Data Vault Life Cycle
If SAP Mobile Platform Server is used, an administrator can enable the password policy. If enabled, the user must satisfy each rule. If “Allow Default Password” is enabled in the password policy, the Set Passcode screen does not appear, but the user can enable the app passcode using the Change Passcode option.
Logon Manager Default Password Policy
If the password policy is disabled, or if communication is not through SAP Mobile Platform, MAFLogonManagerNG applies the default password policy. You can configure the default password policy from the MAFLogonOperationsDefaultValues.plist, located in the MAFLogonManagerNG.bundle folder of your project.
| Rule Name | Description | Default Value |
| --- | --- | --- |
| keyMAFLogonPasswordPolicyIsEnabled | Whether a password policy is provided | True |
| keyMAFLogonPasswordPolicyExpirationDays | Number of days after which the password policy expires | 0 ~ infinite |
| keyMAFLogonPasswordPolicyHasDigits | Whether the password requires one or more numeric digits | NO |
| keyMAFLogonPasswordPolicyHasLowerCaseLetters | Whether the password requires one or more lowercase letters | NO |
| keyMAFLogonPasswordPolicyHasSpecialLetters | Whether the password requires one or more special characters | NO |
| keyMAFLogonPasswordPolicyHasUpperCaseLetters | Whether the password requires one or more uppercase letters | NO |
| keyMAFLogonPasswordPolicyIsDefaultPasswordAllowed | Allows the device user to switch off the custom app passcode | YES |
| keyMAFLogonPasswordPolicyIsDefaultPasswordUsageOnByDefault | If a default password is allowed, whether the switch on the device is on by default | NO |
| keyMAFLogonPasswordPolicyLockTimeout | Length of time, in seconds, after which the secure store is locked | 0 ~ infinite |
| keyMAFLogonPasswordPolicyMinLength | Minimum length of the password | 8 |
| keyMAFLogonPasswordPolicyMinUniqueChars | Minimum number of unique characters in the password | 0 ~ none |
| keyMAFLogonPasswordPolicyRetryLimit | Maximum number of retries before the secure store is erased | 0 ~ infinite |
| keyMAFLogonPasswordPolicyIsFingerprintAllowed | Whether the built-in fingerprint reader may be used | True |
Creating the Data Vault
The data vault is created after a successful registration. If device users are allowed to do so, they can switch off the data vault passcode. Even if the user does not specify a passcode, the data is secured with a default data vault passcode.
Protecting the Data Vault
If the data vault is locked with a custom passcode, the logon UI presents an Unlock screen. Users can unlock the data vault with the passcode they have set. If the user provides a wrong passcode multiple times, the data vault deletes itself. The maximum number of attempts is a data vault property that you set in the password policy (keyMAFLogonPasswordPolicyRetryLimit).
Setting a Data Vault Timeout
You can set the data vault timeout in the password policy. MAFLogonManagerNG downloads it from the SAP Mobile Platform Server during registration.
When device users forget their passcodes, they can tap the Forgot passcode button on the Unlock screen, which erases all client-side data.
If there is an SAP Mobile Platform Server in the landscape, tapping the Forgot passcode button deletes both the client- and server-side registrations. This works only when the device is connected to a network where the SAP Mobile Platform Server is reachable. Otherwise, an administrator must manually remove the server-side registration.
Updating Data Vault Properties
MAFLogonManagerNG does not currently support policy changes. That is, if the password policy is changed on SAP Mobile Platform Server after a device user registers, MAFLogonManagerNG does not download and apply the new policy.
```objectivec
#define kErrorDomainMAFSecureStoreManager @"MAFSecureStoreManagerErrorDomain"
#define keyMAFSecureStoreManagerErrorDescriptionParameters @"errorDescriptionParameters"
#define keyMAFSecureStoreManagerErrorExceptionName @"exceptionName"
#define keyMAFSecureStoreManagerErrorExceptionReason @"exceptionReason"

#define errMAFSecureStoreManagerErrorUnknown 0
#define errMAFSecureStoreManagerErrorAlreadyExists 1
#define errMAFSecureStoreManagerErrorDataTypeError 2
#define errMAFSecureStoreManagerErrorDoesNotExist 3
#define errMAFSecureStoreManagerErrorInvalidArg 4
#define errMAFSecureStoreManagerErrorInvalidPassword 5
#define errMAFSecureStoreManagerErrorLocked 6
#define errMAFSecureStoreManagerErrorOutOfMemory 7
#define errMAFSecureStoreManagerErrorPasswordExpired 8
#define errMAFSecureStoreManagerErrorPasswordRequired 9
#define errMAFSecureStoreManagerErrorPasswordRequiresDigit 10
#define errMAFSecureStoreManagerErrorPasswordRequiresLower 11
#define errMAFSecureStoreManagerErrorPasswordRequiresSpecial 12
#define errMAFSecureStoreManagerErrorPasswordRequiresUpper 13
#define errMAFSecureStoreManagerErrorPasswordUnderMinLength 14
#define errMAFSecureStoreManagerErrorPasswordUnderMinUniqueChars 15
```
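The following C example, added here and not taken from the MAF Logon Manager code, shows how the content rules of the password policy table map onto the errMAFSecureStoreManagerError* codes above. The MAFPasswordPolicy struct, the MAF_PASSCODE_OK sentinel, the order in which the rules are checked, and the definition of a "special" character as any non-alphanumeric byte are this example's own assumptions; only the key names, the defaults and the error code values come from the page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Error codes as defined in the MAFSecureStoreManager header on this page. */
#define errMAFSecureStoreManagerErrorInvalidArg 4
#define errMAFSecureStoreManagerErrorPasswordRequiresDigit 10
#define errMAFSecureStoreManagerErrorPasswordRequiresLower 11
#define errMAFSecureStoreManagerErrorPasswordRequiresSpecial 12
#define errMAFSecureStoreManagerErrorPasswordRequiresUpper 13
#define errMAFSecureStoreManagerErrorPasswordUnderMinLength 14
#define errMAFSecureStoreManagerErrorPasswordUnderMinUniqueChars 15

/* Constructed sentinel for "passcode accepted"; not one of the page's codes. */
#define MAF_PASSCODE_OK (-1)

/* Assumed struct mirroring the keyMAFLogonPasswordPolicy* rules that
 * constrain passcode content (expiry, timeout and retry limit are lifecycle
 * settings and are not checked here). */
typedef struct {
    bool isEnabled;           /* keyMAFLogonPasswordPolicyIsEnabled */
    bool hasDigits;           /* keyMAFLogonPasswordPolicyHasDigits */
    bool hasLowerCaseLetters; /* keyMAFLogonPasswordPolicyHasLowerCaseLetters */
    bool hasUpperCaseLetters; /* keyMAFLogonPasswordPolicyHasUpperCaseLetters */
    bool hasSpecialLetters;   /* keyMAFLogonPasswordPolicyHasSpecialLetters */
    int  minLength;           /* keyMAFLogonPasswordPolicyMinLength */
    int  minUniqueChars;      /* keyMAFLogonPasswordPolicyMinUniqueChars */
} MAFPasswordPolicy;

/* Defaults from the table: only the 8-character minimum is enforced. */
static const MAFPasswordPolicy kMAFDefaultPolicy  = { true,  false, false, false, false, 8, 0 };
/* A constructed stricter policy an administrator might push from the server. */
static const MAFPasswordPolicy kMAFStrictPolicy   = { true,  true,  true,  true,  true,  8, 6 };
/* Policy switched off entirely (keyMAFLogonPasswordPolicyIsEnabled = NO). */
static const MAFPasswordPolicy kMAFDisabledPolicy = { false, false, false, false, false, 0, 0 };

/* Number of distinct byte values in the passcode. */
static int maf_count_unique_chars(const char *s) {
    bool seen[256] = { false };
    int n = 0;
    for (; *s != '\0'; ++s) {
        unsigned char c = (unsigned char)*s;
        if (!seen[c]) { seen[c] = true; ++n; }
    }
    return n;
}

/* Returns MAF_PASSCODE_OK or the first errMAFSecureStoreManagerError* code
 * the passcode violates. The check order (length, digit, lower, upper,
 * special, unique) is this example's choice, not documented MAF behaviour. */
int maf_validate_passcode(const MAFPasswordPolicy *policy, const char *passcode) {
    if (policy == NULL || passcode == NULL) return errMAFSecureStoreManagerErrorInvalidArg;
    if (!policy->isEnabled) return MAF_PASSCODE_OK;

    bool digit = false, lower = false, upper = false, special = false;
    size_t len = strlen(passcode);
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = (unsigned char)passcode[i];
        if (isdigit(c))      digit = true;
        else if (islower(c)) lower = true;
        else if (isupper(c)) upper = true;
        else                 special = true; /* assumption: any other byte is "special" */
    }

    if ((int)len < policy->minLength)            return errMAFSecureStoreManagerErrorPasswordUnderMinLength;
    if (policy->hasDigits && !digit)             return errMAFSecureStoreManagerErrorPasswordRequiresDigit;
    if (policy->hasLowerCaseLetters && !lower)   return errMAFSecureStoreManagerErrorPasswordRequiresLower;
    if (policy->hasUpperCaseLetters && !upper)   return errMAFSecureStoreManagerErrorPasswordRequiresUpper;
    if (policy->hasSpecialLetters && !special)   return errMAFSecureStoreManagerErrorPasswordRequiresSpecial;
    if (maf_count_unique_chars(passcode) < policy->minUniqueChars)
        return errMAFSecureStoreManagerErrorPasswordUnderMinUniqueChars;
    return MAF_PASSCODE_OK;
}

int main(void) {
    /* Constructed sample passcodes; each line prints the code the strict policy returns. */
    const char *samples[] = { "abcdefgh", "Abcdefg1", "Abcdefg1!", "Aaaaaa1!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-12s -> %d\n", samples[i], maf_validate_passcode(&kMAFStrictPolicy, samples[i]));
    return 0;
}
```

A useful consequence of the table is visible here: with the shipped defaults a passcode of eight repeated characters passes, so an administrator who wants the digit, case and unique-character rules must enable them explicitly in the server-side policy or in MAFLogonOperationsDefaultValues.plist.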
Handling Timeout with MAF Logon Components
- The MAF Logon component keeps the secure store open while the application is in the foreground. This prevents data request failures that would occur if the application could not read the necessary sensitive information (such as user name and password) from the Secure Store.
- When the application is sent to the background, MAF sets the secure store lock timeout to a specified value. When the application is brought to the foreground again, the secure store can be either open or closed, depending on the amount of time the application spent in the background.
When the Secure Store is closed and the application calls the logonManager logon API, MAF presents the MAF Logon UI and the user can unlock the Secure Store with the app passcode provided at registration time.
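The lifecycle described in the sections above (created unlocked after registration, locked when the lock timeout elapses in the background, erased after too many wrong passcodes or on Forgot passcode) can be modelled as a small state machine. The C code below is an added example, not part of MAF Logon Manager; the MAFVault struct, the MAF_VAULT_OK sentinel, the reading of retry limit 0 as "no limit", and the choice to report errMAFSecureStoreManagerErrorDoesNotExist once the vault has erased itself are assumptions. It also keeps the passcode in memory purely to model the comparison, which a real vault would never do.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Error codes from the MAFSecureStoreManager header on this page. */
#define errMAFSecureStoreManagerErrorDoesNotExist 3
#define errMAFSecureStoreManagerErrorInvalidArg 4
#define errMAFSecureStoreManagerErrorInvalidPassword 5

#define MAF_VAULT_OK (-1) /* constructed success sentinel */

typedef enum { MAF_VAULT_UNLOCKED, MAF_VAULT_LOCKED, MAF_VAULT_ERASED } MAFVaultState;

/* Assumed model of one data vault and the two lifecycle-related policy values. */
typedef struct {
    MAFVaultState state;
    int  retryLimit;      /* keyMAFLogonPasswordPolicyRetryLimit; assumption: 0 = no limit */
    int  lockTimeoutSecs; /* keyMAFLogonPasswordPolicyLockTimeout; 0 = lock as soon as backgrounded */
    int  failedAttempts;  /* consecutive wrong passcodes since the last unlock */
    long backgroundedAt;  /* seconds; -1 while the app is in the foreground */
    char passcode[64];    /* model only: a real vault derives a key and never stores the passcode */
} MAFVault;

/* Overwrite secrets through a volatile pointer so the compiler cannot drop the write. */
static void maf_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static void maf_vault_erase(MAFVault *v) {
    maf_wipe(v->passcode, sizeof v->passcode);
    v->failedAttempts = 0;
    v->state = MAF_VAULT_ERASED;
}

/* The vault is created unlocked right after a successful registration. */
int maf_vault_create(MAFVault *v, int retryLimit, int lockTimeoutSecs, const char *passcode) {
    if (v == NULL || passcode == NULL || strlen(passcode) >= sizeof v->passcode)
        return errMAFSecureStoreManagerErrorInvalidArg;
    memset(v, 0, sizeof *v);
    v->state = MAF_VAULT_UNLOCKED;
    v->retryLimit = retryLimit;
    v->lockTimeoutSecs = lockTimeoutSecs;
    v->backgroundedAt = -1;
    strcpy(v->passcode, passcode);
    return MAF_VAULT_OK;
}

/* Record when the app left the foreground; the timeout is evaluated on return. */
void maf_vault_did_enter_background(MAFVault *v, long now) { v->backgroundedAt = now; }

/* On return to the foreground the vault is locked if it spent at least
 * lockTimeoutSecs in the background; with a timeout of 0 it is always locked. */
MAFVaultState maf_vault_will_enter_foreground(MAFVault *v, long now) {
    if (v->state == MAF_VAULT_UNLOCKED && v->backgroundedAt >= 0 &&
        now - v->backgroundedAt >= v->lockTimeoutSecs)
        v->state = MAF_VAULT_LOCKED;
    v->backgroundedAt = -1;
    return v->state;
}

/* One unlock attempt from the Unlock screen. After retryLimit consecutive
 * failures the vault erases itself, as the page describes. */
int maf_vault_unlock(MAFVault *v, const char *attempt) {
    if (v == NULL || attempt == NULL) return errMAFSecureStoreManagerErrorInvalidArg;
    if (v->state == MAF_VAULT_ERASED) return errMAFSecureStoreManagerErrorDoesNotExist;
    if (v->state == MAF_VAULT_UNLOCKED) return MAF_VAULT_OK;
    if (strcmp(v->passcode, attempt) == 0) { /* model only; real code compares derived keys */
        v->state = MAF_VAULT_UNLOCKED;
        v->failedAttempts = 0;
        return MAF_VAULT_OK;
    }
    v->failedAttempts++;
    if (v->retryLimit > 0 && v->failedAttempts >= v->retryLimit) {
        maf_vault_erase(v);
        return errMAFSecureStoreManagerErrorDoesNotExist; /* assumption, see lead-in */
    }
    return errMAFSecureStoreManagerErrorInvalidPassword;
}

/* "Forgot passcode" erases all client-side data regardless of the retry count. */
void maf_vault_forgot_passcode(MAFVault *v) { maf_vault_erase(v); }

int main(void) {
    MAFVault v;
    maf_vault_create(&v, 3, 10, "Secret#1"); /* constructed passcode and policy values */
    maf_vault_did_enter_background(&v, 100);
    printf("after 5 s in background: state %d\n", maf_vault_will_enter_foreground(&v, 105));
    maf_vault_did_enter_background(&v, 200);
    printf("after 10 s in background: state %d\n", maf_vault_will_enter_foreground(&v, 210));
    for (int i = 0; i < 3; ++i)
        printf("wrong attempt %d -> %d, state %d\n", i + 1, maf_vault_unlock(&v, "nope"), v.state);
    return 0;
}
```

The model makes the interaction between the two policy values concrete: the lock timeout only decides whether the Unlock screen appears at all, while the retry limit decides how many wrong answers that screen tolerates before the client-side data is gone. Note also that the failed-attempt counter survives a foreground/background cycle, so it cannot be reset by simply relaunching the app.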
The system administrator can have the user specify a custom app passcode, or can allow the user to switch off the passcode functionality. If the user switches off this functionality, the Secure Store is protected with the default password provided by the underlying component. The system administrator can specify this behavior per application or per connection type by adjusting the SAP Mobile Platform Server-side password policy. If no server-side policy applies, the default password policy is used:
- The password must be at least 8 characters long, regardless of the type of characters.
- The user can switch off the app passcode.
- The secure store locks immediately when the application is sent to the background.