Product Documentation

To add a single sign-on account device policy for iOS

Mar 03, 2015

You create single sign-on (SSO) accounts in XenMobile to let users sign on one-time only to access XenMobile and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is designed to work with a Kerberos authentication backend.

Note: This policy applies only to iOS 7.0 and later.
  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.


    Select Policies page

  2. Click Add to add a new policy. The Add a New Policy dialog box appears.


    Select SSO accounts

  3. Click More and then, under End user, click SSO Account. The SSO Account Policy page appears.


    SSO account device policy information page

  4. In the SSO Account Policy information pane, enter the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Optionally, type a description of the policy.
  5. Click Next. The iOS Platform information page appears.


    iOS SSO account policy information page

  6. In the iOS Platform information page, enter the following information:
    1. Account name: Enter the Kerberos SSO account name that appears on users' devices. This field is required.
    2. Kerberos principal name: Enter the Kerberos principal name. This field is required.
    3. Identity credential (Keystore or PKI credential): In the list, click an optional identity credential that can be used to renew the Kerberos credential without user interaction.
    4. Kerberos realm: Enter the Kerberos realm for this policy. This is typically your domain name in all capital letters (for example, EXAMPLE.COM). This field is required.
    5. Permitted URLs: Click Add and then do the following:
      1. Permitted URL: Enter a URL that you want to require SSO when a user visits the URL from the iOS device.

        For example, when a user tries to browse to a site and the website initiates a Kerberos challenge, if that site is not in the URL list, the iOS device does not attempt SSO by providing the Kerberos token that Kerberos might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL; for example, http://shopping.apple.com is valid, but http://*.apple.com is not. Also, if Kerberos is not activated based on host matching, the URL still falls back to a standard HTTP call. This could mean almost anything including a standard password challenge or an HTTP error if the URL is only configured for SSO using Kerberos.

      2. Click Add to add the URL or click Cancel to cancel adding the URL.
      3. Repeat step i. and ii. for each URL you want to add.
    6. App Identifiers: Click Add and then do the following:
      1. App Identifier: Enter an app identifier for an app that is allowed to use this login.
        Note: If you do not add any app identifiers, this login matches all app identifiers.
      2. Click Add to add the app identifier or click Cancel to cancel adding the app identifier.
      3. Repeat step i. and ii. for each app identifier you want to add.
      Note: To delete an existing URL or app identifier, hover over the line containing the listing and then click the trash can icon on the right-hand side. A confirmation dialog box appears. Click Delete to delete the listing or Cancel to keep the listing.

      To edit an existing URL or app identifier, hover over the line containing the listing and click the pen icon on the right-hand side. Make any changes to the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

  7. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).
  8. If you click Select date, click the calendar to select the specific date for removal.
  9. In the Allow user to remove policy list, click Always, Password required, or Never.
  10. If you click Password required, next to Removal password, type the necessary password.


    Policy removal settings

  11. Expand Deployment Rules and then configure the following settings: The Base tab appears by default.


    Deployment rules

    1. In the lists, click options to determine when the policy should be deployed.
      1. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
      2. Click New Rule to define the conditions.
      3. In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
      4. Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    2. Click the Advanced tab to combine the rules with Boolean options.


      Advanced deployment rules with base rules

      The conditions you chose on the Base tab appear.
    3. You can use more advanced Boolean logic to combine, edit, or add rules.
      1. Click AND, OR, or NOT.
      2. In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.

        At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.

      3. Click New Rule again if you want to add more conditions.

        In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be only Andorra.

        Advanced deployment rules complete

  12. Click Next. The SSO Account Policy assignment page appears.
  13. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.


    Policy assignment page

  14. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always on connection, which does not apply to iOS.


    Deployment schedule

  15. Click Save to save the policy.