Securing apps with the console
To apply Blue Cedar security to apps, configure the options in security policies, then apply the policies to the app. In general, you can set default values for policy options as policy profiles, then choose a policy profile when securing each app.
A policy profile is a collection of settings that are applied with a policy. For example, when you apply the Secure Microtunnel policy to an app, you choose a Secure Microtunnel profile that specifies the server, protocol, authentication method and other settings used by the app’s VPN. See the description for each policy to learn about the profile options.
A master policy profile is a collection of policy profiles. This provides a streamlined way to secure multiple apps within your organization with the same policies. See Master policy profiles.
A signing profile is a collection of code-signing information, used to certify that the app is provided by a trusted source. This code-signing information is specific to Android or iOS. See Signing Blue Cedar secured apps.
Blue Cedar policies include:
- App Customization: Allows you to customize the user interface of the Blue Cedar-related screens that device users see. These screens include the enrollment screens shown when a user first enrolls a certificate from Blue Cedar-protected apps to the gateway, and the authentication screens shown when a user sets up or enters a local app authentication passcode. You can also translate or customize the strings that are displayed to device users.
- Browser Configuration: The policy console includes a special browser app, the Compass Browser. When the Secure Microtunnel policy is applied to Compass, it automatically logs a user in to the gateway to securely access any websites that your organization permits. The Browser Configuration policy allows you to specify websites for the user to access and add other restrictions. You can customize the user interface of the browser (including colors and icons) in a browser profile.
- Client Certificates: Blue Cedar obtains a client certificate as part of the enrollment process. This client certificate can be presented to web servers to streamline the user's experience. The Client Certificates policy allows you to define which sites are presented with Client Certificates and which sites are not.
- DAR Encrypted Data at Rest: Protects app data that is saved on the mobile device.
- Data Sharing: Data Sharing protection allows you to constrain what kind of data users can share between apps: copying and pasting between a protected app and another app, opening links and content in preferred external apps, and allowing apps to share a common passphrase, enrollment, and data-at-rest key.
- Integrity and Posture: The Device Posture policy allows you to configure device-level settings on a per-app basis. Depending on these settings, the secured app checks the device settings before launching the app. Device Posture settings include device version, device screen lock, and jailbreak/rooting detection.
- Diagnostics: Administrators can configure device logging on a per-app basis.
- FIPS 140-2 module: When the FIPS 140-2 module is enabled, the module performs a series of self-tests to validate the supported cryptographic algorithms.
- Local App Authentication: Requires the user to authenticate to an app using a local app passcode (PIN, passphrase, or fingerprint). You can configure the parameters of the passcode and the requirements for re-authentication.
- Secure Microtunnel: Establishes a secure microtunnel for individual mobile apps, using the Blue Cedar Enterprise infrastructure to secure the device's data in transit. Only the secured app has access to the connection, preventing rogue or malicious apps from accessing or performing reconnaissance on corporate networks.
- Secure Web Stack: Administrators can configure secured apps to integrate with your enterprise proxy infrastructure, using manual (single host) proxy or PAC URLs. You can also enable Single Sign-On so that your app can retrieve single sign-on cookies from the gateway.
- Trusted Server Certificates: The Trusted Server Certificates policy allows you to configure certification trust settings on a per-app basis.
The following sections describe the tasks available in the policy console to apply policies to apps, configure policy options, and deploy the secured apps. The details of the policies are described in Blue Cedar security policies.