== About Good Agent ==
Good Agent is a Good Dynamics application. It is the device side of a solution which brings advanced security features to capable Android devices.

== Advanced Security - Application 'spaces' ==
One of the main features is splitting the Android device into several 'spaces'. These 'spaces' use SEAndroid (SELinux for Android) concepts to control the interaction rules between applications at the kernel and system level. This kernel and system level enforcement adds protection that augments the existing Good Dynamics container security; existing GD security is not compromised or altered in any way. No application, GD or non-GD, requires any modification to function in these 'spaces'.

Good Agent is the device side entity which controls the creation and management of these 'spaces' on compatible Android devices. Management of 'spaces' (e.g. application membership of a space) is controlled by the enterprise IT admin in the Good Control server, not by the end user. The Good Agent app UI informs the user of the configuration of 'spaces' on the device and of configuration changes which affect their 'space' configuration.

=== Enterprise Space ===
This is a Good specific space; it does not exist until Good Agent is activated. The IT admin controls which applications are placed into this space using a combination of app package name and signing certificate, which together establish the identity of a specific application (a package name alone does not prove who built the app, so it is not sufficient on its own). The Enterprise Space has no allowed interaction with the Personal Space. This has two important security implications: (a) personal applications cannot launch or in any way interact with enterprise applications; (b) data cannot be transmitted from enterprise apps to personal apps.

=== Shared Space ===
This is a Good specific space; the IT admin controls it in the same way as the Enterprise Space.
The Shared Space is used to 'promote' applications from the Personal Space which the IT admin has sanctioned to have certain limited interaction with enterprise applications. Applications in the Shared Space continue to interact with applications in the Personal Space.

=== Personal Space ===
This is the default application space. The majority of applications pre-installed on the device, and by default all applications installed via the Google Play Store (or any third-party app store), are placed into the Personal Space when installed.

=== System Space ===
This is the space that contains the core system components required for device operation. The System Space can interact with all other spaces.

== Advanced Security - Attestation ==
Application 'spaces' are an important tool in ensuring Android security. Another main security feature of Good Agent is attestation: the process of attesting the device's integrity to ensure the device itself is not compromised. A compromised device is one which has been rooted or exploited in some fashion, or one which has been flashed with a custom ROM. Attestation is considerably stronger than application level root detection, because the measurements are taken below the Android OS rather than by code running inside the OS being judged, where a root detection check can be patched or hooked.

Attestation is a challenge/response exchange. A remote entity generates a 32 byte nonce and issues it to the device to start the attestation challenge. The attestation itself executes in the ARM TrustZone secure world (the trusted execution environment), which takes certain measurements of the device, bootloaders, hardware and kernel. These measurements, bound to the nonce, are assembled into a blob which is signed with the device private key. The remote server verifies the signature against the public key enrolled for that device, checks that the blob carries the nonce it issued (so a report captured earlier cannot be replayed), and decodes the measurements. Based on these measurements the device integrity can be ascertained (for example it can be determined whether a custom ROM has been flashed onto the device). The scheme depends on the device private key being generated and held inside the secure world; measurements in a blob whose signature does not verify must not be trusted at all.

== Advanced Security - MDM APIs ==
Good Agent is an active device management agent. It has the ability to use MDM APIs to restrict or control certain aspects of device behaviour.
The Beta Trial version of Good Agent supports several device restrictions. These restrictions are controlled by an enterprise IT admin in the Good Control server, not by the end user, and are configured via the application policy for Good Agent in the Good Control console. Good Agent currently supports the following restrictions in the Beta version.

=== Block Camera ===
This restriction can be used by an IT admin to disable the camera without user interaction. The user and third-party applications cannot enable the camera once it is disabled. This restriction disables the photo camera, video camera, and video telephony functionality.

=== Block Bluetooth ===
This restriction can be used by an IT admin to disable Bluetooth without user interaction. The user and third-party applications cannot enable Bluetooth once it is disabled. Bluetooth can be turned on again by setting this restriction to off.

=== Disable Factory Reset ===
This restriction can be used by an IT admin to prevent the user from performing a factory reset. If set, the user cannot change the option through the Settings application.

=== Block SD Card ===
This restriction can be used by an IT admin to disable data access to the external SD card. If set, any attempt to transfer data to the SD card fails.

=== Block NFC ===
This restriction can be used by an IT admin to enable or disable NFC without user interaction. If set, the user cannot change it through the Settings application.

=== Block Tethering ===
This restriction can be used by an IT admin to block the device from sharing its carrier data connection with another device through USB, Wi-Fi, or Bluetooth.

=== Block Debug Mode ===
This restriction can be used by an IT admin to block USB debugging. If set, this blocks any kind of device debugging through the Dalvik Debug Monitor Server (DDMS) or adb.

=== Block Screen Capture ===
This restriction can be used by an IT admin to prevent the user from taking screenshots of the device screen. It also blocks screenshots taken through the Dalvik Debug Monitor Server (DDMS).

=== Block KIES via USB ===
This restriction can be used by an IT admin to enable or disable device detection by Samsung Kies through a USB connection.

=== Disable Google Play Store ===
This restriction can be used by an IT admin to disable access to the Google Play Store.

=== Disable Native Browser ===
This restriction can be used by an IT admin to disable the native browser. This setting applies to the native Android browser provided by the Android platform; it does not apply to any third-party browser.

=== Block Wi-Fi ===
This restriction can be used by an IT admin to disable Wi-Fi without user interaction. The user and third-party applications cannot enable Wi-Fi once it is disabled.
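The attestation exchange described in the Advanced Security - Attestation section above, as an added example that is not Good Agent's or Good Technology's code: a verifier issues a 32 byte nonce, a simulated device signs the nonce together with its measurements with its device private key, and the verifier checks the signature, the nonce and the measurements in that order, then rejects a replay of the same blob. The measurement fields, the JSON blob layout, Ed25519 as the device key algorithm and the golden values are assumptions made for this illustration; the page does not specify any of them.

```go
// Added example, not Good Agent's code: a model of the nonce-based attestation
// challenge/response. attest() stands in for the TrustZone service, Verifier for
// the remote server. Field names, blob encoding and golden values are assumed.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Measurements is an illustrative subset of what the secure world reports.
type Measurements struct {
	BootloaderHash string `json:"bootloader"`
	KernelHash     string `json:"kernel"`
	SystemHash     string `json:"system"`
	Unlocked       bool   `json:"bootloader_unlocked"`
}

// Blob binds the measurements to the nonce so a captured report cannot be replayed.
type Blob struct {
	Nonce        []byte       `json:"nonce"`
	Measurements Measurements `json:"measurements"`
}

// attest is the device side: serialise nonce+measurements and sign them with
// the device private key (which in reality never leaves the TEE).
func attest(key ed25519.PrivateKey, state Measurements, nonce []byte) (blob, sig []byte, err error) {
	if blob, err = json.Marshal(Blob{Nonce: nonce, Measurements: state}); err != nil {
		return nil, nil, err
	}
	return blob, ed25519.Sign(key, blob), nil
}

// Verifier holds the enrolled device key, the golden measurements and outstanding nonces.
type Verifier struct {
	devKey  ed25519.PublicKey
	golden  Measurements
	pending map[string]bool
}

func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32) // the 32 byte nonce that starts the challenge
	_, err := rand.Read(nonce)
	v.pending[fmt.Sprintf("%x", nonce)] = true
	return nonce, err
}

// Verify checks signature, then nonce freshness, then measurements; nil means intact.
func (v *Verifier) Verify(blob, sig []byte) error {
	if !ed25519.Verify(v.devKey, blob, sig) {
		return fmt.Errorf("signature not from enrolled device key")
	}
	var b Blob
	if err := json.Unmarshal(blob, &b); err != nil {
		return err
	}
	key := fmt.Sprintf("%x", b.Nonce)
	if !v.pending[key] {
		return fmt.Errorf("unknown or already used nonce: possible replay")
	}
	delete(v.pending, key) // each nonce is single use, even if the verdict below is negative
	if b.Measurements != v.golden {
		return fmt.Errorf("measurements %+v differ from golden %+v: custom ROM, custom kernel or unlocked bootloader suspected", b.Measurements, v.golden)
	}
	return nil
}

// RunScenario performs one exchange for a device in state actual, judged against
// golden, then resubmits the identical signed blob; it returns both verdicts.
func RunScenario(golden, actual Measurements) (verdict, replay error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	v := &Verifier{devKey: pub, golden: golden, pending: map[string]bool{}}
	nonce, err := v.Challenge()
	if err != nil {
		return err, err
	}
	blob, sig, err := attest(priv, actual, nonce)
	if err != nil {
		return err, err
	}
	verdict = v.Verify(blob, sig)
	replay = v.Verify(blob, sig)
	return verdict, replay
}

func main() {
	golden := Measurements{BootloaderHash: "bl-1", KernelHash: "k-1", SystemHash: "sys-1"}
	custom := Measurements{BootloaderHash: "bl-1", KernelHash: "k-1", SystemHash: "cm-11"} // custom ROM image
	fmt.Println(RunScenario(golden, golden))
	fmt.Println(RunScenario(golden, custom))
}
```

Two design points worth noting: the signature is checked before the blob is parsed, so nothing in an unsigned or wrongly signed blob (including its nonce) influences the verifier, and the nonce is consumed before the measurements are compared, so a device that fails cannot keep retrying the same challenge with edited measurements.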