This section documents the Mobile Security Manager Settings page in the Oracle Access Management console. To open this page from the Oracle Access Management Launch Pad, click Configuration, then click View in the Settings section, then choose Mobile Security Manager Settings from the menu. Note that the Mobile Security Manager Settings page says Mobile Security Settings.
The following topics are covered:
Use the Client Settings tab to change options and configuration settings that affect the Secure Workspace.
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
Show Save Checkbox in login page |
Select to allow users the option to enable the "remember user name" option on the login page. The "remember user name" option is only available if both of the following are true:
|
|
Open URL in secure browser |
Select to open protected URLs in the secure browser inside the Secure Workspace. Clear this option to open URLs in the device's default browser. A protected URL is a web app that is protected behind the Mobile Security Access Server. |
|
Enable add App button |
Select to include the Catalog app on the users home screen. |
|
Advanced certificate expiration warning time |
Enter the number of days in advance that the Secure Workspace should warn users about upcoming certificate expirations. |
|
Poll Interval |
Displays the frequency, in seconds, at which the client polls the server for new policies and commands. Values can only be reset by Oracle Professional Services. |
Use the Server Settings tab to configure the properties that control how the Mobile Security Manager functions at the server level. This tab is organized into the following sections:
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
| Element | Description |
|---|---|
|
Passcode Expiration |
Enter the number of minutes that the Time Limited Passcode (TLP) that is used to reset forgotten PINs or provision Secure Workspace containers is valid. The default value is 60 minutes. |
|
Default Page Size |
The default number of records returned at once for a search query (for example, user search, role search, policy search, and so on). |
|
MSAS Host |
The complete name of the host that is running the Mobile Security Application Server, for example: host123.example.com |
|
MSAS Port |
The SSL port number that the Mobile Security Application Server is listening on. MSM must use an SSL port to communicate with MSAS. The default port number is 9001. |
|
Device/Workspace Operation Queue Archival Policy |
Determines if the commands that the Mobile Security Manager sends to devices or Workspaces are deleted or archived (for auditing purposes) after they have been executed.
Choose from the following:
|
|
Device/Workspace De-registration Policy |
For devices and Workspaces that have been de-registered, determines if database records are deleted or archived (for auditing purposes) after the de-registration has occurred.
Choose from the following:
|
Complete the fields in this section if your environment requires a proxy server to access external web resources.
| Element | Description |
|---|---|
|
Use proxy |
Select if your enterprise uses a proxy server to access the Internet when sending notification messages. |
|
Proxy Server Host |
The complete name of the host that is running the proxy service, for example: www-proxy.example.com |
|
Proxy Server Port |
The port number that the proxy service is listening on. |
|
Authentication |
Select if authentication is required. Provide values for the Proxy Username and Proxy Password fields. |
|
Proxy User name |
The account name required to access the proxy server. Leave blank if the proxy server does not require a user name. |
|
Proxy Password |
The account password required to access the proxy server. Leave blank if the proxy server does not require a password. |
This tab controls access and security settings for the File Manager service.
| Element | Description |
|---|---|
|
Authentication Protocol |
Select the authentication options the server should use for the File Manager service. |
|
HTTP Basic |
Select this option if the server should use HTTP Basic authentication. |
|
Authentication Challenge |
Select this option if the server should offer HTTP Basic authentication to the client.
|
|
Non-SSL |
Select this option if the server should allow HTTP Basic authentication over a non-HTTPS connection.
|
|
Kerberos / NTLM |
Select this option if the server should offer Kerberos/NTLM authentication to the client. Kerberos is the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains. NTLM is an older Microsoft authentication protocol. |
|
Options |
Select the option that should be given priority. If Kerberos is selected, Kerberos is tried first, followed by NTLM if Kerberos is unsuccessful; If NTLM is selected, NTLM is tried first, followed by Kerberos if NTLM is unsuccessful. |
Use the Identity Store Settings tab to configure the properties that control how the Mobile Security Manager interacts with the directory server.
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
IDS Profile Name |
The Identity Directory Service Profile created in the Oracle Access Management console. Refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for more details. |
|
System Admin Groups |
Add LDAP groups as needed to grant users System Administrator privileges to Oracle Mobile Security Suite.
Click Add to create new rows in the table. Click Remove to remove the selected (highlighted) row from the table. Click View > Detach to open the table in a larger window. |
|
Help Desk Groups |
Add LDAP groups as needed to grant users Helpdesk User privileges, including access to the Mobile Security Manager console.
Click Add to create new rows in the table. Click Remove to remove the selected (highlighted) row from the table. Click View > Detach to open the table in a larger window. |
|
User Deleted Action |
Choose the default action that the system should carry out when a user account is deleted in the directory server.
Choose from the following:
|
|
User Disabled Action |
Choose the default action that the system should carry out when a user account is disabled in the directory of users.
Choose from the following:
|
|
Additional User Attributes |
If you are using Mobile Security File Manger and need some LDAP attributes to map a user's Home drive, add those attributes here. For example: homedirectory, uid.
Click Add to create new rows in the table. Click Remove to remove the selected (highlighted) row from the table. Click View > Detach to open the table in a larger window. |
"About the Identity Store Directory Server" in Administering Oracle Mobile Security Suite
Use the CA Settings tab to create PKI certificate profiles and CA connections.
Note:
Choose a CA provider that uses Microsoft CA servers. Only Microsoft CA servers are supported.For successful processing, you must trust the NDES certificate authority and the certificates issued by the MSM server and the MSAS server. For instructions, see "Configuring NDES and the Active Directory Certificate Authority," and "Configuring CA Settings" in Administering Oracle Mobile Security Suite.
To create a new certificate profile, click Add Certificate Profile.
To edit a certificate profile, click the profile name.
To delete a certificate profile, click the x to the right of the certificate profile record.
| Element | Description |
|---|---|
| Refresh | Click Refresh to update the screen with any changes made on the (back-end) server. |
| Element | Description |
|---|---|
|
Name |
The name of the certificate profile. |
|
Cert Authority |
The name of the certification authority that issued the digital certificate. |
|
SCEP Server URL |
The URL for the SCEP (Simple Certificate Enrollment Protocol) server. For example: http://abc.example.com/CertSrv/mscep |
|
Template Name |
The name of the certificate template to use. The template name must be present in the CA Authority (NDES), otherwise cert provisioning will fail. Also, the template must be unique for every SCEP profile you create. |
|
Subject Container |
A subject Distinguished Name value that is descriptive of your environment, for example:
|
|
Static Challenge Credential |
The challenge password sent as part of the enrollment request.
Click Reveal to show the password; click Conceal to hide it. |
|
Key Type |
Choose RSA or DSA from the menu. |
|
Key Size |
The bit length for the certificate. Choose 512, 1024, or 2048 from the menu. |
|
Subject Name Expression |
The name of the holder of the private key associated with the certificate. |
|
Cert Type |
Choose from the following:
|
|
Escrow Duration |
The number of months that the encryption key is escrowed. |
|
Key Usage |
Choose from the menu:
|
|
Number of Retries |
The number of times that a device should try and get a certificate from the SCEP server. |
|
Retry Delay |
The timeout delay in seconds between each retry. |
"Configuring CA Settings" in Administering Oracle Mobile Security Suite
"Configuring NDES and the Active Directory Certificate Authority" in Administering Oracle Mobile Security Suite
"Configuring Automatic Certificate Revocation with the Active Directory Certificate Authority" in Administering Oracle Mobile Security Suite
Use this tab to enter your mail server settings. Mobile Security Manager uses e-mail to send users notifications.
Note:
Upon clicking Apply (save), the system uses a test connection to validate the e-mail server settings.| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
SMTP Host |
The complete name of the host that is running the simple mail transfer protocol service, for example: smtp-host.example.com |
|
SMTP Port |
The port number that the SMTP service is listening on. The default port number is 25. |
|
SSL |
Select this option if the system should use a Secure Sockets Layer connection to send notifications over e-mail. Clear this option if the system should use an unencrypted connection.When using SSL to connect to the SMTP server, import the certificate into the WebLogic keystore. |
|
SMTP User |
The SMTP user account name used to send outgoing e-mail messages. |
|
SMTP Password |
The SMTP user's password. |
|
Admin Email |
The e-mail address to which bounce-back notifications should be sent. |
Use this tab to configure mail server settings if your organization uses Microsoft Exchange.
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
Domain Name |
Enter the name of the Windows domain to which the Exchange server belongs. |
|
Server URL |
Enter the Exchange Web Service URL exposed by the Exchange server for the Mobile Security Notification Server to connect to. |
|
Service User |
Enter the Exchange service account that you created to establish a connection between Oracle Mobile Security Suite and Microsoft Exchange. |
|
Service Password |
Enter the service account password. |
|
Server Version |
Enter the version of the Exchange server, for example: 2010_SP1. |
|
Heartbeat Frequency |
Enter a value in seconds that specifies how frequently Exchange server should ping the Mobile Security Notification Server, for example: 5. |
|
Listener URL |
Enter the URL where the Mobile Security Manager is listening for Exchange notifications. By default this is http://<msm_hostname>:<msm_port>/msm/exchange |
"Configuring Microsoft Exchange (Secure Mail) to Work With Mobile Security Manager" in Administering Oracle Mobile Security Suite
Use this tab to configure notifications that the Mobile Security Manager sends to users. This tab is organized into the following sections:
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
| Element | Description |
|---|---|
|
Include the e-mail sender in the notification message |
Select to include sender details in the notification e-mail. |
|
Include the e-mail subject in the notification message |
Select to include the e-mail subject in the notification message. |
|
Notification Server |
The name of the notification server. |
|
New E-mail Message |
Enter the default message that should populate the Subject line in e-mail messages to the user. |
|
New Calendar Message |
Enter the default message that should populate the Subject line in new calendar messages to the user. |
|
New Event Message |
Enter the default message that should populate the Subject line in new event messages to the user. |
Notification Thread Pool Size Setting
| Element | Description |
|---|---|
|
iOS |
Set the number of threads to allocate for iOS device notifications. |
|
Android |
Set the number of threads to allocate for Android device notifications. |
Use this tab to manage and upload the required APNS certificates that are used to securely communicate with the Apple Push Notification service. To send push notifications, the certificate uploaded here must be trusted by the Apple APNS server. More information can be found on the Apple development website: http://developer.apple.com
To learn how to obtain an Apple MDM certificate, see "Configuring the APNS Certificate" in Administering Oracle Mobile Security Suite.
Note:
Refer to the following Apple support page if you are unable to use the Apple Push Notification service. Devices connected to Wi-Fi that do not have cellular data service require specific ports to be open on network firewalls.| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
View |
Click and choose from the menu to control how the data in the table is displayed:
|
|
Add / Remove |
Use the buttons in the command bar to update the settings table.
|
|
Certificate Name |
A name for the certificate. Defaults to the certificate file name uploaded, but can be changed.If the certificate is to be used for MDM, the Certificate Name should be MDM. If the certificate is to be used for Exchange E-mail Notifications, it should be named Secure Mail. |
|
Certificate Password |
Enter the password for this certificate. This password is required to decrypt the APNS certificate file. |
|
Certificate File |
Click Choose File to navigate to the certificate file on your system. The certificate file should be saved in the PKCS12 format. The file will upload to Mobile Security Manager when you save your Apple Push Notification Service settings. |
"Configuring the APNS Certificate" in Administering Oracle Mobile Security Suite
Use this tab to configure the values needed to communicate with the Google Cloud Messaging service.To learn how to create a GCM key, see "Configuring the GCM Entry" in Administering Oracle Mobile Security Suite.
Note:
Be sure to configure your firewall to allow connectivity with GCM in order for Android devices to receive messages. Refer to the Android developer documentation for details.| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
View |
Click and choose from the menu to control how the data in the table is displayed:
|
|
Add / Remove |
Use the buttons in the command bar to update the settings table.
|
|
Application ID |
The Android app that is registering to receive messages. The Android app is identified by the package name from the manifest. This ensures that the messages are targeted to the correct Android application. The Application ID should be 'MDM if the GCM entry is to be used for MDM notifications. For Exchange E-mail notifications it should be com.nitrodesk.honey.nitroid. |
|
Sender ID |
A project number that you acquire from the API console when building an Android application. The sender ID is used in the registration process to identify a third-party application server that is permitted to send messages to the device. |
|
API Key |
A server authentication key that is saved on the third-party application server that gives the application server authorized access to Google services. The API key is included in the header of POST requests that send messages. |
"Configuring the GCM Entry" in Administering Oracle Mobile Security Suite
Use this tab to manage the Invite templates that the system uses to provide notification to users. Multiple instances of a template can be created in different languages. First select a template, then click Add New Language.
| Element | Description |
|---|---|
|
Create Template |
Click to open the New Template dialog. |
|
List of Templates |
Shows Invite templates in a column on the left side of the page. Click a template to open it. |
|
Add New Language |
Click to create a new instance of a template in another language. First open a template, then click Add New Language and choose a language from the menu. A new tab shows the name of the selected language. Use the editor to format the message content as needed. |
|
Remove |
Click to delete the selected language version of the selected template. You can delete a specific language from the template or the entire template. In the Confirm Delete dialog, click Yes, or select the Delete all language versions from template option and then click Yes. |
|
Edit |
Click to open a template, then click Edit to modify the verbiage or formatting. |
This table describes the elements in the New Template dialog.
| Element | Description |
|---|---|
|
Template Type |
Specifies the type of template to create. Preset to Invite Template. |
|
Template Name |
Give the template a unique, descriptive name. |
|
Language |
Choose the language that will be used for the initial instance of the template. |
This table describes the placeholders that can be used in an invite template. When the system sends a notification to a user, it replaces the placeholder with data configured in the system.
| Element | Description |
|---|---|
|
${recipient_name} |
The name of the person that the notification is sent to. |
|
${recipient_upn} |
The user's principal name (unique name) in the LDAP directory. |
|
${recipient_tlp} |
The passcode that the user should enter when presented with the Request Certificate Page. |
|
${tlp_expiration_time} |
The number of minutes that the passcode will remain valid after the invitation is sent. |
|
${access_service_host} |
The MSAS Runtime Server Base URL used to construct invitation links. |
|
${ios_app_download_link} |
The link to download the Secure Workspace for iOS devices. |
|
${android_app_download_link} |
The link to download the Secure Workspace for Android devices. |
|
${ios_mdm_registration_link} |
The link to the iOS Device Management (MDM) registration web page. |
Use this tab to edit iOS Mobile Device Management (MDM) settings. These settings go into effect during MDM registration. This tab is organized into the following sections:
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
Note: The Android client does not accept the following settings. Instead, to configure these values, see "Change MDM Agent Settings" in Administering Oracle Mobile Security Suite.
| Element | Description |
|---|---|
|
Display Name |
The name of the MDM profile. |
|
Description |
A brief note on the MDM profile. |
|
Organization Name |
The organization that created the MDM profile. |
| Element | Description |
|---|---|
|
Display Name |
The name of the MDM profile. This value is shown on the device following MDM enrollment. |
|
Description |
A brief note on the MDM profile. |
|
Organization Name |
The organization that created the MDM profile. |
Use this tab to manage prohibited apps on the device. Apps can only be blacklisted on managed devices. Mobile security policies can check for blacklisted apps during enrollment and take action if a blacklisted app is found on the device. Following device enrollment, mobile security policies can check for blacklisted apps and, if one is found, take appropriate action as defined in the policy.
| Element | Description |
|---|---|
|
Refresh/Apply/ |
Click Refresh to update the screen with any changes made on the (back-end) server. Click Apply to save your changes. Click Revert to erase your unsaved changes and restore the screen to its previous state. |
|
View / Add / Remove |
|
|
App Name |
Enter the name of the app package to prohibit on the device. |