In my previous blog, I explained how to set up the service for app and device management with SAP Cloud Platform Identity Authentication. This blog explains how to enroll mobile devices in the service for app and device management.
End users can be one of two types:
- Managed users – enrolling the device is mandatory. This option is mostly used for company-owned devices. Once a device is enrolled, the app and device management service can apply corporate policies to it, such as remotely installing certificates, configuring email and installing corporate mobile apps. The service manages the device and can even allow administrators to remotely erase data from it. Users enroll their devices through Mobile Place.
Mobile Place is the enterprise app store, similar to Google Play or the Apple App Store. It is accessed via a URL in the mobile browser.
- Unmanaged users – these users do not enroll their devices, so the app & device management service cannot control the devices: no corporate policies are pushed to them and no remote erase is possible. The users still get access to Mobile Place, where they can download corporate apps to their devices.
Assigning Mobile Place Roles to Users
In a production environment, you start by creating a group in the Cloud Platform cockpit under Security > Authorizations. This group is then assigned the Mobile Place Users role.
“Group for Mobile Place” is the new group I created. Assign this group to the Mobile Place Users role under App & Device Management > Configure App & Device Management.
The next step is to map “Group for Mobile Place” to a group in SAP Cloud Platform Identity Authentication.
For this demo, I created a group in Identity Authentication and assigned the user P000050 to it, as shown below. How to make use of LDAP groups is explained later in this blog.
To pass the groups as an assertion attribute, a new attribute called Groups has to be added to the application in Identity Authentication, as shown below. Cloud Platform only evaluates the attribute name it is configured to look for, so the name must be entered exactly as it will appear in the SAML assertion.
In the Cloud Platform cockpit, map “Group for Mobile Place” to “Employees” under Security > Trust.
Since the user P000050 is assigned to the Employees group, he gets access to Mobile Place and is able to enroll his device.
Note that enrollment happens through Mobile Place, so the Mobile Place URL has to be shared with end users. Typically the IT admin sends a welcome email containing the Mobile Place URL; users click the link and open it in their mobile browser.
Below is the enrollment demo: the user enters the Mobile Place URL in a browser, successfully enrolls the device and gets access to Mobile Place.
Mapping User Groups from LDAP
In the example above, I created a user group (Employees) manually in Identity Authentication and assigned users to it. This is not how it works when a user store such as LDAP is connected to Identity Authentication.
Usually the LDAP directory already carries the group memberships. Identity Authentication, however, does not show the groups a user is assigned to in LDAP. For example, if the user Murali is assigned to the group “Managers” in LDAP, Identity Authentication shows no details about that group, as shown below.
So how do we pass these LDAP groups to Cloud Platform so that we can assign roles to them? The solution is to add an additional SAML assertion attribute called Corporate Groups, as shown below.
corporate_groups is then mapped to a Cloud Platform group, where the LDAP group name is entered as the attribute value, as shown below. This gives all users in the LDAP group Managers access to Mobile Place. Enter the group name exactly as LDAP delivers it in the assertion; if the value in the mapping rule does not match the value in the assertion, the user is not added to the Cloud Platform group and gets no Mobile Place role.
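To make the two mapping steps above concrete (the manually maintained Groups attribute mapped to “Group for Mobile Place”, and the LDAP-backed corporate_groups attribute mapped to the same group), here is an added example that models what the Security > Trust mapping and the group-to-role assignment do with an incoming assertion. It is illustrative code written for this blog, not SAP's implementation: the assertion XML is constructed inline, the mapping tables are assumptions that mirror the configuration described above, and the code assumes the assertion's signature has already been verified before any group is trusted.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML}

# Assumed mirror of the Security > Trust mapping rules:
# (assertion attribute name, attribute value) -> Cloud Platform group.
GROUP_MAPPING = {
    ("Groups", "Employees"): "Group for Mobile Place",            # IAS-maintained group
    ("corporate_groups", "Managers"): "Group for Mobile Place",   # LDAP group
}

# Assumed mirror of App & Device Management > Configure App & Device Management:
# Cloud Platform group -> roles granted to its members.
GROUP_ROLES = {
    "Group for Mobile Place": {"Mobile Place Users"},
}


def build_assertion(name_id, attributes):
    """Build a minimal, unsigned SAML 2.0 assertion for a constructed test user.

    `attributes` maps an attribute name to the list of values it carries,
    e.g. {"corporate_groups": ["Managers", "Finance"]}.
    """
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAML}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    statement = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


# Constructed sample: P000050 carries the IAS group "Employees" and two LDAP groups.
SAMPLE_ASSERTION = build_assertion(
    "P000050",
    {"Groups": ["Employees"], "corporate_groups": ["Managers", "Finance"]},
)


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.

    Only call this on an assertion whose XML signature has already been
    validated against the trusted Identity Authentication certificate;
    otherwise anyone could claim any group. For untrusted input in
    production, parse with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
            if v.text
        ]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def platform_groups(attrs, mapping=GROUP_MAPPING):
    """Apply the trust mapping: each matching (name, value) pair yields a platform group."""
    groups = set()
    for name, values in attrs.items():
        for value in values:
            target = mapping.get((name, value))  # exact match, no case folding
            if target:
                groups.add(target)
    return groups


def roles_for(assertion_xml):
    """Resolve the roles a user ends up with after group mapping and role assignment."""
    roles = set()
    for group in platform_groups(extract_attributes(assertion_xml)):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def can_access_mobile_place(assertion_xml):
    return "Mobile Place Users" in roles_for(assertion_xml)


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(roles_for(SAMPLE_ASSERTION))
    # An LDAP group name that differs from the mapping rule grants nothing.
    print(can_access_mobile_place(build_assertion("murali", {"corporate_groups": ["managers"]})))
```

The last call shows the failure mode worth checking when a user reports that Mobile Place denies access: the LDAP group is present in the assertion, but its spelling does not match the value in the mapping rule, so no platform group and no role is derived.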
SAP Cloud Platform Customer Success Team