If SAP Mobile Platform server is used, an SAP Mobile Platform administrator can enable the password policy. If enabled, the user must satisfy each rule. If “Allow Default Password” is enabled in the password policy, the Set Passcode screen does not appear, but the user can enable the app passcode using the Change Passcode option.
If the password policy is disabled, or if communication is not through the SAP Mobile Platform, MAFLogonManagerNG applies the default password policy. You can configure the default password policy from the MAFLogonOperationsDefaultValues.plist located in the MAFLogonManagerNG.bundle folder of your project.
Rule Name | Description | Default Value |
---|---|---|
keyMAFLogonPasswordPolicyIsEnabled | Whether a password policy is provided | True |
keyMAFLogonPasswordPolicyExpirationDays | Number of days after which the password policy expires | 0 ~ infinite |
keyMAFLogonPasswordPolicyHasDigits | Whether the password requires one or more numeric digits | NO |
keyMAFLogonPasswordPolicyHasLowerCaseLetters | Whether the password requires one or more lowercase letters | NO |
keyMAFLogonPasswordPolicyHasSpecialLetters | Whether the password requires one or more special characters | NO |
keyMAFLogonPasswordPolicyHasUpperCaseLetters | Whether the password requires one or more uppercase letters | NO |
keyMAFLogonPasswordPolicyIsDefaultPasswordAllowed | Allows the device user to switch off custom app passcode | YES |
keyMAFLogonPasswordPolicyIsDefaultPasswordUsageOnByDefault | If a default password is allowed, whether the switch on the device is, by default, on | NO |
keyMAFLogonPasswordPolicyLockTimeout | Length of time, in seconds, after which the secure store is locked | 0 ~ infinite |
keyMAFLogonPasswordPolicyMinLength | Minimum length of the password | 8 |
keyMAFLogonPasswordPolicyMinUniqueChars | Minimum number of unique characters in password | 0 ~ none |
keyMAFLogonPasswordPolicyRetryLimit | Maximum number of retries before the secure store is erased | 0 ~ infinite |
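
An added example, not part of the SAP documentation or the MAF library: a build-time audit of the default policy plist that flags settings from the table above which weaken the app passcode. It assumes the plist is a flat dictionary keyed by the rule names; the sample plist, the `audit_policy` function and the `min_length` threshold are constructed for illustration.

```python
import plistlib

# Constructed sample: a flat dictionary using the rule names from the table.
# The real MAFLogonOperationsDefaultValues.plist layout may differ (assumption).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keyMAFLogonPasswordPolicyIsEnabled</key><true/>
  <key>keyMAFLogonPasswordPolicyMinLength</key><integer>8</integer>
  <key>keyMAFLogonPasswordPolicyRetryLimit</key><integer>0</integer>
  <key>keyMAFLogonPasswordPolicyLockTimeout</key><integer>0</integer>
  <key>keyMAFLogonPasswordPolicyHasDigits</key><false/>
  <key>keyMAFLogonPasswordPolicyIsDefaultPasswordAllowed</key><true/>
</dict></plist>"""

P = "keyMAFLogonPasswordPolicy"
CLASSES = ("HasDigits", "HasLowerCaseLetters", "HasSpecialLetters", "HasUpperCaseLetters")

def truthy(value):
    """Accept plist booleans, integers, or YES/NO/True strings."""
    if isinstance(value, str):
        return value.strip().lower() in ("yes", "true", "1")
    return bool(value)

def audit_policy(plist_bytes, min_length=8):
    """Return (rule, finding) pairs for settings that weaken the app passcode."""
    policy = plistlib.loads(plist_bytes)
    findings = []
    def flag(rule, text):
        findings.append((P + rule, text))
    # A missing key falls back to the default value listed in the table.
    if not truthy(policy.get(P + "IsEnabled", True)):
        flag("IsEnabled", "no password policy is provided")
    if int(policy.get(P + "RetryLimit", 0)) == 0:
        flag("RetryLimit", "0 = infinite retries, secure store is never erased")
    if int(policy.get(P + "LockTimeout", 0)) == 0:
        flag("LockTimeout", "0 = infinite, secure store never locks on timeout")
    if int(policy.get(P + "MinLength", 8)) < min_length:
        flag("MinLength", "below %d characters" % min_length)
    if truthy(policy.get(P + "IsDefaultPasswordAllowed", True)):
        flag("IsDefaultPasswordAllowed", "user may switch off the custom passcode")
    if not any(truthy(policy.get(P + c, False)) for c in CLASSES):
        flag("Has*", "no character class is required")  # group label, not a real key
    return findings

if __name__ == "__main__":
    for rule, text in audit_policy(SAMPLE_PLIST):
        print(f"{rule}: {text}")
```

Run against the table's default values, the audit reports the retry limit, the lock timeout, the default-password switch and the absence of any required character class.
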
The data vault is created after a successful registration. If device users are allowed to do so, they can switch off the data vault passcode. Even if the user does not specify a passcode, the data is secured with a default data vault passcode.
If the data vault is locked with a custom passcode, the logon UI is presented with an Unlock screen. Users can unlock the data vault with the passcode they have set. If the user provides a wrong passcode multiple times, the data vault deletes itself. The maximum number of tries is determined by a data vault property, which you can set in the password policy.
You can set the data vault timeout in the password policy. MAFLogonManagerNG downloads it from the SAP Mobile Platform server during registration.
When device users forget their passcodes, they can tap the Forgot passcode button on the Unlock screen, which erases all client-side data.
If there is an SAP Mobile Platform server in the landscape, tapping the Forgot passcode button deletes both the client- and server-side registrations. This works only when the device is connected to a network where the SAP Mobile Platform server is reachable. Otherwise, an administrator must manually remove the server-side registration.
MAFLogonManagerNG does not currently support policy changes. That is, if the password policy is changed on the SAP Mobile Platform server after a device user registers, MAFLogonManagerNG does not download and apply the new policy.
```objc
#define kErrorDomainMAFSecureStoreManager @"MAFSecureStoreManagerErrorDomain"
#define keyMAFSecureStoreManagerErrorDescriptionParameters @"errorDescriptionParameters"
#define keyMAFSecureStoreManagerErrorExceptionName @"exceptionName"
#define keyMAFSecureStoreManagerErrorExceptionReason @"exceptionReason"
#define errMAFSecureStoreManagerErrorUnknown 0
#define errMAFSecureStoreManagerErrorAlreadyExists 1
#define errMAFSecureStoreManagerErrorDataTypeError 2
#define errMAFSecureStoreManagerErrorDoesNotExist 3
#define errMAFSecureStoreManagerErrorInvalidArg 4
#define errMAFSecureStoreManagerErrorInvalidPassword 5
#define errMAFSecureStoreManagerErrorLocked 6
#define errMAFSecureStoreManagerErrorOutOfMemory 7
#define errMAFSecureStoreManagerErrorPasswordExpired 8
#define errMAFSecureStoreManagerErrorPasswordRequired 9
#define errMAFSecureStoreManagerErrorPasswordRequiresDigit 10
#define errMAFSecureStoreManagerErrorPasswordRequiresLower 11
#define errMAFSecureStoreManagerErrorPasswordRequiresSpecial 12
#define errMAFSecureStoreManagerErrorPasswordRequiresUpper 13
#define errMAFSecureStoreManagerErrorPasswordUnderMinLength 14
#define errMAFSecureStoreManagerErrorPasswordUnderMinUniqueChars 15
```
When the Secure Store is closed and the application calls the logonManager logon API, MAF presents the MAF Logon UI and the user can unlock the Secure Store with the app passcode provided at registration time.
The system administrator can have the user specify a custom app passcode, or can let the user have the option to switch off the passcode functionality. If the user switches off this functionality, the Secure Store is protected with the default password provided by the underlying component. The system administrator can specify this behavior per application or per connection type by adjusting the SAP Mobile Platform Server side password policy.