Skip to Content
Author's profile photo Daniel Van Leeuwen

Getting Started with Kapsel – Appendix I — Afaria and Kapsel


Appendix I:  SAP Afaria and Kapsel

SAP Afaria is mobile device management software.  Once the SAP Afaria client is installed on a mobile device, the device can be remotely managed.  SAP Afaria can remotely configure and update device settings, monitor compliance with corporate policies, locate a device, manage and install applications, and remotely lock or wipe a managed device.  See SAP Afaria 101: Orientation and SAP Afaria 210: Working with the Self Service Portal for an overview SAP Afaria.

This appendix will demonstrate how an Android Kapsel application can be installed via SAP Afaria, how to use SAP Afaria to specify the Logon plugin’s settings such as server host and port and how SAP Afaria can be used to provide a certificate that the Logon plugin should use for registration with an SAP Mobile Platform server.
The documentation for SAP Afaria is available at SAP Afaria 7 SP4, on Premise and SAP Afaria, cloud edition

Provisioning Mobile Applications
Provisioning Settings
Provisioning Certificates


  • A 30 day trial version of SAP Afaria can be requested at
  • One option to install SAP Afaria onto a device is to download it from Google Play.
  • Before the SAP Afaria client can connect, a SAP Afaria enrollment policy should be created in SAP Afaria Management console.  The policy once created will have an enrollment code which is actually a tinyURL pointing to the SAP Afaria server that identifies the enrollment policy.  This enrollment code will be requested during the install of the SAP Afaria client.  The enrollment policy will be associated with one or more groups.  Each group can have one or more configuration policies which specify the policies to apply to the device.  Each group can also have one or more application policies which make up the list of applications shown to a managed device in the SAP Afaria client.  See SAP Afaria 201 – Provisioning Android Devices for further details of this process.

Provisioning Mobile Applications

Applications can be made available to devices that are managed by SAP Afaria.

  • Create a signed apk file of the Logon Sample 2.
    Right-click on the LogonDemo project > Export > Android > Export Android Application.  If needed create a new keystore and key or use an existing one.
  • Create an SAP Afaria enterprise application policy and configure it as shown in the following screen shots. 

    Link the enterprise application policy to a group policy.

  • Open the SAP Afaria client that is registered to a SAP Afaria group that contains the enterprise application policy and notice that the application is available to be downloaded.

    Note that the first screen shown when opening the application is the Registration screen and the user is prompted to enter the registration details.  The next example demonstrates how some of these values can be provided by SAP Afaria.

Provisioning Settings

Applications downloaded through SAP Afaria that use the SAP Mobile Application Framework (MAF) component such as the Kapsel Logon plugin can have the settings used to onboard the application with the SAP Mobile Platform server set in the SAP Afaria console.

  • Edit the SAP Afaria enterprise application policy and under the Configuration tab, specify a text file containing the settings to be passed to the Logon plugin.   

    See the online documentation at Provisioning with Afaria for additional details on the possible settings.

  • Uninstall and re-install the app.  Notice that the registration screen does not appear as the settings specified in the enterprise application policy are used.

Provisioning Certificates

Follow these steps to use a certificate provided by SAP Afaria which will uniquely identify a user during the SAP Mobile Platform registration process.  See also Device Management Chapter 10 Application Onboarding.

  • Determine where the Certificate Authority is that Afaria is configured to use. 

    On the machine that matches the Server Address, Start > Administrative Tools > Certificate Authority. 

    This is the certificate authority that will be used to sign the client certificate generated by Afaria to uniquely identify the device.

  • For the SMP 3.0 server to accept the client certificate during the registration process, it must trust the certificate authority used to sign the client certificate.  The following steps describe how to export the CA used by Afaria and import its public key into the SMP 3.0 keystore.
    Select the certificate authority, right-click and choose All Tasks > Back up CA….
    Transfer the generated p12 file onto the machine where the SMP 3.0 server is located and run
    keytool -exportcert -keystore A7CLOUD-CA.p12 -storetype PKCS12 -alias a7cloud-ca -storepass changeit -file A7CLOUD-CA.cer
    keytool -importcert -alias A7CLOUD-CA -file A7CLOUD-CA.cer -keystore smp_keystore.jks -storepass changeit

    Note, the SAP Mobile platform server will need to be restarted following this change.

  • Edit the SAP Afaria application policy.
    Create a text file containing the values to be provisioned.


    See the online documentation at Provisioning with Afaria for additional details on the possible settings.

  • Uninstall and re-install the app.  Notice that the first screen shown requests the SAP Afaria credentials after which a certificate provided by SAP Afaria is passed to the Logon plugin which is then used to register with the SAP Mobile Platform rather than a user id and password as shown in the previous example.

    Notice the three registrations, the first one and the second one use the No Authentication Challenge provider while the third registration uses the SAP Afaria provided certificate with the x.509 User Certificate provider.

Back to Getting Started With Kapsel

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Brenton OCallaghan
      Brenton OCallaghan

      Very useful stuff - thanks for sharing Daniel!


      Author's profile photo Former Member
      Former Member

      Hello at all!

      I have a doubt about that.. Currently we are using Afaria to manage iOS versions of our enterprise but I am confused about the implementation with the AppUpdate kapsel plugin.

      Front-end development is in the device (it is not a web-app or webview) and we are using SMP3 with plugins like a OData or Logon,

      My questions are:

      • how to manage correctly the versions and update app to a newer version using SMP3?
      • Is it necessary to upload in afaria or only in SMP3 "App specific settings" in the bottom of upload? 

      Captura de pantalla 2016-03-10 a las 13.41.15.png

      Thank you very much!!

      Author's profile photo Daniel Van Leeuwen
      Daniel Van Leeuwen
      Blog Post Author

      Are you building a Hybrid /Apache Cordova app?  If so, rather than using an MDM or app store to provide updates to your app, you could use the App Update plugin.  It allows you to update the HTML/JavaScript/CSS/image or www assets of your app.  It requires using an SMP or HCPms server.  There is a separate section of this guide that goes into detail on using the App Update plugin.


      Dan van Leeuwen

      Author's profile photo Former Member
      Former Member

      Thank you for your soon response Dan,  so....will we need afaria to manage the app or not?  I am looking in the SMP3 admin panel and I can upload the "www" folder, resources and etcetera but also I am the owner of the cordova container with, where to upload this container??