Overview:

Oracle Mobile Application Framework (MAF) 2.3 introduces a new feature that supports integration with third-party EMM vendors. This integration leverages the native capabilities of the mobile operating systems to enable a more consistent, open, and simple way to configure and secure mobile applications. These native capabilities are commonly referred to as App Configuration for Enterprise and are supported by popular EMM vendors such as AirWatch and MobileIron. AirWatch and MobileIron are the supported vendors at this point, but we expect the solutions from other EMM vendors listed on the AppConfig Community also to work with MAF 2.3. To learn more about best practices around the native MDM / MAM capabilities offered by iOS and Android, visit the AppConfig Community. The AppConfig Community is supported and maintained by EMM vendors such as AirWatch and MobileIron. It provides recommendations for enterprise mobile app developers to secure their applications in an EMM-vendor-neutral way by leveraging the native capabilities of the operating systems.

MAF’s integration with AirWatch and MobileIron does not use their respective SDKs or app-wrapping solutions. Instead, the integration is focused on their ability to use the standard approach offered by iOS and Android to manage applications and application configurations.

In recent versions of iOS and Android, Apple and Google have rolled out a standard approach to managing applications and application configurations through native operating system capabilities. These native OS capabilities remove the need for containers and dual workspaces, which frustrate users and hinder productivity. Also, by leveraging the native OS capabilities, mobile developers can build applications that are EMM vendor neutral.

AirWatch’s and MobileIron’s support for standards-based application management and application configuration offers various advantages for Oracle MAF developers and enterprises.

  • Building enterprise-ready applications can now be faster, as the most common use cases do not require an SDK or a wrapping solution.
  • Developers can build applications that are EMM vendor neutral, as they are built on native standards supported by the mobile operating systems.
  • Various organizations within an enterprise can provide a better onboarding experience to their users by leveraging native application-level configurations.
  • Faster turnaround time to build enterprise-ready mobile applications allows enterprises to roll out a greater selection of business apps for their users.

MAF integration with AirWatch and MobileIron supports the following use cases on Apple iOS and Google’s Android for Work platforms.

1. Application Security:
  • Encryption: Offline content stored within the sandbox of a MAF application can now be encrypted using the native device-level encryption provided by the mobile operating system. The OS enables this encryption only when a device passcode is enforced, so encryption within MAF applications is enabled by pushing down a passcode policy through the EMM console.
  • Managed Open-In: Control the end user’s ability to open managed documents stored offline within a MAF application in unmanaged personal applications such as Box.net, Dropbox, etc.
  • Disable Screen Capture: Control the end user’s ability to take screenshots.
  • Remotely Wipe Application: Remotely wipe the application.
  • Disable Copy / Paste: Control the end user’s ability to copy and paste content between managed and unmanaged applications. Since iOS does not provide a native restriction for this capability, leveraging this feature within an iOS app might involve some custom work in the MAF application. No development work is needed to leverage this capability within Android apps published in an Android for Work environment.
  • Disable Camera: Control the end user’s ability to use the camera within managed applications.

The AirWatch Mobile Device Management Guide for iOS and the MobileIron CORE Device Management Guide for iOS provide detailed information on how to create security restrictions on iOS.
The AirWatch Integration with Android for Work Guide and the MobileIron CORE Device Management Guide for Android for Work provide detailed information on how to create security restrictions on Android for Work.

2. Application Tunneling: MAF applications that require access to web services residing behind a corporate firewall can leverage a secure app tunnel connection between the app on the device and the backend services. This is done by distributing and enabling a Per-App VPN configuration on the device.

Per-App VPN is a native capability provided by the mobile operating system to enable a VPN at the application level. A Per-App VPN configuration comprises information about the VPN server, or tunneling server, to which the network calls from the application are routed. Per-App VPN configurations can be provisioned on devices through an agent application and applied to specific MAF applications. Once a Per-App VPN configuration is applied to a MAF application, all network requests initiated from that application are routed through the VPN server, or the tunneling / proxy server, specified in the configuration.

AirWatch and MobileIron currently support a long list of commercial VPN providers, including Cisco AnyConnect, Juniper, Check Point, Palo Alto Networks, F5 Networks, and Pulse Secure, among others. To configure Per-App VPN, enterprises can either use one of the supported VPN providers or use the tunneling server provided by the EMM vendor. AirWatch provides a tunneling server called AirWatch Tunnel, and MobileIron provides a tunneling server called MobileIron SENTRY.

You can find more details about Per-App VPN support in the App Tunnel section of the AppConfig Community. For more details on AirWatch and MobileIron tunneling setup, refer to the AirWatch Tunneling Guide and the MobileIron SENTRY Guide respectively.


3. Single Sign-On:

The single sign-on capability documented by the AppConfig Community specifies the best practice for how an app developer should invoke the IdP from the app in order to provide a single sign-on experience. Most single sign-on scenarios are handled by the MAF framework, so developers should need few changes to their applications. The native OS capabilities on iOS and Android support certificate-based authentication and username / password based authentication. The single sign-on capabilities listed on the AppConfig Community are expected to work with the MAF 2.3 release.

3rd Party EMM Certification:
From the MAF 2.3 release onwards, all future releases of MAF will publish information on certified EMM vendors as part of the certification matrix.

Product       Certified & Supported OS            Minimum OS Version     Server Console
AirWatch      Certified on iOS;                   iOS 9; Android 5.0     AirWatch console 8.3.0.405
              Supported with Android for Work
MobileIron    Certified on iOS;                   iOS 9; Android 5.0     MobileIron Core 8.5.0.0
              Supported with Android for Work


The following use cases are targeted for future releases of MAF and are currently on the roadmap:

Managed Application Configuration:

Enterprise applications require users to enter a URL, port, email address, and various other settings as part of a one-time setup of the application. These manual configurations can impact the adoption and success of an organization’s mobile app initiatives, increase the burden on a help desk fielding calls from users, and add the burden of maintaining documentation that must be updated frequently as new versions of the application are released.

By leveraging the native APIs recommended by the AppConfig Community, these configurations can be set remotely and automatically by the EMM server. This simplifies the setup process for end users and alleviates the help desk and documentation burden. Developers define a set of configuration keys within their apps; an IT administrator then sets the same keys and values in the EMM provider’s management console, and they are pushed to the app.

Apps commonly implement the following types of configurations:
  • Backend service configuration: server URL, port, use SSL, group/tenant code
  • User configuration: username, email, domain

In future releases, MAF will provide the ability to read the configurations set by IT administrators in the EMM console. MAF developers can then read these values and use them within the application lifecycle to provide a better onboarding experience for end users.
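As an added illustration (not MAF code, and not an API that MAF 2.3 exposes; the page states that MAF support for reading these values is on the roadmap), this is how a native Android for Work app reads the EMM-pushed managed configuration through the platform's RestrictionsManager and validates it before use. The key names and the BackendConfig type are assumed placeholders that must match the restrictions the app declares in its own res/xml/app_restrictions.xml.

```java
import android.content.Context;
import android.content.RestrictionsManager;
import android.os.Bundle;

/** Reads managed app configuration pushed by the EMM console (Android for Work
 *  "application restrictions") and validates it before the app trusts it. */
public final class ManagedConfigReader {

    // Assumed key names: they must match the restriction keys the app declares
    // and the keys the IT administrator sets in the EMM console.
    static final String KEY_SERVER_URL = "server_url";
    static final String KEY_PORT       = "server_port";
    static final String KEY_USE_SSL    = "use_ssl";
    static final String KEY_TENANT     = "tenant_code";

    /** Validated backend settings; constructed only from values that passed the checks. */
    public static final class BackendConfig {
        public final String serverUrl;
        public final int port;
        public final String tenant;
        BackendConfig(String serverUrl, int port, String tenant) {
            this.serverUrl = serverUrl; this.port = port; this.tenant = tenant;
        }
    }

    /** Returns null when no usable configuration has been pushed, so the caller
     *  falls back to the manual one-time setup instead of using a bad endpoint. */
    public static BackendConfig read(Context ctx) {
        RestrictionsManager rm =
                (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle restrictions = rm.getApplicationRestrictions();
        if (restrictions == null || restrictions.isEmpty()) {
            return null;  // unmanaged device or nothing set yet in the console
        }
        String url     = restrictions.getString(KEY_SERVER_URL, null);
        int port       = restrictions.getInt(KEY_PORT, 443);
        boolean useSsl = restrictions.getBoolean(KEY_USE_SSL, true);
        String tenant  = restrictions.getString(KEY_TENANT, "");

        // Managed values still arrive from outside the app, so validate them like
        // any other input: require TLS and a sane port before using the endpoint.
        if (url == null || !useSsl || !url.startsWith("https://")) return null;
        if (port < 1 || port > 65535) return null;
        return new BackendConfig(url, port, tenant);
    }
}
```

Re-run read() from a receiver registered for Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED so that values the administrator updates later in the console are picked up without a reinstall.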
