To fully secure devices, developers and administrators can combine multiple
mechanisms. In addition to using the built-in security features of both the device and
SAP Mobile Platform, SAP recommends
that you also use Afaria so you can remotely initiate security features as required.
Application authentication is defined by the developer, managed by the administrator in
the Management Cockpit, and processed by the core CSI in
SAP Mobile Platform Server.
Device security in SAP Mobile Platform follows this process:
- The client sends the application ID and user credentials (including user name
and password, certificate, or token) to
SAP Mobile Platform.
- SAP Mobile Platform uses the application ID to find the
security profile that should authenticate the user credentials, and invokes the
authentication providers in that profile to perform the authentication.
- When authentication succeeds, the user credentials or additional credentials
derived during the authentication process are made available as SSO material
towards the back-end systems.
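The lookup-and-dispatch flow described above, as an added Python sketch that is not SAP Mobile Platform code or its CSI API: an application ID selects a security profile, the providers in that profile check the credentials, and success yields SSO material. The application IDs, profile names, provider functions, user store, and the rule that any one accepting provider authenticates the user are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # constructed sample value


def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed sample data: one user and one trusted certificate subject.
_USERS = {"alice": _kdf("s3cret")}
_TRUSTED_SUBJECTS = {"CN=alice,O=Example"}


def basic_provider(creds):
    """Check a user name/password pair; return the user name or None."""
    stored = _USERS.get(creds.get("user", ""))
    # Constant-time comparison avoids leaking how much of the hash matched.
    if stored and hmac.compare_digest(stored, _kdf(creds.get("password", ""))):
        return creds["user"]
    return None


def x509_provider(creds):
    """Accept a trusted certificate subject (chain validation omitted here)."""
    subject = creds.get("cert_subject")
    return subject if subject in _TRUSTED_SUBJECTS else None


# Hypothetical mapping: application ID -> security profile -> providers.
APP_TO_PROFILE = {"com.example.sales": "corp-basic", "com.example.hr": "corp-cert"}
PROFILES = {"corp-basic": [basic_provider], "corp-cert": [x509_provider]}


def authenticate(app_id, creds):
    """Return SSO material for the back ends, or None if authentication fails."""
    profile = APP_TO_PROFILE.get(app_id)
    if profile is None:
        return None  # unknown application ID: fail closed, no default profile
    for provider in PROFILES[profile]:
        principal = provider(creds)
        if principal is not None:
            # Assumption: a random value stands in for a credential derived
            # during authentication, such as a token.
            return {"principal": principal, "profile": profile,
                    "derived_token": secrets.token_hex(16)}
    return None
```

Credentials of a type that the selected profile does not accept are rejected even when they would be valid under another profile, because only the providers in the profile bound to the application ID are consulted.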
In SAP Mobile Platform Server, the client, and not the back-end system, always
provides the credentials defined in its security profile. If you are configuring multiple
back ends, the following options are possible:
- Use an SAP SSO2 token when connecting to an SAP back-end system
  - The user provides credentials for the SAP Mobile Platform Server
    authentication, which in turn provides a MYSAPSSO2 token.
  - That same token can be used to connect to all back-end systems.
- Use an X.509 certificate when connecting to an SAP back-end system
  - A trusted certificate can be used with all back-end systems.
- Use basic authentication when connecting to any back-end system
  - The SAP Mobile Platform Server authentication and all back-end
    systems should have the same user name and password.
Developers define SAP Mobile Platform security features for devices,
including data encryption, login screens, and data vaults for storing sensitive data.
Developers use the Client Hub, integrated with Logon Manager, which simplifies user
onboarding and configuration to enable easier and faster enterprise-wide deployments.
The Client Hub reduces the effort required by the end user to manage multiple passwords
for mobile applications and improves the user experience.