With the rise of mobile devices in business comes the responsibility of device management, allowing the cohabitation of personal and corporate data while still maintaining enterprise-level security. Find out how to manage mobile devices with Sybase Afaria. Learn about its architecture. Follow steps to install, configure, and apply initial security policies to this application.
Key Concept
Sybase Afaria is a mobile device management and security solution designed to provide centralized control over enterprise mobile devices of various platforms. It offers mobile device security, network access, application deployment, and other component management.
Mobility is a relevant business need for sales representatives, field workers, and many types of company personnel. Handhelds being used in the enterprise ecosystem present new challenges for IT administrators and security principals. Personal and corporate data management, as well as application and device provisioning, is a part of enterprise IT policy enforcement. Mobile devices, such as smartphones and tablets, are changing both customers’ and enterprises’ views of what can be accomplished with a mobile device. These changes encourage enterprise application vendors to speed up their development and deliver business applications for mobile platforms.
Mobile solution providers are facing various challenges. One of the top challenges is the fact that operating system and hardware markets are fragmented. In the foreseeable future there will not be a single operating system that dominates the market. Android, Blackberry, iOS, Symbian, and Windows Mobile are currently the most popular ones. As a solution for this challenge, software vendors are delivering frameworks such as Sybase Unwired Platform, PhoneGap, and many others. These platforms provide single development and deployment capabilities to multiple platforms. The same approaches apply in mobile device management (e.g., use a single platform to manage multiple devices regardless of diverse mobile operating systems).
Corporate IT departments face situations in which employees are willing to, or must, use their private mobile devices for company purposes. Nevertheless, almost every enterprise has a policy that prohibits or limits employee-owned private device access to the company’s IT resources such as network, documents, and data in enterprise systems. The following sections explain how these challenges can be overcome, and outline the basic concepts of Sybase Afaria and how to use the platform to control heterogeneous devices.
Afaria Architecture and Prerequisites
IT administrators and other people who work within the infrastructure area need to understand mobile infrastructure architecture, threats, hardware, and software solutions. Thus, management needs to support them to be able to identify and choose a suitable solution for mobile device management, keeping in mind that the solution might need to support multiple mobile hardware platforms and mobile operating systems. Certain mobile operating systems such as Android may even vary depending on a device vendor. For example, features that are available on one Android-based device are not available on the other vendor’s Android devices. These and many other challenges can be expected in the enterprise mobile market. Combining Sybase Afaria with other Sybase products is SAP’s answer to the challenges in the mobile market.
Note
Sybase is an SAP company. SAP acquired Sybase in 2010.
Afaria can be installed on one of the following server operating systems:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2003
- Windows Server 2003 R2
For management of iOS-based devices, Afaria requires a Certificate Authority server with a set of specific Certificate Authority features. All required Certificate Authority features are available only with the Enterprise edition of Windows Server 2008 and Windows Server 2008 R2. In addition to the Certificate Authority server, a specific mobile device management (MDM) certificate from Apple is required (more information can be found at https://www.apple.com/ipad/business/integration/mdm/). This certificate allows access to the Apple Push Notification Service (APNS). Furthermore, Afaria requires a database server such as Sybase SQL Anywhere, Microsoft SQL Server, or Oracle. From an architectural point of view, there are two possible Afaria scenarios: with or without a middleware server.
Figure 1 shows a high-level architecture with a middleware server. You can use Sybase Relay server, ISA, TMG, or a reverse proxy server as your middleware server. For load-balancing solutions, third-party products that support session persistence may be an option because Sybase Relay Server is not a load-balancing solution by itself.

Figure 1
Afaria architecture with middleware server
Additionally, for iOS device management an Afaria server requires an outgoing connection to APNS servers and a connection to a Simple Mail Transfer Protocol (SMTP) gateway. These connections are required for a mobile device management (MDM) package deployment to mobile devices. An SMS (Short Message Service) gateway is optional and does not function in scenarios with certain mobile devices (e.g., tablets that do not use SIM cards). The APNS delivers MDM packages even if push notifications are disabled on a mobile device. For other vendor devices, no additional vendor-specific servers are required.
Afaria Server Setup and Administration
For rapid Afaria deployment, Sybase provides a preinstalled virtual machine that it refers to as the Afaria Software Appliance. This virtual machine includes the operating system (Microsoft Windows 2008 R2 Enterprise edition), Afaria and its components, and the database platform. The installed operating system has not been activated or licensed.
Once installed, this Afaria installation supports enrollment of iOS, Android, Windows, and Java devices. Other components can be installed to support other device types if necessary. The preconfigured virtual machine has implemented stand-alone Afaria server architecture. A Microsoft Certificate Authority server is optional and may be replaced with an external Certificate Authority server of your choice. The Afaria Software Appliance is available for download from https://frontline.sybase.com for license owners.
Alternatively, installing Afaria from scratch is possible, providing more control over the installed components and allowing for a multitier architecture. After you install an Afaria server with its prerequisites (such as MDM certificates from Apple or Certificate Authority server) and hot fixes (hot fixes and installation instructions are available from https://frontline.sybase.com), the next step is to become familiar with Afaria server administrator. The Afaria administrator is a Web application for Afaria server management.
The first step in Afaria server administration is to map users to Afaria server user roles. By default Sybase ships Afaria with two server user roles: Administrators and Help Desk (Figure 2). However, you can also create new or custom user groups and assign different sets of permissions. Therefore, you can have more controlled differentiation between create, read, and modify authorization for the server settings. This flexibility allows the implementation of different scenarios. For example, you should allow a help desk user to register new devices, but restrict them from making changes to existing ones. When the initial user setup has been done, users can log on to the Afaria administrator and start server administration.

Figure 2
Afaria access policies
Afaria manages mobile devices by channels and policies. Which mechanism is applied depends on the mobile device operating system. For instance, Android and Symbian are managed by channels, but iOS devices are managed by policies.
As an example we use mobile device management mechanisms with a simple pass code implementation for iOS, Android, and Palm devices. In this example scenario you implement a pass code policy with a minimum pass code length of four characters, and the device automatically locks after five minutes. Start with iOS device policy implementation. Figure 3 shows all available policies.

Figure 3
Available iOS policies
From all available parameters you set the minimum pass code length and auto lock settings according to your defined pass code policy. In this case we use a minimum of four characters and five minutes for auto lock (Figure 4).

Figure 4
Define an iOS Passcode Policy
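As an added example (not part of the original article and not Afaria code): on iOS, passcode restrictions reach the device as a configuration profile payload of type com.apple.mobiledevice.passwordpolicy, so a profile can be audited against the four-character, five-minute baseline used here. The Python code below assumes an unsigned (plain plist) profile; the com.example identifiers and UUIDs are constructed sample values, and the function names are hypothetical.

```python
import plistlib

# Baseline from the article's scenario: at least four characters, lock after five minutes.
MIN_LENGTH = 4
MAX_INACTIVITY_MIN = 5
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple passcode payload type


def build_profile(min_length, max_inactivity):
    """Return a constructed, unsigned configuration profile with one passcode payload."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",        # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "forcePIN": True,
        "minLength": min_length,
        "maxInactivity": max_inactivity,  # minutes of idle time before auto lock
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",                 # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # constructed
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_passcode(profile_bytes):
    """Return a list of findings; an empty list means the baseline is met."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload in profile"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is not set: passcode is optional")
        if p.get("minLength", 0) < MIN_LENGTH:
            findings.append(f"minLength {p.get('minLength', 0)} < {MIN_LENGTH}")
        # Conservative choice in this example: a missing or non-positive value is reported.
        idle = p.get("maxInactivity", 0)
        if idle < 1 or idle > MAX_INACTIVITY_MIN:
            findings.append(f"maxInactivity {idle} not within 1..{MAX_INACTIVITY_MIN} min")
    return findings
```

A profile that has been signed is wrapped in a CMS envelope and must be unwrapped before plistlib can parse it.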
Now you’re ready to define the configuration channel for Android and Palm devices. Configuration channels can be set for one device type at a time. In Figure 5 the configuration channel is set for an Android client.

Figure 5
Configuration channel for an Android client
After a new channel is created you can select settings that you want to apply (Figure 6).

Figure 6
Configuration Manager Channel Editor for Android passcode channel
Creating a channel for a Palm device is similar to the process used to create a channel for an Android device (Figure 7).

Figure 7
Configuration Manager Channel Editor for Palm passcode channel
As shown in Figures 6 and 7, features vary slightly based on the device platform. Therefore, we recommend that you choose not only the handheld OS but also the hardware vendor wisely according to your enterprise needs.
iOS and Android are among the most popular mobile platforms; therefore, let’s look more closely at iOS and Android device management. For iOS and Android device configuration management, we recommend installing an Afaria client on the device. After a management policy or device configuration channel has been created on the Afaria server, the next step is to deploy this policy to the client device. In the case of an iOS device, this is done by performing an outbound notification to the iOS client and sending the configuration data. Similar principles apply to the Android platform (e.g., data that is defined in the configuration channel is sent to the Android device with the Afaria client installed on it). The client application has a connection with the Afaria server.
In various cases it might become necessary to change the security policies on a particular device or group of devices. This can be done in Afaria by running security commands, such as device lock, pass code/password reset, and device wiping. Those certainly come in handy if a device has been lost or stolen, or if an employee has been terminated. For example, client device remote wipe clears all data and sets the iOS device to factory default (Figure 8). These commands are executed without user interaction on the device.

Figure 8
iOS device security commands
Application Deployment
As mentioned earlier, there are various scenarios for enterprise application development. Applications can be HTML5 and JavaScript applications (running in a hybrid Web container) or custom-built native applications. Sybase Unwired Platform (SUP) hybrid Web container applications are deployed to mobile devices directly from the SUP server. Once the hybrid Web container (HTML and JavaScript application runtime) is installed, all other application life cycle management is performed from the SUP server. No third-party tools are needed for this job. On the other hand, the hybrid Web container (application runtime) itself needs to be deployed to the device at least once.
Applications for iOS and Android devices are delivered as Portal Packages. From the Afaria agent on the device, users can browse a list of applications and install applications on their devices. Packages can include applications that have been developed within the organization, as well as applications delivered from the Apple App Store or Android Market (Figure 9).

Figure 9
Available application deployment scenarios for iOS and Android devices
Before application packages can be delivered to iOS devices, the following prerequisites have to be fulfilled:
- The iOS device is under Afaria mobile device management control. This prerequisite means that the Afaria client application from the Apple App store should be installed on a device.
- For applications that are taken from the Apple App Store, the application number should be located and recorded.
- Enterprise applications that are going to be delivered with Afaria must use the Apple iOS Developer program procedures to compile the application. The Afaria administrator needs to be able to use a .IPA file.
Before deploying applications to an Android device, you need to complete the following procedures:
- Verify that the Afaria Agent is installed on the device.
- Locate and record the Android Market Application package name.
- For Android Enterprise Application packages create the compiled application (.APK file) and make it available for Afaria.
In order to use iOS AppStore Applications, the device user must have an iTunes account from Apple. Each iOS Enterprise application requires an associated provisioning policy on the client device in order to run. For Android Market applications, device users also must have an Android market account (this account is usually associated with the users’ Gmail accounts).
For Symbian, Palm, and Windows Mobile Professional and Standard operating systems, Afaria provides software distribution via a software manager. It can be used to distribute and install commercial or custom-built software to Afaria clients. Software is distributed by creating channels that are assigned to a client type profile and are used to publish software packages to clients. Afaria users can then subscribe to these channels to install selected software. The software manager checks for your installation criteria (e.g., OS version and other requirements) to ensure successful delivery and installation of software. This feature is available on Windows Mobile clients.
Sybase takes this step even further by enabling enterprise application developers to retrieve configuration data, such as client certificates and other resources, from the Afaria Portal Package server. This library is available for both Android and iOS developers. Sybase ships static link library files that must be added to your application’s project. This process is a standard procedure and does not require additional skills from developers. The only technical requirements to use static link library calls are:
- The Afaria client must be installed and provisioned on an Android or iOS device.
- The Afaria client must be connected to the Afaria server at least once.
- Libraries and documentation are available as part of Afaria 6.6 Feature Pack 1 Hot Fix 2011_06.
As seen above, today’s mobile device market is highly heterogeneous and has many standards across platforms that do not allow the enterprise easy combinations of different device types and operating systems. Moreover, mobility at this stage is a fast moving IT field and is changing rapidly. The challenge for IT administrators is to keep track of and manage devices efficiently in this environment.
With Sybase Afaria, the management of various devices and platforms is integrated into a single platform, supporting administrators in all areas of device management as described above, though still accommodating the fact that available features and configuration patterns are often device specific based on the variety of mobile devices. For this reason we recommend that enterprises try to homogenize the landscape as much as possible and select platforms wisely, always remaining focused on users’ unique mobility goals and requirements.
Sybase released its new Afaria 7 on February 27, 2012. This release features a browser-independent access console, faster performance, new application programming interfaces (APIs), a new and improved admin user interface (UI), among many other improvements. A complete list of the new features can be found at www.sybase.com.
Janis Bicans
Janis Bicans is a senior consultant at SIA ecenta Baltic Labs specializing in SAP Mobile Solutions. He has a total of three years experience in SAP products and nine years with Microsoft technologies as IT system administrator and developer.
You may contact the author at Janis.Bicans@ecenta.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
Sebastian Angerer
Sebastian Angerer is a consulting manager for the EMEA region at ecenta AG in Walldorf, Germany, with a total of nine years of experience in SAP products. In the role of solution architect, he has contributed to many successful SAP CRM projects worldwide, providing functional and technical consulting as well as managing the delivery of projects.
You may contact the author at Sebastian.angerer@ecenta.com.