
Device Compliance

Introduction

SAP BTP SDK for iOS v9.2 introduces device compliance detection, a security feature that allows app developers to call an API that internally performs various security checks and identifies whether the underlying device is compromised or not.

Once the device compliance status is identified, the app developer can also report the status to SAP Mobile Services using the provided API.

If the device is compromised, the app developer defines the application behavior accordingly (for example, blocking access to business data or limiting functionality).

Enabling Device Compliance Policy

You can enable the device compliance policy by turning on Device Compliance Detection in the Client Configuration tab under the Mobile Settings Exchange feature in the mobile services cockpit. It can also be enabled during the Create new application process in the SAP BTP SDK Assistant for iOS v9.2.

[Screenshot: iOS Device Compliance Settings]

Usage

An app developer can use the device compliance detection feature through the SAPFoundation framework APIs directly, as shown below.

    import SAPFoundation

    // Detect whether the device is not compliant (compromised); this check runs locally on the device.
    let isDeviceCompromised = DeviceComplianceChecker.isDeviceCompromised()
    // Report the compliance status to SAP Mobile Services. sapURLSession and settingsParameters are the
    // SAPURLSession and SAPcpmsSettingsParameters the app already holds from onboarding; the call is
    // async and throwing, so it must run in an async context.
    try await SAPcpmsDeviceSecurityAuditUploader.upload(isDeviceCompromised: isDeviceCompromised, sapURLSession: sapURLSession, settingsParameters: settingsParameters)
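The snippet above leaves two decisions to the app: what to do when the audit upload to SAP Mobile Services fails, and what the "application behavior" for a compromised device actually is. The following is an added example (not code from the page or from the SAP BTP SDK) that wraps the two page-documented calls in a fail-closed policy function: the decision to block is taken from the local verdict alone, so a failed upload can never turn a compromised device into a compliant one, and the upload error is returned so the report can be retried later. It assumes the caller already holds a `SAPURLSession` and a `SAPcpmsSettingsParameters` from onboarding; `CompliancePolicyDecision`, `CompliancePolicyResult`, `applyDeviceCompliancePolicy` and `checkComplianceOnForeground` are names introduced here.

```swift
import Foundation
import SAPFoundation

/// What the app should do after the compliance check. Introduced by this example.
enum CompliancePolicyDecision: Equatable {
    /// Device passed the checks: continue normally.
    case proceed
    /// Device is compromised: refuse to expose business data.
    case block
}

/// Result of one policy run. Introduced by this example.
struct CompliancePolicyResult {
    let isDeviceCompromised: Bool
    let decision: CompliancePolicyDecision
    /// Non-nil when the audit upload failed. The caller should retry the report
    /// (for example on next launch) so the server-side record does not stay stale.
    let uploadError: Error?
}

/// Runs the local detection, reports the status to SAP Mobile Services and returns the
/// decision the app must enforce. The parameter types are the SAPFoundation session and
/// settings objects the app obtains during onboarding (assumed to be available here).
func applyDeviceCompliancePolicy(sapURLSession: SAPURLSession,
                                 settingsParameters: SAPcpmsSettingsParameters) async -> CompliancePolicyResult {
    // Page-documented API: local check, no network involved.
    let isDeviceCompromised = DeviceComplianceChecker.isDeviceCompromised()

    var uploadError: Error?
    do {
        // Page-documented API: report the status to SAP Mobile Services.
        try await SAPcpmsDeviceSecurityAuditUploader.upload(
            isDeviceCompromised: isDeviceCompromised,
            sapURLSession: sapURLSession,
            settingsParameters: settingsParameters)
    } catch {
        // Network or server failure: keep the local verdict, remember the error for a retry.
        uploadError = error
    }

    // Fail closed: the decision depends only on the local verdict, never on whether the
    // report reached the server.
    let decision: CompliancePolicyDecision = isDeviceCompromised ? .block : .proceed
    return CompliancePolicyResult(isDeviceCompromised: isDeviceCompromised,
                                  decision: decision,
                                  uploadError: uploadError)
}

/// Hypothetical call site: re-run the policy whenever the app returns to the foreground,
/// since SAPcpmsSecurityPolicyApplyStep only covers onboarding, restore and passcode reset
/// and a device can be compromised after onboarding. Returns true when the app may continue.
func checkComplianceOnForeground(sapURLSession: SAPURLSession,
                                 settingsParameters: SAPcpmsSettingsParameters) async -> Bool {
    let result = await applyDeviceCompliancePolicy(sapURLSession: sapURLSession,
                                                   settingsParameters: settingsParameters)
    if let error = result.uploadError {
        // Do not treat a failed report as "compliant"; log it and let the caller schedule a retry.
        NSLog("Device compliance audit upload failed: %@", String(describing: error))
    }
    return result.decision == .proceed
}
```

Two points the page does not spell out: the check runs on the device it is judging, so on a compromised device the result can in principle be tampered with and the status sent to Mobile Services is a self-report, not an attestation; treat it as a policy signal and keep sensitive authorization decisions on the server. And because the upload is the only thing that lets administrators see the status, keep the error from the `catch` and retry rather than dropping it.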

Alternatively, use the SAPFioriFlows framework, which integrates the check into the onboarding flow and is more convenient, as described below.

Once device compliance policy is enabled, add the newly introduced SAPcpmsSecurityPolicyApplyStep to the onboardingSteps and restoringSteps in OnboardingFlowProvider.swift.

SAPcpmsSecurityPolicyApplyStep integrates the detection API and uploads the compliance status. The step reads the configuration from the SAP Mobile Services settings response and orchestrates the compliance detection together with the upload.

If Device Compliance Detection is not enabled in the mobile services cockpit, adding SAPcpmsSecurityPolicyApplyStep has no effect during onboarding, restoration, and passcode reset: the step neither performs a detection check nor uploads a compliance status to SAP Mobile Services.

Based on the policy set in the mobile services cockpit, SAPcpmsSecurityPolicyApplyStep is added automatically to OnboardingFlowProvider.swift when the client application is generated with Create new application or Reuse existing application in the SAP BTP SDK Assistant for iOS.

    public var onboardingSteps: [OnboardingStep] {
        return [
            ...
            CompositeStep(steps: SAPcpmsDefaultSteps.settingsDownload),
            CompositeStep(steps: SAPcpmsDefaultSteps.applyDuringOnboard),
            SAPcpmsSecurityPolicyApplyStep(),
            ...
        ]
    }

    public var restoringSteps: [OnboardingStep] {
        return [
            ...
            CompositeStep(steps: SAPcpmsDefaultSteps.settingsDownload),
            CompositeStep(steps: SAPcpmsDefaultSteps.applyDuringRestore),
            SAPcpmsSecurityPolicyApplyStep(),
            ...
        ]
    }

Precondition

SAPcpmsSecurityPolicyApplyStep must run at some point after SAPcpmsSettingsDownloadStep, which obtains the required policy information. SAPcpmsSettingsDownloadStep is usually used indirectly through SAPcpmsDefaultSteps.settingsDownload, as in the flow above.


Last update: June 12, 2023