Sandbox

What is Sandbox?

Sandbox is a Web browser for mobile devices that restricts users to a predefined list of allowed websites (called a “whitelist”). Sandbox is a great solution for classrooms or kiosks where users should only be browsing specified sites. This may include a list of predefined news articles for students, or your company’s homepage for a kiosk in a visitors' center.

Features

Sandbox allows you to…

Configuring Sandbox

To configure an individual device, install Sandbox and then open the Settings application. Near the bottom of the first screen, you’ll find a section for Sandbox configuration options. Here are your options:

Setting Description
Start Page This is the home page -- the page that Sandbox loads when you tap the Home button. This is also the page that Sandbox loads when the app starts if Reset on Exit is enabled.
Domain Whitelist These are the domains that users are allowed to access; you may list up to 20 of them.
Bookmarks The bookmarks appear under the bookmarks menu in the application; these are automatically "whitelisted."
Message This is the title of the message that appears to the user when he/she attempts to visit a page that they do not have access to.
Idle Time This setting is especially useful if you're setting up a kiosk--it allows you to specify a period of time to wait before it automatically resets to the start page. So, for example, if no one has touched the screen in five minutes, return to the start page (you need to enable Reset on Idle too).
Reset on Idle When enabled and the Idle Time is specified, the app will return to Start Page.
Reset on Exit Sandbox returns to the Start Page whenever the app launches.
Edit URL Disable this option to prevent the user from manually entering a URL.
Status Bar Disable this option to hide the status bar (the bar with the clock and battery indicator).
Navigation Bar Disable this option to hide the address bar. On the iPad, this hides all of the buttons. On the phone, this only hides the refresh button.
Toolbar Disable this to hide the bar at the bottom of the screen on the phone. This doesn't affect anything on the tablet.
Disable Sleep Lock Enable this option to prevent the device from falling asleep while the app is open.
Kiosk Mode Enable this option to tell the app to ignore all touches from the user. The user will not be able select any links or scroll the page.
Data Detectors The app can automatically turn phone numbers, addresses, and calendar events to links. By default, these are all disabled.
Passcode Enable this option to set a passcode to prevent users from changing the settings without the passcode. Once enabled, open Sandbox to actually set the passcode.

Disabling Safari on iOS Devices

Once you've set up Sandbox, you may want to consider disabling Safari (the built-in browser) on the device and removing any other browser apps (like Chrome). This makes Sandbox the only browser on the device ensuring that the user is only able to access the websites that have been allowed.

To disable Safari:

  1. Open the Settings app and select the General section.
  2. Select Restrictions.
  3. Select Enable Restrictions and set a passcode.
  4. Disable Safari.

Safari's settings will be preserved, so you are free to enable it again later (you'll need to enter the passcode you set up in step 3, so don't forget it).

Be sure to enable the Passcode in Sandbox to protect the configuration you've set up from changing!

Disabling Web Browsers on Android Devices

Once you've set up Sandbox, you may want to consider disabling other web browsers on the device. This ensures that the user is only able to access the websites that have been allowed.

The following directions use the restricted profile feature available in Android 4.3 and later. If you do not have version 4.3 or later, try using the app Sure Lock to mimic this functionality.

To disable web browsers:

  1. Open the Settings app and Select the Users section.
  2. Touch add user or profile then select Restricted Profile.
  3. Using the ON/OFF toggles, select the Sandbox app.
  4. Make sure that no other web browsers are enabled on the restricted profile.

Be sure to set a password on the device's main profile to prevent individuals from tampering with the configured settings.

Be sure to enable the Passcode in Sandbox to protect the configuration you've set up from changing!

Preventing Sandbox from Closing on iOS

Once you've set up Sandbox, you may want to set up the device so that Sandbox is the only app that it will run. If you want to prevent users from closing Sandbox (or even turning off the device), enable Guided Access.

To enable Guided Access:

  1. Open the Settings app and select the General section.
  2. Select Accessibility.
  3. Scroll down and select Guided Access.
  4. Enable Guided Access.
  5. Return to Sandbox and triple-click the home button.
  6. Set a passcode (if you haven't already).
  7. Review which Guided Access options you want to enable; be sure to hit Start to enable Guided Access mode.

Attempting to close Sandbox while Guided Access is enabled will trigger a message to appear at the top of the screen notifying about Guided Access. To disable Guided Access, triple-click the home button and enter the passcode you set up in step 6 above.

Consider disabling the Navigation Bar, Toolbar, and Status Bar settings in Sandbox so that the browser appears full screen. You can even enable Kiosk Mode to ignore touches on the screen.

Preventing Sandbox from Closing on Android

Once you've set up Sandbox, you may want to set up the device so that Sandbox is the only app that it will run. This can be done by using a Restricted Profile as explained in the "Disabling Web Browsers on Android Devices" section.

If you want to prevent users from closing Sandbox (or even turning off the device) install the app Sure Lock.

Consider disabling the Navigation Bar and Status Bar settings in Sandbox so that the browser appears full screen.

Configuring Sandbox on Multiple Devices (iOS only)

Once you've got Sandbox set up on one device, you can "clone" that device so that multiple devices follow the exact same configuration.

Be sure to set up a Passcode before cloning to protect the configuration on all devices.

To clone the first device, we'll create a back up of the device and restore it to multiple devices. Although you can do this using iTunes, the process is a little easier using Apple Configurator. To clone the device using Apple Configurator:

  1. Connect your device to your computer and launch Apple Configurator.
  2. Under the Devices menu, select Back Up....
  3. Select your connected device and choose a location to save the back up.
  4. Once the back up has been completed, disconnect your device and reconnect one (or multiple) iPads on which to restore the back up.
  5. From the Prepare screen, configure the restore (e.g. device name) how you want and select the back up you just created in the Restore menu.
  6. Click Prepare at the bottom of the window.
  7. Once it is complete, you may connect more devices or click Stop.

Apple Configurator will erase the connected devices and restore the back up to them and Sandbox will be configured across all of your devices.

If you only want to configure Sandbox without backing up and erasing the whole device, you can create a configuration file. See the Advanced Configuration section.

Advanced Configuration for iOS Devices

Sandbox enables users to configure the application using a Sandbox configuration plist file. This functionality is particularly useful to administrators who wish to configure Sandbox on multiple devices, relieving them from having to manually configure each device individually. To configure Sandbox with a configuration plist file, it is necessary to construct a Sandbox configuration property list file (also known as a plist file). Property list files have the file extension ‘.plist’. A template configuration plist file is available at http://sandbox.floatlearning.com/exampleConfig.plist.

Once a configuration plist has been created, administrators may now easily load the profile onto many devices. Sandbox accommodates this through the use of a custom URL schema. Using Mobile Safari (or a link in an email, a webclip, etc.), navigate to floatsandbox://configuration/example.com/configuration.plist.
For example, floatsandbox://configuration/sandbox.floatlearning.com/exampleConfig.plist.

For your convenience, here are some sample Configuration files to get you started on setting up Sandbox:

A Sandbox configuration plist is an XML file that conforms to Apple’s Property List document type. The configuration plist must be valid XML, meaning it must begin with an XML-type declaration followed by a DOCTYPE declaration. Both of these lines may be copied from the profile template available on Float’s website.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
      ... your settings parameters
    </dict>
</plist>
    

The configuration plist itself is a collection of key-value pairs, each corresponding to a particular settings field within the application:

<key>key name</key>
<string>string value</string>
<key>key name</key>
<integer>integer value</integer>
<key>key name</key>
<true />

Configuration Options

User Interface options

Sandbox allows administrators to customize the user interface via manual or profile configurations:

iOS Status Bar

This settings allows hiding of iOS’s default status bar. Set this value to true to show the status bar. Set it to false to hide the status bar. Its default value is true.

key:            statusBarKey 
type:           boolean
default:        <false/>

Set this value to <true/> to disable the status bar.

Note: The status bar is an iOS default interface element. It is the upper-most interface element. This setting affects both iPhone and iPad versions of Sandbox.

Navigation Bar

This settings allows the hiding of Sandbox’s navigation bar. Set this value to true to show the navigation bar. Set it to false to hide the navigation bar. Its default value is true.

key:            navBarKey 
type:           boolean
default:        <false/>

Set this value to <true/> to disable the navigation bar.

Note: The navigation bar is the bar that appears at the top of the Sandbox interface. This setting affects both iPhone and iPad versions of Sandbox.

Toolbar

This settings allows the hiding of Sandbox’s toolbar. Set this value to true to show the toolbar. Set it to false to hide the toolbar. Its default value is true.

key:            toolBarKey 
type:           boolean
default:        <false/>

Set this value to <true/> to disable the toolbar.

Note: The toolbar is only used in the iPhone version of Sandbox. It is the interface at the bottom of the screen. The value of this setting will not affect the interface of Sandbox running on an iPad.

Customizing the “Restricted” message

When a user attempts to visit a website blocked by Sandbox, the user is presented with the “restricted message.” This is the message that alerts the user that they are not being granted access to the URL they’re trying to access.

key:            restrictedMessageKey 
type:           string
default:        "Invalid permissions."

Configuring the Home Page

When the application launches, Sandbox will display the URL set in the start page setting. This is the first page users will see when interacting with a configured version of Sandbox.

key:            startPageKey
type:           string
default:        (blank)

Configuring the Idle Timer

Sandbox has the ability to keep the device awake at all times. If the idle timer is enabled, the application will return to its home page when the time has elapsed.

key:            idleRestartKey
type:           boolean
default:        <false/>

Set this to <true/> if you want to enable Sandbox’s idle timer.

key:            idleTimeKey
type:           integer
default:        1

Set this value to the number of minutes Sandbox should wait before returning to its home page.

Configuring the Application’s Lifecycle

Sandbox has the ability to either retain its most recent state, or return to its home page if the application is exited and then resumed.

key:            exitRestartKey
type:           boolean
default:        <false/>

Set this value to <true/> if you want Sandbox to return to its home page if the application is interrupted and then returns to an active state.

Configuring Whitelist and Bookmarks

Sandbox is governed by a “whitelist.” Only web resources validated against the whitelist will be displayed within the application. The whitelist is a list of approved domains under which content may be viewed. For example, if floatlearning.com is added to the whitelist, all content under floatlearning.com and its subdomains will be approved and loaded by Sandbox. Because the whitelist is a list, its data type is slightly more complex than those previously listed.

<array>
  <string>floatlearning.com</string>
  <string>cnn.com</string>
</array>

Whitelist

The whitelist is an array of strings representing the hostnames of sites that the user may access.

key:            whitelistKey
type            array
default:        (blank)

Enter all domains accessible to the user.

Note: This list can vary from one item to many items depending on the specific scenario in which Sandbox is implemented.

Bookmarks

Sandbox also allows administrators to set bookmarks inside the application. If there are any bookmarks entered in the bookmarks list, the user can access the items by simply tapping the “bookmarks” button in Sandbox’s toolbar. If a site is bookmarked, it is automatically whitelisted. Users can always access bookmarked URLs. The bookmark setting is also of type array and should follow the same pattern as configurations of the whitelist key.

key:            bookmarksKey
type:           array
default:        none

Enter all domains accessible to the user from Sandbox’s bookmarks button.

Note: The option to display the bookmarks list will be disabled if no bookmarks are included in this configuration.

Locking the Configuration with a Passcode

After configuring Sandbox with a configuration plist, administrators will be presented the opportunity to lock any further changes to the application’s settings by means of a passcode.

If Sandbox successfully configures itself from a configuration plist, the administrator will be asked if they wish to set a four-digit passcode. If they answer yes, the application will securely store this passcode.

If any attempts to change Sandbox’s settings are made while protected by a passcode, the user will be alerted that their actions will not be saved unless they enter the correct passcode. Upon entering the correct passcode, any changes made will be saved to the application’s settings.

If an administrator attempts to configure Sandbox using a configuration plist after a passcode has been set, they will be presented with an opportunity to enter the security passcode. If the passcode entered is correct, Sandbox will configure itself with the new profile. If the password is incorrect, no changes will be made to Sandbox’s settings.

If an administrator forgets the passcode, Sandbox will be permanently locked. It will be necessary to delete Sandbox from the device and then reconfigure the application.

Special Characters in Configuration Files

There are a handful of special characters that need to be escaped before using in a Property List file. If you want to use any of these characeters, replace them with the "escaped character":

Character Escaped Character
& (ampersand)&amp;
< (less than)&lt;
> (greater than)&gt;
" (quotation mark)&quot;

For example, if you wanted to create a bookmark named Help & Information, you would enter Help &amp; Information.

Sample Configuration File

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>startPageKey</key>
  <string>ionagroup.com</string>
  <key>statusBarKey</key>
  <false/>
  <key>navBarKey</key>
  <false/>
  <key>toolBarKey</key>
  <false/>
  <key>restrictedMessageKey</key>
  <string>This is the restricted message.</string>
  <key>idleTimeKey</key>
  <integer>0</integer>
  <key>idleRestartKey</key>
  <false/>
  <key>exitRestartKey</key>
  <false/>
  <key>whitelistKey</key>
  <array>
  <string>floatlearning.com</string>
  </array>
  <key>bookmarksKey</key>
  <array>
  <string>google.com</string>
  </array>
</dict>
</plist>
Download this sample configuration plist.