Data Vault Life Cycle

If SAP Mobile Platform Server is used, an administrator can enable the password policy. If enabled, the user must satisfy each rule. If “Allow Default Password” is enabled in the password policy, the Set Passcode screen does not appear, but the user can enable the app passcode using the Change Passcode option.

Logon Manager Default Password Policy

If the password policy is disabled, or if communication is not through SAP Mobile Platform, MAFLogonManagerNG applies the default password policy. You can configure the default password policy from the MAFLogonOperationsDefaultValues.plist, located in the MAFLogonManagerNG.bundle folder of your project.

Table 1: Default Password Policy Rules

Rule Name | Description | Default Value
keyMAFLogonPasswordPolicyIsEnabled | Whether a password policy is provided | True
keyMAFLogonPasswordPolicyExpirationDays | Number of days after which the password expires | 0 (no expiration)
keyMAFLogonPasswordPolicyHasDigits | Whether the password requires one or more numeric digits | NO
keyMAFLogonPasswordPolicyHasLowerCaseLetters | Whether the password requires one or more lowercase letters | NO
keyMAFLogonPasswordPolicyHasSpecialLetters | Whether the password requires one or more special characters | NO
keyMAFLogonPasswordPolicyHasUpperCaseLetters | Whether the password requires one or more uppercase letters | NO
keyMAFLogonPasswordPolicyIsDefaultPasswordAllowed | Allows the device user to switch off the custom app passcode | YES
keyMAFLogonPasswordPolicyIsDefaultPasswordUsageOnByDefault | If a default password is allowed, whether the switch on the device is on by default | NO
keyMAFLogonPasswordPolicyLockTimeout | Length of time, in seconds, after which the secure store is locked | 0 (never)
keyMAFLogonPasswordPolicyMinLength | Minimum length of the password | 8
keyMAFLogonPasswordPolicyMinUniqueChars | Minimum number of unique characters in the password | 0 (none)
keyMAFLogonPasswordPolicyRetryLimit | Maximum number of retries before the secure store is erased | 0 (unlimited)
keyMAFLogonPasswordPolicyIsFingerprintAllowed | Whether the built-in fingerprint reader sensor may be used | True

Creating the Data Vault

The data vault is created after a successful registration. If device users are allowed to do so, they can switch off the data vault passcode. Even if the user does not specify a passcode, the data is still secured with a default data vault passcode.

Protecting the Data Vault

If the data vault is locked with a custom passcode, the logon UI presents an Unlock screen. Users unlock the data vault with the passcode they have set. If the user enters a wrong passcode too many times, the data vault deletes itself. The maximum number of attempts is a data vault property (keyMAFLogonPasswordPolicyRetryLimit) that you set in the password policy.

Setting a Data Vault Timeout

You can set the data vault timeout in the password policy. MAFLogonManagerNG downloads it from the SAP Mobile Platform Server during registration.

Forgotten Passcode

When device users forget their passcodes, they can tap the Forgot passcode button on the Unlock screen, which erases all client-side data.

If there is an SAP Mobile Platform Server in the landscape, tapping the Forgot passcode button deletes both the client- and server-side registrations. This works only when the device is connected to a network where the SAP Mobile Platform Server is reachable. Otherwise, an administrator must manually remove the server-side registration.

Updating Data Vault Properties

MAFLogonManagerNG does not currently support policy changes. That is, if the password policy is changed on SAP Mobile Platform Server after a device user registers, MAFLogonManagerNG does not download and apply the new policy.

Error Messages

Data vault creation has a set of error codes and error messages that MAFLogonManagerNG can report. You can find the error codes and messages in the MAFSecureStoreManagerErrors.h file.

#define kErrorDomainMAFSecureStoreManager   @"MAFSecureStoreManagerErrorDomain"

#define keyMAFSecureStoreManagerErrorDescriptionParameters       @"errorDescriptionParameters"
#define keyMAFSecureStoreManagerErrorExceptionName               @"exceptionName"
#define keyMAFSecureStoreManagerErrorExceptionReason             @"exceptionReason"

#define errMAFSecureStoreManagerErrorUnknown                        0
#define errMAFSecureStoreManagerErrorAlreadyExists                  1
#define errMAFSecureStoreManagerErrorDataTypeError                  2
#define errMAFSecureStoreManagerErrorDoesNotExist                   3
#define errMAFSecureStoreManagerErrorInvalidArg                     4
#define errMAFSecureStoreManagerErrorInvalidPassword                5
#define errMAFSecureStoreManagerErrorLocked                         6
#define errMAFSecureStoreManagerErrorOutOfMemory                    7
#define errMAFSecureStoreManagerErrorPasswordExpired                8
#define errMAFSecureStoreManagerErrorPasswordRequired               9
#define errMAFSecureStoreManagerErrorPasswordRequiresDigit          10
#define errMAFSecureStoreManagerErrorPasswordRequiresLower          11
#define errMAFSecureStoreManagerErrorPasswordRequiresSpecial        12
#define errMAFSecureStoreManagerErrorPasswordRequiresUpper          13
#define errMAFSecureStoreManagerErrorPasswordUnderMinLength         14
#define errMAFSecureStoreManagerErrorPasswordUnderMinUniqueChars    15
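The following is an added example (not SAP code) that ties Table 1 to the error codes above: it checks a candidate passcode against the keyMAFLogonPasswordPolicy* rules and returns the first violated rule as the matching errMAFSecureStoreManagerError* value. The check order, the treatment of any non-alphanumeric character as "special", and the sample policies are assumptions made for this example.

```python
# Error codes copied from MAFSecureStoreManagerErrors.h (see listing above).
ERR_INVALID_ARG = 4
ERR_PASSWORD_REQUIRED = 9
ERR_PASSWORD_REQUIRES_DIGIT = 10
ERR_PASSWORD_REQUIRES_LOWER = 11
ERR_PASSWORD_REQUIRES_SPECIAL = 12
ERR_PASSWORD_REQUIRES_UPPER = 13
ERR_PASSWORD_UNDER_MIN_LENGTH = 14
ERR_PASSWORD_UNDER_MIN_UNIQUE_CHARS = 15

# Default values from Table 1 (the plist defaults); keys are the plist key names.
DEFAULT_POLICY = {
    "keyMAFLogonPasswordPolicyIsEnabled": True,
    "keyMAFLogonPasswordPolicyHasDigits": False,
    "keyMAFLogonPasswordPolicyHasLowerCaseLetters": False,
    "keyMAFLogonPasswordPolicyHasSpecialLetters": False,
    "keyMAFLogonPasswordPolicyHasUpperCaseLetters": False,
    "keyMAFLogonPasswordPolicyMinLength": 8,
    "keyMAFLogonPasswordPolicyMinUniqueChars": 0,
}


def check_passcode(passcode, policy=None):
    """Return None if the passcode satisfies the policy, else the error code
    of the first rule it violates (check order is an assumption of this example)."""
    p = dict(DEFAULT_POLICY, **(policy or {}))  # server policy overrides defaults
    if not isinstance(passcode, str):
        return ERR_INVALID_ARG
    if not p["keyMAFLogonPasswordPolicyIsEnabled"]:
        return None  # no policy in force: nothing to enforce
    if passcode == "":
        return ERR_PASSWORD_REQUIRED
    if len(passcode) < p["keyMAFLogonPasswordPolicyMinLength"]:
        return ERR_PASSWORD_UNDER_MIN_LENGTH
    if len(set(passcode)) < p["keyMAFLogonPasswordPolicyMinUniqueChars"]:
        return ERR_PASSWORD_UNDER_MIN_UNIQUE_CHARS
    # Character-class rules: each is checked only when the policy switches it on.
    checks = [
        ("keyMAFLogonPasswordPolicyHasDigits", str.isdigit, ERR_PASSWORD_REQUIRES_DIGIT),
        ("keyMAFLogonPasswordPolicyHasLowerCaseLetters", str.islower, ERR_PASSWORD_REQUIRES_LOWER),
        ("keyMAFLogonPasswordPolicyHasSpecialLetters",
         lambda c: not c.isalnum(), ERR_PASSWORD_REQUIRES_SPECIAL),  # assumption: non-alphanumeric
        ("keyMAFLogonPasswordPolicyHasUpperCaseLetters", str.isupper, ERR_PASSWORD_REQUIRES_UPPER),
    ]
    for key, predicate, err in checks:
        if p[key] and not any(predicate(c) for c in passcode):
            return err
    return None
```

A server-side policy downloaded at registration would be passed as the `policy` argument; with no override the defaults in Table 1 apply, so only the 8-character minimum is enforced.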

Handling Timeout with MAF Logon Components

MAF manages the secure store lock timeout in the following ways:
  • It keeps the secure store open while the application is in the foreground. This prevents data request failures that would otherwise occur because the application cannot read the necessary sensitive information (such as user name and password) from the Secure Store.
  • When the application is sent to the background, MAF starts the secure store lock timeout with the configured value. When the application is brought to the foreground again, the secure store is either still open or already locked, depending on how long the application spent in the background.

When the Secure Store is closed and the application calls the logonManager logon API, MAF presents the MAF Logon UI and the user can unlock the Secure Store with the app passcode provided at registration time.

The system administrator can have the user specify a custom app passcode, or can allow the user to switch off the passcode functionality. If the user switches off this functionality, the Secure Store is protected with the default password provided by the underlying component. The system administrator can specify this behavior per application or per connection type by adjusting the SAP Mobile Platform Server-side password policy.

If the password policy is not set on the server, the default password policy is enforced:
  • The password must be at least 8 characters long, regardless of the type of characters.
  • The user can switch off the app passcode.
  • The secure store locks immediately when the application is sent to the background.