SSO account device policy

You create single sign-on (SSO) accounts in XenMobile to let users sign on one-time only to access XenMobile and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is designed to work with a Kerberos authentication backend.

This policy applies only to iOS 7.0 and later.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

  • Account name: Enter the Kerberos SSO account name that appears on users’ devices. This field is required.
  • Kerberos principal name: Enter the Kerberos principal name. This field is required.
  • Identity credential (Keystore or PKI credential): In the list, click an optional identity credential that can be used to renew the Kerberos credential without user interaction.
  • Kerberos realm: Enter the Kerberos realm for this policy. This is typically your domain name in all capital letters (for example, EXAMPLE.COM). This field is required.
  • Permitted URLs: For each URL for which you want to require SSO, click Add and then do the following:
    • Permitted URL: Enter a URL that you want to require SSO when a user visits the URL from the iOS device.

      For example, when a user tries to browse to a site and the web site initiates a Kerberos challenge: If that site is not in the URL list, the iOS device does not attempt SSO by providing the Kerberos token that Kerberos might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL. For example, https://shopping.apple.com is valid, but https://*.apple.com is not.

      Also, if Kerberos is not activated based on host matching, the URL still falls back to a standard HTTP call. This could mean almost anything including a standard password challenge or an HTTP error if the URL is only configured for SSO using Kerberos.

    • Click Add to add the URL or click Cancel to cancel adding the URL.

  • App Identifiers: For each app that is allowed to use this login, click Add and then do the following:
    • App Identifier: Enter an app identifier for an app that is allowed to use this login. If you do not add any app identifiers, this login matches all app identifiers.
    • Click Add to add the app identifier or click Cancel to cancel adding the app identifier.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.
SSO account device policy