Configuring content sites in the [email protected] configuration

Content sites configured in the [email protected] configuration are automatically added to the [email protected] app. Device user action is not required. These sites are called Group sites. SharePoint (including OneDrive for Business), WebDAV, CIFS, and DFS sites are configured in the Content Sites section of the [email protected] configuration. Box and SharePoint sites that use Federated authentication, are configured in the Custom Configurations section using key-value pairs.

Adding SharePoint, WebDAV, CIFS, and DFS sites

Content sites configured in the [email protected] configuration are automatically added to the [email protected] app. Device user action is not required. SharePoint (including OneDrive for Business), WebDAV, CIFS, and DFS sites are configured in the Content Sites section of the [email protected] configuration.

Procedure

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Select Add New > [email protected].
  3. Use the following guidelines to create or edit a [email protected] setting and add content sites:
  4. Click Save.
  5. Select the [email protected] configuration.
  6. Click More Actions > Apply To Label.
  7. Select the appropriate labels to which you want to apply the configuration.
  8. Click Apply.

    [email protected] is a document centric application. It relies on an API (in native mode) to query directories and files. If the entity being queried is not a folder or file, the APIs fail. As a result, List support is limited to DocumentLibrary. No other type of List is supported.

Support for variables in configuring content sites

Variables allow you to configure content server access that is specific to the user or group. For example, in Active Directory, you can specify a user’s home directory on a network drive as an attribute. If you include the variable in the URL for the content site, the user's view of the network drive will be their home folder.

Prerequisites for using variables for configuring content sites

  • Requires LDAP or AD integration.

Supported Content sites for variables

  • SharePoint (including Office 365)
  • Network Drives
  • Cloud Storage

Variables for Box and Dropbox are not supported.

Supported variables for configuring content sites

$EMAIL$

$USERID$

$FIRST_NAME$

$LAST_NAME$

$USER_UPN$

$DISPLAY_NAME$

$USER_CUSTOM1$

$USER_CUSTOM2$

$USER_CUSTOM3$

$USER_CUSTOM4$

  1. Add the SharePoint or WebDAV site as a User site in [email protected]
  2. In Sites, tap on the SharePoint or WebDAV site.
  3. Navigate to the folder you want to configure as a Group site.
  4. Tap, hold, and then release the ... menu.
  5. The menu items will display.
  6. Select one of the menu items to either view the URL or email the URL.

Adding Box enterprise as a Group site

You add a key-value pair in the Custom Configurations section to configure Box as a Group site. Group sites are automatically pushed to the [email protected] app.

Procedure

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations > Add New > [email protected] > [email protected].
  2. Scroll down to the Custom Configurations section.
  3. Add the SITE_DETAILS_N key-value pair. For more information, see “Key-value pairs to configure app behavior” section.
  4. Click Save.
  5. Device users can also add a Box User site.

    Android devices support only one Box site. This can either be a Group site or a User site.

Adding a SharePoint Group site with Federated authentication

You add a key-value pair in the Custom Configurations section to configure a SharePoint site that uses Federated authentication as a Group site. Group sites are automatically pushed to the [email protected] app. If authentication to the SharePoint server is done using Active Directory Federation Services (ADFS), the users must enter their enterprise AD or LDAP credentials to authenticate to the server.

Procedure

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations > Add New > [email protected] > [email protected].
  2. Scroll down to the Custom Configurations section.
  3. Add the SITE_DETAILS_N key-value pair. For more information, see “Key-value pairs to configure app behavior” section.
  4. Click Save.

Adding a SharePoint Group site with certificate based authentication

Certificate based authentication with Entrust PIV-D certificates and p12 certificates are supported for SharePoint sites.

  • In Android 4.1,4.2, 4.3 and 4.4 devices, cert-based auth related to webview certificate challenge is not supported.
  • Cert-based auth does not support tunneling.

Adding a SharePoint Group site with derived credentials

Derived credentials with Entrust PIV-D certificates and p12 certificates are supported for SharePoint sites with ADFS. See the Ivanti Derived Credentials Guide for EPMM for information about how to set up derived credentials with [email protected]

Adding Google Drive as a Group site

You add a key-value pair in the Custom Configurations section to configure Google Drive as a Group site. Group sites are automatically pushed to the [email protected] app.

Variables are not supported in the URL for configuring the Google Drive site. For example, you will not be able to specify a user name as part of the JSON value. However, you can configure fAUTOFILL_CREDENTIALS key-value pair to autofill the username for Google Drive.

Procedure

1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Select the [email protected] configuration to which you want to add Google Drive.
3. Click Edit.

4. Scroll down to the Custom Configuration section.
5. Click Add+ to enter the following key value pair:

 

Key

Value

SITE_DETAILS_N

Where n is a number 1-100

Example:

SITE_DETAILS_1

Enter parameters for the content site in the following JSON format:

{"name":"name for the site","domain":"Dropbox","url":"https://dropbox.com”}

 

Values are case sensitive.

Description

name for the site: Enter a name for the site. Example: SharePoint .

6. Click Save.

Authentication with an identity provider (IdP)

If your Google Drive setup uses an identity provider (IdP) for authentication, device users are directed to the IdP without having to go through any intermediate screens.

If Google Drive is set up through the [email protected] configuration in Ivanti EPMM, you must also configure the AUTOFILL_CREDENTIALS key-value pair to enable this feature.

Configuring DFS content site

Distributed File System (DFS) allows administrators access to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces. DFS uses CIFS protocol.

Requirements

  • Standalone Sentry 8.0.1 through the most recently released version.
  • Standalone Sentry 8.5.0 through the most recently released version is required for create, upload, and delete (CUD) operations for files and folders.
  • Ivanti EPMM 9.0.0.0 through the most recently released version.

Before you begin

  • Ensure that you have Standalone Sentry set up for AppTunnel.: DFS traffic must be tunneled through Standalone Sentry. Context headers, server-side proxy, and ATC are not supported for tunneling to DFS servers.
  • Ensure that the necessary SCEP or Certificate setting is created. You will reference the SCEP or Certificate setting when you create the AppTunnel rule in the [email protected] configuration.

Configuration tasks summary

The following configuration tasks are required. These tasks are done in the Ivanti EPMM Admin Portal.

  1. Enable DFS in Standalone Sentry settings.

    See Enabling DFS.

  2. Configure an AppTunnel service for a CIFS repository in Standalone Sentry settings.

    See Configuring an AppTunnel service for DFS.

  3. Configure AppTunnel rules and DFS content site in [email protected] configuration.

    See Configuring AppTunnel rules and DFS site in the [email protected] setting.

Enabling DFS

  1. In the Admin Portal, go to Services > Sentry.
  2. Edit the entry for the Standalone Sentry that supports AppTunnel.
  3. In the App Tunneling Configuration section, select the check box for Enable DFS.

Configuring an AppTunnel service for DFS

  1. In the Admin Portal, go to Services > Sentry.
  2. Edit the entry for the Standalone Sentry that supports AppTunnel.
  3. In the App Tunneling Configuration section, under Services, click + to add a new service.
  4. Use the following guidelines to configure a tunnel service:

    Item

    Description

    Service Name

    The Service Name is used in the [email protected] configuration for setting up tunneling to the content repository.

    Enter one of the following:

    • A unique name for the service that [email protected] accesses. One or more of your internal app servers provide the service. You list the servers in the Server List field.
      • The service name must begin with CIFS_.
      • A service name cannot contain these characters: 'space' \ ; * ? < > " |.
    • <CIFS_ANY>

    Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based or DFS content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based or DFS content server contains wildcards for tunneling, such as *.myCompany.com.

    The order of the Service Name entries does not matter.

    Do not select <ANY>, <TCP_ANY>, <IP_ANY>, or <IP_ANY_WP8.1> for tunneling to DFS.

    Server Auth

    Select Pass Through

    The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to DFS.

    Server List

    The Server List field is not applicable when the service name is <CIFS_ANY>.

    Enter the DFS server’s host name or IP address (usually an internal host name or IP address). Include the port number on the DFS server that Standalone Sentry can access.

    Example: fs1.companyname.com:445

    You can enter multiple servers. Depending on the Global Configuration settings for the Sentry, either round-robin or priority distribution is used to load balance the servers. Separate each server name with a semicolon.

    Example: fs1.companyname.com:445;fs2.companyname.com:445

    TLS Enabled

    Not applicable for app tunnel to DFS.

    Proxy/ATC

    Not applicable for app tunnel to DFS.

    Server SPN List

    Not applicable for app tunnel to DFS.

  5. Click Save.

Configuring AppTunnel rules and DFS site in the [email protected] setting

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Select the [email protected] configuration and click Edit.
  3. In the AppTunnel Rules section, use the following guidelines to add an AppTunnel rule for CIFS repository:

    Item

    Description

    AppTunnel Rules

    Configure AppTunnel rules settings for [email protected]

    When [email protected] tries to connect to the URL configured here, Standalone Sentry creates a tunnel to the content server.

    To add an AppTunnel entry, click + .

    To delete an AppTunnel entry, click - .

    Sentry

    Select the Standalone Sentry on which you configured the AppTunnel service. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.

    Service

    Select an AppTunnel Service Name from the drop-down list.

    This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.

    URL Wildcard

    Enter one of the following:

    A content server’s hostname

    Example: cifs-windows.yourcompany.com

    A hostname with wildcards, if the Service Name is <CIFS_ANY>. The wildcard character is *.

    Example: *.yourcompanyname.com

    If you want finer granularity regarding what requests Standalone Sentry tunnels, configure multiple AppTunnel rows.

    The Sentry and Service fields that you specify in this AppTunnel row determine the target content server.

     

    A hostname with wildcards works only with the service <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Standalone Sentry tunnels the data to the URL specified in the app.

    Ivanti recommends that you carefully consider how you use wildcards. For example, do not use just * for the URL.

    The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname requested is chosen. That row determines the Standalone Sentry and Service to use for tunneling.

    Do not include a URI scheme, such as http:// or https:/, in this field.

    Port

    Enter the port number that [email protected] can request. Typically, the port number is 445.

    Identity Certificate

    Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling.

  4. In the Content Sites section, enter the following information:

    Item

    Description

    Name

    Enter a name for the content site.

    This name will be displayed on the device.

    URL

    Enter a valid URL for the DFS. Both domain name and IP address are supported.

    A valid URL must start with http:// or https://.

    Format example:

    https://resolvablehostname:445/URL

    Variables:

    You can enter a valid URL with variables for the content site. Variables in the protocol or the hostname are not supported. See also, Support for variables in configuring content sites.

    Examples with variables:

    \\$USER_CUSTOM1$

    Format of DFS URL with UserId:

    https://resolvablehostname:445/users/$USERID$

     

    LDAP or AD integration is required for using variables.

    If the Site URL is invalid, it will not be distributed to users.

    Domain

    Select CIFS from the drop-down list.

    Subdomain

    Select NetworkDrive from the drop-down list.

    Authentication

    Select if the device has to authenticate to the server.

    Only basic authentication is supported.

    Published Site

    Select to designate the site as a Published site.

  5. Click Save.
  6. Select the [email protected] configuration.
  7. Click More Actions > Apply To Label.
  8. Select the appropriate labels to which you want to apply the configuration.
  9. Click Apply.