
In my previous blog, I wrote about using Afaria and how simple the process is to enroll a device and deploy an application. In the slide deck from SAP shown below, there are four aspects to “SAP Mobile Secure”: Devices, Application, Content and Communication.


/wp-content/uploads/2013/08/1_255737.jpg

                                   (Slide deck from SAP Afaria Product Road Map (Road Map Revision: 2013.05.21))

Securing a device is primarily done using an MDM such as Afaria. It is capable of handling certificates, VPN, passwords, Wi-Fi access etc., but it is device focused and is used to deploy applications. Today, mobile device sales have surpassed PC sales and there is an ever-growing number of applications. In a typical BYOD scenario, IT administrators face the challenge of dealing with devices that carry both personal and corporate applications.

To secure applications (primarily the corporate ones) there are several approaches.

  1. One could write custom security code into each application. This would be a mammoth task and is not a practical approach.
  2. Containers with SDK: applications are placed into a container provided by a vendor and are built against the container’s SDK. The container launches a virtual environment from which users access the applications. All interaction between users and these applications takes place within the container and its encrypted data store; mobile apps that reside outside the container cannot access that store.
  3. Application wrapping: also a form of containerization. This approach does not require an SDK to reprogram the original app code; instead it patches the app’s executable with security libraries that control how data is stored, shared and transported. Because the binary is modified after it was built, the wrapped app has to be re-signed before it can be distributed.
  4. Virtualization: the app is only rendered on the device, while the actual execution of the app and the storage of its data happen in a remote environment.

A few months back, SAP announced a partnership with Mocana to resell one of the leading mobile security products, Mobile App Protection (MAP). MAP is based on application wrapping and is very easy to use: zero coding, no SDK, no client needed on the device, and it is MDM agnostic. It is ideal for a BYOD scenario where you want to separate personal and corporate data. It has a simple web-based UI that handles iOS and Android applications.

When you launch MAP, the Home tab lists the uploaded applications, the policies applied and the users who can access the system.

/wp-content/uploads/2013/08/2_255738.jpg

The Applications tab lists all the applications uploaded to the system. You can also upload new applications from this tab.

/wp-content/uploads/2013/08/3_255739.jpg

The Policies tab lists the 13 policies that can be applied to any application.

/wp-content/uploads/2013/08/4_255743.jpg

I shall briefly explain what each policy does.

  • App Expiration: sets a start and end date for access to an application.
  • Copy-Paste Protection: prevents copying data from a wrapped application into any unwrapped application, mainly to prevent corporate data leakage.
  • Data Wipe: remotely wipes the data held by an app.
  • Encrypted Data at Rest: data is encrypted before it is saved to the device and decrypted when it is retrieved.
  • FIPS 140-2 Module: the wrapped app performs its cryptography with a FIPS 140-2 validated cryptographic module.
  • Geo-Fencing: defines the geographic area in which the app is allowed to run. If the device leaves this zone, the app stops working.
  • Jailbreaking/Rooting Detection: prevents the app from running on jailbroken or rooted devices.
  • Location Masking: prevents the device’s real location from being passed to the app. You can configure it to always return one fixed value or a random value.
  • Lockout Recovery: an application is locked when the user enters an invalid passphrase (password). This policy lets an administrator go into the application and unlock it.
  • Per-Application VPN: provides an exclusive VPN tunnel only to the designated wrapped application. Other apps have no access to this VPN.
  • Require Passphrase: requires a passphrase (password) to gain access to the application.
  • Smart Firewall: the application can be forced to communicate only with a trusted server over SSL/TLS. This is done with a technique called “certificate pinning”: the app accepts only a server certificate (or server public key) that matches a pin configured at wrap time, so a certificate issued by any other CA, including a compromised or rogue one, is rejected. In practice, pin the server’s public key rather than the whole certificate and keep a backup pin, or a routine certificate renewal will lock users out of the app.
  • User Agreement: displays a disclaimer or license agreement when the user launches the app. Only after acceptance is the app displayed.
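To make the Smart Firewall policy concrete, here is an added example (written for this page, not Mocana’s or SAP’s code) of the check that certificate pinning performs inside an app. It extracts the SubjectPublicKeyInfo from a DER certificate with a small DER walker, hashes it into the base64 pin format that common pinning libraries use, and refuses a TLS connection whose leaf key is not in the pin set. The host name, the pin set and the self-built certificate are constructed for the example; the certificate is structurally valid but unsigned, so it exercises only the pin check, not chain validation.

```python
import base64
import hashlib
import socket
import ssl

# Assumed host for illustration; not from the post.
PINNED_HOST = "api.example.internal"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV from an X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)             # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                           # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    tag, _, end = _read_tlv(tbs, pos)            # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return tbs[start:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin value an app is configured with."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """True only if the leaf certificate's SPKI hash is in the configured pin set."""
    return spki_pin(cert_der) in pins


def pinned_connect(host, port, pins, timeout=5.0):
    """Open a TLS connection and fail closed unless the peer's SPKI is pinned.

    Normal chain validation and hostname checking stay on; pinning is applied on top.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"SPKI pin mismatch for {host}: got {spki_pin(leaf)}")
    return tls


# Constructed test vector: a certificate with the real X.509 layout but a dummy key
# and dummy signature, so the example runs offline.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_fake_cert(pubkey_bytes):
    """Return (certificate DER, SPKI DER) built around the given dummy key bytes."""
    rsa_alg = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"   # rsaEncryption OID + NULL
    spki = _tlv(0x30, _tlv(0x30, rsa_alg) + _tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))       # version v3
           + _tlv(0x02, b"\x01")                  # serialNumber
           + _tlv(0x30, rsa_alg)                  # signature AlgorithmIdentifier
           + _tlv(0x30, b"")                      # issuer (empty for the example)
           + _tlv(0x30, b"")                      # validity (empty for the example)
           + _tlv(0x30, b"")                      # subject (empty for the example)
           + spki)
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, rsa_alg) + _tlv(0x03, b"\x00\xAA\xAA\xAA"))
    return cert, spki


if __name__ == "__main__":
    cert, spki = build_fake_cert(b"\x01" * 300)
    pins = {spki_pin(cert)}                      # primary pin; add a backup pin for the next key
    print("pin:", spki_pin(cert), "match:", pin_matches(cert, pins))
```

Pinning the SubjectPublicKeyInfo rather than the full certificate is what lets the server renew its certificate with the same key pair without locking out already-wrapped apps; a second, backup pin for the next key covers the day the key itself is rotated.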

The App Federation tab lets you define a trusted collection of apps that can share data and have common settings (App Expiration, Copy-Paste Protection, Geo-Fencing, Location Masking, User Agreement etc.).

The steps to convert your enterprise app into a wrapped enterprise app are very simple. From the Applications tab, upload an application (.ipa or .apk) and then select it. You will see options for all 13 policies. Once you have enabled the policies you need, save and download the wrapped file.

You can then use Afaria to distribute the wrapped application to devices by creating an application policy that refers to this .apk or .ipa file.

As part of the product roadmap, the SAP Afaria team has announced that integration with app containerization (Mocana and Samsung KNOX) will follow in the near future.

Hope you found this useful.


3 Comments


  1. Simon Kemp

    Nice summary Murali,

    I had heard about Mocana but hadn’t had any chance to look into it yet. Seems like a useful tool – but does Afaria not already have many of these features? Can you also just use Mocana to distribute the app to devices?

    Thanks for sharing.

    1. Murali Shanmugham Post author

      Thanks Simon. Yes, there are a few overlaps – Jailbreak detection, location services etc. My understanding is that Afaria is device focused rather than application specific. The security features in Afaria are clubbed into a configuration policy and passed on to the device. With the introduction of AES concepts, more application management features were being delivered by Afaria. But again these were at a device level rather than for a specific application.

      I have read a few articles where they mentioned it’s going to be increasingly challenging to manage BYOD devices using an MDM alone. All the top MDM vendors are now investing in Mobile Application Management, making it easier to focus on and protect business context applications.

      As far as I can recall, Mocana wouldn’t be able to distribute the apps to devices. Users can open the Mocana App catalog from their mobile devices and download the apps.

  2. Navin K Pal

    Thanks Simon.

    It’s very useful information. Actually we have been looking into this area for the last couple of days.

    Keep sharing.

    Regards

    Navin

