Credentials Device Policies

Jun 23, 2015

You can create credentials device policies in XenMobile to enable integrated authentication with your PKI configuration in XenMobile, such as a PKI entity, a keystore, a credential provider, or a server certificate. For more information about credentials, see Certificates in XenMobile.

You can create credential policies for iOS, Android, Android for Work, and Windows 8.1 Tablet devices. Each platform requires a different set of values, which are described in this article.

You need the following information before you can create this policy:
  • The credential information you plan to use for each platform, plus any certificates and passwords.
  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

    Figure: Device Policies page

  2. Click Add to add a new policy. The Add New Policy dialog box appears.
  3. Click More and then, under Security, click Credentials. The Credentials Policy information page appears.
  4. In the Policy Information pane, type the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Type an optional description of the policy.
  5. Click Next. The Policy Platforms page appears.
    Note: When the Policy Platforms page appears, all platforms are selected and you see the iOS platform configuration panel first.
  6. Under Platforms, select the platforms you want to add.
    • If you selected iOS, configure the following settings:

      Credential type: In the list, click the type of credential to use with this policy.

      Enter the following information for the selected credential:
      • Certificate
        • Credential name: Enter a unique name for the credential.
        • The credential file path: Select the credential file by clicking Browse and navigating to the file's location.
      • Keystore
        • Credential name: Enter a unique name for the credential.
        • The credential file path: Select the credential file by clicking Browse and navigating to the file's location.
        • Password: Enter the keystore password for the credential.
      • Server certificate
        • Server certificate: In the list, click the certificate to use.
      • Credential provider
        • Credential provider: In the list, click the name of the credential provider.

      Policy Settings

      Figure: Policy removal settings

      1. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).
      2. If you click Select date, click the calendar to select the specific date for removal.
      3. In the Allow user to remove policy list, click Always, Password required, or Never.
      4. If you click Password required, next to Removal password, type the necessary password.
    • If you selected Android, configure the following settings:

      Credential type: In the list, click the type of credential to use with this policy.

      Enter the following information for the selected credential:

      • Certificate
        • Credential name: Type a unique name for the credential.
        • The credential file path: Select the credential file by clicking Browse and then navigating to the file's location.
      • Keystore
        • Credential name: Type a unique name for the credential.
        • The credential file path: Select the credential file by clicking Browse and then navigating to the file's location.
        • Password: Type the keystore password for the credential.
      • Server certificate
        • Server certificate: In the list, click the certificate to use.
      • Credential provider
        • Credential provider: In the list, click the name of the credential provider.
    • If you selected Windows 8.1 Tablet, configure the following settings:

      Store device: In the list, click root, My, or CA for the location of the certificate store for the credential. My stores the certificate in users' certificate stores.

      Credential type: Certificate is the only credential type for Windows 8.1 tablets.

      The credential file path: Select the credential file by clicking Browse and then navigating to the file's location.

  7. Expand Deployment Rules and then configure the following settings. The Base tab appears by default.

    Figure: Deployment rules

    1. In the lists, click options to determine when the policy should be deployed.
      1. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
      2. Click New Rule to define the conditions.
      3. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
      4. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    2. Click the Advanced tab to combine the rules with Boolean options.

      Figure: Advanced deployment rules with base rules

      The conditions you chose on the Base tab appear.
    3. You can use more advanced Boolean logic to combine, edit, or add rules.
      1. Click AND, OR, or NOT.
      2. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.

        At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

      3. Click New Rule again if you want to add more conditions.

        In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

        Figure: Advanced deployment rules complete

  8. Click Next. The Credentials Policy assignment page appears.
  9. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.
  10. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

    Figure: Deployment schedule

  11. Click Save to save the policy.
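
The deployment rule built in step 7 decides which devices receive the credential, so it is worth previewing its scope against an inventory export before saving. The following is an added example, not Citrix code or XenMobile's own rule engine: it models the rule from the example in step 7 (with the country condition read as NOT Andorra) and evaluates it offline. The property names, the Corporate ownership value, the device records and the fail-closed handling of unreported properties are all assumptions made for illustration.

```python
# Added example: offline model of the step 7 deployment rule (not XenMobile code).
# Property names and device records are constructed for illustration.

class MissingProperty(Exception):
    """Raised when a device does not report a property the rule refers to."""

def prop(name, expected):          # leaf condition: property equals value
    return ("PROP", name, expected)
def AND(*terms): return ("AND", terms)   # Base tab "All" is the same as AND
def OR(*terms):  return ("OR", terms)    # Base tab "Any" is the same as OR
def NOT(term):   return ("NOT", (term,))

def evaluate(rule, device):
    if rule[0] == "PROP":
        _, name, expected = rule
        if name not in device:
            # Fail closed: an unreported property must not satisfy NOT(...)
            raise MissingProperty(name)
        return device[name] == expected
    # Evaluate every term (no short-circuit) so missing data is always surfaced
    results = [evaluate(term, device) for term in rule[1]]
    if rule[0] == "AND":
        return all(results)
    if rule[0] == "OR":
        return any(results)
    return not results[0]

def preview(rule, devices):
    """Return (serials that would get the credential, serials needing review)."""
    receive, review = [], []
    for device in devices:
        try:
            if evaluate(rule, device):
                receive.append(device["serial"])
        except MissingProperty:
            review.append(device["serial"])
    return receive, review

# The rule from the example in step 7: BYOD, encrypted, country is not Andorra
RULE = AND(prop("ownership", "BYOD"), prop("local_encryption", True),
           NOT(prop("mobile_country", "Andorra")))

DEVICES = [  # constructed inventory
    {"serial": "A1", "ownership": "BYOD", "local_encryption": True, "mobile_country": "Spain"},
    {"serial": "B2", "ownership": "BYOD", "local_encryption": True, "mobile_country": "Andorra"},
    {"serial": "C3", "ownership": "Corporate", "local_encryption": True, "mobile_country": "Spain"},
    {"serial": "D4", "ownership": "BYOD", "local_encryption": False, "mobile_country": "France"},
    {"serial": "E5", "ownership": "BYOD", "local_encryption": True},  # country not reported
]

if __name__ == "__main__":
    print(preview(RULE, DEVICES))
```

Device E5 shows why the model fails closed: a plain NOT over an unreported country would evaluate to true and put the credential on a device whose location is unknown.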