General Administration and Policy Enforcement within MSAC

Overview

Purpose

In this tutorial, you learn how to perform general administration and policy enforcement within Mobile Security Access Console. You will
focus on creating a single custom policy and use this to explain various policy properties in Oracle Mobile Security Suite.

Time to Complete

Approximately 2 1/2 hours

Introduction

Oracle Mobile Security Suite (OMSS) enhances employee productivity by allowing secure access to corporate applications and
data from mobile devices while preserving a rich user experience. The Mobile Security Container creates an enterprise workspace
on any mobile device, corporate owned or personal, and for all mobile platforms.

Employees get seamless access to intranet resources, corporate data and mobile apps with enterprise-grade security and deep
integration with Oracle Access Manager and Microsoft Active Directory authentication for true Single Sign-On.

Overview of Defining Policies

Policies enable Mobile Security Administrative Console (MSAC) users and administrators to implement group-based
access and manage vApp availability. In the real world, the best practice for defining policies is as follows:

  • Create groups in LDAP to represent the various user populations, for example a full-time employees group and a part-time employees group.

  • Assign users to each of these groups. In some cases, a user could be a member of multiple groups.

  • There are certain OMSS-specific groups (as discussed in the install OBE) that must be present in LDAP
    (such as the control group, system admin, company admin and helpdesk groups).

  • All users whose mobile devices need to be managed must be members of the control group. All employees
    who are responsible for logging in to MSAC to resolve helpdesk tickets must be members of the helpdesk group. All users
    who are administrators of OMSS for a particular company must be members of the company admin group. All users
    who act as ISPs for various companies, i.e. who are responsible for managing deployments for different companies,
    must be members of the system admin group.

  • By default, in OMSS there is a default group which is assigned a default policy. You should not directly update the default
    policy. Create new policies in MSAC and assign the policies to LDAP groups.

    For example, you create two policies: MyCompany_FullTimeEmp and MyCompany_PartTimeEmp. The groups assigned
    to MyCompany_FullTimeEmp policy will be the control group and Full Time employees group. Similarly, groups assigned
    to MyCompany_PartTimeEmp policy will be the control group and Part Time employees group.

Hardware and Software Requirements

The following is a list of software and hardware requirements:

  • Windows 2008 R2 SP1 server
  • Linux machine OL6
  • Oracle Database 11g version 11.2.0.3
  • Oracle Mobile Security Suite 3.0.1.0.0
  • Active Directory Windows 2008 (Optional)
  • Microsoft Exchange Server 2010 (Optional)
  • Mobile device such as an iPhone or an iPad

For this OBE, you use Active Directory for storing user information. Any other LDAP data store (such as OUD)
can be used instead to store user information. Microsoft Exchange Server is required only for sending
emails and is optional.

Prerequisites

Before starting this tutorial, you should complete the following OBE

Setup tasks for Administration and Policy Enforcement

A new user will be provisioned in Active Directory. This user will be added to a group and will be used for policy enforcement tasks.

Create a new AD user and assign privileges

Create a new user Vishal Parashar in Active Directory. Add this user to the mobileuser and mobileadmin groups.

  1. Navigate to the AD machine (windowserver1.idc.oracle.com). From Start > Administrative tools >
    Active Directory Users and Computers, right-click the Users node and create a new user.

    crt_usr_1
  2. Specify the user details as shown below.

    crt_usr_2
  3. Specify the required password.

    crt_usr_3

    Click Finish.

    crt_usr_4
  4. Double-click the user Vishal Parashar. Click General and enter the E-mail address. Click Member Of
    and add the mobileuser and mobileadmin groups to the user.

    crt_usr_5
  5. Click OK.

    crt_usr_6

Configure Exchange server setup for new user

The user Vishal Parashar is now a member of the mobileuser and mobileadmin groups, therefore VishalP@idc.oracle.com
should be able to log in to the mobile device and access the mobile device/applications that are managed by OMSS.

  1. Make sure the user Vishal Parashar has a mailbox set up on the Exchange server (so that he can receive the email invite
    from OMSS to download the secure workspace container).

  2. Open the Exchange Management Console on the Windows machine (this assumes that you have a Microsoft Exchange
    Server setup pre-configured).

  3. Create a new mail box as shown below.

    new_email_1

    Select User Mailbox.

    new_email_2

    Select Existing users. Select the user Vishal Parashar.

    new_email_3

    Provide details for the Mailbox Settings.

    new_email_4

    Verify Summary and Click New.

    new_email_5

    The wizard completes successfully. Click Finish.

    new_email_6

    Verify that the user is added in the mailbox.

    new_email_6
  4. Navigate to the mobile device (iPad/iPhone) for the user (Vishal Parashar).

    Create a new mail account for Vishal Parashar as shown below:

  5. On the iPhone, navigate to Settings > Mail, Contacts, Calendars > Add Account > Other >
    Add Mail Account. Specify the following values.

    ph_email_1
  6. Click Next. Specify the following values. Click Done.

    ph_email_2

    Note: windowserver1.idc.oracle.com is the machine where Exchange Server is configured.

Validate user creation and mail box setup

You will validate the setup tasks done in the previous sections.

  1. On the Linux machine (idgovserver1.idc.oracle.com), where OMSS is installed, log in to MSAC as
    admin@idc.oracle.com. Click Settings > LDAP Settings.

    val_msac_1
  2. Click Incremental sync. This will pull in the newly created user within MSAC. From MSAC, you will be able to
    manage the user, using policies for mobile device access.

    val_msac_2
  3. Click Users. You should be able to view the user Vishal Parashar. Any newly created user who gets pulled into
    MSAC is added automatically to the Default group.

    val_msac_3
  4. Click Invite. Click Send to send the email invite to download the secure workspace container.

    val_msac_4
  5. Go to the user's (Vishal Parashar's) mobile device and check the email client to see if you receive the email.

    val_msac_5
  6. Download and install the SSL certificate (for the MSAS host), followed by the secure workspace container.

    Note: See previous OBE, Installing a Secured Workspace Container on an iOS device using an email process on how
    to perform this step.

    val_msac_6
  7. Click MyCompany on the user's mobile device to login to the secure workspace container. Enter the
    required credentials.

    val_msac_7
    val_msac_8

Default settings in MSAC

  1. Navigate back to MSAC and click Container. Observe that a secure workspace container record is generated
    when the user Vishal Parashar logs in to the workspace from his mobile device.

    val_msac_9
  2. Click the container row and click Details, Activity and Policy.

    val_msac_10

    Details shows information about the groups that the user is a member of, the unique container id,
    the policy assigned to this container, etc. The Default policy is assigned by default. Device details show where
    the container is running, such as iOS 8.1 and iPhone 7,1.

    The bmax URL https://idgovserver1.idc.oracle.com/bmax/bmconfig_kinit_kinit.json is the configuration URL
    for the container. The final evc version is the container version.

  3. Activity shows the activity log of events such as container creation, registration, container lock, wipe operation,
    successful login/logout, etc. for that container. Policy shows the aggregate of all the specific policies for this container. If
    multiple policies apply to the container, you will get the aggregate, that is, the net result of all the policies for that container.

    val_msac_11
    val_msac_12
  4. Observe the dashboard metrics:

    Click Dashboard and observe that you can filter the metrics by Groups, Devices and Date Range. Observe
    the active and new containers, any policy violations, active logins, and the top 5 users, apps and devices.

    db_metr_1

You have now completed the setup tasks required for Policy Enforcement and General Administration within MSAC.

Policy Enforcement within Mobile Security Access Console

In OMSS, you can define different access policies in order to control the access of mobile device users.

You will now work through the different access control policies.

Creating a new Policy in MSAC

You will create a custom policy rather than using the default policy.

  1. Log in to MSAC. Select Policies > Add Policy. Enter the name MyCompanyPolicy and select the group mobileusers
    to which this policy applies (the users vishalp@idc.oracle.com and sanjays@idc.oracle.com are members of the
    mobileusers group). Click Save. By default, the new policy inherits the property values from the default policy.

    crt_pol_1
    crt_pol_2

Authentication Properties for Policy

  1. Click MyCompanyPolicy. The PIN properties under Authentication pertain to certificate-based authentication (when
    using Kerberos with PKINIT) and hence do not apply to this OBE.

    The Authentication only property in Authentication enables hiding the contents of the container from the user
    when the container is used purely as an authentication client and not for any app UI. Select enabled. Click Save.

    crt_pol_3
  2. Test Authentication-only property:

    Navigate to the mobile device and launch the secure workspace container. Log in as vishalp@idc.oracle.com and observe
    the message displayed. You cannot directly log in to the secure workspace container, as it is purely for authentication and
    not for an application user interface.

    crt_pol_4

    Click the MobileBI app on the same screen as the secure workspace container icon, and observe that it redirects you to
    the secure workspace container. Since you are already authenticated, it redirects you back to the MobileBI app without
    challenging you again for credentials. In this use case the secure workspace is used purely for authentication.

  3. Authentication Frequency:

    Login to MSAC as admin@idc.oracle.com. Reset the authentication only property to disabled for MyCompanyPolicy.
    Observe the authentication frequency is by default set to Session. Authentication Frequency specifies how often
    users are forced to login.

    • A setting of Always makes mobile users authenticate every time they try to access the mobile security container
      on their device.
    • Idle Timeout enforces authentication each time the Idle Timeout Period has been reached. The Timeout Period is the
      duration (in minutes) a container is allowed to remain inactive before prompting with the login screen. It has a
      maximum value of two hours. This period continues to apply while the user is outside the container.
    • Session allows users to exit the mobile security container to use other apps and does not require them to log in upon return
      until the session ends. A session expires when the Oracle token expires (configurable, with a default of 10 hours), when the device
      closes the app due to low memory, or when the user manually closes the app (double-click the home button and swipe the app up).

    Change authentication frequency to Always. Click Save.

    crt_pol_5
  4. Test Authentication Frequency property:

    Navigate back to the mobile device. Close the previously opened MobileBI secure workspace app, if open (double-click
    home button and swipe the app up). Click the secure workspace container and login as vishalp@idc.oracle.com. Once
    logged in, Click Home and then re-launch the secure workspace container.

    Observe that, since you set the Authentication Frequency to Always, it prompts you to log in again. Every time you
    leave the secure workspace container for another app or for the home page and then come back into the
    secure workspace container, you have to re-authenticate.
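The three Authentication Frequency settings described in step 3 amount to a small decision rule about when the login screen is shown. The following Python model is an added example written for this tutorial; it is not part of Oracle Mobile Security Suite or of the OBE. The class and method names, the event model (login, activity, leaving and returning, app closed) and the 15-minute idle timeout are assumptions chosen to illustrate the rules stated above; the two-hour idle maximum and the 10-hour default token lifetime are the values the tutorial gives.

```python
"""Decision model for the Authentication Frequency policy property.

Added example for this tutorial, not code from Oracle Mobile Security Suite.
Class, method and event names are assumptions; the two-hour idle maximum and
the 10-hour default token lifetime are the values the tutorial states.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_IDLE_TIMEOUT = timedelta(hours=2)          # tutorial: Idle Timeout Period maximum
DEFAULT_TOKEN_LIFETIME = timedelta(hours=10)   # tutorial: default token expiry for Session
FREQUENCIES = ("Always", "Idle Timeout", "Session")


@dataclass
class ContainerSession:
    """State the container needs to decide whether to show the login screen."""
    frequency: str
    idle_timeout: timedelta = timedelta(minutes=15)   # assumed policy value
    token_lifetime: timedelta = DEFAULT_TOKEN_LIFETIME
    authenticated_at: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    app_closed: bool = False

    def __post_init__(self):
        if self.frequency not in FREQUENCIES:
            raise ValueError(f"unknown Authentication Frequency: {self.frequency!r}")
        if self.idle_timeout > MAX_IDLE_TIMEOUT:
            raise ValueError("Idle Timeout Period cannot exceed two hours")

    def login(self, now: datetime) -> None:
        self.authenticated_at = now
        self.last_activity = now
        self.app_closed = False

    def activity(self, now: datetime) -> None:
        """User interacts with the container; resets the idle clock."""
        self.last_activity = now

    def close_app(self) -> None:
        """User swipes the app away, or iOS evicts it under memory pressure."""
        self.app_closed = True

    def needs_reauth(self, now: datetime) -> bool:
        """Called when the user comes (back) to the container at time `now`."""
        if self.authenticated_at is None or self.app_closed:
            return True                       # never logged in, or the app was closed
        if self.frequency == "Always":
            return True                       # every return prompts again
        if self.frequency == "Idle Timeout":
            # the idle clock keeps running while the user is outside the container
            return now - self.last_activity >= self.idle_timeout
        # "Session": stay logged in until the token expires
        return now - self.authenticated_at >= self.token_lifetime


def demo_scenarios() -> dict:
    """Walk one container through each setting; timestamps are constructed."""
    t0 = datetime(2015, 1, 5, 9, 0)
    out = {}

    s = ContainerSession("Always")
    s.login(t0)
    out["always_return_after_1_min"] = s.needs_reauth(t0 + timedelta(minutes=1))

    s = ContainerSession("Idle Timeout", idle_timeout=timedelta(minutes=15))
    s.login(t0)
    s.activity(t0 + timedelta(minutes=5))
    out["idle_return_after_10_min"] = s.needs_reauth(t0 + timedelta(minutes=10))
    out["idle_return_after_25_min"] = s.needs_reauth(t0 + timedelta(minutes=25))

    s = ContainerSession("Session")
    s.login(t0)
    out["session_return_after_3_h"] = s.needs_reauth(t0 + timedelta(hours=3))
    out["session_return_after_11_h"] = s.needs_reauth(t0 + timedelta(hours=11))
    s.login(t0)
    s.close_app()
    out["session_after_app_closed"] = s.needs_reauth(t0 + timedelta(minutes=1))

    try:
        ContainerSession("Idle Timeout", idle_timeout=timedelta(hours=3))
        out["idle_timeout_3h_rejected"] = False
    except ValueError:
        out["idle_timeout_3h_rejected"] = True
    return out


if __name__ == "__main__":
    for name, prompt in demo_scenarios().items():
        print(f"{name:32} -> {'login screen' if prompt else 'no prompt'}")
```

Running demo_scenarios() walks the container through each setting: with Always, returning after a minute already prompts again; with Idle Timeout, only a return after the idle period does; with Session, the user stays logged in until the token lifetime elapses or the app is closed, and a policy that tries to set an idle period above two hours is rejected.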

Install on Home page or Birth-Right Apps

  1. Login to MSAC as admin@idc.oracle.com. Click Policies. Select MyCompanyPolicy. Navigate to Catalog, scroll and
    see the enterprise applications available to the mobile users to add to their secure workspace.

    You can click x on the top-left of any vApp icon to remove it from that policy's User Catalog. Any vApp removed from the
    User Catalog is removed from the Groups where this policy applies.

    br_app_1
  2. Select Install on Homepage for the WorkBetter1.0 app. This can be used to automatically install the app
    on the home page of the mobile users (rather than mobile users having to add the WorkBetter app explicitly from the
    +VApp icon within the secure workspace container). This allows the administrator to configure "birth-right apps".

    Note:
    Install on Homepage (checked) makes vApp appear on the user's main screen or homepage within the secure workspace container.
    Install on Homepage (unchecked) makes the vApp available in the user's catalog, which can be accessed if they go to the Catalog
    page on their secure workspace container. This selection does not automatically put the vApp on the container home page.

    Upgrade Alert (checked) alerts the user each time the app is launched that an upgraded app is available, until it is installed.
    Upgrade Alert (unchecked) displays a badge on the catalog app indicating that an update is available, but does not alert the user
    at login.

    br_app_2 WorkBetter

    Click Save.

  3. Test Install on Home page property:

    Navigate back to the mobile device. Close the previously opened MobileBI secure workspace app, if open. Log in to the secure
    workspace container as vishalp@idc.oracle.com. Observe that the WorkBetter app is automatically installed within the
    secure workspace container. (The WorkBetter app does not appear on the home screen along with MobileBI yet.)

    br_app_3
  4. Click WorkBetter app within secure workspace container. Click Install to install the app
    next to MobileBI app on the home page.

    br_app_4

    Click Install again.

    br_app_5

    The Installation is under progress.

    br_app_6

    The installation is complete.

    br_app_7

Add WEB app to a policy

In this section, you will add the web application OMSS Doc Library https://docs.oracle.com/en/ to the secure workspace.

  1. The WEB app has to be first added to the catalog. Login to MSAC as admin@idc.oracle.com. Click Catalog.

    cont_app_1

    In the Catalog page, Click +Add vApp and add the new app as shown below. Click Save.

    cont_app_2
  2. Once added to the catalog, these apps can be made available within the policies under Catalog. Click Policies >
    MyCompanyPolicy > Catalog. Add the new OMSS Doc Library using Add vApp to user Catalog as shown below.

    cont_app_3

    Click Save.

    cont_app_4
  3. Navigate to the mobile device and login to the secure workspace container. The new WEB app (OMSS Doc Library)
    becomes available within the user catalog in the secure workspace container. Click +Add vApp icon within the
    secure workspace container. 

    cont_app_5

    Search for OMSS Doc Library app in the Catalog. Select the app from the user catalog.

    cont_app_7

    Click Install. Install the app within the secure workspace.

    cont_app_6

    The app is installed and is now available in the secure workspace.

    cont_app_8

    Click the app from the container and the following page is loaded in the browser.

    cont_app_9

    Click the container icon to get back to the Home Page.

Data Leakage protection

  1. Log in to MSAC and view the DLP policies. Navigate to Policies > MyCompanyPolicy > Container/Apps. Observe the action
    to be taken in case of a compromised platform. Observe that currently this is set to Lock. Whenever there is any policy violation,
    the container will be locked. You will study these properties in the next step.

    Observe the DLP policies that restrict email, instant message, video chat, social share, print, file share, copy/paste, save to
    media gallery, save to local contacts.

    data_lkg_1
    data_lkg_2
  2. Test the print, email, video chat, instant message features (Data Leakage Protection):

    Navigate to the mobile device and launch the WorkBetter app (if not already logged in, log in as vishalp@idc.oracle.com
    when prompted). Click Menu on the Dashboard.

    data_lkg_3
  3. Select People.

    data_lkg_4
  4. On the People page, Click any person such as Susan Mavris. Click the email address to send out
    an email to her. Observe that the email is disabled.

    data_lkg_5
  5. Similarly, try to SMS an employee such as Sundar by clicking the SMS icon. Observe that it is
    disabled. Click Phone which starts video chat, and observe that it is disabled as well.

    data_lkg_6

    Video Chat is disabled. Click OK.

    data_lkg_7
  6. Go back to the Home page on the mobile device. Launch MobileBI app. Select Demo.
    On the Server Configuration window, Click OK.

    data_lkg_8
  7. Select any of the recent reports. Click arrow icon at the bottom. This allows you to share this report. Try
    Print option. It should show you the message that Printing is disabled.

    data_lkg_9

    Details in the dashboard are shown below.

    data_lkg_10

    Click Print.

    data_lkg_11

    Observe the message that printing is disabled.

    data_lkg_12
  8. From the MSAC home page, Click Containers. On the containers page, you can view all the containers
    which are in Active, Inactive, Locked or Wiped state by selecting from the drop down option.

    data_lkg_13
  9. Click the container corresponding to vishalp@idc.oracle.com. On Policy you can see all the properties that
    apply to this container based on aggregate policies (if any) that are applicable.

    data_lkg_14

    Note: All the properties under MSAC > Policies are defined by the Default policy or any custom/user defined
    policy or a mix of multiple policies that you might have created.

    However, if you want to see the policies that are specific to a particular container (that it inherits from the
    aggregate policies defined above), you should view the container specific policy. (You can only view the
    policies here, however to create or modify policies, you have to navigate to MSAC > Policies).

    If there are multiple policies being used, and you are not getting the desired result, this is a good place to
    observe the aggregate of all the properties set by various policies on the container being used which might
    give you a pointer as to why you are not seeing the desired results.

Time Access in MSAC

  1. For MyCompanyPolicy, click Time Access and modify the Time Access interval from 1:00 am - 1:00 am to
    1:00 am - 2:00 am. Click Add.

    time_acc_1

    Note: Choose such an hour which is different from your current time when doing this OBE.

    Click Save.

  2. Navigate to Container/Apps > MyCompanyPolicy. Verify that the compromised platform property is set to Lock,
    that is, in case of any policy violation the container will be locked.

    time_acc_2

    Click Policy. You can see all the properties that apply to this container including the Time Access policy
    you just modified.

    time_acc_3
    time_acc_4
  3. From the mobile phone, close the secure workspace container and any of its protected apps, if open. Try to re-open
    Secure Workspace or one of the containerized apps that you installed on your device.

    Enter your credentials to login (vishalp@idc.oracle.com). After authentication you will see the following message
    that the container is locked.

    time_acc_5
  4. Navigate back to MSAC. Click Containers. Change the filter of containers (from the drop-down menu) from Active
    to Locked. You should see the locked container.

    time_acc_6

    This is because in case of policy violation, you had set the compromised platform to be locked.

  5. To unlock the container, move the mouse cursor over the row which shows the container as locked. The
    Unlock and Wipe buttons will appear to the right. Click Unlock.

    time_acc_7

    Observe the status of the container. It has now changed from Locked to Locked/unlock pending.

    time_acc_7a
  6. In order to remove Time Access policy, Navigate to Policies > MyCompanyPolicy > Time Access.
    Click Remove to remove the time access policy that caused the lock of the container. Click Save.

    time_acc_8
  7. From the mobile device, If secure workspace is already open, close it. Re-open the secure workspace. Enter your
    credentials (for example VishalP@idc.oracle.com) to login. After authentication you will be able to
    access the secure workspace container.

    To view the event activity on this container, Click Containers within MSAC. Click the container corresponding to
    the user VishalP@idc.oracle.com.

    Observe that the container is now in Active state (in the previous step it was Locked, which you had unlocked
    after removing the policy violation).

    time_acc_9
  8. Click the container row for VishalP@idc.oracle.com. It expands below and gives you access to several
    pieces of information related to this specific container. Click Activity and review the relevant events on creating,
    registering, locking, unlocking, policy violation, etc.

    time_acc_10
    time_acc_11
  9. Click Details and observe the panel section vApps, which shows all the apps installed on that container.

    time_acc_11

    You can also see the device on which this container is installed (iPhone7,1), the OS version of the device (iOS 8.1), the
    group membership of the user vishalp@idc.oracle.com (default group, mobileadmin and mobileusers), the unique
    container id, the policies applicable to this container (MyCompanyPolicy, Default Policy) and the Configuration URL
    for the container (in the case of Kerberos with password authentication):
    https://idgovserver1.idc.oracle.com/bmax/bmconfig_kinit_kinit.json

Geo Access in MSAC

Geo-fencing is a way of controlling where a container (and its associated mobile apps) can be used. In this case, the “where”
is the location of the mobile device and secure enterprise workspace. The setting for geo-fencing indicates where the container
can be used, for example in this city, state or country. The setting is multi-valued, so you can specify a number of locations,
and it is the union of these settings that determines where access is granted.

  1. Login to MSAC. Navigate to Policies > MyCompanyPolicy > Geo Access.

    geo_acc_1
  2. Enter Redwood City in set geofence by textbox. Select the recommendation as in the below screenshot. Click Save.

    geo_acc_2
  3. Click MyCompanyPolicy > Container/Apps. Verify that location services is enabled.

    geo_acc_3
  4. From the mobile phone, If your secure workspace is already open, close it. Reopen the secure workspace. Enter
    your credentials to login (vishalp@idc.oracle.com). After authentication you will see the following message that
    the container is locked. This is because you have set the Geo Access to Redwood City. If you try to login from
    any other place, it will enforce the compromised platform policy value, which is to lock the container.

    geo_acc_4
  5. You can verify this in the mobile device. Navigate to Settings > Privacy > Location Services. The
    value for MyCompanyWorkspace should be set to Always.

    Note: The Geo Access section would only work if location services was enabled on the container when it
    was installed, as shown below.

    val_msac_12
    geo_acc_5
  6. Go back to MSAC. Select Containers. Change the filter of containers from Active to Locked and observe
    the locked container. Click the container row and the properties panel will open below the container row. In this
    new area you will find a lot of details related to this container.

    Click Activity. Click Location Map.

    geo_acc_6
  7. This shows you the exact location of the mobile device from where you tried to access the secure container. Since this
    location is not Redwood City, the container got locked as per the compromised platform property.

    geo_acc_7
  8. To unlock the container, move the mouse cursor over the container row, the Unlock and Wipe buttons will appear.
    Click Unlock.

    geo_acc_8
  9. A pop-up will appear, Click Unlock. To remove Geo Access policy, Navigate to Policy > MyCompanyPolicy > Geo Access.
    Click Remove to remove the geo access policy that caused the lock of the container. Click Save.

    geo_acc_9

Managing Devices

Another type of access control is based on the device type, that is, on which device types (Android or iOS) and
OS versions (Android OS version and iOS version) the secure workspace container can be used.

In this case, the device list indicates which devices are on the white-listed set of devices (device type, OS level). If new devices
come to the market, you can add them to the list of devices in the drop-down.

  1. Login to MSAC. Navigate to Policies > MyCompanyPolicy > Devices.

    mng_dev_1
  2. Observe the listing of 11 iPhone types, 6 iPad types and 255 Android devices which are supported for container
    deployment. If you want to restrict the secure workspace container to being deployed only on certain
    devices, unselect the other devices.

    mng_dev_2

    You can also see the minimum version of iOS and Android that is supported.

  3. In this OBE, you will add iPhone 6 and iPhone 6 Plus as supported devices (which are currently not in the list). Observe that the
    iPhone 6 Plus, which is currently being used to build this OBE, is shown as iPhone7,1 (the platform string for the iOS device
    iPhone 6 Plus). You will see how to update this to display a more traditional display name, iPhone 6 Plus, for the platform string,
    and also how to add iPhone 6 to the list of supported devices.

    From MSAC Home page, Click Settings > Server Settings > Export Unmapped Devices.

    mng_dev_3
  4. Open the unmapped_devices-<timestamp>.csv file in MS Excel. This csv file is space and case sensitive.

    mng_dev_4

    Note: iPhone7,1 is the platform string for iPhone 6 Plus. Similarly, iPhone7,2 is the platform string for
    iPhone 6. See the Apple documentation for more on platform strings for iOS devices.

  5. You will update the file as shown below with the display name for iPhone7,1 as iPhone 6 Plus and you will
    add a new row for iPhone 6 as well.

    mng_dev_5
  6. Save the file as CSV file. If you get a warning as shown below, click Yes.

    mng_dev_6
  7. Log back into MSAC and Navigate to Settings > Server Settings. Click Update Device Details. Select the
    csv file saved in the previous step and click Open.

    mng_dev_7
  8. It should display that the upload was successful.

    mng_dev_8
  9. Click Containers and observe that the Device Type for vishalp@idc.oracle.com container record got
    updated to iPhone 6 Plus.

    mng_dev_9
  10. Click the container row to see more details. Observe that the iOS version and the Device Type in the Details
    tab is iPhone 6 Plus and 8.1.

    mng_dev_10
  11. You can also see that in MyCompanyPolicy > Devices, the iPhone7,1 device got updated to iPhone 6 Plus
    and iPhone 6 device got added to the list.

    mng_dev_11
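Steps 3 to 8 edit the exported device-mapping CSV by hand in Excel, where a stray space or a lower-case identifier is easy to introduce and, because the file is space and case sensitive, silently leaves the device unmapped. The following Python script is an added example written for this tutorial, not part of Oracle Mobile Security Suite or of the OBE: it applies the display names from step 5, appends the missing iPhone 6 row and flags platform strings that would not match exactly. The column names platform_string and display_name and the sample export are constructed assumptions, since the tutorial does not show the file's layout; the display names are the ones the tutorial assigns.

```python
"""Apply display names to an exported unmapped_devices CSV and check it.

Added example for this tutorial, not code from Oracle Mobile Security Suite.
The column names (platform_string, display_name) and the sample export are
constructed assumptions; the display names are the ones the tutorial assigns.
"""
import csv
import io
import re

# Constructed stand-in for unmapped_devices-<timestamp>.csv as exported from MSAC.
# Platform strings contain a comma, so a correct CSV must quote them.
SAMPLE_EXPORT = '"platform_string","display_name"\n"iPhone7,1",""\n'

# Display names assigned in step 5 of the tutorial.
DESIRED_NAMES = {"iPhone7,1": "iPhone 6 Plus", "iPhone7,2": "iPhone 6"}

FIELDS = ["platform_string", "display_name"]
PLATFORM_RE = re.compile(r"^(iPhone|iPad|iPod)\d+,\d+$")
PLATFORM_RE_CI = re.compile(PLATFORM_RE.pattern, re.IGNORECASE)


def platform_string_problems(value: str) -> list:
    """Explain why a platform string would fail the server's exact match."""
    problems = []
    stripped = value.strip()
    if value != stripped:
        problems.append("leading/trailing whitespace")
    if not PLATFORM_RE.match(stripped):
        if PLATFORM_RE_CI.match(stripped):
            problems.append("wrong case (identifiers look like 'iPhone7,1')")
        else:
            problems.append("unrecognised format")
    return problems


def build_upload(export_text: str, desired_names: dict):
    """Return (csv_text, warnings) ready for Settings > Server Settings > Update Device Details."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    warnings = []
    seen = set()
    for row in rows:
        ps = row["platform_string"]
        seen.add(ps)
        warnings.extend(f"{ps!r}: {p}" for p in platform_string_problems(ps))
        if ps in desired_names:
            row["display_name"] = desired_names[ps]
        elif not row["display_name"]:
            warnings.append(f"{ps!r}: still has no display name")
    # Devices the export does not list yet (iPhone 6 in the tutorial) get a new row.
    for ps, name in desired_names.items():
        if ps not in seen:
            rows.append({"platform_string": ps, "display_name": name})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue(), warnings


if __name__ == "__main__":
    text, warns = build_upload(SAMPLE_EXPORT, DESIRED_NAMES)
    print(text)
    for w in warns:
        print("WARNING:", w)
```

Because the identifier itself contains a comma, every field is written quoted; Excel does the same on save, which is why the warning in step 6 about the CSV format can be accepted. A row whose platform string reads iphone7,1 or iPhone 7,1 passes through Excel without complaint but is reported here, since the server would never match it to the iPhone7,1 the container reports.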

Offline Access using MSAC

  1. Log in to MSAC. Select Policies > MyCompanyPolicy. Click Container/Apps. Observe that the offline access
    allowed option is set to No.

    off_acc_1
  2. On the mobile device disable the network. On iPad/iPhone switch on the Airplane mode.

    off_acc_2
  3. On the mobile device, try to open the secure workspace, enter the credentials and tap the Login button.
    You will get an error and will not be able to log in. Click OK.

    off_acc_3
  4. In order to change the offline access setting on the OMSS server, access the MSAC console. Select Policies >
    MyCompanyPolicy > Container/Apps, and set the offline access allowed option to Yes. Click Save.

    off_acc_4
  5. On the mobile device, enable the network (i.e. turn Airplane mode off) to allow the secure workspace client to
    communicate with the OMSS server, so that the updated policies are pushed to the client.

    off_acc_5
  6. After the device is connected again to the network (ie., Airplane mode is off) try to access the secure workspace. You
    will be required to authenticate and the secure workspace will open.

    Disable the network on the mobile device again (i.e, turn Airplane mode on). Close the previously opened secure
    workspace container. Now try to access the secure workspace. You will be required to authenticate and the secure
    workspace will open, even as your device is offline (Airplane mode is on).

    You will now revert the changes made for this OBE. Log in to MSAC, select Policies > MyCompanyPolicy >
    Container/Apps, and set the offline access allowed option to No. On the mobile device, turn Airplane mode off
    and close the secure workspace container.

Browser Setting using MSAC

Publish http://www.oracle.com/technetwork as a secure web site within workspace container.

  1. Login to MSAC. Click Catalog. Click +Add vApp. Add a new application of the type Web with the name
    OTN Portal and the URL as http://www.oracle.com/technetwork/index.html. Specify the Version as 1.
    Click Save.

    brow_set_1

    The OTN Portal app is added.

    brow_set_2

    Note: If you want to give your own custom icon for this OTN Portal icon, which will appear within the secure workspace container,
    you could change the default icon URL from https://idgovserver1.idc.oracle.com:443/acp/images/default_mvl.png to
    your own custom icon URL such as https://idgovserver1.idc.oracle.com:443/acp/images/<my_image_name>.png. Make
    sure to add your custom <my_image_name>.png file to the following location: /opt/oracle/omss/msac/lattice/images.

  2. Navigate to Policies > MyCompanyPolicy > Browser. Observe that the address bar and download are both enabled for
    the browser within secure workspace container.

    brow_set_3
  3. Click Catalog for MyCompanyPolicy and add OTN Portal to be visible within the user catalog. Enter OTN Portal
    in the Add vApp to User Catalog text field and press Enter.

    brow_set_4
  4. OTN Portal should now be visible in the list of user catalog. Click Save.

    brow_set_5
  5. Navigate to the mobile device. Login to the secure workspace container as vishalp@idc.oracle.com. Observe
    the secure browser icon. Click the browser icon. You should be able to see address bar where you can type in a URL.
    You should also be able to Click the "Share" icon (at the bottom horizontal bar - a rectangular box with up arrow) and
    observe that Download page option is enabled.

    brow_set_6
    brow_set_7
  6. Click +Add vApp. Search and add OTN Portal from the user catalog to your secure workspace. 

    brow_set_8

    Click Install to install OTN Portal web app to the secure workspace.

    brow_set_9
  7. Click OTN Portal icon and observe the browser address bar is enabled. Similar to the secure browser
    exercise before, "download this page" option is also enabled.

    brow_set_10

    Now you will disable the address bar and disable the download option. Log in to MSAC. Click Policies >
    MyCompanyPolicy > Browser. Select No for the address bar and download enabled options. Click Save.

    brow_set_11
  8. Navigate back to the mobile device. Close the secure workspace if already open. Relaunch the workspace
    and login as vishalp@idc.oracle.com.

    Observe that the Secure browser is no longer visible. Launch the OTN Portal and observe that the address bar
    is no longer visible. Click the share icon at the bottom of the page and observe that the Download
    this page option is no longer visible.

    brow_set_12
    brow_set_13
    brow_set_14
  9. Reset the properties back to their default values. Login to MSAC and navigate to Policies > MyCompanyPolicy >
    Browser. Enable the browser address bar and download option. Click Save.

    brow_set_15

You have now completed configuring and validating various policy settings within MSAC.

General Administration within Mobile Security Access Console

Client Settings

The Client Settings tab has the following fields:

Shows Save Check Box in Login Page controls whether the login screen offers a Remember Username check box, so that users
need not retype their username each time they log in. The option appears only if the client is configured for the KINIT or OTP
authentication type and this field is set to True.

Open URL in Secure Browser controls where a protected URL is opened. When users click a protected URL, your company's
SharePoint for example, and this value is True, the URL opens in the Secure Browser inside the container. If it is False,
the web site opens in the default browser of the device, outside the container and outside the workspace's browser policy
(such as the address bar and download restrictions configured earlier).

Poll Interval displays the frequency, in seconds, at which the client polls the server for new policies and commands.

Enable Add vApp controls whether the Catalog app (+Add vApp) is present on the users' home screen.

Advance Certificate Expiration Warning Time (days) provides a menu that can be set to 1 to 30 days. The container warns
users about an upcoming certificate expiration that many days in advance.

  1. Shows Save Check Box in Login Page:

    On the mobile device, close the secure workspace app. Relaunch secure workspace container. Observe that there is a
    checkbox on the login page to remember username.

    cli_set_1
  2. Login to MSAC as admin@idc.oracle.com. Navigate to Settings > Client Settings. Set Shows Save Check Box in Login
    Page to False. Click Save.

    cli_set_2
  3. On the mobile device, re-launch the secure workspace container. The Remember Username checkbox is still on the login
    page, because the changed client setting is not delivered to the client until you next login. Login as
    vishalp@idc.oracle.com, then close the secure workspace container.

    Open the container again and observe that Remember Username checkbox is no longer present in the login page.

    cli_set_3
  4. Login to MSAC as admin@idc.oracle.com. Navigate to Settings > Client Settings. Set Shows Save Check Box in Login
    Page back to True. Click Save.

  5. Enable Add vApp button:

    When you login to the secure workspace container, you see the +Add vApp icon, which gives users access
    to the user catalog from which they can add apps to use within the secure workspace container.

    cli_set_4
  6. If you want to disable access to the user catalog, you can set the property enable add vApp button to false from
    Settings > Client Settings on MSAC. Click Save.

    cli_set_5
  7. On the mobile device, re-launch the secure workspace container. Login as vishalp@idc.oracle.com. Observe that the +Add vApp
    icon is no longer there.

    cli_set_6

    Note: The use case here is an administrator who wants full control of the workspace. With the catalog disabled, the only
    way an app can be added to the container is for the administrator to publish it to the policy as a birth-right app, which
    is then installed from the Home page as shown below.

    enf_brthapp
  8. Login to MSAC as admin@idc.oracle.com. Navigate to Settings > Client Settings. Reset enable add vApp button
    back to true. Click Save.

Web Settings

The Web Settings tab controls which web sites are proxied through MSAS, which web sites are blocked (blacklisted) and which
web sites bypass MSAS and go directly to the Internet.
The Access Types are:

  • Proxy causes matching URLs to be proxied through Mobile Security Access Server.

  • Direct causes matching URLs to go directly to the Internet.

  • Block causes matching URLs to be denied, that is, it puts those URLs on a blacklist.

Any web site not explicitly set to Proxy or Block is treated as Direct, once the access list contains at least one rule.

On a fresh installation, before any rule has been added, all URLs are allowed and all URLs are proxied by the client devices
through their associated Oracle Mobile Security Access Server. The web settings configured in Mobile Security Administrative
Console take effect as soon as a single edit is made to them; from then on, unmatched URLs go direct.

The web settings configuration is retrieved by each Oracle Mobile Security Access Server every 15 minutes and is used to update
the bmaxaccess.conf (/opt/oracle/omss/msas/conf) and bmax.pac (/opt/oracle/omss/msas/htdocs/bmax) files.
The .pac file controls which URLs are proxied by the client devices through the Oracle Mobile Security Access Server.

Note: There is a corresponding pac file for the SSL port (443 instead of 80) named stunnel.pac, found in the same location
as bmax.pac. You do not have to modify or add entries to this file: changes made to bmax.pac are automatically reflected in
stunnel.pac.

The entries in the access list are matched against the requested URLs as follows:

  • Simple string (substring) matching is performed.
  • Each entry can be any portion of the requested URL: the scheme, host, path or query string, or any part of those.
  • Both the requested URL and the entries in the access list are converted to lowercase before matching.

Each entry in the access list consists of the URL part to match and the access type (Proxy, Direct or Block) to apply.

  1. A requested URL can match multiple entries in the access list.
  2. Block overrides Direct, which overrides Proxy, so a requested URL matching all three is blocked.

In this OBE, you will create four rules: two to block (deny) sites and two to proxy them. All other sites are, by
default, accessed directly.
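As an added illustration (not code from the tutorial or from Oracle Mobile Security Suite), the following JavaScript models the
matching rules above in the form a PAC file uses, with the four rules this section creates as the access list. It does not
reproduce the real bmax.pac that MSAS generates; the MSAS proxy address is an assumed placeholder, and routing blocked URLs to
MSAS is an inference from the 403 responses that step 9 shows in the MSAS access log.

```javascript
// Added example (not from the tutorial or from Oracle Mobile Security Suite): a model of the
// Web Settings matching rules in PAC-file form. Documented semantics only: plain substring
// match on the whole URL, case-insensitive, Block beats Direct beats Proxy, no match means
// Direct. The real bmax.pac is not reproduced; MSAS_PROXY is an assumed placeholder.
const MSAS_PROXY = "PROXY msas.example.com:8080";

// The four rules configured in this section (constructed to match the steps below).
const ACCESS_LIST = [
  { match: ".oracle.com",     type: "Proxy" },
  { match: ".oraclecorp.com", type: "Proxy" },
  { match: "facebook.com",    type: "Block" },
  { match: "twitter.com",     type: "Block" },
];

// Higher rank wins when a URL matches several entries.
const RANK = { Proxy: 1, Direct: 2, Block: 3 };

// Returns "Proxy", "Direct" or "Block" for a requested URL.
function resolveAccessType(url, accessList = ACCESS_LIST) {
  const haystack = String(url).toLowerCase();   // both sides are lower-cased before matching
  let verdict = "Direct";                       // default for URLs that match nothing
  let best = 0;
  for (const entry of accessList) {
    if (haystack.includes(entry.match.toLowerCase()) && RANK[entry.type] > best) {
      best = RANK[entry.type];
      verdict = entry.type;
    }
  }
  return verdict;
}

// PAC entry point. Blocked URLs are still sent to MSAS, which answers 403 (inferred from
// the access-log observation in step 9; the real file may express blocking differently).
function FindProxyForURL(url, host) {
  return resolveAccessType(url) === "Direct" ? "DIRECT" : MSAS_PROXY;
}
```

Because matching is a plain substring test over the whole lower-cased URL, an entry such as oracle.com without a leading dot
would also match notoracle.com, and a host-style entry fires on a path or query string that happens to contain it, which is why
the entries in this section keep the leading dot. The precedence rule makes this harmless for Block entries (they win regardless),
but it matters when a Direct entry is meant to carve out a single internal path.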

  1. Login to MSAC. Click Settings > Web Settings. Click +Access URL match. In Access URL,
    enter .oracle.com and set the access type to Proxy. Click Save.

    web_set_1
  2. Add another record to proxy traffic to the oraclecorp.com domain. In Access URL,
    enter .oraclecorp.com and set the access type to Proxy. Click Save.

    web_set_2
  3. Add another record to block facebook site. In access url, enter facebook.com and set
    access type to Block. Click Save.

    web_set_3
  4. Finally, add another record to block twitter site. In access url, enter twitter.com and set access type to Block. Click Save.

    web_set_4
  5. If there are any other records, delete them using the delete button to the right of the record (hover your mouse on the row). In effect the
    Access URL match rules should look like the following.

    web_set_5
  6. MSAS needs to know how to route every request that it receives. In any organization this means MSAS must know the
    proxy rules configured by corporate IT, and the corresponding entries in the MSAS configuration file have to be changed.
    A sample of the configuration file (bmaxhttps.conf) is shown below. This file is in the directory
    /opt/oracle/omss/msas/conf and is edited to make MSAS send back-end requests through an intermediate proxy.

    web_set_5a

    In any organization, this file needs to be edited and the two lines that contain ProxyRemoteMatch should be un-commented
    and adjusted to the organization's proxy rules. An example of a proxy rule is given below; each directive is a single line
    in the file.

    ProxyRemoteMatch ^http://(?!.+[.]us[.]example[.]com|.+[.]idc[.]example[.]com|.+[.]examplecorp[.]com|login[.]example[.]com|.+[.]examplemobile[.].+|.+[.]exampleqa[.]com|.+[.]exampleqa1[.]com).* http://148.87.19.20:80
    ProxyRemoteMatch ^https://(?!.+[.]us[.]example[.]com|.+[.]idc[.]example[.]com|.+[.]examplecorp[.]com|login[.]example[.]com|.+[.]examplemobile[.].+|.+[.]exampleqa[.]com|.+[.]exampleqa1[.]com).* https://148.87.19.20:80

    The negative lookahead lists the internal domains, so internal traffic stays internal while all other traffic is sent through
    the proxy. You have to use the IP address of the proxy server instead of its hostname because of intermittent problems with
    looking up the proxy's address.

  7. Allow approximately 15 minutes for the changes to be reflected in the bmax.pac file under the /opt/oracle/omss/msas/htdocs/bmax
    directory, then validate by reading that file. You can see the rules being applied: facebook.com and twitter.com are blocked,
    oraclecorp.com is sent to the proxy, and so on.

    web_set_6

    Note: Under the covers, stunnel.pac file is automatically updated.

    web_set_7
  8. Now open the access.<timestamp>.log file for MSAS under the /opt/oracle/omss/msas/logs directory:

    su
    Password: <root password>
    cd /opt/oracle/omss/msas/logs
    tail -f access.<timestamp>.log

    web_set_8
  9. Navigate to the mobile device and login to the secure container as vishalp@idc.oracle.com. Open the secure browser
    (click the browser icon) and enter twitter.com, then facebook.com.
    Observe the terminal window tailing the log file. Note the 403 Forbidden responses: the blocked requests still reach
    MSAS, which refuses them.

    web_set_9
  10. On the secure browser, make sure you can access a proxied web site, for example bug.oraclecorp.com.

    web_set_9

    As seen in the screenshot above, the request to the website is proxied through MSAS. The initial response is
    302, MSAS then redirects it to mobile URL which results in the response code of 200.

  11. On the secure browser, verify that you can access a direct web site, for example cnn.com, successfully.

    web_set_9

    As seen in the screenshot above, the request to the website does not go through MSAS. It is bypassed
    and is directly redirected to the cnn.com website.

  12. Important Note: accessing secure URLs from outside the workspace by pointing the device at bmax.pac.
    If you want to allow protected URLs to be reached from outside the workspace, either as links embedded in an email
    opened in Apple's native email client rather than the secure email client within the workspace, or typed directly into
    the Safari browser rather than the secure browser within the workspace, or from a third-party, non-containerized app
    invoking an internal protected URL, then you have to tell the device where the bmax.pac file is. Requests from such
    apps are routed through MSAS, but they are not covered by the container's policies (for example the browser and data
    leakage settings configured earlier).

    Depending on your use-case and corporate policies, here are some possible options:

    1. Using Wi-Fi:
      Set the location of bmax.pac file under Wi-Fi settings of the mobile device under HTTP Proxy (Auto) URL setting.

      web_set_10
    2. Using Cellular Connection:
      The above approach doesn't work for a cellular connection. In that case you have to use a VPN and, in the
      VPN profile under the Proxy Auto settings, set the location of bmax.pac. Go to Settings > VPN.

      web_set_11

      Click Add VPN Configuration.

      web_set_12

      Specify the VPN properties. Observe that the bmax.pac location is specified under Proxy Auto settings.

      web_set_13
    3. Using Apple Configurator:
      If you want to avoid the use of VPN, run the mobile device in Supervision mode using Apple Configurator and
      set the bmax.pac in global proxy settings in Apple configurator.

      Apple Configurator makes it easy to mass configure and deploy iPhone, iPad, and iPod touch in a school, business,
      or institution; see Apple's documentation for more information.

      web_set_14
      web_set_15

    In summary:

    • If the mobile device is configured for Wi-Fi, ensure that the proxy with the URL of the bmax.pac file is specified.

    • If the mobile device is configured for VPN, ensure that the proxy with the URL of the bmax.pac file is specified on the
      VPN; it is not needed in the Wi-Fi configuration.

    • If you want to avoid use of VPN, ensure that the proxy with the URL of the bmax.pac file is specified in the global
      proxy setting when mobile devices are running in supervised mode under Apple Configurator.

    • These are some of the possible solutions to be able to access secure protected corporate resource URLs (for
      eg. sharepoint webdav URL) from outside the secure workspace container.
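Returning to the ProxyRemoteMatch sample in step 6: it is worth checking what a candidate pattern classifies as internal before
it goes into bmaxhttps.conf. The following JavaScript is an added check, not part of the tutorial or of the product. It evaluates
the sample pattern against test URLs (mod_proxy applies it to the absolute request URL, and this pattern behaves the same in PCRE
and in JavaScript), and alongside it a tightened variant, an assumption of this example, in which each internal-domain alternative
is terminated at the end of the host. Domains are the tutorial's example.com placeholders and the upstream address is the one in
the sample.

```javascript
// Added check (not from the tutorial or from Oracle Mobile Security Suite): evaluates
// ProxyRemoteMatch patterns against test URLs to see which requests MSAS would forward to
// the corporate proxy and which it would fetch itself. mod_proxy applies the regex to the
// absolute request URL; the JavaScript RegExp engine handles this pattern identically.
// Domains are the tutorial's example.com placeholders; the upstream address is from the sample.

const UPSTREAM = "148.87.19.20:80";

// Internal-domain alternatives exactly as in the tutorial's sample pattern.
const SAMPLE_INTERNAL =
  ".+[.]us[.]example[.]com|.+[.]idc[.]example[.]com|.+[.]examplecorp[.]com|" +
  "login[.]example[.]com|.+[.]examplemobile[.].+|.+[.]exampleqa[.]com|.+[.]exampleqa1[.]com";

// Tightened alternatives (an assumption of this example, not from the tutorial): the
// internal domain must be the entire host, optionally followed by a port, path or query.
const LABELS = "[^/?#:]*";        // host labels in front of the internal domain
const HOST_END = "(?:[:/?#]|$)";  // what may follow a complete host
const TIGHT_INTERNAL = [
  LABELS + "[.](?:us|idc)[.]example[.]com" + HOST_END,
  LABELS + "[.]examplecorp[.]com" + HOST_END,
  "login[.]example[.]com" + HOST_END,
  LABELS + "[.]examplemobile[.][^/?#:]+" + HOST_END,
  LABELS + "[.]exampleqa1?[.]com" + HOST_END,
].join("|");

// Builds the two ProxyRemoteMatch rules (http and https) for a given internal-domain list.
// Each rule reads: "anything whose host is NOT internal is forwarded to the upstream proxy".
function buildRules(internalAlternatives) {
  return ["http", "https"].map((scheme) => ({
    re: new RegExp("^" + scheme + "://(?!" + internalAlternatives + ").*"),
    upstream: scheme + "://" + UPSTREAM,
  }));
}

const SAMPLE_RULES = buildRules(SAMPLE_INTERNAL);
const TIGHT_RULES = buildRules(TIGHT_INTERNAL);

// Returns the upstream proxy a request would be forwarded to, or null when MSAS connects
// to the origin itself. The first matching rule wins, as in mod_proxy.
function upstreamFor(url, rules = SAMPLE_RULES) {
  for (const rule of rules) {
    if (rule.re.test(url)) return rule.upstream;
  }
  return null;
}
```

With the sample pattern, the .+ in each alternative is unbounded and the dot also matches a slash, so a URL whose path or query
merely contains .idc.example.com, or whose host merely begins with an internal name, is treated as internal and fetched by MSAS
directly rather than through the corporate proxy. The tightened pattern requires the internal domain to be the whole host
(optionally followed by a port), which is the check you want if the lookahead is expected to do more than routing.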

Container wiping using MSAC

Locking a container keeps the corporate files and data, along with any cached data and preferences, encrypted and inaccessible on
the device. The Lock button disables the container and stops user access to vApps or information; it presents a default message
window in which administrators can add a message to the lock alert for users to see. In contrast, a wipe command returns the
apps to their "factory installed" state: all downloaded files, data and cache within the container are wiped from the device.

Note: This wipe operation is only applicable to the secure workspace container unlike a Wipe/Erase command issued from Find my
iPhone from iOS devices or icloud.com which wipes out the entire data on the device.

In the Oracle Mobile Security solution, a device wipe restores the container and the containerized apps to their "factory installed"
state by deleting all files, data, user preferences and cache from the mobile device. This is done without any impact to the user's
personal files and information, such as contacts, photos, music, email and downloaded books. The container wipe is a key advantage
over MDM (mobile device management) solutions, which wipe the entire device, including both personal and business information.

There are scenarios where an automated container wipe (the tutorial also calls this a device wipe) may be warranted. These may include:

  1. Compromised device: When you detect that the device has been tampered with, placing it in a high-risk category e.g. jailbroken
    (iOS) or has been rooted (Android).

  2. Account Lockout: When the configured number of failed login attempts has been exceeded, thus possibly indicating a stolen device.

  3. Inactivity Period exceeded: When a device hasn’t been online and connected to the Mobile Security solution in the specified period.
    This may indicate the user no longer needs access to the corporate services.

When a user leaves the company and the de-provisioning process is automated (for example with Oracle Identity Manager), the
terminated user is automatically removed from the corporate directory security groups, which disables their access to the Mobile
Security solution. The admin console also provides an interface to wipe the container on the terminated user's device
immediately, if this needs to happen right away. This use case demonstrates that wipe.

  1. In some cases, a wipe is being initiated due to a lost/stolen device. In that case, the wipe should be only for the container
    installed on that specific device.

    cnt_wipe_1
  2. In other cases, the wipe should be directed at all users of a security group. The Oracle Mobile Security solution includes
    not only fine-grained wipe (for example an individual container on an individual device), but also coarse-grained wipe for all
    containers of all users in a specified security group.

    cnt_wipe_2
  3. The wipe command deletes the files and data within downloaded container apps, but does not delete the apps themselves. It
    essentially returns the apps to their “factory installed” state, eliminating all corporate data in the process.

    The wipe deletes all corporate data from the device. However, it doesn’t by itself prevent the user from going through the process
    of reconfiguring the secure Enterprise Workspace. Presumably, other security measures have been put in place when it warrants
    a device wipe due to any employee leaving the organization. These might include disabling the user’s login ability in the corporate
    directory, de-provisioning the user from any security groups in the corporate directory, etc.

    If the device has been stolen and you want to wipe the secure workspace data, Login to MSAC as admin@idc.oracle.com
    and Click Containers. Select the row corresponding to container for vishalp@idc.oracle.com . Click Wipe.

    cnt_wipe_3

    Note: Do not press the Wipe button. This is shown for demonstration only.

  4. To see the list of all Wiped containers, select Wiped from the Drop down list.

    cnt_wipe_4
  5. If you were already logged into the secure workspace container when the wipe command was issued by the
    administrator, you will see the following message on your mobile device.

    cnt_wipe_5
  6. Observe that you are still able to login to a container that has been wiped; all the container data has been
    removed and its content is back to the default, "factory" settings. On the mobile device, login to the secure container
    as vishalp@idc.oracle.com and observe that the login succeeds.

    cnt_wipe_6
  7. Click the MobileBI app. Observe that you have to accept the license terms again even though you had accepted them
    before. This shows the state of the secure container: all app data has gone back to the "factory settings" or default
    configuration.

    cnt_wipe_7
  8. Login to MSAC and click Containers. Observe that the container is now in the Active state.

    cnt_wipe_8

You have completed the general administration tasks within Mobile Security Access Console.

Summary

The setup tasks required for policy enforcement and general administration within MSAC are complete. You have configured and
validated the various policy settings and performed the general administration tasks within Mobile Security Access Console.

In this tutorial you learned to:

  • Create a new policy in MSAC
  • Install apps on Home page
  • Perform Data Leakage Protection
  • Configure Time Access in MSAC
  • Configure Geo Access in MSAC
  • Configure Offline Access in MSAC
  • Manage Devices using MSAC
  • Configure Browser settings, Web settings and client settings in MSAC
  • Wipe container using MSAC

Resources

Credits

  • Lead Curriculum Developers: Vishal Parashar, Vandana Rajamani
  • Product Manager: Sanjay Sadarangani
  • Other Contributors: Pradeep Bishnoi, Ali Ahmed, Ashish Singh, Mukesh Singh, Satishkumar Venkatasamy
