Device control

From Resco's Wiki
(Redirected from Security policy)
Jump to navigation Jump to search

Administrators can use Woodford to display and manage devices synchronized with your CRM. You can see what app version are the mobile users using, when they have synced their app, and how did the sync go. Admins can also remotely lock or wipe the app for mobile users, or assign security policies to users. To read more about the MDM features built-in in the Resco platform from a business point of view, see enterprise security.

Select Device control from the Administration menu of Woodford to display:

  • list of security policies
  • list of devices associated with each security policy

Toggle the arrow in the security policy line to show or hide devices using that policy.

Device details

The following information is available about each connected device.

Device control overview

Current User, Business Unit
Name of the user currently using the device and their business unit
Device Name
Name of the device; click the device name to display also the ID and the operating system of the device
App Version
Version of the Resco Mobile CRM app installed on the device
Lock, Wipe, Full Sync
Tools for remote management of devices
Device State
State of the device’s security (OK, locked, or wiped)
Synchronized On
Date of the most recent synchronization.
Sync Result
Icon showing the result of the last sync. Click the icon to access the most recent synchronization logs.
Device control:Sync result
Sync Stats
Shows the most important statistics of the last sync.

Check Lock if you want to lock the application on a particular device. Locked application does not start.

Check Wipe if you want to delete the local database on a device, including server URL and user credentials.

Check Full Sync if you want to ensure that the next synchronization of that device will be a full synchronization. This checkbox will be disabled automatically after full synchronization finishes. What will happen is that the user changes will be uploaded, local Mobile CRM app database will be deleted and initial, full synchronization will be performed. If there are unsynchronized changes or Sync Errors, i.e., synchronization conflicts waiting for resolving, Force Full Sync will not be performed until these conflicts are resolved.

  • In some situations, for example, if there's an error in the app project, or when server metadata change without updating the app project, it can happen that local data cannot be uploaded. In these cases, you can check Full Sync and then click Force and Discard Device Changes to ignore local changes completely.

If there is a permission change on user’s security role, this change will be applied only with full synchronization. The easiest way to get these changes applied, is to use the Force Full Sync for all devices that users with the updated security role are using.

Note With Android and iOS platforms, the push notifications are used for the Lock and Wipe and the device is Locked or Wiped out immediately (or after application start) when the device connects to the internet. Other platforms require performing synchronization or changing the Security policy.

Toolbar functions

New Policy
Create a new security policy.
Edit
When you edit a device, you can select a different security policy, lock, wipe, or force full synchronization.
When you edit a policy, you can edit its settings.
Delete
When you delete a device, the device is assigned the default policy when the device next synchronizes with the server.
When you delete a security policy, you need to assign devices to another policy. Security policy cannot be deleted if there are devices assigned to it.
Export
Download a .csv file with the list of devices.
Sync Log
Display a list of synchronization logs of a device.

Security policy

Device control:security policy
Create security policies

A security policy is a set of properties that are applied to all devices for which the policy is set.

Security policy properties are in these groups:

Application Session
Require Login after X minutes of inactivity – After defined time in minutes, the Mobile CRM application asks for the password to continue using it.
Check Security Policy
At Application Login – Mobile CRM application checks whether there is a change in the security policy at the application login. Login is performed either at the start of the application or if user enters a password to log in to the application.
Every X Hours – Security Policy is checked periodically after defined time in hours.
Note If none of these options are used, the policy is downloaded only at synchronization.
Lock Application
Lock Application – If this option is enabled, all devices under this policy will be locked and the application cannot be used unless the device has a different policy assigned.
If no server contact after X hours – Application is locked if it did not connect to the CRM server either in matter of checking the policy or synchronization, or online mode access. The application can be unlocked by entering the correct password. Also, internet access is required in this case.
During non-business hours – Application is locked if the current time is outside of the given interval.
Invalid password X times – If a wrong login password is entered for a specified number of times, the Mobile CRM application locks up (Admin lock) and can be unlocked in the Woodford’s Security list of devices. The locked device will have a Lock checkbox enabled and needs to be unchecked.
Wipe Application
Wipe Application – If this option is enabled, all devices under this policy are wiped, even if the user tries to synchronize the Mobile CRM with the server.
If no server contact after X hours – The device’s local Mobile CRM database is wiped out if the application does not contact server after the specified number of hours.
Invalid password X times – The device’s local Mobile CRM database is wiped out after entering a wrong password for a specified number of times.

Migration
If you are migrating your backend from an on-premises database to the cloud, this function allows your mobile users to switch seamlessly from the old URL to the new one. Mobile users don't have to perform any extra action and the change does not require full sync. Limitations apply, such as:
  • Old server database must be physically copied to the new location. Rowversion must stay the same.
  • The old and new server (URL) must use OAuth2 mode with the same user identity.
When, while synchronizing in the configured time frame, a mobile device with this security policy fails to connect to the old server (don't use redirects!), the device automatically tries to connect to the new URL.
Contact Resco support.

Assign devices to policies

To assign a mobile device to a security policy:

  1. Select the device and click Edit (or double-click the device).
  2. Select a suitable security policy from the list and click OK.

Default security policy

When a new device is set to synchronize with user’s server, it is automatically listed under the Default policy. To edit the policy, select the Default row and click Edit. By editing this policy, you define how all devices handle security unless you move them to a custom policy.

Tip: Check policy at app login

Checking security at app login is generally a good idea. For example, you can set the following policy for colleagues that are leaving your company. The app is locked and wiped immediately at startup.

Device control:Sample of security policy

Technical details

Internally, the information about devices and security policies are stored on the CRM server.

  • Each device is represented by a record in the resco_mobiledevice entity (Dynamics) or mobiledevice entity (Resco).
  • Each security policy is a record in the resco_mobilesecuritypolicy entity (Dynamics) or mobilesecuritypolicy entity (Resco).

Installations with Salesforce store this information in Resco CRM server.