Enable the device access management features
All devices that access the MobileFirst Server are recorded in the runtime database without any additional configuration. However, MFP does not enforce the device access settings that are set from the operations console unless you enable a property on the MobileFirst Server.
More processing is required on the MobileFirst Server when this property is enabled to enforce access management on devices. Appropriate performance testing must be done before production to measure how enabling this feature impacts the server's performance.
- Set the wl.device.enableAccessManagement=true property on the MobileFirst Server (this value is false by default). The wl.device.tracking.enabled=true property must also be set (this value is true by default).
- Capture the UserID. The user ID is recorded for the device automatically when the user logs in to an authentication realm that is marked as isInternalUserID. The following example shows a sample authentication configuration file:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- Licensed Materials - Property of IBM 5725-G92 (C) Copyright IBM Corp. 2006, 2013. All Rights Reserved.
       US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. -->
  <securityTests>
    <customSecurityTest name="DummyAdapter-securityTest">
      <!-- isInternalUserID marks the realm whose user ID is recorded for the device -->
      <test isInternalUserID="true" realm="SampleAppRealm" />
    </customSecurityTest>
  </securityTests>
  <realms>
    <realm loginModule="StrongDummy" name="SampleAppRealm">
      <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm>
  </realms>
  <loginModules>
    <!-- Sample only: NonValidatingLoginModule accepts any credentials without validating them -->
    <loginModule name="StrongDummy">
      <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
  </loginModules>
</tns:loginConfiguration>

Because a security test can include several realms that require a user ID, only the realm that has the isInternalUserID property is recorded for the device in the runtime database. For a mobileSecurityTest, the realm set by the testUser element is used. For more information about security tests, see Security tests.
If the user is authenticated through the UserCertificateAuthenticator, the serial number generated for the certificate that is sent to the device is automatically saved in the runtime database. For more information about the UserCertificateAuthenticator and serial number, see User certificate authentication.
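
The following check is an added example, not part of the original page or of IBM's code: it audits the two properties and the authentication configuration described above and reports what would keep device access management from being enforced or a user ID from being recorded. It assumes the server properties are available as key=value text; the function names and the `Unmarked-securityTest` entry are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated on the page.
DEFAULTS = {"wl.device.enableAccessManagement": "false", "wl.device.tracking.enabled": "true"}

def parse_properties(text):
    """Parse key=value lines over the defaults, skipping # comments (assumed format)."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def audit(properties_text, auth_config_xml):
    """Return findings; an empty list means the prerequisites are met."""
    props = parse_properties(properties_text)
    findings = [f"{k} is not true" for k in DEFAULTS if props[k].lower() != "true"]
    root = ET.fromstring(auth_config_xml)
    for test in root.iter("customSecurityTest"):
        # Only the realm marked isInternalUserID supplies the recorded user ID.
        if not any(t.get("isInternalUserID") == "true" for t in test.iter("test")):
            findings.append(f"{test.get('name')}: no realm marked isInternalUserID")
    for test in root.iter("mobileSecurityTest"):
        if test.find("testUser") is None:
            findings.append(f"{test.get('name')}: no testUser element")
    for module in root.iter("loginModule"):
        # A module that validates nothing yields an unverified user ID.
        if (module.findtext("className") or "").endswith("NonValidatingLoginModule"):
            findings.append(f"{module.get('name')}: login module validates nothing")
    return findings

# Constructed sample input (not from a real deployment).
SAMPLE_PROPS = "wl.device.enableAccessManagement=true\n"
SAMPLE_XML = """<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">
  <securityTests>
    <customSecurityTest name="DummyAdapter-securityTest">
      <test isInternalUserID="true" realm="SampleAppRealm"/>
    </customSecurityTest>
    <customSecurityTest name="Unmarked-securityTest">
      <test realm="SampleAppRealm"/>
    </customSecurityTest>
  </securityTests>
  <loginModules><loginModule name="StrongDummy">
    <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
  </loginModule></loginModules>
</tns:loginConfiguration>"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPS, SAMPLE_XML)))
```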