Best Practices for deploying the mobile service for SAP Fiori apps – Part 3
In Part 2 of this three-part series, we discussed how customers who wish to do so can use SAP’s app management solution as part of the mobile service for SAP Fiori. But as that blog indicated, many customers already have an EMM solution in place. For this reason we often get asked how the Fiori mobile service can work together with their EMM provider of choice.
Way back in Part 1, we also introduced the design principle on which Fiori mobile was built: while we need to have a solution that customers can use, there is nothing in the product that requires the customer to use it. This final part of the blog series covers in more detail how customers can use Fiori mobile with their existing EMM solution.
Download and transfer
The easiest way for the mobile service for SAP Fiori to integrate with a third-party EMM is through a simple Download and Transfer approach. In this model, the application is built using the Fiori mobile service and has its mobile qualities managed by the service (including the ability to manage security settings, log level, understand usage, etc.), but the app is deployed by the EMM vendor of choice.
To do this, once the app is built, simply navigate into the Platforms tab and click on the Action icon (it looks like a gear). In the popup menu, you will see a Download Binary option:
Once the download is complete, upload the app into your EMM provider’s app catalog and distribute as desired. DONE!
But let’s not stop there. For certain EMM providers we can do a little more. For example, as announced by Senthil Krishnapillai and Brad Anderson in their joint blog SAP Fiori Mobile – Microsoft Intune Integration is Finally Here!, Fiori mobile can inject the Intune MAM plugin during the build process. The plugin will automatically activate when the app is launched. In this model there are actually two modes that are supported: MAM-mode and MDM-mode. In MAM-mode the app can be deployed from SAP Mobile Place if desired. When the app is launched, the user will be prompted to enter their Azure credentials. Once authenticated, the app will retrieve its MAM policies from Intune (things like DLP, app password, data encryption and more). If the app is deployed via the Intune software (via the Download and Transfer process), the settings are deployed via MDM and the policies will already be in place when the app is launched, so they take effect immediately.
If you look at the SAP Fiori roadmap and find the mobile service for SAP Fiori section, you will see that additional capabilities and vendors will be released at a future date and time.
One additional option for iOS
Some of our customers are focused on supporting iOS devices only. For these scenarios, customers can deploy the app through SAP Mobile Place, but still manage access to the app through the EMM provider. But how does that magic happen? The secret has to do with how the app is signed.
The mobile service for SAP Fiori has as a feature the ability to store signing profiles. This includes the signing certificate and passphrase and an optional provisioning profile:
The provisioning profile is key. If the provisioning profile is specified as part of the signing profile, then it is embedded in the application during the signing process and cannot be managed externally. If the provisioning profile is not included in the definition of your signing profile, you are left with a challenge: somehow, the provisioning profile has to get onto the device, because if it is not installed on the device the app will not run. And that’s where the EMM provider comes in. You can deploy the app through Mobile Place, but manage the provisioning profile through the EMM provider. As part of the compliance process for the device, the profile can be installed and the app will run. If the device falls out of management at any point, the provisioning profile will be removed and the app will no longer function.
It is important to note in this scenario that the app will continue to reside on the device, and if data is stored locally it will still be there. So this may not be an option in all cases.
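To confirm which of the two signing cases a downloaded binary falls into, you can look for the profile inside the .ipa before distributing it. The following is an added example, not code from the original post or from SAP; it relies on the standard iOS bundle location Payload/<App>.app/embedded.mobileprovision, its function names are hypothetical, and the sample IPA it builds is constructed rather than a real signed app.

```python
import io
import plistlib
import re
import zipfile

# Standard location of a provisioning profile inside a signed iOS app bundle.
PROFILE_RE = re.compile(r"^Payload/[^/]+\.app/embedded\.mobileprovision$")


def embedded_profile(ipa_bytes):
    """Return the embedded provisioning profile as a dict, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            if PROFILE_RE.match(name):
                blob = ipa.read(name)
                # The profile is a CMS-signed blob wrapping an XML plist.
                # Only the plist is cut out; the signature is NOT verified.
                start = blob.find(b"<?xml")
                end = blob.find(b"</plist>")
                if start == -1 or end == -1:
                    raise ValueError("profile present but no plist found")
                return plistlib.loads(blob[start:end + len(b"</plist>")])
    return None


def deployment_mode(ipa_bytes):
    """Classify a binary for the iOS scenario described in the text."""
    profile = embedded_profile(ipa_bytes)
    if profile is None:
        return "profile-not-embedded: EMM must install the profile"
    return "profile-embedded: %s" % profile.get("Name", "?")


def _sample_ipa(with_profile):
    """Build a constructed sample IPA in memory (not a real signed app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = plistlib.dumps({"CFBundleIdentifier": "com.example.demo"})
        z.writestr("Payload/Demo.app/Info.plist", info)
        if with_profile:
            plist = plistlib.dumps({"Name": "Demo In-House"})
            fake_cms = b"\x30\x82\x00\x00" + plist + b"\x00\x00"
            z.writestr("Payload/Demo.app/embedded.mobileprovision", fake_cms)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(deployment_mode(_sample_ipa(flag)))
```

A binary reported as profile-embedded will keep running after the device leaves management, so only the profile-not-embedded case gives the EMM the control described above.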
There you have it. Three different (four actually) ways to install and manage apps created from the mobile service for SAP Fiori. Pick the one that works best for you given your current and future EMM landscape.
Thanks for an informative and easy to digest series...
Perhaps Part 4 or another series on the SSO options for the Fiori Mobile Service?
Paul - thanks for the feedback - that sounds like a great idea!