GOOD ACCESS SECURE BROWSER GUIDE
Legal Notice This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws. While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements. The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. 
It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories. Legal Information © Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents. Secure Browser Product Guide 2
Table of Contents

Good Access and the Good Dynamics Platform
Purpose and Audience
What's New
About Good Access and Good Control Cloud: Intranet Resources Not Available
How Good Access Protects Your Enterprise
Basic Authentication
Digest Authentication
NTLMv2 Authentication
Proxy Authentication
RSA SecurID Soft Token (Two-Factor) Authentication
Required Format for RSA SecurID CTF URL
SSL/TLS
Containerization of Encrypted Data, Cache, and Cookies
Remote Data Wipe
Additional Good Access Features and Benefits
Kerberos Authentication Support
Recommended Good Dynamics Configuration: Direct Connect
Flexible Deployment
Support for WebKit
ECMA Script/JavaScript Engine
Supported File Types
YouTube Videos Not Supported
Supported Audio Formats and Required Tag
Enabling APK Installation on Android
Good Control Settings
Android Device Settings
In Good Access
The GD SDK and the Good Dynamics API
Supported Human Languages
About Cookies
Working with Good Access on iOS
Viewing Settings, Bookmarks, History, Downloads
Opening and Sharing URLs ("Send Link")
Adding Bookmarks
Back to Caller App
Adding Pages to Tab View
Using Settings
Pinging, Tracing, and Looking Up
Examining the Console to Debug Problems
Sending Feedback to Good Technology
Importing an RSA SecurID Token
Enrolling in Good MDM on iOS with Good Access
Prerequisites for Enrollment
Steps for Activation and Enrollment
Environment and System Prerequisites
Minimal Server Hardware Specifications
Server and OS Software Specifications
Server and OS Software Specifications
Network Requirements
Intranet Port Configurations
Recommended Good Dynamics Configuration: Direct Connect
SSL Ciphers between GC and GP Servers for Direct Connect
Outbound Firewall Configurations
Other Considerations
Installing the Good Dynamics Platform
Configuring SSL-Certificate-Based Client Authentication in Good Dynamics
Using Kerberos Authentication
Domain to Kerberos Realm Mapping
Good Control Basics
Viewing Registered Applications
Granting Application Permissions
Managing Application Permissions for a Group
Setting User Policies
Security Policies
Provisioning Policies
Compliance Policies
Setting Good Access Application Policy
General Tab
Security Tab
Network Tab
RSA Tab
Allowing Third-Party Applications
Setting Up a Proxy Auto-Configuration (PAC) File
What is a PAC File?
Considerations of Syntax and File Size
Why Use a PAC File?
Example of a Simplified PAC File
Configuring PAC Settings in Good Control
Testing Your PAC Configuration
Provisioning and Activating Good Access
Good Access User Agent String
RSA SecurID
Choosing Routing Options and Restricting Domains
Supplemental Steps for Existing GFE Customers
Data Loss/Dropped Client Connections
User Cannot Activate Good Access
Good Access Logging and Diagnostics
Good Access Interoperability with Other Good Apps
Good Access Authentication Delegation
Appendix A: Frequently Asked Questions
Appendix B: Feature Summary
Appendix C: iOS Browser Support for HTML5 and CSS3
Appendix D: Android Browser Support for HTML5 and CSS3
Appendix E: RSA Implementation Guide for Software Token Authenticators
Product Configuration
Configuring a Good Control RSA Application Policy for Good Access
iOS: Enabling and Using the Good Access RSA SecurID Authenticator
Android: Enabling and Using the Good Access RSA SecurID Authenticator
Revision History
Good Access and the Good Dynamics Platform

The Good Dynamics (GD) secure mobility platform integrates app containerization, MAM, an enterprise app store, MDM and more, simplifying the creation of mobile apps and the ongoing management of applications, data, and devices. As GD's secure browser, Good Access leverages GD and its framework to give your authorized users access to the corporate intranet through the enterprise firewall without using a VPN, while your IT group controls the browser's settings and policies from Good Control on any managed or unmanaged device.

Purpose and Audience

This guide is intended both for end users of Good Access and for IT administrators, web developers, and others possessing equivalent technical knowledge. It describes Good Access, then takes you step by step through setup, deployment, and client device activation of the Good Access application. Platform requirements and Good Access operational fundamentals are summarized below. More complete details concerning GD platform administration can be found online on the Good Dynamics Network (GDN).

What's New

The latest release of Good Access includes the following new features:

iOS
- Support for Good Mobile Device Management.
- Support for on-device SSL certificate stores. The new Allowed Certificates security policy in Good Control specifies which type of certificate store is allowable.
- Support for multi-realm/multi-domain Kerberos Constrained Delegation.
- Support for webclips on iOS: a new application policy in Good Control enables webclips, and a new control in Good Access saves one (tap the bookmark icon and then tap Save a webclip).
- Support for streaming video in HLS format.
Previous release:
- Support for SSL-certificate-based client authentication with the Good Dynamics Direct Connect deployment configuration.
- Blocking of third-party keyboards.

Android
- Support for Good Mobile Device Management.
- Support for on-device SSL certificate stores. The new Allowed Certificates security policy in Good Control specifies which type of certificate store is allowable.
- Support for multi-realm/multi-domain Kerberos Constrained Delegation.
- Support for streaming video in HLS format.
Previous release:
- Support for SSL-certificate-based client authentication with the Good Dynamics Direct Connect deployment configuration.
- Support for Android L.

About Good Access and Good Control Cloud: Intranet Resources Not Available

When you use Good Access with the Good Control Cloud configuration, intranet servers (resources on your internal network) are not accessible. In the on-premise configuration of Good Control, the administrator has access to a Good Proxy server, which must be configured to allow such access from outside the enterprise firewall. In the current configuration of Good Control Cloud, however, there is no administrator-accessible Good Proxy server: by definition of "cloud," the administrator is relieved of responsibility for servers, ports, web proxies, and anything relating to hardware or the network (a benefit to the administrator). This also means that access to an intranet cannot be configured in Good Control Cloud, because there are multiple distributed intranets belonging to different enterprises, and for security they cannot be part of the shared cloud configuration.

How Good Access Protects Your Enterprise

The objective of browser security is to establish rules and measures against attacks on your network and sensitive data originating from outside. There are numerous ways to protect the transfer of information.
Good Access employs the most effective methods developed for mobile devices to date, using console policies on Good Control that determine the list of intranet domains, sub-domains, and embedded internet domains that you, as IT administrator, want to make available to your mobile users on a user group or individual basis. Good Access further provides a secure browser history, which can be cleared, along with support for naming and editing bookmarks, in addition to pinch and zoom and landscape mode, all requiring no special end-user training.

Additional network access and data transmission safeguards include:

Basic Authentication

HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages. Rather, it uses a static, standard Authorization header, so no handshake has to be done before the request. However, BA provides no confidentiality protection for the transmitted credentials: they are merely Base64-encoded in transit, not encrypted or hashed in any way, and the browser resends them with every request to the same protection space. Basic Authentication should therefore only be used over HTTPS.

Digest Authentication

The Digest Authentication protocol is designed for use with HTTP and SASL exchanges. In these exchanges, the party seeking to authenticate must demonstrate knowledge of a secret without transmitting it. This improves on earlier HTTP authentication, in which users' passwords travel unencrypted to the server, where they are vulnerable to capture, or are protected only by an expensive, ongoing Secure Sockets Layer (SSL) session. Digest Authentication has security characteristics similar to the NTLM protocol in that both are challenge/response protocols. Challenge/response protocols require the authenticating server to generate a challenge containing some amount of unpredictable data (a nonce). The client then hashes the challenge together with a key derived from the user's password to form a response.
The server, or a trusted service such as Active Directory, verifies that the user possesses the correct password by recomputing the expected response from the credential stored for the user in Active Directory (or in the server's local account database) and comparing it with the client's response. If the two match, the user is authenticated. Note that Digest keeps the password off the wire but relies on MD5 and protects nothing else in the exchange, so it is a complement to TLS, not a replacement for it.

NTLMv2 Authentication

NTLMv2 is a challenge-response authentication protocol and a cryptographically strengthened replacement for NTLMv1. The acronym stands for NT LAN Manager, the Windows network authentication family. Kerberos is the preferred authentication protocol for Windows and Active Directory domains and is used when a server belongs to a Windows Server domain or a trust relationship with one is established in some other way (for instance, Linux to Windows AD authentication); NTLM remains the fallback when Kerberos cannot be used. NTLMv2 answers an 8-byte server challenge with two responses, each containing a 16-byte HMAC-MD5 over the server challenge and a client challenge; the two differ in the form of the client challenge (the LMv2 response uses an 8-byte random value, the NTLMv2 response a structured blob that also carries a timestamp and the server's target information). The HMAC key is derived from the user's password: start with the NT hash, which is stored in the SAM or AD, and hash in, using HMAC-MD5, the uppercased username and the domain name. Because the stored NT hash alone suffices to compute valid responses, theft of that hash is equivalent to theft of the password.

Proxy Authentication

In HTTP, a proxy authenticates the browser by returning 407 Proxy Authentication Required with a Proxy-Authenticate challenge, which the client answers with a Proxy-Authorization header using one of the schemes above. More generally, in multi-tier environments, proxy authentication allows you to control the security of middle-tier applications by preserving client identities and privileges through all tiers, and by auditing actions taken on behalf of clients. For example, this feature allows the identity of a user of a web application (the "proxy") to be passed through the application to the database server.

Proxy authentication also allows a user to perform a simple bind to an AD LDS instance while still maintaining an association with an Active Directory account. Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), provides directory services for directory-enabled applications without the overhead of domains and forests and the requirement of a single schema throughout a forest. In this form of proxy authentication, two accounts are involved: a special object in AD LDS called a userProxy object, and the user's account in Active Directory. The userProxy object represents the Active Directory account and is tied to it through that account's security identifier (SID); no password is stored on the proxy object itself. When a user performs a simple bind to an AD LDS instance with a proxy object, the bind is redirected to Active Directory by passing the SID and password to a domain controller, which performs the authentication; the entire process is invisible to the end user. Because a simple bind sends the password in the clear, it should only be performed over an SSL/TLS-protected LDAP connection.

RSA SecurID Soft Token (Two-Factor) Authentication

The RSA SecurID soft token authentication mechanism uses a "token" assigned to the end user that generates an authentication code at fixed intervals (typically 60 seconds) using a built-in clock and a random key known as the "seed," which is different for each token. On-demand tokens provide a tokencode via email, eliminating the need to provision a token to the user. File-based provisioning is also supported. Essentially, RSA SecurID transforms an iOS or Android device into a SecurID authentication device.
The software consists of an application and a separately installed software-based security token that transfers password protection and authentication delegation to Good For Enterprise (GFE). A software token generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a PIN, it is called a passcode. The tokencode or passcode serves as a one-time password (OTP). Authorized device users can use OTP values, along with other security information, to verify their identity when they attempt to access resources protected by SecurID, such as Virtual Private Networks (VPNs) and web applications. Users enter a new OTP every time they authenticate to a protected resource.

Required Format for RSA SecurID CTF URL

After you have generated the CTF URL with the RSA Authentication Manager, replace the protocol (scheme) portion of the URL so that an HTTP URL can be sent to GFE, which imports the RSA token into Good Access.

Change this:
  com.rsa.securid://ctf?ctfData=numeric_string
  or com.rsa.securid://ipaddress/ctf?ctfData=numeric_string
  or custom_url_scheme://ctf?ctfData=numeric_string

To this:
  http://ctf?ctfData=numeric_string

Note: The seed record must be delivered in an sdtid file or a CTF URL. After you have replaced the URL format, send the HTTP URL to Good For Enterprise to import the RSA token into Good Access. The ctfData value encodes the token seed, so treat the URL as a credential and deliver it only through the protected GFE channel.

SSL/TLS

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), protect traffic between the browser and the server. Both use X.509 certificates and asymmetric cryptography (a public key known to everyone and a private key known only to its owner) to identify the counterparty and to establish a shared symmetric session key. That session key then encrypts the data flowing between the parties, providing confidentiality, while message authentication codes provide message integrity and authentication. An important property is forward secrecy: when the session key is established with an ephemeral (EC)DHE key exchange, it cannot be derived from the server's long-term private key, so a later compromise of that key does not expose recorded sessions. Static RSA key exchange does not provide this. All versions of SSL and TLS 1.0/1.1 are now deprecated; servers reached through Good Access should offer TLS 1.2 or later.

Containerization of Encrypted Data, Cache, and Cookies

A secure container on the client device is used for all Good Access browsing activity, storing all data in encrypted form. This "containerization" ensures the separation of corporate data from the user's personal data.

Remote Data Wipe

Wiping data is a process that allows IT admins to remotely erase data from a client device when a violation or breach of security policy is detected, a user's network permissions are changed or revoked, or the user's employment is terminated. When data is wiped, the secure container on the device where company-owned files and folders were located is overwritten with zeroes to prevent data recovery, in contrast to ordinary file deletion, in which only the file system's pointer to the file is removed. On flash storage, wear leveling means an in-place overwrite is not guaranteed to reach every physical copy of a block; the container's encryption is what ultimately makes any surviving copies unreadable.
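For the SSL/TLS section above, the following Python is an added example (not code from the Good Access guide, and unrelated to how Good Access configures its own TLS stack) of a client-side TLS context that enforces the properties that section describes: certificate-based server authentication, TLS 1.2 or later, and only ephemeral key exchanges so that every session is forward secret. The classifier reads OpenSSL's cipher description line to distinguish forward-secret key exchanges from static RSA key transport.

```python
"""Added example (not from the Good Access guide): a client TLS context that
enforces server authentication, TLS 1.2+, and forward-secret key exchange only.
Requires Python 3.7+ built against OpenSSL 1.1.0 or later."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()             # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3 and TLS 1.0/1.1 are refused
    # TLS 1.2: only ephemeral (EC)DHE suites, so no static-RSA key transport.
    # TLS 1.3 suites are always ephemeral and stay enabled regardless of this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def key_exchange(description: str) -> str:
    """Pull the Kx= field out of an OpenSSL cipher description such as
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'."""
    for field in description.split():
        if field.startswith("Kx="):
            return field[3:]
    return ""


def forward_secret(description: str) -> bool:
    """Ephemeral DH/ECDH gives forward secrecy. 'any' is OpenSSL's label for TLS 1.3
    suites, which are always ephemeral. Kx=RSA (static key transport) is not."""
    return key_exchange(description) in {"ECDH", "DH", "any"}


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would not be forward secret; empty for a good context."""
    return [c["name"] for c in ctx.get_ciphers() if not forward_secret(c["description"])]


if __name__ == "__main__":
    ctx = hardened_client_context()
    for c in ctx.get_ciphers():
        print(f'{c["name"]:40} {c["protocol"]:8} Kx={key_exchange(c["description"])}')
    print("non-forward-secret suites:", non_forward_secret_suites(ctx))
```

Wrap a socket with `hardened_client_context().wrap_socket(sock, server_hostname=host)` to use it; a server that offers only static-RSA suites or only TLS 1.0/1.1 will fail the handshake rather than silently negotiate a session that a later key compromise could decrypt.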
Additional Good Access Features and Benefits

Kerberos Authentication Support

On both iOS and Android devices, Good Access fully supports Kerberos authentication, an integral part of Active Directory implementations that has increasingly become a centerpiece of enterprise-level interoperability. Kerberos provides secure user authentication via the Active Directory domain controller, which maintains the user account and login information necessary to access your enterprise network. The Kerberos protocol involves three participants: (1) a Key Distribution Center (KDC), (2) the client device, and (3) the server the client wants to access. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).
Essentially, when logging onto your network, users must negotiate access by providing a login name and password that is verified by the AS portion of the KDC within their domain. The KDC has access to the Active Directory user account information. Once successfully authenticated, the user is granted a Ticket-Granting Ticket (TGT) that is valid for the local domain. The TGT is cached on the device, which presents it to the TGS to request service tickets for servers throughout the network. The TGT's default lifetime is set and controlled by your IT admin. To learn how to enable Kerberos authentication for Good Access on Good Dynamics, see Domain to Kerberos Realm Mapping.

In addition, Good Access is now certified for Kerberos Constrained Delegation (KCD), an Active Directory feature supported by the Good Dynamics platform that lets domain administrators restrict the network resources a service trusted for delegation can access, by limiting the scope in which application services can act on a user's behalf. When configured, KCD restricts which front-end service accounts can delegate to which back-end services. With constrained delegation across domains, services can be configured to authenticate to servers in other domains without resorting to unconstrained delegation. This provides authentication for cross-domain service solutions using an existing Kerberos infrastructure, without having to trust front-end services to delegate to any service.

Recommended Good Dynamics Configuration: Direct Connect

To improve performance and reduce latency, GD Direct Connect lets client apps connect directly to a GP (Good Proxy) server via a DMZ proxy, bypassing the GD NOC relay servers entirely. This results in the following measurable benefits:

- Reduces round-trip time when your servers are located across the globe.
- Reduces latency for heavy data transactions like large document downloads.
- Restricts the flow of user data over networks in certain geographic locations where compliance requirements demand it, even when encrypted.

For details about Direct Connect, see Direct Connect.

Flexible Deployment

As with all sufficiently complex enterprise applications, Good Access and the proprietary web apps you plan to deploy now or in the future will require a well-thought-out deployment strategy to properly orchestrate interdependent systems. For instance, even a basic web application will need to consider source code, configuration files, content management data, application data, user data, cached data, search indices, content delivery networks, background jobs, system monitoring tools, and external services and APIs, in addition to the all-important user experience, especially during the release process. For all GD-enabled apps, as well as enterprise web apps securely accessed from Good Access, there are a number of flexible deployment options and combinations of options your IT group can leverage:

- On-premises deployment
- Cloud deployment
- Support for SaaS-based apps

Your Good Professional Services team is available and ready to explain the various options and to assist in the appropriate implementation for your enterprise.

Support for WebKit

WebKit core classes transparently handle programmatic and client requests. WebKit creates all the necessary model and view classes used to represent and display the incoming content. When a user clicks a link, WebKit automatically relinquishes control of the old objects and creates new ones to handle the new page. WebKit views are designed to handle multiple frames, each with its own scroll bar, and many MIME types. You do not need to implement custom views for your application to display web content.

When desired, you can extend WebKit to handle the details of client requests, frame and resource loading, window operations, and downloading. You do this by implementing delegate objects. WebKit furnishes a number of hooks allowing applications to customize the user interface. For example, you can specify the menu items that are displayed when the user clicks a particular type of resource. You can also implement your own document models and views to handle specific MIME types. Because of this extensibility, WebKit can be used to develop increasingly innovative web applications for your corporate intranet users.

One important caveat to Good Access support for WebKit is that, because WebKit is open source and both Apple and the Google open-source community are free to modify and extend it, Good Access will only address the latest added, amended, and fixed WebKit issues periodically.

ECMA Script/JavaScript Engine

Good Access for iOS uses the native UIWebView for rendering, whereas on Android devices Google's open-source V8 JavaScript engine is used. V8 compiles JavaScript to native machine code before executing it, instead of more traditional techniques such as executing bytecode or interpreting it.
The compiled code is additionally optimized (and re-optimized) dynamically at runtime, based on heuristics of the code's execution profile. Optimization techniques used include inlining, elision of expensive runtime properties, and inline caching, among many others.

Supported File Types

Good Access supports all file types/extensions except for the following:

- .msg Microsoft Outlook message format
- .zip Compressed file archive

Supported Video Formats on iOS, Required Tag, and Byte Streaming

To securely play videos on web sites, the HTML5 <video> tag, with the element's src attribute set, must be present when the page is loaded in the browser. If Good Access cannot detect such a tag at load time, the video playback is not secured. Here's a sample of the tags:
3. Scroll to find the Unknown Sources heading.
4. Make sure the checkbox next to this heading is checked.

Unknown Sources permits installation of any sideloaded APK, not only those downloaded through Good Access, so consider clearing it again once the installation is complete.

In Good Access

1. Download the desired APK file. It is stored in your Good Access Downloads folder.
2. Go to your Good Access Downloads folder, find the downloaded APK file, and tap it to begin the installation.

The GD SDK and the Good Dynamics API

Like all GD-enabled apps, Good Access implements its security features using the GD SDK, with versions currently available for both Android and iOS devices. Short for Software Development Kit, the Good Dynamics Client SDK is the collection of tools you use to securely enhance and customize your enterprise mobility applications, and it allows secured data to be shared between GD-enabled apps like Good Access. The server side of Good Dynamics, known as the GD Platform, is where IT commonly or selectively configures and controls GD-enabled apps on either type of device, even though the respective GD SDKs remain distinct. In all cases, regardless of device OS, you can use GD SDK functionality in your apps to securely enforce:

- User/Device Initialization and Authentication. Every GD-enabled app is required to implement the GD initialization process, ensuring that the user's identity is verified by the NOC and that the correct security policies for the application and user are provisioned to the device. These policies control authentication thresholds like password strength, idle timeout, etc. Where desired, you can also configure GD's Easy Activation feature for your users. Easy Activation simplifies the provisioning process by allowing a Good Dynamics or Good for Enterprise application to hand off activation to a suitable Good application that is already installed on the device, which acts as the activation delegate.
The user still has to retrieve and manually enter a legitimate access key, but only once, right after the first time the app is installed on the device. Thereafter, if a suitable activation delegate is detected, the Easy Activation setup option is presented to the user; if none is discovered, the user is prompted to use the standard provisioning process with an access key.

- Secure Data Storage. The SDK furnishes an encrypted container in which application files can be securely stored. Using the SDK, you can invoke the secure data storage APIs for the file system, database, and Core Data.
- Secure Communications. The SDK lets you securely connect your client apps to enterprise servers that are otherwise inaccessible behind your firewall, using GD's Socket, HTTP Request, or URL Loading System APIs.
- Secure Push Channel. More efficient than polling, the SDK lets you create and maintain a secure push connection to and from enterprise servers. This feature is not currently supported by Good Access but will be in upcoming versions.
- Shared Services (also known as AppKinetics). Allows secure data sharing between GD apps, or for one GD application to be used as the authorization delegate for another. An advanced topic beyond the scope of this guide, GD's AppKinetics technology creates an ecosystem of protected, interoperable mobile applications to maximize employee productivity and effectiveness.

Using the GD SDK and the Good Dynamics APIs allows you to create and manage enterprise-class mobile apps like Good Access that meet the highest security standards. This means you can:

- Containerize any app, by quickly embedding encryption and policy controls into your custom apps, even when source code is unavailable.
- Secure your infrastructure, by automatically encrypting app data in motion and providing app-level authentication outside the firewall.
- Secure communications app-to-app, using patent-pending inter-app communication technology to automatically secure document transfer between GD-enabled apps (e.g., "open in") as well as Good for Enterprise.
- Enable policy controls, empowering your IT group to enforce app-level security controls for jailbreak and root detection, password, lock/wipe, compliance, app-specific custom policies, and data leak prevention (DLP).
- Change policy dynamically, allowing IT to modify policy over the air (OTA) at any time without requiring an app update.

See GD Platform Infrastructure for a brief overview of the physical architecture. Otherwise, beginning with Environment and System Prerequisites, succeeding topics, along with additional resources available on the Good Developers Network (GDN), will take you through the process of setting up the Good Dynamics infrastructure (if it isn't set up already), deploying Good Access, and then showing your users how to activate the browser on their provisioned devices.

Supported Human Languages

Good Access supports the following human languages.
- Dutch
- English
- French
- Italian
- German
- Spanish
- Swedish
About Cookies

Good Access supports both persist ent and non-persistent (session) cookies, which in general are used to maintain session information.

Working with Good Access on iOS

Here are some details about working with Good Access controls. Use the controls at the bottom of the screen for the different features described below.

Viewing Settings, Bookmarks, History, Downloads

Tap the Settings control to view your bookmarks, browsing history, and the files you have downloaded. This control also includes Settings, which is described in Using Settings.

Opening and Sharing URLs ("Send Link")

When you are browsing web pages, tap the bookmarks/sharing icon to share the hyperlink you are viewing (sometimes called "Send Link") with another Good application. When you tap Share, you are prompted to select the application to share with:
You can open and share many different kinds of URLs, including mailto URLs. When you open a URL, you are prompted to choose which browser to open it with: either Good Access itself or any other browser apps from Good on your device.

Adding Bookmarks

With the bookmarks/sharing control, you can add a bookmark for the current page. For a list of all your bookmarks, see Viewing Settings, Bookmarks, History, Downloads.

Back to Caller App

In many of the interactions between Good Access and other Good applications, after you have completed some function, you are prompted to return to the original application you shared from. This prompt is Back to Caller App.

Adding Pages to Tab View

If you have a set of web pages you want to switch among, use the tab view control to add them to the tab view, where you can navigate between them more easily.
Using Settings

Click the Settings control to view or change the Good Access configuration settings. You also have many features in Settings you can use to troubleshoot and send feedback to Good Technology.

Pinging, Tracing, and Looking Up

With the Network Utility, you can use standard networking troubleshooting tools:

- Ping: This is equivalent to the well-known ping command. You can ping servers on the Internet or otherwise to see if your connection is good or if the server is responding.
- Trace: This is equivalent to the well-known traceroute command. You can find out the path ("hops") through the network from your device to some server on the Internet. This is useful especially for debugging network latency.
- Lookup: This is equivalent to the well-known nslookup command. You can enter an IP address to discover its associated fully qualified domain name, or vice versa.

To use the network utilities:

1. Tap the Settings control.
2. Tap Settings.
3. Scroll to find and tap Network Utility.
4. Enter the fully qualified domain name or IP address of the server or device you want to check.
5. Tap Ping.
6. From the control displayed at the bottom, tap Trace or Lookup, if that is what you want to do.
7. Tap Go.

The results of the command are displayed in the area below.

Examining the Console to Debug Problems

You can examine Good Access's built-in console to see the possible causes of difficulties you might encounter. For example, suppose you are attempting to get at a certain web site, but your access is blocked. You can look at the console messages to see if your access is blocked by a policy from your IT administrator.

To examine the console messages:
1. Tap the Settings control.
2. Tap Settings.
3. Scroll to find and tap Console.
4. Look at the displayed messages to see if they indicate what the problem might be. For instance, for a block by policy, you might see this: [console screenshot not reproduced]

Sending Feedback to Good Technology

Good Technology values your comments, suggestions, and ideas. To send feedback about Good Access:

1. Tap the Settings control.
2. Tap Settings.
3. Scroll to find and tap Feedback.
4. Follow the remaining prompts.

Good Technology thanks you for your feedback.

Importing an RSA SecurID Token

This topic is detailed in Appendix E: RSA Implementation Guide for Software Token Authenticators.

Enrolling in Good MDM on iOS with Good Access

Your IT administrator has defined certain device policies that affect the features and behavior of your device, such as password length or ability to use the camera and other features. Every iOS mobile device to be managed by Good Mobile Device Management (MDM) must be enrolled in the service so that these device policies can be applied to your device. Enrollment is a series of steps that places the device under managed control.
Prerequisites for Enrollment

1. You have at least one Good-based application so your device can be enrolled. At this time, Good Technology has supplied Good Access 2.2 for enrollment on iOS, because it has been built with the required version of the GD SDK. Download Good Access from the App Store.
2. Your IT administrator will send an email that includes the name of that application and an access key you need to activate that application and enroll in Good MDM.
3. Multiple device management profiles are not allowed by iOS. Any previously installed device management profile on iOS (such as a profile from GFE) clashes with Good's mobile device management profile, and the new profile cannot be installed.

Important: You must remove the old device profile before enrolling in Good MDM. This is Apple's design of iOS, not a flaw: iOS does not allow possible conflicts among multiple profiles.

Steps for Activation and Enrollment

1. Make sure you are ready with the details discussed in Enrolling in Good MDM on iOS with Good Access.
2. Start the Good-based application provided by your IT administrator.
3. From the email you received, enter your email address and the access key.
4. Set a password for this application.
5. You are informed that the MDM enrollment process will start. Tap Start MDM Enrollment.
6. You are asked if you want to install the displayed profile. Tap Install.
7. If you have a passcode on your device, enter it to proceed.
8. Tap Install to continue.
9. Tap Install to continue.
10. You are informed that your device will be put under Remote Management. Tap Trust.
11. Enrollment is complete; the profile is installed. Tap Done.

Environment and System Prerequisites

Detailed in GD Server Installation, your GD infrastructure is composed of three primary server components: a database, Good Control (GC), and Good Proxy (GP). The GC and GP servers can be installed on the same host machine, or each can reside on its own unique host.
For production environments, it is strongly recommended that the database reside on a machine separate from both GC and GP. However, all three components may be safely installed on the same machine in a development and/or test environment.
Minimal Server Hardware Specifications

The following are the minimum hardware requirements for the GC and GP servers.

Note: These are minimal and are most often used when deploying all components on a single hardware system. In production, you will need more power. Exact hardware sizing depends on the performance you need. See the GD Sizing Guide for results of performance testing to help you make this determination.

Good Control
- Minimal processor: Pentium dual-core, 2 GHz
- Minimum RAM: 4GB. GC allocates approximately 1.5GB of RAM at start-up.
- Minimum disk: 100GB. For installation, a minimum of 50GB is required for the installation files and log files.

Good Proxy
- Minimal processor: Pentium dual-core, 2 GHz
- Minimum RAM: 4GB. The default Java Runtime Engine (JRE) heap size is 2.5GB. The recommended heap size is 60% of physical memory. You can change the heap size after installation with the instructions in the GC console online help topic Maintenance & Troubleshooting > Increasing the GP Server's Java Heap Size.
- Minimum disk: 100GB. For installation, a minimum of 50GB is required for the installation files and log files.

Database
- Minimal processor: Pentium dual-core, 2 GHz
- Initial size:
  - Data files: 2GB [or 10GB?], which grow approximately 2GB per year.
  - Redo logs: 100 MB

Server and OS Software Specifications

The GD servers require one of the following operating systems, real or virtualized:

- Windows Server 2012 or Windows 2012 R2
- Windows Server 2008 or 2008 R2, 32 or 64-bit versions
- Windows 7
Note: Although Good Technology supports Windows 7 for development and testing, do not use Windows 7 as a production platform.

The GD servers need the following network connections:

- A connection to a Microsoft Active Directory server, unless you are installing the Good Proxy in a separate domain.
- A connection to a database (see Server and port diagram for specifics)

Network Requirements

This section describes a standard network integration of the GC and GP servers behind the enterprise firewall.

Intranet Port Configurations

Each GD platform component uses different ports, so you must configure the host machine for each component accordingly. Make sure the following ports are open and available, and ensure that these ports are not in use by other servers or processes.

- The GC server host needs open inbound ports 443 and 17317. Port 443 is required for administrators and users to log into the GC console. The GP and GW installers connect to a GC server over port 443 during the server setup process. GP servers connect to GC servers on port 17317 during policy updates.
- The GP server host needs open inbound ports 17080 and 17433. Additionally, it should have at least 30,000 ports in the dynamic TCP port allocation, which are needed for outbound connections to the GD NOC. (When Direct Connect is configured, however, these ports become inbound.)
- The database host machine needs inbound port 1521 open for Oracle or port 1433 open for SQL Server.
Recommended Good Dynamics Configuration: Direct Connect

To improve performance and reduce latency, with GD Direct Connect you can establish a connection directly with a GP server via a DMZ proxy, bypassing the GD NOC relay servers entirely. This results in the following measurable benefits:

- Reduces round-trip time when your servers are located across the globe.
- Reduces latency for heavy data transactions like large document downloads.
- Restricts the flow of user data over networks in certain geographic locations where compliance requirements demand it, even when encrypted.

For details about Direct Connect, see Direct Connect.

SSL Ciphers between GC and GP Servers for Direct Connect

By default, SSL communications between the GC and GP servers over port 443 for the Direct Connect configuration use the following ciphers:

- TLS_RSA_WITH_AES_256_CBC_SHA256 or
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

One reason you might need to add more ciphers is if you have your own proxy server between your client devices and the GP server configured for Direct Connect. This middle proxy is the one that determines which SSL ciphers to use. You need to ensure that the GP server ciphers correspond to those required by your own proxy. If you need to add more ciphers, after installation, edit the GP server’s configuration file c:\good\gps.properties and add the names of the ciphers to the gps.directconnect.supported.ciphers key. See List of Supported SSL Ciphers between GC and GP Servers for Direct Connect.
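Because a middle proxy can push you toward adding suites that the GP server would otherwise never offer, it is worth auditing what ends up in the gps.directconnect.supported.ciphers key before restarting the server. The following is an added example, not Good's code: the key name and the default suite names come from this guide, while the Java-properties layout, the comma-separated list format, and the sample file content are assumptions constructed for illustration. It reads the key, validates that each entry looks like an IANA-style suite name, and flags suites built on primitives (RC4, DES/3DES, NULL, MD5, export or anonymous exchange) that a current deployment should not negotiate, as well as noting which entries provide forward secrecy.

```python
"""Added example (not Good's code): audit the cipher names placed in the
gps.directconnect.supported.ciphers key of gps.properties. The key name
comes from the guide; the Java-properties file layout and the
comma-separated list format are assumptions, and the sample content below
is constructed."""
import re

CIPHER_KEY = "gps.directconnect.supported.ciphers"

# Constructed sample gps.properties content, not a real GP configuration.
# The third suite is present only to show how a weak addition is flagged.
SAMPLE_GPS_PROPERTIES = (
    "# constructed sample, not a real GP configuration\n"
    "gps.directconnect.supported.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA\n"
)

# IANA-style suite names: TLS_ or SSL_ followed by underscore-separated tokens.
CIPHER_NAME_RE = re.compile(r"^(TLS|SSL)_[A-Za-z0-9]+(_[A-Za-z0-9]+)*$")
# Tokens that mark primitives no current deployment should negotiate.
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "MD5", "EXPORT", "ANON"}
FORWARD_SECRET_TOKENS = {"ECDHE", "DHE"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' separates key from value
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def configured_ciphers(text):
    """The cipher list stored under CIPHER_KEY, split on commas and stripped."""
    value = parse_properties(text).get(CIPHER_KEY, "")
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_ciphers(text):
    """Classify each configured suite: well-formed or malformed, weak, forward-secret."""
    report = {"valid": [], "malformed": [], "weak": [], "forward_secret": []}
    for name in configured_ciphers(text):
        if not CIPHER_NAME_RE.match(name):
            report["malformed"].append(name)
            continue
        report["valid"].append(name)
        tokens = {tok.upper() for tok in name.split("_")}
        if tokens & WEAK_TOKENS:
            report["weak"].append(name)
        if tokens & FORWARD_SECRET_TOKENS:
            report["forward_secret"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit_ciphers(SAMPLE_GPS_PROPERTIES).items():
        print(f"{category}: {names}")
```

Run it against the real file path from the guide (c:\good\gps.properties) by reading that file into `audit_ciphers`; anything in `malformed` will simply never be offered by the server, and anything in `weak` should be reconciled with the proxy's requirements rather than accepted to make the handshake succeed.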
Outbound Firewall Configurations

If you limit outbound requests through your enterprise firewall, you need to permit access to the following IP ranges in order for the GC and GP servers to connect to the GD Network Operations Center (NOC):

- 206.124.114.1 through 206.124.114.254 (206.124.114.0/24) on port 443
- 206.124.121.1 through 206.124.121.254 (206.124.121.0/24) on port 443
- 206.124.122.1 through 206.124.122.254 (206.124.122.0/24) on port 443

You may alternatively wish to permit access to the specific network host names:

- gdentgw.good.com on port 443
- gdrelay.good.com on port 443
- gdweb.good.com on port 443
- gdmdc.good.com on port 443
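The intranet port list above and this outbound allowlist are the two network facts an installer most often gets wrong, and both are easy to verify mechanically before the GC and GP installers are run. The following is an added example, not Good's code, serving both passages: it takes the required inbound ports per role and the NOC /24 ranges on port 443 exactly as this guide lists them, checks a netstat-style listener dump for missing listeners, and flags outbound connections whose destination is not a permitted NOC endpoint. The netstat and egress lines are constructed samples in an assumed format; on a real host you would feed it the output of your own listener and connection-log tooling.

```python
"""Added example (not Good's code): check a GD server host's listening ports
and its outbound destinations against the inbound-port and NOC-egress
requirements stated in this guide. Sample inputs are constructed."""
import ipaddress
import re

# Required inbound TCP ports per GD server role, as listed in the guide.
REQUIRED_INBOUND = {
    "gc": {443, 17317},
    "gp": {17080, 17433},
    "db-oracle": {1521},
    "db-sqlserver": {1433},
}

# GD NOC address ranges and port from the guide's outbound allowlist.
NOC_NETWORKS = [ipaddress.ip_network(c) for c in
                ("206.124.114.0/24", "206.124.121.0/24", "206.124.122.0/24")]
NOC_PORT = 443

# Constructed sample in the shape of Windows "netstat -ano" output
# (Proto, Local Address, Foreign Address, State, PID).
SAMPLE_LISTENERS = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:17317          0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:123            *:*                                    700
"""

# Constructed sample egress records in an assumed "src:port -> dst:port" format.
SAMPLE_EGRESS = [
    "10.1.2.5:51000 -> 206.124.114.20:443",
    "10.1.2.5:51001 -> 206.124.121.7:443",
    "10.1.2.5:51002 -> 206.124.122.9:8080",   # right network, wrong port
    "10.1.2.5:51003 -> 198.51.100.4:443",     # not a NOC address at all
]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
EGRESS_RE = re.compile(r"^\s*\S+:\d+\s*->\s*(\S+):(\d+)\s*$")


def listening_tcp_ports(netstat_text):
    """Set of TCP ports in LISTENING state parsed from netstat-like output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def missing_inbound_ports(role, netstat_text):
    """Required ports for `role` that have no listener yet, sorted."""
    return sorted(REQUIRED_INBOUND[role] - listening_tcp_ports(netstat_text))


def is_noc_destination(ip_text, port):
    """True when ip:port lies inside the guide's NOC ranges on port 443."""
    ip = ipaddress.ip_address(ip_text)
    return port == NOC_PORT and any(ip in net for net in NOC_NETWORKS)


def unexpected_egress(records):
    """Egress records whose destination is not a permitted NOC endpoint.

    Unparseable records are surfaced rather than silently dropped, so a
    format change in the log source cannot hide a connection."""
    flagged = []
    for rec in records:
        m = EGRESS_RE.match(rec)
        if not m:
            flagged.append(rec)
            continue
        dst, port = m.group(1), int(m.group(2))
        if not is_noc_destination(dst, port):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    print("GC missing listeners:", missing_inbound_ports("gc", SAMPLE_LISTENERS))
    print("GP missing listeners:", missing_inbound_ports("gp", SAMPLE_LISTENERS))
    print("Unexpected egress:", unexpected_egress(SAMPLE_EGRESS))
```

The same `unexpected_egress` check is useful after go-live: a GC or GP host that starts talking to destinations outside the NOC ranges on 443 (or to the NOC ranges on other ports) is either misconfigured or worth an incident ticket, since the guide states these servers need no other Internet egress.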
If you make connections through a web proxy server, please make sure to enter the proxy information in both the GC and GP installers when asked to do so.

Note that no inbound ports through the enterprise firewall are required for the Good Dynamics platform. The following diagram details the ports and connections between the components of the GD platform. Keep the following in mind as you read the diagram:

- All connections are TCP, not UDP.
- Arrows originate at the point from which communications are established. The direction of the arrows reflects neither the flow of data nor the end which initiates commands.
- The selection of high or low port numbers for clients connecting to Good Technology NOC servers is configurable for each enterprise.
- “Secure Communication” refers to data that is sent by using the GD Socket and GD HTTP Request APIs.
Server and port diagram [diagram not reproduced]
Other Considerations

Other initial environment considerations include provisioning for email support and running the GC console on a Windows PC.

Email Server Configuration Requirements

For email, the GD platform depends on the proper configuration of server software, like Microsoft Exchange, which is not subject to the direct control of the GD installation software. This essentially means that if you are using Exchange or Domino for email, you will need to configure the respective server to include a dedicated receive connector for your GC server’s IP address.

Browser Recommendations for GC Console

The following browsers are currently supported:

- Firefox 3.6 and later
- Chrome 13 and later
- IE8, IE9, and IE10

Versions of Internet Explorer older than IE 7 are not supported.

Installing the Good Dynamics Platform

Complete server-side installation instructions for the GD Platform are available in GD Server Installation Instructions found in the Resource Library on the Good Developer Network. The setup steps concisely enumerated here are strictly intended to overview the process for level-of-effort scoping purposes. To successfully deploy your GD Platform infrastructure, you must:

a. Set up the requisite database; either Oracle XE 10g/11g or Microsoft SQL Server, the latter using SQL Server Management Studio.
b. Properly install Good Control and Good Proxy behind your firewall, singly or in cluster, allocating the appropriate communications channels, port-to-port, between the database, the GD NOC, and your enterprise application servers, at which point you can also determine if you wish to also use Direct Connect to speed up long-distance transmissions of high-traffic applications. Note: Direct Connect requires opening a bidirectional port. Refer to the Direct Connect Feature Summary and Configuration Guide for details.
c. Upon completing GD server installation, be sure to look through the GC and GP release notes for the latest information on updating your database and server software.
d. Install the GD SDK.
   - In support of Android clients, see GD SDK for Android: Installation and, for additional detail, Getting Started with the GD SDK for Android.
   - In support of iOS clients, see GD SDK for iOS: Installation. Additional details are available in Getting Started with the GD SDK for iOS.
e. Although the GC and GP server installers generate SSL certificates for your servers to use, you have the option of replacing these with certificates signed by well-known certificate authorities like VeriSign and Thawte, or with certificates generated by your own enterprise CA. GD Server Installation Instructions contains complete instructions for generating, installing, and/or switching to CA-signed SSL certificates.
f. Connect Good Control with the database and configure all GC-related database properties.
g. Configure global GC server properties, namely:
   - User self-service (optional)
   - Active Directory settings for searching and verifying new users
   - GD NOC server locations and connection configurations.
h. Configure all other local and server-specific properties. While many properties can be modified directly from the GC console, some properties are view-only and not editable. If the property is global in scope, you can change it from any GC console in the cluster. For server-specific settings, however, you must log into the console of the server requiring individual modification to change its properties. Important: Always save property changes to the database.
i. Configure Good Proxy to connect to other servers through a web proxy server and optionally change/switch its SSL certificate. GP server property values are initially set based on information supplied to the GP installer and should not be modified unless your proxy server configuration changes or you need to use a different proxy server. As well, the GP installer stores a GC-signed certificate for its use, although you can switch to a CA-signed certificate by modifying your GP server’s gd.security.keystore.alias property.
Configuring SSL-Certificate-Based Client Authentication in Good Dynamics

Configuring Good Control and Good Proxy in the Direct Connect configuration to enable SSL-certificate-based client authentication is documented in GD Direct Connect on the Good Developer Network.

Using Kerberos Authentication

Kerberos Constrained Delegation is a GD deployment option for user authentication. The Kerberos ticketing service issues "authentication tickets" that are used for user authentication. There are two parts to setting up Kerberos Constrained Delegation for Good Access:

- Installing Kerberos with the GD servers. This topic is discussed in detail in Kerberos Constrained Delegation.
- Enabling Kerberos for Good Access. This is discussed below.
As part of setting an application policy in Good Control for the Good Access application, you can enable Kerberos forwardable tickets.

1. Log in to Good Control.
2. Open Policy Sets, open the desired policy, click the Application Policies tab, find Good Access in the list of applications, click the triangle to the left of the name, and click the Network tab.
3. Make sure that Enable Kerberos Forwardable Ticket is checkmarked.
4. If you have multiple Kerberos domains and want to include them as authentication sources, see Domain to Kerberos Realm Mapping.
5. Save your changes.

Domain to Kerberos Realm Mapping

When a client attempts to access a service running on a particular server, it knows the name of the service (host) and the name of the server (foo.example.com), but because more than one Kerberos realm may be deployed on your network, it must guess at the name of the realm in which the service resides. By default, the name of the realm is taken to be the DNS domain name of the server, upper-cased:

foo.example.org → EXAMPLE.ORG
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM

In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existent realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified.

For Good Access domain to realm mapping, you can record a list of comma-separated equivalencies in which the first mapping in the list is treated as the default domain mapping. It will be used if the user has left the Domain field empty, as well as when the server requires NTLM or Kerberos authentication.

To map domains to Kerberos realms:

1. Log in to Good Control.
2. Open Policy Sets, open the desired policy, click the Application Policies tab, find Good Access in the list of applications, click the triangle to the left of the name, and click the Network tab.
3. Enter the list of comma-separated values in the field provided using this syntax. The value of REALM must be in uppercase:

   REALM=domain

   Example: EASTDOM=east.company.com

4. Save your changes.
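To make the realm-selection behaviour concrete before you type a mapping list into the policy, here is an added example that is not Good's code. It implements the two rules this section states: the default rule (the server's DNS domain, upper-cased) and the REALM=domain list in the comma-separated syntax shown above, with the first entry acting as the default. Two details are assumptions rather than documented behaviour: that a server is matched to a mapping when its name ends with the mapped domain, with the longest matching domain winning, and that this explicit match takes precedence over the list's default entry. The mapping strings used as input are constructed.

```python
"""Added example (not Good's code): resolve the Kerberos realm for a server
name using the default DNS-domain-uppercased rule and an explicit
REALM=domain mapping list in the comma-separated syntax shown in the guide.
Suffix matching and its precedence over the default entry are assumptions."""


def parse_realm_mappings(text):
    """Parse 'REALM=domain,REALM2=domain2' into an ordered list of
    (realm, domain) pairs. Rejects entries that are not REALM=domain and
    realms that are not uppercase, which the guide requires."""
    mappings = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"entry {item!r} is not in REALM=domain form")
        realm, domain = (part.strip() for part in item.split("=", 1))
        if not realm or realm != realm.upper():
            raise ValueError(f"realm {realm!r} must be uppercase")
        if not domain:
            raise ValueError(f"entry {item!r} has an empty domain")
        mappings.append((realm, domain.lower().rstrip(".")))
    return mappings


def default_realm_for(server):
    """Default rule from the guide: the server's DNS domain name, upper-cased."""
    labels = server.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # a bare hostname carries no domain to derive a realm from
    return ".".join(labels[1:]).upper()


def realm_for(server, mappings):
    """Choose the realm for `server`.

    Order applied here (the precedence is an assumption):
    1. an explicit mapping whose domain is the server's domain or a parent
       of it, preferring the longest (most specific) domain;
    2. otherwise the first mapping, which the guide calls the default;
    3. otherwise the DNS-derived realm.
    """
    host = server.lower().rstrip(".")
    best = None
    for realm, domain in mappings:
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[1]):
                best = (realm, domain)
    if best is not None:
        return best[0]
    if mappings:
        return mappings[0][0]
    return default_realm_for(server)


if __name__ == "__main__":
    # Constructed mapping list in the guide's syntax.
    maps = parse_realm_mappings("EASTDOM=east.company.com, WESTDOM=west.company.com")
    for name in ("svc.east.company.com", "svc.west.company.com",
                 "svc.other.company.com", "foo.hq.example.com"):
        print(name, "->", realm_for(name, maps), "| default rule:", default_realm_for(name))
```

Running `parse_realm_mappings` on the value you intend to enter catches the most common mistake, a lowercase realm, before it silently produces a realm that no KDC serves; and `realm_for` lets you confirm that servers in an unmapped domain really do fall through to the default entry you placed first.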
Good Control Basics

Complete instructions on navigating and using your GC console are in the online help, accessed by clicking the Help link in the extreme upper right corner of the screen. Here, we merely cover the basics. Remember that, before your first application can be set up, the following conditions must be met:

- GC and other infrastructure components are installed at the enterprise.
- GC and other infrastructure components are registered on the Good Dynamics network.
- You have a Good Dynamics client application, like Good Access.
- The Application Server, if any, is installed at a known address.

With the foregoing in place, your Good Control console can now be used to securely manage three general types of applications:

- Good Applications – apps provided by Good are automatically available to your licensed enterprise.
- Partner Applications – are provided by business partners of Good and are also made available automatically.
- Enterprise Applications – are custom apps written for or by your enterprise for your enterprise users. Unlike Good and Partner apps, these must be manually added through the GC console.

With respect to Good apps and Partner apps, GC admins can choose to allow or deny these applications for the Everyone user group, applications groups, or even individual users. Administrators cannot, however, modify app information such as the application name, nor can they add or delete application versions.

By contrast, Enterprise applications must first be registered in the GC console before they can be securely deployed and managed. Registration information must match the information configured in the client libraries of each application, and each Application ID must be unique. Then, like all GC-managed apps, you can choose to allow or deny these applications to user groups and/or individuals as your IT policies dictate.
Likewise at this point, all server-side components requiring access by an app must also be registered in GC.

The following topics cover the basics of Good Control administration:

- Viewing Registered Applications
- Granting Application Permissions
- Managing Application Permissions for a Group
- Setting User Policies
- Setting Good Access Application Policy
- Using Kerberos Authentication

Viewing Registered Applications

To view currently registered applications, click Applications in the main navigation panel on the left side of the screen. The list of all applications registered with GC is displayed, sorted first by Enterprise apps, followed by Good and Partner apps.
From the list of Good applications, make sure that Good Access is included.

Granting Application Permissions

Good Control has two levels of application permissions: group level and user level. Creating application groups is an easy way to apply the same baseline application permissions to many users. By creating a new group, then setting its allowed and denied applications, you can add users to the group in batch. Each added user inherits all the permissions of the new group. An “Everyone” group is automatically created when GC is installed. By default, all GC users belong to this group, furnishing a quick and reliable method of enabling an application for all users.

The following application group rules apply:

- Users can belong to multiple groups.
- The most restrictive permission will apply when a user exists in more than one group.
- User level permissions set explicitly for an individual always override group level permissions.

Managing Application Permissions for a Group

Application groups are an easy way to apply the same base application permissions to many users. On the edit screen for a group, make sure the Applications tab is active. To grant permission to an application or application version, click the Add icon for the Allowed Applications list. A popup displays a list of applications and application versions not yet permitted or denied for the group. If the list is long, you can use the filter to limit the list. You can also select from the View dropdown to limit the list to only Organization applications or Good or Partner Applications.

Important: Your designated Good Control administrator will need to manually enable previous versions of Good Access, specifically versions 1.1.0.0 and 1.0.0.0, so that users who fail to immediately upgrade to the latest version are not unnecessarily blocked from using the Good Access browser currently on their device. Hence, if you do not take the following steps, some users will be disabled upon upgrade to the most current version of Good Access.

To grant permissions to the “Everyone” group to use earlier versions of Good Access:

1. Open the Applications tab, then click the Add icon for Allowed Applications.
2. Filter the list by entering “good access" in the search field and clicking the checkmark.
3. Explicitly mark (check) both Good Access – 1.1.0.0 and Good Access – 1.0.0.0 (as pictured). Each of these versions is registered with Application ID com.good.gdgma.
4. Click OK to apply your changes.

Apart from the app name and version(s), the process is identical for defining group permissions for any other registered application in Good Control.
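The three group rules above, together with the warning about unlisted older versions, define a small permission-resolution algorithm, and writing it out makes it easy to predict who will be cut off before an upgrade is pushed. The following is an added example, not Good's code: the Application ID com.good.gdgma and the versions 1.1.0.0 and 1.0.0.0 are from this guide, while the group and user tables, the user names and the 2.2.0.0 version string are constructed. One reading is an assumption and is marked as such: an application version that no group and no user entry mentions is treated as not permitted, which is the outcome the Important note warns about.

```python
"""Added example (not Good's code): compute a user's effective permission
for an application version under the group rules stated in the guide:
a user may belong to several groups, the most restrictive group verdict
wins, and an explicit user-level permission overrides the groups. The
tables below are constructed sample data."""

ALLOW, DENY = "ALLOW", "DENY"
GMA = "com.good.gdgma"   # Good Access Application ID, from the guide

# Group -> {(app_id, version): verdict}. "Everyone" is the group GC creates
# at install time and every user belongs to by default. 2.2.0.0 is a
# constructed version string used only for illustration.
GROUP_PERMISSIONS = {
    "Everyone": {(GMA, "2.2.0.0"): ALLOW, (GMA, "1.1.0.0"): ALLOW},
    "Finance":  {(GMA, "1.1.0.0"): DENY},
    "Pilot":    {(GMA, "2.2.0.0"): ALLOW},
}
GROUP_MEMBERS = {
    "Everyone": {"alice", "bob", "carol", "erin"},
    "Finance":  {"bob", "erin"},
    "Pilot":    {"carol"},
}
# Explicit user-level permissions; these override whatever the groups say.
USER_PERMISSIONS = {
    "bob":   {(GMA, "1.1.0.0"): ALLOW},
    "carol": {(GMA, "1.1.0.0"): DENY},
}


def groups_of(user):
    """All groups the user belongs to (rule 1: membership is many-to-many)."""
    return sorted(g for g, members in GROUP_MEMBERS.items() if user in members)


def effective_permission(user, app_id, version):
    """Return (verdict, source); `source` names the rule that decided."""
    key = (app_id, version)
    explicit = USER_PERMISSIONS.get(user, {}).get(key)
    if explicit is not None:
        return explicit, "user"            # rule 3: explicit user setting wins
    verdicts = [GROUP_PERMISSIONS[g].get(key) for g in groups_of(user)]
    verdicts = [v for v in verdicts if v is not None]
    if not verdicts:
        # Assumption: a version nobody has allowed or denied is not usable,
        # which is why the guide says to enable old versions explicitly.
        return DENY, "unconfigured"
    return (DENY if DENY in verdicts else ALLOW), "group"   # rule 2: most restrictive


def blocked_users(app_id, version, users):
    """Users who would be denied this version: run this for each version
    still installed in the field before rolling out a new one."""
    return sorted(u for u in users
                  if effective_permission(u, app_id, version)[0] == DENY)


if __name__ == "__main__":
    everyone = sorted(GROUP_MEMBERS["Everyone"])
    for ver in ("2.2.0.0", "1.1.0.0", "1.0.0.0"):
        print(f"{GMA} {ver}: blocked ->", blocked_users(GMA, ver, everyone))
```

Note what the last line of output shows for 1.0.0.0: with no group or user entry for that version, every user is blocked, which is exactly the situation the Important note tells the administrator to avoid by adding the older versions to the Everyone group's Allowed Applications.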