Mobile device management

From Resco's Wiki
Security Guide



Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers and laptops.

Built-in features

The Resco platform includes some traditional MDM features out of the box. The backend administrator can access the list of connected mobile devices, assign different security policies to users, remotely control, synchronize, or wipe the app on a user's device, and much more. See Enterprise security for more information.

Third-party MDM providers

The Resco Mobile CRM app can be managed by MDM providers, such as Microsoft Intune or MobileIron. Contact your MDM provider to check if they support Resco.

MDM admins can control which version of the Resco app is installed on the managed devices, or even restrict certain features of our app. However, Resco apps require a set of permissions to function; overly strict control can break the app.

MDM also adds another layer of complexity to update and change management. See best practices for upgrading Resco apps for more information.

Essentially, there are two main scenarios for MDM:

  • Distribution
  • Security

App distribution

The main motivators for centralized distribution are:

  • manage the version that users have installed
  • block access to the app store for security reasons

For example, if you have a custom JavaScript solution that you have meticulously tested with a certain version of the app, or a fine-tuned custom integration solution, you might decide to skip some releases so that you don't have to test everything anew. However, to be eligible for Resco support, you need to update your app at least once a year. The operating systems on mobile devices should also be updated at least once a year.

If you want to use MDM for centralized distribution of the app on a larger number of devices, this should not be a problem. To date, the Resco support team has been able to help with any requested MDM solution. In this scenario, the MDM provider should request a custom version of the Resco app, either as an IPA file (iOS) or an APK/AAB file (Android). Resco support will provide a version of the app ready to be signed with the customer's provisioning profile and certificate.

We have received reports from our customers that, in the case of iOS, many have successfully used the app store version of the app for distribution, with no need for a custom installation file from Resco. However, we are happy to provide such custom files if needed. Contact Resco support for more information.

Security

In the case of security, the situation can be more complicated. The common use cases for security features of MDM include:

  • Using key-value pairs to prefill the URL, name, or even password of the CRM
  • Setting up Exchange or SharePoint access
  • Restricting the communication between the managed Resco app and non-managed apps
  • Blocking features like copy/paste, taking screenshots, and much more.

Warning: Keep in mind that if you block email clients, the app cannot send a log file to the support email address.

The process is the same as for distribution: you need a custom IPA/APK/AAB file. However, in this case, the MDM needs to add its custom wrapper to our app. The exact procedure depends on the MDM. Often, this is a website where you upload the app to receive a wrapped version, or there is a program for that. In some cases, a wrapped iOS app needs to be re-signed; sometimes this is done by the wrapping process. The customer and their MDM provider are responsible for the wrapping; Resco support is ready for consultations.

A different option is to use an SDK. The MDM provider gives us their SDK and we have to integrate it into our app. However, this approach is generally discouraged: the SDK is a black box from our point of view and we cannot predict how the code will react, because we use Xamarin. We recommend using key-value pairs in the case of iOS.

For Android and Windows Store versions, we do have an app with an integrated Intune SDK that we can build on demand, without the need for wrapping (in theory, as the MDM requirements can change at any time).

Use enterprise authentication on Windows apps

If you want to use authentication methods like conditional access, user certificates, or reverse proxy on Windows Desktop and Windows Store (UWP) apps, the mobile user needs to enable the Enterprise Authentication switch in the Sync window.

This option delegates the OAuth2 authentication flow to the default browser (which must be managed) and returns the authentication result to the application using the app's URL scheme. Users might see a confirmation dialog after a successful login; they must confirm the redirection to our app to deliver the result back to the synchronization dialog.

Remote Application Management tools

To simplify the initial user access to the Resco app, use push applications via Remote Device Management. Use the parameters listed below in your MDM to keep control over your enterprise mobility.

Note: This is the Apple-defined protocol; therefore, it applies only to iOS users, for all MDM providers. Since iOS version 9.3, the mobile application supports MDM key-value pair provisioning on iOS devices.

You are able to specify the following parameters in your MDM:

UserMode (0: Standard, 1: External, 2: Anonymous, 3: CurrentWinUser, 4: OAuth2)
OrganizationUrl
UserName
Password
Domain
HomeRealm
ADFSUsername
SavePassword (true/false)
ExchangeUrl
ExchangeEmail
ExchangeUserName
ExchangePassword
SharePointServerType (0: SameAsCrm, 1: AD, 2: Online, 3: ADFS)
SharePointUserName
SharePointPassword

Once the above configuration is specified, the application skips the initial tutorial and shows the synchronization window (with the above values pre-filled) on the first run.
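
A pre-deployment check for these key-value pairs, as an added example that is not Resco's or Apple's code. It assumes the MDM holds the app configuration as a plist dictionary; the warning policy (embedded credentials, non-HTTPS URLs, SavePassword enabled) and all sample values are assumptions of this example.

```python
import plistlib

# Parameter names and enumerations exactly as listed on this page.
ALLOWED = {"UserMode", "OrganizationUrl", "UserName", "Password", "Domain",
           "HomeRealm", "ADFSUsername", "SavePassword", "ExchangeUrl",
           "ExchangeEmail", "ExchangeUserName", "ExchangePassword",
           "SharePointServerType", "SharePointUserName", "SharePointPassword"}
ENUMS = {"UserMode": {"0", "1", "2", "3", "4"},
         "SharePointServerType": {"0", "1", "2", "3"}}
SECRETS = {"Password", "ExchangePassword", "SharePointPassword"}
URLS = {"OrganizationUrl", "ExchangeUrl"}

# Constructed sample configuration (hosts and values are made up).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UserMode</key><integer>4</integer>
  <key>OrganizationUrl</key><string>http://crm.example.test</string>
  <key>UserName</key><string>field.tech@example.test</string>
  <key>Password</key><string>constructed-secret</string>
  <key>SavePassword</key><true/>
  <key>SharePointServerType</key><string>7</string>
  <key>ExchangeURL</key><string>https://mail.example.test</string>
</dict></plist>"""

def lint_managed_config(plist_bytes):
    """Return sorted (severity, key, message) findings for one configuration."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        text = str(value).strip()  # assumption: values may be typed or strings
        if key not in ALLOWED:
            findings.append(("error", key, "not a listed parameter (check spelling/case)"))
        elif key in ENUMS and text not in ENUMS[key]:
            findings.append(("error", key, f"value {text!r} is outside the listed options"))
        elif key in SECRETS and text:
            findings.append(("warn", key, "credential embedded in the MDM configuration"))
        elif key in URLS and not text.lower().startswith("https://"):
            findings.append(("warn", key, "URL does not use https"))
        elif key == "SavePassword" and text.lower() not in ("true", "false"):
            findings.append(("error", key, "expected true or false"))
        elif key == "SavePassword" and text.lower() == "true":
            findings.append(("warn", key, "SavePassword enabled; confirm policy allows it"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, key, message in lint_managed_config(SAMPLE):
        print(f"{severity:5} {key}: {message}")
```

Running the check before the configuration is pushed catches misspelled keys and out-of-range enumeration values.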