Mobile Secure Cloud Edition
Document Version: 2.0 - 2014-07-07
Table of Contents
1 Important Disclaimers on Legal Aspects
2 Introduction
3 Application Catalog
3.1 Application Catalog Icons
3.2 Adding Applications
3.3 Uploading Signed Applications
3.4 Deleting Applications
4 Mobile Application Protection
4.1 Protecting Applications
4.2 Protecting Applications with Policy Templates
4.3 Policy Settings
4.3.1 Templates Settings
4.3.2 Access Settings
4.3.3 Invalid Login Handling Settings
4.3.4 EULA Settings
4.3.5 Location Settings
4.3.6 Firewall Settings
4.3.7 Miscellaneous Settings
4.3.8 Secure Browser Settings
5 Publishing Applications
5.1 Publishing Applications to Android Devices
5.2 Publishing Applications to iOS Devices
1 Important Disclaimers on Legal Aspects
This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, however, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http://help.sap.com/disclaimer
Mobile Application Management
2 Introduction
SAP Mobile Secure cloud edition provides an interface that allows you to easily upload, protect, and deploy applications to managed devices.
Wrapping applications in a security policy allows you to implement application security without accessing the application source code. Security policies can help control how applications access enterprise networks, determine how devices handle confidential data, and restrict the locations in which users can use applications. Security policies can also determine how devices respond to unsuccessful attempts to access protected applications.
You can save security policies as templates, enabling the rapid deployment of enterprise applications to devices.
3 Application Catalog
The application catalog in the SAP Mobile Secure cloud edition contains the applications that are available to device users.
The application catalog is found on the App Protection tab. Administrators can add, manage, and deploy applications in the application catalog.
3.1 Application Catalog Icons
The application catalog uses icons to illustrate the key characteristics of applications.
Icon Description
● Application runs on Android devices
● Application runs on iOS devices
● Application is not wrapped
● Application is wrapped
● Application is wrapped with a federated template
● Application is a secure browser
● Application is wrapped with a template that has been updated and applied to another application
● Application is published
● Application needs to be republished
● Multiple versions of the application are in the Application Catalog
3.2 Adding Applications
You can upload a new application or a new version of an existing application to the Application Catalog.
Procedure
1. On the App Protection tab, click Upload New Application.
2. Click Browse.
3. Navigate to the IPA or APK file and click Open.
4. Click Upload.
3.3 Uploading Signed Applications
After you wrap an iOS application, you can download the application, sign the application, and then add it to the application catalog.
Procedure
1. On the App Protection tab, click the application.
2. Click Download to save the application to your computer.
3. Sign the application.
4. Click Upload Signed App to add the signed application to the application catalog.
3.4 Deleting Applications
You can remove applications from the application catalog. You cannot delete built-in applications.
Procedure
1. On the App Protection tab, click the application.
2. Click Delete.
3. To confirm the deletion, click OK.
4 Mobile Application Protection
Mocana Mobile Application Protection wraps applications, after development, with security and usage policies to protect corporate data, limit usage, and control access.
Mobile Application Protection divides policies into specific functional areas. Administrators can combine multiple functional areas into individual policies.
When mobile device users install a wrapped application over an unwrapped application, they might need to uninstall the original, unwrapped application. Uninstalling an application might delete application data from devices. To let users keep a wrapped and an unwrapped version of an Android application on their devices, you must change the application’s package name before wrapping. See developer.android.com for more information about Android package names.
The Download button is available when an administrator wraps an application. The Reset Passphrase button is available when an administrator enables the Application Lockout feature at any point during an application life cycle. For example, if a subsequent version of an application is wrapped, but the Application Lockout policy has been changed to disabled, the Reset Passphrase button remains enabled, to support users who have a previous version installed.
Administrators cannot upload iTunes apps to the MAP server. For iOS, MAP works with applications for distribution within an organization; that is, those written in-house or specifically for the organization.
4.1 Protecting Applications
You can create custom policy settings to protect applications.
Procedure
1. On the App Protection tab, click an application.
2. On the Template page, specify policy information.
3. On the Access page, specify the application security information.
4. On the Invalid Login Handling page, specify how the application responds when users enter incorrect credentials.
5. On the EULA page, specify the agreement that users must accept to use the application.
6. On the Location page, specify location-based restrictions for the application.
7. On the Firewall page, specify the firewall settings for the application.
8. On the Miscellaneous page, specify settings for application expiry, email enforcement, and additional security.
9. On the Secure Browser page, specify the settings for secure-browsing applications.
10. Click Apply Policy.
4.2 Protecting Applications with Policy Templates
You can use the policy settings from an existing template to protect applications. The latest version of the template is used, even if a previous version of the application uses a different version of the template.
Procedure
1. On the App Protection tab, click an application.
2. Click Load Template.
3. Click the template.
4. Click Apply Policy.
4.3 Policy Settings
Security policies include settings that you can configure to regulate the use of applications.
4.3.1 Templates Settings
The Template settings allow you to save policy settings and apply them to multiple applications.
Setting Description
Template name
  ● Maximum length of 64 characters
Template version
  ● Number of revisions made to the template
Template description
  ● Description of the template
Overlay icon
  ● Icon that appears with the application icon when the template wraps the application
  ● A padlock icon is the default icon
  ● Supports PNG files
Application federation
  ● Collection of trusted applications that can share data and policy settings
  ● To add an application to an application federation, wrap the application with a federated template
4.3.2 Access Settings
The Access settings allow you to configure how applications authenticate users.
Setting Description
Per application VPN
  ● Application establishes a VPN connection
  ● Only applications wrapped with the template have access to the VPN connection
  ● Devices can prompt users for a VPN password or a certificate passphrase
Passphrase
  ● Application requires that users enter a passphrase before the application opens
4.3.2.1 Per Application VPN
The Per Application VPN settings allow you to configure authentication using VPN credentials and the connection that applications make to VPN servers.
Applications can establish a VPN connection for HTTP and HTTPS traffic. Applications check the VPN credentials of users before opening and connecting to the VPN server. If the user name or password changes on the VPN server, users must use the original credentials to open the application, then update the credentials on the VPN Settings page before connecting.
For Android devices, if a user switches applications, the device keeps the VPN connection open while the application that initiated the VPN connection is running in the background.
For iOS devices, if a user switches applications, the device closes the VPN connection and suspends the application that initiated the VPN connection. If the user returns to the application before the VPN expiration timeout elapses, the application reconnects to the VPN server automatically. Users can open the application even if it cannot connect to the VPN server, provided the application has connected to the VPN server at least once before, but the application then blocks traffic that would go over the VPN connection.
The Per Application VPN policy cannot be used with the Require Passphrase policy.
Setting Description
Allow override
  ● Whether users can select a VPN server that is different from the VPN server defined in the policy
Server label
  ● Name of the VPN server
Server address
  ● IP address of the VPN server
Add Another Server
  ● Click to add another VPN server
Suite B
  ● Whether the application supports Suite B encryption and what level of encryption the application supports
  ● Allow Override allows users to prevent the use of Suite B encryption
Authentication method
  ● The authentication method that the VPN server uses:
    ○ Pre-shared key
    ○ Digital certificate (see the Digital Certificate Settings topic for more information)
Application login
  ● Whether users must authenticate to use the application
  ● The credentials required for authentication
IKE identity type
  ● The type of identifier for the Internet Key Exchange
IKE identity value
  ● The identifier value for the Internet Key Exchange
IKE version
  ● The version of the Internet Key Exchange
IKE phase 1
  ● The mode of the Internet Key Exchange phase 1
  ● Main mode protects the identities of the VPN server and the VPN client
  ● Aggressive mode does not protect the identities of the VPN server and VPN client
DH group
  ● The Diffie-Hellman group
  ● Determines the strength of the key
Perfect forward secrecy (PFS)
  ● Whether the VPN server uses perfect forward secrecy to protect session keys
  ● Allow override allows users to prevent the use of perfect forward secrecy
VPN expiration timeout
  ● The length of time for which the VPN connection remains inactive before prompting users for authentication
  ● On Android devices, the VPN connection remains open until the timeout elapses
  ● On iOS devices, the VPN connection closes but reconnects automatically until the timeout elapses
4.3.2.1.1 Digital Certificate Settings
Setting Description
Server's CA certificate
  ● The certificate for the certificate authority
OCSP server URL Internet
  ● The Internet URL to the Online Certificate Status Protocol (OCSP) server that determines the status of the certificate
OCSP server URL Intranet
  ● The intranet URL to the Online Certificate Status Protocol (OCSP) server that determines the status of the certificate
Check VPN gateway hostname and IP address
  ● Whether the VPN gateway host name and IP address are checked against the certificate
Wipe app data if user's certificate is revoked on OCSP server
  ● Whether the application wipes user data if the certificate has a revoked status
Extended user authentication
  ● Whether devices prompt users for user names and passphrases before connecting to the VPN server
Simple Certificate Enrollment Protocol (SCEP)
  ● Whether devices submit SCEP requests for certificates to use with the VPN server
SCEP Base DN
  ● The distinguished name of the SCEP server
SCEP Subject Common Name Identity Type
  ● The type of information that the certificate uses as a common name
SCEP CA certificate
  ● Browse to and select the CA certificate for the SCEP server
  ● PEM format is recommended
SCEP RA certificate
  ● Browse to and select the RA certificate for the SCEP server
  ● Only required if you use a Registration Authority
SCEP URL
  ● The URL of the SCEP server
SCEP Key type
  ● The RSA key type that the SCEP server uses for encryption
SCEP client certificate expiration warning
  ● The number of days before expiry that devices prompt users to renew certificates
4.3.2.2 Passphrase Settings
The Passphrase settings allow you to configure authentication using a passphrase.
Applications do not start until users enter the correct passphrase. If the application belongs to an application federation, the passphrase unlocks the other applications in the application federation.
If the application restarts, or is inactive in the background until the passphrase expiration timeout elapses, users must enter the passphrase again.
The Passphrase policy cannot be used with the Per Application VPN policy.
Setting Description
Minimum password length
  ● The minimum number of characters required for a user passphrase
Passphrase expiration timeout
  ● The length of time, in minutes, that the application can stay inactive in the background before the policy prompts again for the passphrase
Passphrase must contain at least one of each character type
  ● The criteria that passphrases must match to be valid
Passphrase history
  ● Whether users are allowed to reuse passphrases
Maximum age rule
  ● How often users must change their passphrases
Start reminding user to change his/her passphrase
  ● When devices remind users to change their passphrases
4.3.3 Invalid Login Handling Settings
The invalid login handling settings allow you to configure how applications respond when users fail authentication. The Invalid Login Handling policy requires the Per Application VPN or Passphrase policy.
Setting Description
Invalid login handling
  ● Whether to activate invalid login handling
Failed login attempts
  ● The number of invalid login attempts before the invalid login handling feature is triggered
Lock user out of the app
  ● Whether the application locks after invalid login attempts
  ● Users cannot access a locked application until a helpdesk representative generates an unlock key for the application and sends it to the device
Wipe app data
  ● Whether the device performs a selective wipe after invalid login attempts
  ● With a selective wipe, you can delete MAP-protected data without physical access to devices
  ● Wiping data is permanent; you cannot undo a wipe or restore data lost in a wipe
Lockout message
  ● The message that appears on devices that lock after invalid login attempts
Helpdesk phone number
  ● The phone number that appears on devices that lock after invalid login attempts
Helpdesk email address
  ● The email address to which devices send lockout recovery requests when devices lock after invalid login attempts
Subject line
  ● The subject line of the lockout recovery email message that devices send to the helpdesk email address when devices lock after invalid login attempts
Email body text
  ● The body text of the lockout recovery email message that devices send to the helpdesk email address when devices lock after invalid login attempts
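The Passphrase settings (4.3.2.2) and the Invalid Login Handling settings (4.3.3) are checks a wrapped application evaluates at login. The Python below is an added example, not SAP or Mocana code, that models those checks against constructed policy values; the policy key names, the 'ok'/'retry'/'locked'/'wiped' outcomes and the ISO date inputs are assumptions, and the helpdesk unlock key itself is not modelled.

```python
import re
from datetime import date, timedelta

# Constructed policy values; the keys mirror the setting names in the tables
# above but are assumptions, not the product's configuration format.
PASSPHRASE_POLICY = {
    "min_length": 8,
    "one_of_each_char_type": True,   # upper, lower, digit, symbol
    "history_size": 3,               # previous passphrases that may not be reused
    "max_age_days": 90,
    "remind_days_before_expiry": 7,
}

LOCKOUT_POLICY = {
    "invalid_login_handling": True,
    "failed_login_attempts": 5,
    "lock_user_out": True,
    "wipe_app_data": False,
}

CHAR_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def passphrase_violations(candidate, history, policy=PASSPHRASE_POLICY):
    """Return the rules a new passphrase breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")
    if policy["one_of_each_char_type"]:
        for name, pattern in CHAR_CLASSES.items():
            if not pattern.search(candidate):
                problems.append(f"missing {name}")
    n = policy["history_size"]
    recent = history[-n:] if n > 0 else []   # history[-0:] would be the whole list
    if candidate in recent:
        problems.append("reused from history")
    return problems


def passphrase_age_status(changed_on, today, policy=PASSPHRASE_POLICY):
    """Maximum age rule on ISO dates (YYYY-MM-DD): 'ok', 'remind' or 'expired'."""
    expires_on = date.fromisoformat(changed_on) + timedelta(days=policy["max_age_days"])
    now = date.fromisoformat(today)
    if now >= expires_on:
        return "expired"
    if now >= expires_on - timedelta(days=policy["remind_days_before_expiry"]):
        return "remind"
    return "ok"


class LoginGuard:
    """Counts consecutive failed logins and applies the lockout / wipe response."""

    def __init__(self, policy=LOCKOUT_POLICY):
        self.policy = policy
        self.failures = 0
        self.locked = False
        self.wiped = False

    def record_attempt(self, success):
        """Feed one login result; returns 'ok', 'retry', 'locked', 'wiped' or 'locked,wiped'."""
        if self.locked:
            return "locked"              # stays locked until a helpdesk unlock key arrives
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if (not self.policy["invalid_login_handling"]
                or self.failures < self.policy["failed_login_attempts"]):
            return "retry"
        actions = []
        if self.policy["lock_user_out"]:
            self.locked = True
            actions.append("locked")
        if self.policy["wipe_app_data"]:
            self.wiped = True            # selective wipe of MAP-protected data; not undoable
            actions.append("wiped")
        return ",".join(actions) or "retry"


if __name__ == "__main__":
    print(passphrase_violations("Correct-Horse9", []))                 # []
    print(passphrase_age_status("2014-01-01", "2014-03-30"))           # remind
    guard = LoginGuard()
    print([guard.record_attempt(False) for _ in range(5)])             # 4 x 'retry', then 'locked'
```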
4.3.4 EULA Settings
The end user license agreement (EULA) settings let you configure the agreement that users must accept before using the application.
The EULA policy requires the Per Application VPN or Passphrase policy.
Setting Description
User agreement
  ● Whether devices display the user agreement when users start the application for the first time
Frequency
  ● How often devices display the user agreement after users initially accept it
User agreement title
  ● The title of the user agreement
User agreement text
  ● Browse to and select the TXT file that contains the text of the user agreement
  ● Users must read, scroll to the bottom of, and accept the user agreement before they can use the application
Preview
  ● A preview of the user agreement
4.3.5 Location Settings
The location settings allow you to limit application use to specific regions and to mask the location data that devices report to applications.
Setting Description
Geo-fencing
  ● Whether the use of the application is restricted to a specific area
  ● The application does not start if the device is outside of the area
  ● The application will stop working temporarily if the device moves outside of the area, but will resume if the device moves back into the area
  ● You can enter coordinates or use a map to define the location data
Top left coordinate
  ● The coordinate that defines the top-left corner of the area
Bottom right coordinate
  ● The coordinate that defines the bottom-right corner of the area
Location accuracy
  ● The location accuracy that the application requires to apply the geo-fencing restrictions
  ● Location data includes accuracy values
  ● The accuracy value and the location data define circles (with the accuracy value as the radius) that represent users' locations
  ● If the location circle overlaps the defined region, the geo-fencing policy applies
  ● Accuracy values:
    ○ Fine: 10 meters
    ○ High: 100 meters
    ○ Medium: 1000 meters
    ○ Low: 3000 meters
Location masking
  ● Whether devices mask location data when reporting it to the application
Obfuscation mode
  ● How devices mask location data
  ● Random location reports random location data
  ● Fixed point reports specific location data
Fixed point location
  ● The specific location that devices report when using fixed point as the obfuscation mode
  ● You can enter coordinates or use a map to define the location data
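As an added example (not code from the page or from SAP or Mocana), the following Python carries out the geo-fencing overlap test described in the Location settings with the four accuracy radii, plus the fixed point and random location masking modes. It assumes the area is a latitude/longitude rectangle that does not cross the antimeridian, reads "the geo-fencing policy applies" as the device being treated as inside the area, and uses constructed policy key names and coordinates.

```python
import math
import random

# Accuracy levels from the Location Settings table, expressed as the radius
# (in meters) of the circle that represents the user's location.
ACCURACY_RADIUS_M = {"fine": 10, "high": 100, "medium": 1000, "low": 3000}
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def nearest_point_in_area(lat, lon, top_left, bottom_right):
    """Nearest point of the rectangle (top-left, bottom-right corners) to a fix.

    Assumption: the area is small and does not cross the antimeridian, so
    clamping latitude and longitude independently is accurate enough.
    """
    top_lat, left_lon = top_left
    bottom_lat, right_lon = bottom_right
    return (min(max(lat, bottom_lat), top_lat), min(max(lon, left_lon), right_lon))


def location_circle_overlaps_area(lat, lon, accuracy, top_left, bottom_right):
    """True when the circle around the fix (radius = accuracy value) touches the area."""
    radius = ACCURACY_RADIUS_M[accuracy]
    near_lat, near_lon = nearest_point_in_area(lat, lon, top_left, bottom_right)
    return haversine_m(lat, lon, near_lat, near_lon) <= radius


def geofence_allows(policy, lat, lon, accuracy):
    """Geo-fencing decision: the app may run only while its location circle overlaps the area."""
    if not policy.get("geo_fencing"):
        return True
    return location_circle_overlaps_area(
        lat, lon, accuracy, policy["top_left"], policy["bottom_right"]
    )


def reported_location(policy, true_lat, true_lon, rng=None):
    """Location the device hands to the app under the Location masking setting."""
    if not policy.get("location_masking"):
        return (true_lat, true_lon)
    mode = policy["obfuscation_mode"]
    if mode == "fixed point":
        return tuple(policy["fixed_point_location"])
    if mode == "random":
        rng = rng if rng is not None else random.Random()
        return (rng.uniform(-90.0, 90.0), rng.uniform(-180.0, 180.0))
    raise ValueError(f"unknown obfuscation mode: {mode!r}")


# Constructed sample policy (values are made up, not taken from the page).
SAMPLE_POLICY = {
    "geo_fencing": True,
    "top_left": (52.530, 13.380),      # (latitude, longitude) of the top-left corner
    "bottom_right": (52.500, 13.420),  # (latitude, longitude) of the bottom-right corner
    "location_masking": True,
    "obfuscation_mode": "fixed point",
    "fixed_point_location": (52.515, 13.400),
}

if __name__ == "__main__":
    # A fix about 55 m north of the top edge: rejected at Fine (10 m), accepted at High (100 m).
    print(geofence_allows(SAMPLE_POLICY, 52.5305, 13.400, "fine"))   # False
    print(geofence_allows(SAMPLE_POLICY, 52.5305, 13.400, "high"))   # True
    print(reported_location(SAMPLE_POLICY, 48.0, 11.0))              # (52.515, 13.4)
```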
4.3.6 Firewall Settings
The firewall settings allow you to block several types of potentially insecure network traffic to the application.
Setting Description
Smart firewall
  ● Whether the smart firewall is active
Block all non-DNS UDP traffic
  ● Whether the application blocks all non-DNS UDP traffic
  ● Can help prevent a covert channel from transmitting data from the application
Block all non-SSL TCP traffic
  ● Whether the application blocks all non-SSL TCP traffic
  ● Can help prevent the application from transmitting data using non-secure protocols
Only trust the following SSL certificates
  ● Whether the application trusts the listed SSL certificates only
Certificate files
  ● Trusted SSL certificates
4.3.7 Miscellaneous Settings
The miscellaneous settings allow you to configure security settings for the application.
Setting Description
App expiration
  ● Whether to restrict the availability of the application by date
  ● Requires the Per Application VPN or Require Passphrase policy
Start date
  ● The date on which the application becomes available
End date
  ● The date on which the application stops being available
Copy-paste protection
  ● Whether users can copy data from the application and paste the data into other applications
  ● iOS devices
    ○ Devices maintain a separate clipboard for the application
    ○ Users cannot copy data from this clipboard and paste it into other applications
    ○ Users cannot copy data from the system clipboard and paste it into the application
  ● Android devices
    ○ Devices encrypt data from the application on the clipboard
    ○ If users copy data from the protected application to another application, the data remains encrypted and unusable
    ○ If the protected application closes, the data on the clipboard remains encrypted
FIPS 140-2 module
  ● Whether the application uses the FIPS 140-2 cryptographic module to validate cryptographic algorithms
  ● The FIPS 140-2 cryptographic module performs a self check when the application starts
    ○ The self check might cause a delay when the application starts
    ○ If the self check fails, the application will not start
  ● To apply the FIPS 140-2 module, you must enable one of the following policies:
    ○ Per-Application VPN
    ○ Passphrase
    ○ Copy-Paste Protection
Jailbreak/rooting detection
  ● Whether the application can start if the device is jailbroken or rooted
Encrypted data at rest
  ● Whether the application encrypts data before saving it to the device
  ● Requires the Per Application VPN or Require Passphrase policy
  ● Encrypted data is lost if users uninstall the application or install an unprotected version of the application
Email enforcement
  ● Whether to restrict the email functionality of the application
Email enforcement response
  ● How the application restricts email functionality:
    ○ Allow the use of secure email applications only
    ○ Allow the use of all email applications, but warn users first
    ○ Block email messages
Warning statement
  ● The text that the application uses as a warning message for email enforcement
4.3.8 Secure Browser Settings
The secure browser settings allow you to configure the Mocana secure browser.
The secure browser is an application that establishes a VPN connection using SSL to browse Web sites that you allow.
Setting Description
Browser title
  ● The name of the secure browser in the Launcher view on devices
Theme color
  ● The color of the toolbars in the secure browser
Allow invalid certificates
  ● Whether the secure browser accepts self-signed certificates
Show navigation bar
  ● Whether the secure browser displays the navigation bar that includes the URL and search
Allow search
  ● Whether the search function is available in the navigation bar
Allow URL entry
  ● Whether users can edit the URL in the navigation bar
Show toolbar
  ● Whether the secure browser displays the toolbar
Allow history
  ● Whether users can view the secure browser history and navigate to previously visited pages
Allow bookmark
  ● Whether users can create and use bookmarks
  ● On iOS devices, users can create bookmarks that appear in Safari and the Launcher view on devices
Allow email
  ● Whether users can share Web sites using email
Allow printing
  ● Whether users can print the contents of Web sites
Default sites
  ● Web sites that devices include as bookmarks automatically
5 Publishing Applications
After an application is wrapped, it must be deployed to mobile devices for the policies to take effect.
You can publish applications in a number of ways, including through third-party MDM and enterprise app store vendors. For customers who leverage SAP Mobile Secure cloud edition, there is built-in integration for application distribution. Once an application is wrapped, administrators can follow a simple workflow to queue the application for distribution to the desired client groups.
Wrapping is not a prerequisite for using the integrated deployment mechanism. For Android applications, once they are loaded into the catalog, they can be deployed. For iOS devices, the application must be wrapped with either a personal or an enterprise distribution certificate when uploaded before administrators can deploy it. Optionally, administrators can add an application to a category to make the application available to devices in the SAP Afaria client.
5.1 Publishing Applications to Android Devices
You can publish a wrapped application to Android devices.
Procedure
1. On the App Protection tab, click the application.
2. Click Publish.
3. On the Application Information page, perform the following tasks:
   a) In the Display name field, type a name for the application that appears on devices.
   b) In the Description field, type a description for the application that appears in the application catalog on devices.
   c) Select whether the application is required.
      For some Android devices, the application installs automatically.
   d) Click Next.
4. On the Distribution Groups page, select the group that can access the application.
5. Click Next.
6. On the Application Configuration page, define the information that SAP Mobile Secure cloud edition passes to the application.
   Developers can compile libraries into applications that allow the applications to communicate with SAP Mobile Secure cloud edition using the SAP Afaria client.
7. Click Next.
8. To publish a required application immediately, select Distribute the application immediately to the device where supported.
9. Review the deployment settings and click Finish.
5.2 Publishing Applications to iOS Devices
You can publish a wrapped application to iOS devices.
Procedure
1. On the App Protection page, click the application.
2. Click Publish.
3. Click Next.
4. On the Sign Application - Specify Signing Information page, specify the information that you use to sign applications.
5. Click Sign.
6. On the Application Information page, perform the following tasks:
   a) In the Display name field, type a name for the application that appears on devices.
   b) In the Description field, type a description for the application that appears in the application catalog on devices.
   c) Select whether the application is a featured application.
      Featured applications appear on the home page of the SAP Afaria client.
   d) Select whether the application is required.
      If the application is managed, devices prompt users to install the application when policies are applied to the device. If the application is not managed, devices prompt users to install the application when the SAP Afaria client starts.
7. On the Distribution Groups page, select the group that can access the application.
8. Click Next.
9. On the Application Configuration page, define the information that SAP Mobile Secure cloud edition passes to the application.
   Developers can compile libraries into applications that allow the applications to communicate with SAP Mobile Secure cloud edition using the SAP Afaria client.
10. To publish a required application immediately, select Distribute the application immediately to the device where supported.
11. Review the deployment settings and click Finish.
www.sap.com/contactsap
© 2014 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.