Mobile App Administration
Mobile access in Pyramid is governed centrally from the mobile settings section in the admin console.
Deployment Considerations
Web Site Setup and Communication
The mobile apps, like the main client, operate over the standard web HTTP and HTTPS protocols. Since mobile connectivity is usually via the Internet (vs. intranet), the use of an HTTPS site with SSL certificates is STRONGLY RECOMMENDED for secure communication and authentication.
Since the web servers that host the mobile app will usually be exposed to the Internet, they should be fully secured and protected with all relevant technologies like firewalls. On the other hand, since the mobile framework uses SSL encryption for communication, and can be deployed with two-factor authentication (see below), there is less need for mobile VPNs and other mobile security frameworks.
Client-Side Content
The mobile apps do not save any content or data offline once a session is closed. While in session, the client may store query and metadata fragments. These are flushed once a session is closed. This does not include any reports exported or printed to offline files like PDF and Excel.
Credentials can optionally be saved (see below) by the applications. If they are, they are encrypted and stored in the host operating system's settings database. If the application is uninstalled, these settings are removed.
Mobile Administrative Setup
In the Administrative console, under the “Mobile” section, in the “Device Settings” tab:
Supported Clients
Check off which operating systems the mobile framework will operate on. If both boxes are unchecked, the native mobile devices will not be supported on the platform.
Mobile Device Saving Mode:
“Mobile device saving mode” controls how a user’s login credentials are saved on the device:
- Save User Name and Password: Saves the user name and password, so they do not have to be entered on every login.
- Save Only User Name: Saves the user name, and the user will have to enter their password on each login attempt.
- Don’t Save: Does not save the user’s credentials; they will have to be entered with each login.
Device Id Check
This option lets you manage which devices can or can’t log in. By default, the switch is disabled, and all devices will work with the system (pending user authentication).
To enable the option to manage logins, check “Device Id Check”. Once enabled, two additional settings are provided: “Opt Out” and “Opt In”.
Opt Out:
All devices can log in by default, and the system keeps a log of every login. Admins can then block specific devices.
Blocking a device can be done by unchecking the “Enabled” box next to the user in the list.
Opt In:
All devices are blocked by default, and the system keeps a log of every login attempt. Admins can then enable specific devices.
Allowing a device to log in can be done by checking the “Enabled” box next to the user.
Mobile Login Process
When the user clicks the "Login" button in the native app on their mobile, the mobile app will do the following:
- Check if the mobile operating system is supported.
- Check if the device ID is allowed (if the admin setting “Device Id Check” is enabled).
- Authenticate the user using their credentials.
Two Factor Authentication
An often requested feature for mobile applications is two-factor authentication. Pyramid includes this mechanism via the device ID.
The device ID check triggers a pre-check of the device itself before the user authenticates with their credentials. This double-check process, of both the device and the user’s credentials, represents a two-factor authentication model. Further, the device ID is checked before the user credentials, providing better protection against brute force attacks.
Lost Devices
If a device is lost, admins can simply go to the device listing and block the device itself from accessing the platform, regardless of the user's credentials.
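The login order, the Opt In / Opt Out defaults and the lost-device block described above can be modelled as follows. This is an added illustration, not Pyramid's code: the class, field and result names are hypothetical, the accounts and device IDs are constructed, and it assumes a device is added to the admin list the first time it is seen.

```python
import hmac
from dataclasses import dataclass, field

SUPPORTED_OS = {"ios", "android"}  # assumed names for the "Supported Clients" boxes

@dataclass
class DeviceGate:
    """Hypothetical model of the admin settings; not Pyramid's implementation."""
    device_id_check: bool = False                 # "Device Id Check" (off by default)
    mode: str = "opt_out"                         # "opt_out" or "opt_in"
    enabled: dict = field(default_factory=dict)   # device_id -> "Enabled" checkbox
    log: list = field(default_factory=list)       # one entry per login attempt
    password_checks: int = 0                      # how often step 3 was reached

    def login(self, os_name, device_id, user, password, users):
        # Step 1: is the mobile operating system supported?
        if os_name not in SUPPORTED_OS:
            return self._record(device_id, user, "unsupported_os")
        # Step 2: device ID check, only when the admin switch is on.
        if self.device_id_check:
            # First sighting (assumed): Opt Out lists it enabled, Opt In blocked.
            if not self.enabled.setdefault(device_id, self.mode == "opt_out"):
                return self._record(device_id, user, "device_blocked")
        # Step 3: credentials are verified only after both gates pass.
        self.password_checks += 1
        ok = hmac.compare_digest(users.get(user, ""), password)
        return self._record(device_id, user, "ok" if ok else "bad_credentials")

    def _record(self, device_id, user, result):
        self.log.append((device_id, user, result))
        return result

def demo():
    users = {"alice": "correct horse"}            # constructed sample account
    gate = DeviceGate(device_id_check=True, mode="opt_in")
    results = [gate.login("ios", "dev-A", "alice", "correct horse", users)]
    gate.enabled["dev-A"] = True                  # admin ticks "Enabled"
    results.append(gate.login("ios", "dev-A", "alice", "correct horse", users))
    # Password guesses from an unlisted device never reach step 3.
    for guess in ("a", "b", "c"):
        results.append(gate.login("android", "dev-X", "alice", guess, users))
    gate.enabled["dev-A"] = False                 # device reported lost: unticked
    results.append(gate.login("ios", "dev-A", "alice", "correct horse", users))
    return results, gate.password_checks, len(gate.log)

if __name__ == "__main__":
    print(demo())
```

In the demo only one of six attempts reaches the credential check, while all six appear in the log for review.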
Mobile Security Flow
This graphic explains how the security mechanism for mobile operates compared to a standard desktop browser flow.