Deploying, Securing, Customizing and Extending the IBM Connections Mobile App
Rusty Godwin – Connections Mobile Development
Jack O’Donnell – Connections Mobile Development
Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• Connections Mobile Overview
• New in 2015
• Deployment and Installation
• Customizing the App
• Securing the App
IBM Connections Mobile (diagram): one application per mobile OS, regardless of the server deployment and level (Greenhouse, Customer A on 4.x, Customer N on 5.5.x, ..., IBM SmartCloud™).
Supported Components
Mobile apps
iPhone®, iPad®, iPod touch® (iOS 8, 9)
Android (Android 4.0+)
Mobile Architecture (diagram)
Server: Connections Services (Activity Stream, Profiles, Files, Communities, Activities, etc.), Mobile Services, Mobile Application Management (App Mgmt), Mobile Security Management (Security Mgmt Web Pages).
Mobile App: App Mgmt, Security Mgmt, Device Features, Content Provider, User Interface, Local DB.
Deployment Components
Client: Mobile OS specific app from the app stores
Server: Connections Mobile Service installed (enterprise app)
Minimum Connections 3.0.1 + Mobile refresh (LO61851); EOS in 1H2016
Suggested minimum level is Connections 4.0.0 CR1
Specific features may require a more recent version of the server
New Function Released in 2015
Managing Work
• Assign a single To Do to multiple people in Activities
• Polls & Surveys
• Nested Folder support
Application Management
• Enforce App level password
• Control which apps can import data
• Render customized app theme colors
• Support secure browsers for IBM MaaS360 and MobileIron
IBM Verse Integration
• Send an email directly from IBM Connections
IBM Connections Editor Integration
• Create and edit documents
New Application – IBM Connections Editor
Editing Capability for IBM Connections
• Securely create and edit within Connections Files
• Supports Microsoft Office formats for spreadsheets, documents and presentations
• PDF viewer capability (Android)
New in IBM Connections 5.5
Nested Folder Support
• Create folders within another folder
• Move folders and files within folders
Polls & Surveys
• Respond to surveys from your mobile device
• View survey results
Deployment Configuration (diagram)
Internet Domain (untrusted) | DMZ | Intranet Domain (trusted)
The mobile app reaches the DMZ over HTTPS; the DMZ component (VPN, IBM Mobile Connect, or a reverse proxy) forwards to the Connections server with Mobile over HTTPS (or HTTP); that server talks HTTP to the other Connections servers that host the other Connections apps.
Deployed Components
Enterprise applications
Mobile ear
Security Roles
everyone* – all users (mobile web login pages and /SecurityConfiguration)
person – all authenticated
Mobile Administration ear
Security Roles
everyone – all authenticated (device and user registry)
administrator – admin users (mobile admin console access)
* Special consideration for /mobile/homepage/SecurityConfiguration
Deployed Components
Database
Schema Mobile
mobile DataSource (jdbc/mobile) and associated mobileJaasAuth
Customization
Mobile config files
mobile-config.xml and mobile-config.xsd
Deployed to LotusConnections-config
Customization folder (../data/shared/customization)
Mobile App Management is a feature that has been available since the 3.2 release of the Connections Mobile app and the 3.0.1 CR2 release of the Connections server.
It allows the various Connections services to be customized and adds support for extensibility, re-branding and a custom login form, among other things.
For on-prem customers, the customizations and extensions are defined in a config file called mobile-config.xml, found under <cell-name>\LotusConnections-config.
Cloud customers can access the customization options from Connections Mobile App Management in the administration console.
Application Management Topology (diagram)
The native Connections app calls /Configuration, /SecurityConfiguration and /MobileConfiguration on the Connections Mobile Service running in the Connections AppServer, which reads mobile-config.xml. /SecurityConfiguration needs to be unsecured. For Cloud deployments the configuration comes from Cloud Admin.
Service Customization
Generally speaking, for each service, if the service is enabled its features will be available to the client application. If the service is enabled but displayInLauncher is false, its capabilities will be available to other services, but the service cannot be navigated to from the home screen.
Common set of customizations supported for all services:
<Communities enabled="true" displayInLauncher="true">
<PublicCommunities>true</PublicCommunities>
<AllowAddMembers>true</AllowAddMembers>
</Communities>
For Profiles, we have a policy to prevent photo upload
<Profiles enabled="true" displayInLauncher="true">
<Upload>true</Upload>
<AllowEditProfile>true</AllowEditProfile>
</Profiles>
Service Customization
For Files, configure access to files on the device
<Files enabled="true" displayInLauncher="true">
<PublicFiles>true</PublicFiles>
<ShareWithPublic>true</ShareWithPublic>
<AllowDownloads>true</AllowDownloads>
<AllowUploads>true</AllowUploads>
<AllowExport>true</AllowExport>
<AllowExportToDeviceGallery>true</AllowExportToDeviceGallery>
</Files>
Set the default service that is started after login
<DefaultApplication>Files</DefaultApplication>
Rebranding Support
Rebranding support includes the ability to customize the app name and also provide service labels for the various Connections services.
<Customizations enabled="true">
<CustomizationLocation>mobile</CustomizationLocation>
<AppName>My Company</AppName>
<AppColors>
<ThemeColor>009933</ThemeColor>
<ForegroundColor>FFFFCC</ForegroundColor>
</AppColors>
</Customizations>
(Screenshot: customized app name, customized theme color, customized service labels.)
Extensibility Support
One or more custom services can be added
Custom service definition includes the following:
Service icons for different device types and densities
Service Label
Service URL
Parameter substitution - %userid%
The icons need to be designed in grey scale.
(Screenshot: custom services.)
Customization in the Cloud
Cloud customers can access the customization options from Connections Mobile App Management in the administration console
Connections Mobile Custom URLs
The Connections mobile app can be started from a browser or another mobile app on the device
Custom URI - ibmscp://com.ibm.connections/*
Launch the app – ibmscp://com.ibm.connections/launch
Open a profile – ibmscp://com.ibm.connections/profiles?<uid=>|<email=>
Open a community – ibmscp://com.ibm.connections/communities?<uid=>
Open a file – ibmscp://com.ibm.connections/files?<uid=>
etc.
Information on ibmscp options can be found in the Connections 5.5 Knowledge Center under "Using links to start and configure the IBM Connections mobile app".
Email Digest Links (a.k.a. Email Redirect)
Email digest received with links to Connections apps
Email includes additional link for mobile device access
Connections references open in mobile app
Configuration
WAS mail session with JNDI name of mail/notification with mail server and protocol
Enabled in notifications-config.xml:
<property name="includeMobileLinksInNotifications">true</property>
Enable email channels for those events for which you want to broadcast:
<source defaultFollowFrequency="INDIVIDUAL" enabled="true" frequencyLocked="false" name="files">
<type name="mediaShare" notificationType="DIRECTED">
<channel enabled="true" name="email">
<property name="sender">[email protected]</property>
<property name="ftl">mediaShared.ftl</property>
</channel>
</type>
</source>
Push Notifications
• When enabled, mobile users will see notifications on the device for the following events:
• The user is invited to join a community
• The user is invited to join a person's network
• A task is assigned to the user
• A user is @mentioned
• A comment is added to content that the user owns
• The Push Notification mechanism is platform specific
• Android notifications are sent using Google Cloud Messaging (GCM)
• iOS notifications are sent using Apple Push Notification Service (APNS)
• IBM issues yearly iFix to update APNS Certificates
• Requires specific ports to be opened
• 443 for GCM (Android)
• Ports 2195 and 2196 for APNS (iOS)
Push Notification Proxy
• Support has been added for accessing GCM and APNS via proxy
• Support for HTTP based proxy servers (no SOCKS)
• Supports authenticated and non-authenticated access to the proxy server
• Available in Connections 5.0 CR and 5.5 iFix
• Updates to mobile-config.xml to use proxy
• Append the following to the <!-- START PUSH SECTION --> section
• Append the following to the <GCM> section
• For authenticated proxy access
• Create J2C authentication alias named proxyMobilePushNotificationJAASAuth
• Ensure that the Prefix option is not enabled
<ConnectionRequestTimeout>300</ConnectionRequestTimeout>
<ConnectTimeout>100</ConnectTimeout>
<SocketTimeout>300</SocketTimeout>
<ProxyHost>proxyserver</ProxyHost>
<ProxyPort>proxyport</ProxyPort>
Security Features – App Data Control
Security control for app data is provided through the following Files service customizations:
ShareWithPublic
AllowDownloads
AllowUploads
AllowExport
AllowImport/ImportWhitelist
AllowExportToDeviceGallery
Password Retention Policy can be defined for storing or not storing the password on the device.
Expose/Hide Email Address
Allow/Prevent Geolocation information to be used
Allow/Prevent copy and paste in the app
Allow/Prevent app documents to be shared when you sync your device with iTunes.
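As an added example (not from the IBM deck), an audit script for the Files switches named here under App Data Control and in the Service Customization section: it parses a constructed mobile-config.xml fragment and reports every setting that deviates from a chosen policy, treating a missing element as a finding rather than trusting the server default. The element names come from the deck; the wrapper root element, the STRICT_POLICY values and the ImportWhitelist element shape are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from the deck). The root element name is an
# assumption; only the Files section and its child element names come from
# the deck's Service Customization and App Data Control slides.
SAMPLE_CONFIG = """<MobileConfiguration>
  <Files enabled="true" displayInLauncher="true">
    <PublicFiles>true</PublicFiles>
    <ShareWithPublic>true</ShareWithPublic>
    <AllowDownloads>true</AllowDownloads>
    <AllowUploads>true</AllowUploads>
    <AllowExport>true</AllowExport>
    <AllowImport>true</AllowImport>
  </Files>
</MobileConfiguration>"""

# Hypothetical policy an administrator might choose for a deployment that keeps
# Connections content inside the app. The deck lists the switches; these
# values are this example's choice, not IBM recommendations.
STRICT_POLICY = {
    "ShareWithPublic": "false",
    "AllowExport": "false",
    "AllowExportToDeviceGallery": "false",
    "AllowDownloads": "true",   # viewing files in the app needs downloads
    "AllowUploads": "true",
}


def audit_files_policy(xml_text, policy):
    """Return (setting, actual, expected) tuples for every policy deviation.

    A missing element is reported with actual=None so the reviewer confirms
    the server default instead of the audit silently assuming it.
    """
    root = ET.fromstring(xml_text)
    files = root if root.tag == "Files" else root.find(".//Files")
    if files is None or files.get("enabled", "").lower() == "false":
        return []  # Files service off: its data-control switches are not in play
    findings = []
    for name, expected in policy.items():
        elem = files.find(name)
        actual = elem.text.strip().lower() if elem is not None and elem.text else None
        if actual != expected:
            findings.append((name, actual, expected))
    # The deck pairs AllowImport with ImportWhitelist ("control which apps can
    # import data"). Assumed shape: an <ImportWhitelist> element listing the
    # permitted apps; imports enabled without one are flagged for review.
    allow_import = files.findtext("AllowImport", default="").strip().lower()
    whitelist = files.findtext("ImportWhitelist", default="").strip()
    if allow_import == "true" and not whitelist:
        findings.append(("ImportWhitelist", None, "non-empty when AllowImport=true"))
    return findings


if __name__ == "__main__":
    for name, actual, expected in audit_files_policy(SAMPLE_CONFIG, STRICT_POLICY):
        print(f"{name}: found {actual!r}, policy expects {expected!r}")
```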
Security Features – Custom Login Form
A Custom Login Form can be defined by customers for various authentication mechanisms such as TAM, SiteMinder and SPNEGO; the login form details are defined in the SecuritySettings section.
The Connections App presents the same login interface irrespective of the login form defined by the customer.
<SecuritySettings enabled="false">
<AuthType></AuthType> <!-- TAM, SiteMinder, SPNEGO, Form, Basic -->
<LoginUrlContext></LoginUrlContext>
<LoginErrorUrlContext></LoginErrorUrlContext>
<LoginFormName></LoginFormName>
<UseridFieldName></UseridFieldName>
<PasswordFieldName></PasswordFieldName>
........
</SecuritySettings>
Security Features – EULA/Information Page
The Connections App will allow EULA or information pages defined by customers to be presented to users before they are granted app access.
<InfoPagePathPattern></InfoPagePathPattern>
<InfoPagePositivePathPattern></InfoPagePositivePathPattern>
<InfoPageNegativePathPattern></InfoPageNegativePathPattern>
<TermsOfUsageURL></TermsOfUsageURL>
Security – Two Factor Client Certificate Authentication
Allows requiring the mobile user to provide a certificate during login.
For iOS, due to sandboxing rules, apps cannot access certificates in Settings.
The certificate used by the app must be installed in the app's keychain.
Requires adding the special “ibmmbd” extension to the certificate file so the app can open it.
End users access the ibmmbd file via a web site or email and open it in the Connections app to import it into the app keychain.
Supported on Android 4.0+ using the unified keychain
4.1 is not supported due to an Android defect
Can install via a p12 file or an ibmmbd file
See “Configuring access with client certificates” in the Connections documentation wiki for more info.
Sample Client Certificate Authentication Flow
Participants: Native Connections App, Proxy, Connections Mobile Service
1) App attempts connection
2) App is challenged for client certificate
3) App sends certificate
4) Connection continues
5) App is challenged for Connections Server credentials
6) App sends Connections Server credentials
Mobile Application Management
Mobile Device Management software, such as MaaS360, provides a way to manage the security requirements for devices and mobile application management (MAM).
The IBM Connections Mobile App supports the following MDM providers:
Fiberlink MaaS360
MobileIron
Citrix
Mobile Application Management
MaaS360
Support is built in to the IBM Connections Mobile app on Google Play and the Apple App Store
IBM Connections Mobile supports the following policies:
Copy/Paste
File Export and whitelist
Print (Android only)
Controlling access using MaaS360
IBM Connections Mobile does not support the MaaS360 Enterprise Gateway
Function to control access based on MaaS360 managed policies is supported using IBM Mobile Connect (IMC)
Mobile Application Management
MobileIron
Separate app for Android
Can be downloaded from the MobileIron app store
Support on iOS is built-in to the IBM Connections Mobile app on the Apple App Store
IBM Connections requires MobileIron VSP 5.7 or higher be installed
IBM Connections Mobile supports the following:
AppConnect Container Policy
AppConnect App Configuration
MobileIron Management
Managing access to the Connections Server
In order to allow access to the Connections Server through the MobileIron server, you need to set up a policy to create an app tunnel.
This policy maps the URL the user uses to configure the Connections server account in the app to the URL of the MobileIron server that will provide access to the Connections server.
The user configures the Connections server URL as https://myserver.company.com in the app, and the app config will route any myserver.company.com request to the sentry host.
MobileIron Setup
Configuring your App policies
MobileIron allows you to control the following features of a managed app:
Printing
Copy/Paste
Open In
Mobile Application Management
Citrix
Separate IBM Connections Mobile apps containing Citrix support
Download IBM Connections Android Citrix app from the Citrix
IBM Connections iOS Citrix app is available on the Apple App Store.
Both apps can be distributed to users using the Citrix Worx Home app
The MDX file used to distribute the iOS app via Citrix Worx Home can be downloaded from the Citrix Ready Marketplace
Mobile Application Management
App Configuration
Configuration Settings can be passed to the app via MDM
Provides the ability to preconfigure accounts
Limited support for certain mobile configuration settings:
AllowRemoveAccount
ThemeColor/ForegroundColor
InactivityTimeout
RememberPassword
Support for MaaS360 and MobileIron Secure Browser
Allows launching external URLs in Connections content in the secure browser
useSecureBrowser and secureBrowserPattern
com.ibm.mobile.connections.serverName.1=MyConnections
com.ibm.mobile.connections.serverURL.1=https://myserver.company.com/mobile
com.ibm.mobile.connections.user.1=%email%
com.ibm.mobile.connections.serverName.2=IBM SmartCloud
com.ibm.mobile.connections.serverURL.2=https://apps.na.collabserv.com/mobile
com.ibm.mobile.connections.user.2=%email%
com.ibm.mobile.connections.AllowRemoveAccount=true
com.ibm.mobile.connections.ThemeColor=006699
com.ibm.mobile.connections.ForegroundColor=FFFFFF
MaaS360 App Configuration
• App Configuration settings are specified in a properties file that is uploaded to the MaaS360 portal
• Substitutions for userid and email are supported by MaaS360
MobileIron App Configuration
• App Configuration settings are specified in an AppConnect App Configuration policy
• Substitutions for userid and password are supported by MobileIron
iOS Managed App Configuration
On iOS, if you use an MDM provider that is not supported by the Connections app, you still may be able to push out app config settings
The Connections 5.5 iOS app supports the iOS Managed App Configuration feature
The MDM vendor must support iOS Managed App Configuration and the device must be managed by the MDM
Can be used with supported MDM vendors in conjunction with MDM app configuration settings
Duplicate settings in the MDM app configuration overwrite the setting in the iOS Managed App Configuration
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law
Notices and Disclaimers cont.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.