SAS Mobile BI Security and the Mobile Device
Version 1.0
April 24, 2015
Contents

Introduction
Security Features Provided by SAS Mobile BI and SAS Visual Analytics
  Introduction
  Lock the SAS Mobile BI App with a Passcode
    What Is It?
    The Lock Out and the Wipe Out
    How to Engage the Passcode Feature
  Use Whitelists and Blacklists to Enable or Prevent Access
    What Is It?
    How to Engage the Whitelist or Blacklist Features
  Keep Report Data Remote to Prevent Offline Access
    What Is It?
    How Does Remote Data Work?
    How to Engage the Remote Report Data Feature
  Use a Time-out Setting to Prevent Access
    What Is It?
    How to Engage the Offline Access Time-Out Feature
  Encrypt Reports and Data
    What Is It?
    iOS Encryption
    Android Encryption
Explore More Security Options
References
Introduction

Viewing your organization's reports on a mobile device can be extremely powerful as well as convenient. However, mobile devices come with security concerns. By using features provided by SAS Mobile BI and SAS Visual Analytics, as well as features supplied by the mobile device, your organization can secure its reports and data and confidently use mobile devices.
Security Features Provided by SAS Mobile BI and SAS Visual Analytics

Introduction

To secure reports and data that you view on your mobile devices, you can implement the following features:

- Passcode: Use an app passcode to lock the SAS Mobile BI app.
- Whitelists and blacklists: Add your device to a list to enable or prevent access.
- Remote data: Prevent offline viewing of reports by requiring a network connection to access remote data.
- Time-out: Limit offline access by enforcing a time limit.
- Report encryption: Encrypt data that is stored on the device.

Lock the SAS Mobile BI App with a Passcode

What Is It?

The passcode feature locks the SAS Mobile BI app. This feature is separate from and in addition to the passcode feature that is provided by mobile devices.

There are two types of app passcodes: required and optional.

- A required passcode is a passcode that is required by a server connection. When the app first connects to the affected server, the app requires that you create a passcode. Then, whenever you open the app or view a report that is associated with that server, you must enter the passcode.
- An optional passcode is a passcode that you can choose to use to lock the app. The passcode is not required to access a server connection. You can disable the passcode at any time. Note that the Android version of SAS Mobile BI does not support the optional passcode.

The Lock Out and the Wipe Out

Your passcode should be known only to you. If you lose your mobile device, no one else should be able to guess your passcode and use it to open the app.

If you (or another person) provide an incorrect passcode a specific number of times, the app locks itself for a length of time. You can enter your passcode again after the lock-out expires.

If, after the lock-out expires, you provide an incorrect passcode a specific number of times again, the app removes all SAS BI reports, data, and server connections from your device. The app is reset to its default settings.
If you forget your passcode, you must delete and reinstall the app on your device. Doing so deletes the reports and data.

How to Engage the Passcode Feature

Required passcodes are set by the SAS Visual Analytics administrator. Optional passcodes are set by the app user. For information about how to set an optional passcode, see the Help in the SAS Mobile BI app.
To set a required passcode, the SAS Visual Analytics administrator assigns users or groups to a role that has the Require Passcode on Mobile Devices capability.

To customize the lock-out and wipe-out behavior, the administrator uses the following Transport Service properties:

- viewerservices.passcode.timeout: Specifies, in minutes, how frequently a user must re-enter his or her passcode in SAS Mobile BI. The default is 15.
- viewerservices.passcode.attempts: Limits the number of sequential, failed attempts to enter a passcode for SAS Mobile BI. The default is 5. If a user reaches the limit, the user is locked out of the app for 15 minutes. After the lockout interval, the user can again attempt to enter his or her passcode. If the user reaches the limit again, all custom content (data, reports, settings, and connection information) is removed from the mobile device.

For more information about the capability and properties, see SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.

Use Whitelists and Blacklists to Enable or Prevent Access

What Is It?

The whitelist manages the devices that can use the SAS Mobile BI app. A device must be on the whitelist in order to use SAS Mobile BI. The whitelist affects devices, not users. If a device is lost, a SAS Visual Analytics administrator can remove the device from the whitelist and therefore prevent access to the reports and data.

The blacklist manages the devices that cannot use the SAS Mobile BI app. All devices can use SAS Mobile BI except those that are on the blacklist. The blacklist affects devices, not users. If a device is lost, a SAS Visual Analytics administrator can add the device to the blacklist and therefore prevent access to the reports and data.

The whitelist manages by inclusion and the blacklist manages by exclusion.

How to Engage the Whitelist or Blacklist Features

In SAS Visual Analytics, an administrator can manage mobile devices.
The administrator uses the mobile device ID to assign the device to the whitelist or blacklist. While an administrator can maintain both a whitelist and a blacklist, only one list can be enforced in a deployment at any time. The blacklist is the default.

To enforce the whitelist instead, open SAS Visual Analytics Administrator. Select Tools > Manage Devices. The Mobile Devices page opens. At the top of the page, in the Enforced list, select Whitelist.

To perform these tasks, the administrator must have the Manage Mobile Devices capability in addition to the Manage Environment capability.

For more information about managing mobile devices by using a blacklist or whitelist, see SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.
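Returning to the passcode lock-out and wipe-out sequence described earlier, the following model is an added example, not SAS code, that shows how many wrong guesses a device accepts before it removes its content. The class and function names are hypothetical, and the model assumes that guesses made during a lock-out are not evaluated and that a correct passcode clears the failure history; the document does not state either point.

```python
from dataclasses import dataclass

LOCKOUT_MINUTES = 15  # lock-out interval stated in the text


@dataclass
class PasscodeGate:
    """Hypothetical model of the app passcode; not SAS code."""
    passcode: str
    max_attempts: int = 5        # default of viewerservices.passcode.attempts
    failures: int = 0            # sequential failed attempts in the current round
    locked_until: float = 0.0    # minutes; locked while now < locked_until
    locked_once: bool = False    # the limit has already been reached once
    wiped: bool = False          # content removed and app reset to defaults

    def attempt(self, guess: str, now: float) -> str:
        """Evaluate one guess at time `now` (minutes): ok, denied, locked or wiped."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"              # assumption: not evaluated, not counted
        if guess == self.passcode:
            self.failures = 0
            self.locked_once = False     # assumption: success clears the history
            return "ok"
        self.failures += 1
        if self.failures < self.max_attempts:
            return "denied"
        self.failures = 0
        if self.locked_once:             # limit reached a second time
            self.wiped = True
            return "wiped"
        self.locked_once = True
        self.locked_until = now + LOCKOUT_MINUTES
        return "locked"


def guesses_before_wipe(max_attempts: int = 5) -> int:
    """Wrong guesses a device accepts before it removes its content."""
    gate = PasscodeGate("constructed-passcode", max_attempts)
    now, guesses = 0.0, 0
    while not gate.wiped:
        now = max(now, gate.locked_until)   # wait out any lock-out
        gate.attempt("wrong-guess", now)
        guesses += 1
    return guesses
```

In this model the number of guesses evaluated before the wipe-out is twice the configured attempt limit, which is the figure to weigh against the passcode length when choosing viewerservices.passcode.attempts.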
Keep Report Data Remote to Prevent Offline Access

What Is It?

When you subscribe to a report, it appears in the portfolio in SAS Mobile BI. However, depending on the security assigned to your user ID, the report data might not exist on your device. Report data can be local or remote:

- Local data is stored on your device.
- Remote data exists on your device only while the report is open and the device is connected to a Wi-Fi or cellular network. If a report uses remote data, the report thumbnail in the portfolio displays the cloud icon.

You might see this feature called tethering or live connection.

How Does Remote Data Work?

Each time you open a report with remote data, the app connects to the server. The Prepare Data notification is displayed while the data is downloaded. The report opens when the data is available on the device.

The data is available only while you view the report. After you close the report, the data is removed from the device. The thumbnail image on the report in the portfolio no longer appears. If you are not connected to a network and you try to open the report, it does not open.

How to Engage the Remote Report Data Feature

To prevent offline access to mobile data on a server, the SAS Visual Analytics administrator assigns users or groups to a role that has the Purge Mobile Report Data capability. This capability affects the user ID that you use to access the server, not the server or its data. When this capability is set and you access the server via SAS Mobile BI using that user ID, all reports on that server use the remote report data feature.

Use a Time-out Setting to Prevent Access

What Is It?

If a user has been offline for a specified number of days, he or she must sign in to the SAS Mobile BI app. For example, if the user attempts to browse reports in the library or open a report in the report viewer, the app requires that the user enter the password for the affected server connection.
If the user fails to sign in, then the app no longer downloads reports, updates subscribed reports, or opens reports for viewing.

This feature is not only useful when the device is missing. It also provides security when the employee leaves the organization but keeps the device. The blacklist and whitelist features require that the device access the server before the list can look up the device to deny or permit access. The offline access timeout feature denies access by checking the employee's credentials, which the IT organization revokes when the employee leaves the organization.

How to Engage the Offline Access Time-Out Feature

To enforce a time limit for offline access, the SAS Visual Analytics administrator assigns users or groups to a role that has the Limit Duration of Offline Access capability.
To customize the time limit, the administrator uses the Transport Service viewerservices.offline.limit.days property. The default is 15 days.

For more information about the capability and property, see SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.

Encrypt Reports and Data

What Is It?

The operating system on the mobile device encrypts the content on the device. SAS Mobile BI reports and data are encrypted with the rest of the contents on the device.

iOS Encryption

The iOS operating system uses AES 256 encryption. For more information, see the iOS Security document available at: https://www.apple.com/business/docs/ios_security_guide.pdf.

Android Encryption

On Android devices, users can control whether their data is encrypted by using the device settings. The default encryption setting varies by manufacturer. On the Nexus 6 and Nexus 9 devices, encryption is enabled by default. On other Android devices that are supported by the SAS Mobile BI app, encryption is disabled by default. To enable the encryption, see the documentation for the device. The encryption used on Android devices is described in the article available at: https://source.android.com/devices/tech/security/encryption/.
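The features above interact: the device list is applied only when the device reaches the server, while remote data and the offline time limit act on the device itself. The following model is an added example, not SAS code, that compares how long a lost device that never reconnects can still open a report under each setting. All class and function names are hypothetical, the device ID is constructed, and the model assumes the limit takes effect once the days offline equal the configured value.

```python
from dataclasses import dataclass, field


@dataclass
class Deployment:                      # hypothetical model of server-side settings
    enforced_list: str = "blacklist"   # the blacklist is the default
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    offline_limit_days: int = 15       # default of viewerservices.offline.limit.days


@dataclass
class User:                            # capabilities granted through the user's role
    credentials_valid: bool = True
    purge_mobile_report_data: bool = False   # Purge Mobile Report Data
    limit_offline_access: bool = False       # Limit Duration of Offline Access


def device_permitted(dep: Deployment, device_id: str) -> bool:
    """Whitelist manages by inclusion, blacklist by exclusion."""
    if dep.enforced_list == "whitelist":
        return device_id in dep.whitelist
    return device_id not in dep.blacklist


def can_open_report(dep, user, device_id, online, days_offline):
    """Return (allowed, reason) for one attempt to open a subscribed report."""
    if online:
        if not device_permitted(dep, device_id):
            return False, "device is blocked by the enforced list"
        if not user.credentials_valid:
            return False, "sign-in failed"
        return True, "online"
    # Offline: the server cannot look the device up, so the list is not applied.
    if user.purge_mobile_report_data:
        return False, "remote data requires a network connection"
    if user.limit_offline_access and days_offline >= dep.offline_limit_days:
        return False, "offline limit reached, sign-in required"
    return True, "local data"


def offline_exposure_days(dep, user, device_id, horizon=365):
    """Days a never-reconnecting device can open a report (horizon = not cut off)."""
    for day in range(horizon):
        if not can_open_report(dep, user, device_id, False, day)[0]:
            return day
    return horizon
```

For a blacklisted device in this model, the exposure is the whole horizon with no capabilities set, 15 days with Limit Duration of Offline Access, and 0 days with Purge Mobile Report Data.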
Explore More Security Options

An organization and its IT department can require the use of the following technologies to increase mobile device security:

- Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. (SAS Mobile BI uses SSL to transfer data and reports.) Review the network configuration for your organization.
- Virtual Private Network (VPN) applications.
- Mobile Device Management (MDM) technology such as Good Technology and Mocana. See these companies' web sites for more information.
- Mobile devices that use fingerprint recognition (Touch ID) or other biometric technology. See the specifications for the mobile devices that your organization supports.
- Device passcodes. See the specifications for the mobile devices that your organization supports.
References

Park, Heesun Advanced Security Configuration Options for SAS 9.4 Web Applications and Mobile Devices. Proceedings of the SAS Global Forum 2014 Conference. Cary, NC: SAS Institute Inc. Available at:

Redpath, Christopher, and Meera Venkataramani Secure Your Analytical Insights on the Plane, in the Café and on the Train with SAS Mobile BI. Proceedings of the SAS Global Forum 2014 Conference. Cary, NC: SAS Institute Inc. Available at:

SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide, Second Edition. Available at:

SAS Mobile BI online Help. Available in the app.

SAS Visual Analytics: Administration Guide. Available at: A user name and password is required to access this document. Contact SAS Technical Support.
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.