How To Configure iOS Devices with Afaria

SAP How-to Guide
SAP Mobility
SAP Afaria
provided by SAP Mobile - Rapid Innovation Group
Applicable Releases: SAP Afaria 7 (SP1-SP4)
Version 1.0
March 2013


© Copyright 2014 SAP AG. All rights reserved.


Document History

Document Version Description


1.00 First official release of this guide


Table of Contents

1. Business Scenario
2. Background Information
3. Prerequisites
4. Step-by-Step Procedure
4.1 Create a Configuration Policy (Passcode)
4.2 Create a Configuration Policy (Restriction)
4.3 Create a Configuration Policy (NitroDesk)
4.4 Link Configuration Policy to a Group
4.5 Install Nitrodesk Email Client
4.6 Apply Policies
5. Summary

1. Business Scenario

This document provides an overview of the steps to follow to create configuration policies for Android devices on SAP Afaria. Configuration policies usually map to mobile security policies within an organization, allowing administrators to ensure that both corporate-owned and personal devices accessing company resources such as e-mail, Wi-Fi, and documents are protected by an approved set of security policies on the device.

2. Background Information

This H2G describes the steps one would need to follow in order to create a configuration policy for Android devices. The configuration policies created in this guide are only intended as an instruction on how to implement a configuration policy and to demonstrate some of the capabilities across different device manufacturers. It is not intended to serve as a best practice document for what to implement in a configuration policy.

3. Prerequisites

The following prerequisites must be met in order for you to complete the business scenario in this H2G:

• Installed Afaria 7.0 SP3 or later
• Access to the SAP Afaria Administrator
• A test iOS device with the SAP Afaria client installed and enrolled on Afaria. Note that for this guide we will be focusing on generic iOS device configuration.
• Optional: Nitrodesk Touchdown Email client on your device.

4. Step-by-Step Procedure

This H2G provides a basic procedure to follow for creating Configuration Policies for iOS. Configuration Policies are the policies created for applying uniform configuration to devices based on the groups to which they belong.

Configuration policies collect inventory and set device settings without engaging users. Inventory is collected for hardware, software, or both. Configuration policy settings vary by device type, but may include settings such as for passwords, Wi-Fi, roaming, and VPN.

For many settings, the policy determines the items that are visible on the device user interface. For some devices, such as some Samsung and Motorola Android models, the policy can set items that are available only through manufacturer APIs, and are not visible in the user interface.

For many of the Android and Windows Mobile configuration policy attributes, setting the attribute requires selecting a check box to enable the setting, then setting or selecting a value. To change settings for most attributes listed on configuration policy pages, such as the Schedule page for an Android configuration policy or the Connection > Ports page for a Windows Mobile Professional policy, select a check box, then set a value:

• Check box – select the check box to include the setting in the policy.
• Value – set the value for the setting by using the appropriate controls, such as typing in a text field, selecting a list value, or other as available on the user interface. For example, on the Android configuration policy Schedule page, select a check box to include the schedule setting, and then select a time from the list to set the schedule time. To stop setting a value, clear the check box.

Afaria configuration policy MDM payload data allows you to manage device settings for items such as Wi-Fi, passwords, and e-mail applications.

Policy definitions are compliant with the Apple iPhone Configuration Utility (iPCU) version 3.6 definitions. Refer to Apple resources for detailed guidance; for example iPCU help and Apple support resources for enterprise device management.

MDM policies can include these payload types:

• Advanced – changes the device Access Point Name (APN) and cell network proxy settings. These settings define how the device connects to the carrier's network. Change these settings only as directed by the carrier.
• Calendar – configures a connection to a calendar server. The account is added to the device and the user is prompted for any information that is required but not defined by the policy.
• Contacts – configures a connection to a contact list.
• Credential – adds certificates and identities to the device. Certificate files must be accessible from the machine running Afaria Administrator. When installing credentials on a device, install all the intermediate certificates that link to a trusted certificate.
• Mail – configures POP or IMAP e-mail accounts. To add a Microsoft Exchange account, use an Exchange ActiveSync policy.
• Exchange ActiveSync – configures an Exchange ActiveSync account with a Microsoft Exchange server. You can create a policy for users by specifying the user name, host name, and e-mail address, or only the host name; users provide other values when they install the policy. Consider these items about user accounts:
   a. If you specify the name, host name, and SSL settings in the policy, the user cannot change these settings on the device.
   b. The password data element cannot contain a percent (%) character.
   c. Accounts that you add to a device by installing a policy can be deleted only by removing the policy from the device.
• Generic – lets you select from any imported payloads created in any version of the iPhone Configuration Utility.
• LDAP – configures a connection to an LDAP server. You can specify multiple search bases for each directory and configure multiple connections.
• Passcode – defines passcode requirements, frequency of change, and other characteristics. When the configuration policy loads, the user must enter a passcode that satisfies the policy.
• Provisioning File – adds a provisioning file (.mobileprovision) to the device, which has a role in managing enterprise-signed applications.
• Restriction – defines restrictions for user access to certain features, such as device functionality, applications, Siri, operations on iCloud, security, and content ratings. For iOS 3.x devices, restricting Safari prevents the device from processing further Afaria configuration policies. If your requirements dictate restricting Safari, consider applying the policy as the last of all Afaria policies. To recover the device from the restriction, the user can click Settings > General > Reset > Reset All Settings.
• SCEP – configures settings that allow the device to obtain certificates over the air from a certificate authority (CA) server that is using SCEP (Simple Certificate Enrollment Protocol). Embedded SCEP requests or SCEP requests that are added in Wi-Fi or VPN policies do not appear in the SCEP policy list; they are accessible only through their containing policy. This does not apply in Afaria except in the cases of mobile configuration files imported into Generic policies.
• Setting – configures voice and data roaming.
• Subscribed Calendar – adds read-only calendar subscriptions to the device Calendar application.
• VPN – configures VPN networks. There are several supported VPN protocols and methods of authentication. Depending on the configuration settings you select, the options in the editor vary.
• Web Clip – adds Web clips to the device home screen. Web clips provide fast access to favorite Web pages. The URL must begin with http:// or https://.
• WiFi – configures Wi-Fi networks. Consider these items:
   a. Password for WEP or WPA security authentication – if you do not specify a password in the policy, the user is prompted to enter one when connecting to the network.
   b. Enterprise security types – expose additional settings for protocols, authentication, and trust.
   c. Wi-Fi policies can configure and save a network definition on a device only when the device is detecting the network when it attempts configuration.

iOS NitroDesk TouchDown Configuration - NitroDesk TouchDown for iOS provides access to Exchange e-mail messages, contacts, and calendars using ActiveSync technology. You can install TouchDown either directly on the device, or use an Afaria application policy to push the TouchDown application to the device.

4.1 Create a Configuration Policy (Passcode)

We are going to put a basic security policy in place with an enforced numeric passcode, setting the limit to 5.

1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
   a. Policy: iOS Passcode Lock
   b. Note: Simple Lock Policy for iOS
   c. State: Published
   d. Type: Configuration
   e. OS: iOS
   f. Priority: 50

Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.

3. Click MDM Payload in the left menu.
4. Click Passcode.
5. Click Add (see above screen)
6. Configure the following properties:
   a. Click Enabled
   b. Enable Allow simple value
   c. Set Minimum passcode length to 5
7. Click Save (see screenshot below)


4.2 Create a Configuration Policy (Restriction)

We are going to create a restriction policy to disable certain functionality on the device.

1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
   a. Policy: iOS Restrictions Policy for Employees
   b. Note: Restrict use of Safari and Camera
   c. State: Published
   d. Type: Configuration
   e. OS: iOS
   f. Priority: 10

Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.

3. Click Restrictions from left menu bar and click Add (see screenshot on next page)
4. Review the list of Restrictions available under the different categories.
5. Under Device functionality, disable (uncheck) Allow use of camera (see screenshot on the next page)
6. Under Applications, disable (uncheck) Safari (see screenshot on next page)
7. Click Save (see screenshot on next page)
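The guide states that policy definitions follow the iPCU definitions and that Generic policies import iPCU payloads, so a profile can be checked against the settings of sections 4.1 and 4.2 before it is imported and linked to a group. The following is an added example, not code from the guide or from Afaria: the payload types and keys are Apple's configuration profile keys, the mapping of the Afaria UI fields to those keys is an assumption, and the identifiers and sample profiles are constructed.

```python
import plistlib
import uuid

# Apple configuration-profile payload types (the .mobileconfig format iPCU writes).
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"

# Value the device falls back to when a key is absent from its payload.
DEFAULTS = {"minLength": 0, "allowCamera": True, "allowSafari": True}

# (payload type, key, test, requirement) for the settings of sections 4.1 and 4.2.
# Mapping the Afaria UI fields to these Apple keys is an assumption of this example.
RULES = [
    (PASSCODE, "minLength", lambda v: isinstance(v, int) and v >= 5,
     "minimum passcode length of at least 5"),
    (RESTRICTIONS, "allowCamera", lambda v: v is False, "camera disabled"),
    (RESTRICTIONS, "allowSafari", lambda v: v is False, "Safari disabled"),
]


def build_profile(passcode=None, restrictions=None):
    """Return .mobileconfig bytes containing the given payload settings."""
    content = []
    for ptype, settings in ((PASSCODE, passcode), (RESTRICTIONS, restrictions)):
        if settings is None:
            continue
        content.append({
            "PayloadType": ptype,
            "PayloadVersion": 1,
            # Constructed identifier, not one Afaria generates.
            "PayloadIdentifier": "com.example.afaria-guide." + ptype.split(".")[-1],
            "PayloadUUID": str(uuid.uuid4()).upper(),
            **settings,
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.afaria-guide",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Guide baseline (constructed sample)",
        "PayloadContent": content,
    })


def audit_profile(data):
    """Return the deviations from RULES; an empty list means the profile complies."""
    profile = plistlib.loads(data)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        merged.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for ptype, key, ok, requirement in RULES:
        if ptype not in merged:
            findings.append(f"{ptype}: payload missing ({requirement} not enforced)")
            continue
        # An omitted key is not neutral: the device applies its default.
        value = merged[ptype].get(key, DEFAULTS[key])
        if not ok(value):
            findings.append(f"{ptype}: {key}={value!r}, expected {requirement}")
    return findings


# Constructed sample matching sections 4.1 and 4.2.
GUIDE_PROFILE = build_profile(
    passcode={"allowSimple": True, "minLength": 5},
    restrictions={"allowCamera": False, "allowSafari": False},
)
# Constructed drift: shorter passcode, and the Safari key left out entirely.
DRIFTED_PROFILE = build_profile(
    passcode={"allowSimple": True, "minLength": 4},
    restrictions={"allowCamera": False},
)

if __name__ == "__main__":
    for name, data in (("guide", GUIDE_PROFILE), ("drifted", DRIFTED_PROFILE)):
        print(name, audit_profile(data) or "compliant")
```

The drifted sample shows the case that is easy to miss in review: a restriction key that is simply absent leaves the feature allowed.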


4.3 Create a Configuration Policy (NitroDesk)

We are going to create an e-mail policy for the NitroDesk app for iOS.

1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
   a. Policy: iOS NitroDesk E-mail Configuration
   b. Note: Corporate E-mail policy
   c. State: Published
   d. Type: Configuration
   e. OS: iOS
   f. Priority: 1

Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.

3. Select Nitrodesk
4. Under Nitrodesk, select Account Configuration and click Add
5. In this example, we are connecting to Microsoft 365 Hosted Email (Outlook 2010). Use substitution variables to fill the fields:

   Account License Key: 1234
   User ID: student##
   Password: Welcome1
   Email address: %S.ExchangeUser%@yourdomain.onmicrosoft.com
   Domain: yourdomain.onmicrosoft.com
   Exchange server: m.outlook.com
   Use SSL: No

   For exercise purposes, we will input sample user account information; however, in a production environment, you would utilize substitution variables as shown below in the example and screenshot.

   User ID: %S.ExchangeUser%
   Password: %S.ExchangePassword%
   Email address: %S.ExchangeUser%@yourdomain.onmicrosoft.com
   Domain: %S.ExchangeDomain%

6. Review the details under EAS overrides, User settings, Email options, Calendar options.
7. Click Save to commit your new Configuration Policy.

4.4 Link Configuration Policy to a Group

We need to link our Configuration Policy to a group.

1. On Policy list, select your iOS Default Policy (the configuration policy you created in the previous step); you can filter by clicking Type drop-down and selecting Configuration
2. Click the Link icon on the left menu bar.
3. In the right hand Groups window, select the iOSStatic group
4. Click the Link toolbar button.

You are now ready to apply the iOS Configuration policies to iOS devices. Go to Groups.

1. Select iOSStatic group
2. Click Apply Policy

4.5 Install Nitrodesk Email Client

1. On your device, install the standard Nitrodesk client from the Play Store. Look for “Touchdown for Smartphones”

4.6 Apply Policies

If you have already enrolled your device, you can simply connect to the server by opening the Afaria client and connecting; the latest policies will be applied.

1. Open the Afaria Client, select menu, Connect

Alternatively, if you are already enrolled, you could apply the policies for your device from the Afaria Administrator.

2. In Afaria administrator, click Devices, locate your device.
3. Select your device and click the Apply Policies button on the toolbar.
4. A notification will be sent to the device to tell the Afaria client to connect.

Regardless of the method you selected to apply the policies on the device, within a minute or two, you should see the results; you will be prompted to set a device passcode/pin.

Afaria will configure your Nitrodesk client. If you selected Auto Start for Nitrodesk, the Nitrodesk client will open automatically; follow the prompts to complete the configuration.

Note
If you cancel the prompt to set up a device PIN, Afaria will leave a message in the notification bar; clicking this link will take you back to the PIN configuration screen for your device.

5. After a minute or two, open the device’s camera app; you should see a message as shown.

5. Summary

By the end of this guide you should now be equipped to create and explore configuration policies for an Android device on Afaria.


www.sap.com/contactsap

http://scn.sap.com/community/mobile

http://developers.sap.com/mobile

SAP Mobile Platform How-To Guides