Mobile application management
The Mobile Application Management feature enables mobile operators and administrators to securely track, search, and control access to users through the mobile applications used on their devices, all from the operations console.
The MobileFirst Server runtime tracks the devices that access the mobile infrastructure through the MobileFirst apps that users run. Each user, whether an employee, customer, supplier, or business partner, can use several devices to access your mobile environment through one or more apps that you deployed. The IBM MobileFirst operations console provides a view into this mapping of users to devices through the apps used to access the MobileFirst Server. Mobile operators and administrators can use the console not only to search for registered users by name, but also to block access to a specific app from a specific user's device. They can also block every MobileFirst app installed on a device from connecting to the MobileFirst Server.
When multiple applications from the same enterprise are installed on the same device, it is desirable to disable access for all of them at once when the device is lost, stolen, or its security is compromised. When these applications on the same device authenticate to and route traffic through a MobileFirst Server, administrators can disable access for all MobileFirst applications on that device.
In some cases, it might not be desirable to block access for every MobileFirst application installed on the device. The MobileFirst application management features allow the administrator to view each individual application installed on a user's device and select which applications to block.
When a MobileFirst application requires a certificate from the user to authenticate, the serial number of that certificate is recorded on the MobileFirst Server. In addition to viewing each application installed on a device, administrators can view the certificate serial number in the operations console. This allows them to revoke access to an application installed on the device by using the serial number to locate and revoke the certificate.
IBM MobileFirst Platform Foundation maintains a database table of device IDs, among other device-related metadata, to enable this feature. In addition to the device ID column in the database, a status column is also kept. The possible status values are:
- active
- lost
- stolen
- expired (the device has not connected to this MobileFirst Server in 90 days; this period is configurable)
- disabled
When a MobileFirst application from a device attempts to connect through the MobileFirst Server, the device ID is stored in the in-memory session data on the server. This device ID is checked against the database before any further processing of the inbound message. If the status column for this device ID is any value other than active, a 401 forbidden is returned. If the status is lost, stolen, or disabled, only an administrator with access to the operations console or direct database access can restore the status to the active state.
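The following Python is an added illustration of the gate described above (the expiry rule, the per-device status column, per-app blocking, and revocation by recorded certificate serial); it is not IBM's implementation, whose schema and code this page does not show. The class and method names (DeviceRegistry, check_access, revoke_by_serial), the 90-day default, and the sample device records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed default: the page states a 90-day window and says it is configurable.
DEFAULT_EXPIRY_DAYS = 90
VALID_STATUSES = {"active", "lost", "stolen", "expired", "disabled"}

# Fixed "current time" so the constructed sample data is reproducible.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)


@dataclass
class DeviceRecord:
    """One row of the (hypothetical) device table: ID, owner, status column, metadata."""
    device_id: str
    user: str
    status: str
    last_seen: datetime
    blocked_apps: set = field(default_factory=set)      # apps blocked on this device
    cert_serials: dict = field(default_factory=dict)    # app name -> recorded certificate serial


class DeviceRegistry:
    """Constructed model of the device table plus the operator actions the page describes."""

    def __init__(self, expiry_days: int = DEFAULT_EXPIRY_DAYS):
        self.devices: dict[str, DeviceRecord] = {}
        self.expiry = timedelta(days=expiry_days)

    def register(self, rec: DeviceRecord) -> None:
        if rec.status not in VALID_STATUSES:
            raise ValueError(f"unknown status {rec.status!r}")
        self.devices[rec.device_id] = rec

    def check_access(self, device_id: str, app: str, now: datetime) -> tuple[int, str]:
        """Gate an inbound request before any further processing.

        Returns an HTTP-style code and a reason. The page states that any status
        other than active yields a 401; an unknown device is treated the same way here.
        """
        rec = self.devices.get(device_id)
        if rec is None:
            return 401, "unknown device"
        # A device that has not connected within the expiry window moves to 'expired'.
        if rec.status == "active" and now - rec.last_seen > self.expiry:
            rec.status = "expired"
        if rec.status != "active":
            return 401, f"device status is {rec.status}"
        if app in rec.blocked_apps:
            return 401, f"app {app!r} is blocked on this device"
        rec.last_seen = now
        return 200, "ok"

    # Operator actions, i.e. what the operations console exposes according to the page.

    def set_status(self, device_id: str, status: str) -> None:
        """Administrator action: mark a device lost/stolen/disabled, or restore it to active."""
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        self.devices[device_id].status = status

    def block_app(self, device_id: str, app: str) -> None:
        self.devices[device_id].blocked_apps.add(app)

    def unblock_app(self, device_id: str, app: str) -> None:
        self.devices[device_id].blocked_apps.discard(app)

    def search_by_user(self, user: str) -> list[str]:
        """Console search: which device IDs are mapped to this user."""
        return sorted(d.device_id for d in self.devices.values() if d.user == user)

    def revoke_by_serial(self, serial: str):
        """Locate the app whose recorded certificate serial matches and block it.

        Returns (device_id, app), or None if no record holds that serial.
        """
        for rec in self.devices.values():
            for app, recorded in rec.cert_serials.items():
                if recorded == serial:
                    rec.blocked_apps.add(app)
                    return rec.device_id, app
        return None


def sample_registry(now: datetime = NOW) -> DeviceRegistry:
    """Constructed sample data: two devices for alice (one idle 100 days), one lost device for bob."""
    reg = DeviceRegistry()
    reg.register(DeviceRecord("dev-1", "alice", "active", now - timedelta(days=1),
                              cert_serials={"Payroll": "1A2B", "Expenses": "3C4D"}))
    reg.register(DeviceRecord("dev-2", "alice", "active", now - timedelta(days=100)))
    reg.register(DeviceRecord("dev-3", "bob", "lost", now - timedelta(days=1)))
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    for dev in ("dev-1", "dev-2", "dev-3", "dev-9"):
        print(dev, reg.check_access(dev, "Payroll", NOW))
```

Running the block prints the decision for each sample device: the recently seen active device is allowed, the device idle for 100 days is moved to expired and refused, the lost device is refused, and an unregistered device ID is refused. Because the check runs before any other processing of the request, a blocked device gets the same answer whichever app it uses, which is the behaviour the text describes.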
- User to device mapping and control
Starting in IBM Worklight v6.1.0, the MobileFirst Server tracks the devices that access the system as part of the core runtime database. We can now enable the user-to-device mapping feature, which lets mobile operators or administrators query their mobile systems by user. A friendly name can also be assigned to a device so that the devices mapped to a user are easy to recognize. Further, specific controls can be applied to a user-app-device mapping to either disable that link or reactivate it, to address common situations. For example, a user loses a device and all access from that device must be blocked. Another example is the requirement to block access to an app across all devices, or to an app on one device, when a user changes departments. Reactivation is available for all of these disablement control actions.
- Device access management in the operations console
Since IBM Worklight v6.1.0, the console displays a tab called Devices. With this tab, the MobileFirst administrator can search for devices that access the MobileFirst Server and manage their access rights.
- Enable the device access management features
All devices that access the MobileFirst Server are recorded in the runtime database without any additional configuration. However, MPF does not enforce the device access settings made in the operations console unless you enable a property on the MobileFirst Server.
- Performance implications for the server
Two questions must be considered when measuring the Mobile Application Management feature and its impact on performance.
Parent topic: Monitoring and mobile operations