SAP How-to Guide
SAP Mobility
SAP Afaria
provided by SAP Mobile - Rapid Innovation Group
Applicable Releases:
SAP Afaria 7 (SP1-SP4)
Version 1.0
March 2013
How To... Configure iOS Devices with Afaria
© Copyright 2014 SAP AG. All rights reserved.
Document History
Document Version Description
1.10 << Enter your summary of changes in this version >>
1.00 First official release of this guide
Table of Contents
1. Business Scenario
2. Background Information
3. Prerequisites
4. Step-by-Step Procedure
4.1 Create a Configuration Policy (Passcode)
4.2 Create a Configuration Policy (Restriction)
4.3 Create a Configuration Policy (NitroDesk)
4.4 Link Configuration Policy to a Group
4.5 Install Nitrodesk Email Client
4.6 Apply Policies
5. Summary
How To... Configure iOS Devices with Afaria
March 2014 1
1. Business Scenario
This document provides an overview of steps that one would need to follow to create configuration
policies for Android devices on SAP Afaria. Configuration policies usually map to mobile security
policies within an organization, allowing administrators to ensure that both corporate owned and
personal devices accessing company resources such as e-mail, Wi-Fi, and documents are protected by
an approved set of security policies on the device.
2. Background Information
This H2G describes the steps one would need to follow in order to create a configuration policy for
Android devices. The configuration policies created in this guide are only intended as an instruction
on how to implement a configuration policy and to demonstrate some of the capabilities across
different device manufacturers. It is not intended to serve as a best practice document for what to
implement in a configuration policy.
3. Prerequisites
The following are pre-requisites that must be met in order for you to complete the business
scenario in this H2G:
• Installed Afaria 7.0 SP3 or later
• Access to the SAP Afaria Administrator
• A test iOS device with the SAP Afaria client installed and enrolled on Afaria. Note that for
this guide we will be focusing on generic iOS device configuration.
• Optional: Nitrodesk Touchdown Email client on your device.
4. Step-by-Step Procedure
This H2G provides a basic procedure to follow for creating Configuration Policies for iOS.
Configuration Policies are the policies created for applying uniform configuration to devices based
on the groups to which they belong.
Configuration policies collect inventory and set device settings without engaging users.
Inventory is collected for hardware, software, or both. Configuration policy settings vary by device
type, but may include settings such as for passwords, Wi-Fi, roaming, and VPN.
For many settings, the policy determines the items that are visible on the device user interface.
For some devices, such as some Samsung and Motorola Android models, the policy can set items
that are available only through manufacturer APIs, and are not visible in the user interface.
For many of the Android and Windows Mobile configuration policy attributes, setting the
attribute requires selecting a check box to enable the setting, then setting or selecting a value.
To change settings for most attributes listed on configuration policy pages, such as the
Schedule page for an Android configuration policy or the Connection > Ports page for a Windows
Mobile Professional policy, select a check box, then set a value:
• Check box – select the check box to include the setting in the policy.
• Value – set the value for the setting by using the appropriate controls, such as typing in a
text field, selecting a list value, or other as available on the user interface. For example, on
the Android configuration policy Schedule page, select a check box to include the schedule
setting, and then select a time from the list to set the schedule time. To stop setting a value,
clear the check box.
Afaria configuration policy MDM payload data allows you to manage device settings for items
such as Wi-Fi, passwords, and e-mail applications.
Policy definitions are compliant with the Apple iPhone Configuration Utility (iPCU) version 3.6
definitions. Refer to Apple resources for detailed guidance; for example iPCU help and Apple
support resources for enterprise device management.
MDM policies can include these payload types:
• Advanced – changes the device Access Point Name (APN) and cell network proxy settings.
These settings define how the device connects to the carrier’s network. Change these
settings only as directed by the carrier.
• Calendar – configures a connection to a calendar server. The account is added to the
device and the user is prompted for any information that is required but not defined by the
policy.
• Contacts – configures a connection to a contact list.
• Credential – adds certificates and identities to the device. Certificate files must be
accessible from the machine running Afaria Administrator. When installing credentials on
a device, install all the intermediate certificates that link to a trusted certificate.
• Mail – configures POP or IMAP e-mail accounts. To add a Microsoft Exchange account,
use an Exchange ActiveSync policy.
• Exchange ActiveSync – configures an Exchange ActiveSync account with a Microsoft
Exchange server. You can create a policy for users by specifying the user name, host
name, and e-mail address, or only the host name; users provide other values when they
install the policy.
• Consider these items about user accounts:
a. If you specify the name, host name, and SSL settings in the policy, the user cannot
change these settings on the device.
b. The password data element cannot contain a percent (%) character.
c. Accounts that you add to a device by installing a policy can be deleted only by
removing the policy from the device.
• Generic – lets you select from any imported payloads created in any version of the iPhone
Configuration Utility.
• LDAP – configures a connection to an LDAP server. You can specify multiple search bases
for each directory and configure multiple connections.
• Passcode – defines passcode requirements, frequency of change, and other
characteristics. When the configuration policy loads, the user must enter a passcode that
satisfies the policy.
• Provisioning File – adds a provisioning file (.mobileprovision) to the device, which has a role
in managing enterprise-signed applications.
• Restriction – defines restrictions for user access to certain features, such as device
functionality, applications, SIRI, operations on iCloud, security, and content ratings. For iOS
3.x devices, restricting Safari prevents the device from processing further Afaria
configuration policies. If your requirements dictate restricting Safari, consider applying the
policy as the last of all Afaria policies. To recover the device from the restriction, the user
can click Settings > General > Reset > Reset All Settings.
• SCEP – configures settings that allow the device to obtain certificates over the air from a
certificate authority (CA) server that is using SCEP (Simple Certificate Enrollment
Protocol). Embedded SCEP requests or SCEP requests that are added in Wi-Fi or VPN
policies do not appear in the SCEP policy list; they are accessible only through their
containing policy. This does not apply in Afaria except in the cases of mobile configuration
files imported into Generic policies.
• Setting – configures voice and data roaming.
• Subscribed Calendar – adds read-only calendar subscriptions to the device Calendar
application.
• VPN – configures VPN networks. There are several supported VPN protocols and methods
of authentication. Depending on the configuration settings you select, the options in the
editor vary.
• Web Clip – adds Web clips to the device home screen. Web clips provide fast access to
favorite Web pages. The URL must begin with http:// or https://.
• WiFi – configures Wi-Fi networks. Consider these items:
a. Password for WEP or WPA security authentication – if you do not specify a password
in the policy, the user is prompted to enter one when connecting to the network.
b. Enterprise security types – expose additional settings for protocols, authentication, and
trust.
c. Wi-Fi policies can configure and save a network definition on a device only when the
device is detecting the network when it attempts configuration.
iOS NitroDesk TouchDown Configuration - NitroDesk TouchDown for iOS provides access to Exchange e-mail messages, contacts, and calendars using ActiveSync technology. You can install TouchDown either directly on the device, or use an Afaria application policy to push the TouchDown application to the device.
4.1 Create a Configuration Policy (Passcode)
We are going to put a basic security policy in place with an enforced numeric passcode, setting
the minimum passcode length to 5.
1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
a. Policy: iOS Passcode Lock
b. Note: Simple Lock Policy for iOS
c. State: Published
d. Type: Configuration
e. OS: iOS
f. Priority: 50
Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.
3. Click MDM Payload in the left menu.
4. Click Passcode.
5. Click Add (see above screen)
6. Configure the following properties:
a. Click Enabled
b. Enable Allow simple value
c. Set Minimum passcode length to 5
7. Click Save (see screenshot below)
4.2 Create a Configuration Policy (Restriction)
We are going to create a restriction policy to disable certain functionality on the device.
1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
a. Policy: iOS Restrictions Policy for Employees
b. Note: Restrict use of Safari and Camera
c. State: Published
d. Type: Configuration
e. OS: iOS
f. Priority: 10
Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.
3. Click Restrictions from the left menu bar and click Add (see screenshot on next page)
4. Review the list of Restrictions available under the different categories.
5. Under Device functionality, disable (uncheck) Allow use of camera (see screenshot on the next
page)
6. Under Applications, disable (uncheck) Safari (see screenshot on next page)
7. Click Save (see screenshot on next page)
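As an added example (not part of the SAP guide or of Afaria itself), the following Python sketch audits a configuration profile for the passcode and restriction settings chosen in sections 4.1 and 4.2. It assumes the policies reach the device as a standard Apple configuration profile with `com.apple.mobiledevice.passwordpolicy` and `com.apple.applicationaccess` payloads; the sample profile, its identifiers, and the helper names are constructed for illustration.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"

# Effective value when a key is absent from its payload: nothing is
# restricted and no minimum length applies.
DEFAULTS = {
    PASSCODE: {"allowSimple": True, "minLength": 0},
    RESTRICTIONS: {"allowCamera": True, "allowSafari": True},
}

def make_profile(payloads):
    """Build a constructed .mobileconfig (XML plist) around the payloads."""
    content = [
        {"PayloadVersion": 1,
         "PayloadIdentifier": f"com.example.demo.{n}",          # placeholder
         "PayloadUUID": f"00000000-0000-0000-0000-{n:012d}",    # placeholder
         **payload}
        for n, payload in enumerate(payloads, start=1)
    ]
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.demo",                # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "PayloadContent": content,
    })

# Constructed sample mirroring the values set in sections 4.1 and 4.2.
GUIDE_PROFILE = make_profile([
    {"PayloadType": PASSCODE, "allowSimple": True, "minLength": 5},
    {"PayloadType": RESTRICTIONS, "allowCamera": False, "allowSafari": False},
])

def effective_settings(profile_bytes):
    """Return ({payload type: {key: value}}, set of payload types present)."""
    profile = plistlib.loads(profile_bytes)
    settings = {ptype: dict(keys) for ptype, keys in DEFAULTS.items()}
    present = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in DEFAULTS:
            continue
        present.add(ptype)
        for key in DEFAULTS[ptype]:
            if key in payload:
                settings[ptype][key] = payload[key]  # later payload wins here
    return settings, present

def audit(profile_bytes, min_length=5):
    """List findings where the profile is weaker than the intended policy."""
    settings, present = effective_settings(profile_bytes)
    findings = [f"{ptype}: payload missing" for ptype in DEFAULTS
                if ptype not in present]
    if PASSCODE in present:
        passcode = settings[PASSCODE]
        if passcode["minLength"] < min_length:
            findings.append(f"minLength {passcode['minLength']} < {min_length}")
        if passcode["allowSimple"]:
            findings.append("allowSimple true: simple passcodes accepted")
    if RESTRICTIONS in present:
        for key in ("allowCamera", "allowSafari"):
            if settings[RESTRICTIONS][key]:
                findings.append(f"{key} true: feature not restricted")
    return findings
```

With the values from section 4.1, the only finding is `allowSimple`, because Allow simple value is enabled there and a five-character passcode with repeated or sequential characters would therefore satisfy the policy.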
4.3 Create a Configuration Policy (NitroDesk)
We are going to create an e-mail policy for the NitroDesk app for iOS.
1. In Policy, select New, Configuration, iOS.
2. In the Summary section, enter the following values:
a. Policy: iOS NitroDesk E-mail Configuration
b. Note: Corporate E-mail policy
c. State: Published
d. Type: Configuration
e. OS: iOS
f. Priority: 1
Note
In the case where many configuration policies are assigned to a device, the priority value indicates which Configuration Policy takes precedence: the lower the priority number, the higher the priority.
3. Select Nitrodesk
4. Under Nitrodesk, select Account Configuration and click Add
5. In this example, we are connecting to Microsoft 365 Hosted Email (Outlook 2010). Use
substitution variables to fill the fields:
Account License Key: 1234
User ID: student##
Password: Welcome1
Email address: %S.ExchangeUser%@yourdomain.onmicrosoft.com
Domain: yourdomain.onmicrosoft.com
Exchange server: m.outlook.com
Use SSL: No
For the purposes of this exercise, we will input sample user account information; in a
production environment, however, you would use substitution variables as shown below in the
example and screenshot.
User ID: %S.ExchangeUser%
Password: %S.ExchangePassword%
Email address: %S.ExchangeUser%@yourdomain.onmicrosoft.com
Domain: %S.ExchangeDomain%
6. Review the details under EAS overrides, User settings, Email options, Calendar options.
7. Click Save to commit your new Configuration Policy.
4.4 Link Configuration Policy to a Group
We need to link our Configuration Policy to a group.
1. On the Policy list, select your iOS Default Policy (the configuration policy you created in the
previous step); you can filter by clicking the Type drop-down and selecting Configuration.
2. Click the Link icon on the left menu bar.
3. In the right-hand Groups window, select the iOSStatic group.
4. Click the Link toolbar button.
You are now ready to apply the iOS Configuration policies to iOS devices. Go to Groups.
1. Select iOSStatic group
2. Click Apply Policy
4.5 Install Nitrodesk Email Client
1. On your device, install the standard Nitrodesk client from the Play Store. Look for
“Touchdown for Smartphones”.
4.6 Apply Policies
If you have already enrolled your device, you can simply connect to the server by opening the Afaria
client and connecting; the latest policies will then be applied.
1. Open the Afaria Client, select menu, Connect
Alternatively, if you are already enrolled, you could apply the policies for your device from the Afaria
Administrator.
2. In Afaria administrator, click Devices, locate your device.
3. Select your device and click the Apply Policies button on the toolbar.
4. A notification will be sent to the device to tell the Afaria client to connect.
Regardless of the method you selected to apply the policies on the device, within a minute or two
you should see the results; you will be prompted to set a device passcode/PIN.
Afaria will configure your Nitrodesk client. If you selected Auto Start for Nitrodesk, the Nitrodesk
client will open automatically; follow the prompts to complete the configuration.
Note
If you cancel the prompt to set up a device PIN, Afaria will leave a message in the notification bar;
clicking this link will take you back to the PIN configuration screen for your device.
5. After a minute or two, open the device’s camera app; you should see a message as shown.
5. Summary
By the end of this guide you should be equipped to create and explore configuration policies
for an Android device on Afaria.
www.sap.com/contactsap
http://scn.sap.com/community/mobile
http://developers.sap.com/mobile
SAP Mobile Platform How-To Guides