Client Policy & Security

Overview

The Lock and Wipe feature provides a comprehensive security mechanism to protect user data from unauthorized access or device misuse, ensuring sensitive information remains secure. It safeguards against scenarios such as a device being lost or stolen, or when a user wants to delete data stored locally.

Locking Mechanism

This mechanism locks users out of the app on a specific device. Once locked, the user can unlock the app by connecting to the server and re-authenticating. The passcode (if set) and all existing data, including the offline OData store, remain on the device.

Wiping Mechanism

This mechanism locks users out of the app and wipes all the app data (including local changes) on a specific device. It also wipes all the app-managed data on that device, including unsaved offline data. This action is irreversible; the app will not restore any data that has been wiped.

Enabling Lock or Wipe

Administrators can control Lock and Wipe actions through two methods:

Toggle Lock and Wipe Buttons

This method allows administrators to instantly initiate user-specific lock or wipe actions.

  • In the mobile services cockpit, navigate to Mobile Applications > Native/MDK.
  • Select an application and navigate to the Users and Device Management tab.
  • Perform various actions, including locking and wiping for individual users and devices.

Once the app relaunches, resumes, or sends requests to the server, the Lock or Wipe actions will be triggered, prompting the user to re-authenticate. For Locking, the user will need to log in again after being locked out. In the case of Wiping, any unsaved offline OData will be permanently deleted, requiring the user to start the onboarding process again. This method works only in online mode since it requires a connection to the server. For offline cases, administrators may consider using the policy approach.

Configure Lock and Wipe Policy

Administrators can enable this policy directly in the mobile services cockpit to configure settings that apply to all clients. Locking or Wiping actions will start automatically once the configured time expires, even if the client is offline.

  • In the mobile services cockpit, navigate to Mobile Applications > Native/MDK.
  • Select an application and navigate to the Settings tab.
  • Click on Client Settings and then click on the Client Configuration tab.
  • Under the Locking and Wiping Policy section, select Enable Locking and Wiping Policy and configure the offline data management settings:
      • Offline Days Before Locking: Set the number of days before the application will be locked on the user's device. The number of days before locking must be fewer than the number of days before wiping. Zero (0) means locking is not enabled.
      • Offline Days Before Wiping: Set the number of days before the application will be wiped on the user's device. The number of days before wiping must be greater than the number of days before locking. Zero (0) means wiping is not enabled.
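
The following added example (not SAP code and not part of the original page) models the two policy values in JavaScript so an administrator can check a configuration and see which action would be due after a given number of offline days. The field names offlineDaysBeforeLocking and offlineDaysBeforeWiping, the function names, the "at or after N days" boundary, and applying the ordering rule only when both actions are enabled are assumptions.

```javascript
// Added illustration: models the policy rules described above. It is not SAP
// SDK code; field names and the boundary rule (>=) are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Check the two cockpit values against the constraints stated in the policy.
function validatePolicy(policy) {
  const errors = [];
  for (const key of ["offlineDaysBeforeLocking", "offlineDaysBeforeWiping"]) {
    if (!Number.isInteger(policy[key]) || policy[key] < 0) {
      errors.push(key + " must be a non-negative integer");
    }
  }
  const lock = policy.offlineDaysBeforeLocking;
  const wipe = policy.offlineDaysBeforeWiping;
  // Assumption: the ordering rule only matters when both actions are enabled.
  if (errors.length === 0 && lock > 0 && wipe > 0 && lock >= wipe) {
    errors.push("offlineDaysBeforeLocking must be fewer than offlineDaysBeforeWiping");
  }
  return errors;
}

// Decide which action is due for a client last seen online at lastOnlineMs.
// Returns "none", "lock" or "wipe"; wipe wins because it is the later,
// irreversible stage.
function evaluateOfflineState(policy, lastOnlineMs, nowMs) {
  const errors = validatePolicy(policy);
  if (errors.length > 0) {
    throw new Error("invalid policy: " + errors.join("; "));
  }
  // A device clock moved backwards gives a negative gap; this model clamps it
  // to zero and does not address clock tampering.
  const offlineDays = Math.max(0, Math.floor((nowMs - lastOnlineMs) / DAY_MS));
  const { offlineDaysBeforeLocking: lock, offlineDaysBeforeWiping: wipe } = policy;
  if (wipe > 0 && offlineDays >= wipe) return "wipe";
  if (lock > 0 && offlineDays >= lock) return "lock";
  return "none";
}

// Constructed sample: lock after 7 offline days, wipe after 30.
const samplePolicy = { offlineDaysBeforeLocking: 7, offlineDaysBeforeWiping: 30 };
const lastOnline = Date.UTC(2025, 0, 1);
for (const days of [3, 7, 29, 30]) {
  const state = evaluateOfflineState(samplePolicy, lastOnline, lastOnline + days * DAY_MS);
  console.log(days + " days offline -> " + state);
}
```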

Device Compliance

The Mobile Development Kit has a Device Compliance Detection feature that enables app developers to perform security checks to determine if the underlying device has been compromised.

Client API

The client API isDeviceCompliant() returns a Boolean value that indicates the compliance status of the device:

  • Returns true if the device is compliant.
  • Returns false if the device is non-compliant or has been compromised.

App developers can use the isDeviceCompliant() API as shown in the following example:

export default function CheckDevicesCompliant(clientAPI) {
    // isDeviceCompliant() returns true when the device is compliant (not rooted).
    var isCompliant = clientAPI.isDeviceCompliant();
    alert("Device Compliance is: " + isCompliant);
}

Device Root Status Reporting

Administrators must enable the Device Compliance Detection policies in the mobile services Admin UI to ensure that compliance reports are sent to SAP Mobile Services.

Compliance Policy Enforcement

When Device Compliance Detection is enabled in the mobile services cockpit:

  • Device compliance detection occurs automatically during app login and after each restart.
  • The compliance status of each device registration is displayed in the mobile services cockpit.

Compliance Status Definitions

  • Compromised: The device is rooted (non-compliant).
  • Compliant: The device is not rooted (compliant).
  • Unknown: The compliance status has not been reported.

Last update: May 21, 2025