Legal Notice
Copyright © 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our website at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
contact the support agreement administration team for your region as follows:
[email protected] Asia-Pacific and Japan
[email protected] Europe, Middle-East, and Africa
[email protected] North America and Latin America
Technical Support ... 4
Chapter 1 Deploying and setting up Symantec App Center ... 11
Deploying and setting up Symantec App Center ... 11
Choosing your deployment model: SaaS or on-premise ... 12
Getting started with the public cloud/SaaS option ... 13
Setting up Symantec App Center ... 14
Licensing App Center ... 15
Managing the iOS certificates used by Symantec App Center ... 18
Configuring the Symantec App Center for the devices that you support ... 23
Building a native iOS App Center App using the App Center Builder ... 26
Creating roles and groups ... 27
Setting up notifications ... 34
Branding your company's app center and the App Center App ... 35
Enhancing your app center ... 38
Enabling the End-User Portal ... 39
Configuring your app center for internationalization ... 40
Chapter 2 Enrolling and authenticating users ... 43
Enrolling and authenticating users ... 43
Enrolling and authenticating users using the local IDP ... 44
Configuring the local identity provider ... 45
Enrolling end users for the local IDP ... 49
Enrolling and authenticating users using Active Directory/LDAP ... 52
Configuring Active Directory/LDAP as an external identity provider ... 53
Enrolling and authenticating users using SAML ... 57
Configuring SAML as an external identity provider ... 58
URLs to pass through SiteMinder without authentication ... 63
Configuring SiteMinder as an external identity provider ... 64
Enrolling users using your external identity provider ... 69
Chapter 3 Creating and managing app policies ... 71
Creating and managing app policies ... 71
Re-wrapping apps ... 80
Creating app policies that allow for single sign-on ... 80
Controlling app network access ... 82
Making an app so that it is required, and managing required apps ... 88
Chapter 4 Managing and publishing apps to your App Center ... 91
Adding apps to Symantec App Center ... 91
Publishing apps ... 96
Rescinding (un-publishing) and updating (replacing) apps ... 102
Chapter 5 Making content available for download in Symantec App Center ... 103
Creating and assigning content policies ... 103
Creating content categories ... 105
Adding and managing content ... 106
Updating, editing, re-publishing, and deleting content files ... 108
Chapter 6 Managing end user devices ... 111
Managing the mobile devices enrolled with Symantec App Center ... 111
Enabling mobile device management (MDM) in Symantec App Center ... 113
Device Management features by App Center App type ... 114
Mobile Device Management reporting in Symantec App Center ... 116
Viewing, managing, and restricting a device's inventory ... 117
Working with device policies ... 118
Prioritizing Device Policies ... 118
Assigning and unassigning device policies ... 119
Locking, wiping, resetting passwords, and issuing other commands to managed mobile devices ... 119
Locating a lost or stolen device ... 121
Viewing device details and settings ... 122
Sharing policy settings between different policies ... 123
Chapter 7 Using TouchDown™ with Symantec App Center ... 125
Using TouchDown™ with Symantec App Center ... 125
Viewing TouchDown-related details and reports ... 126
Chapter 8 Running reports ... 127
Running reports ... 127
Appendix A List of Symantec App Center Shared Settings ... 131
iOS shared policy settings ... 131
Android shared policy settings ... 134
TouchDown shared policy settings ... 135
Appendix B Renewing the MDM Certificate ... 139
Renewing the MDM Certificate ... 139
Appendix C Commands that can be sent to mobile devices ... 141
Deploying and setting up Symantec App Center
This chapter includes the following topics:
■ Deploying and setting up Symantec App Center
■ Setting up Symantec App Center
Deploying and setting up Symantec App Center
This workflow walks you through the process of deploying and setting up Symantec App Center. It consists of the following tasks:
1. Choosing your deployment option as follows:
■ Public cloud/SaaS
■ On-premise (Red Hat/CentOS)
See “Choosing your deployment model: SaaS or on-premise” on page 12.
2. Deploying App Center.
If you choose the SaaS model, you need to register for your App Center. See “Getting started with the public cloud/SaaS option” on page 13.
3. Setting up App Center by configuring the features that you want to use. See “Setting up Symantec App Center” on page 14.
Pre-requisite:
■ To deploy App Center on premise, you need an SSL certificate for your App Center server.
You can purchase this certificate from a publicly-trusted certificate authority.
Choosing your deployment model: SaaS or on-premise
You can deploy Symantec App Center using one of the following deployment models:
■ Public cloud/SaaS
Implemented in Symantec’s public cloud
■ On-premise
Implemented in a Red Hat Enterprise Linux (RHEL) or CentOS environment
See the Symantec App Center Installation Planning Guide for more information on these models, including:
■ Network configuration diagrams
■ A planning questionnaire
■ Connection and certificate requirements (for the on-premise model)
■ Additional deployment options for each model (for example, public vs. private cloud for the SaaS model)
Table 1-1 briefly describes these models including their pros and cons.
Table 1-1 App Center deployment options
Deployment option: Public cloud/SaaS
Description: This model is implemented on the Amazon cloud. It's used by customers who want to get started quickly and who do not want to worry about infrastructure.
Pros:
■ Quick and easy to get started
■ No capacity planning required
■ No operations or administrative overhead
Cons:
■ Multi-tenant environment
■ Lack of performance guarantees
■ Requires external connectivity to corporate identity provider (for example, Active Directory)
■ May not meet infosec/policy requirements
Deployment option: On-premise
Description: This model can be deployed facing the Internet, on a corporate Intranet, or in a firewalled DMZ. If multiple servers are implemented for scalability, a load balancer is needed to balance the traffic.
Pros:
■ If VMware infrastructure is in place, it's quick and easy to provision
■ May be preferred by infosec policy
■ Scales to a large number of users
Cons:
■ Requires operations involvement
■ Requires database administrator involvement
■ IT is responsible for server hardening
Next steps:
■ If you choose the SaaS model, you need to register for your App Center. See “Getting started with the public cloud/SaaS option” on page 13.
■ If you choose the on-premise model, refer to the Symantec App Center 4.1 Installation and Operations Guide.
Getting started with the public cloud/SaaS option
You can register for your own Symantec App Center at www.appcenterhq.com/registration. This form gathers the information needed to create an App Center in Symantec’s Amazon cloud.
In general, you are required to provide the following information:
■ User name and password
The user name and password needed to log in to App Center for the first time. After you log in, you can create additional users as required.
■ URL
The name of the App Center URL that you want to create
For example, if you type Acme, the URL for your App Center will be acme.appcenterhq.com.
Note: The email address you provide is where the registration email is sent. Access to this email is required to complete the registration process.
After you submit the App Center Registration form, you'll receive an email that contains a link to your App Center. You can log in to your App Center using the user name and password that you specified on the registration form.
Setting up Symantec App Center
After you install Symantec App Center, you can perform the following tasks to set up App Center based on your organization's preferences:
■ Install your license key.
See “Licensing App Center” on page 15.
■ Import your iOS certificates so that you can develop and distribute iOS apps. This requires that you have an Apple Development and Distribution Provisioning Profile.
See “Managing the iOS certificates used by Symantec App Center” on page 18.
■ Create a native iOS App Center App.
The App Center App is the app that launches your App Center on your end users' devices. App Center is installed with a default web clip App Center App for iOS. You can create a native App Center App for iOS that supports more features.
See “Configuring the Symantec App Center for the devices that you support” on page 23.
■ Identify and configure your identity provider (IDP).
You can use either a local identity provider or configure an external identity provider to enroll and authenticate users.
See “Enrolling and authenticating users” on page 43.
■ Create your roles and groups.
Roles define what users have permission to do in App Center. App Center is installed with a default set of roles that are assigned a default set of permissions. You can create custom roles and assign them the permissions that you want.
Groups let you combine App Center users that have something in common. If you want to give members of the group permission to perform specific tasks, you can assign one or more roles to the group.
See “Creating roles and groups” on page 27.
■ Set up notifications.
You can set up the following types of notifications in App Center: push notifications, administrative notifications, and licensing notifications.
See “Setting up notifications” on page 34.
■ Brand your App Center.
App Center lets you apply your organization's brand to your custom app center and mobile clients, such as adding your logo, creating a title, and so on.
See “Branding your company's app center and the App Center App” on page 35.
■ Enhance your app center to provide more features to your end users when they are logged in to your app center.
See “Enhancing your app center” on page 38.
■ Enable a browser-based end-user portal.
This lets your end users view apps and content across all supported device platforms from any browser.
See “Enabling the End-User Portal” on page 39.
■ Configure your default language.
See “Configuring your app center for internationalization” on page 40.
Licensing App Center
Symantec App Center is available as both a service hosted by Symantec, and as an on-premise product that’s part of the Symantec Mobile Management Suite. To obtain a 60-day hosted trial, complete the form at https://www.appcenterhq.com/registration/. The App Center hosted service can be licensed by subscription as follows:
■ Trial - All features, no support, 60-day limit, and limited to a maximum of 100 mobile users.
■ Basic - Mobile Device Management (MDM)
■ Standard - Mobile App Management (MAM)
■ Enterprise - All features enabled
■ Storage add-on - Hosted users receive 4 GB of server storage. You can purchase a storage add-on subscription license in increments of 10 GB.
Figure 1-1 Symantec App Center Licensing Options
[Figure: feature matrix comparing the Trial, Basic Edition, Standard Edition, and Enterprise Edition licenses. Rows: Mobile Device Management; App Security and Policy; Content Security and Policy; End-user Self-service Portal; App Usage Analysis Reporting; Identity integration with AD, LDAP, and SAML; Enterprise App Center; SE / Channel Support; Symantec / Nukona Enterprise Support; SaaS Deployment; On-premise Deployment; Time Limit; Number of users.]
Adding an App Center license
Note: This procedure assumes that you already have an App Center license. If you need to purchase a license, contact your Symantec Sales Partner or approved reseller. Also, before you start this procedure, make sure that the computer that runs the App Center Admin Console has external internet access. The serial number is located in the License Certificate and is in the format of a letter followed by 10 digits, for example, M0123456789.
Applying a new license
1. In the App Center Admin Console, go to Account > Licensing and click Add new license.
Note: The Primary Contact field supports only single-byte characters. Double-byte characters trigger an error message telling you to use only single-byte characters.
2. Enter the serial number for your new license and then click Add.
Note: The serial number is sent by email to the person specified at the time of the license purchase.
3. If you have additional licenses to apply, repeat the procedure.
Checking your App Center licensing status
The Account > Licensing page displays the status of your current App Center license, and if multiple licenses are available, which is applied. License status is color-coded in the UI:
■ Red - Licensed user count is exceeded, storage space is exceeded, or license is expired. Additionally, when any of these conditions are present, a message is displayed across the top of the App Center Admin Console.
■ Yellow - App Center is within 10% of its licensed user count, the licensed storage space is below 200 MB, or the license is within 30 days of expiring.
■ Green - The App Center license is valid and there are no impending license limits or expirations.
Additionally, the page provides information about expiration and application dates, license type, the number of users the license allows, and the license serial number.
Renewing a license
The process to renew a license is the same as for purchasing and applying a new license. Before your current license expires, or when the number of users approaches the limit for your current license, contact your Symantec Sales Partner or reseller to purchase a new license. When you have the serial number for the new license, you enter it on the Account > Licensing page.
Managing the iOS certificates used by Symantec App Center
For various iOS functions, you need certificate/key pairs that you obtain from the Apple iOS provisioning portal (in the case of Push and MDM functions) or qualified certificate vendors (in the case of AppSigning keys). These keys are usually imported into and managed on your local Mac computer in the Apple ‘Keychain Access’ application (Applications > Utilities > Keychain Access). To upload these keys to Symantec App Center, you must choose to export the key as a Personal Information Exchange file (.P12).
The following items are used with App Center:
■ Code-signing Certificate - Also known as an app-signing certificate. Used to associate the app with the owner of the key and provide a trust relationship between the app code and the end-user
■ App ID - Used for the Push Certificate and Mobile Provisioning Profile. Provides a unique ID for each app
■ Mobile Provisioning Profile - Required for any distributed native app or Secure Web App
■ MDM Certificate - Used to secure the relationship between the App Center server and the iOS device
Creating and installing the iOS certificates
Per Apple’s licensing policy, apps that are available from the Apple App Store may not be distributed through any other means, including App Center. App Center performs checks prior to uploading an app to make sure that the .ipa file is valid for redistribution.
Make sure that you are compliant with the terms of the Apple License Agreement. Review the steps that must be completed and other information at:
http://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/DevPortalGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011159-CH1-SW1
■ Sign up for the iOS Developer Enterprise Program.
http://developer.apple.com/programs/ios/enterprise
■ Follow the process for distributing apps to your enterprise.
http://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html
If you are not ready to commit to distributing apps through the Apple App Store, you can distribute apps on an ad-hoc basis using a Developer's license. Ad-hoc distribution requires that you have the UDIDs of any devices that receive your app. Review the ad-hoc distribution method at:
http://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/DevPortalGuide/DesignatingiOSDevicesforDevelopmentandUserTesting/DesignatingiOSDevicesforDevelopmentandUserTesting.html#//apple_ref/doc/uid/TP40011159-CH30-SW1
Note: The UDID of any enrolled iOS device is available on the Devices section of the App Center Admin Console.
Phase 1: Uploading the code-signing certificate
In the first phase of this workflow, you upload the certificate/key pair that is used to sign the app code (a.k.a., 'code-signing' certificate). This file is provided by the person or department who manages your Apple Enterprise Account.
Note: App Center requires a .P12 format for the certificate/key file. If the file is in .CER format, on a Mac, use Keychain Access to import the certificate and then export it as a .P12 file.
To upload the code-signing certificate
1. In the Admin Console, click Settings > Apple/iOS Certificates.
2. In the right pane, scroll down to Code-Signing Certificates.
3. At Upload New, browse for and select your Apple code-signing certificate.
4. Optionally, if you do not already have an Apple code-signing certificate, use the link provided in the UI for information about obtaining the certificate.
5. At the top of the page, click Upload.
Phase 2: Creating an Apple App ID, configuring APNS, generating the CSR, and downloading the certificate
In this phase of the workflow, you create the App ID that's used for the Push Certificate and for the Mobile Provisioning Profile that's used with your App Center iOS app.
This workflow proceeds as follows:
■ Create an App ID.
■ Configure the App ID for use with the Apple Push Notification Service.
■ Generate the certificate signing request (CSR) and download the certificate.
To create an App ID Push Certificate
1. Go to http://developer.apple.com.
2. Select iOS Dev Center and log in.
3. Select iOS Provisioning Portal > App ID's.
4. On the right side of the screen, select New App ID.
5. Type a descriptive name for your app.
6. Select a Bundle Seed (App ID Prefix). For example: Use Team ID
7. Add the Bundle Identifier (App ID Suffix). For example: com.yourdomain.appname
8. Click Submit.
You return to the main App ID page.
To configure the certificate for the Apple Push Notification Service (APNS)
1. On the main App ID page, locate the App ID you created in the first part of the workflow and select Configure.
2. On the Configuration page, check Enable for Apple Push Notification Service.
3. Click Production Push SSL Certificate and click Configure.
To generate the certificate signing request (CSR) and download the certificate
1. Open Keychain Access and click Certificate Assistant > Request Certificate from Certificate Authority.
2. Enter the requested information and then save the CSR to your local disk.
4. Download the certificate.
The certificate is in the .cer format. The next two steps provide instructions to change the format to .P12.
5. To change the format, double-click the .cer file to open it in Keychain Access.
6. Export the file as a .P12 file.
Phase 3: Creating a Mobile Provisioning Profile, and building and publishing a native app
You use the Mobile Provisioning Profile with App Center Builder to create a native iOS App Center App.
To create a Mobile Provisioning Profile
1. Go to the Apple Developer website and log in.
http://developer.apple.com
2. Go to Provisioning > Distribution > New Profile.
3. Select In House.
4. Type a name for the profile.
5. Select the Distribution Certificate from Phase 1 of this workflow.
6. Select the App ID you created in Phase 2 of this workflow.
7. Click Submit.
8. Wait for 30-60 seconds and then refresh the page to see that the Provisioning Profile is active. When the profile is active, download and save it to a convenient location.
To build the native app
Build the native app according to the instructions found in the following topic:
See “Building a native iOS App Center App using the App Center Builder” on page 26.
To publish the native app
1. In App Center Builder, click Publish.
2. Select Import Enterprise Distribution Profile and import the Provisioning profile you created in the first procedure of this phase (Phase 3).
As a best practice, double-check that the Bundle ID is the one you want.
3. Type your App Center URL and administrator credentials.
Phase 4: Uploading the Push and MDM certificates
In this final phase, you upload the two certificates that let you remotely manage iOS devices and push notifications to iOS devices.
To upload the Push Certificate
1. In the App Center Admin Console, click Settings > Apple / iOS Certificates > Push Certificate.
2. Click Choose file and select the Push Certificate you created in the second procedure of Phase 2.
The Push Certificate must be associated with the App ID that is used to build the native iOS App Center App.
3. Click Upload.
To upload the MDM Certificate for SaaS installations
1. In the Admin Console, click Downloads > iOS MDM CSR.
2. Click Download iOS MDM CSR.
3. Download and save the iOS MDM Certificate Signing Request (CSR).
4. Go to http://identity.apple.com/pushcert and log in with your Apple account credentials.
5. Click Create a Certificate.
6. Click Choose file and select the CSR you downloaded in step 2, and then click Upload.
7. When the page refreshes, click Download to retrieve your MDM Certificate.
8. In the Admin Console, click Settings > Apple iOS / Certificates > MDM Certificate > Upload New.
9. Select the MDM Certificate you just downloaded in step 7.
10. Click Save.
To upload the MDM Certificate for on-premise installations
1. In the left pane of the Admin Console, click Downloads > iOS MDM CSR, click Download iOS MDM CSR, and save the file.
2. Email the file to:
3. Upon receipt of the signed CSR, go to http://identity.apple.com/pushcert/, log in, and upload the signed CSR file.
The MDM Certificate is provided to you.
4. In the App Center Admin Console, click Settings > Apple / iOS Certificates, and in the right pane, click MDM Certificate > Upload New.
5. Browse to and upload the MDM Certificate provided to you in step 3.
6. Click Settings > Device Management and check Enable device management.
7. Click Save.
This completes the iOS certificates workflow.
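A pre-upload check for the .P12 files used in Phases 1 and 4, added here as an example (it is not Symantec tooling or code from this guide): it confirms that the bundle opens with the password, contains a private key, is not close to expiry, and names the expected bundle ID. It assumes the openssl command-line tool and that the bundle ID appears in the certificate subject; the function names, the com.example.appcenter ID, and the self-signed test certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for a .P12 bundle before it is uploaded.
# Requires the openssl command-line tool.

# check_p12 FILE PASSWORD BUNDLE_ID [MIN_DAYS]
# Returns 0 if all checks pass, otherwise:
#   2 = file unreadable or wrong password
#   3 = no private key (or no certificate paired with a key)
#   4 = certificate expires within MIN_DAYS (default 30)
#   5 = certificate subject does not name BUNDLE_ID
check_p12() {
  local p12="$1" pass="$2" bundle_id="$3" min_days="${4:-30}"
  local cert subject

  # Extract only the client certificate; this fails on a bad file or password.
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) \
    || { echo "FAIL: cannot read $p12 (wrong password or not PKCS#12)"; return 2; }

  # A certificate exported without its key cannot sign apps or authenticate
  # to a push service. The key is piped to grep only, never written to disk.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' \
    || { echo "FAIL: no private key in $p12"; return 3; }
  case "$cert" in
    *'BEGIN CERTIFICATE'*) ;;
    *) echo "FAIL: no certificate paired with the key in $p12"; return 3 ;;
  esac

  # -checkend exits non-zero if the certificate expires within N seconds.
  printf '%s\n' "$cert" \
    | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $min_days days"; return 4; }

  # Assumption: the bundle ID is a whole subject value (UID=<id>) or the tail
  # of the common name (CN=<label>: <id>). Match it exactly, not as a prefix.
  subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253)
  subject=${subject#subject=}
  subject=${subject# }
  case ",$subject," in
    *"=$bundle_id,"* | *": $bundle_id,"*) ;;
    *) echo "FAIL: subject '$subject' does not name $bundle_id"; return 5 ;;
  esac

  echo "OK: $p12 has a private key, is valid for at least $min_days days, and names $bundle_id"
}

# make_demo_p12 DIR DAYS
# Builds constructed test material: a self-signed certificate (not issued by
# Apple), a complete bundle push.p12, and a key-less bundle certonly.p12.
make_demo_p12() {
  local dir="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=Apple Push Services: com.example.appcenter" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/push.p12" -passout pass:demo || return 1
  openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
    -out "$dir/certonly.p12" -passout pass:demo
}

# Demonstration on the constructed bundles.
demo_dir=$(mktemp -d)
if make_demo_p12 "$demo_dir" 90; then
  check_p12 "$demo_dir/push.p12" demo com.example.appcenter || true
  check_p12 "$demo_dir/certonly.p12" demo com.example.appcenter || true
fi
rm -rf "$demo_dir"
```

Run check_p12 against the exported file with its export password and the Bundle ID you chose in Phase 2 before uploading it in the Admin Console.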
Configuring the Symantec App Center for the devices that you support
The App Center App is the app that launches your Symantec App Center on your end users' devices and then allows them to browse and download the apps and content to which they're entitled. End users typically download this app to their devices when they enroll.
App Center is installed with a default App Center App for Android and iOS. For BlackBerry, you must request that Symantec Support creates one for you. See “Configuring the BlackBerry App Center App” on page 25.
Each App Center App provides basic mobile application management to the devices they support, such as the ability to view and download apps from your App Center. Beyond that, each app differs in the features that they support. Table 1-2 lists some of these differences.
Table 1-2 App Center App features by device
| Feature | iOS Web Clip | iOS Native App | Android | BlackBerry |
| --- | --- | --- | --- | --- |
| Download apps from App Center | Yes | Yes | Yes | Yes |
| Content | No | Yes | No | No |
| Location tracking | No | Yes | Yes | No |
| Localized UI | No | Yes | Yes | No |
| App wrapping | No | Yes | Yes | No |
| Single Sign-On | No | Yes | Yes | No |
| Push notifications | No | Yes | Yes | No |
| Mobile Device Management | Yes | Yes | Yes | No |
Configuring the iOS App Center App
Symantec App Center is installed with a default web clip App Center App for iOS, which includes an icon that appears on the user's device to launch the app. The web clip app is easy to get started with, but does not support many of the key features of App Center. It is often used by trial customers.
You can create a native App Center App for iOS that supports more features. However, this requires that you first create a distribution certificate using your Apple Enterprise Developer account so that you can build the app and upload it to your App Center.
See “Managing the iOS certificates used by Symantec App Center” on page 18.
To configure the iOS App Center App
1. In the Admin Console, click Settings.
2. On the center pane under Device Clients, click iOS Client.
3. Click Use web clip or Use native app.
4. Under Policy, check Authentication to allow end users to access downloaded content when the App Center App is offline.
5. Check Content Storage to limit the amount of content end users can download to their devices based on a specified size in gigabytes.
6. Check Usage Restrictions to command the App Center App to destroy any app-related data on devices that are detected as jailbroken.
7. Under Limited Use Tokens, check Limit the number of app download attempts to one per request to restrict the number of token requests.
8. Click Save.
See “Building a native iOS App Center App using the App Center Builder”
Configuring and rebuilding the Android App Center App
Symantec App Center is installed with a default App Center App for Android, which includes a default icon and title that appears on the user's device to launch the app. You can change the settings of the default app, as well as the icon. You must then rebuild the app for the changes to take effect.
Note: There are times when you may need to re-build your Android App Center App (for example, after you upgrade to a new version of Symantec App Center). Re-building an App Center App updates the app to include any new functionality distributed with an upgrade. After you re-build the app, end users who are using that app are notified that a newer version is available to download.
To configure and rebuild the Android App Center App
1. In the Admin Console, click Settings.
2. On the center pane under Device Clients, click Android Client.
3. Check Usage Restrictions to destroy any app-related data on devices that are detected as rooted.
4. Click Rebuild Android App Center Client.
5. Click Save.
To change the icon of the Android App Center App
1. In the Admin Console, click Downloads.
2. Under Android Native Client, click Rebrand Android Client.
3. Scroll down to Android Client, click Browse, and then select the icon.
4. Click Save.
Configuring the BlackBerry App Center App
Symantec App Center is not installed with a default App Center App for BlackBerry.
To request a BlackBerry App Center App from Symantec Support
1. In the Admin Console, click Settings.
2. On the center pane under Device Clients, click BlackBerry Client.
3. Click Enable BlackBerry Support.
4. Follow the onscreen instructions to send the required information to Symantec Support to create the BlackBerry App Center App.
Building a native iOS App Center App using the App Center Builder
After you configure the settings for your native iOS App Center App, you need to build it using the App Center Builder. The App Center Builder lets you design this app in the way that you want your end users to see it. It then uploads the app to your App Center. Your end users then download this app to their devices. You must run the App Center Builder on a Mac.
Note: There are times when you may need to re-build your native iOS App Center App (for example, after you upgrade to a new version of Symantec App Center). Re-building an App Center App updates the app to include any new functionality distributed with an upgrade. You must follow the same procedure to re-build the app. After you re-build the app, end users who are using the app are notified that a newer version is available to download.
Pre-requisites:
■ A Mobile Provisioning Profile from the Apple Development iOS Provisioning Portal
See “Managing the iOS certificates used by Symantec App Center” on page 18.
■ An image that you want to use as the App Center App icon.
To run the App Center Builder
1. On a Mac, from the Admin Console in the left pane, click Downloads.
2. Under App Center Builder, click Download App Center Builder.
3. When prompted, accept the Apple Disk Image (.dmg file) to mount it, and then open it.
4. On the App Center Builder dialog box, double click the AppCenterBuilder icon.
5. Click Design.
6. Under Title, type a title for the App Center App as you want it to appear on the user's device.
7. Optionally, type a Subtitle.
8. Click Apply shine to icons to add a glossy effect to the App Center App icon.
9. Click on any one of the blank icon boxes to browse and add an image for the App Center App icon based on the appropriate size.
10. Click Automatically generate missing icons to populate the remaining icon boxes with the same image that you added in step 9.
11. Click Publish.
12. Click Import Enterprise Distribution Profile to select your Mobile Provisioning Profile. Your profile information appears.
Note: If you don't have your Mobile Provisioning Profile, you can download it again from the Apple Development iOS Provisioning Portal.
13. Under Your URL, type the FQDN of your App Center.
14. Click Generate and upload iOS App Center App.
15. Type your Username and Password to verify your admin credentials.
16. Click OK.
Creating roles and groups
Roles define what users have permission to do in Symantec App Center. App Center is installed with a default set of roles that are assigned a default set of permissions (see Table 1-3). You can edit the permissions in the default roles or create custom roles and assign them the permissions that you want.
Groups let you combine App Center users that have something in common. If you want to give members of the group permission to perform specific tasks, you can assign one or more roles to the group. Once you set up a group, you can easily assign app policies, manage devices, control content, etc., based on those groups. For example, you might create a group called "Finance" that consists of all of the registered App Center users who work in the Finance department. You could create apps that are solely for use by the Finance department and assign those policies just to the "Finance" group.
App Center installs with default groups that correspond with the default roles (i.e., administrators, developers, publishers, and managers). There is also the default group all users, which consists of all of the users who have registered with App Center, and the default group invited, which consists of all of the users who were sent an email invitation to register with App Center but have not yet done so.
You should set up your roles and groups in App Center before you configure your identity provider (IDP) so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.
See “Enrolling and authenticating users” on page 43.
You set up and manage roles and groups in the same manner regardless of which IDP you use.
Creating roles
Once you establish your roles, you can assign one or more roles to a group. The roles that you assign to your groups determine the tasks that the groups' users can perform, as well as the features that they can access in the App Center Admin Console.
Table 1-3 describes the default roles.
Table 1-3 Default roles
Role: Administrator
Description: Has full administrative permissions throughout App Center, including the rights to:
■ See and edit all apps
■ Add new apps
■ See and edit all content
■ Add new content
■ See and edit all groups and users
■ Add new groups and users
■ Define app, content, and device policies
■ Modify settings
Role: Developer
Description: Has limited access to the Admin Console with the following permissions to:
■ Upload apps
■ Replace or delete apps that they previously uploaded
■ Determine which groups can install developer
■ Request a Publisher publish their app as production as beta
Role: Publishers
Description: Has limited access to the Admin Console with the following permissions to:
■ Do everything a developer can do
They can do this only for the apps and content for which they have been assigned as Publishers, not just the apps or content that they upload.
■ Approve or deny publish requests from Developers for apps for which they are Publishers
Only Administrators can assign a Publisher permission to a certain app or content.
Role: Managers
Description: Has limited access to the Admin Console with the following permissions to:
■ Change group membership (that is, entitlements) for apps and content
■ Manage any apps or content for which they are assigned as Managers
They cannot upload, replace, or delete any apps or any content. Only Administrators can give a Manager permissions to manage an app or content.
Role: Device Manager
Description: Has limited access to the Admin Console with the following permissions to:
■ Access mobile device management (MDM)
They can see a list of devices and execute device options such as revoke the App Center App.
Role: Policy Editor
Description: Has limited access to the Admin Console with the following permissions to:
■ Define and edit content policies, app policies, and MDM policies
■ Assign device policies
Policy Editors cannot, however, assign content or app policies.
To create a role
1. In the Admin Console on the left pane, click Settings.
2. On the center pane under Settings, click Roles and Permissions.
3. Do one of the following:
■ To create a role from an existing role, select the existing role, and then click Duplicate. Type the name for the role. This role is assigned the same permissions as the role from which it was duplicated.
4. Check each permission that you want to grant to this role. When you grant a role a permission to add something, you should also grant the role the corresponding permission to change it. However, you can grant a role a change permission without granting the corresponding add permission. For example, if you check Can add mdm policy, you should also check Can change mdm policy. However, you can just check Can change mdm policy without checking Can add mdm policy.
5. Click Save.
Creating groups
Users in groups fall into one or more of the following categories:
■ Users who develop and publish apps, manage devices and content, and perform administrative tasks within App Center.
After you have defined your roles, you can assign those roles to groups. For example, you can assign the Publishers role to the Publishers group. Everyone in the Publishers group can perform all the tasks that you defined for the Publishers role.
■ End users who access App Center to download content and apps and whose devices you want to secure and manage.
Creating groups for your end users makes it easier to define what policies apply to these users. For example, you can create a group called Finance. Then you can create app policies that only members of the Finance group can access. As you create a group, you can specify what roles (if any) you want to apply to the group. After you create a group, you can apply policies to the group, set up device management policies, and so on. When you configure an external IDP, you can map the IDP's groups to your App Center groups. This way, you do not have to individually add members to groups.
Note: App Center does not support group mappings for SAML.
A single user can be in multiple groups.
To create a group
1. In the Admin Console on the left pane, click Users.
3. In the Group Name field, type the name for the new group.
4. Optionally, check all of the roles that you want to assign to your new group.
5. In the Members box, type the name of a user that you want to add to this group, and then click Add. Repeat this step for each user that you want to add. If you use an external IDP, you can map the IDP's groups to your App Center groups. Users automatically are added to the appropriate groups based on the group mappings when they enroll with App Center.
6. Select one of the following Admin Scope options:
Everyone: If you selected the roles View Devices and/or View Users, users in this group can view all of the devices and/or all of the users registered with App Center.
Limited To: If you selected the roles View Devices and/or View Users, users in this group can only view the devices and/or all of the users in the group that you select below.
See “Setting up localized administrators” on page 31.
7. Click Save.
See “Enrolling and authenticating users using the local IDP” on page 44.
See “Enrolling and authenticating users using Active Directory/LDAP” on page 52.
See “Enrolling and authenticating users using SAML” on page 57.
See “Enrolling and authenticating users using SiteMinder” on page 62.
Setting up localized administrators
Symantec App Center lets you create groups and assign roles to these groups that allow the group members to see only the users and/or devices for the specific groups or subgroups that you specify. This feature is called Admin Scope. When you select the permissions View Devices and/or View Users in a role and then assign that role to a group, you can restrict the group's members to being able to view just the devices and/or users for the subgroup that you specify.
Note: You must uncheck View All Devices and/or View All Users for this feature to work as designed.
For example, assume that you want to let only a few administrators be able to view all of the users and devices in their specific region. So you create a new role called "Localized Admins." And in that role, you select the permissions View Devices and View Users. You already have set up groups for "all users - East Coast" and "all users - West Coast." Now you create a new group called "East Coast Admins," and in that group you add the administrators who will manage the East Coast users and their devices. When you configure this new group, in the Admin Scope you select Limit to and select the subgroup all users - East Coast. This means that the members of the "East Coast Admins" group can only view the users and devices for the members of the "all users - East Coast" group. They cannot, for example, view users or their devices for the "all users - West Coast" group.
While you can use this feature with any identity provider, it is better suited for larger organizations that integrate with Active Directory and/or LDAP. When you integrate with Active Directory/LDAP, you can use App Center's group mapping feature to map Active Directory/LDAP groups to App Center groups. When you are ready to create a new App Center User group, the Active Directory/LDAP groups and subgroups that you have mapped automatically appear in the Admin Console on the Users > Add New Group page.
See “Configuring Active Directory/LDAP as an external identity provider” on page 53.
For a detailed example of how to set up the Admin Scope feature using Active Directory/LDAP and group mapping, see the following knowledge base article:
www.symantec.com/business/support/index?page=content&id=HOWTO83776&key=61596&actp=LIST
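The following audit sketch is an added example, not Symantec code. It checks a snapshot of roles and groups for the two conditions this guide warns about: a role that can add an item without being able to change it, and an Admin Scope group whose roles still carry a View All permission. The snapshot layout, the sample role and group names, and the choice to combine permissions across all roles of a group are assumptions made for the example.

```python
"""Audit a roles/groups snapshot for two misconfigurations the guide describes.

The snapshot layout is constructed for this example; it is not an App Center
export format. Permission names follow the wording used in the guide.
"""

# Each scoped view permission and the "All" permission that overrides the scope.
SCOPED_VIEW = {"View Devices": "View All Devices", "View Users": "View All Users"}

# Constructed sample: role name -> set of checked permissions.
ROLES = {
    "Localized Admin": {"View Devices", "View Users"},
    "Broken Local Admin": {"View Users", "View All Users"},
    "MDM Author": {"Can add mdm policy"},
    "MDM Editor": {"Can change mdm policy"},
}

# Constructed sample groups with their Admin Scope setting.
GROUPS = [
    {"name": "East Coast Admins", "roles": ["Localized Admin"],
     "admin_scope": "Limited To", "scope_groups": ["all users - East Coast"]},
    {"name": "West Coast Admins", "roles": ["Broken Local Admin"],
     "admin_scope": "Limited To", "scope_groups": ["all users - West Coast"]},
    {"name": "Unscoped Admins", "roles": ["Localized Admin"],
     "admin_scope": "Limited To", "scope_groups": []},
    {"name": "Policy Team", "roles": ["MDM Author", "MDM Editor"],
     "admin_scope": "Everyone", "scope_groups": []},
]


def audit_roles(roles):
    """Flag every 'Can add X' permission whose 'Can change X' twin is unchecked.

    The check is per role, because the guide gives the advice per role.
    """
    findings = []
    for role, perms in sorted(roles.items()):
        for perm in sorted(perms):
            if perm.startswith("Can add "):
                twin = "Can change " + perm[len("Can add "):]
                if twin not in perms:
                    findings.append((role, "add-without-change", perm))
    return findings


def audit_groups(groups, roles):
    """Flag 'Limited To' groups whose scope is defeated or left empty."""
    findings = []
    for group in groups:
        if group["admin_scope"] != "Limited To":
            continue  # "Everyone" groups are meant to see everything
        # Assumption: a group's permissions are the union of its roles'.
        effective = set()
        for role in group["roles"]:
            effective |= roles.get(role, set())
        has_view = False
        for view_perm, all_perm in SCOPED_VIEW.items():
            if view_perm not in effective:
                continue
            has_view = True
            if all_perm in effective:
                # The guide: the scope does not work if "All" is checked.
                findings.append((group["name"], "scope-defeated", all_perm))
        if has_view and not group["scope_groups"]:
            # The procedure asks for one or more groups or subgroups.
            findings.append(
                (group["name"], "limited-to-empty", "no scope group selected"))
    return findings


if __name__ == "__main__":
    for finding in audit_roles(ROLES) + audit_groups(GROUPS, ROLES):
        print("%-20s %-20s %s" % finding)
```

Note that the Policy Team group holds both MDM roles, yet the MDM Author role is still reported, because the add/change pairing is checked on each role separately.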
This workflow consists of the following tasks:
1. Create a new role for localized administrators.
2. Create a new group for localized administrators.
To complete this workflow, you must have first configured and enabled your identity provider and configured your group mappings.
See “Enrolling and authenticating users” on page 43.
To create a new localized administrators role
1. In the Admin console, click Settings > Roles & Permissions.
2. In the right pane, click Add Role.
3. On the right pane in the Name field, type the name for the new role. For example, you may want to name the new role Localized Admin.
4. Make sure View Devices and/or View Users is checked. You can check one or the other or both.
5. Make sure View All Devices and/or View All Users is unchecked. If you checked only View Devices, then make sure View All Devices is unchecked. If you checked View Users, make sure View All Users is unchecked. This feature does not work as designed if the corresponding "All" option is checked.
6. Check any of the tasks that you want this role to have permissions to do, and uncheck any roles that you don't want users to have permission to do.
7. Click Save.
To create a new localized administrators group
1. In the Admin console, click Users.
2. In the center pane, click Add New Group.
3. In the right pane, in the Group Name box, type the name for your new group. For example, you might want to call this new group Localized Admin.
4. Under Roles, select the new role that you just created above. See “To create a new localized administrators role” on page 32.
5. Under Admin Scope, make sure Limited To is selected. This is the default setting.
6. Select one or more groups or subgroups that this new User group should have control of.
7. Click Save.
Setting up notifications
Symantec App Center sends notifications for several different events. Device users who install the native App Center App receive notifications when new apps or updates are available. You can opt to have notifications sent by email if push notifications are not available. Administrators can be notified by email when certain system events occur.
You can set up the following types of notifications in App Center:
App Center sends notifications to mobile users when new applications are available. For most devices, notifications are delivered from App Center to the mobile device using the standard platform service: Google GCM or Apple Push Notification Service. Notifications are sent to the native App Center mobile client. Devices using the iOS App Center web clip client cannot use Apple Push Notifications. Certain Android devices do not support notification either, in particular those without the Google Market App or those that have not been configured with a Google Account. App Center configures itself to communicate with Google GCM and uses a site-wide account and self-signed certificates. The GCM account is embedded in the native Android App Center mobile client too.
The Apple Push Notification Service (APNS) requires special certificates to enable communication from App Center via APNS to the client device. (APNS requires that Apple act as the go-between for notifications.)
Note: APNS certificates are created in the Provisioning Portal on http://developer.apple.com. They are created at the same time as mobile provisioning files are created for the native mobile client. See “Managing the iOS certificates used by Symantec App Center” on page 18.
For devices that are not enabled for push notifications, App Center can be configured to send an email message with this check box: Send email notification if push notifications are unavailable.
Administrative notifications: App Center sends a variety of notifications about system events via email to the email account of the primary administrator. App Center allows such email to be directed to a different address, perhaps to be logged or entered into a tracking system. It also allows a custom prefix to be prepended to each subject line for easier mail filtering.
Licensing notifications: If your license is in a warning state or if the licensed user count is exceeded, the storage limit is exceeded, or the license has expired, App Center can issue emails to notify the administrator of these issues. You can activate or deactivate licensing notifications on the Settings > Notifications page. See “Licensing App Center” on page 15.
Setting up notifications
1. In the left pane of the App Center admin console, click Settings.
2. On the center pane, click Notifications and then in the right pane, select the options you want to use.
3. When you are done, click Save.
Branding your company's app center and the App Center App
Symantec App Center lets you apply your organization's brand to your custom app center. This includes title, email contact, support information, community URL, FAQs, color, corporate logo, and icons.
To brand your company's app center and the App Center App
2. Specify the following information:
Long Title: The name that appears in the center of the title bar at the top of each Web page in the Admin Console and the End User Portal. This title does not appear on the mobile clients.
Short Title: The title that appears on the mobile clients. If your organization has a long name, you may want to consider shortening the name. For example, if the name of your organization is Acme Trucking Company, the short title may be ATC or Acme.
From Email: The From: email address that appears on email messages to end users.
From Name: The name that appears in emails in addition to the email address.
Support URL: The URL or email address that your end users should contact to obtain support. For example, if your company has a support Web site, it could be the URL to that site (for example, https://support.acme.com). If your company has an email address that all support requests should go to, then it could be that email address (for example, [email protected]).
Support Email: The support email address that is used for the Android client only.
Community URL: The URL for your company support page.
Frequently Asked Questions: The URL to your organization's support FAQ page. This could also be the text that you want to appear on the end user's mobile browser login and download app center pages.
Accent Color: The background color of the title bar. Use an RGB color.
Apps that are constrained by a policy will have their own icon that contains the Symantec logo.
Native Client Billboard Text: The billboard text that appears above the heading "Top Apps" on tablet devices.
Native Client Billboard Image: The billboard image that appears above the heading "Top Apps" on tablet devices.
Accent Image: An image that is repeated in the title bar. This image must be in .jpeg or .png format.
Logo: Your company's logo that appears in the top left of the title bar. This image must be in .jpeg or .png format and is limited to 60 pixels maximum height by 200 pixels maximum width.
Login Logo: The logo that users click to log in to your enterprise's app center.
iOS Webclip Icon: An image that is used in the iOS web clip client. This image must be in .jpg or .png format and be a 114 x 114 pixel iOS icon image.
Android Icon: An image that is used in the Android native client. This image must be in .jpg or .png format and be a 72 x 72 pixel Android icon image.
3. At the top of the Branding page, click Save.
Enhancing your app center
You can configure Symantec App Center to enhance your end users' experience when logged into your app center.
This includes the ability for end users to do the following:
■ View apps grouped by category
■ Search for apps by specified text
■ View and request access to apps and content to which they're not entitled
■ Enable the self-service End-User Portal
■ View screen shots associated with apps on both the device and the end user portal
To enhance your app center
1. In the Admin Console on the left pane, click Settings.
2. On the center pane under Standard/Enterprise Edition, click Enhanced Store.
3. Click Enabled.
4. Click Users can see all apps, even if not entitled to let your end users view apps to which they're not entitled. When doing so, they can request access to an unentitled app, at which point a request is sent to the app's publisher.
5. Click Expose reviewer identity to see the name of any end user who reviews an app. You can see app reviews when you click See More on the production version of an app.
6. Under App Categories, click Add to add a category. You can assign a category when you add or edit an app.
7. Under Content Store, click Users can see all content, even if not entitled to let your end users view content to which they're not entitled. When doing so, users can request access to unentitled content, at which point a request is sent to the app's publisher.
8. Under Content Categories, click Add to add a category.
9. Click Save.
Enabling the End-User Portal
End users can be permitted to view apps from any browser that is not on a mobile device (such as a browser on a personal computer) via the self-service End-User Portal. The End-User Portal displays apps and content across all supported device platforms. You can also display your own billboard on the End-User Portal, either as a text description or as content sourced from a URL. You can also add tabs for custom content.
End users access the End-User Portal at the following URL: https://<my_url>.appcenterhq.com/portal
where <my_url> is the name of your Symantec App Center tenant.
The pre-requisites for this task are as follows:
■ You must be using the standard or enterprise edition of App Center.
■ You must first enable the Enhanced Store on the Settings > Enhanced Store page.
To enable the End-User Portal
1. In the Admin Console, click Settings.
2. On the center pane under Standard/Enterprise Edition, click End-User Portal.
3. Check Users can browse apps in a web browser on their computer. When you check this option, additional options appear.
4. Check Users can view their devices in the End-User Portal to let users view details about their own devices.
5. Check Users can run commands on their devices in the End-User Portal to let users run commands on their own devices.
6. In the Billboard Text type information that you want to appear on the home page of the End-User Portal. When this box is blank, no message appears.
7. In Billboard URL type a URL address. This setting is the URL for the optional sub-page (iframe) to be displayed, e.g., “https://intranet.acme.com/internal_news”. We strongly suggest that the billboard page be served via HTTPS (SSL). For best results, the billboard page should be 320px high by 865px wide. When this box is blank, no message appears.
8. Optionally, in the Tab Name box, type the name of an extra tab to add to the End-User Portal. The content for this tab is directly sourced using the Tab URL (below), and the Tab Name is shown as the selectable tab on the left-hand panel of the portal.
9. If you added a new tab, type the Tab URL.
10. At the top of the page, click Save.
Configuring your app center for internationalization
Symantec App Center lets you type and store localized data on the following Admin Console pages:
■ Apps (Edit and Version Edit)
■ Settings > Branding
■ Settings > Metadata > App Versions
■ Settings > Standard/Enterprise > End-User Portal
■ Settings > Device Management
■ Settings > Mobile User Invitation Email
■ Users (Invite via Email)
When you are on any one of these pages, you should type the data initially in your default language. Using the top menu bar, you can then specify another language and then type the data in that language. The localized data appears on the devices and end user portals configured for that language. If localized data is not available, the content appears in the default language.
To configure your app center for internationalization
1. In the Admin Console, click Settings.
2. On the center pane, click International.
See “Managing localized email invites” on page 41.
Managing localized email invites
To create email invitations for end users in their local language, create custom templates for each language by navigating to Settings > Mobile User Invitation Email or Users > Invite via Email. Once you have created the local invitation email, go to Users > Invite via Email. Make sure the proper language is selected in the top menu bar. Then enter the email addresses of the users that you want to send the localized message to and click Send Invite. All other emails to end users will be localized based on the user's preferred language after they have logged in to the App Center.
Enrolling and authenticating users
This chapter includes the following topics:
■ Enrolling and authenticating users
■ Enrolling and authenticating users using the local IDP
■ Enrolling and authenticating users using Active Directory/LDAP
■ Enrolling and authenticating users using SAML
■ Enrolling and authenticating users using SiteMinder
Enrolling and authenticating users
Symantec App Center lets you use an identity provider (IDP) to enroll and authenticate users to the App Center. App Center can handle group management through the local IDP or you can manage groups through the external IDP. All IDPs (local and external) provide access to the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication. IDPs not only provide authentication, they also provide for application single sign-on.
This workflow assumes you have met the following prerequisites:
■ Roles and groups are set up.
You should set up your roles and groups in App Center before you configure your IDP so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.
See “Creating roles and groups” on page 27.
■ If you use an external IDP, the IDP already exists within your organization.
Table 2-1 Enrolling and authenticating users workflow
Phase 1: Configure your IDP.
App Center supports the following IDPs:
■ Local
By default, Symantec App Center provides a simple, local IDP that you can use for authentication. The local IDP is easy to use, requires no integration, and is ideal for small user environments or trials.
■ Active Directory
App Center supports using Active Directory (AD) to authenticate users.
■ LDAP
App Center supports AD as an IDP through LDAP and also can support any other type of IDP that exposes an LDAP interface.
■ SAML
App Center supports using SAML to authenticate users. Use SAML as the external IDP if you integrate with Symantec O₃.
■ SiteMinder
SiteMinder is supported for on-premises installations only. Integration with SiteMinder not only lets you use SiteMinder as the authentication provider, it also lets you use it for application single sign-on. App Center supports integration with SiteMinder versions 6, 12, and 12.5.
Phase 2: Enroll users.
The process to enroll users varies depending on whether you use the local IDP or an external IDP.
See “Enrolling and authenticating users using the local IDP” on page 44.
See “Enrolling and authenticating users using Active Directory/LDAP” on page 52.
See “Enrolling and authenticating users using SAML” on page 57.
See “Enrolling and authenticating users using SiteMinder” on page 62.
Enrolling and authenticating users using the local IDP
This workflow assumes you have met the following prerequisite:
■ Roles and groups are set up.
You should set up your roles and groups in Symantec App Center before you configure your identity provider (IDP) so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.
See “Creating roles and groups” on page 27.
The workflow to enroll and authenticate users in App Center using the local IDP is as follows:
1. Configure the local IDP.
The local IDP is ideal for smaller environments or trial users because it is easy to use and requires no integration. The local IDP provides authentication for access to the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication. The local IDP not only provides authentication, it also provides for application single sign-on.
See “Configuring the local identity provider” on page 45.
2. Enroll your users.
App Center offers several methods that you can use to enroll users:
■ Email invitation
■ Manually adding a user in the App Center Admin Console
■ Enrolling multiple users at once using a comma-separated values (CSV) file
See “Enrolling end users for the local IDP” on page 49.
See “Enrolling and authenticating users” on page 43.
Configuring the local identity provider
By default, Symantec App Center provides a simple, local identity provider (IDP) for user authentication. The local IDP is ideal for smaller environments or trial users because it is easy to use and requires no integration. The local IDP provides authentication for access to the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication. The local IDP not only provides authentication, it also provides for application single sign-on. App Center can also handle group management through the local IDP.
See “Creating app policies that allow for single sign-on” on page 80.
See “Creating roles and groups” on page 27.
The password policies that you configure in App Center only apply when you use the local IDP. If you have enabled an external IDP for authentication, the external IDP enforces its password policies. The ability to change or reset password is only available for the local IDP.
■ Roles and groups are set up.
You should set up your roles and groups in App Center before you configure your IDP so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.
See “Creating roles and groups” on page 27.
Configuring the local IDP consists of the following workflow:
■ Configure the user authentication settings.
See “To configure the user authentication settings for the local IDP” on page 46.
■ Specify password lockout criteria.
See “To specify password lockout criteria for the local IDP” on page 47.
■ Set the administrator password policy.
If you enable either MDM or an app policy for the administrator, all of the options on the Admin Password Policy page are checked. The minimum password length is set to 8 characters.
All of the controls on this page become disabled in the following instances:
■ If you use app policies
■ If you enable Mobile Device Management (MDM)
In both instances, App Center sets the policy, and it cannot be modified by an administrator.
See “To set the admin password policy for the local IDP” on page 47.
■ Set the user password policy.
See “To set the user password policy for the local IDP” on page 48.
■ Specify the offline PIN policy.
The offline PIN policy is enforced when the user selects an offline PIN in the App Center App. The PIN is used for the App Center App and applications that have offline authentication permitted in their app policy. App Center only supports Latin letters, digits, and punctuation characters for the offline PIN.
See “To specify the offline PIN policy for the local IDP” on page 48.
To configure the user authentication settings for the local IDP
1. In the Admin Console, click Settings > User Authentication.
2. Check Use email address as user name to let users log in with their email addresses. This eliminates the need for users to remember their user names. If you already have an external IDP enabled, this option does not appear.