Configuring SSO

These settings apply to supervised devices and devices operating in basic control mode.

The SSO settings let you configure account settings for using Single Sign-On technology. Single Sign-On (SSO) is an authentication method that allows a user to sign in to multiple services with a single ID. The Kerberos protocol is used for user authentication.

To configure the use of SSO on iOS MDM devices:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select iOS and go to the Device configuration section.
On the SSO card, click Settings.
The SSO window opens.
Enable the settings using the SSO toggle switch.
Specify the following settings:
- In the Account name field, specify the name of the user's Single Sign-On account for Kerberos server authorization. You can either enter a value or select a macro by clicking the button.
- In the Authentication section, specify the authentication settings:
  - Kerberos user name
    Main name of the account of an iOS MDM device user on the Kerberos server. The Kerberos user name is case-sensitive and must be specified in the format <primary>/<instance>, where:
    
    1. <primary> is the user name.
    
    2. <instance> is a description of the primary name, such as "admin". The instance may be omitted.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM or mycompany@EXAMPLE.COM, you must enter mycompany/admin or mycompany respectively,
    
    You can either enter a value or select a macro by clicking the button.
    
    Do not use the at sign (@) in this field. Otherwise the SSO profile will not be applied on the device.
  - Kerberos scope
    Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
    
    The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
  - Authentication certificate
    The certificate used for user authentication.
- In the URL prefixes section, specify the addresses of websites on which Kaspersky Mobile Devices Protection and Management allows using SSO:
  - Limit account to the listed URLs
    Use of Single Sign-On for automatic sign-in only to websites added to the list of allowed web addresses. You can create a list of allowed web addresses by clicking the Add URL button next to the check box.
    
    If the check box is selected, the user can use Single Sign-On for authorization on websites that have been added to the list of allowed web addresses.
    
    If the check box is cleared or the list is empty, the user can use Single Sign-On for all websites within the Kerberos scope.
    
    Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
    
    The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
    
    This check box is cleared by default.
  - Add URL
    Clicking the button adds the URL prefix field for specifying a new website in the list of web addresses for which automatic Single Sign-On is allowed.
    
    The button is available if the Limit account to the listed URLs check box is selected.
    
    The web address must begin with http:// or https://. Automatic Single Sign-On is performed only when the URL fully matches the URL template. For example, the web address https://example.com/ does not match the web address https://example.com:443/.
    
    To allow Single Sign-On access only to websites that use the HTTP protocol, enter the value http://. To allow access only to websites that use the secure HTTPS protocol, enter https://.
    
    If the web address does not end with the "/" symbol, Kaspersky Mobile Devices Protection and Management adds this symbol automatically.
    
    If the list of allowed web addresses is empty, the user can use Single Sign-On to automatically sign in to all websites within the Kerberos scope.
    
    Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
    
    The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
- In the Bundle IDs section, specify the IDs of apps in which Kaspersky Mobile Devices Protection and Management allows using SSO:
  - Limit account to the listed apps
    Using Single Sign-On for automatic sign-in to apps added to the list of bundle identifiers. You can create a list of bundle IDs by clicking the Add app button next to the check box.
    
    If the check box is selected, the user can use Single Sign-On only for authorization in apps that have been added to the list of bundle IDs.
    
    If the check box is cleared or the list is empty, the user can use Single Sign-On for all apps within the Kerberos scope.
    
    Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
    
    The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
    
    This check box is cleared by default.
  - Add app
    Clicking the button adds the Bundle ID field for specifying a new bundle ID in the list of apps for which automatic Single Sign-On is allowed.
    
    The button is available if the Limit account to the listed apps check box is selected.
    
    Automatic Single Sign-On is performed only when the added ID fully matches the bundle ID. For example: com.mycompany.myapp.
    
    To grant access to several apps using Single Sign-On, use the "*" symbol after the "." character. For example: com.mycompany.*. Access will be allowed to all apps whose bundle ID begins with the specified prefix.
    
    If the list of bundle IDs is empty, the user can use Single Sign-On to automatically sign in to all apps within the Kerberos scope.
    
    Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.
    
    The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.
    
    Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.
Click OK.
Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, SSO is configured on the iOS MDM device.

Page top