How to -fully- blacklist a browser?

Solved
Theun
Mobicoach BV (MSP Account)

Hello everybody,

On various Samsung devices, we're having difficulties blacklisting the browser.

Various applications have url's included in their help section or 'About'-sections. When in Lockdown user mode, even when Application Run Control is active with "com.android.chrome" and "com.sec.android.app.sbrowser" and "%browser%" blacklisted, pressing one of those url's still results in the default browser opening the page. It doesn't seem to matter whether it's Chrome or the Samsung browser, the default browser still functions when blacklisted.

Any ideas on how to prevent this from happening?

We're using MobiControl v14.1.4.1693, device agent v13.5.0.1327 on:

Samsung Galaxy Tab Active2, SM-T395 with Android 7.1.1 and OEM NMF26X.T395XXU3ARF3
Samsung Galaxy XCover 4, SM-G390F with Android 7.0 and OEM NRD90M.G390FXXU2ARA4

Thank you in advance!

7 years ago
Android
ANSWERS
Anil
7 years ago

Dear,

The MobiControl Android Agent has put Chrome under the “Never Block List”. This is because Android WebView relies on Chrome, which is used for the Agent’s Lockdown Mode. Blocking Chrome would essentially be asking the Android OS to close the Android Agent, which can create undesirable behaviour.

Send Manual Blacklist script command to block Chrome. The Agent will blacklist Chrome via Activity Suppression Method since Chrome is on the “Never Block List”.  Whenever Chrome becomes the foreground activity, it will be suppressed and the device-user will not be able to interact with it. 

Script: manualblacklist add <Chrome Package>

Also, you can block the pages or options which offer to open another link by sending the command

identify_activity, and you can get the package name in the logs.

Solution
Raymond Chan Diamond Contributor
7 years ago (edited 7 years ago)

The answer is not straightforward.

Apart from the default browser app (e.g. Chrome) bundled in the firmware image of a device, different Android devices might include one or more additional Webview/Webkit html rendering engine(s) to serve other apps, and the bundle-ID or activity name can vary between device models and Android versions. So, unless you specify clearly the model and firmware version, and there is such a hardware-firmware combination to do some tests on, it is never 100% sure that one can find the correct name to add to the application-run-control blacklist.

Even worse, any app can include its own html renderer, such as WebKit or other open-source ones available on the internet. If you allow such an app to run on your device, and its "about" button or other UI element actually starts the embedded browser and has a loophole that allows browsing to any user-specified URL, there might then be a security concern. In such a case, your only options could be:

1. replace the app with another one with similar function(s), but without any html renderer embedded or

2. use MobiControl firewall or similar payload (if supported on your device) to restrict some or even totally disallow network traffic of the app

As you have not specified clearly your device models/firmware-versions, and your use-case is not well defined, it is probably not possible to recommend any solution at this stage.
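The two answers above boil down to one practical step: find every package on the device that can handle an http/https VIEW intent (the names vary per model and firmware), then put any that are not already on the Application Run Control blacklist into a `manualblacklist add <package>` script. The following is an added example, not code from either poster or from SOTI; it assumes the output of `adb shell cmd package query-activities --components -a android.intent.action.VIEW -d https://example.com` (one `package/activity` per line) has been captured from the device, and the sample output below is constructed, not taken from a real unit.

```python
import re
from typing import Iterable, List, Set

# Constructed sample of the query-activities output (illustrative only).
# com.example.vendorviewer is a hypothetical third handler, not a real package.
SAMPLE_QUERY_OUTPUT = """\
com.android.chrome/com.google.android.apps.chrome.Main
com.sec.android.app.sbrowser/.SBrowserMainActivity
com.example.vendorviewer/.ViewerActivity
com.android.chrome/com.google.android.apps.chrome.IntentDispatcher
"""

# Packages already blacklisted in the question's Application Run Control setup.
ALREADY_BLACKLISTED = {"com.android.chrome", "com.sec.android.app.sbrowser"}

# One component per line: <package>/<activity>; activity may start with '.'.
COMPONENT_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)/(\S+)\s*$")


def packages_handling_http(query_output: str) -> Set[str]:
    """Return the distinct package names able to open a web URL."""
    packages: Set[str] = set()
    for line in query_output.splitlines():
        match = COMPONENT_RE.match(line)
        if match:
            packages.add(match.group(1))
    return packages


def missing_from_blacklist(query_output: str, blacklisted: Iterable[str]) -> List[str]:
    """URL handlers found on the device that the current blacklist does not cover."""
    return sorted(packages_handling_http(query_output) - set(blacklisted))


def manual_blacklist_script(packages: Iterable[str]) -> str:
    """Build the MobiControl script lines using the syntax given in the thread."""
    return "\n".join(f"manualblacklist add {pkg}" for pkg in sorted(packages))


if __name__ == "__main__":
    handlers = packages_handling_http(SAMPLE_QUERY_OUTPUT)
    print("URL handlers on device:", sorted(handlers))
    print("Not yet blacklisted:", missing_from_blacklist(SAMPLE_QUERY_OUTPUT, ALREADY_BLACKLISTED))
    # Chrome is on the Never Block List, so it needs the manual blacklist as well.
    print(manual_blacklist_script(handlers))
```

Re-run the capture after every firmware update, since a new build can add or rename a handler.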

Theun
7 years ago (edited 7 years ago)

Thank you for your feedback. As stated in my initial post, we see this happening on:

Samsung Galaxy Tab Active2, SM-T395 with Android 7.1.1 and OEM NMF26X.T395XXU3ARF3
Samsung Galaxy XCover 4, SM-G390F with Android 7.0 and OEM NRD90M.G390FXXU2ARA4

Is there more information about the device model/firmware-versions you need?

Our use-case is that we supply and manage Android devices for transportation organizations. Their truck drivers are handed a device with an easy-to-use interface (MobiControl Lockdown), a fleet management app we develop ourselves, a navigation app and some small tools. They can make phone calls through our fleet management app, take photos with it, send documents to their offices with it, but they're restricted from most other functionality. As the devices are meant for work and work alone, most of our clients want the browser or Play store or YouTube unavailable to their drivers.

One of the applications we see this loophole happening on, is the default Clock (com.sec.android.app.clockpackage). We let the driver use the clock because they need the alarm clock, timer and stopwatch functionality and sometimes the world clock. In the world clock, a small weather widget is included. When pressed, it opens Google Chrome and shows a website with recent weather data. Although Google Chrome is blacklisted in MobiControl, the user is now free to browse the web.

Another one is the default PDF reader which is included by Samsung. When the driver gets a pdf file sent to him through our fleet management app, Android opens it. In the "About" section, various links are included and when pressed, again Google Chrome starts even though it is blacklisted.

And a third one is the navigation app itself, PTV Navigator. We use this because of its components for trucks (length, width, height, payload, etc.) but again there's a small URL available in its help section that leads to Google Chrome opening their website.

In these cases, it's not just the Webview that displays some information. Because it's the actual browser that starts, this has indeed become a security concern to us. Basically, it's the reason why we blacklisted the browsers in the first place. Replacing the apps might be a possibility, as is restricting the network traffic of a specific app, but it isn't a solution to the initial problem.

Raymond Chan Diamond Contributor
7 years ago (edited 7 years ago)

I can assure you that it is definitely possible to blacklist all browser loopholes if one has the right skill and knowledge, and also a test device to work on. My company has solved exactly the same problems as yours on various devices for many of our customers in Hong Kong. The process can take hours to complete and the required configurations are very specific to the device model and app versions on the device for each case. Unfortunately, we can't disclose details of the process on a public forum due to business reasons. I suggest you open an official support ticket with the Soti support team so that their experts can help you directly.

An alternative approach is to totally disable Chrome app by disabling it in app manager in Settings (or excluding it for managed device in Android Enterprise platform).  This of course assumes you also disallow access of Settings by device end-users under normal circumstances.  Also, for apps like clock and alarm, there are plenty of simple free alternatives that do not have the loopholes you mentioned, and you can push such app on your device and disable/remove the problematic ones.

Theun
7 years ago

Thank you, this explains a lot. The manual blacklist script works fine and is sufficient as a solution.