SAP Best Practices™ for SAP Mobile Secure Cloud Configuration March 2015 © 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. 
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


SAP Best Practices™ for SAP Mobile Secure Cloud Configuration March 2015


TABLE OF CONTENTS

1 PURPOSE
2 PREPARATION
2.1 Prerequisites
3 ENTERPRISE CONNECTIVITY
4 CONFIGURING SINGLE SIGN-ON
5 CONFIGURING SAP MOBILE SECURE FOR VARIOUS MOBILE OS
5.1 Apple MDM (Mobile Device Management) Certificate
5.2 Google Cloud Messaging (GCM) for Android
5.3 Windows Phone 8

1 PURPOSE

This building block contains the basic configuration activities for the SAP Mobile Secure Cloud edition. The diversity of mobile enterprise use cases may require a number of device types and mobile operating systems to be supported in your organization. This guide provides detailed configuration steps to assist you.

2 PREPARATION

This document is intended for system administrators and mobility consultants. It assumes that you are familiar with the SAP Mobile Secure product portfolio and/or the components you intend to deploy in the cloud edition: SAP Afaria or SAP Mobile Application Protection by Mocana. You should also be knowledgeable about the device types and mobile operating systems you plan to support in your organization.

2.1 Prerequisites

The following table describes the requirements to be addressed prior to proceeding with configuring your SAP Mobile Secure cloud instance:

| Document | Description |
| --- | --- |
| Requirements Document for SAP Mobile Secure Cloud | http://help.sap.com/Download/Multimedia/pdf-mobilesecure/Mobile_Secure_Cloud_System_Requirements.pdf |
| Quick Guide – SAP Mobile Secure Cloud rapid-deployment solution | This document is the starting point for the solution deployment. You will need to complete this before proceeding. |

3 ENTERPRISE CONNECTIVITY

You can run SAP Mobile Secure in the cloud as a complete, self-sufficient Mobile Enterprise Management solution. However, if your organization has invested in Microsoft Active Directory (AD) to manage users, their roles and authorizations, you can leverage AD for your Mobile Secure deployment. This section guides you through the process of securely connecting the enterprise’s Active Directory to the Mobile Secure instance in the cloud.

If you wish to connect your SAP Mobile Secure cloud instance to enterprise network services such as Microsoft Certificate Authority, SMTP, or LDAP/Active Directory, perform the configuration below.

1. Log into the SAP Mobile Secure cloud Admin Portal at https://portal.sapmobilesecure.com

2. Navigate to Account Enterprise Access.

3. Select Get Started.

4. As Enterprise Connectivity is constantly changing, select System Requirements and Installation Instructions. Follow the instructions within.

5. Once you have configured the connection, perform a connection test to ensure your configuration works correctly.

4 CONFIGURING SINGLE SIGN-ON

Simplicity and user convenience are key to good adoption of enterprise-secure mobility programs. With a single authorization step, Single Sign-On allows mobile users to access all enterprise resources they are authorized for, such as the SAP Mobile Place, without being prompted to log in again at each of them. For the convenience of your mobile users, you may want to configure Single Sign-On. Before proceeding, you will need to contact your network administrator for the required IdP metadata file or a URL to that file.

1. Log into the SAP Mobile Secure Cloud Admin Portal.

2. Navigate to Account Enterprise Access.

3. Select Single Sign-on.

4. Select your method of locating the IdP file by choosing either Load from URL or Read from file.

5. Review the configuration and select Apply Changes.

6. Select Download to download the metadata.

7. Provide the metadata to your network administrator.

8. To test the Single Sign-On, navigate to SAP Mobile Place. You should be logged in automatically or redirected to the IdP login page to log in.

5 CONFIGURING SAP MOBILE SECURE FOR VARIOUS MOBILE OS

In this section you will configure your SAP Mobile Secure cloud instance to work with various mobile operating systems.

5.1 Apple MDM (Mobile Device Management) Certificate

The purpose of this activity is to generate an Apple MDM Certificate. This certificate is required to manage iOS devices.

1. Log into the SAP Mobile Secure Cloud Admin Portal.

2. Navigate to Devices Settings.

3. Under Step 1. Download a signed CSR, select Download.

Note: You will be prompted to download a file with an extension of .scsr. Take note of the download location as you will need to locate this file later.

4. Select the hyperlink in Step 2. Request certificate.

5. Log into the Apple Push Certificate Portal with your enterprise account Apple ID.

Note: It is recommended to use an Enterprise Account (not your personal Apple ID).

Note: This certificate has to be renewed annually.

6. Once you are logged in, select Create a Certificate.

7. Read and accept Apple’s Terms of Use.

8. In the Note section, enter a description.

9. Select Choose File.

10. Browse and select the .scsr file downloaded earlier.

11. Once the file is loaded, select Upload.

12. Once you have finished, select Download to download your Apple MDM Push Certificate.

Note: You will be prompted to download a .PEM file. Take note of the location as you will need it later on.

13. Return to Device Settings in the SAP Mobile Secure Cloud Admin Portal.

14. On Step 3. Upload certificate and install to SAP Afaria, select Choose File.

15. Browse and select the .PEM file from the location where you saved it in step 9 above.

16. Once the file is uploaded, select Upload and Install.

5.2 Google Cloud Messaging (GCM) for Android

The purpose of this activity is to create a Google Cloud Messaging account. This account is required to manage Android devices.

1. Navigate to the Google Cloud Messaging for Android portal.

Note: http://developer.android.com/google/gcm/gs.html

2. On Step 1. Open the Google Developer Console, select the hyperlink to begin.

3. Enter your Google enterprise Account.

Note: It is recommended to use an Enterprise Account, not your personal Google Account.

4. Select Create Project.

Android for Work

By the time this documentation is published, Google and SAP will have announced Android for Work, which comprises enterprise-secure containers and hardened OS versions to better support enterprises in managing Android devices using enterprise-grade Mobile Device Management systems like SAP Mobile Secure. Stay tuned for more information on sapmobilesecure.com as the Android for Work campaign is jointly being rolled out by Google and SAP.

5. Enter the following and choose Create.

Note: Project ID is a unique identifier.

6. Once the project is created, select APIs.

7. Scroll down until you find Google Cloud Messaging for Android and select OFF.

8. Read and accept the Google APIs Terms of Service.

9. Once complete, select Credentials.

10. From the Public API access, select Create new Key.

11. Select Server Key.

12. Select Create.

13. Take note of the API Key as you will need it for configuration.

14. Select Overview.

15. Take note of your Project ID as you will need it for configuration.

16. Return to the SAP Mobile Secure Cloud Admin Portal and navigate to Devices Administration.

17. On the Afaria Admin, navigate to Server Configuration Component GCM Server.

18. Select the checkbox to enable GCM, enter the GCM Project ID and GCM API Key and select Save.

19. Once saved, navigate to Policy Type (filter) Enrollment.

20. Select the Android Enrollment Policy and choose the Edit icon.

21. Select General.

22. Select the checkbox GCM Project ID to enable GCM.

23. Save the policy.

5.3 Windows Phone 8

The Microsoft Windows 8 device management protocol supports the distribution, management, and removal of Windows Phone 8 applications, but only if the applications were distributed through an Afaria client and if all applications, including the Afaria client, were signed with the same certificate. Find the guide for acquiring and implementing the Windows Phone 8 certificate at: http://help.sap.com/Download/Multimedia/zip-afaria/WindowsPhone_Enterprise_Client_Signing.pdf.
