Mobile Secure Cloud Edition Document Version: 2.0-2014-07-07
Table of Contents 1 Important Disclaimers on Legal Aspects....3 2 Introduction....4 3 Application Catalog....5 3.1 Application Catalog Icons....5 3.2 Adding Applications....6 3.3 Uploading Signed Applications....6 3.4 Deleting Applications....6 4 Mobile Application Protection....7 4.1 Protecting Applications....8 4.2 Protecting Applications with Policy Templates....8 4.3 Policy Settings.... 9 4.3.1 Templates Settings....9 4.3.2 Access Settings.... 9 4.3.3 Invalid Login Handling Settings....13 4.3.4 EULA Settings....14 4.3.5 Location Settings....14 4.3.6 Firewall Settings.... 15 4.3.7 Miscellaneous Settings....16 4.3.8 Secure Browser Settings.... 17 5 Publishing Applications....19 5.1 Publishing Applications to Android Devices.... 19 5.2 Publishing Applications to ios Devices.... 20 2 2014 SAP AG or an SAP affiliate company. All rights reserved. Table of Contents
1 Important Disclaimers on Legal Aspects This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http://help.sap.com/disclaimer Important Disclaimers on Legal Aspects 2014 SAP AG or an SAP affiliate company. All rights reserved. 3
2 Introduction SAP Mobile Secure cloud edition provides an interface that allows you to easily upload, protect, and deploy applications to managed devices. Wrapping applications in a security policy allows you to implement application security without accessing the application source code. Security policies can help control how applications access enterprise networks, determine how devices handle confidential data, and restrict the locations in which users can use applications. Security policies can also determine how devices respond to unsuccessful attempts to access protected applications. You can save security policies as templates, enabling the rapid deployment of enterprise applications to devices. 4 2014 SAP AG or an SAP affiliate company. All rights reserved. Introduction
3 Application Catalog The application catalog in the SAP Mobile Secure cloud edition contains the applications that are available to device users. The application catalog is found on the App Protection tab. Administrators can add, manage, and deploy applications in the application catalog. 3.1 Application Catalog Icons The application catalog uses icons to illustrate the key characteristics of applications. Icon Application runs on Android devices Application runs on ios devices Application is not wrapped Application is wrapped Application is wrapped with a federated template Application is a secure browser Application is wrapped with a template that has been updated and applied to another application Application is published Application needs to be republished Multiple versions of the application in the Application Catalog Application Catalog 2014 SAP AG or an SAP affiliate company. All rights reserved. 5
3.2 Adding Applications You can upload a new application or a new version of an existing application to the Application Catalog. Procedure 1. On the App Protection tab, click Upload New Application. 2. Click Browse. 3. Navigate to the IPA or APK file and click Open. 4. Click Upload. 3.3 Uploading Signed Applications After you wrap an ios application, you can download the application, sign the application, and then add it to the application catalog. Procedure 1. On the App Protection tab, click the application. 2. Click Download to save the application to your computer. 3. Sign the application. 4. Click Upload Signed App to add the signed application to the application catalog. 3.4 Deleting Applications You can remove applications from the application catalog. You cannot delete built-in applications. Procedure 1. On the App Protection tab, click the application. 2. Click Delete. 3. To confirm the deletion, click OK. 6 2014 SAP AG or an SAP affiliate company. All rights reserved. Application Catalog
4 Mobile Application Protection Mocana Mobile Application Protection wraps applications, after development, with security and usage policies to protect corporate data, limit usage, and control access. Mobile Application Protection divides policies into specific functional areas. Administrators can combine multiple functional areas into individual policies. When mobile device users install a wrapped application over an unwrapped application, they might need to uninstall the original, unwrapped application. Uninstalling an application might delete application data from devices. To let users keep a wrapped and an unwrapped version of an Android application on their devices, you must change the application s package name before wrapping. See developer.android.com for more information about Android package names. The Download button is available when an administrator wraps an application. The Reset Passphrase button is available when an administrator enables the Application Lockout feature at any point during an application life Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 7
cycle. For example, if a subsequent version of an application is wrapped, but the Application Lockout policy has been changed to disabled, the Reset Passphrase button remains as enabled, to support users who have a previous version installed. Administrators cannot upload itunes apps to the MAP server. For ios, MAP works with applications for distribution within an organization; that is, those written in-house or specifically for the organization. 4.1 Protecting Applications You can create custom policy settings to protect applications. Procedure 1. On the App Protection tab, click an application. 2. On the Template page, specify policy information. 3. On the Access page, specify the application security information. 4. On the Invalid Login Handling page, specify how the application responds when users enter incorrect credentials. 5. On the EULA page, specify the agreement that users must accept to use the application. 6. On the Location page, specify location-based restrictions for the application. 7. On the Firewall page, specify the firewall settings for the application. 8. On the Miscellaneous page, specify settings for application expiry, email enforcement, and additional security. 9. On the Secure Browser page, specify the settings for secure-browsing applications. 10. Click Apply Policy. 4.2 Protecting Applications with Policy Templates You can use the policy settings from an existing template to protect applications. The latest version of the template is used, even if a previous version of the application uses a different version of the template. Procedure 1. On the App Protection tab, click an application. 2. Click Load Template. 3. Click the template. 4. Click Apply Policy. 8 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
4.3 Policy Settings Security policies include settings that you can configure to regulate the use of applications. 4.3.1 Templates Settings The Template settings allow you to save policy settings and apply them to multiple applications. Setting Template name Maximum length of 64 characters Template version Number of revisions made to the template Template description of the template Overlay icon Icon that appears with the application icon when the template wraps the application A padlock icon is the default icon Supports PNG files Application federation Collection of trusted applications that can share data and policy settings To add an application to an application federation, wrap the application with a federated template 4.3.2 Access Settings The Access settings allow you to configure how applications authenticate users. Setting Per application VPN Application establishes a VPN connection Only applications wrapped with the template have access to the VPN connection Devices can prompt users for a VPN password or a certificate passphrase Passphrase Application requires that users enter a passphrase before the application opens Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 9
4.3.2.1 Per Application VPN The Per Application VPN settings allow you to configure authentication using VPN credentials and the connection that applications make to VPN servers. Applications can establish a VPN connection for HTTP and HTTPS traffic. Applications check the VPN credentials of users before opening and connecting to the VPN server. If the user name or password changes on the VPN server, users must use the original credentials to open the application, then update the credentials on the VPN Settings page before connecting. For Android devices, if a user switches applications, the device keeps the VPN connection open while the application that initiated the VPN connection is running in the background. For ios devices, if a user switches applications, the device closes the VPN connection closes and suspends the application that initiated the VPN connection. If the user returns to the application before the VPN expiration timeout elapses, the application reconnects to the VPN server automatically. Users can open the application if it cannot connect to the VPN server if the application has established the connection to the VPN server at least once before, but the application blocks traffic that would go over the VPN connection. The Per Application VPN policy cannot be used with the Require Passphrase policy. Setting Allow override Whether users can select a VPN server that is different from the VPN server defined in the policy Server label Name of the VPN server Server address IP address of the VPN server Add Another Server Click to another VPN server Suite B Whether the application supports Suite B encryption and what level of encryption the application supports Allow Override allows users to prevent the use of Suite B encryption Authentication method The authentication method that the VPN server uses: Pre-shared key Digital certificate (see Digital Certificate Settings topic for more information) Application login Whether users must authenticate to use the application The credentials required for authentication IKE identity type The type of identifier for the Internet Key Exchange IKE identity value The identifier value for the Internet Key Exchange IKE version The version of the Internet Key Exchange 10 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
Setting IKE phase 1 The mode of the Internet Key Exchange phase 1 Main mode protects the identities of the VPN server and the VPN client Aggressive mode does not protect the identities of the VPN server and VPN client DH group The Diffie-Hellman group Determines the strength of the key Perfect forward secrecy (PFS) Whether the VPN server uses perfect forward secrecy to protect session keys Allow override allows users to prevent the use of perfect forward secrecy VPN expiration timeout The length of time for which the VPN connection remains inactive before prompting users for authentication On Android devices, the VPN connection remains open until the timeout elapses On ios devices, the VPN connection closes but reconnects automatically until the timeout elapses 4.3.2.1.1 Digital Certificate Settings Setting Server's CA certificate The certificate for the certificate authority OCSP server URL Internet The Internet URL to the Online Certificate Status Protocol (OCSP) server that determines the status of the certificate OCSP server URL Intranet The intranet URL to the Online Certificate Status Protocol (OCSP) server that determines the status of the certificate Check VPN gateway hostname and IP address Whether the VPN gateway host name and IP address are checked against the certificate Wipe app data if user's certificate is revoked on OCSP server Whether the application wipes user data if the certificate has a revoked status Extended user authentication Whether devices prompt users for user names and passphrases before connecting to the VPN server Simple Certificate Enrollment Protocol (SCEP) Whether devices submit SCEP requests for certificates to use with the VPN server Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 11
Setting SCEP Base DN The distinguished name of the SCEP server SCEP Subject Common Name Identity Type The type of information that the certificate uses as a common name SCEP CA certificate Browse to and select the CA certificate for the SCEP server PEM format is recommended SCEP RA certificate Browse to and select the RA certificate for the SCEP server Only required if you use a Registration Authority SCEP URL The URL of the SCEP server SCEP Key type The RSA key type that the SCEP server uses for encryption SCEP client certificate expiration warning The number of days before expiry that devices prompt users to renew certificates 4.3.2.2 Passphrase Settings The Passphrase settings allow you to configure authentication using a passphrase. Applications do not start until users enter the correct passphrase. If the application belongs to an application federation, the passphrase unlocks the other applications in the application federation. If the application restarts on is inactive in the background until passphrase expiration timeout elapses, users must enter the passphrase again. The Passphrase policy cannot be used with the Per Application VPN policy. Setting Minimum password length The minimum number of characters required for a user passphrase Passphrase expiration timeout The length of time, in minutes, that the application can stay inactive in the background before the policy prompts again for the passphrase Passphrase must contain at least one of each character type The criteria that passphrases must match to be valid Passphrase history Whether users are allowed to reuse passphrases Maximum age rule How ofter users must change their passphrases 12 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
Setting Start reminding user to change his/her passphrase When devices remind users to changes their passphrases 4.3.3 Invalid Login Handling Settings The invalid login handling settings allow you to configure how applications respond when users fail authentication. The Invalid Login Handling policy requires the Per Application VPN or Passphrase policy. Setting Invalid login handing Whether to activate invalid login handling Failed login attempts The number of invalid login attempts before the invalid login handling feature is triggered Lock user out of the app Whether the application locks after invalid login attempts Users cannot access a locked application until a helpdesk representative generates an unlock key for the application and sends it to the device Wipe app data Whether the device performs a selective wipe after invalid login attempts With a selective wipe, you can delete MAP-protected data without physical access to devices Wiping data is permanent you cannot undo a wipe or restore data lost in a wipe Lockout message The message that appears on devices that lock after invalid login attempts Helpdesk phone number The phone number that appears on devices that lock after invalid login attempts Helpdesk email address The email address to which devices send lockout recovery requests when devices lock after invalid login attempts Subject line The subject line of the lockout recovery email message that devices send to the helpdesk email address when devices lock after invalid login attempts Email body text The body text of the lockout recovery email message that devices send to the helpdesk email address when devices lock after invalid login attempts Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 13
4.3.4 EULA Settings The end user licensing agreements settings (EULA) let you configure the agreement that users must accept before using the application. The EULA policy requires the Per Application VPN or Passphrase policy. Setting User agreement Whether devices display the user agreement when users start the application for the first time Frequency How often devices display after users initially accept the user agreement User agreement title The title of the user agreement User agreement text Browse to and select the TXT file that contains the text of the user agreement Users must read, scroll to the bottom of, and accept the user agreement before they can use the application Preview A preview of the user agreement 4.3.5 Location Settings The location settings allow you to limit application use to specific regions and to mask the location data that devices report to applications. Setting Geo-fencing Whether the use of the application is restricted to a specific area The application does not start if the device is outside of the area The application will stop working temporarily if the device moves outside of the area, but will resume if the device moves back into the area You can enter coordinates or use a map to define the location data Top left coordinate The coordinate that defines the top-left corner of the area Bottom right coordinate The coordinate that defines the bottom-right corner of the area 14 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
Setting Location accuracy The location accuracy that the application requires to apply the geo-fencing restrictions Location data includes accuracy values The accuracy value and the location data define circles (with the accuracy value as the radius) that represents users' locations If the location circle overlaps the defined region, the geo-fencing policy applies Accuracy values: Fine: 10 meters High: 100 meters Medium: 1000 meters Low: 3000 meters Location masking Whether devices mask location data when reporting it to the application Obfuscation mode How devices mask location data Random location reports random location data Fixed point reports specific location data Fixed point location The specific location that devices report when using fixed point as the obfuscation mode You can enter coordinates or use a map to define the location data 4.3.6 Firewall Settings The firewall settings allow you to block several types of potentially insecure network traffic to the application. Setting Smart firewall Whether the smart firewall is active Block all non-dns UDP traffic Whether the application blocks all non-dns UDP traffic Can help prevent a covert channel from transmitting data from the application Block all non-ssl TCP traffic Whether the application blocks all non-ssl TCP traffic Can help prevent the application from transmitting data using non-secure protocols Only trust the following SSL certificates Whether the applications trusts the listed SSL certificates only Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 15
Setting Certificates files Trusted SSL certificates 4.3.7 Miscellaneous Settings The miscellaneous settings allow you to configure security settings for the application. Setting App expiration Whether to restrict the availability of the application by date Requires the Per Application VPN or Require Passphrase policy Start date The date on which the application becomes available End date The date on which the application stops being available Copy-paste protection Whether users can copy data from the application and paste the data into other applications ios devices Devices maintain a separate clipboard for the application Users cannot copy data from this clipboard and paste it into other applications Users cannot copy data from the system clipboard and paste it into the application Android devices Devices encrypt data from the application on the clipboard If users copy data from the protected application to another application, the data remains encrypted and unusable If the protected application closes, the data on the clipboard remains encrypted FIPS 140-2 module Whether the application uses the FIPS 140-2 cryptographic module to validate cryptographic algorithms The FIPS 140-2 cryptographic module performs a self check when the application starts The self check might cause a delay when the application starts If the self check fails, the application will not start To apply the FIPS 140-2 module, you must enable one of the following policies: 16 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
Setting Per-Application VPN Passphrase Copy-Paste Protection Jailbreak/rooting detection Whether the application can start if the device is jailbroken or rooted Encrypted data at rest Whether the application encrypts data before saving it to the device Requires the Per Application VPN or Require Passphrase policy Encrypted data is lost if users uninstall the application or install an unprotected version of the application Email enforcement Whether to restrict the email functionality of the application Email enforcement response How the application restricts email functionality: Allow the use of secure email applications only Allow the use of all email applications, but warn users first Block email messages Warning statement The text that the application uses as a warning message for email enforcement 4.3.8 Secure Browser Settings The secure browser settings allow you to configure the Mocana secure browser. The secure browser is an application that establishes a VPN connection using SSL to browse Web sites that you allow. Setting Browser title The name of the secure browser in the Launcher view on devices Theme color The color of the toolbars in the secure browser Allow invalid certificates Whether the secure browser accepts self-signed certificates Show navigation bar Whether the secure browser displays the navigation bar that includes the URL and search Allow search Whether the search function is available in the navigation bar Mobile Application Protection 2014 SAP AG or an SAP affiliate company. All rights reserved. 17
Setting Allow URL entry Whether users can edit the URL in the navigation bar Show toolbar Whether the secure browser displays the toolbar Allow history Whether users can view the secure browser history and navigate to previously visited pages Allow bookmark Whether users can create and use bookmarks On ios devices, users can create bookmarks that appear in Safari and the Launcher view on devices Allow email Whether users can share Web sites using email Allow printing Whether users can print the contents of Web sites Default sites Web sites that devices include as bookmarks automatically 18 2014 SAP AG or an SAP affiliate company. All rights reserved. Mobile Application Protection
5 Publishing Applications After an application is wrapped, it must be deployed to mobile devices for the policies to take effect. You can publish applications in a number of ways, including through third-party MDM and enterprise app store vendors. For customers who leverage SAP Mobile Secure cloud edition, there is built-in integration for application distribution. Once an application is wrapped, administrators can follow a simple workflow to queue the application for distribution to the desired client groups. Wrapping is not a prerequisite for using the integrated deployment mechanism. For Android applications, once they are loaded into the catalog, they can be deployed. For ios devices, the application must be wrapped with either a personal or an enterprise distribution certificate when uploaded before administrators can deploy it. Optionally, administrators can add an application to a category to make the application available to devices in the SAP Afaria client. 5.1 Publishing Applications to Android Devices You can publish a wrapped application to Android devices. Procedure 1. On the App Protection tab, click the application. 2. Click Publish. 3. On the Application Information page, perform the following tasks: a) In the Display name field, type a name for the application that appears on devices. b) In the field, type a description for the application that appears in the application catalog on devices. c) Select whether the application is required. For some Android devices, the application installs automatically. d) Click Next. 4. On the Distribution Groups page, select the group that can access the application. 5. Click Next. 6. On the Application Configuration page, define the information that SAP Mobile Secure cloud edition passes to the application. Developers can compile libraries into applications that allow the applications to communicate with SAP Mobile Secure cloud edition using the SAP Afaria client. 7. Click Next. 8. To publish a required application immediately, select Distribute the application immediately to the device where supported. 9. Review the deployment settings and click Finish. Publishing Applications 2014 SAP AG or an SAP affiliate company. All rights reserved. 19
5.2 Publishing Applications to ios Devices You can publish a wrapped application to ios devices. Procedure 1. On the App Protection page, click the application. 2. Click Publish. 3. Click Next. 4. On the Sign Application - Specify Signing Information page, specify the information that you use to sign applications. 5. Click Sign. 6. On the Application Information page, perform the following tasks: a) In the Display name field, type a name for the application that appears on devices. b) In the field, type a description for the application that appears in the application catalog on devices. c) Select whether the application is a featured application. Featured applications appear on the home page of the SAP Afaria client. d) Select whether the application is required. If the application is managed, devices prompt users to install the application when policies are applied to the device. If the application is not managed, devices prompt users to install the application when the SAP Afaria client starts. 7. On the Distribution Groups page, select the group that can access the application. 8. Click Next. 9. On the Application Configuration page, define the information that SAP Mobile Secure cloud edition passes to the application. Developers can compile libraries into applications that allow the applications to communicate with SAP Mobile Secure cloud edition using the SAP Afaria client. 10. To publish a required application immediately, select Distribute the application immediately to the device where supported. 11. Review the deployment settings and click Finish. 20 2014 SAP AG or an SAP affiliate company. All rights reserved. Publishing Applications
Important Disclaimers on Legal Aspects This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http:// help.sap.com/disclaimer. Important Disclaimers on Legal Aspects 2014 SAP AG or an SAP affiliate company. All rights reserved. 21
www.sap.com/contactsap 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/ index.epx for additional trademark information and notices.