11 Configuring Mobile Security Manager

This chapter documents advanced administration topics and Mobile Security Manager configuration settings. It includes the following topics.

11.1 Understanding Scheduled Jobs

Mobile Security Manager runs the scheduled jobs in Table 11-1, which keep the server and the mobile clients up to date. Scheduled jobs are not configurable.

Table 11-1 Scheduled jobs in Mobile Security Manager

Post-Process Task Trigger
  Description: Executes the post-process tasks from the queue.
  Run Frequency: Every 5 minutes

Identity Changelog Sync Trigger
  Description: Syncs the back-end LDAP directory change log.
  Run Frequency: Every 5 minutes

User Group Membership Sync Trigger
  Description: Performs the identity Users and Groups membership check on all the registered endpoints.
  Run Frequency: Every 4 hours

Device Sync Trigger
  Description: Performs the following tasks:

  • Syncs device information such as device attributes and information about installed apps with the Mobile Security Manager server.

  • Evaluates MDM device policies on the Mobile Security Manager server and pushes device policies to all MDM-enrolled devices.

  Run Frequency: Every day at 10 PM

Compliance Check Trigger
  Description: Evaluates all enrolled devices for policy compliance.
  Run Frequency: Every day at 11 PM


When the Compliance Check Trigger or Device Sync Trigger jobs run, Mobile Security Manager resolves policy conflicts and calculates the Effective Policy for every user enrolled in the mobility program.

11.2 Configuring Mobile Security Manager Settings

This section includes the following topics:

11.2.1 About the Mobile Security Manager Settings Page

The Mobile Security Manager Settings page is organized into twelve tabs that let you configure client and server settings, user notification settings, and the settings that govern interactions with third-party systems such as Microsoft Exchange, the Apple Push Notification Service, and Google Cloud Messaging.

The Mobile Security Manager Settings page is located in the Settings section of the Oracle Access Management console.

Note:

Use online help to view field-level descriptions of the Mobile Security Manager Settings page, or see "Mobile Security Manager Settings Help" in the Help Reference for Oracle Mobile Security Suite Consoles.

11.2.2 How to Open the Mobile Security Settings Page

Use these steps to open the Mobile Security Settings console pages in the Oracle Access Management console. You must have System Administrator privileges to view this page.

  1. In a browser window, open the Oracle Access Management console using the appropriate protocol (HTTP or HTTPS). For example:

    https://hostname:port/access

    For details, see "Working with the Oracle Access Management Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  2. Log in with your System Administrator user name and password.

  3. On the main Oracle Access Management Launch Pad page, click Configuration.

    The Configuration Launch Pad opens.

    Under Settings, click View and choose Mobile Security Manager Settings from the menu.

    The Mobile Security Settings page opens.

  4. The Mobile Security Settings page contains the following tabs that you can click to open:

    • Client Settings - Click to change options and configuration settings that affect the Secure Workspace.

    • Server Settings - Click to configure properties that control how Mobile Security Manager functions at the server level.

    • Identity Store Settings - Click to configure properties that control how Mobile Security Manager interacts with the directory server.

    • CA (Certificate Authority) Settings - Click to create PKI certificate profiles and CA connections.

    • User Notification Settings - Click to enter your mail server settings. (Mobile Security Manager uses e-mail to send users notifications.)

    • Exchange Server Settings - Click to configure mail server settings if your organization uses Microsoft Exchange.

    • Device Notification Settings - Click to configure notifications that the Mobile Security Manager sends to users.

    • APNS Settings - Click to manage and upload the required APNS certificates that are used to securely communicate with the Apple Push Notification service.

    • GCM Settings - Click to configure the values needed to communicate with the Google Cloud Messaging service.

    • Notification Templates - Click to manage the Invite templates that the system uses to provide notification to users.

    • MDM Agent Settings - Click to edit Android and iOS Mobile Device Management (MDM) settings.

    • Blacklisted Apps - Click to manage prohibited apps on the device.

11.2.3 Configuring Client Settings

For descriptions of the Client Settings form fields, see "Client Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Client Settings provide the ability to configure some aspects of the Secure Workspace behavior in an OMSS deployment.

11.2.4 Configuring Server Settings

This section includes the following topics:

11.2.4.1 Configuring General Server Settings

For descriptions of the Server Settings form fields, see "Server Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

11.2.4.2 Configuring Proxy Settings

For descriptions of the Proxy Settings form fields, see "Proxy Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

11.2.4.3 Configuring Mobile File Manager Authentication Settings

For descriptions of the File Manager Settings form fields, see "File Manager Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

You can configure the following Mobile File Manager authentication settings:

  • Whether the File Manager server should accept HTTP Basic authentication.

  • Whether the server should reject unauthenticated requests without extending an authentication offer (the Authentication Challenge option). If HTTP Basic is enabled and Authentication Challenge is selected, the server answers an unauthenticated request with a challenge and the user is asked to provide a user name and password; if Authentication Challenge is not selected, the user is not asked for credentials and the server simply rejects the unauthorized request.

  • Whether the server should accept HTTP Basic authentication over a non-SSL connection. Basic authentication sends the user name and password base64-encoded, not encrypted, so enabling this over plain HTTP exposes credentials to anyone on the network path; leave it disabled unless the connection is protected by other means.

  • Whether the server should offer Kerberos or NTLM authentication to the client.
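
The following is an added example, not code from Oracle Mobile Security Suite. It models the four authentication settings listed above as a small policy and shows the HTTP response a server honouring them returns for a given request: a 401 with WWW-Authenticate headers when a challenge is offered, a bare 401 when unauthenticated requests are rejected without an offer, and a refusal to honour Basic credentials that arrived over plain HTTP. The user table and realm string are constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not OMSS code. Models the four Mobile File Manager
# authentication settings and the response a server honouring them returns.


@dataclass(frozen=True)
class FileManagerAuthSettings:
    accept_basic: bool            # accept HTTP Basic authentication at all
    challenge: bool               # "Authentication Challenge": send WWW-Authenticate on 401
    basic_over_plain_http: bool   # accept HTTP Basic over a non-SSL connection
    offer_negotiate: bool         # offer Kerberos (Negotiate) or NTLM to the client


USERS = {"alice": "s3cret"}       # constructed; stands in for the directory server
REALM = "Mobile File Manager"     # constructed realm string

Header = Tuple[str, str]


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value. Basic is base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge_headers(s: FileManagerAuthSettings) -> List[Header]:
    """WWW-Authenticate headers sent with a 401 when a challenge is offered."""
    if not s.challenge:
        return []                 # reject without extending an authentication offer
    hdrs: List[Header] = []
    if s.offer_negotiate:
        hdrs += [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
    if s.accept_basic:
        hdrs.append(("WWW-Authenticate", f'Basic realm="{REALM}"'))
    return hdrs


def handle_request(s: FileManagerAuthSettings, authorization: Optional[str],
                   is_tls: bool) -> Tuple[int, List[Header]]:
    """Decide the response for one request carrying an optional Authorization header."""
    reject = (401, challenge_headers(s))
    if authorization is None:
        return reject
    creds = parse_basic(authorization)
    if creds is None or not s.accept_basic:
        return reject                        # unknown scheme, malformed token, or Basic disabled
    if not is_tls and not s.basic_over_plain_http:
        # The password has already crossed the wire in the clear; refusing to
        # honour it limits the damage but cannot undo the exposure.
        return reject
    user, password = creds
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return 200, []
    return reject
```

With the challenge option off, the client receives no WWW-Authenticate header and therefore no scheme to retry with, which is what "rejects the unauthorized request" means in HTTP terms; with it on, the offered schemes are exactly those the other three settings enable.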

Note:

The Mobile File Manager fails to connect if a Windows file share on any of the following Windows versions is referenced by a DNS alias (for example, a CNAME record) instead of the host's own computer name:

  • Windows Server 2012

  • Windows Server 2008

  • Windows 8

  • Windows 7

  • Windows Vista

To fix the issue, either access the file share using the native host name, or complete the following steps to modify the registry on the file share server. This setting makes the server accept SMB connections addressed to any host name, so apply it only to file servers that must be reached through an alias.

  1. Locate and click the following key in the registry of the server:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

  2. On the Edit menu, add a new value with the following settings:

    Value name: DisableStrictNameChecking

    Data type: REG_DWORD

    Radix: Decimal

    Value: 1

  3. Restart the Server service (LanmanServer) on the file share server.

11.2.5 Configuring Identity Store Settings

For descriptions of the Identity Store Settings form fields, see "Identity Store Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use the Identity Store Settings configuration page to:

  • Edit the configuration values that Mobile Security Manager uses to import LDAP directory records from your directory server on a scheduled basis.

  • Edit the System Administrator and Help Desk Administrator LDAP group mappings.

  • Choose the default action (Lock, Wipe, Do Nothing) that the system should carry out when a user account is deleted or disabled in the directory server.

  • Add extra LDAP user attributes to Mobile Security Manager to facilitate mapping a user's Home drive in Mobile Security File Manager.

11.2.6 Configuring CA Settings

For descriptions of the CA Settings form fields, see "CA Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Note:

Choose a CA provider that uses Microsoft CA servers. Only Microsoft CA servers are supported.

Use the CA (Certificate Authority) Settings tab to create PKI certificate profiles and CA connections. These settings are used for device enrollment. For enrollment to succeed, the NDES certificate authority must be trusted, as must the certificates used by the MSM server and the MSAS server. Use the following steps:

  1. Create a certificate profile for the NDES SCEP server by configuring the NDES server as described in Section 12.3, "Configuring NDES and the Active Directory Certificate Authority."

  2. The Mobile Security Manager server verifies the certificate issued by the SCEP server. Consequently, you must import the Active Directory Certificate Services root CA certificate and the issuing CA certificate (if the issuing CA differs from the root CA) into the Mobile Security Manager server's wlstrust.jks trust store. Use the following steps:

    1. Export the root CA and issuing CA certificates from the Active Directory certificate authority and copy them to the Mobile Security Manager server host. The trust store file is located here:

      <DOMAIN_HOME>/config/fmwconfig/wlstrust.jks

    2. Run the following keytool commands to import the trusted certificates into the Mobile Security Manager trust store. keytool prints each certificate's subject, issuer and fingerprint and asks you to confirm before trusting it; compare the fingerprint with the one shown on the CA server before answering yes.

      keytool -importcert -keystore wlstrust.jks -file <rootca_filename> -alias ndesrootca -storepass <password>

      keytool -importcert -keystore wlstrust.jks -file <issuerca_filename> -alias ndesissuerca -storepass <password>

    3. Restart the Mobile Security Manager server.

  After the restart, you can create a CA certificate profile for this Active Directory (AD) NDES server.

For information about certificate revocation, see Section 12.4, "Configuring Automatic Certificate Revocation with the Active Directory Certificate Authority."

11.2.6.1 Configure CA Settings for Internal CA Server

Use the following cURL commands to configure the validity period for certificates issued by an internal certificate authority.

Note:

cURL is free software that you can download from the cURL website at http://curl.haxx.se/

The -k option in the commands below disables TLS certificate verification, which leaves the connection open to interception; use it only against a test server and replace it with --cacert <ca_file.pem> (the CA certificate that issued the MSM server certificate) in production. Passing -u <adminusername>:<adminpass> also puts the password in your shell history and in the process list; omit the password (-u <adminusername>) and cURL prompts for it instead.

  1. Enter the following command, which retrieves the MSM server settings and saves them to a file in JSON format:

    curl -v -H "Content-Type:application/json" \
    -u <adminusername>:<adminpass> -k --request GET \
    https://<msmhost>:<msmport>/msm-mgmt/systemSettings/server > serversetting.json

  2. Modify the serversetting.json file and update the scepCACertValidity parameter with a new value.

  3. Enter the following command, which modifies the MSM server settings as provided in the JSON input file (the @ tells cURL to read the request body from the file rather than sending the file name as the body):

    curl -v -H "Content-Type:application/json" \
    -u <adminusername>:<adminpass> -k --request PUT \
    https://<msmhost>:<msmport>/msm-mgmt/systemSettings/server \
    -d @serversetting.json
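
The following is an added example, not Oracle's code. It performs the same GET / edit / PUT round trip against the /msm-mgmt/systemSettings/server endpoint named above, with two changes a practitioner would want: the server certificate is verified against a CA file instead of being ignored (the equivalent of curl -k), and the administrator password is read from the environment or a prompt rather than the command line. Only the scepCACertValidity key named in the procedure is changed; every other key in the downloaded document is preserved. The host, port, CA file, environment variable names and the sample settings document are assumptions; the page does not state where in the document the key sits, so the search for it is recursive.

```python
import base64
import json
import ssl
import urllib.request
from typing import Any, Callable, List, Optional

# Added example, not Oracle code. Same endpoint as the cURL procedure,
# with TLS verification and no password on the command line.

SETTINGS_PATH = "/msm-mgmt/systemSettings/server"

# Constructed stand-in for what GET returns; the real document has more keys.
SAMPLE_SETTINGS = json.dumps({
    "serverName": "msm.example.com",
    "scepCACertValidity": 365,
    "proxy": {"enabled": False},
})


def find_key(node: Any, key: str) -> List[Any]:
    """Collect every value stored under `key` anywhere in a JSON tree."""
    found: List[Any] = []
    if isinstance(node, dict):
        for k, v in node.items():
            found += [v] if k == key else find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            found += find_key(item, key)
    return found


def replace_key(node: Any, key: str, value: Any) -> int:
    """Set every occurrence of `key` anywhere in a JSON tree; return the count."""
    count = 0
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                node[k] = value
                count += 1
            else:
                count += replace_key(v, key, value)
    elif isinstance(node, list):
        for item in node:
            count += replace_key(item, key, value)
    return count


def set_scep_validity(settings_json: str, validity: int) -> str:
    """Return the settings document with only scepCACertValidity changed.

    The unit of the value is whatever the server reports; the page does not
    state it, so this function only insists on a positive integer.
    """
    if not isinstance(validity, int) or validity <= 0:
        raise ValueError("validity must be a positive integer")
    settings = json.loads(settings_json)
    n = replace_key(settings, "scepCACertValidity", validity)
    if n != 1:
        raise KeyError(f"expected exactly one scepCACertValidity key, found {n}")
    return json.dumps(settings, indent=2)


def get_scep_validity(settings_json: str) -> int:
    return find_key(json.loads(settings_json), "scepCACertValidity")[0]


def msm_caller(host: str, port: int, cafile: str, user: str,
               password: str) -> Callable[..., str]:
    """Return call(method, body) bound to the MSM settings endpoint.

    cafile is assumed to hold the PEM certificate of the CA that issued the
    MSM server's TLS certificate; create_default_context verifies both the
    chain and the host name, which curl -k skips.
    """
    context = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}{SETTINGS_PATH}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}

    def call(method: str, body: Optional[str] = None) -> str:
        data = body.encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=context, timeout=30) as resp:
            return resp.read().decode()

    return call


def update_scep_validity(call: Callable[..., str], validity: int) -> str:
    """GET the current settings, change one key, PUT the whole document back."""
    current = call("GET")
    return call("PUT", set_scep_validity(current, validity))


if __name__ == "__main__":
    import getpass, os, sys
    if len(sys.argv) != 5:
        sys.exit("usage: update_scep.py <msmhost> <msmport> <ca.pem> <validity>")
    host, port, cafile, validity = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    # MSM_ADMIN_USER / MSM_ADMIN_PASSWORD are assumed variable names for this example.
    user = os.environ.get("MSM_ADMIN_USER") or input("MSM admin user: ")
    pw = os.environ.get("MSM_ADMIN_PASSWORD") or getpass.getpass(f"Password for {user}: ")
    print(update_scep_validity(msm_caller(host, port, cafile, user, pw), validity))
```

Refusing to proceed unless exactly one scepCACertValidity key is found guards against a PUT that silently changes nothing (key absent) or changes more than intended (key repeated), either of which the two-step cURL procedure would not catch.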
    

11.2.7 Configuring User Notification Settings

For descriptions of the User Notification Settings form fields, see "User Notification Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to enter your mail server settings. Mobile Security Manager uses e-mail to send users notifications.

Note:

When using SSL to connect to the SMTP server, import the SMTP server's certificate (or the CA certificate that issued it) into the WebLogic trust store so that the server's certificate can be validated during the TLS handshake.

11.2.8 Configuring Exchange Server Settings

For descriptions of the Exchange Server Settings form fields, see "Exchange Server Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to configure mail server settings if your organization uses Microsoft Exchange.

11.2.9 Configuring Device Notification Settings

For descriptions of the Device Notification Settings form fields, see "Device Notification Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to configure notifications that the Mobile Security Manager sends to users.

11.2.10 Configuring the APNS Certificate

For descriptions of the APNS Certificate Settings form fields, see "Apple Push Notification Service (APNS) Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Mobile Security Manager requires an Apple MDM certificate to manage iOS devices. This certificate enables secure communication using Apple Push Notification Services (APNS). (If you are only supporting unmanaged iOS devices, Mobile Security Manager does not need an MDM certificate.)

Before you begin - These steps require a computer running Mac OS X.

  1. Create a Certificate Signing Request (CSR) to obtain an APNS certificate from Apple.

    1. Open the Keychain Access application by opening the Finder and opening Applications > Utilities > Keychain Access.

    2. From the menu choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...

      The Certificate Assistant opens.

    3. Complete the form by providing an e-mail address and a common name, then select Saved to Disk.

      Click Continue.

      The Save-as dialog opens.

    4. Save the CSR to a convenient location.

  2. Send the CSR generated above to Oracle Support to have it signed.

    Oracle Support signs the CSR and returns the signed CSR to you.

  3. Upload the signed CSR to the Apple Push Certificates Portal.

    1. Using an Apple ID and password, sign in to the Apple Push Certificate Portal located here:

      https://identity.apple.com/pushcert/

      The Apple ID does not need to be associated with an Apple Developer / Enterprise Account. It can be any Apple ID.

    2. Accept the EULA and continue.

    3. Click Create a Certificate, then click Browse.

      Select the Oracle-signed CSR and click Upload.

      A new certificate for "Oracle" Mobile Device Management opens.

    4. Click Download and download the Apple signed certificate.

  4. Export the APNS certificate.

    1. Double-click the downloaded file to import it into the Keychain Access application.

    2. Click the disclosure arrow to the left of the certificate and verify that its name is APSP:<UUID> (Apple Production Services) and that it has an associated private key. UUID is a randomly generated identifier.

    3. Right-click the certificate and click Export.

      Save the certificate in .p12 format.

      Enter a password to protect the exported .p12 file. Record the password because you will need it in the next step.

  5. Upload the APNS certificate to OMSS.

    1. Open the Mobile Security Settings page. To learn how, see Section 11.2.2, "How to Open the Mobile Security Settings Page."

    2. Click APNS Settings on the menu bar. (If APNS Settings is not visible, use the arrow buttons to scroll the menu bar to the right, or click the Down arrow to view additional menu items.)

    3. Click Add to create a new row in the settings table.

    4. For Certificate Name, type MDM and for Certificate Password enter the password you used to protect the exported .p12 file.

      Click Choose File to select the .p12 file and click Apply to upload the file and save the APNS settings to Mobile Security Manager.

11.2.11 Configuring the GCM Entry

For descriptions of the GCM Settings form fields, see "Google Cloud Messaging (GCM) Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Mobile Security Manager requires GCM (Google Cloud Messaging) credentials to connect to GCM and send push notifications to Android devices. Follow these steps to create a GCM key.

  1. Create a Google API project and enable the GCM service.

    1. Sign in with Google credentials to the Google Developers Console:

      https://cloud.google.com/console

    2. If you have an API Project, click it to open the Project Dashboard.

      If you do not have an API project yet, click Create Project. Specify a Project Name and click Create.

      A page opens and displays your project number—for example, Project Number: 670330094152.

      Copy the project number. You will need it when you upload the API key to Mobile Security Manager.

    3. Choose APIs & auth > APIs from the sidebar, then, under Mobile APIs, click Cloud Messaging for Android.

      Click Enable API.

      Google Cloud Messaging is enabled.

  2. Obtain an API key.

    1. Choose APIs & auth > Credentials from the sidebar.

    2. In the Public API access section, click Create new Key, then click Server key in the Create a new key dialog.

      The Create a server key and configure allowed IPs dialog box opens.

    3. Enter your server's IP address and click Create.

      The API key is created.

    4. Copy the API key.

  3. Upload the API key to Mobile Security Manager.

    1. Open the Mobile Security Settings page. To learn how, see Section 11.2.2, "How to Open the Mobile Security Settings Page."

    2. Click GCM Settings on the menu bar. (If GCM Settings is not visible, use the arrow buttons to scroll the menu bar to the right, or click the Down arrow to view additional menu items.)

    3. Click Add to create a new row in the settings table.

    4. For Application ID, type MDM.

      For Sender ID, enter the project number from step 1.

      For API key, paste the API key from step 2.

    5. Click Apply to save the GCM settings to Mobile Security Manager.

  4. After modifying the values, click Apply to save changes or Revert to discard the changes.

    Click Refresh to view the updated changes on the back-end server.

11.2.12 Configuring Notification Templates

For descriptions of the Notification Templates form fields, see "Notification Templates" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to manage the Invite templates that the system uses to provide notification to users.

  • Multiple instances of a template can be created in different languages. First select a template, then click Add New Language. Choose a language from the menu. A new tab shows the name of the selected language. Use the editor to format the message content as needed.

  • You can also delete templates: you can delete just a specific locale, or you can delete a template and all of its locales.

To learn how to create or edit a notification template, see Section 3.2.1.1, "How to Create and Edit Notification Templates."

11.2.13 Configuring MDM Agent Settings

For descriptions of the MDM Agent Settings form fields, see "MDM Agent Settings" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to edit iOS Mobile Device Management (MDM) settings. The Android client does not accept the settings entered on the MDM Agent Settings tab. For Android, see Section 10.2.6, "Change MDM Agent Settings" to configure MDM agent values on the Secure Workspace app.

11.2.14 Configuring Blacklisted Apps

For descriptions of the Blacklisted Apps form fields, see "Blacklisted Apps" in the Oracle Fusion Middleware Help Reference for Oracle Mobile Security Suite Consoles.

Use this tab to manage prohibited apps on the device. Apps can only be blacklisted on managed devices. Mobile security policies can check for blacklisted apps both during enrollment and afterwards, and take the action defined in the policy if a blacklisted app is found on the device.