Overview
OLOID DeviceLock MFA is an Android/iOS application that hardens device security with multi‑factor authentication and granular session controls.
This guide walks Workspace ONE UEM administrators through publishing the SDK‑built app, establishing trust with the Omnissa SDK, and configuring launcher and kiosk settings so end‑users receive a secure, streamlined experience.
Prerequisites
Requirement | Details |
Workspace ONE UEM Console access | Admin role with rights to add internal apps and assign SDK profiles |
Signed application package |
|
SDK profile | Use Workspace ONE default profile or a custom SDK profile that meets your organisation’s security policy |
Smart Groups | Groups that represent the target devices/users |
(Android only) Device policy | Allows Device Admin, Overlay, and Accessibility permissions |
Deployment Workflow
Upload the signed app to Resources → Native Apps → Internal.
Assign an SDK profile to whitelist OLOID’s public signing key (establishes trust).
Save & Assign the app to Smart Groups.
(Optional) Adjust launcher layout so the icon is visible.
(Recommended) Enable App Data/Cache Clearing for logout hygiene.
Configure Excluded Package Names if needed.
Enable Lock Task Mode for kiosk/pinned scenarios.
On‑device: grant Device Admin, Overlay, and Accessibility permissions.
Future updates: upload new APK/IPA → push to devices → reboot.
Step‑by‑Step Configuration
1. Upload the Application
Log in to Workspace ONE UEM Console.
Navigate to Resources › Native Apps › Internal and click Add Application.
Browse to the signed .apk or .ipa, then Upload.
Enter app metadata as required (version, description, icon).
2. Assign an SDK Profile (CRITICAL)
In the newly added app, click Edit › More › SDK.
Select the appropriate SDK Profile from the dropdown.
Default profile is acceptable unless you have custom SDK settings.
Save.
Why it matters: Workspace ONE extracts OLOID’s public signing key and whitelists it. When the user launches the app, Workspace ONE verifies this key to establish trust. Skipping this step causes installation failures or “untrusted app” errors.
3. Save & Assign
Click Save & Assign.
In the Assignment window:
Choose the Smart Groups (device/user cohorts).
Pick a Push Mode (Auto or On Demand).
Click Add → Save & Publish.
4. Configure Launcher Layout (Optional)
Go to Groups & Settings › Devices › Launcher › Layout.
Add Section if needed, then add the OLOID app to the canvas.
Position it for easy access and Save.
5. Enable App Data/Cache Clearing (Recommended)
In the same launcher profile, locate Enable App Data/Cache Clearing.
Set it to Enabled; this protects privacy by wiping data at logout.
6. Set Excluded Package Names
Still in launcher settings, open Excluded Package Names.
Add any packages that must bypass launcher restrictions, e.g.:
com.oloid.devicelocklight
Save.
7. Lock Task Mode Setup (Critical for Kiosk)
In the device profile, open Lock Task Mode.
Allowlisted Apps → add OLOID DeviceLockMFA.
(Optional) Add additional allowed apps.
Configure buttons and system UIs:
Setting | Suggested |
Home Button | Disabled |
Global Actions | Disabled |
Status‑bar system info | Hidden |
Lock Screen | Default (or customised) |
Save & Publish profile.
8. Device‑Side Permission Grant
After the profile pushes, instruct the user (or staging tech) to:
Launch OLOID DeviceLock MFA – the app runs in admin‑mode.
Grant the three Android permissions when prompted:
Device Admin
Display over other apps
Accessibility
The app supplies one‑tap links to each Settings page.
⚠️ All three permissions are mandatory; the app will loop on the setup screen until they are granted.
9. Updating the Application
Upload the new signed APK/IPA to the same Internal app entry (increment version).
Save & Publish to push to devices.
Previously granted permissions persist—no re‑grant required.
Instruct users to reboot once the update installs and re‑authenticate in Workspace ONE Launcher.
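A pre-upload check for the Android update step, added here as an example and not taken from OLOID's or Omnissa's documentation: it compares the signing certificate of the currently deployed APK with the new one, since an update signed with a different key is the cause the Troubleshooting table gives for post-update crashes. It assumes `apksigner` from the Android SDK build-tools is on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm an update APK carries the same signing certificate
# as the APK already deployed, before uploading it to the console.
# Assumes `apksigner` (Android SDK build-tools) is installed.

# Read `apksigner verify --print-certs` output on stdin and print the
# sorted, de-duplicated SHA-256 certificate digests in lower case.
cert_digests() {
    sed -n 's/^.*certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\).*$/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# Compare two saved apksigner outputs.
# Returns 0 if both list the same signer set, 1 on mismatch,
# 2 if either file contains no certificate digest at all.
same_signer() {
    old=$(cert_digests < "$1")
    new=$(cert_digests < "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        return 2
    fi
    [ "$old" = "$new" ]
}

# check_update OLD.apk NEW.apk: verify both packages and report the result.
check_update() {
    tmp=$(mktemp -d) || return 2
    # apksigner exits non-zero when a signature does not verify.
    if ! apksigner verify --print-certs "$1" > "$tmp/old.txt" ||
       ! apksigner verify --print-certs "$2" > "$tmp/new.txt"; then
        rm -rf "$tmp"
        echo "ERROR: signature verification failed"
        return 2
    fi
    rc=0
    same_signer "$tmp/old.txt" "$tmp/new.txt" || rc=$?
    rm -rf "$tmp"
    case $rc in
        0) echo "OK: signer certificate unchanged" ;;
        1) echo "MISMATCH: update is signed with a different certificate" ;;
        *) echo "ERROR: no signer certificate found" ;;
    esac
    return $rc
}

# Run only when called with two APK paths.
if [ "$#" -eq 2 ]; then
    check_update "$1" "$2"
fi
```

A MISMATCH result means the package should be re-signed with the original key before it is published, as the Troubleshooting table advises.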
Troubleshooting
Symptom | Likely Cause | Resolution |
“Untrusted App” error | SDK profile not assigned | Verify step 2 – assign SDK profile and republish |
App not visible in launcher | App not included in layout or wrong Smart Group | Confirm launcher layout; verify group assignment & push mode |
App frozen on permission screen | One or more permissions not granted | Open Android Settings and enable Device Admin, Overlay, Accessibility |
Lock Task Mode isn’t enforced | App not allow‑listed | Add package to Allowlisted Apps and republish profile |
Post‑update crash | APK signed with different key | Re‑sign with original key or reinstall clean; then reboot |
Pinned‑mode instead of full kiosk | Device boot inconsistency | Reboot and relaunch via Workspace ONE Launcher |
Misc. crashes / policy conflicts | Overlapping UEM policies | Review other device profiles; collect logs for OLOID Support |
Need Help?
If issues persist, collect device logs and screenshots, then contact OLOID Support at support@oloid.com or through your customer portal. Provide:
Workspace ONE console version
Device model & OS version
App version (Settings › About)
Steps to reproduce
With this information, our team can accelerate diagnosis and resolution.
Last updated: July 28 2025