In the Authentication item of the Server configuration panel you can configure how devices are authenticated in the DME system.
The Security group of functions contains the following fields:
If this field is set to Yes, the DME server automatically adds a device to the Devices tab the first time a user logs on to the server from a device that is not yet known to the system (that is, a device with an unknown device ID). The device is assigned to that user. Unknown users are always created automatically if they pass LDAP authentication.
If this field is set to Two-step authentication, new devices are created in the Devices tab with their device ID and assigned to the user, but locked. Before regular synchronization with the device can take place, the DME Administrator must unlock it. To help the DME Administrator identify the device, the device is permitted a system synchronization that populates the device identification fields, such as device type, user name, and phone number. These fields are visible in the device's Information setup panel; see Information. To unlock the device, the DME Administrator can use the Toggle device lock function in the Devices tab (see Toggle device lock) or the approveDevice Web Service (see approveDevice).
Please note that if Client signature is enabled, and Auto sign is not enabled, the DME Administrator should send a new signing key to the device using the function Add client signing key before unlocking the device.
If the field Send mail on creation below is Yes, the DME Administrator will be notified whenever a device is created or changes users.
If this field is set to No, you must create devices manually or import them in the Devices tab. Please note that using Apple MDM for adding devices to DME will not work if this field is set to No. When using Apple MDM, this field must be set to Yes or Two-step authentication.
If this field is set to Yes, users who are created automatically (via LDAP) are initially locked: they cannot log on to the DME server until an administrator clears the lock in the Devices tab. If this field is set to No, users can start using DME immediately. Default: No.
If this field is set to Yes, devices can change hands: users are permitted to log in on any device running DME. If this field is set to No, a device is bound to a user, and it cannot connect to the server if the user logging in differs from the one registered for it in the Devices tab. Before such a device can be passed to another user, a DME Administrator must first detach it from its current user (see Detach user from device).
See also Switching users.
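The device-admission rules described above (automatic creation, two-step authentication, locked new users, and binding a device to its user) interact, so the following added example models them as one decision function. This is illustrative code written for this page, not DME's own implementation: the setting names, the record shapes, the stand-in LDAP check, and the "system-sync" outcome used for a locked device are assumptions.

```python
"""Added example (not DME's own code): a model of the device-admission decisions
described in the Authentication panel.  Setting names, record shapes and the
LDAP stand-in are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Optional

YES, NO, TWO_STEP = "Yes", "No", "Two-step authentication"


@dataclass
class Device:
    device_id: str
    user: Optional[str]            # None after an administrator detaches the user
    locked: bool = False


@dataclass
class DmeServer:
    auto_create: str = YES         # the "automatically add devices" field
    lock_new_users: bool = False   # users created via LDAP start locked
    allow_device_switch: bool = True
    devices: dict = field(default_factory=dict)   # device_id -> Device
    users: dict = field(default_factory=dict)     # user -> {"locked": bool}
    mails: list = field(default_factory=list)     # "Send mail on creation" queue

    def ldap_authenticate(self, user, password):
        # Assumption: stand-in for the LDAP/AD bind; any non-empty password passes.
        return bool(password)

    def connect(self, device_id, user, password):
        """Return (outcome, reason) for one logon: allow, deny or system-sync."""
        if not self.ldap_authenticate(user, password):
            return "deny", "ldap authentication failed"
        # Unknown users are always created once they pass LDAP; they may start locked.
        if user not in self.users:
            self.users[user] = {"locked": self.lock_new_users}
        if self.users[user]["locked"]:
            return "deny", "user is locked pending administrator approval"

        dev = self.devices.get(device_id)
        if dev is None:
            if self.auto_create == NO:
                return "deny", "unknown device; create it manually or import it"
            dev = Device(device_id, user, locked=(self.auto_create == TWO_STEP))
            self.devices[device_id] = dev
            self.mails.append(f"device {device_id} created for {user}")
            if dev.locked:
                # Two-step: only a system synchronisation to fill the identification fields.
                return "system-sync", "device created locked; administrator must unlock"
            return "allow", "device created"

        if dev.locked:
            return "system-sync", "device is locked"
        if dev.user is None:
            dev.user = user        # a detached device is bound to the next user who logs in
            self.mails.append(f"device {device_id} now assigned to {user}")
        elif dev.user != user:
            if not self.allow_device_switch:
                return "deny", f"device is bound to {dev.user}; detach it first"
            self.mails.append(f"device {device_id} changed from {dev.user} to {user}")
            dev.user = user
        return "allow", "ok"

    # Administrator actions available in the Devices tab
    def toggle_device_lock(self, device_id):
        self.devices[device_id].locked = not self.devices[device_id].locked

    def detach_user(self, device_id):
        self.devices[device_id].user = None

    def unlock_user(self, user):
        self.users[user]["locked"] = False


def demo():
    """Two-step creation, unlock, a refused hand-over, detach, and re-binding."""
    srv = DmeServer(auto_create=TWO_STEP, allow_device_switch=False)
    first = srv.connect("IMEI-0001", "alice", "pw")      # created locked: system-sync only
    srv.toggle_device_lock("IMEI-0001")                   # administrator approves the device
    second = srv.connect("IMEI-0001", "alice", "pw")     # regular synchronisation allowed
    third = srv.connect("IMEI-0001", "bob", "pw")        # bound to alice: denied
    srv.detach_user("IMEI-0001")
    fourth = srv.connect("IMEI-0001", "bob", "pw")       # now bound to bob
    return first[0], second[0], third[0], fourth[0], srv.devices["IMEI-0001"].user


if __name__ == "__main__":
    print(demo())
```

Note that a device locked by two-step authentication still gets a "system-sync" outcome rather than a plain denial: that is what lets the identification fields in the Information panel fill in before the administrator decides whether to approve it.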
If this field is set to Yes, Basic MDM devices are permitted access to DME. Basic MDM devices do not require authentication, and are created with "anonymous users" in the Devices tab. They are used for device management purposes, for gathering traffic statistics, and to some extent for synchronizing files. For more information, see Appendix G: The Basic MDM client. If this field is set to No, no "anonymous" devices are allowed on the DME server.
In this field you specify whether signed communication between clients and the server is required. Client signing is a process in which the server confirms that the client is a valid member of the system before any LDAP/AD authentication of the user takes place. Because unsigned or incorrectly signed requests are rejected before the directory is consulted, this protects the LDAP system against denial-of-service (DoS) attacks mounted through repeated authentication attempts.
Client signing builds on a system of public and private keys issued by the DME server. Each client receives a unique key from the server. When the client connects to DME, the server verifies the key presented by the client. If the key cannot be validated, access is denied immediately.
For more information about the architecture behind the client signature feature, please request special documentation: "Client Signing" (NDA applies).
See also Auto sign below.
When client signatures are enabled, a challenge can arise when the user changes his or her network password using a PC (not the device). If the network password is changed, the user may be unable to connect to DME. There are two variations of this scenario:
The important thing to remember is that you should not try to "help" the user by removing the signing key from the device in DME. A changed network password does not by itself invalidate the device's signing key. You, the administrator, should only issue a new signing key to the device if the user is unable to log in because the server cannot verify the client certificate.
If this field is set to Yes, unsigned devices are automatically provided with a certificate (key pair) when they connect for the first time. If Client signature is enabled (see above), you can enable this setting during a transition period until all existing, compatible devices have been provided with a signature. While Auto sign is enabled, any unknown device that connects is issued a key, so during that period the signature check does not yet keep unknown clients away from the LDAP system. If this field is set to No, you must use the Add client signing key function in the Devices tab to generate a key pair for each device.
If this field is set to Yes, an e-mail is sent to an administrator when a device is created, a device changes users, or a new device signing key is generated. The DME Administrator can then verify the change, unlock any locked devices, or generate new keys for devices. The e-mail address is specified in the Alert e-mail section of the Collaboration panel.
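The order of checks is what gives client signing its value: the signature is verified first and the LDAP bind only happens for requests that pass. The following added example models that ordering together with the Auto sign transition and the password-change caveat. It is illustrative code written for this page, not DME's own implementation. The page states that DME issues a unique key pair per client; to keep the script self-contained it substitutes a per-device secret issued by the server and an HMAC over the request body (an assumption), which exercises the same gate without asymmetric-crypto dependencies. The credential "correct horse", the request body and the response strings are constructed for the example.

```python
"""Added example (not DME's own code): a client-signature gate in front of the
LDAP bind, with the Auto sign transition setting.  Per-device HMAC keys stand
in for DME's key pairs (assumption); the request body and credential are
constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SigningServer:
    client_signature: bool = True   # require signed communication
    auto_sign: bool = False         # issue keys to unsigned devices on first contact
    keys: dict = field(default_factory=dict)   # device_id -> issued signing key
    ldap_calls: int = 0             # how often the LDAP/AD backend was consulted

    def add_client_signing_key(self, device_id):
        """Administrator action (Devices tab): issue or re-issue a device's key."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def ldap_bind(self, user, password):
        self.ldap_calls += 1
        return password == "correct horse"   # constructed stand-in for the directory

    def connect(self, device_id, user, password, body, signature):
        """Signature first, LDAP second: bad signatures never reach the directory."""
        if self.client_signature:
            key = self.keys.get(device_id)
            if key is None:
                if not self.auto_sign:
                    return "deny: unsigned device; use Add client signing key"
                # Auto sign: the first, unsigned contact is issued a key (assumption:
                # the key would be returned to the client with this response).
                self.add_client_signing_key(device_id)
            else:
                expected = hmac.new(key, body, hashlib.sha256).digest()
                if signature is None or not hmac.compare_digest(expected, signature):
                    return "deny: client signature invalid"
        if not self.ldap_bind(user, password):
            return "deny: ldap authentication failed"
        return "allow"


def sign(key, body):
    """Client side: sign the request body with the key the server issued."""
    return hmac.new(key, body, hashlib.sha256).digest()


def demo():
    """Unsigned, forged, wrongly-authenticated and valid requests, in that order."""
    srv = SigningServer(client_signature=True, auto_sign=False)
    body = b"SYNC device=IMEI-0001"                      # constructed request
    before = srv.ldap_calls
    r1 = srv.connect("IMEI-0001", "alice", "correct horse", body, None)
    key = srv.add_client_signing_key("IMEI-0001")       # administrator issues a key
    r2 = srv.connect("IMEI-0001", "alice", "correct horse", body, b"\x00" * 32)
    # Password changed on a PC: the key is still valid, the failure is in LDAP.
    r3 = srv.connect("IMEI-0001", "alice", "wrong", body, sign(key, body))
    r4 = srv.connect("IMEI-0001", "alice", "correct horse", body, sign(key, body))
    return r1, r2, r3, r4, srv.ldap_calls - before


def demo_auto_sign():
    """With Auto sign on, an unknown device gets a key on first contact only."""
    srv = SigningServer(client_signature=True, auto_sign=True)
    body = b"SYNC device=IMEI-0002"
    first = srv.connect("IMEI-0002", "alice", "correct horse", body, None)
    second = srv.connect("IMEI-0002", "alice", "correct horse", body, None)
    return first, second, "IMEI-0002" in srv.keys


if __name__ == "__main__":
    print(demo())
    print(demo_auto_sign())
```

Only the two correctly signed requests in `demo()` reach the directory, which is the DoS protection the field description refers to. The third request also shows the password-change caveat from the previous paragraphs: the signature verifies, so re-issuing the key would not help; the user has to supply the new password.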
If this field is set to Yes, DME will store an encrypted version of each user's mailbox password in the local DME database. The password is stored the first time a user synchronizes his device. This way DME can employ the user's own password for scanning mailboxes instead of having to grant access to the DME server user. The password is only used for mailbox scans. See Collaboration for more information about the DME server user.
Note that if you change this setting from Yes to No, DME will flush all stored passwords. If you switch it back to Yes, the process of collecting the individual users' passwords starts over. This process requires that the active user sessions first time out in the JBoss application server, and this will take some time - approx. 20 minutes. During this period, those users will be unable to establish a connection from their DME clients.
DME relies on the clients for information about which devices are jailbroken (iOS) or rooted (Android), and which are not. The client reports that a device is jailbroken or rooted by appending (Jailbroken) or (Rooted), respectively, to the device name, for instance iPhone 3GS (Jailbroken).
If this field is set to Yes, DME will lock all devices that have been reported to be jailbroken or rooted. When you enable this setting, DME will lock all existing jailbroken and rooted devices the next time they contact the DME server, and create new devices as locked if they are jailbroken or rooted.
If the setting has been enabled, and you disable it again, you must manually unlock the locked devices.
Note: When you manually unlock a locked, jailbroken/rooted device, the device will not be locked again when it connects to the server, and the user can use the device as any other device.
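The lock-on-jailbreak rule has three edge cases that are easy to get wrong in an integration or a reporting script: existing devices are only locked the next time they contact the server, disabling the setting does not unlock anything, and a manually unlocked device is not locked again. The following added example, written for this page and not part of DME, encodes those rules. The device-name suffix convention is taken from the text above; the record shape and the `manually_unlocked` flag that remembers an administrator override are assumptions.

```python
"""Added example (not DME's own code): the lock-on-jailbreak rule, including the
caveat that a manually unlocked device is not locked again.  The name-suffix
convention is from the DME documentation; the record shape and the
manually_unlocked flag are assumptions for this illustration."""
import re
from dataclasses import dataclass

# The client appends "(Jailbroken)" (iOS) or "(Rooted)" (Android) to the device name.
COMPROMISED = re.compile(r"\((Jailbroken|Rooted)\)\s*$")


def reported_compromised(device_name: str) -> bool:
    """True if the client-reported device name carries the jailbroken/rooted marker."""
    return COMPROMISED.search(device_name) is not None


@dataclass
class Device:
    device_id: str
    name: str
    locked: bool = False
    manually_unlocked: bool = False   # assumption: records an administrator override


class JailbreakPolicy:
    def __init__(self, lock_jailbroken: bool):
        self.lock_jailbroken = lock_jailbroken   # the setting described above
        self.devices = {}

    def on_contact(self, device_id, reported_name):
        """Apply the rule when a device contacts the server; return its lock state."""
        compromised = reported_compromised(reported_name)
        dev = self.devices.get(device_id)
        if dev is None:
            # New devices are created locked only while the setting is enabled.
            dev = Device(device_id, reported_name,
                         locked=self.lock_jailbroken and compromised)
            self.devices[device_id] = dev
            return dev.locked
        dev.name = reported_name
        # Existing devices are locked on their next contact, unless an administrator
        # already unlocked them by hand.  Disabling the setting never unlocks anything.
        if self.lock_jailbroken and compromised and not dev.manually_unlocked:
            dev.locked = True
        return dev.locked

    def toggle_device_lock(self, device_id):
        """Administrator action from the Devices tab."""
        dev = self.devices[device_id]
        dev.locked = not dev.locked
        if not dev.locked:
            dev.manually_unlocked = True   # stays unlocked on later contacts


def demo():
    """Walk through the create / unlock / disable cases with constructed device names."""
    p = JailbreakPolicy(lock_jailbroken=True)
    a = p.on_contact("IMEI-1", "iPhone 3GS (Jailbroken)")   # created locked
    b = p.on_contact("IMEI-2", "Nexus One")                  # clean device: unlocked
    p.toggle_device_lock("IMEI-1")                           # administrator unlocks it
    c = p.on_contact("IMEI-1", "iPhone 3GS (Jailbroken)")   # not locked again
    p.lock_jailbroken = False                                # setting disabled
    d = p.on_contact("IMEI-3", "Galaxy S (Rooted)")         # created unlocked now

    p2 = JailbreakPolicy(lock_jailbroken=True)
    e1 = p2.on_contact("IMEI-4", "Galaxy S (Rooted)")       # locked while enabled
    p2.lock_jailbroken = False
    e2 = p2.on_contact("IMEI-4", "Galaxy S (Rooted)")       # still locked: unlock manually
    return a, b, c, d, e1, e2


if __name__ == "__main__":
    print(demo())
```

Because the marker comes from the client itself, a device that stops reporting the suffix also stops being locked by this rule; the example reflects that by re-evaluating the reported name on every contact, so the setting is a convenience control, not a tamper-proof integrity check.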
Click Save configuration to save the current configuration.