How the UCM framework works

The UCM framework uses an application whitelist to control credential storage and access. UCM determines whether an app is legitimately authorized to access a storage space or a particular credential by checking the whitelist against the application's UID.

Whitelisting access to credentials

The UCM framework has two types of whitelists to access credentials:

  • Whitelist per Storage: If an application is added to this whitelist, the application can access the third-party UCM plugin that manages credentials on the third-party storage device. Only MDMs with the proper UCM permission can configure this whitelist.
  • Whitelist per Credential: The MDM that installs the credential owns the credential and is the only one that can configure this whitelist.

Pre-installed credentials do not have an MDM installer and cannot be managed through the Whitelist per Credential. Instead, these credentials are managed through the Whitelist per Storage.

Managing multiple users

The UCM framework supports user space isolation for multiple user accounts, depending on the plugin configuration. All UCM Cryptography actions involve both a user ID and an application UID. The UCM plugin retrieves the user's information when an MDM or third party tries to install credentials. The UCM plugin can then store the credentials separately for each user and return the proper credentials for the requesting user. This isolated access depends on the plugin's implementation. For more information, see Create a UCM plugin.

Handling credential requests

The Android KeyStore provides the following types of credential storage on Android devices:

  • KeyChain: The credentials installed by KeyChain are accessible by all applications using KeyChain and KeyChainActivity.
  • KeyStore: Credentials installed by KeyStore are accessible exclusively through the installer.
  • Wi-Fi: Credentials installed for Wi-Fi are accessible only to the Wi-Fi module. Depending on the plugin's implementation, UCM Cryptography can take the same approach using a UCM resource ID.

When an application requests credentials, the UCM framework sends a different UCM resource ID to the plugin for authentication, depending on the storage type the application uses. If the application uses:

  • KeyChain: The UCM framework sends SHARED_KEYCHAIN_RESOURCE.
  • KeyStore: The UCM framework sends PRIVATE_RESOURCE.
  • Wi-Fi: The UCM framework sends SHARED_WIFI_RESOURCE.

The UCM plugin then retrieves the requested credentials and sends them through the UCM framework to the requesting application.
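The following is an added example, not Samsung's code or the UCM API: a Python model of the authorization decisions implied by the two whitelists, the user-space isolation and the resource-ID mapping described above. The storage names, UIDs, the string values of the resource IDs and the rule that an installing MDM keeps access to its own credential are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Resource IDs named in the text; the string values are constructed placeholders.
SHARED_KEYCHAIN_RESOURCE, PRIVATE_RESOURCE, SHARED_WIFI_RESOURCE = (
    "SHARED_KEYCHAIN_RESOURCE", "PRIVATE_RESOURCE", "SHARED_WIFI_RESOURCE")
# Access path the app uses -> resource ID the framework sends to the plugin.
RESOURCE_BY_ACCESS_PATH = {"keychain": SHARED_KEYCHAIN_RESOURCE,
                           "keystore": PRIVATE_RESOURCE, "wifi": SHARED_WIFI_RESOURCE}

@dataclass
class Credential:
    alias: str
    storage: str                   # third-party storage the plugin manages (assumed name)
    user_id: int                   # Android user the credential was installed for
    installer_uid: "int | None"    # None models a pre-installed credential (no MDM installer)
    whitelist: set = field(default_factory=set)  # Whitelist per Credential (app UIDs)

class UcmModel:
    def __init__(self, ucm_permitted_mdms):
        self.ucm_permitted_mdms = set(ucm_permitted_mdms)  # MDM UIDs holding the UCM permission
        self.storage_whitelists = {}  # Whitelist per Storage: storage name -> app UIDs
        self.credentials = []

    def whitelist_storage(self, caller_uid, storage, app_uid):
        # Only an MDM holding the UCM permission may edit the Whitelist per Storage.
        if caller_uid not in self.ucm_permitted_mdms:
            return False
        self.storage_whitelists.setdefault(storage, set()).add(app_uid)
        return True

    def whitelist_credential(self, caller_uid, cred, app_uid):
        # The installing MDM owns the credential; pre-installed ones have no owner to edit this.
        if cred.installer_uid is None or caller_uid != cred.installer_uid:
            return False
        cred.whitelist.add(app_uid)
        return True

    def authorize(self, app_uid, user_id, storage, alias):
        # 1. The app must be on the storage whitelist to reach the plugin at all.
        if app_uid not in self.storage_whitelists.get(storage, set()):
            return False
        # 2. User-space isolation: only credentials installed for the caller's user are visible.
        cred = next((c for c in self.credentials if c.storage == storage
                     and c.alias == alias and c.user_id == user_id), None)
        if cred is None:
            return False
        # 3. Pre-installed credentials are governed by the storage whitelist alone; installed
        #    ones also need the per-credential whitelist (installer assumed to keep access).
        return cred.installer_uid is None or app_uid == cred.installer_uid or app_uid in cred.whitelist
```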