We are developing an iOS application in Xamarin, which will be distributed via MobileIron. We are also developing the backend web services (REST).
What I need to know is: when a web service call comes to my API, I want to make sure that the call is coming from a client who is logged in to my app with his Active Directory credentials, using MobileIron.
The MobileIron website has plenty of information, but is also a bit chaotic.
What MobileIron products are needed for my use case?
What's the best way to protect my web services and allow just requests from our iOS application with correct AD credentials?
Do I need the AppConnect SDK or can I just wrap the iOS Application in MobileIron? If I need the SDK, are there any examples?
Thanks in advance!
Cheers
Immi
Here is one way how it should work; we have this built up in our environment.
Assuming that the target devices are managed by the MobileIron MDM system with MobileIron Core (MDM) & MobileIron Sentry (Gateway -> Intranet).
You can configure MobileIron Sentry so that a web request from an AppConnect-enabled app (no matter if SDK-included or wrapped!) is authenticated with the user certificate from the device; Sentry obtains a Kerberos ticket from the domain controller for the user and then forwards the web request to a website / web service where Kerberos authentication is enabled and the user has been granted access.
There are many things to configure for this to work (CA, user certificate -> device, service account with delegation configured in AD, SPN for the website configured in AD, ...) and there is a good support document available from MobileIron to get this up & running.
It's too extensive to describe all the steps here.
If this is already setup in the target environment (if there is already another AppConnect app), there are only a few steps left (SPN and MI app-specific AppConnect Config).
The good news is that the app itself does not have to take care of the authentication. The MobileIron stuff does this on its own...
I have an application on the App Store. I want to add support for the Citrix MDM solution, which will allow the end user to install the application as an in-office app.
I want to know what steps I need to perform in the application.
I have gone through the details on Citrix and got the following information in bits and pieces, and have some questions on top of that information:
I need to use the MAM SDK in the iOS app. From where should I download the SDK? Is it freely available for POC purposes?
If I integrate the SDK, what changes do I need to make in the application? Is any sample application available?
I need to wrap the iOS application. Is that required if I use the MAM SDK?
My application communicates with my server and has user authentication. Do I need to change anything on my server?
Is a dummy/temporary Citrix server setup available to test my application?
Let me tackle each question.
You'll want to download the MAM SDK from the citrix.com website. To do so, though, you'll need to first create a user account. It is free to download.
The changes to your iOS app are fairly straightforward. I won't repeat them here, but in the MAM SDK download you'll find step-by-step instructions on what you need to do. There is a sample app with source code provided.
You no longer need to MDX Wrap your iOS application. That's the older way of getting your apps managed by Citrix Endpoint Management. The new MAM SDK approach replaces that mechanism.
There are no changes needed to your authentication.
There's no dummy server available, but you can request a trial site. Create an account at Citrix Cloud and request a trial of Endpoint Management.
Source: I'm an engineer for the Citrix Endpoint Management product.
I am using Amazon SNS Service for an iOS application that needs push notifications.
I have figured out most of the things, except for the part where I have to register my device tokens.
This is where Amazon talks about it. It can be done manually or with the help of createPlatformEndpoint API which they obviously recommend for bulk uploads. My question is how we can directly register tokens from devices that will install the app later on. The documentation talks about a proxy server which I would want to avoid as of now. Isn't there a direct way of doing this, like where I can directly call a method and push the device token received in the application to my SNS Platform?
This is a possible duplicate, except that it is in reference to Android.
The AWS Mobile SDKs support accessing SNS directly from the mobile device. If you're interested in seeing code demonstrating this on iOS, we included some as a sample we prepared for re:Invent 2013 called Mobile Photo Share.
The important thing to note when accessing SNS directly from the mobile device is that you'll want to restrict the credentials delivered to the device to only those services and resources you'll need to access. You can accomplish this via web identity federation or a token vending machine with appropriately restricted policy.
If you want to learn more about the Mobile Photo Share app, we had two talks at re:Invent about the app and its architecture. The video and slides for those talks are available here:
Building Cloud-Backed Mobile Apps
Integrating Social Login Into Mobile Apps
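The point of the answer is that the credentials handed to the phone should allow nothing beyond registering that one device's token. The following is an added example (not AWS sample code, not the Mobile Photo Share app) showing the scoped policy beside the over-broad one; the ARN is a constructed placeholder and `is_allowed` is a deliberately simplified IAM evaluator (Allow/Deny statements with `*` wildcards, no Conditions).

```python
"""Scoping the credentials a device receives for self-registering its SNS
endpoint (added example; not AWS sample code). ``is_allowed`` is a deliberately
simplified IAM evaluator: Allow/Deny statements, '*' wildcards, no Conditions."""
import fnmatch

# Constructed placeholder ARN; substitute your own APNS platform application.
PLATFORM_APP_ARN = "arn:aws:sns:us-east-1:123456789012:app/APNS/ExampleApp"


def device_policy(platform_app_arn: str) -> dict:
    """Policy for the temporary credentials a web-identity-federation role or
    a token vending machine hands to the phone: it may only register a token
    under this one platform application. No sns:Publish, no other resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RegisterOwnDeviceToken",
            "Effect": "Allow",
            "Action": "sns:CreatePlatformEndpoint",
            "Resource": platform_app_arn,
        }],
    }


def overly_broad_policy() -> dict:
    """The weak setting to avoid: credentials extracted from the app could
    then publish to every topic and endpoint in the account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM semantics: explicit Deny wins, any matching Allow grants,
    otherwise implicit deny. Action names compare case-insensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```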
I'm developing a corporate web application.
It is supposed to run on devices that have MobileIron and a corporate profile installed.
The app uses a corporate authentication service that authenticates based on client certificates. When I open the app in the Safari browser, the authentication is working properly. But in order to provide some of the features, the app had to be wrapped in a PhoneGap shell. And the authentication has stopped working.
As far as I understand it is due to the fact that the UIWebView is unable to get the certificates from the device.
Is there any way to entitle it to, or to implement the handling myself?
Using MobileIron AppConnect, you can distribute certificates directly into those apps (instead of to the system keychain, which is only accessible to the built-in apps like Safari). The app can then be coded to provide that certificate to the web server when challenged. This is pretty easy to do.
http://support.mobileiron.com/appconnect will have the details.
I am establishing a VPN connection in my iPad through Junos Pulse to get into my organization's intranet.
Can anyone let me know if there is any iOS API or SDK available to get the user credentials entered in Junos Pulse inside the iOS application?
Junos Pulse (or Pulse Secure now) has an AppConnect SDK; this is straight from their guide:
The AppConnect SDK is a set of APIs and libraries, provided by Juniper, that allows mobile application developers to directly open socket-based SSL VPN connections to a Connect Secure Gateway. From the point of view of the Connect Secure Gateway, these tunnels mirror all other forms of AppConnect tunnels. The integration is done at the code level. Any application that integrates with the AppConnect SDK needs to be recompiled and manually deployed to the end users. The AppConnect SDK is best leveraged by container solutions or in-house applications that are deployed without the use of an MDM solution. The APIs include authentication and connection management functions. Connections can be shared across multiple applications on a single device. Contact your Juniper sales representative for more details regarding AppConnect SDK.
Unfortunately, as you can read in the last paragraph, it is only available through your organisation's Juniper sales representative.
I have to call a payment gateway API from iOS code. The problem is it needs merchant credentials, and I feel insecure embedding the merchant credentials in code. If someone somehow reverse engineers the code and gets the credentials, then the client is dead. Any advice?
I found this post Does Apple modify iOS application executables on apps submitted to the App Store? which says that app binaries are encrypted by Apple by default. Does it mean I can safely embed the credentials in code?
NO! Instead of adding the credentials to the iOS app, you should think about setting up a server which handles the interaction with the API you are talking about, and let the app only interact with your server. That way you can store the API key on your server and can limit what's possible for the user on the server side (which will be much harder to abuse).
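To make the answer concrete, here is an added example of such a server-side proxy (not the questioner's code and not any real gateway's SDK): the merchant secret exists only on the server, the app sends a session token and an order id, and the server re-checks the amount against its own records before building the gateway request. The env-var name, the in-memory order/session stores, the HMAC-signed request format and the reference format are all constructed for the demo.

```python
"""Server-side proxy that keeps the merchant credential off the phone (added
example; not the questioner's code or any real gateway SDK). Constructed and
assumed: the env-var name, the in-memory order/session stores, the HMAC-signed
request format and the receipt reference format."""
import hashlib
import hmac
import json
import os

# The only copy of the secret lives on the server; placeholder default for demo.
MERCHANT_SECRET = os.environ.get("GATEWAY_MERCHANT_SECRET", "placeholder-secret")

# Constructed stores: the server owns amounts and currencies, not the client.
ORDERS = {"order-1001": {"user": "alice", "amount_cents": 4999, "currency": "EUR"}}
SESSIONS = {"tok-alice": "alice"}


class PaymentError(Exception):
    pass


def _signed_gateway_request(order_id: str, order: dict) -> dict:
    """Built and sent server-to-gateway only; never returned to the app."""
    body = json.dumps({"order": order_id, "amount": order["amount_cents"],
                       "currency": order["currency"]}, sort_keys=True)
    sig = hmac.new(MERCHANT_SECRET.encode(), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def charge(session_token: str, order_id: str, client_amount_cents: int) -> dict:
    """Handle the app's 'pay' call. The app supplies only its session token, the
    order id and the amount it displayed; the server re-checks everything
    against its own records and rejects any mismatch or cross-user access."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PaymentError("not authenticated")
    order = ORDERS.get(order_id)
    if order is None or order["user"] != user:
        raise PaymentError("unknown order")       # cannot charge another user's order
    if client_amount_cents != order["amount_cents"]:
        raise PaymentError("amount mismatch")     # a tampered client cannot set the price
    request = _signed_gateway_request(order_id, order)
    # ... here the server would POST `request` to the gateway over TLS ...
    reference = hashlib.sha256(request["signature"].encode()).hexdigest()[:16]
    # Only a non-sensitive receipt goes back to the app.
    return {"status": "submitted", "order": order_id, "reference": reference}
```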