Mobile Device Management (MDM)/Mobile Application Management (MAM)

Mobile Device Management (MDM)/Mobile Application Management (MAM) lets administrators control, secure, and enforce policies on smart mobile devices. In Laserfiche, administrators can use MDM/MAM to remotely configure specific Laserfiche app and certificate settings on Android and iOS devices.

App and Certificate Settings

Administrators can define the following app values and certificate settings and distribute them to users' devices:

App Values

  • Mobile server URL
  • Repository
  • Forms server
  • Organization (if using Laserfiche Directory Server)
  • Username
  • Upload using Wi-Fi only: If set to true, users will always upload documents using Wi-Fi and will not be able to disable the Upload using Wi-Fi only option in the app.
  • Use Document mode: If set to true, Document mode will always be used and documents will always be auto-cropped when taking photos to upload to the repository.
  • Upload as grayscale: If set to true, images uploaded to the repository or as a Forms attachment will always be captured and uploaded in grayscale only.

Certificate Settings

  • Self-signed certificate - This option controls whether users can connect to servers using SSL with self-signed certificates. Certificate pinning must be disabled for this option to function properly.
  • Certificate pinning - If you do not want users to connect using self-signed certificates, you can configure this option so users can only connect if the certificate they are using is in the certificate pinset.
  • Certificate pinning set - If using certificate pinning, you can define the certificate thumbprints in this section.

Server Configuration

When the app is downloaded from an app store, the default certificate settings allow connections to servers with self-signed certificates and leave certificate pinning disabled. To change this configuration, an administrator can set Allow self-signed certificate to False (or clear the checkbox in iOS) and set Use certificate pinning to True (or select the checkbox in iOS). These certificate settings apply when connecting to any server (Forms server, Mobile server, Laserfiche Directory Server, etc.).

To secure your servers with SSL and set up an MDM profile to use certificate pinning so users connect securely:

  1. Install and set up your desired servers (Laserfiche Mobile server, Forms server, Laserfiche Directory Server, etc.).
  2. Enable SSL for each server and add certificates for them.
  3. Enable certificate pinning in MDM and add the thumbprints of the servers to the certificate pinset (see details in the iOS Configuration and Android Configuration sections below).
  4. When users use the managed Laserfiche app to connect to the servers, the app will not allow a connection if the server's certificate thumbprint is not in the pinset.

iOS Configuration

  1. In the MDM software of your choice, add the Laserfiche app as an iTunes App Store app.
  2. Copy and paste this code to create an XML file.

    <?xml version="1.0" encoding="UTF-8"?>
    <managedAppConfiguration>
    <version>10</version>
    <bundleId>com.laserfiche.lfmobile</bundleId>
    <dict>
    <string keyName="mobile_server_url">
    </string>
    <string keyName="repo_name">
    </string>
    <string keyName="forms_server_name">
    </string>
    <string keyName="lfds_organization">
    </string>
    <string keyName="username">
    <defaultValue>
    <userVariable value="username"/>
    </defaultValue>
    </string>
    <boolean keyName="allow_self_signed_cert">
    <defaultValue>
    <value>true</value>
    </defaultValue>
    </boolean>
    <boolean keyName="use_cert_pinning">
    <defaultValue>
    <value>false</value>
    </defaultValue>
    </boolean>
    <stringArray keyName="pinning_cert_list">
    </stringArray>
    </dict>
    <presentation defaultLocale="english">
    <field keyName="mobile_server_url" type="input">
    <label>
    <language value="eng">Mobile server url</language>
    </label>
    <description>
    <language value="eng">Mobile server URL</language>
    </description>
    </field>
    <field keyName="repo_name" type="input">
    <label>
    <language value="eng">Repository name</language>
    </label>
    <description>
    <language value="eng">Repository name</language>
    </description>
    </field>
    <field keyName="forms_server_name" type="input">
    <label>
    <language value="eng">Forms server name</language>
    </label>
    <description>
    <language value="eng">Forms server name</language>
    </description>
    </field>
    <field keyName="lfds_organization" type="input">
    <label>
    <language value="eng">LFDS Organization</language>
    </label>
    <description>
    <language value="eng">LFDS Organization</language>
    </description>
    </field>
    <field keyName="username" type="input">
    <label>
    <language value="eng">Username</language>
    </label>
    <description>
    <language value="eng">Username</language>
    </description>
    </field>
    <field keyName="allow_self_signed_cert" type="checkbox">
    <label>
    <language value="eng">Allow self-signed certificate</language>
    </label>
    <description>
    <language value="eng">Allow Laserfiche app to connect to servers with self-signed certificates when using https</language>
    </description>
    </field>
    <field keyName="use_cert_pinning" type="checkbox">
    <label>
    <language value="eng">Use certificate pinning</language>
    </label>
    <description>
    <language value="eng">Allow Laserfiche app to connect to servers with certificates whose thumbprints are in the list below when using https</language>
    </description>
    </field>
    <field keyName="pinning_cert_list" type="input">
    <label>
    <language value="eng">Certificate pinning set</language>
    </label>
    <description>
    <language value="eng">Certificate thumbprints pinning set</language>
    </description>
    </field>
    <field keyName="upload_by_wifi" type="checkbox">
    <label>
    <language value="eng">Upload using Wi-Fi only</language>
    </label>
    <description>
    <language value="eng">Require users to only use Wi-Fi when uploading documents</language>
    </description>
    </field>
    <field keyName="auto_crop" type="checkbox">
    <label>
    <language value="eng">Use Document mode</language>
    </label>
    <description>
    <language value="eng">Require users to always crop documents using Document mode when taking photos</language>
    </description>
    </field>
    <field keyName="gray_scale" type="checkbox">
    <label>
    <language value="eng">Upload as grayscale</language>
    </label>
    <description>
    <language value="eng">Require users to always upload documents and Forms attachments as grayscale images</language>
    </description>
    </field>
    </presentation>
    <license>
    </license>
    </managedAppConfiguration>

  3. Upload the XML file to the MDM software. Once uploaded, the app and certificate settings will be displayed for you to modify. For example, when using IBM MaaS360, a dialog box where you can edit the app values and certificate settings will be created.

    Note: You can add the app values and configure the certificate settings directly in the XML file if desired.

  4. Once the app values and certificate settings are configured, distribute the app to users' devices.
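
A check an administrator could run on the XML before uploading it, added here as an example (it is not Laserfiche code): it reads the three certificate keys from the <dict> section and reports combinations that conflict with the rules on this page. The function names and finding codes are hypothetical, and reading pinset entries from <value> elements is an assumption modeled on how the boolean keys above store their values.

```python
import xml.etree.ElementTree as ET

# Constructed input: the certificate part of the page's <dict> section, with
# pinning switched on while the pinset is empty and self-signed is still allowed.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<managedAppConfiguration>
<bundleId>com.laserfiche.lfmobile</bundleId>
<dict>
<boolean keyName="allow_self_signed_cert">
<defaultValue><value>true</value></defaultValue>
</boolean>
<boolean keyName="use_cert_pinning">
<defaultValue><value>true</value></defaultValue>
</boolean>
<stringArray keyName="pinning_cert_list">
</stringArray>
</dict>
</managedAppConfiguration>"""

def read_settings(xml_text):
    """Collect the <value> entries of every key in <dict>, keyed by keyName."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    section = root.find("dict")
    found = {}
    for node in (list(section) if section is not None else []):
        # Assumption: stringArray entries use <value> like the boolean keys do.
        found[node.get("keyName")] = [
            v.text.strip() for v in node.iter("value") if v.text and v.text.strip()]
    def flag(key, default):
        # A key with no value falls back to the store default the page describes.
        vals = found.get(key)
        return vals[0].lower() == "true" if vals else default
    return {"self_signed": flag("allow_self_signed_cert", True),
            "pinning": flag("use_cert_pinning", False),
            "pinset": found.get("pinning_cert_list", [])}

def lint(xml_text):
    """Return findings for certificate settings that conflict with the page's rules."""
    s, out = read_settings(xml_text), []
    if s["pinning"] and not s["pinset"]:
        out.append("PIN_EMPTY: pinning is on but no thumbprint is listed, "
                   "so no server certificate can match")
    if s["pinning"] and s["self_signed"]:
        out.append("PIN_AND_SELF_SIGNED: both options are on; the self-signed "
                   "option only functions with pinning disabled")
    if not s["pinning"] and s["self_signed"]:
        out.append("STORE_DEFAULT: self-signed certificates accepted, no pinning")
    if not s["pinning"] and s["pinset"]:
        out.append("PINSET_UNUSED: thumbprints listed but pinning is off")
    return out
```

Calling lint(SAMPLE) returns the findings as a list of strings; an empty list means the certificate settings are consistent with each other.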

Android Configuration

  1. In the MDM software of your choice, add the Laserfiche app as a Google Play store app.
  2. Once added, the app and certificate settings will be displayed for you to modify. For example, when using IBM MaaS360, a dialog box where you can edit the app values and certificate settings will be created.
  3. Once the app values and certificate settings are configured, distribute the app to users' devices.

For more information on configuring and distributing MDM profiles, view your MDM software documentation.

Devices

Depending on the MDM software used, administrators typically send users an enrollment email to enroll in MDM. Once enrolled, the app (along with its settings) is installed on the user's device. Any changes to the MDM configuration will automatically be updated in the app.

The values defined will be automatically populated for the user when signing into the app. If the user replaces the default values with new values, the new values will be remembered the next time the user signs in. The MDM software will ensure the predefined repository, Forms server, and organization connect successfully with the Mobile server or Laserfiche Directory Server defined. The username value in the code is defined for you. This value will be converted to a %username% token in the MDM software and automatically populated on the app sign-in page with the username registered to the device. This is useful for those using Windows authentication. However, you can also replace this token with a specific username you want a user to sign in with.

When connecting to a secure server using SSL, the Laserfiche app will retrieve the server's certificate from the https callback and compare it to the MDM app configuration.

  • If the certificate settings have not been configured in MDM, the app will function as if it were not being managed by MDM.
  • If the certificate settings have been configured to use self-signed certificates, the user will be able to connect if the server is using a self-signed certificate.
  • If the certificate settings have been configured to use certificate pinning, the user can only connect if the server's certificate is in the certificate pinset. The user will be able to connect to the server with their self-signed certificate only if it is in the pinset.