Transcription
BlackBerry Dynamics Bindingsfor Xamarin.iOSDevelopment Guide4.2
2018-10-11Z 2
ContentsAbout this guide.5Relation to BlackBerry Dynamics SDK.5BlackBerry Dynamics background. 6BlackBerry Dynamics API reference. 6FIPS 140-2 compliance. 6Easy Activation. 7Securing cut-copy-paste on devices (Data Leakage Prevention, or DLP). 7Shared Services Framework.7Support for fingerprint authentication. 7Support for Face ID.8Support for client certificates.8Support for the "Do not require password" setting. 8Bypassing the App Lock screen. 9Supported languages. 9Requirements. 10BlackBerry Dynamics software versions. 10Compatibility with earlier releases. 10Licensing for Xamarin.10Software requirements.10BlackBerry Dynamics entitlement ID and version.10Distinction from and use with native language identifiers. 12Required build-time declarations: URL type. 12Security changes in iOS 9 and later.13Restricted key prefix. 14Steps to get started with the BlackBerry Dynamics Bindings for Xamarin. 15Install the BlackBerry Dynamics Bindings for Xamarin.15Location and names of DLLs. 15Install the BlackBerry Dynamics SDK.16Load bindings for a new project.17Enable apps to link for FIPS 140-2 compliance. 17Developing apps in Microsoft Visual Studio on Windows with the Mac Agent.18Implementing a BlackBerry Dynamics event listener. 19Specify GDappID and Version. 19Use GDnAppEvent to process events.19 iii
Special-case the OnNotAuthorized events.20On authorization, start the app UI. 21Implementing the BlackBerry Dynamics Launcher.22Sample apps. 24Testing and troubleshooting. 25Rely on Visual Studio testing tools.25About the BlackBerry Dynamics SDK for Xamarin.Forms.26Principal interfaces.26Using the BlackBerry Dynamics SDK for Xamarin.Forms. 26Readying your app for deployment: server setup.28Details of support for client certificates. 29BlackBerry Dynamics SDK support for personal certificates (PKCS12 or PKI certs).29Certificate requirements and troubleshooting.30Client certificate sharing among BlackBerry Dynamics-based applications. 30Kerberos PKINIT: User authentication with PKI certificates.31Legal notice. 34 iv
About this guideThis guide is an introduction to the BlackBerry Dynamics bindings for Xamarin. The guide focuses on how toinstall the SDK, how to use the provided plugins, and introduces the sample apps that are packaged with the SDK.This guide is intended for software developers who already have an understanding of developing software withXamarin. It is not a tutorial on programming with Xamarin. It assumes that you have working knowledge of thelanguage and concepts. The guide also assumes that you have installed the supported version of Xamarin. Forinformation about how to install, see the instructions at https://www.xamarin.com/.Relation to BlackBerry Dynamics SDKApps developed with the Xamarin bindings rely on the underlying BlackBerry Dynamics SDK. The full set of theSDK's APIs has been bound to a C#/.NET counterpart. For example: BlackBerry Dynamics SDK for iOS Objective-C: n C#/.NET: static onDelegate (stringapplicationDelegate); About this guide 5
BlackBerry Dynamics backgroundThe following sections provide some background information that can help you understand the features of theBlackBerry Dynamics SDK.The way that these features are implemented in your environment will depend on how your administrator hasconfigured your organization's servers, your network, and other infrastructure.BlackBerry Dynamics API referenceThe BlackBerry Dynamics SDK API reference describes the available interfaces, classes, methods, and muchmore.You can access the iOS API reference: Online at api-reference.html.In the installed directories for the BlackBerry Dynamics SDK for iOS. In Xcode, the BlackBerry Dynamics SDKReference can be viewed from the Organizer window in the Documentation section in Xcode.FIPS 140-2 complianceBlackBerry Dynamics apps must comply with U.S. Federal Information Processing Standards (FIPS) 140-2.The BlackBerry Dynamics SDK distribution contains FIPS canisters and tools and, by default, enforces FIPScompliance.There are two components involved in enabling FIPS:ComponentDescriptionBlackBerry Dynamics appThe app must start in FIPS-compliant mode. The BlackBerry DynamicsSDK determines whether a service is running in FIPS mode when theapp communicates with the server to receive policies. All apps must bewritten for FIPS compliance.Policy server (either standaloneGood Control or BlackBerry UEM)For more details on FIPS policies, see Readying your app for deployment:server setup.FIPS compliance enforces the following constraints: MD4 and MD5 are prohibited. As a result, access to NTLM-protected or NTLM2-protected web pages and filesis blocked.Wrapped apps are blocked.In secure socket key exchanges with ephemeral keys, with servers that are not configured to use DiffieHellman keys of sufficient length, BlackBerry Dynamics retries with static RSA cipher suites.Note: When you enable FIPS compliance, user certificates must use encryption that meets FIPS standards.If a user tries to import a certificate with encryption that is not compliant, the user receives an error messageindicating that the certificate is not allowed and cannot be imported. BlackBerry Dynamics background 6
Easy ActivationThe Easy Activation feature simplifies the provisioning process by allowing a BlackBerry Dynamics app to handoff activation to an app that is already installed on the device and can act as the activation delegate. The user hasto retrieve and manually enter an access key only the first time they install a BlackBerry Dynamics app.Securing cut-copy-paste on devices (Data Leakage Prevention, orDLP)You can use the BlackBerry Dynamics SDK to protect certain data copied and pasted between apps on your users'devices.For iOS, you don't need to do any additional programming to support secure cut and paste.Server administrators must enable the Data Leakage Prevention policies in the management console.To enable sharing among a group of apps, the apps must be provisioned from the same BlackBerry Controlservice for each user.If the Data Leakage Prevention settings are enabled in your environment, you can work around them when youneed to debug your app. For more information, see the BlackBerry Dynamics SDK API Reference.Shared Services FrameworkBlackBerry Dynamics-enabled apps can communicate with each other using the Shared Services Framework.There are two kinds of shared services: Server-side servicesClient-side servicesThe BlackBerry Dynamics SDK contains sample apps that show how these services work.For a conceptual background, see BlackBerry Dynamics Services Framework.Support for fingerprint authenticationSupport for fingerprint recognition is a supplement to standard BlackBerry Dynamics secure user authentication,not a replacement for it. BlackBerry Dynamics includes the following policies related to fingerprint authentication.These settings are configured using policies in the management console: Allow or disallow fingerprint authentication for BlackBerry Dynamics-based apps in general.If fingerprint authentication is allowed, you can also allow or disallow it for BlackBerry Dynamics appsimmediately after app coldstart. If you do not allow it after app coldstart, the user must enter the password forthe app.Require the end user to enter a password after a specified interval.Note: For app developers, no additional programming work is necessary for fingerprint authentication.For more information, see BlackBerry Dynamics and Fingerprint Authentication. BlackBerry Dynamics background 7
Support for Face IDThe BlackBerry Dynamics SDK for iOS version 4.0 and later supports Face ID. An administrator can enable ordisable the feature in a BlackBerry Dynamics profile in UEM or security policy in Good Control.For applications built for iOS 11 or later, each application must add the NSFaceIDUsageDescription key to theInfo.plist file. For more details about Face ID, see the BlackBerry Dynamics SDK for iOS API Reference.If a BlackBerry Dynamics app is using version 4.0 of the SDK and the management console has not beenupgraded to UEM 12.8 or later, or Good Control 5.0 or later, access to the Face ID feature is controlled by theTouch ID setting (Allow Touch ID for Idle Unlock).Support for client certificatesBlackBerry Dynamics supports many popular uses of client-side Public Key Infrastructure (PKI) certificates tosecure apps and communications: General requirements for working with PKI certsDescription of client certificate sharing among BlackBerry Dynamics apps on a deviceKerberos PKINIT: client certificates in the Kerberos authentication model. (This is not Kerberos ConstrainedDelegation, or KCD).Support for the "Do not require password" settingThe BlackBerry Dynamics Runtime supports the "Do not require password" setting in a BlackBerry Dynamicsprofile in UEM or in a security policy in standalone Good Control. When this setting is enabled by an administrator,users cannot set a password for a BlackBerry Dynamics app or BlackBerry Dynamics container. Note that thissetting does not apply to the device password.This setting is available in BlackBerry UEM 12.7 or later and standalone Good Control 3.0.50.70 or later.Security considerations Consider the security impact to your organization's environment before an administrator enables this setting.If enabling this feature does not meet security standards, consider other options, including authenticationdelegation or assigning the profile to specific users or groups that are already assigned device managementprofiles or other controls.Do not enable the "Do not require password" setting and authentication delegation in the same policy set.When the "Do not require password" setting is enabled, authentication can be accomplished only through userinteraction or autonomously. For more information, see "canAuthorizeAutonomously" in the SDK programmingreference for iOS or Android.User experience when the rule is enabled or disabledIf a BlackBerry Dynamics app requires a password and the administrator enables the "Do not require password"setting, the next time the user opens the app, the app displays a message that a password is no longer required.As long as the feature is enabled, the user is not prompted for a password.If the administrator disables the "Do not require password" setting, the next time the user opens the app, the appdisplays a message that a password is required. The user is prompted to specify a password. BlackBerry Dynamics background 8
iOS: Optional APIs for the "Do not require password" policy ruleYou can call the [GDiOS sharedInstance].canAuthorizeAutonomously method to determine whetherthis feature is enabled for a BlackBerry Dynamics app.If the app has received an APNS message or a Background Fetch period, or has been launched in the background,you can call the [GDiOS sharedInstance].authorizeAutonomously method to start the authorizationprocess.The SecureStore sample app illustrates the use of these methods.For syntax and details, see the SDK programming reference.Bypassing the App Lock screenBlackBerry Dynamics supports the ability of an app to bypass the BlackBerry Dynamics user authentication/lockscreen. Some organizations want this feature, particularly in VoIP apps where the user needs to respond quicklyto an incoming call.Note: Enabling this policy weakens the security inherent to BlackBerry Dynamics.For information about requesting this feature, the necessary programming for bypassing the lock screen, thesetup of a required app policy, and other details, see Bypass Unlock: BlackBerry Dynamics app Developer Guide.Supported languagesThe BlackBerry Dynamics SDK supports the following languages. No SDK calls are required to use a particularlanguage; the interface selects the appropriate language based on the language setting the user has configuredon their device. English (US)Chinese KoreanPortuguese (Brazil)Portuguese (Portugal)SpanishSwedish BlackBerry Dynamics background 9
RequirementsBlackBerry Dynamics software versions BlackBerry Dynamics SDK for iOS 4.2.xBlackBerry Dynamics Launcher Library for iOS 2.8.xBindings for Xamarin.iOS 4.2.xCompatibility with earlier releasesThe latest release of the BlackBerry Dynamics SDK is compatible with the previous two releases.Note: You should always build with and test against the most recent release. The most recent release has bugfixes and new features that you should test and deploy regularly.Licensing for XamarinTo create BlackBerry apps with Xamarin, you must purchase a valid software license from Xamarin. BlackBerrydoes not provide this license. You can use any of these license types: CommunityProfessionalEnterpriseSoftware requirementsDevelopment environment: Latest version of the BlackBerry Dynamics SDK for iOSXamarin.iOS 11.6.1.4 or later Follow the Xamarin.iOS requirementsmacOS 10.11.6 or laterXcode 8.1 or lateriOS SDK 10.0 or laterBlackBerry Dynamics entitlement ID and versionBlackBerry Dynamics apps are uniquely identified by a BlackBerry Dynamics entitlement ID (GDApplicationID)and entitlement version (GDApplicationVersion). The entitlement ID and entitlement version are used tomanage end-user entitlement for your apps, as well as for publishing and service provider registration. TheBlackBerry Dynamics entitlement ID was formerly known as the app ID or GD App ID.The entitlement ID is used in the app, in the BlackBerry UEM or standalone Good Control management console forapp management, and in some administrative user interfaces on the application developer portal. Requirements 10
Note: The entitlement ID and entitlement version are different from the native application ID and nativeapplication version. The native application ID is a unique identifier for the app that is used by the OS andassociated platforms (for example, the package name for Android or bundle identifier for iOS). The nativeapplication version is the app version number that you must change if you want to distribute a new version of anapp. You only need to change the entitlement version if the app starts to provide a new shared service or sharedservice version, or if the app stops providing a shared service or shared service version. For more informationabout when to change the entitlement ID and entitlement version, see the BlackBerry Dynamics API reference.Requirements for the entitlement ID and entitlement versionRequirementDescriptionRequired for appsYou must define both the entitlement ID and the entitlement version for allyour BlackBerry Dynamics apps, regardless of whether you use the BlackBerryDynamics Shared Services Framework. Developers and administrators shouldensure that the value specified for the GDApplicationVersion key in theapp configuration files is the same as the value the administrator specifies inBlackBerry UEM or in standalone Good Control.The entitlement version is independent of any native version identifier.For more information, see Distinction from and use with native languageidentifiers.Represent the same appacross all platformsThe same entitlement ID must be used to represent the app across allplatforms. By default, access to apps varies by the type of app: Naming schemeEntitlement ID formatDevelop a naming scheme to meet your needs. For example: Entitlement ID: com.manufacturingco.gdEntitlement version: 1.0.0.0Native application version: 2.0 The general form of an entitlement ID is company name . app name .The ID must use reverse domain name form, for example,com.company.example. Use a domain name owned by your organization.The ID must not begin with com.blackberry, com.good, com.rim, or net.rim.The ID can contain only lower-case letters, numeric digits, hyphens, andperiods.The string must follow the subdomain format defined in section 2.3.1 ofRFC 1035, as amended by Section 2.1 of RFC RFC 1123. Entitlement version valueBy default, all versions of partner or ISV apps are available to all authorizedusers in any organization that the app has been published to.By default, each version of a BlackBerry Dynamics app requires that theadministrator grant access in BlackBerry UEM or in standalone GoodControl before users can run the app on users' devices. The value must use one to four segments of digits, separate by periods(x.x.x.x).Each segment can be up to three digits and must not use a leading zero(for example, 01.02 is not valid). A segment can use a single 0.The first release of an app should use the entitlement version 1.0.0.0. Requirements 11
Distinction from and use with native language identifiersThe Entitlement ID and Entitlement Version are BlackBerry Dynamics specific metadata and are independent ofthe identifiers needed by the app platforms themselves. The key point is that the values and the native languageidentifiers' values can be the same but they do not necessarily have to be. Listed below by platform are theequivalent native identifiers, which are where the values of Entitlement ID and version are stored. Info.plist CFBundleIdentifierCFBundleVersionUnique native identifiers for enterprise appsIf you are developing a private app for use in your enterprise, make sure that the value you choose for the app'snative identifiers (Bundle ID and others constructs used on other platforms) is unique, especially with respect toapps that are available through the public app stores.Duplicate native identifiers can prevent the proper installation or upgrade of your own app.For all your native identifiers, devise a naming scheme that you can be relatively certain is unique.Mapping BlackBerry Dynamics entitlement ID to native identifiersTo take advantage of many features, such as Easy Activation, multi-authentication delegation, and the sharedservices framework, developers need to set up a map in the server between your defined Entitlement ID and thenative identifiers on the platforms for which your app is distributed. The native platforms have no knowledge ofthe Entitlement ID; thus the mapping is needed for the operating systems to take over the actual function of theapp.Native version identifiers: * wildcard allowed for blocking appThe SDK supports use of native version identifiers in keeping with the conventions described by the majorvendors. These same conventions apply to the use of the * wildcard in the server to deny apps by native version. Platform:iOSCFbundleVersionA series of integers separated by ".". No explicit limit on number of words.More information from AppleThe * character can be used in native version identifiers, but must always be preceded by a period (.) and must bethe last character in the native version string. Examples: Allowed: 2.3.*Not allowed: 2.*.32.* includes 2.*.*Required build-time declarations: URL typeYour app must declare a URL type so that it can be discovered by other apps on the same user's device.This enables BlackBerry Dynamics AppKinetics (shared services) communication, which is required formany BlackBerry Dynamics features.The URL type and schemes are declared in an iOS app's Info.plist file. Requirements 12
The URL type must be the same as the application's native bundle identifier. Within the URL type declaration,the following URL schemes must be declared. For an example, if the native bundle identifier of the applicationis com.example.gd.myapp and its BlackBerry Dynamics app version is 1, then the declared URL typeis com.example.gd.myapp and the schema declarations are shown below.Table 1: URL type discovery ryAlways requiredExactly as showncom.good.gd.discovery.Exactly as shownenterpriseRequired for in-house appsdeveloped by an enterprise;see Security changes in iOS 9 andlater native app identifier .Always requiredcom.example.gd.myapp.sc3Enables an app to useauthentication delegation andis required for all BlackBerryDynamics appscom.example.gd.myapp.sc2Required only if your appprovides a service that must bediscoverablecom.example.gd.myapp.sc2.sc3 native app identifier .sc2 native app identifier .sc2. GD app version # 1.0.0.0Security changes in iOS 9 and laterApple introduced underlying security changes in iOS 9 that can impact BlackBerry Dynamics SDK apps, dependingon how the apps are deployed. The changes relate to service discovery and keychain sharing. Review the newrequirements below and modify your apps as necessary:RequirementDescriptionAdd an "enterprise"discovery schemeIn the Xcode project's Info.plist file (or via the Xcode UI), in the URLSchemes CFBundleURLSchemes section, add the following line:com.good.gd.discovery.enterpriseThis scheme is in addition to the other required or optional schemes discussed inBuild-time required declarations: URL type. Requirements 13
RequirementDescriptionKeychain group sharingfor multiple appsApple's keychain group sharing allows groups of apps to share information thatis stored on a device's keychain. Keychain group sharing is required when you aredeveloping multiple inter-related apps. The setting is part of a project's build.To enable keychain group sharing in an Xcode project:1. Open the app's project file.2. Click the application target Capabilities tab.3. Turn on Keychain Sharing.You may be asked for your developer password and to choose a developmentteam. The provisioning profiles for each app must come from the same teamand must share the same App ID prefix (see below).4. In the Keychain Group field, type com.good.gd.data.If the settings for keychain group sharing change, it is recommended to do a freshreinstall of the new version of the app, instead of upgrading the old version. Thisensures that the new keychain settings take effect.Common applicationidentifier (App ID prefix)An App ID prefix is a unique ID that groups a collections of apps and enablesthose apps to share keychain and UIPasteboard data. Apps that share keychaindata must have a common App ID prefix from Apple.Note: If your enterprise applications do not share the same App ID prefix,BlackBerry Dynamics Easy Activation does not work because the apps cannotdiscover each other.For more information, see Technical Note TN2311: Managing Multiple App IDPrefixes.The Apple App ID prefix is completely independent of the BlackBerryDynamics entitlement ID.Restricted key prefixNote that the key prefix "blackberry" is reserved by BlackBerry and should not be used for key values, keyattributes, or key elements. For more information and examples, see the "Application Policies Definition" page inthe appendix of the BlackBerry Dynamics SDK API Reference for Android or iOS. Requirements 14
Steps to get started with the BlackBerry DynamicsBindings for XamarinFollow the steps below to start working with the BlackBerry Dynamics Bindings forXamarin.1. Install the BlackBerry Dynamics Bindings for Xamarin.2. Install the BlackBerry Dynamics SDK for iOS needed along with Xamarin. For details, see the BlackBerryDynamics SDK for iOS Development Guide.3. Familiarize yourself with the features of the software:4.5.6.7.8.9. For general information, see BlackBerry Dynamics background. To view code samples, see Sample apps .Understand the Requirements and possible constraints on your programming.Become familiar with available classes and methods in the BlackBerry Dynamics API reference.Set up your projects. For new projects, see Load bindings for a new project. For existing projects, seeImplementing a BlackBerry Dynamics event listener.Implementing the BlackBerry Dynamics LauncherTest your app.Deploy your app. For options, see Ready your app for deployment.Install the BlackBerry Dynamics Bindings for XamarinThe bindings are delivered in the form of Dynamic Link Libraries (DLL) in nested .zip files for each platform. Theyare Xamarin projects: A project with bindings for the BlackBerry Dynamics SDK for iOSA project for each of the Sample apps .A project for the BlackBerry Dynamics Launcher Library1. Download the package for your target platfrom (Android or iOS).2. Uncompress the package.3. If you want to implement the BlackBerry Dynamics Launcher Library, uncompress the included project.Note: If you want to create your own version of the BlackBerry Dynamics Bindings for Xamarin with customchanges, open the Xamarin Bindings library project GoodDynamics.iOS and check the reference to the GD libraryfrom the framework path (for example, on Mac the default location is orm/iOS/Frameworks/GD.framework). Look for it under Native References in the solution explorer.Location and names of DLLsThe DLLs are in the top directory of the project and for each sample app. The DLLs are named as follows: The SDK .zip package unzips to BlackBerry Dynamics SDK for Xamarin iOS version and containsExamples.zip, GoodDynamics.iOS.Launcher.zip, and GoodDynamics.iOS.zip.The .zip package GoodDynamics.iOS.Launcher.zip unzips the Launcher binding project.The .z
The BlackBerry Dynamics SDK for iOS version 4.0 and later supports Face ID. An administrator can enable or . Some organizations want this feature, particularly in VoIP apps where the user needs to respond quickly to an incoming call. Note: Enabling this policy weakens the security inherent to BlackBerry Dynamics.
