If you are thinking of deploying Mobile BI for your enterprise, securing your BI content on mobile devices is probably at the top of your mind. You don’t have to worry much: we know how important that is for you, and hence we have built multiple security features into the app.
Here are some of the important ones:
- First and foremost is the application password.
  - The Mobile BI app is currently secured with an application password (minimum length 8 by default), which the user sets when he uses the application for the first time.
  - The user is prompted for the password after the application has been in the background for more than 5 minutes (the default value, which can be changed).
  - As an additional security measure, the application data is wiped after a specific number of unsuccessful attempts.
  - Administrators can choose to ensure that the device user cannot disable the application password.
- Next is connecting to your enterprise mobile server. This can happen over Wi-Fi, VPN or a data network.
  - In the case of Wi-Fi, no network challenge is encountered, as you are already in the corporate network.
  - In the case of VPN, you either log on manually or the device auto-connects to your VPN when a connection to the mobile server is attempted.
  - In the case of a data network, you are mostly presented with an enterprise authentication challenge, which could be Basic Auth, Form Auth etc.
Note: SSO is supported for the Mobile BI app; more details are available at SAP BI Mobile Server Single Sign On Support.
- Next comes the part where your data packets reach the mobile server. HTTPS must be configured on the mobile server, and the mobile device must trust the certificates of the mobile server (see SAP BusinessObjects Mobile 5.1: Ensure That The Mobile Server is Trusted).
- A user has to be authenticated to Business Objects Enterprise.
  - Only an authenticated user can view/download documents on the mobile device, and only the documents that he has rights to.
  - Authentication is also required even to view documents that have previously been downloaded to the mobile device.
  - If the right to view a document is revoked after the user has downloaded it to the device, the document is automatically removed from device storage on the next refresh.
- As we know, mobile has lots of offline use cases, and many times users do not have access to the network. Hence, they download documents from BIP onto their mobile devices.
  - Administrators can choose whether or not to allow users to save documents to the device.
  - Even if administrators have allowed the storage of documents on the device, some documents can be marked as ‘secure’, and the contents of these documents are never stored on the device.
  - Once downloaded, the documents are sandboxed within the app and are encrypted (a FIPS-approved algorithm is used) before storage on the device. While viewing, these files are loaded and decrypted in memory.
  - Stored documents are deleted (and possibly updated) in the following cases: the documents are updated or refreshed by the user, the documents are deleted by the user, or the connection is deleted by the user.
  - Additionally, there is an option for the product to automatically delete stored documents that are older than nnn days (configured by ‘offlineStorage.ttl’ in client settings).
- Apple automatically takes a screen capture of the active application’s screen before it goes to the background and stores it on the device. Apple does this to show a smooth transition when foregrounding the application. The nature of BI applications makes this behavior a possible security threat; hence this product ensures that only a blank screen gets captured by Apple when the application goes to the background.
- The application uses a small, low-resolution capture of the document view to display as a thumbnail in tile view. However, the product does not create this thumbnail if the document has been marked as ‘secure’.
- The product allows device users to share reports/documents.
  - However, the product only shares a URL to access the actual report (and not the underlying data), so that only authorized and authenticated users continue to have access to the data.
  - The product allows a screen image to be shared, but device users can crop the screen to the desired area and also smudge (or blur) any sensitive data so that it is no longer visually recognizable.
- Definitely, this does not end here. Most enterprise customers need to use MDM apps for managing and securing the traffic from/into the app; the Mobile BI app is already used by customers with solutions like Mocana, Xen Mobile etc.
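
The blank-screen protection for the background screen capture described in the list above can be built on iOS roughly as follows. This is an added example, not the product's own code: the class name `SnapshotShield` is hypothetical, and it assumes UIKit with scene support (iOS 13 or later).

```swift
import UIKit

// Added illustration; SnapshotShield is a hypothetical name, not an SAP API.
// Covers the UI with a blank window before iOS captures the app-switcher
// snapshot, and removes the cover when the app is active again.
final class SnapshotShield {
    private var coverWindow: UIWindow?
    private var observers: [NSObjectProtocol] = []

    // Call once, e.g. from application(_:didFinishLaunchingWithOptions:).
    func install() {
        let center = NotificationCenter.default
        // willResignActive is delivered before the snapshot is taken.
        observers.append(center.addObserver(
            forName: UIApplication.willResignActiveNotification,
            object: nil, queue: .main) { [weak self] _ in self?.show() })
        observers.append(center.addObserver(
            forName: UIApplication.didBecomeActiveNotification,
            object: nil, queue: .main) { [weak self] _ in self?.hide() })
    }

    private func show() {
        guard coverWindow == nil else { return }
        // Pick the scene that is currently on screen.
        let scene = UIApplication.shared.connectedScenes
            .compactMap { $0 as? UIWindowScene }
            .first { $0.activationState == .foregroundActive
                  || $0.activationState == .foregroundInactive }
        guard let windowScene = scene else { return }

        let window = UIWindow(windowScene: windowScene)
        // Sit above alerts so that no report content shows through.
        window.windowLevel = UIWindow.Level(
            rawValue: UIWindow.Level.alert.rawValue + 1)
        let blank = UIViewController()
        blank.view.backgroundColor = .white
        window.rootViewController = blank
        window.isHidden = false
        coverWindow = window
    }

    private func hide() {
        coverWindow?.isHidden = true
        coverWindow = nil   // releasing the window removes it from the scene
    }

    deinit {
        observers.forEach { NotificationCenter.default.removeObserver($0) }
    }
}
```

To check the behaviour on a device, open a report, send the app to the background and confirm that the app switcher shows only the blank cover.
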
In case you want more, have a look at our detailed security guide at SAP BusinessObjects Mobile for iOS – SAP Help Portal Page.