feature scope description - sap · 1 introduction [[unresolved text-ref:...

PUBLICSAP Cloud Platform, Mobile Service for App and Device ManagementDocument Version: 1.0 – 2019-01-16

Feature Scope Description

© 2

019

SAP

SE o

r an

SAP affi

liate

com

pany

. All

right

s re

serv

ed.

THE BEST RUN

Content

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Feature Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

3 Feature List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63.1 Mobile Application Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63.2 End-User Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73.3 Mobile Device Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Application Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8Device Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Security Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Inventory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Device Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Remediation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.4 Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38Account Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Languages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.5 User Assistance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433.6 Browser Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

2 P U B L I CFeature Scope Description

Content

1 Introduction

[[unresolved text-ref: product-long-name-nonregistered]] is an enterprise mobile management (EMM) service that is provided through the SAP Cloud Platform.

This cloud-based system allows you to manage your mobile workforce without the complexity and expense of an on-premise installation. With this service, you can protect your corporate data by securing the apps that use this data and the devices on which they run.

To ensure that only authorized devices can access your network, configure the service to use your network servers such as your Exchange or Certificate Authority servers. To connect to these network resources, install and configure the Enterprise Connector.

This product includes the following components:

Component Description

The administration portal Allows administrators to perform tasks such as:

● Adding and managing in-house and commercial apps● Creating and managing users● Creating configuration polices for sending configuration settings to managed

devices

Mobile Place An end user portal for enrolling Android, iOS, and Windows Phone devices. It provides a single destination and an enhanced user experience for all your enterprise end users. Your end users can access Mobile Place to on-board, discover, and consume mobile services exposed by their enterprise.

The mobile service client A mobile app installed on mobile Android and iOS devices during enrollment into Mobile Device Management. The client connects with the mobile service to receive applications and device configuration pushed through application and configuration policies.

This feature scope description describes which features and documentation are available for [[unresolved text-ref: product-name-nonregistered]].

Feature Scope DescriptionIntroduction P U B L I C 3

2 Feature Summary

[[unresolved text-ref: product-long-name-nonregistered]] includes key features for managing apps and mobile devices.

Key Features

Feature Description

Mobile Application Management

● Distribute in-house and commercial applications to your users' devices. You can install apps directly on to managed devices or provide them as optional apps available through the mobile service client. Apps can also be distributed to Mobile Place.

● Manage apps through the Admin portal. You can add and deploy apps to Mobile Place. You can then trial these apps in a test environment and then either approve and publish the app or reject it.

● Third-party integration model

End-user Portal (Mobile Place)

● Manage user and language preferences● Manage your devices. Your users can enroll their devices into MDM through Mobile

Place. For each device, you can view the device information and, if the configuration policy is configured in Device Management console, the device location. Managed users can perform the security actions on devices such as locking and unlocking their device remotely.

Mobile Device Management ● Configure mobile device settings by creating configuration policies and apply to devices and groups. Configuration policies let you set device settings such as password settings, device restrictions, network settings (such as APN, Bluetooth, Wi-Fi, and VPN settings), and exchange settings

● Manage mobile devices such as editing device information or deleting the device. You can also view hardware and software inventory details for a device.

● Perform security actions on mobile devices such as locking and unlocking devices, wiping device data and settings, and removing MDM control

● Ensure policy compliance by preventing devices from connecting to MS Exchange if devices do not meet certain conditions. These include devices not on having the minimum required OS version, being jail-broken/rooted, and having outdated policies.

Mobile Identity Management Assign and manage certificates on mobile devices. You can assign certificates for devices, apps, or network access. You can revoke certificates or renew those set to expire.

Network Integration Integrate the mobile service to connect to your LDAP, Exchange, or Certificate Authority server. You can also configure APN, VPN, and Wi-Fi for devices


Feature Summary

Feature Description

Reporting View app and device reports such as:

● Devices by platform● Jailbreak status● Top 10 popular apps● Create custom reports using SAP Lumira

Administration ● Configure the [[unresolved text-ref: product-name-nonregistered]] admin portal and Mobile Place. You can set language preferences for the [[unresolved text-ref: product-name-nonregistered]] admin portal and Mobile Place. You can also set default account settings, authentication options, and EULA options for Mobile Place.

● Customize and localize the [[unresolved text-ref: product-name-nonregistered]] admin portal and Mobile Place by uploading resource files such as stylesheets, properties files, EULAs, shortcut icons, webclip images, logos and so on.

● Manage users through SAP Cloud Platform.

Feature Scope DescriptionFeature Summary P U B L I C 5

3 Feature List

SAP HCP, mobile service for app and device management includes the following features.

3.1 Mobile Application Management

SAP HCP, mobile service for app and device management allows you to manage the enterprise and commercial app store apps you can make available on Mobile Place for your end users.

● Mobile app containerization through a configuration profile● Can control data sharing between apps (for example, "open in")● Supports VPN tunneling on a per-app basis● Allow admin to wipe enterprise data only on the native e-mail app● Allow admin to only wipe corporate apps (at MDM level - not via wrapping or SDK)● Mobile app containerization through app wrapping / SDK● Can delete wrapped / SDK managed apps if device falls out of compliance● Lock access after x number of failed attempts● Time-based policies● Block access from jailbroken/rooted devices● Per-app jailbreak/root detection (detect jb/rooting when agent isn’t running)● Block copy/paste● Can apply appspecific VPN● Force log in after a set time● Can prevent app from using location services on the device● Can restrict app from composing an e-mail message in the native e-mail app● Can redirect application web traffic to a standard proxy or Mobile Access Gateway● Can wrapped apps be deployed, with policy, on devices that are not enrolled in MDM/have an MDM profile

present● Can assign apps to user accounts, user groups, and device groups● Supports certificates for SDK-managed apps● Secure PIM Features● Supports Office 365● Supports Lotus Notes● Can log into Secure PIM app using AD credentials● Can log into Secure PIM using PIN● Can log into Secure PIN using complex password● Supports 2-factor authentication (tokens)● Block access from jailbroken/rooted devices● Secure browser features


Feature List

● Can log on to browser app using AD credentials● Can log into Secure PIM using PIN● Can log into Secure PIN using complex password● Supports 2-factor authentication (tokens)● Can delete secure browser app if device falls out of compliance● Provides URL filtering● Encrypts browser cache● Can clear browser cache● Encrypts cookies● Encrypts browser history● Can clear browser history● Restricts copy/paste from browser to other apps● Can apply appspecific VPN for secure browser● Provides geofencing support

3.2 End-User Portal

● Allows enterprises to present a branded, localized experience to end users.● Offers enterprise apps and commercial apps through a single interface● Allows users to review and rate apps. Displays user ratings● Allows users to search for apps from the app catalog by providing an app name or words provided in the

app description.● Apple VPP support● Store can process payment for apps, or include a turnkey integration with payment processor (if so, which

payment processor do you integrate with (list in E42)● Allows admin to manage app access based on user role● Supports .appx packages (Windows)● App store can be accessed in the following ways:

○ Native app○ Web clip○ Custom URL in browser

Feature Scope DescriptionFeature List P U B L I C 7

3.3 Mobile Device Management

The mobile service provides support for many MDM features. You can configure Android, iOS, and Windows Phone devices by creating and applying a configuration policy to a device that has been enrolled into MDM. You can also perform security actions, such as Lock Device and Remote Wipe, on MDM-managed devices.

3.3.1 Application Configuration

The mobile service allows you to define commercial and enterprise application packages for devices using Application policies. The policies determine which applications are available for devices to browse and install.

Feature Description

Android Enterprise Applications Android enterprise application policies define which enterprise applications are available for devices to browse and install from the client app list.

Enterprise applications are produced by third-party entities. Application packages include:

● Identifying information for the application● (Application onboarding) File or data for application onboarding data provisioning

Android Market Applications Android Market application policies define which Google Play Android applications are available for users to browse and install using the Mobile Place application app list. In addition, Android for Work apps can be set to "Required," pushing them down to managed user devices upon connection.

Commercial and Google-hosted enterprise applications (also known as private apps) are delivered to devices using Google Play. There are three types of apps that can be made available using Google Play:

● Android "standard" apps● Android for Work apps● Google-hosted private apps (also called enterprise apps), which may be either

standard or Android for Work apps

While the first two app categories can be deployed using the mobile service, Google-hosted private apps can only be deployed using the Device Administration Console.

Application packages typically include:

● Identifying information for the application● File or data for application onboarding data provisioning

iOS App Store Apps iOS App Store application policies define which Apple App Store applications are available for install from the mobile service app list.

Commercial applications are delivered from the Apple App Store.

Application package content includes:


Feature List

Feature Description

● Identifying information for the application● (Optional) Information for Apple redemption codes● (Application onboarding) File or data for application onboarding data provisioning

iOS Enterprise Applications iOS enterprise application policies define which enterprise-signed applications are available for devices to install.

Enterprise-signed applications are produced by your developing entity and are delivered from the Package Server.

Application packages include:

● Identifying information for the application● MDM protocol, if defined● (Application onboarding) File or data for application onboarding data provisioning

Windows Phone App Store Applications

App Store application policies for Windows Phone define the Windows Store applications that appear on the mobile service app list, and are therefore available for installation.

Commercial applications are delivered from the Windows Phone commercial market. An application package includes information that identifies the application.

Windows Phone Enterprise Applications

Windows Phone enterprise application policies define the enterprise-signed applications that are available for devices to install.

Enterprise-signed applications are produced by third-parties. An application package includes information that identifies the application.

3.3.2 Device Configuration

The mobile service allows you to set the following settings for managed Android, iOS, and Windows Phone devices.


3.3.2.1 Android Devices

Android

Feature Description

Password Enforce password settings on mobile devices such as password format and length

Encryption Enable or disable encryption on the device's storage

Camera Enable or disable the camera on the device (Android 4.x and above devices)

Screenshots Allow or prevent users of Android 4.x and above devices from taking screen shots of the client. Allowing screen shots is a security risk because a screen shot could include sensitive corporate information.

Smart Lock Enable or disable Smart Lock on Android 5.x and higher devices. Smart Lock is an Android feature that allows users to unlock their devices automatically.

Bluetooth Enable or disable the device's Bluetooth radio. You can also enable scanning for nearby discoverable devices.

Wireless LAN Enable Wi-Fi and set properties for a single wireless LAN (WLAN) connection per session. To set properties for multiple connections, connect the device for multiple sessions, and define one Wireless LAN connection in each separate session.

The following network modes are supported: WEP, WPA/WPA2 PSK, and 802.1x Enterprise.

Device Communications Set configuration properties to connect to the mobile service, either directly or through its relay server proxy.

Android for Work

Feature Settings Description

Google Chrome Incognito mode Enable or disable incognito mode in Google Chrome. You can also force all tabs to be opened in incognito mode.

Browser History Control whether the browser saves the user's browsing history.


Feature List


Password Manager Enable or disable Password Manager. If you enable Password Manager, Google Chrome memorizes user passwords for future website logins. If you disable Password Manager, users cannot save passwords, nor use previously saved passwords. You can allow the user to configure the option, or you can specify that it is always on or always off.

Autofill Specifies whether the user can use the autofill feature to complete online forms. The first time a user fills out a form, Google Chrome automatically saves the entered information, such as the name, address, phone number, or email address, as an autofill entry. You can allow the user to configure the option, or you can specify that it is disabled.

Bookmarks Allow users to edit bookmarks. Bookmark editing allows users to add, edit, or remove items from their Google Chrome bookmarks bar.

Alternate Error Page Enable or disable alternate error page. When this is enabled, Google Chrome suggests alternate pages to the user when the page they are trying to reach is unavailable. The user sees suggestions to navigate to other parts of the website or to search for the page with Google.

Pre-rendering Enable or disable the pre-rendering of webpages. Pre-rendering web pages can speed up the user's browsing experience by allowing Google Chrome to pre-load and render linked pages.

Default Search Provider Set whether the user can set a default search provider for the omnibox (Google Chrome's address bar).

Safe Search Force safe search in Google Chrome. This setting forces your users' Google searches in Google Chrome to be done with SafeSearch turned on.

Search Suggest Enable or disable Search Suggest

Safe Browsing Enable or disable Safe Browsing. This setting specifies whether Safe Browsing is turned on for users. Safe Browsing helps protect users from websites that may contain malware or phishing content. You can allow users to decide whether to use Safe Browsing, or specify that it is always on or always off.

Google Translate Enable or disable Google Translate in Google Chrome. This setting lets you specify whether Google Chrome uses Google Translate, which offers content translation for web pages in languages not specified in the Language settings on a user's Google Chrome device. You can set Google Chrome to let users set this option in their local Google Chrome Settings, always offer translation, or never offer translation.



Data Compression Proxy Enable or disable data compression proxy. Enabling this setting can reduce cellular data usage and speed up mobile web browsing by using proxy servers hosted at Google to optimize and compress website content. You can set Google Chrome to allow the user to decide whether to use the data compression proxy, enable the data compression proxy, or disable the data compression proxy.

Proxy Configure the use of a proxy for Google Chrome. You can use these settings specify how Google Chrome connects to the Internet. If you leave the setting as Not Enforced, the user can change the proxy configuration in their Chrome Settings

Whitelist and Blacklist Configure a blacklist or whitelist for Chrome. A blacklist prevents Chrome devices from accessing specific URLs. A whitelist explicitly allows Chrome devices to access specific URLs. You can enter up to 1000 URLs for each list.

Bookmarks Manage Bookmarks

Geolocation Set Geolocation settings. These settings determine whether websites can track users' physical locations. Tracking physical locations can be set by the user (Not Enforced), allowed by default (Allow), the user can be asked each time a website requests the physical location (Ask), or denied by default (Block All).

Default Cookie Settings Set default cookies settings. These settings determine whether websites can store browsing information, such as user site preferences or profile information. Whether to allow cookies can be set by the user (Not Enforced), allowed by default (Allow All), or denied by default (Block All).

Default Images Set default images settings. The default images setting option determines whether websites can display images. Whether to display images can be set by the user (Not Enforced), allowed by default (Allow All), or denied by default (Block All).

JavaScript Set default JavaScript settings. The Default JavaScript setting option determines whether websites can run JavaScript. If you disable JavaScript, some sites may not work properly. This setting can be set to: Not Enforced (the user can set this option on the device), Allow All (allowed by default), or Block All (denied by default).

Popups Set default popups setting. The Default popup setting option determines whether websites can display pop-ups. Whether to allow pop-ups can be set by the user (Not Enforced), allowed by default (Allow All), or denied by default (Block All).


Feature List


Exchange Account For a user that is already defined in the Microsoft Exchange environment, sets properties for the native Microsoft Exchange ActiveSync (EAS) client.

Restrictions Screen Capture Allows you to enable or disable screen captures on the device

Enable Camera Allows you to enable or disable the camera on the device. Only applies to Android 5.0 and later devices.

Contact Sharing Allows you to allow or prevent the user from sharing contacts on the device. Only applies to Android 4.4 and earlier devices.

Copy and paste Allows you to allow or prevent the user from copying and pasting data on the device. Only applies to Android 4.4 and earlier devices.

Notification Allows you to determine how notifications are displayed on the lock screen. You can allow the device to display the full notification or instead display a notification with the content hidden. Only applies to Android 4.4 and earlier devices.

Input Method Editor Whitelist

Allows you to create a list of approved keyboard and input methods. Only keyboard and input methods defined in the list will be available to the user. Only applies to Android 4.4 and earlier devices.

Security Password Quality The password format required, either Something, Numeric, Alphabetic, Alphanumeric, or Complex.

Minimum Password Length The minimum length for the password. The range is 4 – 16 characters.

Invalid password attempts before Android for Work data wipe

The number of times a user can enter a wrong password before data wipe occurs. Maximum idle time until lock

Maximum idle time until lock

The maximum time that the user can configure the device to remain idle before the device screen locks. The options are: 15 sec, 30 sec, 1 min, 2 min, 5 min, 10 min, and 30 min.

Password History The number of passwords stored in the history list. The range is 1 – 100. The default is 10.

Maximum number of days until password expires

The number of days a password remains valid. The range is 0 – 365. 0 means there is no restriction (the password does not expire). The default is 90 days.

Minimum password letters The minimum number of letters in the password. The range is 1 – 16.

Minimum password lowercase

The minimum number of lowercase letters in the password. The range is 0 – 16.



Minimum password uppercase

The minimum number of uppercase letters in the password. The range is 0 – 16.

Minimum password non-letter

The minimum number of non-letter characters in the password. The range is 0 – 16.

Minimum password numeric

The minimum number of numbers in the password. The range is 1 – 16.

Minimum password complex characters

The minimum number of symbols in the password. The range is 1 – 16.

Smart Lock Smart Lock disabled Yes or No. Select Yes to disable Smart Lock on Android 5.x and higher devices. Smart Lock is an Android feature that allows users to unlock their devices automatically.

Certificate Include/Exclude - Cert, Request, Remove

Configure settings for CA certificates used to authenticate connections between the Android for Work profile and your network.

Wi-Fi Policy Configure Wi-Fi connections on Android for Work devices to allow users to connect wirelessly to your network. You can also choose to block users from connecting to a configured network connection.

Wi-Fi Policy Configure Wi-Fi connections on Android for Work devices to allow users to connect wirelessly to your network. You can also choose to block users from connecting to a configured network connection.

NitroDesk

Feature Group Settings Description

Account Configuration For planned NitroDesk TouchDown client users, account configuration sets properties for a new TouchDown client when launching the TouchDown client configuration wizard.

EAS Overrides For NitroDesk TouchDown client users, you can set configuration properties to override Exchange ActiveSync settings. These settings override the Exchange settings only if they are more restrictive than the Exchange settings.

Security Phone book copy fields A comma-delimited list of data elements that are eligible for copy to phone book

Set signature If left blank, users can enter their own signature

Set suppressions A comma-delimited list of codes for suppressing user-facing items after TouchDown has been configured


Feature List


User Settings For NitroDesk TouchDown client users, sets properties for general user settings.

Email Options For NitroDesk TouchDown client users, sets properties for additional email options.

Calendar Options For NitroDesk TouchDown client users, sets properties for calendar options.

LG


Application Management Application installation mode Define which applications can be installed on a device. You can deploy applications to devices by creating a whitelist (allowed applications) and a blacklist (disallowed applications).

Blacklist and Whitelist Management

Add rules to add or delete applications.

Enable/Disable Policy Define a policy to enable or disable an application

Install/Remove/Wipe Policy Define a policy to install, remove, or wipe application data or cache.

Bluetooth Enable or disable the device's Bluetooth radio.

Email Account For LG Android devices, sets properties for connecting to and from remote email server

Exchange Account For an LG Android user that is already defined in the Microsoft Exchange environment, sets properties for the native Microsoft Exchange ActiveSync (EAS) client. Once the client is defined on a device, allows you remove it from the device.

Location Enable GPS location provider Enable GPS location services

Enable network location provider Enable network location services

Password Allow simple password Enables/disables passwords with regular patterns, for example: “abcd”, “aaaa”, “1234”, or “2222.”

Restrictions Enable SD Card Enable the memory card on the device

Allow USB Enable a USB connection on the device

Allow USB tethering Allows for USB tethering from device to device or whenever the device is connected to a computer or laptop via a USB cable



Allow sending SMS Allow SMS text messaging

Allow browser Allow Internet browser to be installed on the device

Allow Wi-Fi Allow Wi-Fi. The user cannot change this value. This setting overrides the Wi-Fi setting on the policy editor Wireless LAN page.

Allow mobile data Allows the device to access a mobile network

Allow screen capture Allow user to take a screen shot of an image on the device

Allow factory reset Allows user to reset changes to the device default settings

Allow device-admin deactivation Allow administrators to deactivate the device from the Device Administration console

Allow POP/IMAP email Allow device to send/receive email through a defined POP/IMAP server

Allow install of applications Allow install of applications

Allow uninstall of applications Allow uninstall of applications

Allow install of apps of unknown source

Allow install of apps of unknown source

Allow running of apps of unknown source

Allow running of apps of unknown source

Roaming Allow automatic sync while roaming

Automatically synchronizes email, calendars and contacts when the device roams onto a different network

Allow roaming data Allows the user data roaming privileges when they change networks

Security For Android LG devices, sets properties for device encryption and credential storage.


Feature List

Samsung SAFE (KNOX Standard)

Feature Group Feature Description

APN Configure one or more Access Point Name (APN) profiles for a Samsung SAFE device. An APN identifies a gateway between the user's mobile network and a data network and is required for users to access the Internet or send and receive MMS messages.

Applications Enable Google Play Store Application

Enable Google Play Store Application

Enable YouTube™ Enable YouTube™

Enable Voice Dialer Enable Voice Dialer

Application Blacklist Use the blacklist to define applications you do not want users to download from Google Play.

Application Whitelist Use the whitelist to define applications that users can download.

Enable/Disable App Use this policy to enable or disable an application.

Install/Remove/Update app

Use this policy to install, remove, or update an application.

Bluetooth Enable Discoverable Enable to allow the device to discover nearby Bluetooth devices

Enable Desktop/Laptop Connectivity

Enable desktop/laptop connectivity

Browser Enable Auto Fill Enable Auto Fill

Enable Cookies Enable Cookies

Enable JavaScript Enable JavaScript

Enable Popups Enable Popups

Device Manager Allow Device Admin Deactivation

The Device Manager Policy controls whether users of Samsung SAFE devices can deactivate the Samsung MMEP or mobile service client as a device administrator.

Email Account For Samsung SAFE devices, sets properties for connecting to the remote email server.

Exchange Account For a Samsung SAFE user that is already defined in the Microsoft Exchange environment, sets properties for the native Microsoft Exchange ActiveSync (EAS) client. Once the client is defined on a device, lets you remove it from the device.

Firewall Configure the IP Address and port of the firewall



Location Enable GPS Location Provider

Enable GPS Location services

Password Policy Maximum number of days until password expires

The maximum number of days for a password to remain valid.

Minimum number of complex characters in password

Enforce a minimum number of complex characters

Password History The number of previous passwords stored on the system's history list.

Remote Reset Restarts the device

Restriction Policy Allow Unknown Source Install

Allows the installation of non-Google Play apps

Allow Settings Changes Allows the user to change settings

Enable Background Data Enables applications syncing, sending, and receiving data at any time

Enable Backup Allows the user to save a copy of Contacts to a secure web site

Enable Bluetooth Enables the Bluetooth radio. The user cannot change this value. This setting overrides the Bluetooth setting on the policy editor Bluetooth page.

Enable Bluetooth Tethering

Enables Bluetooth tethering

Enable NFC Enables Nearfield communication on the device

Enable Camera Enables the camera application

Enable Clipboard Enables the clipboard application

Enable Microphone Enables the Voice Dialer application

Enable SD Card Enables the SD card

Allow SD Card Write Allows applications to write to the SD card

Enable USB Debugging Enables USB debugging

Enable USB Media Player Enables the USB Media Player

Enable Screen Capture Enables the user to create screen captures

Enable USB Tethering Enables USB tethering on the device


Feature List


Enable Wi-Fi Enables Wi-Fi.

Enable Wi-Fi Tethering Enables Wi-Fi tethering

Allow Multiple Users Allows multiple users to use the device

Allow Factory Reset Allows the user to reset the device to its factory settings

Allow OTA Upgrade Allows the device to receive Over-the-air software upgrades

Allow Nonemergency Calls

Allows the user to place nonemergency calls

Roaming Allow roaming data Allows data use while roaming

Allow automatic sync while roaming

Automatically synchronizes email, calendars and contacts when the device roams onto a different network

Allow push while roaming Allows push synchronization while roaming

Security Encrypt device Encrypt the device memory and internal SD card.

Encrypt SD card Encrypt the external SD card.

Install certificate (Android 4.x and above)

Install a certificate and set a password

Clear installed certificates (Android 4.x and above)

Remove installed certificates

Wi-Fi Configure Wi-Fi connections on Samsung SAFE devices to allow users to connect wirelessly to your network.

3.3.2.2 iOS Devices

Payload Setting Description

Advanced Payload Defines the Access Point Name (APN) and cellular network proxy settings for devices. These settings define how devices connect to mobile networks.

Airplay Adds AirPlay destinations to available devices. Use AirPlay to stream music, photos, and video wirelessly to Apple TV and other AirPlay-enabled devices on the same Wi-Fi network as iOS devices.



AirPrint Adds printers to a device's AirPrint. Use AirPrint to print wirelessly to an AirPrint-enabled printer, from apps such as Mail, Photos, and Safari. This makes it easier to support environments where the printers and the devices are on different subnets.

Calendar Defines the settings that devices use to connect to a calendar account on a server. After the mobile service applies the payload, the calendar data is available on devices.

Cellular Defines cellular network settings for devices. Only one cellular payload can apply to each device, and a cellular payload cannot be applied if an advanced payload is already applied to a device. For iOS 7, the cellular payload replaces the advanced payload.

Contacts Defines the settings that devices use to connect to a contacts account on a server. After the mobile service applies the payload, contact data is available on devices.

Credential Adds certificates and identities to devices. Certificate files must be accessible from the machine that is running the Device Administration console. When installing credentials on devices, install all the intermediate certificates that link to a trusted certificate.

Enterprise SSO Uses Kerberos SSO and authenticates user credentials only once to access corporate and application store applications on a device. Devices must either be in a corporate network or be connected to the corporate VPN using the Internet. You can create multiple SSO payloads in a single iOS configuration policy.

Exchange ActiveSync Configures an Exchange ActiveSync account from a Microsoft Exchange server on devices.

Font Adds a font to an iOS device. You can include multiple font payloads, as needed.

Generic The Generic payload includes payloads created in any version of the iPhone Configuration Utility and imported into the device management service.

Global HTTP Proxy Defines a Web proxy server for devices. Only one Global HTTP Proxy payload can apply, and only to supervised devices.

Guided Access Locks the device to a single application, on its current version, until the payload is removed. Once locked on an application, the application is not subject to version updates.

LDAP Configures devices to connect to an LDAP server and access directory information. You can specify multiple search bases for each directory, and configure multiple connections.

Mail Configures POP or IMAP email accounts on devices.

Managed Domains Defines the Web domains that are under the management of an enterprise.

Organization Info Defines and sends information about your company to devices.

Passcode Allow simple value Whether a simple password is permitted. A simple password contains repeated characters or character sequences.

Require alphanumeric value Whether the password requires letters as well as numbers.


Feature List


Minimum passcode length The minimum required length of the password.

Minimum number of complex characters

The minimum number of symbols required in the password.

Maximum passcode age The maximum age of a password. When the password reaches the maximum age, the user must change the password.

Auto lock The duration which devices can be inactive before locking automatically.

Passcode history The number of unique passwords that must occur before a password can be repeated.

Grace period for device lock The length of time for which devices can be unlocked without a password after locking.

Maximum number of failed attempts

The number incorrect password attempts before devices must be unlocked by connecting to iTunes.

Per App VPN (iOS 7 and later) The per-app VPN payload defines one or more VPN connections that you can assign to specific applications on iOS devices. You can also define a VPN connection for the Safari browser app to use to access specified domains on your network.

Provisioning File Adds a provisioning file (.mobileprovision) to devices, which has a role in managing enterprise-signed applications.

Restrictions Enable supervised restrictions Whether the restrictions that apply to devices in supervised mode are enabled.

Allow installing apps Whether the App Store is enabled on the device.

Allow AirDrop (Supervised mode only)

Whether AirDrop is enabled.

Allow removing apps (Supervised mode only)

Whether users can remove applications from devices.

Allow changes to cellular data use for apps (Supervised mode only)

Whether users can change the access to the cellular network that applications have.

Allow use of camera Whether the camera is enabled on devices

Allow FaceTime Whether FaceTime is enabled.

Allow screen capture Whether users can save images of device screens.

Allow automatic sync while roaming Whether devices can synchronize data automatically while roaming.



Allow Siri Whether Siri is enabled.

Allow Siri while device locked (Allow Siri setting selected)

Whether Siri is enabled when devices are locked. This setting is available when Allow Siri setting is selected.

Allow Siri profanity filter (Supervised mode only; Allow Siri setting selected)

Whether the Siri profanity filter is enabled.

Show user-generated content in Siri (Supervised mode only; Allow Siri setting selected; iOS 7 and later)

Whether querying user-generated content from the Web is allowed.

Allow iMessage (Supervised mode only)

Whether iMessage is enabled on devices.

Allow voice dialing Whether voice dialing is enabled.

Allow bookstore (Supervised mode only)

Whether the iBook Store is enabled.

Allow erotica (Supervised mode only; Allow bookstore settings are selected)

Whether users can download content tagged as erotica in iBook.

Allow Passbook while device locked Whether Passbook is enabled when devices are locked.

Allow In-App purchase Whether users can make purchases from applications.

Force user to enter iTunes Store password for all purchases

Whether users must provide credentials for each purchase in iTunes.

Allow multiplayer gaming Whether multiplayer gaming is enabled.

Allow adding Game Center friends Whether users can add friends in Game Center.

Allow configuration profile Installation (Supervised mode only)

Whether users can install configuration profiles and certificates on devices.

Allow account changes (Supervised mode only)

Whether users can change accounts on devices.

Allow changes to Find My Friends (Supervised mode only; iOS 7 and later)

Whether users can make changes to the Find My Friends application.

Allow pairing with nonconfigurator host (Supervised mode only; iOS 7 and later)

Whether users can pair devices with hosts. This setting does not prevent pairing with a supervision host.


Feature List


Allow open from managed apps to unmanaged apps (iOS 7 and later)

Whether users can open documents from managed accounts and application in accounts and applications that are not managed.

Allow open from unmanaged apps to managed apps (iOS 7 and later)

Whether users can open documents from unmanaged accounts and application in accounts and applications that are managed.

Allow automatic updates to certificate trust settings (iOS 7 and later)

Whether over-the-air public-key infrastructure updates are enabled on devices.

Show Control Center in lock screen Whether Control Center is enabled to show up on the lock screen.

Show Notification Center in lock screen

Whether Notifications view in Notification Center is enabled on the lock screen.

Show Today view in lock screen Whether Today view in Notification Center is enabled on the lock screen.

Allow Erase Content (Supervised mode only)

Whether the Erase All Content and Settings option in the Reset screen on the device is enabled.

Allow Spotlight Internet Results (Supervised mode only)

Whether Spotlight is enabled to return the Internet search results.

Allow Enabling Restrictions (Supervised mode only)

Whether 'Enable Restrictions' option in the Restrictions screen on the device is enabled.

Allow Activity Continuation Whether activity continuation is enabled on the device.

Force Airplay outgoing request pairing password (iOS 7.1 and later)

If enabled, this forces all devices receiving AirPlay requests from the device to use a pairing password.

iCloud – Allow backup Whether devices can back up data to the cloud.

iCloud – Allow document sync Whether devices can synchronize documents to the cloud.

iCloud – Allow Photo Stream Whether Photo Stream is permitted on devices.

iCloud – Allow shared photo streams (iOS 6 and later)

Whether shared photo streams are enabled on devices.

iCloud – Allow keychain sync Whether devices can synchronize keychain data with other devices.

iCloud – Allow managed app cloud sync

Whether managed applications are enabled to use cloud sync.



Security and Privacy – Allow diagnostic data to be sent to Apple

Whether devices can send diagnostic data to Apple.

Security and Privacy – Allow user to accept untrusted TLS certificates

Whether devices prompt users to accept untrusted TLS certificates.

Security and Privacy – Force encrypted backups

Whether devices are required to encrypt backup data.

Security and Privacy – Force limited ad tracking (iOS 7 and later)

Whether devices limit ad tracking.

Security and Privacy Allow Touch ID to unlock device

Whether devices can be unlocked using touch ID.

Security and Privacy – Allow apps to enter Guided Access mode (Supervised mode only)

The applications that can initiate Guided Access Mode on devices.

Allow use of YouTube Whether the YouTube application is permitted on devices.

Allow use of iTunes Store Whether the iTunes application is permitted on devices.

Allow use of Game Center (Supervised mode only)

Whether Game Center is permitted on devices.

Allow use of Safari Whether Safari is permitted on devices. If Safari is disabled on devices, users cannot open web clips.

Enable autofill Whether Safari can automatically fill out forms and other data fields.

Force fraud warning Whether Safari must block fraudulent sites on devices.

Enable JavaScript Whether Safari permits JavaScript.

Block pop-ups Whether Safari blocks pop-ups.

Accept cookies Whether Safari accepts cookies on devices.

Allow explicit music, podcasts, & iTunes U

Whether devices allow explicit content in music, podcasts, or iTunes.

Ratings region The region that determines the available ratings for movies, TV shows, and applications.

Movies The allowed content ratings for movies on devices.

TV Shows The allowed content ratings for TV shows on devices.


Feature List


Apps The allowed content ratings for applications on devices.

SCEP Configures settings that allow devices to obtain certificates over the air from a certificate authority (CA) server that uses SCEP (Simple Certificate Enrollment Protocol).

Setting Roaming Whether devices can make and receive calls when roaming.

Data Roaming Whether devices can access data services when roaming.

Personal Hotspot Whether devices can act as personal hotspots for other Wi-Fi devices

Subscribed Calendar Adds read-only calendar subscriptions to Calendar application on devices.

VPN Configures VPN connections for devices. There are several supported VPN protocols and methods of authentication. Depending on the configuration settings you select, the options in the editor vary.

Web Clip Label The name of the web clip. URL The URL of the web clip. The URL must start with HTTP or HTTPS.

Removable Whether users can remove web clips from devices.

Icon The icon for the web clip. The icon should be a PNG file of 59 x 60 pixels.

Precomposed Icon Whether the icon is precomposed. The device does not add additional styles to precomposed icons.

Full Screen Whether the web clip opens to full screen.

Web Content Filter Affects Web viewing to limit sites using permitted lists and blacklist, or by limiting sites to only a defined list (whitelist).

Wi-Fi Configures one or more Wi-Fi profiles on your iOS devices. A Wi-Fi profile includes the required settings to allow the device to connect to a specified wireless network.

3.3.2.3 Windows Phone


App Restrictions Maintains a list of apps that are allowed or denied on the device. You can define either a denied item list or an allowed item list. The restrictions are maintained based on the app details, or the publisher details.



Assigned Access Enterprise Assigned Access enables an enterprise to provision a device to a locked down user experience. The administrator can customize the start screen with pinned applications, control the visibility of certain system settings, and configure custom launch actions for buttons.

Certificate Uploads the root or intermediate certificate for Windows Phone device authentication

Exchange ActiveSync The Exchange ActiveSync payload determines how Windows Phone devices interact with Microsoft Exchange servers.

Passcode Allow simple value Whether a simple password, which contains repeated characters or character sequences, is permitted

Require alphanumeric value Whether the password requires letters as well as numbers

Minimum passcode length The minimum required length of the password

Minimum number of complex characters

The minimum number of symbols required in the password.

Maximum passcode age The maximum age of a password. When the password reaches the maximum age, the user must change it.

Auto lock The duration that devices can be inactive before locking automatically.

Passcode history The number of unique passwords that must occur before a password can be repeated.

Maximum number of failed attempts

The number incorrect password attempts allowed before the device gets locked.

Restrictions Disable Wi-Fi Disables Wi-Fi on the device.

Disable Internet Sharing Disables sharing of your cellular data connection over Wi-Fi.

Disable Auto Connect To Wi-Fi Sense Hotspots

Disables automatic connection to Wi-Fi networks using Wi-Fi Sense hotspot.

Disable Wi-Fi Hot Spot Reporting

Disables reporting of the Wi-Fi hotspots.

Disable Manual Wi-Fi Configuration

Disables manual configuration of Wi-Fi settings.

Disable NFC Disables Nearfield communication

Disable Bluetooth Disables Bluetooth.


Feature List


Disable VPN Roaming Over Cellular

Disables VPN policies over cellular connections, while roaming.

Disable VPN Over Cellular Disables VPN policies over cellular connections.

Disable USB Connection Disables USB connections to the device.

Disable Cellular Data Roaming

Disables roaming of cellular data.

Disable Use of Storage Card Disables the use of storage card on the device.

Disable Telemetry Disables telemetry or app usage information collection.

Disable Location Disables location collection.

Disable User to Reset Phone Disables phone reset. The user cannot perform even a hard reset.

Disable Copy paste Disables copying and pasting of content.

Disable Screen Capture Disables screen capture.

Disable Voice Recording Disables voice recording.

Disable SaveAs of Office Files Disables saving of Office files.

Disable Sharing of Office Files

Disables sharing of Office files.

Disable Cortana Disables Cortana.

Disable SyncMySettings Disables syncing of settings across your Microsoft devices.

Disable Manual MDM Unenrollment

Disables unenrollment from MDM.

Disable Microsoft Account Connection

Disables creation of a Microsoft account (store account). Accounts that are already created will not be disabled.

Disable Adding Non Microsoft Accounts Manually

Disables creation of non-Microsoft accounts such as Google, Facebook, and so on. Accounts that are already created will not be disabled.

Disable Manual Root Certificate Installation

Disables manual installation of Root certificate.

Require Device Encryption (Requires UEFI secure boot enabled device)

Enforces device encryption.



Disable Store Disables accessing the store apps.

Disable Developer Unlock Disables unlocking the device for debugging and testing Windows Phone apps.

Disable Search To Use Location

Restricts Bing search from accessing the device location.

Require Safe Search Permissions

Sets Safe Search permission to 'strict'. You cannot change this setting.

Disable Storing Images From Vision Search

Disables storing images from Bing Vision search.

Disable Browser Disables the default browser.

Disable Camera Disables camera.

Disable Action Center Notifications

Disables action center notifications from appearing on the device lock screen.

SCEP Configures settings that allow devices to obtain certificates over the air from a certificate authority (CA) server that uses SCEP (Simple Certificate Enrollment Protocol).

Wi-Fi Configures connections to Wi-Fi networks on Windows Phone devices.

VPN By establishing a VPN connection, corporate mobile users can securely access critical business information from a corporate network through any public network.

3.3.3 Security Actions

OS Action Description

Android Lock Device This command locks the device. The device remains locked until the user enters the correct passcode. While locked, the device still allows emergency calls. The device lock is not removed if the user resets the device or removes the battery.

Delete Device Data Resets your device to factory condition, including removing the Android client

Unlock - Clear Passcode Removes an Administrator Lock and clears the passcode


Feature List


Remote Wipe Email Deletes all provisioned Exchange accounts on the device including those configured in NitroDesk TouchDown. When you use this button, you are prompted to include a secure wipe of the TouchDown SD card. When you choose to perform a secure wipe, NitroDesk TouchDown deletes only the data it has stored on the card.

Lock KNOX Container Locks the KNOX container. When a KNOX container is locked, users are prevented from logging in. The container can only be unlocked using the Unlock KNOX Container button on the Device toolbar. You can use this button to secure data in the KNOX container if, for example, the device is lost or stolen.

Unlock KNOX Container Unlocks a locked KNOX container. For example, you can use this button to unlock a locked KNOX container after a lost or stolen device has been recovered.

Remove KNOX Container Deletes all applications and data in the KNOX container and removes the container from the device.

Reset KNOX Container Password Resets the user's password on the KNOX container. Use this button when a user forgets their password. When a password is reset, the user is prompted to enter a new password the next time they try to access the KNOX container.

iOS Lock Device Locks the device. The device remains locked until the user enters the correct passcode. While locked, the device still allows emergency calls. The device lock is not removed if the user resets the device.

Remote Wipe Resets the device and removes it from mobile service management. If you choose this option, the user must connect the device to iTunes to restore data.

Unlock - Clear Passcode Unlocks the device and removes the passcode. If the device has a policy that requires a passcode, the device prompts the user to create a new passcode. An outbound notification through SMS or GCM is provided.

Remove Control Removes the device and all device content from MDM control. The device remains enrolled with limited management capabilities.

Modify Access Control Policy Opens the access control policy for the device.

Change Device Name Changes the current name of device in the Device Administration console.



Clear Restriction Password Changes the current name of the device. Once the new name is provided, the device user is notified with this change and the new name appears on the device. However, in the Device Administration console, the new name is reflected on completion of the subsequent device inventory collection.

Clear Activation Lock Clears the activation lock on a supervised device so that it can be wiped and reactivated for another user. Activation lock prevents unauthorized people from erasing and reactivating a lost or stolen device. It is enabled when a user sets up Find My iPhone on the device.

Windows Phone Remote Wipe Removes the device from management and resets it to its factory settings.

Remove Control Removes the device and all device content from MDM control. The device remains enrolled in management with limited management capabilities.

Lock Device Locks the device; the device remains locked until the correct passcode is entered. The device lock is not removed even if the battery is replaced.

Remote Ring Produces an audible ring on the device regardless of the volume set on the device. When the administrator initiates this action, a push notification is triggered and the device connects back to mobile service. An MDM session is established and the remote ring action is completed.

Lock Device and Reset Password Locks the device and resets the password on the device. A new password is generated on successful completion of this action, and the password appears in the Device Inspector tab.

3.3.4 Inventory

The mobile service collects both hardware and software inventory on managed devices. Users can view the following hardware inventory information.


Feature List

3.3.4.1 Android Inventory

Inventory Item Description

Android Hardware information, such as device model, platform version, phone type, roaming status (allow data roaming, auto sync when roaming, allow push while roaming) and more.

App Blacklist Blacklisted apps

App Whitelist Whitelisted apps

Bluetooth Information about Bluetooth support on the Android device, including device name and address, bonded devices, and more.

Certificate Information about certificates that are installed, such as CA Cert Name, User Cert Name, Issued To, Issued By, Validity, Type and Hash Code.

Device Device information, such as device OS, IMEI, OS version, serial number, and more.

Firewall Information about firewall, such as proxy address, port, IP tables proxy rules, and IP tables proxy option (true if "proxy rule" is enabled, else false).

Managed Software Information about managed software is populated only for Samsung devices such as:

● Package name● Install count – the number of times the application has been installed. This value per

sists irrespective of application installation and uninstallation.● Uninstall count – the number of times the application has been uninstalled, will persist

irrespective of application installation and uninstallation.● Disabled – the status of the application.● Installation disabled – the installation status of the application.● App installed – true if the application package is successfully installed on the device;

otherwise, false.

Memory Available memory, total memory, and name of the memory of both the device and SD card.

Phone Current network, current mobile operator, and phone number.

Restrictions As defined by configuration policy restriction payloads. Restrictions defined by the device holder are not reported.

Security Password attributes, MDM version, CA certificate details, and more.


3.3.4.2 iOS Inventory

Type Inventory Item Description

Afaria Afaria detected jailbreak Indicates whether a device is in a security-compromised state

Afaria installed Indicates whether the mobile service client is installed on the device

Last policy connect Indicates when the device last connected to the mobile service to allow the application of a policy

Last notification sent Indicates when the mobile service sent a notification to the device to initiate a connection

Sync policy Indicates the name of the synchronization policy

Afaria version Indicates the version of the client on the device

Under MDM Control Indicates whether the device is under MDM control

Is supervised Indicates whether the device is supervised

Bluetooth Bluetooth MAC Indicates the media access control (MAC) address of the Bluetooth hardware of the device.

Certificates Common name Indicates the common name of the certificate

Is identity Indicates whether the certificate is an identity certificate

Device Compromised Indicates whether the device is compromised

Device name Indicates the name of the device

iOS version Indicates the version of iOS on the device

ROM Indicates the ROM version

iOS user name Indicates the name of the device user

OS Indicates the operating system of the device

UDID Indicates the UDID of the device

Is do not disturb on Indicates whether the Do Not Disturb feature is active on the device

Is device locator on Indicates whether the device is reporting its location to the iCloud

Is iCloud backup enabled Indicates whether the device backs up data (device settings, photos, application data, and so on.) to the iCloud


Feature List


Last iCloud backup date Indicates the last date that the device backed up data to the iCloud

Product Name Indicates the product name of the device. This value is from Apple and might not reflect device branding

General Serial number Indicates the serial number of the device

IMSI Indicates the International Mobile Subscriber Identity (IMSI) of the device

IMEI Indicates the International Mobile Station Equipment Identity (IMEI) of the device

Device Model Number Indicates the model number of the device

Device Model Indicates the product name of the device. This value is from Apple and might not reflect device branding

MEID Indicates the Mobile Equipment Identifier (MEID)

Last Connection Indicates the last time that the device connected to the mobile service

Phone number Indicates the phone number of the device

Managed Certs Serial Number Indicates the serial number of the certificate

Thumbprint Indicates the hash, or thumbprint, of the certificate

Subject Indicates the entity identified by the certificate

Issuer Indicates the entity that verified and issued the certificate

Effective Date Indicates the date on which the certificate is first valid

Expiration Date Indicates the date on which the certificate ceases to be valid

CA Name Indicates the name of the certificate authority

CA Type Indicates the type of the certificate authority

Purpose Indicates the purpose for which the device uses the certificate

Subject Alternative Name Indicates alternate entities identified by the certificate

Revocation State Indicates the revocation state, if any, of the certificate

Memory Available device capacity Indicates the amount of available memory on the device



Device capacity Indicates the total amount of memory, both allocated and available, on the device

MS Exchange Device ID Indicates the device identity on the Microsoft Exchange server

User ID Indicates the user identity on the Microsoft Exchange server

Organization Info Name Indicates the name of the organization

Address Indicates the address of the organization

Phone Indicates the phone number of the organization

Email Indicates the email address of the organization

Other Indicates additional information about the organization

Payloads Description Indicates the name of the payload in the Device Inspector. The name distinguishes the different payloads on the device.

Display name Indicates the display name of the certificate

Has removal passcode Indicates whether a passcode is required to remove the certificate from the device

ID Indicates the ID of the certificate

Identifier Indicates the identifier of the certificate

Is encrypted Indicates whether the certificate is encrypted

Organization Indicates the organization

Removal disallowed Indicates whether users can remove the certificate from the device

Type Indicates the type of the certificate

Version Indicates the version of the certificate

Is managed Indicates whether the certificate is managed by the mobile service.

Phone Carrier settings version Indicates the version of carrier settings on the device. Carrier settings include settings for network, calling, cellular data, and so on. Apple or the carrier might update the carrier settings and users might receive notifications to install new settings.

Data roaming enabled Indicates whether the device can use the cellular network for data communication when the device is away from its home network


Feature List


Modem firmware version Indicates the firmware installed on the device for the data modem

SIM serial number Indicates the unique serial number of the SIM card in the device

SIM carrier network Indicates the wireless provider for the device

Voice Roaming Enabled Indicates whether the device can use the cellular network for phone communications when the device is away from its home network

Cellular Technology Indicates the cellular technology that the device uses

Provisioning Profiles

Expiration date Indicates the date on which the provisioning profile expires.

ID Indicates the identifier of the provisioning profile on the device

Name Indicates the name of the provisioning profile

Restrictions Displays settings from the Restriction payload in configuration policies that apply to the device

Security Hardware encryption capability Indicates the hardware encryption that is available on the device

Passcode compliant Indicates if the passcode on the device is compliant

Profile passcode compliant Indicates if the profile passcode is compliant

Passcode present Indicates whether the passcode is present on the device

Wi-Fi WIFI MAC Indicates the media access control (MAC) address of the Wi-Fi hardware of the device

Personal hotspot on Indicates whether the device is acting as a Wi-Fi hotspot

3.3.4.3 Windows Phone Inventory


Afaria Indicates whether the device is under MDM control

Certificate Provides information such as Common Name and Is identity for all certificates on the device

Client Configuration Device identification and certificate renewal information, including device name, enterprise ID, certificate renewal, signed certificate renewal



Device Hardware information, such as device model, platform version, phone type

MS Exchange Values related to Access Control for Email including domain, account type, server name, and SSL connection

Managed Certificates Information on certificates which are deployed/managed by Afaria such as: Serial number, Thumbprint, Subject, Issuer, Effective Date, Expiration Date, CA Name, CA Type, Purpose, Subject Alternative Name, Revocation State

Provisioning Profiles Information related to provisioning the device, including address, use hardware device ID, port number

Security Password configuration details, such as: whether the device password enabled, length, expiration date, history

3.3.5 Device Activity

The mobile service can monitor and report on device activities for enrolled devices. Depending on the device type, monitored activities include:

● Cellular data● Wi-Fi data● Outgoing and incoming phone calls● Outgoing and incoming Short Message Service (SMS) and Multimedia Messaging Service (MMS)

messages● International roaming status and usage● Definitions of subscriber data, such as IMSI, ICCID, and MSISDN, collected by each device type.

Subscriber Data iOS AndroidWindows Phone Definition

IMSI ● International Mobile Subscriber Identity, conforming to International Telecommunication Union (ITU) standard.

ICCID ● Integrated Circuit Card Identifier, conforming to International Telecommunication Union (ITU) standard.

Cell ID ● Last reported cell ID. On CDMA networks, the Base Station ID (BID).

Current Client ID ● ● ● Mobile service client global unique identifier (GUID).

Current Device ID ● ● iOS – Unique Device Identifier (UDID), Wi-Fi MAC Address.

Android – International Mobile Equipment Identity (IMEI).


Feature List

Subscriber Data iOS AndroidWindows Phone Definition

MSISDN ● Mobile Subscriber Integrated Services Digital Network Number which is the literal phone number as reported by the device. Not all SIM cards, specifically in Europe, are preprogrammed with an MSISDN.

Home MCC ● ● ● Home network Mobile Country Code.

Home MNC ● ● ● Home network Mobile Network Code.

Activity Last Collected

● ● ● Date on which Device Activity data was last posted on the server by the device.

Last MCC ● ● Last reported Mobile Country Code (MCC).

Last MNC ● ● Last reported Mobile Network Code (MNC).

Latitude ● ● ● Last reported approximate latitude, based on crowd-sourced Wi-Fi hotspot and mobile cell tower location.

Longitude ● ● ● Last reported approximate longitude, based on crowd-sourced Wi-Fi hotspot and mobile cell tower location.

Location Last Determined

● ● ● Date and time of the last location change.

Opt In ● ● ● User answer to request for Device Activity Enrollment (accepted/declined).

Roaming Change Date

● ● Date and time of the last roaming state change.

Status of Location Services

● ● ● Status of Location Services on the device (enabled or disabled).

3.3.6 Access Control

Access Control Access control regulates synchronization requests to email servers.

Access Control can prevent synchronization requests that do not meet the access control policies of the mobile. Access control policies include a list of known devices, their associated policies, any remediation actions, and any defined polices for unknown devices.


3.3.7 Remediation

Remediation policies define the conditions of compliance and the actions that the mobile service takes when devices go out of compliance. You create remediation policies in the Device Administration console.

3.4 Administration

3.4.1 Analytics

Feature Description

Reporting Visualize app usage through the following reports:

● Apps downloaded by platform● Apps trend analysis● Top 10 popular apps● Top 10 managed apps

Visualize app usage through the following reports:

● Devices by platform● Jailbreak status● Devices trend analysis● Devices by owner● Devices by OS version● Device by compliance status● Devices by platform across the service

Create and view custom reports using SAP Lumira Launchpad capabilities

App Analytics Shows total number of apps downloaded over time for each OS platform

Shows app usage reports by user/platform

Provides report of app usage per unit time (that is day or week)

Provides app usage session length

Shows concurrent usage of an app


Feature List

3.4.2 Account Administration

Feature Description

Profile Management ● View/Edit Profile: Change the first name, last name, phone number, and password associated with the profile

● API Credentials: Generate, delete, and regenerate● Skip warning when launching app in device test cloud● Skip warning when accessing app protection cloud service provider

Configure the Admin Portal and Mobile Place

● Set default display language for the mobile service for the administration portal● Set users to be managed or unmanaged in Mobile Place● Set default display language for Mobile Place● Set authentication/access settings● Select whether the EULA prompt is displayed during initial logon to managed users, un

managed users, unauthenticated access of mobile place, or each time the EULA changes

Customize the Admin Portal and Mobile Place

Upload any of the following resource types to customize and localize the administration portal:

● Public localization properties file● Private localization properties file● Email localization properties file● Background image● Shortcut icon

Upload any of the following resource types to customize and localize Mobile Place:

● Style sheet● Public localization properties file● Private localization properties file● EULA

Configure Enterprise Access

Configure enterprise connector to establish a secure SSH connection to enterprise resources

Configure Single Sign-On Configure SSO so that users can log on to Mobile Place through SSO

Configure Device Support

● Configure Google Cloud Messaging (GCM) as an alternative to SMS notifications● Configure Android for Work● Download a signed Certificate Signing Request (CSR) and upload the generated Apple

MDM certificate.● Sign the mobile service client for iOS for your enterprise● Configure the Auto-Discovery Server for Windows Phone thereby simplifying the enroll

ment process


Feature Description

Manage Signing Profiles ● Create signing profiles● Edit signing profiles● Delete signing profiles

Device Test Cloud Service Test apps using a third-party service before uploading them to the App Catalog. The following app types are supported for testing:

● Enterprise apps● Web apps● Fiori mobile apps

App Protection Cloud Configure app protection for Enterprise and Fiori mobile apps using a third-party app protection service

Health Dashboard View the status of the following services and determine the overall health of the mobile service:

● Account management● App management● Device management● Enterprise access

Manage Groups ● Create a new static group, and assign users and applications to it.● Create a directory group (Active directory or LDAP), and assign groups from the enterprise

Active Directory (AD) Organization Unit (OU) lists

Notifications Notifications in the administration portal when iOS enterprise applications, iOS signing profiles, Apple MDM certificates, or APNs certificates are going to expire.

3.4.3 Languages

Language Administration Portal Mobile Place Mobile Apps Documentation

Chinese (Simplified) ● ● ●

Chinese (Traditional) ● ●

Croatian ● ●

Czech ● ●

English ● ● ● ●

French ● ●

French Canadian ● ●


Feature List

Language Administration Portal Mobile Place Mobile Apps Documentation

German ● ●

Hungarian ● ●

Italian ● ●

Japanese ● ● ●

Korean ● ●

Polish ● ●

Portuguese ● ●

Portuguese (Brazilian) ● ●

Romanian ● ●

Russian ● ●

Serbian ● ●

Slovenian ● ●

Spanish ● ●

Spanish (American) ● ●

Spanish (Colombian) ● ●

Spanish (Mexican) ● ●

Thai ● ●

Turkish ● ●


3.4.4 Roles

Role Description

Account Admin The account admin has all permissions within the system and represents the highest level of authority in the mobile service for app and device management. Account Admins can assign any role based on having Account Admin access.

Features specific to the Account Admin Role are:

● Add Users, Manage Users● View and define reports● Set account defaults, define localization, branding and default end-user behavior

Device Admin The Device Admin role allows users unrestricted access to the Device Administration console. Assign this role to users requiring full access to MDM administration console and all tenant settings.

Mobile Place User The Mobile Place User role allows end users to access the Mobile Place. A Mobile Place User can browse the content of Mobile Place from the on-device application catalog and download applications onto their mobile device.

App Catalog Admin The App Catalog Admin has overall responsibility for the SAP Mobile Place application catalog. Admins have the App Publisher features, and approves or rejects application production and trial requests.

Device Help Desk The Device Help Desk role allows users to access the Device Administration console as helpdesk personnel to view and modify mobile devices and view device management policies. Assign this role to users who perform administrative operations and provide support for users.

Reports User The Reports User role allows users to access reports for their account.

App Catalog Publisher The App Catalog Publisher is responsible for managing the publication process for applications that he owns, and is the primary contact for those apps. As part of that process, app publishers have the following access rights:

● Add and manage applications (Enterprise, App Store, Web, SAP Fiori) along with supporting material (videos, screenshots, documents)

● Request publication of the application to Mobile Place as either a production or a trial application (with limited user access)

● View application feedback and rating information

Device Helpdesk (Read Only)

The Device Helpdesk (Read Only) role allows users only read-only access to the Device Administration console as helpdesk personnel to view mobile devices and device management policies.

MAP Admin The MAP Admin role grants a user the authorization to wrap an application with security and usage policies to help protect data, limit usage, and control access.


Feature List

3.5 User Assistance

The product includes embedded help as well as a set of documents that explain how to configure, operate, and use the software.

You can access the documentation from the mobile service for app and device management page of the SAP Help portal here: https://help.sap.com/viewer/product/MOBILE_SERVICE_FOR_APP_AND_DEVICE_MANAGEMENT/Cloud/en-US.

3.6 Browser Support

Console Requirements

SAP Cloud Platform mobile service for app and device management portal

Supported browsers and versions:

● Microsoft Internet Explorer version 11● Google Chrome version 34.x● Mozilla Firefox version 26.x● Safari version 6.1.3 for Mac OS

NoteFirefox is not supported for Analytics.

Device Administration Supported browsers and versions:

● Google Chrome 35.0 or later● Internet Explorer 9 or later● Mozilla Firefox 30.0 or later● Safari 5.15 or later - Mac or iPad

Restrictions:

● Enhanced security configuration setting in Internet Explorer 9 is not supported● Compatibility view in Internet Explorer is not supported● Due to session state sharing restrictions between tabs, support is limited to using a

single tab

Mobile Place Supported browsers and versions by OS:

● Android Native (Android)● Chrome 34.x (Android/iOS/Windows Desktop)● Firefox 26.x (Android/Windows Desktop)● Internet Explorer 10 and 11 (Windows Desktop/ Windows Phone 8 and 8.1)● Safari 6.1.3 (iOS/Mac OS)


https://help.sap.com/viewer/product/MOBILE_SERVICE_FOR_APP_AND_DEVICE_MANAGEMENT/Cloud/en-US

https://help.sap.com/viewer/product/MOBILE_SERVICE_FOR_APP_AND_DEVICE_MANAGEMENT/Cloud/en-US

Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use genderspecific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.


Important Disclaimers and Legal Information

Feature Scope DescriptionImportant Disclaimers and Legal Information P U B L I C 45

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN

https://www.sap.com/about/legal/trademark.html

feature scope description - sap · 1 introduction [[unresolved text-ref:...

Documents