Appendix I:  SAP Afaria and Kapsel

SAP Afaria is mobile device management software.  Once the SAP Afaria client is installed on a mobile device, the device can be remotely managed.  SAP Afaria can remotely configure and update device settings, monitor compliance with corporate policies, locate a device, manage and install applications, and remotely lock or wipe a managed device.  See SAP Afaria 101: Orientation and SAP Afaria 210: Working with the Self Service Portal for an overview SAP Afaria.

This appendix will demonstrate how an Android Kapsel application can be installed via SAP Afaria, how to use SAP Afaria to specify the Logon plugin’s settings such as server host and port and how SAP Afaria can be used to provide a certificate that the Logon plugin should use for registration with an SAP Mobile Platform server.
The documentation for SAP Afaria is available at SAP Afaria 7 SP4, on Premise and SAP Afaria, cloud edition

Setup
Provisioning Mobile Applications
Provisioning Settings
Provisioning Certificates

Setup

• A 30 day trial version of SAP Afaria can be requested at https://www.sapafaria.com/.
• One option to install SAP Afaria onto a device is to download it from Google Play.
• Before the SAP Afaria client can connect, a SAP Afaria enrollment policy should be created in SAP Afaria Management console.  The policy once created will have an enrollment code which is actually a tinyURL pointing to the SAP Afaria server that identifies the enrollment policy.  This enrollment code will be requested during the install of the SAP Afaria client.  The enrollment policy will be associated with one or more groups.  Each group can have one or more configuration policies which specify the policies to apply to the device.  Each group can also have one or more application policies which make up the list of applications shown to a managed device in the SAP Afaria client.  See SAP Afaria 201 – Provisioning Android Devices for further details of this process.

Provisioning Mobile Applications

Applications can be made available to devices that are managed by SAP Afaria.

• Create a signed apk file of the Logon Sample 2.
  Right-click on the LogonDemo project > Export > Android > Export Android Application.  If needed create a new keystore and key or use an existing one.
  
• Create an SAP Afaria enterprise application policy and configure it as shown in the following screen shots. 
  

  Link the enterprise application policy to a group policy.
  

• Open the SAP Afaria client that is registered to a SAP Afaria group that contains the enterprise application policy and notice that the application is available to be downloaded.
  

  Note that the first screen shown when opening the application is the Registration screen and the user is prompted to enter the registration details.  The next example demonstrates how some of these values can be provided by SAP Afaria.
  

Provisioning Settings

Applications downloaded through SAP Afaria that use the SAP Mobile Application Framework (MAF) component such as the Kapsel Logon plugin can have the settings used to onboard the application with the SAP Mobile Platform server set in the SAP Afaria console.

• Edit the SAP Afaria enterprise application policy and under the Configuration tab, specify a text file containing the settings to be passed to the Logon plugin.   
  

  See the online documentation at Provisioning with Afaria for additional details on the possible settings.

• Uninstall and re-install the app.  Notice that the registration screen does not appear as the settings specified in the enterprise application policy are used.
  

Provisioning Certificates

Follow these steps to use a certificate provided by SAP Afaria which will uniquely identify a user during the SAP Mobile Platform registration process.  See also Device Management Chapter 10 Application Onboarding.

• Determine where the Certificate Authority is that Afaria is configured to use. 
  

  On the machine that matches the Server Address, Start > Administrative Tools > Certificate Authority. 
  

  This is the certificate authority that will be used to sign the client certificate generated by Afaria to uniquely identify the device.

• For the SMP 3.0 server to accept the client certificate during the registration process, it must trust the certificate authority used to sign the client certificate.  The following steps describe how to export the CA used by Afaria and import its public key into the SMP 3.0 keystore.
  Select the certificate authority, right-click and choose All Tasks > Back up CA….
  Transfer the generated p12 file onto the machine where the SMP 3.0 server is located and run

  keytool -exportcert -keystore A7CLOUD-CA.p12 -storetype PKCS12 -alias a7cloud-ca -storepass changeit -file A7CLOUD-CA.cer
  keytool -importcert -alias A7CLOUD-CA -file A7CLOUD-CA.cer -keystore smp_keystore.jks -storepass changeit
  

  Note, the SAP Mobile platform server will need to be restarted following this change.

• Edit the SAP Afaria application policy.
  Create a text file containing the values to be provisioned.

  

  See the online documentation at Provisioning with Afaria for additional details on the possible settings.

• Uninstall and re-install the app.  Notice that the first screen shown requests the SAP Afaria credentials after which a certificate provided by SAP Afaria is passed to the Logon plugin which is then used to register with the SAP Mobile Platform rather than a user id and password as shown in the previous example.
  

  Notice the three registrations, the first one and the second one use the No Authentication Challenge provider while the third registration uses the SAP Afaria provided certificate with the x.509 User Certificate provider.
  

Back to Getting Started With Kapsel