Mobile device management

From Resco's Wiki

Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers and laptops.

Built-in features

The Resco platform includes some traditional MDM features out of the box. The backend administrator can access the list of connected mobile devices, assign different security policies to users, remotely control, synchronize, or wipe the app on a user's device, and much more. See Enterprise security for more information.

Third-party MDM providers

The Resco Mobile CRM app can be managed by MDM providers such as Microsoft Intune, Citrix Xen Mobile, or Google Enterprise Distribution. Our App Store / Play Store app can be used for MDM distribution with limited support for security features (see the Security section below). More advanced MDM integration requires requesting a custom mobile app with MDM integration.

MDM admins can control which version of the Resco app is installed on the managed devices, or even restrict certain features of our app. However, Resco apps require a set of permissions to function; overly strict restrictions can break the app.

MDM also adds another layer of complexity to update and change management. See best practices for upgrading Resco apps for more information.

Essentially, there are two main scenarios for MDM:

  • Distribution
  • Security

App distribution

The main motivators for centralized distribution are:

  • manage the version that users have installed
  • block access to the app store for security reasons

For example, if you have a custom JavaScript solution that you have meticulously tested with a certain version of the app, or a fine-tuned custom integration solution, you might decide to skip some releases so that you don't have to test everything anew. However, in order to be eligible for Resco support, you need to update your app at least once a year. Also, the operating systems on mobile devices should be kept up to date at least once a year.

If you want to use MDM for centralized distribution of the app on a larger number of devices, this should not be a problem. To date, the Resco support team has been able to help with any requested MDM solution. In this scenario, the MDM provider should request a custom version of the Resco app, either as an IPA file (iOS) or an APK/AAB file (Android). Resco support will provide a version of the app ready to be signed with the customer's provisioning profile and certificate. In the case of a Custom Mobile App, you have full control over requesting the new version, and you'll be served by our semi-automated build system.

We have received reports from our customers that, in the case of iOS, many have successfully used the App Store version of the app for distribution, with no need for a custom installation file from Resco. However, we are happy to provide such custom files if needed. Contact Resco support for more information.

Security

In the case of security, the situation can be more complicated. The common use cases for security features of MDM include:

  • Using app-specific configuration (key-value pairs) for prefilling the URL, user name, etc. See the App-specific configuration support section below.
  • Setting up Exchange or SharePoint access
  • Restricting the communication between the managed Resco app and non-managed apps
  • App-specific restrictions blocking features like copy/paste, taking screenshots, enforcing encryption, and much more
  • Initiating a private VPN to access protected enterprise resources
  • Enabling conditional access to enterprise resources

Warning: Keep in mind that if you block email clients, the app cannot send a log file to the support email address.

Enabling security features varies across MDM providers and platforms. Some of them (e.g., Citrix on iOS or MS Intune on Android) require the Mobile Application Management (MAM) SDK to be included in the app, while others (e.g., MS Intune on iOS) provide wrapping tools that take the app installation (IPA / APK / AAB) and inject a protection layer at the binary level. Some of the scenarios are described below.

MDM support on iOS

iOS has support for MDM systems built into the operating system. Some of the security features are supported out of the box, even for apps with no specific MDM support. Here is the list of supported security features for specific MDM providers:

Feature                     | Microsoft Intune                                  | Citrix Xen Mobile              | Other MDMs
Deployment                  | AppStore app & custom apps                        | AppStore app & custom apps     | AppStore app & custom apps
App-specific configuration  | AppStore app & custom apps                        | AppStore app & custom apps     | AppStore app & custom apps
App-specific restrictions   | Custom app wrapped with Intune App Wrapping Tool  | Custom app with Citrix MAM SDK | No support
Private VPN support and CA  | Custom app wrapped with Intune App Wrapping Tool  | Custom app with Citrix MAM SDK | No support

MDMs allow you to control which App Store version is downloaded. For example, here are the instructions for Intune MDM: https://learn.microsoft.com/en-us/mem/intune/protect/software-updates-ios

MDM support on Android

Currently, we support only Microsoft Intune and Google Enterprise Distribution on Android. Google Enterprise Distribution is supported without any requirements for the app: even the Google Play store version can be used. Microsoft Intune support requires a custom-built mobile app with MS Intune MAM SDK opted in.

Use enterprise authentication on Windows apps

If you want to use authentication methods like conditional access, user certificates, or reverse proxy on Windows Desktop and Windows Store (UWP) apps, the mobile user needs to enable the Enterprise Authentication switch in the Sync window.

[Screenshot: Mobile device management: Enterprise authentication]

This option delegates the OAuth2 authentication flow to the default browser (which must be managed) and returns the authentication result to the application via the app's URL scheme. Users might see a confirmation dialog after a successful login and must confirm the redirection to our app so that the result is delivered back to the synchronization dialog.

Integrating app with MDM

Integrating the Android app with MDM is straightforward. You can typically choose the Play Store app from the list. In the case of custom mobile apps, choose the “Line-of-business app” option and upload the APK installation produced by our branding process.

Similarly, the iOS App Store app can typically be chosen from the list. It's a bit more complicated in the case of custom mobile apps, because line-of-business distribution on iOS requires re-signing the resulting app with your Apple Developer distribution certificate (see Enterprise deployment on iOS).

Integrating custom iOS app with Microsoft Intune

Microsoft provides the MS Intune App Wrapping Tool for injecting security features into an existing IPA installation. Here is a digest of the MS Intune documentation:

Prerequisites:

  • macOS 12.6 or later with Xcode 13.x (v14.x won't work!)
  • Apple Developer account with a valid distribution certificate, an App ID for the bundle ID (package name) of your custom app, and an in-house provisioning profile for this App ID (an Ad Hoc profile can also be used, but it requires re-signing the app after adding a new device to the team).

Steps:

  1. Request the build of your custom mobile app via Woodford.
  2. Your Resco account manager contacts you to discuss the pricing and approves the build.
  3. Our branding portal makes the new IPA installation based on your mobile app request. You obtain a download link by email. Download the IPA file.
  4. Make sure that you have the distribution certificate with its private key on your Mac. Type the following command in Terminal:
    security find-identity -v -p codesigning
  5. Copy the certificate hash to the clipboard.
  6. Download the provisioning profile for your app and place it in the same folder as the IPA.
  7. Download the MS Intune App Wrapping Tool 19.1.0, unzip it, mount the included DMG file, and copy the “IntuneMAMPackager” folder into ~/Applications.
  8. Open the Terminal app, go to the folder with the IPA, and enter the following command (replace MobileCrm.ipa with the real file name and [CertificateHash] with the hash from the clipboard):
    ~/Applications/IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i MobileCrm.ipa -o MobileCrm-wrapped.ipa -p MobileCrmInHouse.mobileprovision -c [CertificateHash] -v true
  9. Upload the MobileCrm-wrapped.ipa file into Microsoft Endpoint Manager as a line-of-business app.
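As an added example (not Resco's or Microsoft's tooling), this Python helper covers steps 4 to 8 above: it picks the distribution identity's hash out of the "security find-identity" output (a constructed sample is embedded) and assembles the step 8 IntuneMAMPackager command without guessing at the hash by hand. The file names, the team name and the hashes in the sample are assumptions.

```python
"""Helper for steps 4-8 above: pick the distribution certificate hash and
build the IntuneMAMPackager command (added example, not Resco's tooling)."""
import os
import re
import subprocess
from typing import List, Optional

# Constructed sample of `security find-identity -v -p codesigning` output;
# names, team ID and hashes are made up for this example.
SAMPLE_IDENTITIES = """  1) 3B1F0A5E9C2D4B6A8F7E1D0C9B8A7F6E5D4C3B2A "Apple Development: Jane Doe (ABCDE12345)"
  2) A1B2C3D4E5F60718293A4B5C6D7E8F9012345678 "Apple Distribution: Example Corp (ABCDE12345)"
     2 valid identities found
"""

PACKAGER = os.path.expanduser(
    "~/Applications/IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager")
# One identity per line: `<n>) <40-hex SHA-1> "<identity name>"`
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"', re.M)


def distribution_hash(identity_output: str) -> Optional[str]:
    """Step 5: hash of the first distribution identity, or None. Development
    identities also code-sign but cannot produce a line-of-business build."""
    for sha1, name in IDENTITY_RE.findall(identity_output):
        if name.startswith(("Apple Distribution:", "iPhone Distribution:")):
            return sha1
    return None


def wrap_command(ipa: str, profile: str, cert_hash: str) -> List[str]:
    """Step 8: build the argv of the page's command without running it."""
    if not re.fullmatch(r"[0-9A-F]{40}", cert_hash):
        raise ValueError("certificate hash must be 40 hex characters")
    stem = ipa[:-4] if ipa.endswith(".ipa") else ipa
    return [PACKAGER, "-i", ipa, "-o", stem + "-wrapped.ipa", "-p", profile,
            "-c", cert_hash, "-v", "true"]


def run_wrap(ipa: str, profile: str) -> str:
    """Steps 4-8 on a Mac: query the keychain, check inputs, run the tool."""
    out = subprocess.run(["security", "find-identity", "-v", "-p", "codesigning"],
                         capture_output=True, text=True, check=True).stdout
    cert_hash = distribution_hash(out)
    if cert_hash is None:
        raise RuntimeError("no distribution identity with a private key in the keychain")
    for path in (ipa, profile):  # both must sit in the current folder (steps 6 and 8)
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    subprocess.run(wrap_command(ipa, profile, cert_hash), check=True)
    return cert_hash
```

Only run_wrap touches the keychain and the packager; the other two functions can be tried anywhere.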

Integrating custom iOS app with Citrix XenMobile

Citrix provides a MAM SDK that implements security features in apps. The SDK isn't part of our App Store app, but it can be incorporated into custom mobile apps. Make sure to enable Include Citrix MAM SDK before requesting a new custom app build. If you also provided a valid distribution certificate and provisioning profile, the resulting IPA installation should be suitable for side-loading onto your devices. Otherwise, you must re-sign the IPA with your certificate and provisioning profile (see Enterprise deployment on iOS).

However, Citrix Endpoint Management doesn't support IPA installation; it requires a wrapped MDX envelope. To produce one, complete the following steps:

Prerequisites:

  • macOS 12.6 or later with Xcode 13+
  • Citrix MAMSDK_iOS.zip file from GitHub releases

Steps:

  1. Request the build of your custom mobile app via Woodford.
  2. Your Resco account manager contacts you to discuss the pricing and approves the build.
  3. Our branding portal makes the new IPA installation based on your mobile app request. You obtain a download link by email. Download the IPA file.
  4. If you haven't provided the distribution certificate and provisioning profile in the Mobile Apps config, re-sign the IPA file with your distribution certificate (see Enterprise deployment on iOS).
  5. Unpack the MAM SDK and copy the MobileCrm.ipa file into the SDK root folder.
  6. Download the MDX generator script and unpack it into the same folder.
  7. Open the Terminal app, go to the MAM SDK root folder (command cd [folderpath]), and enter the following command:
    ./generate_mdx MobileCrm.ipa
  8. Upload the MobileCrm_Full.mdx file into Citrix Endpoint Management and configure the specific app details and policy settings that the Endpoint Management Store enforces.

Windows UWP for sideloading

If you need the latest version of the Microsoft Store edition of Resco Mobile CRM without using the store, in a form suitable for sideloading, you can download it from the Resco website.

App-specific configuration support

App-specific configuration can be used to pre-initialize newly deployed apps with user- or organization-specific details (e.g., the organization URL or user name).

The Mobile CRM app (and custom apps as well) supports app-specific configuration on iOS inherently, as it is incorporated in the iOS API. Some MDM providers (such as MS Intune) support the native Apple plist dictionary format for configuration (Intune section App-specific config for managed iOS devices). This is sample content of the plist file with all key-value pairs supported by the Resco Mobile CRM app:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
            <key>UserMode</key>
            <integer>0</integer>    <!-- 0=Standard User, 1=External User, 2=Anonymous User, 3=Current Windows User, 4=OAuth2-->
            <key>OrganizationUrl</key>
            <string></string>
            <key>UserName</key>
            <string></string>
            <key>Password</key>
            <string></string>
            <key>Domain</key>
            <string></string>
            <key>HomeRealm</key>
            <string></string>
            <key>ADFSUsername</key>
            <string></string>
            <key>SharePointServerType</key>
            <integer>0</integer>    <!-- 0=Same As CRM, 1=Active Directory, 2=Online (MS Office 365), 3=ADFS-->
            <key>SharePointUserName</key>
            <string></string>
            <key>SharePointPassword</key>
            <string></string>
            <key>ExchangeUrl</key>
            <string></string>
            <key>ExchangeEmail</key>
            <string></string>
            <key>ExchangeUserName</key>
            <string></string>
            <key>ExchangePassword</key>
            <string></string>
            <key>SavePassword</key>
            <string>false</string>
</dict>
</plist>

App-specific configuration for managed apps on Android is limited to custom apps with MDM-specific support (having the MS Intune MAM SDK included). Such apps consume app-specific configuration in the form of key-value pairs from the following list:

Key                      | Value
UserMode                 | Integer value (0: Standard, 1: External, 2: Anonymous, 3: CurrentWinUser, 4: OAuth2)
OrganizationUrl          |
UserName                 |
Password                 |
Domain                   |
HomeRealm                |
ADFSUsername             |
SavePassword             | Boolean value (true/false)
EnterpriseAuthentication | Boolean value (true/false)
ExchangeUrl              |
ExchangeEmail            |
ExchangeUserName         |
ExchangePassword         |
SharePointServerType     | Integer value (0: SameAsCrm, 1: AD, 2: Online, 3: ADFS)
SharePointUserName       |
SharePointPassword       |

The same key/value pairs can be used for Windows Store app configuration.
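An added example, not Resco's code, that serves both the iOS plist sample above and the Android/Windows key list: it validates a configuration against the supported keys and value ranges, writes the iOS plist with plistlib, and emits the same settings as the key-value pairs entered for Android or Windows Store apps. Refusing to embed passwords by default is this example's own check, not a Resco requirement; managed app configuration is plain key-value data pushed to the device.

```python
"""Build and validate Resco app-specific configuration for MDM (added example)."""
import plistlib
from typing import Any, Dict

# Keys taken from the iOS plist sample and the Android/Windows key list above.
STRING_KEYS = {"OrganizationUrl", "UserName", "Password", "Domain", "HomeRealm",
               "ADFSUsername", "SharePointUserName", "SharePointPassword",
               "ExchangeUrl", "ExchangeEmail", "ExchangeUserName", "ExchangePassword"}
INT_KEYS = {"UserMode": range(5), "SharePointServerType": range(4)}
BOOL_KEYS = {"SavePassword", "EnterpriseAuthentication"}  # the latter: Android/Windows only


def validate_config(cfg: Dict[str, Any], allow_secrets: bool = False) -> Dict[str, Any]:
    """Return a validated copy of cfg; raise ValueError on unsupported keys or values.
    Password-type keys are refused unless allow_secrets=True, because managed app
    configuration is plain key-value data on the device, not a credential store."""
    out: Dict[str, Any] = {}
    for key, value in cfg.items():
        if key in INT_KEYS:
            if isinstance(value, bool) or not isinstance(value, int) or value not in INT_KEYS[key]:
                raise ValueError(f"{key} must be an integer 0..{INT_KEYS[key][-1]}")
        elif key in BOOL_KEYS:
            if not isinstance(value, bool):
                raise ValueError(f"{key} must be true or false")
        elif key in STRING_KEYS:
            if not isinstance(value, str):
                raise ValueError(f"{key} must be a string")
            if key.endswith("Password") and value and not allow_secrets:
                raise ValueError(f"refusing to embed {key} in app configuration")
        else:
            raise ValueError(f"unsupported key: {key}")
        out[key] = value
    return out


def ios_plist(cfg: Dict[str, Any], allow_secrets: bool = False) -> bytes:
    """Serialise to the Apple plist dictionary format used for managed iOS devices."""
    data = validate_config(cfg, allow_secrets)
    # The sample above carries SavePassword as <string>false</string> rather than a
    # plist boolean; keep that representation so the app parses it identically.
    if "SavePassword" in data:
        data["SavePassword"] = "true" if data["SavePassword"] else "false"
    return plistlib.dumps(data, fmt=plistlib.FMT_XML, sort_keys=False)


def app_config_pairs(cfg: Dict[str, Any], allow_secrets: bool = False) -> Dict[str, str]:
    """Key-value pairs as entered for Android (MAM SDK apps) or the Windows Store app."""
    return {k: (str(v).lower() if isinstance(v, bool) else str(v))
            for k, v in validate_config(cfg, allow_secrets).items()}
```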