Provisioning With Afaria: Security Considerations

Applications must be provisioned with name=value pair parameters before they can connect to Unwired Server. These parameters include the connection parameters for Unwired Server, among them the server's public key, and can include an X.509 certificate for authentication through single sign-on (SSO). Administrators can automate provisioning by enabling a group of applications to be initially provisioned with a set of parameters from a configuration file distributed through Afaria. Developers include API calls in the application to retrieve the provisioning data and the certificate.

This task assumes that an Afaria client is co-installed on the device, that the user has enrolled in Afaria management, and that a Certificate Authority server is available to be configured for use with an Afaria portal package.
  1. Ensure that required configuration files, keys (for E2EE), or other artifacts are available.
    The administrator creates an initial configuration file for the applications that are to be deployed and provisioned through Afaria. See System Administration for the format of this file and for instructions on obtaining the Unwired Server public key for inclusion in the file.
    Note: Without Afaria, the initial configuration file can be placed manually on a device and consumed by the application. iOS devices do not support this because the application sandbox cannot be accessed manually. See System Administration for the required name and location of the file (both vary by platform).

  2. Ensure that the mobile application developer includes code that lets the application request a certificate and provisioning data from Afaria, and that validates that the Unwired Server public key exists on the device and is properly provisioned:
    1. Include code to check whether the application is provisioned and, if not, to retrieve a provisioning file using Afaria. The provisioning file includes the public key of the Unwired Server.
    2. If the application uses certificate-based authentication, the application developer includes code to retrieve an X.509 certificate through Afaria from the Certificate Authority configured for the Afaria portal package. The application consumes, uses, or deletes the certificate as required. The developer sets up a synchronization profile and presents the user's certificate for authentication.

      The application developer also includes in the synchronization profile any other required application configuration parameters, such as encryption keys used for synchronization.

      The developer also includes code that prompts the application user for the Common Name and Challenge Code required by the Certificate Authority for enrollment.

    For details on client APIs, see the Developer Guide for your device type.
  3. The Afaria administrator performs the following tasks to create a portal package that serves deployments for a group of applications on a specified device platform against an Unwired Server:
    1. Defines the Certificate Authority server for the portal package.
    2. Includes the portal package into a Group Profile.
    3. Imports the configuration file to provision applications in that portal package.
    4. Enables Simple Certificate Enrollment Protocol (SCEP) in Afaria Server. Afaria uses SCEP to:
      • Create or obtain a user certificate from the Certificate Authority on behalf of a mobile client.
      • Send this certificate back to the device.
    For details, see the Afaria server configuration documentation.
  4. The IT administrator generates and distributes to end users the Common Name and Challenge Code required by the Certificate Authority configured for the Afaria portal package.
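The following is an added example of the client-side check described in steps 1 and 2 above. It is not SUP or Afaria client code, and it does not call the Afaria client API: it only parses an on-device initial configuration file of name=value pairs, confirms that the required parameters, including the Unwired Server public key, are present and well-formed, and reports whether the application may proceed or must request the provisioning file from Afaria. The parameter names (server.host, server.port, server.publickey), the '#' comment convention and the base64 encoding of the public key are assumptions for illustration; the documented names and format are in System Administration.

```python
# Added example (not SUP/Afaria client code): decide whether an application is
# already provisioned by parsing and checking the initial configuration file.
# Assumed format: one name=value pair per line, '#' comment lines, and the
# Unwired Server public key stored as base64 DER. Parameter names are assumptions.
import base64
import binascii

# Hypothetical parameter names; the real names are documented in System Administration.
PARAM_HOST = "server.host"
PARAM_PORT = "server.port"
PARAM_PUBKEY = "server.publickey"
REQUIRED_PARAMS = (PARAM_HOST, PARAM_PORT, PARAM_PUBKEY)


class ProvisioningError(Exception):
    """Raised when the on-device configuration cannot be used as-is."""


def parse_provisioning_file(text):
    """Parse name=value lines into a dict. Blank lines and '#' comments are skipped.
    A duplicate name is an error: silently letting a later line override the
    server public key would let an edited file swap the trust anchor."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            raise ProvisioningError(f"line {lineno}: expected name=value")
        if name in params:
            raise ProvisioningError(f"line {lineno}: duplicate parameter {name!r}")
        params[name] = value
    return params


def validate_provisioning(params):
    """Check that every required parameter is present and well-formed. Returns the
    validated parameters with the port as an int and the public key as DER bytes."""
    missing = [p for p in REQUIRED_PARAMS if not params.get(p)]
    if missing:
        raise ProvisioningError(f"missing required parameter(s): {', '.join(missing)}")
    try:
        port = int(params[PARAM_PORT])
    except ValueError:
        raise ProvisioningError(f"{PARAM_PORT} is not an integer") from None
    if not 1 <= port <= 65535:
        raise ProvisioningError(f"{PARAM_PORT} out of range: {port}")
    try:
        key_der = base64.b64decode(params[PARAM_PUBKEY], validate=True)
    except (binascii.Error, ValueError):
        raise ProvisioningError(f"{PARAM_PUBKEY} is not valid base64") from None
    # A DER SubjectPublicKeyInfo is an ASN.1 SEQUENCE, so its first byte is 0x30.
    # This is a structural sanity check only; it does not prove the key is the server's.
    if not key_der or key_der[0] != 0x30:
        raise ProvisioningError(f"{PARAM_PUBKEY} is not a DER SubjectPublicKeyInfo")
    validated = dict(params)
    validated[PARAM_PORT] = port
    validated[PARAM_PUBKEY] = key_der
    return validated


def check_provisioning(config_text):
    """Return (True, params) if the application can proceed with the on-device
    configuration, or (False, reason) if it must request the provisioning file
    from Afaria. A malformed or incomplete file is treated like a missing one:
    the client never falls back to connecting without a server public key."""
    if config_text is None:
        return False, "no initial configuration file on the device"
    try:
        return True, validate_provisioning(parse_provisioning_file(config_text))
    except ProvisioningError as exc:
        return False, f"configuration rejected: {exc}"


# Constructed sample: the key value is only the DER header of an RSA
# SubjectPublicKeyInfo (the rsaEncryption AlgorithmIdentifier), not a real key.
SAMPLE_KEY_B64 = base64.b64encode(
    bytes.fromhex("300d06092a864886f70d0101010500")).decode("ascii")

SAMPLE_CONFIG = f"""# initial configuration file (constructed sample)
{PARAM_HOST}=sup.example.com
{PARAM_PORT}=2480
{PARAM_PUBKEY}={SAMPLE_KEY_B64}
"""

if __name__ == "__main__":
    ok, detail = check_provisioning(SAMPLE_CONFIG)
    print("provisioned" if ok else "request provisioning from Afaria", detail)
```

The design point is the failure path: when the file is absent, incomplete, duplicated or malformed, the application requests provisioning from Afaria rather than attempting a connection without the server public key. The structural check on the key only catches corruption; it cannot tell a tampered key from the real one, which is why on platforms where the file is placed manually the file's integrity rests on the device's own protections.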
For complete details on Afaria provisioning, see Provisioning with Afaria in System Administration.
Related concepts
Security Artifacts That Require Provisioning
Related tasks
Provisioning with Unwired Server
Related reference
Provisioning Methods by Application Type