CUSTOMER
Mobile Secure Cloud Edition
Document Version: 1.0 (2014-12-19)
SAP Mobile Secure Cloud Edition
Release Notes
Content
1 Overview
2 New Features
3 Enhancements/Changes
4 Fixed Issues
4.1 SAP Mobile Secure Admin Portal
4.1.1 Mobile Device Management
4.1.2 Mobile Application Management
4.2 Mobile Place
5 Known Issues
5.1 SAP Mobile Secure Admin Portal
5.1.1 General
5.1.2 Mobile Device Management
5.1.3 Mobile Application Management
5.2 Mobile Place
6 SAP Mobile App Protection by Mocana, cloud edition Release Notes
6.1 What’s New
6.2 Fixed Issues
6.3 Known Issues
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
1 Overview
SAP Mobile Secure cloud edition allows you to secure the mobile devices, mobile applications, and mobile content of your enterprise.
● Mobile Device Management – SAP Mobile Secure is the trusted solution to manage and secure deployments of mobile devices for any size of company.
  ○ Mobile Device Management – quickly self-enroll devices for enterprise use; gain the control you need by preconfiguring settings and enforcing security and compliance policies.
  ○ Highly secure and scalable – meets the requirements of the world's largest enterprises. Remotely lock and wipe managed devices, and control security settings for bring-your-own-device (BYOD) or corporate-owned devices.
  ○ Robust analytics – use built-in robust analytics for instant insight into mobile device usage and the ability to take immediate action.
● Mobile Application Management – SAP Mobile Secure cloud edition allows you to manage and secure applications on your devices. Mobile Place is the end user portal for SAP Mobile Secure, cloud edition. It combines the best features of Mobile Application Management (MAM) and Mobile Device Management (MDM), providing a single interface into the Enterprise Mobility Management environment for both managed and unmanaged users and devices.
  ○ Manage applications by adding, modifying, and deleting applications.
  ○ Approve applications that can be consumed by users.
  ○ App Wrapping – SAP Mobile Secure helps organizations accelerate mobile initiatives by automating app security. App Wrapping technology enables enterprises to quickly secure existing corporate and third-party applications without having to write any code. To use the App Wrapping feature, you will have to buy a separate license at an additional cost.
● Mobile Content Management – SAP Mobile Documents is designed for enterprise deployments where collaboration, security, and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content, in an easy-to-use, native mobile app. To use SAP Mobile Documents, you will have to buy a separate license at an additional cost.
SAP Mobile Secure cloud edition product documentation is available on SAP Help Portal.
2 New Features
The new features introduced in this update of SAP Mobile Secure Cloud Edition are:
Table 1:
| Area | Feature | Documentation Location |
|---|---|---|
| Mobile Secure Admin Portal and Mobile Place | Provide a customized support page that will appear as Support menu item in Mobile Place. | Mobile Secure Administration Guide > Account Management > Customizing Mobile Place; Mobile Place User Guide > App Catalog |
| Mobile Secure Admin Portal (Application Management) and Mobile Place | Administrators can add a Fiori application and deploy the Fiori application in Mobile Place. | Mobile Secure Administration Guide > Application Management > Adding a Fiori Application; Mobile Place User Guide > App Catalog > Installing a Fiori Application |
| Mobile Place | View device information and location of the device; New device actions that can be performed from Mobile Place are: Android - Delete E-mail, Delete Email & Data | Mobile Place User Guide > App Catalog |
| Mobile Secure Admin Portal | Create a Mobile Secure organization account and associate accounts of subsidiaries to organization account. | Mobile Secure Administration Guide: Creating an Organization Account and Associating Subsidiary Accounts; Account Management > User Management > Adding Users |
| Mobile Secure Admin Portal (Analytics) | View custom reports in SAP Lumira Launchpad from Analytics > Custom tab. | Mobile Secure Administration Guide > Analytics |
| Mobile Secure Admin Portal | Configure Single Sign-On (SSO) for Mobile Place. | Mobile Secure Administration Guide: Account Management > Updating Mobile Place Settings; Account Management > Configuring Single Sign-On for Mobile Place |
| Mobile Secure Admin Portal (Device Administration) | Upload SSL certificate for Windows Phone to enable auto-discovery. | Mobile Secure Administration Guide > Device Management > Managing Device Settings: Auto-Discovery Support for Windows Phone Enrollment; Creating and Configuring the Auto-Discovery Server |
| Mobile Secure Admin Portal (Device Administration) | Support for iOS 7 activation lock and bypass code; New Allow activation lock option for supervised devices in the iOS Enrollment policy; A new security action to clear the activation code on a supervised device with Find My iPhone enabled; A new hardware inventory item for storing the device's bypass code. | Device Administration > Policies > Enrollment Policies > Creating an Enrollment Policy for iOS; Device Administration > Device Administration > Performing Security Actions on Devices > Security Actions for iOS Devices |
| Mobile Secure Admin Portal (Device Administration) | iOS 8 new supervised device commands to change the device name and to clear the restrictions password on the device. | Device Administration > Device Administration > Performing Security Actions on Devices > Security Actions for iOS Devices |
| Mobile Secure Admin Portal (Device Administration) | iOS 8 consent text to display end-user license agreement in the enterprise application. | Device Administration > Policies > Enrollment Policies > Creating an Enrollment Policy for iOS |
3 Enhancements/Changes
The enhancements/changes introduced in this update of SAP Mobile Secure Cloud Edition are:
Table 2:
| Area | Description | Documentation Location |
|---|---|---|
| Mobile Secure Admin Portal | While adding a new application, application description now supports HTML content. | Mobile Secure Administration Guide > Application Management: Adding an Enterprise Application; Adding a Web Application; Adding a Fiori Application |
| Mobile Secure Admin Portal | While adding a new application, if an icon for an application is not provided, then the default application icon is displayed. | Mobile Secure Administration Guide > Application Management: Adding an Enterprise Application; Adding a Web Application; Adding a Fiori Application |
| Mobile Secure Admin Portal | While adding a new application, a filtered list is displayed for selecting trial users. | Mobile Secure Administration Guide > Application Management: Adding an Enterprise Application; Adding a Web Application; Adding a Fiori Application |
| Mobile Secure Admin Portal | While adding a new application, a filtered list is displayed for selecting app owners. | Mobile Secure Administration Guide > Application Management: Adding an Enterprise Application; Adding a Web Application; Adding an Application from Commercial App Store; Adding a Fiori Application |
| Mobile Secure Admin Portal (Device Administration) | Updates to iOS WiFi payloads in configuration policies for iOS 8: When Proxy is set to Automatic; New security types; New Accepted EAP Type parameters | Device Administration > Policies > Configuration Policies > Configuration Policies for iOS Devices > MDM Payloads > WiFi Payload |
| Mobile Secure Admin Portal (Device Administration) | Option to upload identity certificate in iOS 8 SSO payload, to renew the Kerberos credentials without user interaction. | Device Administration > Policies > Configuration Policies > Configuration Policies for iOS Devices > MDM Payloads > Enterprise SSO Payload |
| Mobile Secure Admin Portal (Device Administration) | Inventory tracking for the new restrictions added in the iOS configuration policy. | Device Administration > Device Administration > Device Inspector > Hardware Inventory for iOS Devices > Restrictions Hardware Inventory |
| Mobile Secure Admin Portal (Device Administration) | The OpenSSL Libraries on the server are upgraded to version 1.0.1j. | |
4 Fixed Issues
This section describes all the fixed issues in the product at the time of release.
4.1 SAP Mobile Secure Admin Portal
This section describes all the fixed issues in SAP Mobile Secure Admin portal.
4.1.1 Mobile Device Management
This section contains the fixed issues pertaining to Mobile Device Management (MDM) module in SAP Mobile Secure admin portal.
4.1.1.1 General
The general fixed issues related to Mobile Device Management module in Mobile Secure Admin portal are described below.
● When a new certificate authority (CA) profile definition is added to the CA server and the server is unavailable, there is a delay before the new profile definition appears. [REF 54390]
● Hiding a column in “Custom Data” view actually removes it from the view. [REF 54477]
● In the Afaria Administrator, the “Last Connection” column of the “Custom” view is dropped during an upgrade from SP04 to SP05. [REF 856666]
● The API sample to remove devices from Groups using the GUID or UDID, rather than the UID, fails.
● The API sample to open a policy using an enrollment code rather than the policy ID fails.
● The existing enrollment server (aips) web.config file is overwritten during the upgrade process.
4.1.1.2 Android Devices
The fixed issues related to Android devices are described below.
● Reenrolling Android devices revokes all policy certificates. [REF 54576]
● The “Purpose” field on the certificate view for the SLL (static link library) application on Android is blank. [REF 54638]
4.1.1.3 iOS Devices
The fixed issues related to iOS devices are described below.
● Expired iOS policy certificates are not auto-renewed. [REF 54551]
● When an iOS configuration for Exchange Active Sync policy is set up to configure the Exchange password on the device during enrollment, and the policy is reapplied to the device after enrollment, and the user also manually enters a policy, the Exchange password field on the device is blanked out. [REF 51328]
● Enrolling an iOS client using the MDM enrollment URL results in an error. [REF SMS-5372]
4.1.2 Mobile Application Management
This section contains the fixed issues pertaining to Mobile Application Management (MAM) module in SAP Mobile Secure admin portal.
● Occasionally, retire and delete actions text for workflow does not appear. [REF SMS-4752]
● While adding a commercial application from Apple play store, the country name is invalid when the URL of the commercial application contains the country name. For example, URL is https://itunes.apple.com/us/app/find-my-iphone/id376101648?mt=8. [REF SMS-4495]
● If the URL contains the country name while adding a commercial application from Apple play store, an alert that application is not supported is displayed. [REF SMS-4494]
4.2 Mobile Place
This section describes the fixed issues in Mobile Place.
● In application catalog, clicking on a newly created web app intermittently hangs the screen with a wait cursor. [REF SMS-5481]
● App Catalog page is unresponsive (performance issue) on mobile devices. [REF SMS-4618]
● Application Catalog page is unresponsive when using native browser on Android devices. [REF SMS-4618]
5 Known Issues
This section describes all the known issues in the product at the time of release.
5.1 SAP Mobile Secure Admin Portal
This section describes all the known issues in SAP Mobile Secure Admin portal.
5.1.1 General
The general issues related to Mobile Secure Admin portal are described below.
● For Network Access Control to function, a Mobile Secure identity, unique to each enterprise, must be specified in the cloud settings. Currently this setting is not accessible to enterprise administrators. [REF SMS-4590]
  Workaround/Action: To set this value, please open a support case with the username that should be used to populate the field, and the operations team will populate the field with the supplied value. This user must have the Afaria Helpdesk role at minimum.
● After renewing Apple MDM APNs certificate and uploading it through portal, iOS enrollment did not work. Uploaded APNs certificate is correctly installed in the SAP Afaria server but did not remove the old certificate, causing enrollment to fail. [REF SMS-2245]
  Workaround/Action: Please open a support case to remove previous MDM APNS certificate from Afaria server environment.
● On selecting the Account Users menu and creating a new user with user name containing multi-byte (example: Chinese) characters, an error occurs when saving information in Add New User dialog. [REF SMS-1662]
  Workaround: None.
5.1.2 Mobile Device Management
This section contains the known issues pertaining to Mobile Device Management (MDM) module in SAP Mobile Secure admin portal.
5.1.2.1 Android Devices
The known issues related to Android devices are described below.
● An Android device's user value format changes from <user> to <domain>\<exchangeID> when the Afaria client is launched for the first time. This occurs for Android devices with Nitrodesk installed that have been manually enrolled. This behavior is by design. When the device enrolls, a UserID is supplied and displayed in the User column of the Device list. When the client is launched for the first time, this value changes to the <domain>\<exchangeID> format. This does not occur for devices enrolled through the Self-Service Portal. [REF 52256]
● Following an Afaria Server upgrade to SP5, you cannot remove a WiFi SSID from a device using the Samsung WiFi configuration policy if the device is running a pre-SP5 version of the Afaria client application.
  Workaround: Upgrade the client to SP5. [REF 52690]
● If the SAP Afaria client is deleted from the SAP Afaria server and devices try to connect using the client without re-enrolling, the sessions on Android devices fail with a "The Server refused to accept a connection from this client due to security restrictions" error message. The SAP Afaria client reconnects and displays a "This Client is not approved" error message. [REF 53792]
● Users can uninstall an application even when uninstallation is disabled in a Samsung SAFE Application configuration policy if the same application is set as optional in an Android Enterprise Application policy.
  If you create a Samsung policy for an application with installation and uninstallation settings, do not create a separate Android Enterprise Application policy for the application. [REF 53908]
● If a user deactivates the Afaria Samsung MMEP application from the Device administrators page of a Samsung device, they can bypass policies and restrictions previously applied to the device.
  Workaround: Create and deploy a Device Manager policy (Android Configuration > Samsung SAFE > Device Manager Policy) with Allow Afaria Device Admin Deactivation set to "No". [REF 53909]
● If inventory is deleted for an Android device from the Devices page of the Afaria Administration console, the device does not receive policies during the next session and the user receives a message that "Certificate failed authentication. Try reset credentials, enroll again or contact your administrator".
  Workaround: Reset credentials or re-enroll the device. [REF 53910]
● Android 4.2 and later devices will not connect successfully over SSL if the certificate has been signed with an MD5 signature. This is a security restriction of Android 4.2+ devices. [REF 53914]
● The Samsung Email Account configuration policy creates a duplicate email account on Android KitKat devices on subsequent sessions. This occurs if the incoming and outgoing user names are not in the format <username>@<domain>. KitKat devices require this format. [REF 54457]
● Unable to create an Exchange account on a Samsung S3/ICS device using a Samsung Exchange account policy if a prior attempt to create the account failed because of invalid settings.
  Workaround: Remove the Email address value from the EAS account in the policy and reapply it to the device; then re-add the Email address value and reapply the policy to the device. [REF 54556]
● Intermittent issues when installing applications from Google Play Store. Problems may include Google Play Store or the device crashing. This is an issue with Google Play Store. [REF 54589]
● If you delete the INV log on an Android device with GCM server enabled, the GCM Registration ID is deleted as well. When you reconnect and send an outbound request, the request fails and an error message is written to the server log.
  Workaround: Re-enroll the device to populate the GCM registration ID. [REF 54617]
● Re-enrolling Android devices issues new SSO certificates consistently, but EAS certificates only intermittently. Re-enrolling does not issue new NitroDesk, Wi-Fi, or SCEP certificates. Clearing data issues all new certificates, but EAS certificates only intermittently. [REF 54618]
● The Android device commands Administrator Lock and Unlock should be used with extreme caution. These actions have exhibited different behaviors dependent on the OS version, device type, and carrier. The system settings application crashes when sending an unlock command to a Samsung Galaxy Note 3 with KitKat on the Verizon network. Similar unpredictable negative behaviors may manifest on other devices. [REF 54621]
● NitroDesk is not successfully wiped when the Remote Wipe command is sent to a device following a failed reconfiguration of NitroDesk. [REF 54644]
● On Samsung devices, it is possible that the Afaria MMEP file will be sent to the device multiple times. [REF 54662]
● The Afaria Samsung AES2 Client available from the Google Play store is not supported on Android KitKat devices. [REF 54672]
● A certificate on an Android device may not renew during the certificate renewal window. This can occur if multiple Android devices with certificates connect simultaneously for renewals. The certificate should renew during the next renewal window. [REF 54675]
● During enrollment of a Samsung SAFE device with an installed AES2 client, the client switches to the base/MMEP application but does not present an activation screen for the Afaria client.
  Workaround: Enable device admin on the Afaria client or re-enroll the device. [REF 54684]
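The Android 4.2+ restriction on MD5-signed certificates listed above [REF 53914] can be checked for before devices fail to connect. The following is an added example, not part of these release notes or of the SAP product: a standard-library Python reader that extracts the outer signatureAlgorithm OID from a DER or PEM certificate and flags md5WithRSAEncryption. The function names are assumptions, and the sample inputs are constructed certificate-shaped structures, not real certificates.

```python
"""Flag X.509 certificates whose signature uses MD5 (added example)."""
import base64
import re

# PKCS #1 signature-algorithm OIDs; only the MD5 entry is treated as a finding.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_OID = "1.2.840.113549.1.1.4"


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes are the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:                    # more base-128 digits follow
            continue
        if not arcs:                       # first sub-identifier packs two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def to_der(data):
    """Accept a PEM or raw DER certificate and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def signature_algorithm(cert):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    der = to_der(cert)
    t1, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    t2, _, tbs_end = read_tlv(der, start)           # tbsCertificate, skipped whole
    t3, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm
    t4, oid_start, oid_end = read_tlv(der, alg_start)
    if (t1, t2, t3, t4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("input is not shaped like an X.509 Certificate")
    return decode_oid(der[oid_start:oid_end])


def audit(certs):
    """Map {name: cert_bytes} to [(name, algorithm, signed_with_md5)]."""
    out = []
    for name, blob in certs.items():
        oid = signature_algorithm(blob)
        out.append((name, SIG_ALGS.get(oid, oid), oid == MD5_OID))
    return out


# --- Constructed sample input: certificate-shaped DER, not real certificates ---
def der_element(tag, body):
    raw = len(body).to_bytes(2, "big").lstrip(b"\x00")
    hdr = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + hdr + body


def sample_cert(oid_hex):
    alg = der_element(0x30, der_element(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    # Stand-in tbsCertificate: serial, algorithm, 200 filler bytes (long-form length).
    tbs = der_element(0x30, b"\x02\x01\x01" + alg + der_element(0x04, bytes(200)))
    return der_element(0x30, tbs + alg + der_element(0x03, bytes(17)))


PEM = (b"-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
       % base64.encodebytes(sample_cert("2a864886f70d01010b")))
SAMPLES = {"legacy-server": sample_cert("2a864886f70d010104"),    # DER, MD5
           "current-server": PEM}                                   # PEM, SHA-256

if __name__ == "__main__":
    for name, alg, md5 in audit(SAMPLES):
        print(f"{name}: {alg}{'  <-- signed with MD5' if md5 else ''}")
```

The check reads only the certificate's own signature algorithm; run it against each certificate the server presents to devices.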
5.1.2.2 iOS Devices
The known issues related to iOS devices are described below.
● The following known issues are raised with Apple:
  ○ Spotlight internet search restriction not disabling.
  ○ Unable to mirror the content to Apple TV with AirPlay restrictions policy.
  ○ iOS8: Managed Email domains not highlighting the mails from unmanaged accounts.
● After deleting the Enterprise SSO payload from the device, the Ticket Granting Ticket (TGT) is not removed from the device and single sign-on continues to work. [REF 50424]
  Workaround: Clear the cache on the device to remove the TGT and prevent single sign-on from working.
● Due to issues in the NitroDesk TouchDown application (V3.1.0 available in App Store), the iOS NitroDesk Calendar settings 'Work Day Start' and 'Work Day End' are not configured correctly, when the TouchDown application is configured through the Afaria 7 SP4 application. This issue has to be addressed by NitroDesk. [REF 51381]
● If a VPP-registered user enrolls an iOS 7 device and provides an invalid ID or password for the Web Clip prompt in the first attempt, a second attempt does not connect to the App Store correctly. This is an intermittent issue. [REF 51442]
● If you enroll an iOS device using an enrollment policy associated with a group that has VPP app policies linked, and if no service token (sToken) has been uploaded in the Server > Configuration > iOS Volume Purchase page, the enrollment of the device fails.
  If you link an iOS VPP policy (without sToken) to a group, then after the enrollment of a device in the group, other application policies are not pushed to the device. [REF 51742]
● In the Afaria Administration console, if you try to delete an iOS 7 device that has VPP app policies attached, the device record will not get deleted. This issue occurs if the Afaria Server and the Afaria API services are installed on two physically separate machines. [REF 51741]
● NitroDesk policies are not applied to an iOS device if the enrollment policy is only linked to the All Devices group.
  Workaround: Link the enrollment policy to another static, dynamic, or user group. [REF 51719]
● The On Demand VPN Safari Domain tag is not set correctly on iOS 7 devices. [REF Apple Bug 15085646]
● After re-installation, the Afaria client experiences errors when deleting key chain data on iOS 7 devices. This happens when users launch the application for the first time after re-installation. The error is visible in the iPhone Configurations Utility and not visible to the user. [REF Apple Bug 15167203]
● Deleting the Config Payload on devices does not always remove icons for MDM Application Policies set as Remove with MDM Control until the devices are restarted. [REF Apple Bug 14739116]
● iOS 7 devices may not generate identity certificates during enrollment or re-enrollment with enrollment policies with the Use Identity/X.509 Certificate option selected. An error obtaining the public key causes this issue.
● The Volume Purchasing Program (VPP) does not associate B2B licensing to applications and devices cannot install the B2B applications. [REF Apple Bug 15309518]
● The deployment of MDM-required Enterprise Application Policies might fail when devices initially enroll with Afaria. The MDM-required Enterprise Application Policies deploy successfully when policies are next applied to devices.
● The device ID prefix is stored in the SAP Afaria database and used by SAP Afaria, but the ID prefix is not retrieved from the database when the device is edited. [REF 54458]
● iOS payload encryption fails to report status on iOS 7.0 and 7.1 devices. [REF Apple bug 16470948]
● If the Install prompt for the MDM application policy push is displayed when the device auto-locks, unlocking the device dismisses the Install prompt and prevents the installation of the application. [REF Apple bug 16657452]
● iOS client enrollments using an MDM enrollment URL receive a ‘ClientDAL.RunQuery: Cannot convert to a uniqueidentifier’ error. [REF CSS 0120061532/0001496697/2014]
● Enrolling iOS 7 devices does not populate the purpose value for SSO/identity issued certificates. [REF 54102]
● The ICCID system variable for iOS devices is not populated, so it cannot be resolved in policies. [REF 52385]
● Expired MDM identity certificates for iOS devices do not renew automatically because devices cannot connect to SAP Afaria for MDM connections. MDM identity certificates for iOS devices must be renewed before expiry. [REF 54627]
  Workaround: Re-enroll devices if the certificates expire.
Apple Device Enrollment Program
● The Apply Configuration and Skip Configuration options do not appear on the Apple Device Enrollment Program configuration screen. [REF Apple bug 16404559]
  Workaround: Click Back and then return to the screen to make the options appear.
● The Apple Device Enrollment Program does not support the use of user prompts (configured on the variable tab) in enrollment policies. If an enrollment policy includes user prompts, the user prompts are ignored. [REF 53062]
● The Apple Device Enrollment Program requires HTTPS for the entire communication process regardless of the Enrollment Server configuration. If the Enrollment Server will be configured for HTTP connections, then you need to specify the HTTPS port during installation of the Enrollment Server. [REF 53062]
● iOS payload encryption is not supported for the Apple Device Enrollment Program on iOS 7.1 devices. [REF Apple bug 16404749]
● The Apple Device Enrollment Program uses the same deferred delivery process for MDM required application policies as it uses for configuration policies with supervised payloads. This is to work around the Apple bug that executes the Apple Device Enrollment Program during setup but does not manage the prompting for installation of MDM required application policies for the remainder of the setup. This prevents the prompts from appearing. [REF Apple bug 16430116]
● Apple does not display an invalid credentials message/screen to users when credentials fail authentication during Apple Device Enrollment. [REF Apple bug 16522434]
● The Apple Device Enrollment profile setting for the Skip Location Services setup panel does not work when using the cellular network on the device for setup. [REF Apple bug 16558155]
● Changing the Enrollment Server configuration (Server > Configuration > Component > Enrollment Server) changes the URL that devices must use for enrollment. For an SAP Afaria system using the Apple Device Enrollment Program, the Apple Profile must be updated to include the updated URL in the Apple Device Enrollment Profile pane (Server > Configuration > Enrollment > Apple Device Enrollment). To update the profile, update an item in the Apple Device Enrollment pane (other than the iOS Enrollment Policy list) and click Save to generate a new Apple Profile with the updated Enrollment Server URL. [REF 53062]
● The apply configuration functionality of the Apple Device Enrollment Program on devices intermittently returns the error message: "The configuration for your iPhone could not be downloaded from <CompanyName>. The request timed out." The issue seems to be related to connectivity or performance issues with the Apple Cloud server from which the device retrieves the Apple Device Enrollment Profile. This issue occurs approximately 5 times per 50 enrollments. [REF Apple bug 16657457]
  Workaround: Go back a screen and select Apply Configuration again a few seconds later.
● Choosing Skip the Configuration during activation of a device that is associated with an Apple Device Enrollment Program account applies the Supervised setting of the DEP payload. [REF Apple bug 17826636]
  Workaround: Disassociate the device from the DEP profile and perform a hard reset.
5.1.2.3 Windows Phone Devices
The known issues related to Windows Phone devices are described below.
● With native Certificate retrieval mechanism, Afaria is unable to retrieve the root certificate of the CA through Certificate acquisition.
  Workaround: The root certificate of the CA must be installed on the device (only for self-signed CA). [REF 54264]
● Authentication for Windows Phone devices works only with samaccount name and UPN format settings. It does not work with any other formats including Common name. [REF 53888]
● LDAP-based authentication for Windows Phone devices is supported using UPN (User Principal Name) format (user@domain) only, samaccountname format (domain\user) is not supported for enrolling the devices. [REF 52268]
5.1.3 Mobile Application Management
This section contains the known issues pertaining to Mobile Application Management (MAM) module in SAP Mobile Secure admin portal.
● Application workflow will not work if you are using Firefox browser. [REF SMS-7252]
  Workaround/Action: Use Microsoft Internet Explorer or Google Chrome browser.
● AES versions are not getting updated for Samsung Non-Safe Device. This is due to a timing issue/async on Afaria's part - between the time a device is added to the groups and the device receiving apply policy notification and initiating a connection to get and install new apps through MDM path. [REF SMS-4484]
  Workaround/Action: Refresh the Afaria client or wait until daily apply policy task executes.
● Multiple application categories are not getting deleted. Only the last application category is deleted. [REF SMS-5387]
  Workaround: None.
5.2
Mobile Place
This section describes the known issues in Mobile Place.
●
Mobile Place does not support Android native browser. [REF SMS-4849]
Workaround/Action: Use Google Chrome or Firefox browser.
●
On navigating to a category that has commercial applications and on clicking Install All, an invalid error
message is displayed. [REF SMS-5339]
Workaround: Ignore the extra message dialog that appears after the warning message.
●
Installing an application or installing all applications does not work for managed devices on an Android tablet.
This is due to a timing issue/async on MDM's part - between the time a device is added to the groups and the
device receiving apply policy notification and initiating a connection to get and install new apps through MDM
path. [REF SMS-4778]
Workaround/Action: Refresh the Afaria client or wait until daily apply policy task executes.
●
Videos that are available with the application do not play on a Windows Phone device. [REF SMS-4715]
Workaround: None.
●
Irrelevant popup "Open this page in App Store" appears when installing enterprise applications on iOS8
devices. [REF SMS-4342]
Workaround/Action: Ignore the popup. Click OK to continue installation of the application.
●
On a Galaxy S2 (Chrome), the app catalog page takes a very long time to load and the user is shown an error
message "Unresponsive script". [REF SMS-4221]
Workaround/Action: Refresh the browser.
●
Customized favorite icon is not applied on Chrome browser. [REF SMS-2514]
Workaround: None.
●
On viewing Mobile Place in landscape mode on a device, the search suggestion cannot be scrolled. [REF
SMS-6602]
Workaround/Action: Switch to Portrait mode.
●
The UI is distorted and completely left-aligned in the app details page (Samsung Tab, KitKat) native browser.
[REF SMS-2558]
Workaround/Action: Use a different browser.
●
With native browser on Android S3 devices, App does not change or changes slowly when trying to scroll on
the hero control. [REF SMS-2479]
Workaround/Action: Use a different supported browser on the device. This issue is specific to S3 native
browsers.
●
Due to issues with native browser on a Samsung S2 device, user experience is slow. Often user may have to
refresh the browser or try the operation repeatedly. [REF SMS-2511]
Workaround/Action: Use a different browser.
●
On a Nokia 520 device, list of categories is not displayed on clicking “Categories” menu under the hamburger
icon. [REF SMS-4708]
Workaround/Action: Clear the cache and log in to Mobile Place again.
6
SAP Mobile App Protection by Mocana,
cloud edition Release Notes
6.1
What’s New
●
Atlas platform now supports iOS8 devices and apps.
●
Atlas platform seamlessly updates the application when a user changes his/her AD password. User does not
need to remember their old password. To login they simply enter their newly created password.
●
End-To-End deployment and validation of SAP Fiori leveraging Mocana Atlas Platform.
●
Atlas platform allows admins to ensure the device is under MDM management and is compliant.
●
Atlas platform now allows admins to configure up to 64 static routes, thus allowing admins to direct traffic out
of a known interface.
●
Atlas platform now allows admin to configure the max duration for any one session to be active. Once
duration is expired all session data is removed and user is asked to re-authenticate.
●
Atlas platform now allows configuration so that certificates issued by a trusted certificate authority can be
used to establish tunnel and server authentications.
●
Attachments in wrapped apps will automatically open in an approved viewer if only one viewer is available,
thus eliminating the need to ask the user to tap and select the only approved viewer.
●
Compass now allows users to manually clear all traces and stored data from their browsing sessions so that
on a shared device the next user does not have access to the previous user’s credentials and data.
●
Compass on Android now allows users to add website shortcuts to the device’s home screen for convenience.
●
Admin can now change the default application name for Compass on Android.
●
Links in applications pre-pended with maphttp or maphttps will open in Compass. Applications do not have to
be wrapped.
●
All links in wrapped applications will open in Compass. If Compass is not installed then links will open in
default browser.
●
Atlas platform now allows admin to configure federation ID manually. This provides finer control, such as not
requiring to re-wrap and re-install all applications in the federation when federation ID changes.
6.2
Fixed Issues
●
MAP wrapper can now listen for Android framework broadcast messages. This allows Nitrodesk Touchdown
services and receivers to restart. Note: This is currently only supported for headless DAR with Touchdown.
●
For iOS, push notifications can only be enabled if the provisioning profile used to sign does not have any
wildcards.
●
Clicking on the Back button in Compass on Android will take the user back to the main launcher page.
Previously, the user was taken back to a blank page.
●
Lockout Recovery policy is only applicable to non-Atlas VPN profiles. For Atlas profiles, the configured
authentication provider, such as Active Directory, enforces lockout. To recover, a user must reset their
corporate password via existing IT process. Atlas platform seamlessly updates the application upon password
change.
●
For Atlas profiles, the configured authentication provider handles incorrect login attempts. Thus for Atlas
profiles, data wipe is no longer triggered by incorrect login attempts. Future releases will address scenarios
that allow admin to trigger data wipe from Atlas.
●
Smart Firewall policies will block all non-SSL traffic, therefore if the PAC file is located at an http site, then
Compass wrapped with Smart Firewall will not be able to retrieve the PAC file.
●
Crash with secure copy paste on Samsung S5 Android 4.4.2 with passphrase policy no longer occurs.
●
Misalignment and content display issues resolved for ‘About Pages’ in Compass on iPhone and iPad.
●
Lockout recovery is no longer required for app federations. Note: For non-Atlas VPN profiles, if lockout
recovery is not selected, then there is no way to recover data if the user forgets their password.
●
Installation no longer contains old links for downloading necessary packages.
●
Locally stored data is no longer being deleted when DAR policy is selected.
●
CBC mode can leak information about plaintext in rare cases. By default this mode is turned off but can be re-enabled.
●
Closed internal IPC (LINX) and redis ports.
●
Patched nginx to resolve open vulnerabilities.
●
Turned off ICMP timestamp support.
●
For iOS, mapbrowser.plist is now added to the list of assets that are protected against tampering.
●
Compass now supports email links embedded in web pages. An external email client might be launched
depending on the enforcement of MAP Email Enforcement policy.
6.3
Known Issues
●
The default configuration for Password Recovery on Atlas is set to false. MAP wrapped applications will not
connect if Password Recovery is not enabled. Solution is to enable Password Recovery on Atlas.
●
User password change during Atlas upgrade currently requires the user to either enter the old password or
reinstall the app.
●
Compass supports proxy via a PAC file. However, proxy authentication is currently not supported.
Workaround is to disable proxy authentication temporarily in the interim while support is added in future
releases.
●
On Galaxy S3 running Android 4.1.1, force-stopping one app in a federation results in a force stop for all other
apps because older versions of Android have the same shareUserID.
●
For iOS7, the FIPS policy for certain applications is not working. FIPS policy is working for iOS8. This issue will
be resolved in a future release.
●
Currently, Android apps (APKs) that have certain specific contents cannot be wrapped with policies. APKs
that cannot be wrapped are those that use media playback (video, audio) or Google APIs (specifically Google
Maps functionality), and only when the "Encrypted Data-at-Rest" policy is being applied. No workaround currently.
●
Print option is disabled by default on Compass for both Android and iOS.
●
User is prompted for each app in a federation that is configured with Atlas PSK mode.
●
Copying and pasting inside the browser yields unexpected behavior. This will be further investigated in a future
release.
●
In iOS apps, some special-case data-at-rest (DAR) files are currently not encrypted by the Encrypted Data-at-Rest policy. This includes: (1) The screenshot of the app taken by iOS when the app is backgrounded. This
screenshot is stored within the app, not in the Photos database. (2) Certain log files (redirected "stderr" and
"stdout") written by the app and stored within the app. (3) Cache.db and certain other items created in the
Cache directory. (4) Files written by an unwrapped app prior to being over-installed by a wrapped app (see
#115 in this document for recommendation).
●
iOS apps protected by Digital Rights Management (DRM) are not wrappable due to federal law. The MAP
server prevents their upload.
●
It is important to note that the “Jailbreak/Rooting Detection” policy isn’t fool-proof. This is the nature of
jailbreak/rooting detection in general. The MAP policy detects certain known exploits, but there will be new
exploits invented in the future that it does not detect. Future releases of MAP will adapt the “Jailbreak/
Rooting Detection” policy accordingly.
Mitigation: Apply additional MAP policies in order to protect the app in a variety of ways even if the device is
jailbroken/rooted.
●
MAP does not explicitly prevent apps from using cloud services such as iCloud, which can allow users to freely
save data outside the device. Recommendation: Restrict apps that require iCloud entitlements or use cloud
storage.
●
The user must successfully authenticate to the app once before lockout recovery can be used. If the user
upgrades an app that did not have lockout recovery applied to a version that does and then immediately locks
the app, the recovery process will not be available. If the user has authenticated at least once after the
upgrade, the recovery process will be available.
●
Apps wrapped using the Smart Firewall policy, which block non-SSL connections, will only work with secure
versions of SSL (TLS 1.0/SSL 3.1 or greater).
●
In v2.5.8, there is an added feature to allow for case insensitivity when entering the username for the Per app
VPN policy. However, during rare occasions when the username must be changed, case insensitivity is not
supported. The user MUST enter the correct case of the original username entered from the initial launch of
the app in order to change the username.
●
The Per App VPN policy is unable to create a VPN tunnel against the Mocana MAP Atlas for any apps that
utilize secondary processes (multiprocess apps). This issue is targeted to be resolved in a future release.
●
MAP wrapping adds Mocana security methods needed for securing the application. However, if an app
already has 64K methods, this leaves no room to add MAP wrapper methods. This is an Android limitation.
The solution is for the app developer to reduce the number of original methods in the apk to 50K-55K range.
●
64-bit applications are not supported. Support to be added in later releases as more 64-bit devices take larger
market share.
●
Under a race condition, Mocana Atlas will send two different PINs during certificate enrollment for multiple
apps that are part of the same federation. For this to happen during certificate enrollment, the user has to
launch the first app, background it, launch the second app, re-launch the first app, complete enrollment,
launch the second app again, kill the second app and then re-launch the second app.
●
Username change is currently not fully supported. It only works if connecting via settings and not via auth
screen.
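For the 64K-method limitation listed above, the following added example (not SAP or Mocana code) reads method_ids_size from the header of each classes*.dex in an APK and flags any file above the upper end of the 50K-55K range the note recommends. The sample APK is constructed in memory; using 55,000 as the cut-off is an assumption taken from that range, since the page does not state how many methods the wrapper adds.

```python
import io
import re
import struct
import zipfile

DEX_METHOD_LIMIT = 65536   # Android's per-DEX method reference ceiling ("64K")
RECOMMENDED_MAX = 55000    # assumption: upper end of the 50K-55K range in the note
HEADER_SIZE, ENDIAN_OFF, METHOD_IDS_SIZE_OFF = 0x70, 0x28, 0x58  # DEX header layout


def dex_method_count(dex):
    """Return method_ids_size from a DEX header after basic sanity checks."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a complete DEX header")
    if struct.unpack_from("<I", dex, ENDIAN_OFF)[0] != 0x12345678:
        raise ValueError("unexpected endian tag")
    return struct.unpack_from("<I", dex, METHOD_IDS_SIZE_OFF)[0]


def audit_apk(apk_file):
    """Map each top-level classes*.dex to (methods, headroom, verdict)."""
    report = {}
    with zipfile.ZipFile(apk_file) as apk:
        for name in sorted(apk.namelist()):
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            count = dex_method_count(apk.read(name))
            verdict = "ok" if count <= RECOMMENDED_MAX else "reduce"
            report[name] = (count, DEX_METHOD_LIMIT - count, verdict)
    return report


def fake_dex(method_count):
    """Constructed sample: a bare DEX header with only the fields read above."""
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, ENDIAN_OFF, 0x12345678)
    struct.pack_into("<I", header, METHOD_IDS_SIZE_OFF, method_count)
    return bytes(header)


def sample_apk(counts):
    """Constructed sample: an in-memory APK-like zip, one DEX per count."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for i, count in enumerate(counts):
            name = "classes.dex" if i == 0 else "classes%d.dex" % (i + 1)
            apk.writestr(name, fake_dex(count))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, row in audit_apk(sample_apk([48000, 61000])).items():
        print(name, "methods=%d headroom=%d verdict=%s" % row)
```

To audit a real build, pass the path of the APK to audit_apk() before uploading it for wrapping.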
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).
www.sap.com/contactsap
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.