
Using configuration profiles to manage dynamic app policies

Dynamic app policies are managed on the gateway. They take effect without re-securing the app, in response to events on the mobile device or to connections to the gateway. Define dynamic policies on the gateway as configuration profiles or as post-authentication policy rules.

Use configuration profiles on the gateway to define and apply policies that can dynamically modify the policies in the injectable. To configure the Browser Configuration, Diagnostics, or Secure Web Stack policies dynamically, see the sections below. To define policy rules that respond dynamically to events on the mobile device, see Defining policy rules for client events.

Browser configuration

Configuration profiles apply policies and customize the appearance and features of the Compass Browser app.

To add policy options to a configuration profile, use this template:

BASH
% set aaa config-profile profile-name compass-browser-configuration options...

To show the policy options set for a configuration profile, use the show command:

BASH
% show aaa config-profile
config-profile DEPprofile {
  compass-browser-configuration {
   theme-color 012345EF;
   site Google {
     allow-close true;
     url http://www.google.com;
     icon-url http://img.company.com/icon.jpg;
   }
   allow-bookmarks true;
   allow-history true;
   allow-email true;
   allow-url-entry true;
   allow-search true;
  }
}

Once you have defined a configuration profile, enable the policies for users with this command:

BASH
% set aaa post-auth-policy-match-rule 1000 action install-config-profile DEPprofile 
% commit

For more information about browser profiles, see Browser Configuration in the integration platform documentation.

Diagnostics

To add policy options to a configuration profile, use this template:

BASH
% set aaa config-profile profile-name diagnostics log-classes options...

You can also use configuration profiles to configure diagnostic log levels for tunneled apps:

BASH
% show aaa config-profile DEPprofile diagnostics
diagnostics {
  log-classes {
    keystore {
      severity minor;
    }
  }
}

Once you have defined a configuration profile, enable the policies for users with the install-config-profile command as shown above.

For more information, including the list of log classes, see the Diagnostics policy in the integration platform documentation.

Secure Web Stack

You can customize HTTP proxy details and Single Sign On configuration with the Secure Web Stack configuration profile. When configured, the secure web stack policy dynamically modifies the Secure Web Stack policy specified on the policy integration platform. See Secure Web Stack in the integration platform documentation.

Parameter    Description
enabled

Whether secure web stack is enabled or not.

Possible values: true or false.

proxy

Proxy configuration details.

Options (see below): hostname, pac-url, port, proxy-type

single-sign-on

Whether to share single sign-on cookies with the app. If enable=true and the app is secured with Secure Web Stack with SSO set to 1, then the app can receive the credentials immediately following authentication.

For more information about single sign-on cookies, see Configuring gateway Single Sign-On for CA Single Sign-On.

Proxy setting    Description
hostname

The host name of the proxy server.

Note: If you are using manual proxy, you must set the host name and port parameters for the proxy server.

pac-url

The URL for the proxy auto-configuration (PAC) file.

port

The port number of the proxy server.

proxy-type

Values: none, manual, or automatic.

For example:

BASH
% set aaa config-profile test secure-web-stack proxy
% set aaa config-profile test secure-web-stack proxy proxy-type manual hostname proxy.qwe.com port 8080
% show aaa config-profile
% set aaa config-profile test secure-web-stack single-sign-on enable true
% show aaa config-profile test
config-profile test {
  secure-web-stack {
    enabled        true;
    proxy {
      proxy-type manual;
      hostname   proxy.qwe.com;
      port       8080;
    }
    single-sign-on {
      enable true;
    }
  }
}
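
Before a profile is installed, its show output can be checked against the parameter tables above. The following Python sketch is an added example, not part of the product documentation; the function names parse_profile, check_secure_web_stack and lint are hypothetical, and the sample is constructed with the port left out to exercise the manual-proxy note.

```python
SAMPLE = """\
config-profile test {
  secure-web-stack {
    enabled        true;
    proxy {
      proxy-type manual;
      hostname   proxy.qwe.com;
    }
  }
}
"""  # constructed sample: manual proxy with the port left out

def parse_profile(text):
    """Parse the brace-delimited show output into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):        # "name {" or "kind name {" opens a block
            child = stack[-1].setdefault(" ".join(line[:-1].split()), {})
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):      # "key value;" leaf statement
            key, *rest = line[:-1].rstrip().split(None, 1)
            stack[-1][key] = rest[0] if rest else ""
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def check_secure_web_stack(profile):
    """Return findings for one profile; settings that are absent are not flagged."""
    sws = profile.get("secure-web-stack", {})
    proxy = sws.get("proxy", {})
    findings = []
    if sws.get("enabled", "true") not in ("true", "false"):
        findings.append("enabled must be true or false")
    ptype = proxy.get("proxy-type", "none")
    if ptype not in ("none", "manual", "automatic"):
        findings.append(f"unknown proxy-type {ptype!r}")
    if ptype == "manual":  # the note above: manual proxy needs hostname and port
        findings += [f"manual proxy requires {k}" for k in ("hostname", "port") if k not in proxy]
    return findings

def lint(text):
    """Map each config-profile block to its list of findings."""
    return {name: check_secure_web_stack(body) for name, body in parse_profile(text).items()}
```

Calling lint(SAMPLE) reports the missing port for the block named "config-profile test"; the complete profile shown above produces no findings.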

Once you have defined a configuration profile, enable the policies for users with the install-config-profile command as shown above.

Dynamic policy rules

Dynamic policy rules are defined and updated in configuration profiles on the gateway, but they are evaluated within the secured app. Configuration profiles (managed on the gateway) can dynamically modify the policies that were applied when the app was secured (via the integration platform). The rules in these profiles apply when certain events happen on the device.

Dynamic policy rules include these components:

  • Triggers: Events that determine when the rule is evaluated.
  • Conditions: Conditions that are evaluated when the rule is triggered.
  • Actions: Actions to take when a triggered rule's conditions are all true.

See Defining policy rules for client events for a description of the syntax and behavior of dynamic policy rules, including several examples.
