SSO account device policy

March 26, 2020

Contributed by:

K C

You create single sign-on (SSO) accounts in XenMobile to let users sign on one-time only to access XenMobile and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO account enterprise user credentials are used across apps, including apps from the App Store. This policy is designed to work with a Kerberos authentication backend.

This policy applies only to iOS 7.0 and later.

To add or configure this policy, go toConfigure > Device Policies. For more information, seeDevice policies.

iOS settings

Account name:Enter the Kerberos SSO account name that appears on users’ devices. This field is required.
Kerberos principal name:Enter the Kerberos principal name. This field is required.
Identity credential (Keystore or PKI credential):在列表中,点击一个可选的身份凭证that can be used to renew the Kerberos credential without user interaction.
Kerberos realm:Enter the Kerberos realm for this policy. This is typically your domain name in all capital letters (for example, EXAMPLE.COM). This field is required.
Permitted URLs:For each URL for which you want to require SSO, clickAddand then do the following:
- Permitted URL:Enter a URL that you want to require SSO when a user visits the URL from the iOS device.
  For example, when a user tries to browse to a site and the web site initiates a Kerberos challenge: If that site is not in the URL list, the iOS device does not attempt SSO by providing the Kerberos token that Kerberos might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL. For example,https://shopping.apple.comis valid, buthttps://*.apple.comis not.
  Also, if Kerberos is not activated based on host matching, the URL still falls back to a standard HTTP call. This could mean almost anything including a standard password challenge or an HTTP error if the URL is only configured for SSO using Kerberos.
- ClickAddto add the URL or clickCancelto cancel adding the URL.
App Identifiers:For each app that is allowed to use this login, clickAddand then do the following:
- App Identifier:Enter an app identifier for an app that is allowed to use this login. If you do not add any app identifiers, this login matchesallapp identifiers.
- ClickAddto add the app identifier or clickCancelto cancel adding the app identifier.
Policy settings
- 删除政策:Choose a method for scheduling policy removal. Available options areSelect dateandDuration until removal (in hours)
  - Select date:Click the calendar to select the specific date for removal.
  - Duration until removal (in hours):Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

SSO account device policy

March 26, 2020

Contributed by:

K C

March 26, 2020

Contributed by:

K C

SSO account device policy

iOS settings

In this article