very very random because when I just renammed the profile and assigned it, the issue disappeared but appears on other devices (which were working correctly with NFC).

In any case I enabled the log file, on one device where I have this issue if you can tell me what's going wrong.

2020-03-02 14:27:26.227|[INCOMING][349]|D|AP|[net.soti.mobicontrol.dl.o.e:107] Start watching permission changes.|
2020-03-02 14:27:26.228|[INCOMING][349]|D|AP|[MCMessageQueue][sendMessage] ==>(send) CommDevConfigMsg|
2020-03-02 14:27:26.240|[INCOMING][349]|D|AP|[IncomingMessageProcessor][run] awaiting next message. IncomingMessageQueue will time out in 72000 ms.|
2020-03-02 14:27:26.412|AsyncTask #3|D|AP|[ClientCertificateStorage][getClientAlias]|
2020-03-02 14:27:26.470|main|D|AP|[KioskLaunchers][onNavigation] user clicked launch://com.ier.tepv.base|
2020-03-02 14:27:26.476|main|D|AP|[KioskLaunchers][onNavigation] launching with v|
2020-03-02 14:27:26.478|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][getAppliedBlacklist] Blocked pkgs: com.android.camera2/com.android.camera.CameraActivity, com.android.launcher3, com.android.quicksearchbox/.SearchActivity, com.android.settings/.Settings, com.google.android.googlequicksearchbox/.SearchActivity, com.samsung.android.app.galaxyfinder, com.samsung.android.app.spage, com.samsung.android.bixby.agent, com.samsung.android.bixby.es.globalaction, com.samsung.android.bixby.plmsync, com.samsung.android.bixby.voiceinput, com.samsung.android.bixby.wakeup, com.samsung.android.rubin.app, com.samsung.android.visionintelligence, com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity, com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity2, com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity3, com.samsung.knox.securefolder/.containeragent.ui.settings.SFTileUtil, com.sec.android.app.camera, com.sec.android.app.controlpanel, com.vlingo.client|
2020-03-02 14:27:26.480|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][changeApplicationState] enable (com.android.settings/.Settings, com.google.android.googlequicksearchbox/.SearchActivity)|
2020-03-02 14:27:26.481|pool-10-thread-1|D|AP|[BaseApplicationControlManager][enableApplicationLaunch] - begin - packageName: com.android.settings/.Settings|
2020-03-02 14:27:26.491|AsyncTask #3|D|AP|[ClientCertificateStorage][getClientAlias] MobiControlIntermediateCA3C5524018A5B8A4CAF7EDEDC2232072D|
2020-03-02 14:27:26.508|AsyncTask #3|I|AP|[ClientCertificateStorage][getKeyManagers] Using MobiControlIntermediateCA3C5524018A5B8A4CAF7EDEDC2232072D for client authentication|
2020-03-02 14:27:26.509|main|D|AP|[net.soti.mobicontrol.lockdown.kiosk.t.b:57] Launch a package: com.ier.tepv.base activity: |
2020-03-02 14:27:26.510|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][getAllBlacklistToApply] Sorted blacklist to apply com.vlingo.client com.sec.android.app.controlpanel com.sec.android.app.camera com.samsung.knox.securefolder/.containeragent.ui.settings.SFTileUtil com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity3 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity2 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity com.samsung.android.visionintelligence com.samsung.android.rubin.app com.samsung.android.bixby.wakeup com.samsung.android.bixby.voiceinput com.samsung.android.bixby.plmsync com.samsung.android.bixby.es.globalaction com.samsung.android.bixby.agent com.samsung.android.app.spage com.samsung.android.app.galaxyfinder com.google.android.googlequicksearchbox/.VoiceSearchActivity com.android.quicksearchbox/.SearchActivity com.android.launcher3 com.android.camera2/com.android.camera.CameraActivity|
2020-03-02 14:27:26.559|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][doEnableApplicationLaunch] Enabled com.android.settings/.Settings: true|
2020-03-02 14:27:26.560|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][enableApplicationLaunch] - end|
2020-03-02 14:27:26.560|pool-10-thread-1|D|AP|[BaseApplicationControlManager][enableApplicationLaunch] - begin - packageName: com.google.android.googlequicksearchbox/.SearchActivity|
2020-03-02 14:27:26.569|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][getAllBlacklistToApply] Sorted blacklist to apply com.vlingo.client com.sec.android.app.controlpanel com.sec.android.app.camera com.samsung.knox.securefolder/.containeragent.ui.settings.SFTileUtil com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity3 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity2 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity com.samsung.android.visionintelligence com.samsung.android.rubin.app com.samsung.android.bixby.wakeup com.samsung.android.bixby.voiceinput com.samsung.android.bixby.plmsync com.samsung.android.bixby.es.globalaction com.samsung.android.bixby.agent com.samsung.android.app.spage com.samsung.android.app.galaxyfinder com.google.android.googlequicksearchbox/.VoiceSearchActivity com.android.settings/.Settings com.android.quicksearchbox/.SearchActivity com.android.launcher3 com.android.camera2/com.android.camera.CameraActivity|
2020-03-02 14:27:26.618|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][doEnableApplicationLaunch] Enabled com.google.android.googlequicksearchbox/.SearchActivity: true|
2020-03-02 14:27:26.618|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][enableApplicationLaunch] - end|
2020-03-02 14:27:26.631|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][getAllBlacklistToApply] Sorted blacklist to apply com.vlingo.client com.sec.android.app.controlpanel com.sec.android.app.camera com.samsung.knox.securefolder/.containeragent.ui.settings.SFTileUtil com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity3 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity2 com.samsung.knox.securefolder/.containeragent.ui.settings.KnoxSettingsActivity com.samsung.android.visionintelligence com.samsung.android.rubin.app com.samsung.android.bixby.wakeup com.samsung.android.bixby.voiceinput com.samsung.android.bixby.plmsync com.samsung.android.bixby.es.globalaction com.samsung.android.bixby.agent com.samsung.android.app.spage com.samsung.android.app.galaxyfinder com.google.android.googlequicksearchbox/.SearchActivity com.android.settings/.Settings com.android.quicksearchbox/.SearchActivity com.android.launcher3 com.android.camera2/com.android.camera.CameraActivity|
2020-03-02 14:27:26.631|pool-10-thread-1|D|AP|[SamsungMdmV5ManualBlacklistProcessor][changeApplicationState] disable (com.google.android.googlequicksearchbox/.SearchActivity, com.android.settings/.Settings)|
2020-03-02 14:27:26.631|pool-10-thread-1|D|AP|[BaseApplicationControlManager][disableApplicationLaunch] - begin - packageName: com.google.android.googlequicksearchbox/.SearchActivity|
2020-03-02 14:27:26.704|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][doDisableApplicationLaunch] Disabled com.google.android.googlequicksearchbox/.SearchActivity: true|
2020-03-02 14:27:26.704|pool-10-thread-1|D|AP|[BaseApplicationControlManager][disableApplicationLaunch] - end|
2020-03-02 14:27:26.705|pool-10-thread-1|D|AP|[BaseApplicationControlManager][disableApplicationLaunch] - begin - packageName: com.android.settings/.Settings|
2020-03-02 14:27:26.724|pool-10-thread-1|D|AP|[SamsungMdmV5ApplicationControlManager][doDisableApplicationLaunch] Disabled com.android.settings/.Settings: true|
2020-03-02 14:27:26.725|pool-10-thread-1|D|AP|[BaseApplicationControlManager][disableApplicationLaunch] - end|
2020-03-02 14:27:26.742|pool-10-thread-1|I|AP|[SamsungMdmV5ManualBlacklistProcessor][applyProfile] - end {[Lockdown blocked:[com.samsung.knox.securefolder/com.samsung.knox.securefolder.containeragent.ui.settings.SFTileUtil, com.samsung.android.rubin.app, com.sec.android.app.camera, com.samsung.android.bixby.wakeup, com.android.quicksearchbox/.SearchActivity, com.android.settings, com.samsung.android.bixby.agent, com.samsung.android.visionintelligence, com.samsung.knox.securefolder/com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingsActivity3, com.samsung.knox.securefolder/com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingsActivity2, com.samsung.android.app.galaxyfinder, com.android.launcher3, com.sec.android.app.controlpanel, com.android.camera2/com.android.camera.CameraActivity, com.samsung.knox.securefolder/com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingsActivity, com.samsung.android.bixby.voiceinput, com.vlingo.client, com.samsung.android.app.spage, com.samsung.android.bixby.es.globalaction, com.samsung.android.bixby.plmsync, com.google.android.googlequicksearchbox], allowed:[com.android.settings/.CredentialStorage, com.android.settings/.Settings$AppDrawOverlaySettingsActivity, com.android.settings/.fingerprint.FingerprintEnrollEnrolling, com.android.settings/.ChooseLockPatternTutorial, com.android.settings/.notification.RedactionInterstitial, com.android.settings/com.samsung.android.settings.nfc.NfcForegroundDialog, com.android.settings/.EncryptionInterstitial, com.android.settings/.ConfirmLockPattern$InternalActivity, com.ier.tepv.base, com.android.settings/.ChooseLockGeneric$InternalActivity, com.android.settings/.bluetooth.RequestPermissionActivity, com.android.settings/.SubSettings, com.android.settings/.ConfirmLock, com.android.settings/.ChooseLockGeneric, com.android.settings/.password.SetNewPasswordActivity, com.google.android.googlequicksearchbox/.VoiceSearchActivity, com.android.settings/.ChooseLockPattern, com.android.settings/.ConfirmLockPassword$InternalActivity, com.android.settings/.Settings$SoundSettingsActivity, com.android.settings/.lockscreen.ChooseLockGeneric, com.android.settings/.ChooseLockPassword, com.android.settings/com.samsung.android.settings.nfc.NfcAdvancedRoutingSetting, com.android.settings/.bluetooth.BluetoothPairingDialog, com.android.settings/.Settings$NfcSettingsActivity, com.android.settings/.ChooseLock, com.android.settings/.nfc.PaymentDefaultDialog, com.android.settings/.fingerprint.RegisterFingerprint, com.android.settings/.ConfirmLockPassword, com.android.settings/.RedactionInterstitial, com.android.settings/.Settings$CryptKeeperSettingsActivity, com.android.settings/.fingerprint.FingerprintEnrollFindSensor, com.android.settings/.ChooseLockAdditionalPin, com.android.settings/com.samsung.android.settings.nfc.HowItWorks, com.android.settings/.fingerprint.FingerprintEnrollFinish, com.android.settings/.ConfirmLockGeneric], enabled:true, forcePolling:false, SamsungPackageDisabling:false]}|
2020-03-02 14:27:26.743|pool-10-thread-1|D|AP|[net.soti.mobicontrol.lockdown.ar.a:63] end applying lockdown restrictions|
2020-03-02 14:27:26.756|pool-10-thread-1|D|AP|[LockdownLauncherService][doLaunchLockdown] begin|
2020-03-02 14:27:26.756|pool-10-thread-1|D|AP|[BaseLockdownManager][clearHistoryAndStartKiosk]|
2020-03-02 14:27:26.820|RxComputationThreadPool-3|D|AP|[net.soti.mobicontrol.dl.o.onOpChanged:66] Agent doesn't need permissions true.|
2020-03-02 14:27:26.821|RxComputationThreadPool-3|D|AP|[net.soti.mobicontrol.dl.o.onOpChanged:67] Op change is not valid = false for type APP_ACCESS_NOTIFICATION VS received change type access_notification_op_type.|
2020-03-02 14:27:27.067|AsyncTask #3|D|AP|[AppCatJsonProcessor][getJsonObject]Connecting to: https://S008435.mobicontrolcloud.com/mc/mdm/appcatalog/json/355621085944357|
2020-03-02 14:27:27.113|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:88] begin|
2020-03-02 14:27:27.115|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:90] getting profile 2|
2020-03-02 14:27:27.116|main|D|AP|[net.soti.mobicontrol.lockdown.dx.b:46] begin|
2020-03-02 14:27:27.117|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:88] begin|
2020-03-02 14:27:27.121|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:90] getting profile 2|
2020-03-02 14:27:27.121|main|D|AP|[net.soti.mobicontrol.lockdown.dx.b:46] begin|
2020-03-02 14:27:27.124|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:88] begin|
2020-03-02 14:27:27.126|main|D|AP|[net.soti.mobicontrol.lockdown.dx.a:90] getting profile 2|
2020-03-02 14:27:27.127|main|D|AP|[net.soti.mobicontrol.lockdown.dx.b:46] begin|
2020-03-02 14:27:27.128|main|D|AP|[net.soti.mobicontrol.lockdown.dx.b:96] getProfile 2|
2020-03-02 14:27:27.175|pool-10-thread-1|D|AP|[LockdownLauncherService][doLaunchLockdown] finished|
2020-03-02 14:27:27.184|pool-10-thread-1|D|AP|[DefaultLockdownProcessor][updateLockdownState] inLockdownMode: true|
2020-03-02 14:27:27.187|pool-10-thread-1|I|AP|[SingleAppModeAdminModeGestureService][receive] Message:Message{destination='net.soti.mobicontrol.lockdown', action='start'} , Action:start|
2020-03-02 14:27:27.188|pool-10-thread-1|D|AP|[net.soti.mobicontrol.lockdown.dx.a:88] begin|
2020-03-02 14:27:27.191|pool-10-thread-1|D|AP|[net.soti.mobicontrol.lockdown.dx.a:90] getting profile 2|
2020-03-02 14:27:27.192|pool-10-thread-1|D|AP|[net.soti.mobicontrol.lockdown.dx.b:46] begin|
2020-03-02 14:27:27.193|pool-10-thread-1|I|AP|[SingleAppModeAdminModeGestureService][receive] Is not in single app mode; disable admin mode gesture|
2020-03-02 14:27:27.204|pool-10-thread-1|D|AP|[PendingActionProcessor][receive] - begin - message: Message{destination='net.soti.mobicontrol.lockdown', action='start'}|

 

I precise that all devices are working with agent 13.7.5.1013 ELM and were working perfectly with NFC detection before profile update.

Please check attachment for more details.

Many thanks for your helps.

 

5 Answers

Order By:   Standard | Newest | Votes
Raymond Chan | posted this 07 April 2020

Have you checled whether the "Change System Settings" permission of your device agent has been enabled on your problematic devices?  You can check/configure this option under MobiControl device agent app item in the App Manager tab of your device's Settings.  

  • 0
  • 0
Farid.S | posted this 07 April 2020

Hi Raymond,

I made a test, it's already granted on app manager of my device.

What I didn't undertstant is when I just update the profile by renaming the profile and assigned it, the problem disappeared on some devices, but appears on other devices...

  • 0
  • 0
Raymond Chan | posted this 08 April 2020

As your ten devices are running dfiferent Android firmware versions (7, 8 or 9),  the underlying Knox libraries may also be of different versions.  Could you please check if all problematic devices are running the same android version?

Please also verify that the version and  build numbers of all 10 devices are the same?

  • 0
  • 0
Farid.S | posted this 08 April 2020

Hi,

In any case, below is the link to see my issue on video:

 

https://drive.google.com/file/d/1CysgHscs3307ajhWgTCL6YZEWrl-bB76/view?usp=sharing

 

I don't think that issue is due to devices, but mainly due to SOTI issue because last week all devices was working correctly with NFC tag.

Since we updated their profile, most of them got the issue. If I reassigned again the profile, some of them will work correctly and other ones won't work.

We have almost 5500 Android devices on SOTI everything was working correctly before we change the template to add a new link.

Approximately 150 of the 5500 devices got NFC issue due to security policy whereas other devices with exactly same settings/versions are working.

The issue is, why assigning profile (just with new name) is solving this issue regarding NFC???

 

Please note that this issue appears on all OS version from 7 to 9.0

In any case, below is configuration of a device wich didn't work (until I reassign same profile on it):

  • 0
  • 0
Farid.S | posted this 08 April 2020

Hi Raymond,

SOTI support sent me the solution below which was working fine:

1. Disable "Package Blocking"

2. Enable "Samsung Package Disabling"

 

Hope thsi will help some other users.

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback