Using configuration profiles to manage dynamic app policies
Dynamic app policies are managed on the gateway. These rules apply without having to re-secure the app, in response to events on the mobile device or to connections to the gateway. Define dynamic policies on the gateway as configuration profiles or as post-authentication policy rules:
Use configuration profiles on the gateway to define and apply policies that can dynamically modify the policies in the injectable. To configure the Browser Configuration, Diagnostics, or Secure Web Stack policies dynamically, see below. To define policy rules to respond dynamically to events on the mobile device, see Defining policy rules for client events.
Browser configuration
Configuration profiles apply policies and customize the appearance and features of the Compass Browser app.
To add policy options to a configuration profile, use this template:
% set aaa config-profile profile-name compass-browser-configuration options...To show the policy options set for a configuration profile, use the show command:
% show aaa config-profile
config-profile DEPprofile {
compass-browser-configuration {
theme-color 012345EF;
site Google {
allow-close true;
url http://www.google.com;
icon-url http://img.company.com/icon.jpg;
}
allow-bookmarks true;
allow-history true;
allow-email true;
allow-url-entry true;
allow-search true;
}
}Once you have defined a configuration profile, enable the policies for users with this command:
% set aaa post-auth-policy-match-rule 1000 action install-config-profile DEPprofile
% commitFor more information about browser profiles, see Browser Configuration in the integration platform documentation.
Diagnostics
To add policy options to a configuration profile, use this template:
% set aaa config-profile profile-name diagnostics log-classes options...You can also use configuration profiles to configure diagnostic log levels for tunneled apps:
% show aaa config-profile DEPprofile diagnostics
diagnostics {
log-classes {
keystore {
severity minor;
}
}
}Once you have defined a configuration profile, enable the policies for users with the install-config-profile command as shown above.
For more information, including the list of log classes, see the Diagnostics policy in the integration platform documentation.
Secure Web Stack
You can customize HTTP proxy details and Single Sign On configuration with the Secure Web Stack configuration profile. When configured, the secure web stack policy dynamically modifies the Secure Web Stack policy specified on the policy integration platform. See Secure Web Stack in the integration platform documentation.
| Parameter | Description |
|---|---|
| enabled | Whether secure web stack is enabled or not. Possible values: true or false. |
| proxy | Proxy configuration details. Options (see below): hostname, pac-url, port, proxy-type |
| single-sign-on | Whether to share single sign-on cookies with the app. If enable=true and the app is secured with Secure Web Stack with SSO set to 1, then the app can receive the credentials immediately following authentication. For more information about single sign-on cookies, see Configuring gateway Single Sign-On for CA Single Sign-On. |
| Proxy setting | Description |
|---|---|
| hostname | The host name of the proxy server. Note: If you are using manual proxy, you must set the host name and port parameters for the proxy server. |
| pac-url | The URL for the Proxy auto-configuration (PAC) file. |
| port | The port number of the proxy server. |
| proxy-type | Values: none, manual, or automatic. |
For example:
% set aaa config-profile test secure-web-stack proxy
% set aaa config-profile test secure-web-stack proxy proxy-type manual hostname proxy.qwe.com port 8080 show aaa config-profile
% set aaa config-profile test secure-web-stack single-sign-on enable true
% show aaa config-profile test
config-profile test {
secure-web-stack {
enabled true;
proxy {
proxy-type manual;
hostname proxy.qwe.com;
port 8080;
}
single-sign-on {
enable true;
}
}
}Once you have defined a configuration profile, enable the policies for users with the install-config-profile command as shown above.
Dynamic policy rules
Dynamic policy rules are defined and updated in configuration profiles on the gateway, but they are evaluated within the secured app. Configuration profiles (managed on the gateway) can dynamically modify the policies that were applied when the app was secured (via the integration platform). The rules in these profiles apply when certain events happen on the device.
Dynamic policy rules include these components:
- Triggers: Events that determine when the rule is evaluated.
- Conditions: Conditions that are evaluated when the rule is triggered.
- Actions: Actions to take when a triggered rule's conditions are all true.
See Defining policy rules for client events for a description of the syntax and behavior of dynamic policy rules, including several examples.