31 Integrating MAF Applications with EMM Solutions

This chapter describes the AppConfig Community that provides tools and best practices to manage mobile applications, the MAF approach to enterprise mobile applications, and the management of MAF applications with EMM solutions from AirWatch, MobileIron, and Blackberry.

31.1 Introduction to the AppConfig Community

The AppConfig Community provides tools and best practices to secure, configure, deploy, and manage mobile enterprise applications.

The AppConfig Community was formed, and is maintained, by Enterprise Mobile Management (EMM) organizations: VMware AirWatch, MobileIron, IBM MaaS360, and JAMF Software. The community works to streamline the development and deployment of mobile enterprise applications.

The tools and best practices of the community are defined by the following:

  • Use of native frameworks that are made available through operating systems (OS)

  • Absence of EMM-specific integrations

The AppConfig approach to developing enterprise mobile applications provides a standard approach to application configuration and management because it builds upon the application security and configuration frameworks within the native OS functionality of the iOS and Android platforms. The AppConfig approach has been defined by the App Configuration for Enterprise (ACE) initiative. See About the MAF Approach to Enterprise Mobile Applications.

MAF applications support ACE capabilities such as app tunnelling, application configuration, and implementations of security policies and access control. MAF supports application integration with third-party EMM solutions from AirWatch, MobileIron, and BlackBerry. For information about MAF integrations with EMM solutions, see Managing MAF Applications with the AirWatch EMM Solution, Managing MAF Applications with the MobileIron EMM Solution, and Managing MAF Applications with the Blackberry EMM Solution.

More information about the AppConfig Community is available at: http://appconfig.org/.

31.2 About the MAF Approach to Enterprise Mobile Applications

MAF adopts the AppConfig approach to enterprise mobile applications, and supports capabilities that have been defined by ACE.

MAF adopts the AppConfig approach to enterprise mobile applications because it requires neither a proprietary Software Development Kit (SDK) nor application wrapping tools. The MAF integration with AirWatch, MobileIron, and Blackberry helps developers build EMM vendor-neutral applications without containers and dual workspaces.

MAF supports application integration with third-party EMM solutions. The integration focuses on using the capabilities of the mobile operating systems to configure and secure MAF applications. MAF aims at providing the capabilities that have been defined by ACE. ACE is an initiative that defines standards for enterprise application management. ACE provides an application development framework that defines common standards for mobile application management so that an application could be managed by any vendor. More information about ACE is available at: http://www.appconfigforenterprise.org/.

MAF applications support the following ACE capabilities:

  • App tunnel: An application may need to access services behind a firewall. Device level IPsec VPNs come with concerns pertaining to connectivity and security. To address these concerns, mobile operating systems provide a Per-App-VPN capability so that individual applications can tunnel their way into networks. An application tunnel is a Secure Sockets Layer (SSL) connection from an application through a gateway to backend resources. As the tunnel is provided on a Per-App basis, no rogue application can worm its way into the network.

  • Application configuration: Users enter URLs, port numbers, email addresses, tenant IDs, skin configurations and other settings when they set up applications. An EMM server can set these configurations automatically and remotely using the native APIs recommended by the AppConfig Community. Administrators use web consoles to enter configurations, which are then pushed to applications. Developers define a set of configuration keys within their applications. EMM administrators set the same keys and values in the management console of the EMM provider, and the values are pushed to the application. See Configuring Properties in MAF Applications for Use by EMM Solutions.

  • Single Sign-On: Users may need to sign on to multiple systems, each of which may involve different user names and authentication techniques. A single sign-on (SSO) solution lets users authenticate themselves just once to access information on any of several systems. With SSO, the user is authenticated once and the authenticated identity is securely carried across the network to access resources. The application developer implements the Security Assertion Markup Language (SAML) standard to federate authentication to an Identity Provider (IDP). This SAML IDP is configured to use either Kerberos authentication or certificate authentication. The EMM solution distributes the appropriate Kerberos credentials and/or certificates based on the standard built-in operating system API calls available to the EMM providers.

  • Security policies and access control: Access control ensures that applications run only on approved devices. The capability enforces security policies at the application level. An organization requires security and data loss protection within enterprise applications to prevent sensitive data from moving outside company control.

    • Encryption: EMM vendors provide data protection for enterprise applications by enforcing a passcode policy on the device. Administrators can enable device level encryption by setting a passcode policy on the device.

    • Managed Open In: This is a mobile application management feature that restricts the flow of corporate data on iOS devices to only those applications that are under IT control.

    Enterprises may also want to disable application capabilities for security reasons.

    Common implementations of custom security policies include:

    • Disable copy and paste: the ability to disable the copy and paste capability from within the application

    • Default email settings: the ability to specify the default email application to be used to send email messages from within the application

    • Disable use of camera: the ability to disable the use of the camera

    • Disable capture of screenshots: the ability to disable the capture of screenshots

31.3 Access Control for MAF Applications with EMM Solutions

MAF uses the SSO certificate, application tunnel, and application configuration methods to enforce access control on MAF devices that are managed by AirWatch, MobileIron, and Blackberry EMM solutions.

Access control prevents users from logging into applications which are downloaded directly from iTunes and Google Play stores.

Access control may be enforced in three ways:

  • Using SSO certificate: SSO authentication can use certificates. Access is controlled by provisioning a certificate for single sign on, which will only be made available to compliant applications on managed devices. A user who tries to download an application from the iTunes store or the Google Play store as a personal application on an unmanaged device will be unable to authenticate and log into the application.

  • Using Application Tunnel: Access control can be enforced using the Application Tunnel capability. An enterprise can configure the authentication page of an application so that it only accepts connections from users who come through the secure Application Tunnel, based on IP address. The Application Tunnel capability is only available for compliant applications on managed devices. A user who tries to download an application from the iTunes store or the Google Play store as a personal application on an unmanaged device will not be able to authenticate and log into the application.

  • Using application configuration: Leverage application configurations defined within MAF applications to allow or deny access to an application. The application uses the value it received in the configuration key, and grants access only if that value is set to true.

31.4 How to Manage MAF Application Configurations with EMM Solutions

MAF applications integrate with EMM solutions to set application-level configurations remotely on the EMM server.

Integration with EMM solutions such as AirWatch, MobileIron, and Blackberry provides MAF applications the capability to set application-level configurations remotely on the EMM server, which can then be accessed by the MAF applications.

Application configurations can simplify the setup process for users. Developers define a set of configuration keys in the application; the AirWatch, MobileIron, or Blackberry server sends values for those keys. An organization administrator sets the keys and values in the EMM administrative web console, from where they are sent to MAF applications.

MAF applications implement backend service configurations such as URL, port, use SSL, group or tenant code, and user configurations such as user name, email, and domain.

Custom security policies can be enforced using application configurations. These custom security policies are commonly implemented:

  • Disable Public Cloud Sync: the ability to disable the syncing of application data with public clouds such as Dropbox

  • Disable Copy and Paste: the ability to disable the copy and paste capability from within the application

31.5 Managing MAF Applications with the AirWatch EMM Solution

Integration with the AirWatch EMM solution helps MAF applications implement data leak protection by means of security policies.

AirWatch provides an EMM solution to secure and manage applications. AirWatch has three development approaches to provide core application feature sets: the SDK, app wrapping, and the approach that follows the AppConfig Community. When integrated with AirWatch, MAF follows the AppConfig approach. MAF does not support SDK and App Wrapping from AirWatch. MAF only supports the AirWatch ability to leverage native standards to manage applications.

MAF applications can be managed by means of the AirWatch Administrative Console. The console allows EMM administrators to create iOS configuration profiles and Android for Work configuration profiles, and apply them to the managed devices that are enrolled into the AirWatch Administrative Console. When users enroll their devices into the AirWatch Agent App, all the configuration profiles assigned to their device are downloaded and applied. The configuration profile contains the restrictions that allow EMM administrators to enable or disable a specific functionality, such as the camera or Managed Open In, within the application. The configuration profiles also contain Per-App level configuration information that allows secure tunneling between MAF applications and the backend services that are hosted behind the firewall and used by MAF applications.

Information about the AirWatch EMM platform is available at: https://www.vmware.com/products/enterprise-mobility-management.html.

Core Application Feature Sets

MAF uses the EMM from AirWatch technologies to secure its applications. MAF uses the ACE to integrate MAF applications with AirWatch. Devices may be enrolled in AirWatch, applications may be installed from the AirWatch App Catalog, or internal or public applications may be uploaded to the AirWatch Administrative Console. Integration with AirWatch helps MAF implement data leak protection through the following security policies.

  • Encryption: MAF applications on the iOS platform, and on Android 5.0 and higher, provide the ability to enable encryption. When encryption is enabled, MAF uses the native OS encryption to encrypt the content of the entire device, including applications.

  • Managed Open-In: The restriction on opening documents stored in managed applications in other, unmanaged applications such as Dropbox or Box is available on the iOS platform, and on Android 5.0 and higher. On the iOS platform, when this restriction is enabled, it applies to all the applications on the device. When you set this restriction, you turn off the ability to share documents through email; in MAF, the Email Device Service is turned off. When you enable the Open In restriction on the Android platform, the restriction applies to each application and not to the whole device.

  • Camera: The capability to enable or disable the camera on the device is available on the iOS platform, and on Android 5.0 and higher. On the iOS platform, the camera restriction, when enabled, applies to all the applications on the device; it is not applied per application. On the Android platform, the camera restriction is applied to each application and not to the device.

  • Email: An iOS profile has no restriction which directly controls the email access at the device or application level. Setting the Open In restriction turns off the ability to share documents by means of email. In MAF, the Open In restriction turns off the Email Device Service.

  • App Tunnelling with AirWatch Tunnel: MAF applications on the iOS platform, Android 5, and higher platform versions are provided the Per App VPN mode capability, an OS-level capability available for individual applications on a mobile device. AirWatch Tunnel is a server component that is installed and configured with the AirWatch Administrative Console. AirWatch Tunnel uses native operating system APIs to secure data-in-transit between MAF applications and the secure enterprise network. The secure tunnel isolates the application when it communicates with the network.

  • Secure browser integration: Users who want to access web content from MAF applications are redirected from the application to the AirWatch Secure Browser. Tapping on a GoLink within a MAF application launches the AirWatch Secure Browser client. The EMM administrator sets policies in the AirWatch console. When the secure browser client is launched, the policies are applied to the application, and depending on compliance with the set policies, content is either blocked or displayed.

  • Secure email integration: Users who want to compose new email or perform tasks such as attach a document are redirected from the MAF application to the AirWatch Secure Browser. AirWatch provides URL schemes to launch the secure email client. Tapping on a GoLink within a MAF application launches the AirWatch Secure Email client. The EMM administrator sets policies in the AirWatch console. When the secure email client is launched, the policies are applied to the application, and compliance with the policies decides whether the user is allowed to attach files or blocked from doing so.

You can download the VMware AirWatch Mobile Device Management Guide at: http://mobile34.ca/wp-content/uploads/2016/02/Mobile-Device-Management-Guide-v8_3.pdf.

AirWatch documentation is available at: https://resources.air-watch.com/category/Documentation.

31.6 Managing MAF Applications with the MobileIron EMM Solution

Integration with the EMM solution from MobileIron helps MAF use the layered security approach of MobileIron to implement data loss prevention on mobile devices.

MAF integrates with the EMM from MobileIron technologies to secure applications. MobileIron provides a wrapping solution, an SDK, and also supports the ACE standard. MAF does not support the wrapping tool or SDK from MobileIron. MAF uses ACE to secure its applications. With ACE, developers can develop applications that work across EMM solutions.

MAF applications can be managed by means of the MobileIron Core administration console. The Core administration console allows IT administrators to create iOS configuration profiles and Android for Work configuration profiles and apply them to various managed devices which are enrolled into the MobileIron Core console.

When users enroll their devices into the MobileIron Agent application, all the configuration profiles assigned to their device are downloaded and applied. The configuration profile contains the restrictions that allow IT administrators to enable or disable a specific functionality, such as the camera or Managed Open In, within the application.

The configuration profiles also contain Per App level configuration information that allows secure tunneling between MAF applications and various backend services that are hosted behind the firewall. The backend services are used by MAF applications.

MobileIron Security Model

MobileIron uses a layered security approach to implement data loss prevention on mobile devices. The layered data loss prevention model includes basic controls, which directly address the requirements; supplemental controls, which provide additional controls; and compensating controls, which apply when no basic control is available. For example, for authentication, a device password provides the basic control while biometric authentication may supplement the basic control.

The layered security approach is implemented using the following controls.

Encryption

Encryption is available for iOS 9, Android 5.0 and higher version devices. MobileIron encryption for data-at-rest and data-in-motion has FIPS 140-2 validation and complements the embedded encryption capabilities of the operating systems. MobileIron provides the following types of encryption:

  • Encryption of all enterprise data-at-rest on the device: The EMM solution enforces device passwords to enable device level encryption that is available to all applications.

  • Encryption of all enterprise data-in-motion to and from the device: Enterprise mobile data, which includes email, applications, documents, and web pages, flows through MobileIron Sentry, the gateway that protects against attacks and interception through the use of digital certificates and transport layer encryption.

  • Encryption of all enterprise data in secure applications: In addition to the iOS and Android embedded encryption, MobileIron uses containerization to provide additional security controls, including encryption.

Data Sharing

The Open In function of mobile operating systems allows applications to share data. MobileIron allows IT to control which applications use this function to access application data. Setting this restriction on the iOS platform also turns off the ability to share documents through email. In MAF, the Email Device Service is turned off.

Copy and Paste functionality: The iOS platform does not provide a native restriction to control the ability to copy and paste content between managed applications. MAF developers can impose this restriction by implementing a custom Cordova plugin, which in turn calls the native iOS APIs to clear the buffer.

Capture screenshots functionality: MobileIron can also disable the screenshot capture function across the entire device.

Email: No restriction pertaining to email is available for the Android platform. For the iOS platform, although there is no restriction to manage the email service, by setting the Managed Open-In restriction, email within a managed application can be turned off.

Network Security

Application tunneling: MobileIron provides secure application-level tunneling for all enterprise data, including email, applications, documents, and web traffic. IT can separate the flow of enterprise data transmitted on a secure channel from non-enterprise data.

VPN: For organizations that have standardized on device-wide VPN technology, MobileIron configures the VPN service to provide a secure channel for data. MobileIron provides secure access to business data through Per-App VPN.

Per-App-VPN with MobileIron Tunnel supports the following in MAF applications:

  • Access to a basic authentication protected API hosted on non-Oracle cloud by tunneling the network request through MobileIron Sentry which acts as a proxy server

  • Access to an unsecured API hosted in Oracle Mobile Cloud Service by tunneling the network request through MobileIron Sentry which acts as a proxy server

  • Access to a basic authentication protected API hosted on an Oracle Mobile Cloud Service by tunneling the network request through MobileIron Sentry which acts as a proxy server

MobileIron Sentry is the gateway in the MobileIron platform that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems.

Secure Browser Integration

Users who want to access web content from a MAF application are redirected from the application to the MobileIron Secure Browser. Tapping on a GoLink within the MAF application launches the MobileIron Secure Browser client. MobileIron provides URL schemes to launch the secure browser client. The EMM administrator sets policies in the MobileIron console. When the secure browser client is launched, the policies are applied to the application and depending on compliance, content is either blocked or displayed.

Secure Email Integration

Users who want to compose new email, or perform tasks such as attach a document are redirected from a MAF application to the MobileIron Secure Email client. MobileIron provides URL schemes to launch the secure email client. Tapping on an email link within a MAF application launches the MobileIron Secure Email client. The EMM administrator sets policies in the MobileIron console. When the secure email client is launched, the policies are applied to the application, and compliance with the policies decides whether the user is allowed to attach files or blocked from doing so.

MobileIron documentation is available at: https://community.mobileiron.com/.

31.7 Managing MAF Applications with the Blackberry EMM Solution

Integration with the Blackberry enterprise mobile management solution helps MAF secure applications by means of the BlackBerry security policies.

MAF applications can be managed by means of the BlackBerry Administrative Console. The Administrative Console allows EMM administrators to create configuration profiles, such as iOS configuration profiles, and apply them to the managed devices that are enrolled into the Blackberry Administrative Console. When users enroll their devices into the BlackBerry Agent application, all the configuration profiles assigned to their device are downloaded and applied. The configuration profile contains the restrictions that allow EMM administrators to enable or disable a specific functionality, such as the camera or Managed Open In, within the application. The configuration profiles also contain Per-App level configuration information. This information allows secure tunneling between MAF applications and the backend services that are hosted behind the firewall and used by MAF applications.

The Blackberry EMM solution offers MAF applications the following capabilities:

  • Encryption: On the iOS platform, BES provides the ability to encrypt the content stored on the device and applications using the native OS encryption. BES 12 uses a FIPS-validated cryptographic module to encrypt all the data that it stores directly, and writes indirectly to files. BES 12 supports both full device and work space encryption. IT policy rules can also be used to force some devices to encrypt data.

  • Managed Open In is a security feature released in the Apple iOS 7 mobile operating system. The feature allows IT to configure which applications employees can use to access data. Supported on iOS 9, this feature manages the ability to open documents stored in managed applications, in other unmanaged applications such as Dropbox, and Box. BES supports Open-in management as a mobile application management (MAM) measure, and uses it as part of an enterprise data loss prevention (DLP) strategy for iOS devices.

  • Copy and Paste feature: The restriction that pertains to Copy and Paste implements a method of data loss prevention by restricting the copying and pasting of text and/or images. This feature manages the ability to copy and paste content between different mobile applications on iOS devices. A custom Cordova plugin could be used to enable or disable the copy and paste feature between managed and unmanaged applications.

  • Device features: Device features to restrict the usage of camera during application use allow administrators to restrict camera usage in an enterprise setting. Tools can also prevent screenshots from being taken. These restrictions are available for applications on iOS 9 and Android devices. Personal cloud applications such as email are not designed to convey or store enterprise data. Mobile device owners who use them for such purposes expose the enterprise to greater risk of data loss. The restriction that pertains to email determines from which application a user may send email messages.

  • Per-App VPN: Virtual private network (VPN) on demand and direct application tunnels, which automatically route all communication from a specific application through a secure channel back to the enterprise network, are available for applications on both iOS and Android platforms with MobileIron Tunnel. A VPN provides an encrypted tunnel between a device and the enterprise network. A VPN solution consists of a VPN client on a device and a VPN concentrator. The device uses the VPN client to authenticate with the VPN concentrator, which acts as the gateway to the enterprise network. Use Per-App VPN to specify which work applications and secured applications on devices use a VPN for the transit of data. Per-App VPN helps decrease the VPN load on an organization by enabling only discretionary traffic to use the VPN. For example, the VPN may be used to access application servers or web pages behind the corporate firewall.

Documentation about Blackberry security is available at: http://help.blackberry.com/en/bes12-security/current/.

31.8 Configuring Properties in MAF Applications for Use by EMM Solutions

Configure properties in the maf-application.xml file of a MAF application. Administrators can use EMM software to configure values for the properties when the application is deployed to users.

You can configure the properties in the maf-application.xml file of the application using the <adfmf:emmAppConfig> element. The following sample from a maf-application.xml file shows a number of properties that are defined.

  <adfmf:emmAppConfig>
    <adfmf:property name="serverURL" type="String" description="URL to connect the backend service"/>
    <adfmf:property name="port" type="Integer" description="Port number of the backend service"/>
    <adfmf:property name="enableEncryption" type="Boolean" description="Turn on app level encryption"/>
    <adfmf:property name="refreshDate" type="Date" description="Date on which application will be refreshed"/>
  </adfmf:emmAppConfig>

An EMM administrator configures values for these properties in an EMM console. The EMM software then pushes the values to the devices on which your MAF application is installed. This feature is only supported for MAF applications that are deployed to the Android and iOS platforms. Make sure that the EMM software supports the data types that you specify in the <adfmf:emmAppConfig> element. In the example above, the specified properties have the following data types: String, Integer, Boolean, and Date.

See the documentation of the EMM vendor for information about how to configure the corresponding property values in the EMM console and the data types that the EMM software supports.

You can read the property values in the application lifecycle of your MAF application using the #{EMMConfigProperties} EL expression. For example, write an EL expression as follows to read the value of the serverURL property: #{EMMConfigProperties.serverURL}

You can also register your property change listener to listen to property changes by invoking the following:

  EMMAppConfigScope.getInstance().addPropertyChangeListener(this);
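The following added example (not Oracle MAF code and not part of this chapter) shows, in Python, the two checks a developer would want around the <adfmf:emmAppConfig> element described above and the configuration-key access control of section 31.3: it parses the declared properties, rejects any data type the EMM console cannot push (the supported set is an assumption you should narrow to your vendor's list), coerces the string values an EMM console pushes into their declared types, and grants access only when the Boolean access key is present and true, so a missing or malformed key fails closed. The adfmf namespace URI, the sample XML fragment, the pushed values and the accessAllowed key are all constructed for the example.

```python
"""Validate <adfmf:emmAppConfig> properties of a MAF application and apply
EMM-pushed values to them. Added example; not Oracle MAF or EMM vendor code."""
from datetime import date
import xml.etree.ElementTree as ET

# Namespace of maf-application.xml (assumption: check the xmlns:adfmf
# declaration at the top of your project's own file).
ADFMF_NS = "http://xmlns.oracle.com/adf/mf"
NS = {"adfmf": ADFMF_NS}

# Data types the chapter's sample declares. Narrow this to the types your
# EMM vendor's console actually supports (assumption: all four supported).
SUPPORTED_TYPES = {"String", "Integer", "Boolean", "Date"}

# Constructed maf-application.xml fragment; accessAllowed is a hypothetical
# key used for the section 31.3 access-control pattern.
SAMPLE_XML = f"""<adfmf:application xmlns:adfmf="{ADFMF_NS}">
  <adfmf:emmAppConfig>
    <adfmf:property name="serverURL" type="String" description="URL to connect the backend service"/>
    <adfmf:property name="port" type="Integer" description="Port number of the backend service"/>
    <adfmf:property name="enableEncryption" type="Boolean" description="Turn on app level encryption"/>
    <adfmf:property name="refreshDate" type="Date" description="Date on which application will be refreshed"/>
    <adfmf:property name="accessAllowed" type="Boolean" description="True only for managed, compliant devices"/>
  </adfmf:emmAppConfig>
</adfmf:application>
"""

# Constructed key/value pairs as an EMM console would push them (all strings).
PUSHED_VALUES = {
    "serverURL": "https://mcs.example.invalid",
    "port": "8443",
    "enableEncryption": "true",
    "refreshDate": "2016-12-01",
    "accessAllowed": "true",
    "theme": "dark",  # never declared by the application; must be ignored
}


def declared_properties(xml_text):
    """Return {name: type} for each property under <adfmf:emmAppConfig>.
    Raise ValueError if a declared type is not one the EMM console supports."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iterfind("adfmf:emmAppConfig/adfmf:property", NS):
        name, ptype = prop.get("name"), prop.get("type")
        if ptype not in SUPPORTED_TYPES:
            raise ValueError(f"property {name!r}: unsupported type {ptype!r}")
        props[name] = ptype
    return props


def _coerce(ptype, raw):
    """Convert a pushed string to its declared type; reject anything else."""
    if ptype == "String":
        return raw
    if ptype == "Integer":
        return int(raw)  # ValueError on non-integer input
    if ptype == "Boolean":
        lowered = raw.strip().lower()
        if lowered in ("true", "false"):
            return lowered == "true"
        raise ValueError(f"not a Boolean: {raw!r}")
    if ptype == "Date":
        return date.fromisoformat(raw)  # ValueError on a malformed date
    raise ValueError(f"unknown type {ptype!r}")


def apply_pushed_values(declared, pushed):
    """Build the typed configuration from pushed key/value strings.
    Returns (config, unknown_keys); keys the app never declared are skipped."""
    config, unknown = {}, []
    for key, raw in pushed.items():
        ptype = declared.get(key)
        if ptype is None:
            unknown.append(key)
            continue
        config[key] = _coerce(ptype, raw)
    return config, unknown


def access_granted(config, key="accessAllowed"):
    """Section 31.3 pattern: allow only when the Boolean key was pushed and
    is True. A missing key or an uncoerced string denies (fail closed)."""
    return config.get(key) is True


if __name__ == "__main__":
    declared = declared_properties(SAMPLE_XML)
    config, unknown = apply_pushed_values(declared, PUSHED_VALUES)
    print("typed config:", config)
    print("ignored undeclared keys:", unknown)
    print("access granted:", access_granted(config))
```

Run the file directly to see the typed configuration and the access decision; a property declared with a type outside SUPPORTED_TYPES, or a pushed value that does not parse as its declared type, raises ValueError so the defect is caught at build or start-up time rather than surfacing as a wrong setting in the field.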