CUSTOMER
Mobile Secure Cloud Edition
Document Version: 1.0 (2014-12-19)

SAP Mobile Secure Cloud Edition Release Notes

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Overview
2 New Features
3 Enhancements/Changes
4 Fixed Issues
4.1 SAP Mobile Secure Admin Portal
4.1.1 Mobile Device Management
4.1.2 Mobile Application Management
4.2 Mobile Place
5 Known Issues
5.1 SAP Mobile Secure Admin Portal
5.1.1 General
5.1.2 Mobile Device Management
5.1.3 Mobile Application Management
5.2 Mobile Place
6 SAP Mobile App Protection by Mocana, cloud edition Release Notes
6.1 What’s New
6.2 Fixed Issues
6.3 Known Issues

1 Overview

SAP Mobile Secure cloud edition allows you to secure mobile devices, mobile applications, and the mobile content of your enterprise.

● Mobile Device Management – SAP Mobile Secure is the trusted solution to manage and secure deployments of mobile devices for any size of company.
  ○ Mobile Device Management – quickly self-enroll devices for enterprise use; have control needed by preconfiguring settings, and enforcing security and compliance policies.
  ○ Highly secure and scalable – meets the requirements of the world's largest enterprises. Remotely lock and wipe managed devices, control security settings for bring-your-own-device (BYOD) or corporate-owned devices.
  ○ Robust analytics – use built-in robust analytics for instant insight into mobile device usage and the ability to take immediate action.
● Mobile Application Management – SAP Mobile Secure cloud edition allows you to manage and secure applications on your devices. Mobile Place is the end user portal for SAP Mobile Secure, cloud edition.
It combines the best features of Mobile Application Management (MAM) and Mobile Device Management (MDM), providing a single interface into the Enterprise Mobility Management environment for both managed and unmanaged users and devices.
  ○ Manage applications by adding, modifying, and deleting applications.
  ○ Approve applications that can be consumed by users.
  ○ App Wrapping – SAP Mobile Secure helps organizations accelerate mobile initiatives by automating app security. App Wrapping technology enables enterprises to quickly secure existing corporate and third-party applications without having to write any code. To use the App Wrapping feature, you will have to buy a separate license at an additional cost.
● Mobile Content Management – SAP Mobile Documents is designed for enterprise deployments where collaboration, security, and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content, in an easy-to-use, native mobile app. To use SAP Mobile Documents, you will have to buy a separate license at an additional cost.

SAP Mobile Secure cloud edition product documentation is available on SAP Help Portal.

2 New Features

The new features introduced in this update of SAP Mobile Secure Cloud Edition are:

Table 1:

Area: Mobile Secure Admin Portal and Mobile Place
Feature: Provide a customized support page that will appear as Support menu item in Mobile Place.
Documentation Location:
● Mobile Secure Administration Guide > Account Management > Customizing Mobile Place
● Mobile Place User Guide > App Catalog

Area: Mobile Secure Admin Portal (Application Management) and Mobile Place
Feature: Administrators can add a Fiori application and deploy the Fiori application in Mobile Place.
Documentation Location:
● Mobile Secure Administration Guide > Application Management > Adding a Fiori Application
● Mobile Place User Guide > App Catalog > Installing a Fiori Application

Area: Mobile Place
Feature: View device information and location of the device; New device actions that can be performed from Mobile Place are:
● Android - Delete E-mail, Delete Email & Data
Documentation Location: Mobile Place User Guide > App Catalog

Area: Mobile Secure Admin Portal
Feature: Create a Mobile Secure organization account and associate accounts of subsidiaries to organization account.
Documentation Location: Mobile Secure Administration Guide:
● Creating an Organization Account and Associating Subsidiary Accounts
● Account Management > User Management > Adding Users

Area: Mobile Secure Admin Portal (Analytics)
Feature: View custom reports in SAP Lumira Launchpad from Analytics > Custom tab.
Documentation Location: Mobile Secure Administration Guide > Analytics

Area: Mobile Secure Admin Portal
Feature: Configure Single Sign-On (SSO) for Mobile Place.
Documentation Location: Mobile Secure Administration Guide:
● Account Management > Updating Mobile Place Settings
● Account Management > Configuring Single Sign-On for Mobile Place

Area: Mobile Secure Admin Portal (Device Administration)
Feature: Upload SSL certificate for Windows Phone to enable auto-discovery.
Documentation Location: Mobile Secure Administration Guide > Device Management > Managing Device Settings
● Auto-Discovery Support for Windows Phone Enrollment
● Creating and Configuring the Auto-Discovery Server

Area: Mobile Secure Admin Portal (Device Administration)
Feature: Support for iOS 7 activation lock and bypass code; New Allow activation lock option for supervised devices in the iOS Enrollment policy; A new security action to clear the activation code on a supervised device with Find My iPhone enabled; A new hardware inventory item for storing the device's bypass code.
Documentation Location:
● Device Administration > Policies > Enrollment Policies > Creating an Enrollment Policy for iOS
● Device Administration > Device Administration > Performing Security Actions on Devices > Security Actions for iOS Devices

Area: Mobile Secure Admin Portal (Device Administration)
Feature: iOS 8 new supervised device commands to change the device name and to clear the restrictions password on the device.
Documentation Location: Device Administration > Device Administration > Performing Security Actions on Devices > Security Actions for iOS Devices

Area: Mobile Secure Admin Portal (Device Administration)
Feature: iOS 8 consent text to display end-user license agreement in the enterprise application.
Documentation Location: Device Administration > Policies > Enrollment Policies > Creating an Enrollment Policy for iOS

3 Enhancements/Changes

The enhancements/changes introduced in this update of SAP Mobile Secure Cloud Edition are:

Table 2:

Area: Mobile Secure Admin Portal
Description: While adding a new application, application description now supports HTML content.
Documentation Location: Mobile Secure Administration Guide > Application Management
● Adding an Enterprise Application
● Adding a Web Application
● Adding a Fiori Application

Area: Mobile Secure Admin Portal
Description: While adding a new application, if an icon for an application is not provided, then the default application icon is displayed.
Documentation Location: Mobile Secure Administration Guide > Application Management
● Adding an Enterprise Application
● Adding a Web Application
● Adding a Fiori Application

Area: Mobile Secure Admin Portal
Description: While adding a new application, a filtered list is displayed for selecting trial users.
Documentation Location: Mobile Secure Administration Guide > Application Management
● Adding an Enterprise Application
● Adding a Web Application
● Adding a Fiori Application

Area: Mobile Secure Admin Portal
Description: While adding a new application, a filtered list is displayed for selecting app owners.
Documentation Location: Mobile Secure Administration Guide > Application Management
● Adding an Enterprise Application
● Adding a Web Application
● Adding an Application from Commercial App Store
● Adding a Fiori Application

Area: Mobile Secure Admin Portal (Device Administration)
Description: Updates to iOS WiFi payloads in configuration policies for iOS 8:
● When Proxy is set to Automatic
● New security types
● New Accepted EAP Type parameters
Documentation Location: Device Administration > Policies > Configuration Policies > Configuration Policies for iOS Devices > MDM Payloads > WiFi Payload

Area: Mobile Secure Admin Portal (Device Administration)
Description: Option to upload identity certificate in iOS 8 SSO payload, to renew the Kerberos credentials without user interaction.
Documentation Location: Device Administration > Policies > Configuration Policies > Configuration Policies for iOS Devices > MDM Payloads > Enterprise SSO Payload

Area: Mobile Secure Admin Portal (Device Administration)
Description: Inventory tracking for the new restrictions added in the iOS configuration policy.
Documentation Location: Device Administration > Device Administration > Device Inspector > Hardware Inventory for iOS Devices > Restrictions Hardware Inventory

Area: Mobile Secure Admin Portal (Device Administration)
Description: The OpenSSL Libraries on the server are upgraded to version 1.0.1j.

4 Fixed Issues

This section describes all the fixed issues in the product at the time of release.

4.1 SAP Mobile Secure Admin Portal

This section describes all the fixed issues in SAP Mobile Secure Admin portal.

4.1.1 Mobile Device Management

This section contains the fixed issues pertaining to Mobile Device Management (MDM) module in SAP Mobile Secure admin portal.

4.1.1.1 General

The general fixed issues related to Mobile Device Management module in Mobile Secure Admin portal are described below.

● When a new certificate authority (CA) profile definition is added to the CA server and the server is unavailable, there is a delay before the new profile definition appears. [REF 54390]
● Hiding a column in “Custom Data” view actually removes it from the view. [REF 54477]
● In the Afaria Administrator, the “Last Connection” column of the “Custom” view is dropped during an upgrade from SP04 to SP05. [REF 856666]
● The API sample to remove devices from Groups using the GUID or UDID, rather than the UID, fails.
● The API sample to open a policy using an enrollment code rather than the policy ID fails.
● The existing enrollment server (aips) web.config file is overwritten during the upgrade process.

4.1.1.2 Android Devices

The fixed issues related to Android devices are described below.

● Reenrolling Android devices revokes all policy certificates.
[REF 54576]
● The “Purpose” field on the certificate view for the SLL (static link library) application on Android is blank. [REF 54638]

4.1.1.3 iOS Devices

The fixed issues related to iOS devices are described below.

● Expired iOS policy certificates are not auto-renewed. [REF 54551]
● When an iOS configuration for Exchange Active Sync policy is set up to configure the Exchange password on the device during enrollment, and the policy is reapplied to the device after enrollment, and the user also manually enters a policy, the Exchange password field on the device is blanked out. [REF 51328]
● Enrolling an iOS client using the MDM enrollment URL results in an error. [REF SMS-5372]

4.1.2 Mobile Application Management

This section contains the fixed issues pertaining to Mobile Application Management (MAM) module in SAP Mobile Secure admin portal.

● Occasionally, retire and delete actions text for workflow does not appear. [REF SMS-4752]
● While adding a commercial application from Apple play store, the country name is invalid when the URL of the commercial application contains the country name. For example, URL is https://itunes.apple.com/us/app/find-my-iphone/id376101648?mt=8. [REF SMS-4495]
● If the URL contains the country name while adding a commercial application from Apple play store, an alert that application is not supported is displayed. [REF SMS-4494]

4.2 Mobile Place

This section describes the fixed issues in Mobile Place.

● In application catalog, clicking on a newly created web app intermittently hangs the screen with a wait cursor. [REF SMS-5481]
● App Catalog page is unresponsive (performance issue) on mobile devices. [REF SMS-4618]
● Application Catalog page is unresponsive when using native browser on Android devices.
[REF SMS-4618]

5 Known Issues

This section describes all the known issues in the product at the time of release.

5.1 SAP Mobile Secure Admin Portal

This section describes all the known issues in SAP Mobile Secure Admin portal.

5.1.1 General

The general issues related to Mobile Secure Admin portal are described below.

● For Network Access Control to function, a Mobile Secure identity, unique to each enterprise, must be specified in the cloud settings. Currently this setting is not accessible to enterprise administrators. [REF SMS-4590]
  Workaround/Action: To set this value, please open a support case with the username that should be used to populate the field, and the operations team will populate the field with the supplied value. This user must have the Afaria Helpdesk role at minimum.
● After renewing Apple MDM APNs certificate and uploading it through portal, iOS enrollment did not work. Uploaded APNs certificate is correctly installed in the SAP Afaria server but did not remove the old certificate, causing enrollment to fail. [REF SMS-2245]
  Workaround/Action: Please open a support case to remove previous MDM APNS certificate from Afaria server environment.
● On selecting the Account Users menu and creating a new user with user name containing multi-byte (example: Chinese) characters, an error occurs when saving information in Add New User dialog. [REF SMS-1662]
  Workaround: None.

5.1.2 Mobile Device Management

This section contains the known issues pertaining to Mobile Device Management (MDM) module in SAP Mobile Secure admin portal.

5.1.2.1 Android Devices

The known issues related to Android devices are described below.

● An Android device's user value format changes from <user> to <domain>\<exchangeID> when the Afaria client is launched for the first time. This occurs for Android devices with Nitrodesk installed that have been manually enrolled. This behavior is by design. When the device enrolls, a UserID is supplied and displayed in the User column of the Device list. When the client is launched for the first time, this value changes to the <domain>\<exchangeID> format. This does not occur for devices enrolled through the Self-Service Portal. [REF 52256]
● Following an Afaria Server upgrade to SP5, you cannot remove a WiFi SSID from a device using the Samsung WiFi configuration policy if the device is running a pre-SP5 version of the Afaria client application.
  Workaround: Upgrade the client to SP5. [REF 52690]
● If the SAP Afaria client is deleted from the SAP Afaria server and devices try to connect using the client without re-enrolling, the sessions on Android devices fail with a "The Server refused to accept a connection from this client due to security restrictions" error message. The SAP Afaria client reconnects and displays a "This Client is not approved" error message. [REF 53792]
● Users can uninstall an application even when uninstallation is disabled in a Samsung SAFE Application configuration policy if the same application is set as optional in an Android Enterprise Application policy. If you create a Samsung policy for an application with installation and uninstallation settings, do not create a separate Android Enterprise Application policy for the application. [REF 53908]
● If a user deactivates the Afaria Samsung MMEP application from the Device administrators page of a Samsung device, they can bypass policies and restrictions previously applied to the device.
  Workaround: Create and deploy a Device Manager policy (Android Configuration Samsung SAFE Device Manager Policy) with Allow Afaria Device Admin Deactivation set to "No".
[REF 53909]
● If inventory is deleted for an Android device from the Devices page of the Afaria Administration console, the device does not receive policies during the next session and the user receives a message that "Certificate failed authentication. Try reset credentials, enroll again or contact your administrator".
  Workaround: Reset credentials or re-enroll the device. [REF 53910]
● Android 4.2 and later devices will not connect successfully over SSL if the certificate has been signed with an MD5 signature. This is a security restriction of Android 4.2+ devices. [REF 53914]
● The Samsung Email Account configuration policy creates a duplicate email account on Android KitKat devices on subsequent sessions. This occurs if the incoming and outgoing user names are not in the format <username>@<domain>. KitKat devices require this format. [REF 54457]
● Unable to create an Exchange account on a Samsung S3/ICS device using a Samsung Exchange account policy if a prior attempt to create the account failed because of invalid settings.
  Workaround: Remove the Email address value from the EAS account in the policy and reapply it to the device; then re-add the Email address value and reapply the policy to the device. [REF 54556]
● Intermittent issues when installing applications from Google Play Store. Problems may include Google Play Store or the device crashing. This is an issue with Google Play Store. [REF 54589]
● If you delete the INV log on an Android device with GCM server enabled, the GCM Registration ID is deleted as well. When you reconnect and send an outbound request, the request fails and an error message is written to the server log.
  Workaround: Re-enroll the device to populate the GCM registration ID. [REF 54617]
● Re-enrolling Android devices issues new SSO certificates consistently, but EAS certificates only intermittently. Re-enrolling does not issue new NitroDesk, Wi-Fi, or SCEP certificates.
Clearing data issues all new certificates, but EAS certificates only intermittently. [REF 54618]
● The Android device commands Administrator Lock and Unlock should be used with extreme caution. These actions have exhibited different behaviors dependent on the OS version, device type, and carrier. The system settings application crashes when sending an unlock command to a Samsung Galaxy Note 3 with KitKat on the Verizon network. Similar unpredictable negative behaviors may manifest on other devices. [REF 54621]
● NitroDesk is not successfully wiped when the Remote Wipe command is sent to a device following a failed reconfiguration of NitroDesk. [REF 54644]
● On Samsung devices, it is possible that the Afaria MMEP file will be sent to the device multiple times. [REF 54662]
● The Afaria Samsung AES2 Client available from the Google Play store is not supported on Android KitKat devices. [REF 54672]
● A certificate on an Android device may not renew during the certificate renewal window. This can occur if multiple Android devices with certificates connect simultaneously for renewals. The certificate should renew during the next renewal window. [REF 54675]
● During enrollment of a Samsung SAFE device with an installed AES2 client, the client switches to the base/MMEP application but does not present an activation screen for the Afaria client.
  Workaround: Enable device admin on the Afaria client or re-enroll the device. [REF 54684]

5.1.2.2 iOS Devices

The known issues related to iOS devices are described below.

● The following known issues are raised with Apple:
  ○ Spotlight internet search restriction not disabling.
  ○ Unable to mirror the content to Apple TV with AirPlay restrictions policy.
  ○ iOS8: Managed Email domains not highlighting the mails from unmanaged accounts.
● After deleting the Enterprise SSO payload from the device, the Ticket Granting Ticket (TGT) is not removed from the device and single sign-on continues to work. [REF 50424]
  Workaround: Clear the cache on the device to remove the TGT and prevent single sign-on from working.
● Due to issues in the NitroDesk TouchDown application (V3.1.0 available in App Store), the iOS NitroDesk Calendar settings 'Work Day Start' and 'Work Day End' are not configured correctly when the TouchDown application is configured through the Afaria 7 SP4 application. This issue has to be addressed by NitroDesk. [REF 51381]
● If a VPP-registered user enrolls an iOS 7 device and provides an invalid ID or password for the Web Clip prompt in the first attempt, a second attempt does not connect to the App Store correctly. This is an intermittent issue. [REF 51442]
● If you enroll an iOS device using an enrollment policy associated with a group that has VPP app policies linked, and if no service token (sToken) has been uploaded in the Server Configuration iOS Volume Purchase page, the enrollment of the device fails. If you link an iOS VPP policy (without sToken) to a group, post the enrollment of a device in the group, other application policies are not pushed to the device. [REF 51742]
● In the Afaria Administration console, if you try to delete an iOS 7 device that has VPP app policies attached, the device record will not get deleted. This issue occurs if the Afaria Server and the Afaria API services are installed on two physically separate machines. [REF 51741]
● NitroDesk policies are not applied to an iOS device if the enrollment policy is only linked to the All Devices group.
  Workaround: Link the enrollment policy to another static, dynamic, or user group. [REF 51719]
● The On Demand VPN Safari Domain tag is not set correctly on iOS 7 devices.
[REF Apple Bug 15085646]
● After re-installation, the Afaria client experiences errors when deleting key chain data on iOS 7 devices. This happens when users launch the application for the first time after re-installation. The error is visible in the iPhone Configurations Utility and not visible to the user. [REF Apple Bug 15167203]
● Deleting the Config Payload on devices does not always remove icons for MDM Application Policies set as Remove with MDM Control until the devices are restarted. [REF Apple Bug 14739116]
● iOS 7 devices may not generate identity certificates during enrollment or re-enrollment with enrollment policies with the Use Identity/X.509 Certificate option selected. An error obtaining the public key causes this issue.
● The Volume Purchasing Program (VPP) does not associate B2B licensing to applications and devices cannot install the B2B applications. [REF Apple Bug 15309518]
● The deployment of MDM-required Enterprise Application Policies might fail when devices initially enroll with Afaria. The MDM-required Enterprise Application Policies deploy successfully when policies are next applied to devices.
● The device ID prefix is stored in the SAP Afaria database and used by SAP Afaria, but the ID prefix is not retrieved from the database when the device is edited. [REF 54458]
● iOS payload encryption fails to report status on iOS 7.0 and 7.1 devices. [REF Apple bug 16470948]
● If the Install prompt for the MDM application policy push is displayed when the device auto-locks, unlocking the device dismisses the Install prompt and prevents the installation of the application. [REF Apple bug 16657452]
● iOS client enrollments using an MDM enrollment URL receive a ‘ClientDAL.RunQuery: Cannot convert to a uniqueidentifier’ error. [REF CSS 0120061532/0001496697/2014]
● Enrolling iOS 7 devices does not populate the purpose value for SSO/identity issued certificates.
[REF 54102]
● The ICCID system variable for iOS devices is not populated, so it cannot be resolved in policies. [REF 52385]
● Expired MDM identity certificates for iOS devices do not renew automatically because devices cannot connect to SAP Afaria for MDM connections. MDM identity certificates for iOS devices must be renewed before expiry. [REF 54627]
  Workaround: Re-enroll devices if the certificates expire.

Apple Device Enrollment Program

● The Apply Configuration and Skip Configuration options do not appear on the Apple Device Enrollment Program configuration screen. [REF Apple bug 16404559]
  Workaround: Click Back and then return to the screen to make the options appear.
● The Apple Device Enrollment Program does not support the use of user prompts (configured on the variable tab) in enrollment policies. If an enrollment policy includes user prompts, the user prompts are ignored. [REF 53062]
● The Apple Device Enrollment Program requires HTTPS for the entire communication process regardless of the Enrollment Server configuration. If the Enrollment Server will be configured for HTTP connections, then you need to specify the HTTPS port during installation of the Enrollment Server. [REF 53062]
● iOS payload encryption is not supported for the Apple Device Enrollment Program on iOS 7.1 devices. [REF Apple bug 16404749]
● The Apple Device Enrollment Program uses the same deferred delivery process for MDM required application policies as it uses for configuration policies with supervised payloads. This is to work around the Apple bug that executes the Apple Device Enrollment Program during setup but does not manage the prompting for installation of MDM required application policies for the remainder of the setup. This prevents the prompts from appearing.
[REF Apple bug 16430116]
● Apple does not display an invalid credentials message/screen to users when credentials fail authentication during Apple Device Enrollment. [REF Apple bug 16522434]
● The Apple Device Enrollment profile setting for the Skip Location Services setup panel does not work when using the cellular network on the device for setup. [REF Apple bug 16558155]
● Changing the Enrollment Server configuration (Server > Configuration > Component > Enrollment Server) changes the URL that devices must use for enrollment. For an SAP Afaria system using the Apple Device Enrollment Program, the Apple Profile must be updated to include the updated URL in the Apple Device Enrollment Profile pane (Server > Configuration > Enrollment > Apple Device Enrollment). To update the profile, update an item in the Apple Device Enrollment pane (other than the iOS Enrollment Policy list) and click Save to generate a new Apple Profile with the updated Enrollment Server URL. [REF 53062]
● The apply configuration functionality of the Apple Device Enrollment Program on devices intermittently returns the error message: "The configuration for your iPhone could not be downloaded from <CompanyName>. The request timed out." The issue seems to be related to connectivity or performance issues with the Apple Cloud server from which the device retrieves the Apple Device Enrollment Profile. This issue occurs approximately 5 times per 50 enrollments. [REF Apple bug 16657457]
  Workaround: Go back a screen and select Apply Configuration again a few seconds later.
● Choosing Skip the Configuration during activation of a device that is associated with an Apple Device Enrollment Program account applies the Supervised setting of the DEP payload. [REF Apple bug 17826636]
  Workaround: Disassociate the device from the DEP profile and perform a hard reset.

5.1.2.3 Windows Phone Devices

The known issues related to Windows Phone devices are described below.

● With native Certificate retrieval mechanism, Afaria is unable to retrieve the root certificate of the CA through Certificate acquisition.
  Workaround: The root certificate of the CA must be installed on the device (only for self-signed CA). [REF 54264]
● Authentication for Windows Phone devices works only with samaccount name and UPN format settings. It does not work with any other formats including Common name. [REF 53888]
● LDAP-based authentication for Windows Phone devices is supported using UPN (User Principal Name) format (user@domain) only, samaccountname format (domain\user) is not supported for enrolling the devices. [REF 52268]

5.1.3 Mobile Application Management

This section contains the known issues pertaining to Mobile Application Management (MAM) module in SAP Mobile Secure admin portal.

● Application workflow will not work if you are using Firefox browser. [REF SMS-7252]
  Workaround/Action: Use Microsoft Internet Explorer or Google Chrome browser.
● AES versions are not getting updated for Samsung Non-Safe Device. This is due to a timing issue/async on Afaria's part - between the time a device is added to the groups and the device receiving apply policy notification and initiating a connection to get and install new apps through MDM path. [REF SMS-4484]
  Workaround/Action: Refresh the Afaria client or wait until daily apply policy task executes.
● Multiple application categories are not getting deleted. Only the last application category is deleted. [REF SMS-5387]
  Workaround: None.

5.2 Mobile Place

This section describes the known issues in Mobile Place.

● Mobile Place does not support Android native browser. [REF SMS-4849]
  Workaround/Action: Use Google Chrome or Firefox browser.
● On navigating to a category that has commercial applications and on clicking Install All, an invalid error message is displayed.
[REF SMS-5339]
  Workaround: Ignore the extra message dialog that appears after the warning message.
● Installing an application or installing all applications does not work for managed devices on an Android tablet. This is due to a timing issue/async on MDM's part - between the time a device is added to the groups and the device receiving apply policy notification and initiating a connection to get and install new apps through MDM path. [REF SMS-4778]
  Workaround/Action: Refresh the Afaria client or wait until daily apply policy task executes.
● Videos that are available with the application do not play on a Windows Phone device. [REF SMS-4715]
  Workaround: None.
● Irrelevant popup "Open this page in App Store" appears when installing enterprise applications on iOS8 devices. [REF SMS-4342]
  Workaround/Action: Ignore the popup. Click ok to continue installation of the application.
● On a Galaxy S2 (Chrome), the app catalog page takes a very long time to load and the user is shown an error message "Unresponsive script". [REF SMS-4221]
  Workaround/Action: Refresh the browser.
● Customized favorite icon is not applied on Chrome browser. [REF SMS-2514]
  Workaround: None.
● On viewing Mobile Place in landscape mode on a device, the search suggestion cannot be scrolled. [REF SMS-6602]
  Workaround/Action: Switch to Portrait mode.
● The UI is distorted and completely left-aligned in the app details page (Samsung tab-kit kat) native browser. [REF SMS-2558]
  Workaround/Action: Use a different browser.
● With native browser on Android S3 devices, App does not change or changes slowly when trying to scroll on the hero control. [REF SMS-2479]
  Workaround/Action: Use a different supported browser on the device. This issue is specific to S3 native browsers.
● Due to issues with native browser on a Samsung S2 device, user experience is slow. Often user may have to refresh the browser or try the operation repeatedly. [REF SMS-2511]
  Workaround/Action: Use a different browser.
● On a Nokia 520 device, the list of categories is not displayed on clicking the “Categories” menu under the hamburger icon. [REF SMS-4708]
  Workaround/Action: Clear the cache and log in to Mobile Place again.

6 SAP Mobile App Protection by Mocana, cloud edition Release Notes

6.1 What’s New

● Atlas platform now supports iOS8 devices and apps.
● Atlas platform seamlessly updates the application when a user changes his/her AD password. Users do not need to remember their old password. To log in, they simply enter their newly created password.
● End-To-End deployment and validation of SAP Fiori leveraging Mocana Atlas Platform.
● Atlas platform allows admins to ensure the device is under MDM management and is compliant.
● Atlas platform now allows admins to configure up to 64 static routes, thus allowing admins to direct traffic out of a known interface.
● Atlas platform now allows admins to configure the maximum duration for any one session to be active. Once the duration has expired, all session data is removed and the user is asked to re-authenticate.
● Atlas platform now allows configuration so that certificates issued by a trusted certificate authority can be used to establish tunnel and server authentications.
● Attachments in wrapped apps will automatically open in an approved viewer if only one viewer is available, thus eliminating the need to ask the user to tap and select the only approved viewer.
● Compass now allows users to manually clear all traces and stored data from their browsing sessions so that on a shared device the next user does not have access to the previous user’s credentials and data.
● Compass on Android now allows users to add website shortcuts to the device’s home screen for convenience.
● Admin can now change the default application name for Compass on Android.
● Links in applications pre-pended with maphttp or maphttps will open in Compass. Applications do not have to be wrapped.
● All links in wrapped applications will open in Compass. If Compass is not installed, then links will open in the default browser.
● Atlas platform now allows admins to configure the federation ID manually. This provides finer control, such as not having to re-wrap and re-install all applications in the federation when the federation ID changes.

6.2 Fixed Issues

● MAP wrapper can now listen for Android framework broadcast messages. This allows Nitrodesk Touchdown services and receivers to restart.
  Note: This is currently only supported for headless DAR with Touchdown.
● For iOS, push notifications can only be enabled if the provisioning profile used to sign does not have any wildcards.
● Clicking on the Back button in Compass on Android will take the user back to the main launcher page. Previously, the user was taken back to a blank page.
● Lockout Recovery policy is only applicable to non-Atlas VPN profiles. For Atlas profiles, the configured authentication provider, such as Active Directory, enforces lockout. To recover, a user must reset their corporate password via the existing IT process. Atlas platform seamlessly updates the application upon password change.
● For Atlas profiles, the configured authentication provider handles incorrect login attempts. Thus for Atlas profiles, data wipe is no longer triggered by incorrect login attempts. Future releases will address scenarios that allow admins to trigger data wipe from Atlas.
● Smart Firewall policies will block all non-SSL traffic; therefore, if the PAC file is located at an http site, then Compass wrapped with Smart Firewall will not be able to retrieve the PAC file.
● Crash with secure copy paste on Samsung S5 Android 4.4.2 with passphrase policy no longer occurs.
● Misalignment and content display issues resolved for ‘About Pages’ in Compass on iPhone and iPad.
● Lockout recovery is no longer required for app federations.
  Note: For non-Atlas VPN profiles, if lockout recovery is not selected, then there is no way to recover data if the user forgets their password.
● Installation no longer contains old links for downloading necessary packages.
● Locally stored data is no longer being deleted when DAR policy is selected.
● CBC mode can leak information about plaintext in rare cases. By default this mode is turned off but can be re-enabled.
● Closed internal IPC (LINX) and redis ports.
● Patched nginx to resolve open vulnerabilities.
● Turned off ICMP timestamp support.
● For iOS, mapbrowser.plist is now added to the list of assets that are protected against tampering.
● Compass now supports email links embedded in web pages. An external email client might be launched depending on the enforcement of the MAP Email Enforcement policy.

6.3 Known Issues

● The default configuration for Password Recovery on Atlas is set to false. MAP wrapped applications will not connect if Password Recovery is not enabled. The solution is to enable Password Recovery on Atlas.
● User password change during Atlas upgrade currently requires the user to either enter the old password or reinstall the app.
● Compass supports proxy via a PAC file. However, proxy authentication is currently not supported. The workaround is to disable proxy authentication temporarily in the interim while support is added in future releases.
● On Galaxy S3 running Android 4.1.1, force-stopping one app in a federation results in a force stop for all other apps because older versions of Android have the same shareUserID.
● For iOS7, the FIPS policy for certain applications is not working. FIPS policy is working for iOS8. The issues will be resolved in a future release.
● Currently, Android apps (APKs) that have certain specific contents cannot be wrapped with policies. APKs that cannot be wrapped contain the use of media playing (video, audio) or Google APIs (specifically Google Maps functionality), only when the "Encrypted Data-at-Rest" policy is being applied. No workaround currently.
● Print option is disabled by default on Compass for both Android and iOS.
● User is prompted for each app in a federation that is configured with Atlas PSK mode.
● Copying and pasting inside the browser yields unexpected behavior. This will be further investigated in a future release.
● In iOS apps, some special-case data-at-rest (DAR) files are currently not encrypted by the Encrypted Data-at-Rest policy. This includes:
  (1) The screenshot of the app taken by iOS when the app is backgrounded. This screenshot is stored within the app, not in the Photos database.
  (2) Certain log files (redirected "stderr" and "stdout") written by the app and stored within the app.
  (3) Cache.db and certain other items created in the Cache directory.
  (4) Files written by an unwrapped app prior to being over-installed by a wrapped app (see #115 in this document for recommendation).
● iOS apps protected by Digital Rights Management (DRM) are not wrappable due to federal law. The MAP server prevents their upload.
● It is important to note that the “Jailbreak/Rooting Detection” policy isn’t fool-proof. This is the nature of jailbreak/rooting detection in general. The MAP policy detects certain known exploits, but there will be new exploits invented in the future that it does not detect. Future releases of MAP will adapt the “Jailbreak/Rooting Detection” policy accordingly.
  Mitigation: Apply additional MAP policies in order to protect the app in a variety of ways even if the device is jailbroken/rooted.
● MAP does not explicitly prevent apps from using cloud services such as iCloud, which can allow users to freely save data outside the device.
  Recommendation: Restrict apps that require iCloud entitlements or use cloud storage.
● The user must successfully authenticate to the app once before lockout recovery can be used. If the user upgrades an app that did not have lockout recovery applied to a version that does and then immediately locks the app, the recovery process will not be available. If the user has authenticated at least once after the upgrade, the recovery process will be available.
● Apps wrapped using the Smart Firewall policy, which blocks non-SSL connections, will only work with secure versions of SSL (TLS 1.0/SSL 3.1 or greater).
● In v2.5.8, there is an added feature to allow for case insensitivity when entering the username for the Per App VPN policy. However, on the rare occasions when the username must be changed, case insensitivity is not supported. The user MUST enter the correct case of the original username entered from the initial launch of the app in order to change the username.
● The Per App VPN policy is unable to create a VPN tunnel against the Mocana MAP Atlas for any apps that utilize secondary processes (multiprocess apps). This issue is targeted to be resolved in a future release.
● MAP wrapping adds Mocana security methods needed for securing the application. However, if an app already has 64K methods, this leaves no room to add MAP wrapper methods. This is an Android limitation. The solution is for the app developer to reduce the number of original methods in the apk to the 50K-55K range.
● 64-bit applications are not supported. Support is to be added in later releases as more 64-bit devices take larger market share.
● Under a race condition, Mocana Atlas will send two different PINs during certificate enrollment for multiple apps that are part of the same federation. For this to happen during certificate enrollment, the user has to launch the first app, background it, launch the second app, re-launch the first app, complete enrollment, launch the second app again, kill the second app and then re-launch the second app.
● Username change is currently not fully supported. It only works if connecting via settings and not via auth screen.

Important Disclaimers and Legal Information

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).

www.sap.com/contactsap

© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.