Securing Oracle BI Mobile

Presentation at the ODTUG Mobile Day 2015 around options to deploy OBIEE11g Mobile client in an MDM container

Mark Rittman

May 04, 2015

Transcript

  1. Securing Oracle BI Mobile
     Mark Rittman, CTO, Rittman Mead
     ODTUG Mobile Day, Utrecht, April 2015
     T : +44 (0) 1273 911 268 (UK) or (888) 631-1410 (USA) or +61 3 9596 7186 (Australia & New Zealand) or +91 997 256 7970 (India)
     E : [email protected]
     W : www.rittmanmead.com
  2. About the Speaker
     • Mark Rittman, Co-Founder of Rittman Mead
     • Oracle ACE Director, specialising in Oracle BI&DW
     • 14 Years Experience with Oracle Technology
     • Regular columnist for Oracle Magazine
     • Author of two Oracle Press Oracle BI books
       • Oracle Business Intelligence Developers Guide
       • Oracle Exalytics Revealed
     • Writer for Rittman Mead Blog : http://www.rittmanmead.com/blog
     • Email : [email protected]
     • Twitter : @markrittman
  3. About Rittman Mead
     • Oracle BI and DW Gold partner
     • Winner of five UKOUG Partner of the Year awards in 2013 and 2014 - including BI
     • World leading specialist partner for technical excellence, solutions delivery and innovation in Oracle BI
     • Approximately 80 consultants worldwide
     • All expert in Oracle BI and DW
     • Offices in US (Atlanta), Europe, Australia and India
     • Skills in broad range of supporting Oracle tools:
       ‣ OBIEE, OBIA
       ‣ ODIEE
       ‣ Essbase, Oracle OLAP
       ‣ GoldenGate
       ‣ Endeca
  4. What is OBIEE?
     ‣ Oracle Business Intelligence Enterprise Edition 11g (OBIEE) is a comprehensive business intelligence platform that delivers a full range of tools
     ‣ Adhoc Analysis
     ‣ Dashboards
     ‣ Notifications/Alerts
     ‣ Pixel Perfect Reporting
     ‣ Mobile
     ‣ Scorecards
     ‣ Mapping and other advanced visualisation
  5. Built around a Common Enterprise Information Model
     • All reporting tools can take their data from a shared metadata layer
     • Defined as dimensional model, embeds common calculations and drill paths
     • Subject-area and row-level security
     • Three-layer design to provide abstraction from underlying complicated source systems
       ‣ Simplification of the Data Model
       ‣ Integration of Disparate Data Sources
       ‣ Addition of Business Logic and Calculations
  6. OBIEE Benefits for Oracle Fusion Middleware Developers
     ‣ A richer, more user-customizable set of graphs, tables and other data visualizations than provided by stock ADF DVT
     ‣ Create formatted reports and distribute them to users
     ‣ Metadata catalogs and repositories to provide business context, control access and organize reporting
     ‣ Access to a wide range of data sources, including relational, OLAP, big data, file and application sources (and the ability to combine them together)
     ‣ Ability to create alerts that test for business events
     ‣ Embed BI insights into applications and business
  7. Displaying OBIEE Reports & Dashboards on Mobile Devices
     ‣ OBIEE reports and dashboards can display on mobile devices
     ‣ But they don’t use “responsive design” and aren’t that usable
     ‣ Buttons and menu items too small
     ‣ Too much content for smaller devices
  8. OBIEE Mobile Client Options
     • Oracle BI Mobile
       ‣ Native iOS & Android apps, developed by Oracle and downloadable from the respective App Stores
       ‣ Use your mobile device to view & interact with existing OBIEE content
     • Oracle BI Mobile App Designer (MAD)
       ‣ Creates HTML5 based web applications
       ‣ Ideal for creating departmental, focused line-of-business mobile apps
       ‣ No data stored on device
       ‣ Add graphics, corporate look-and-feel
  9. Mobile Device Security Concerns
     ‣ OBIEE Mobile HD and BI Mobile App Designer are “secure”
     ‣ Makes use of SSL, typically accessed via VPN etc
     ‣ But for some organizations, this is not enough
     ‣ Access to Organisation Data on Personal Device
       - Whole device accessing Network is a Security Risk
       - Mobile Malware
       - Copy/Paste Sensitive Information into other apps
       - Lost or Stolen Devices
     ‣ To enable these types of apps, MDM (Mobile Device Management) solutions are used to deploy apps in a secure “container” environment
  10. BI Mobile HD Default Security Architecture
     ‣ By default, adopts same security and authorisation approach as desktop OBIEE
     ‣ Passwords stored on the device, in encrypted form (Keychain etc)
     ‣ User credentials sent in plain text, unless SSL has been enabled
     ‣ Recommendation is to enable SSO and SSL to improve default security setup on mobile devices
  11. What is an MDM Container?
     • Segregated Area on Device
       ‣ Contains Company Approved Apps
         - Email
         - Intranet Sites
         - File Shares
         - BI Mobile HD
         - Custom Applications
     • No Company Data in/out of device other than via App Tunnel
       ‣ Cannot Copy from Container App to Notes or Browser outside container
     • Comes in the form of a signed App
  12. Vendors in the Mobile Device Management Space
     • Good
     • MobileIron
     • Oracle Mobile Security Suite
     • and many more!
  13. What’s Involved in Running BI Mobile in an MDM Container?
     ‣ Key difference is that BI Mobile HD runs within a secure MDM container
     ‣ BI Mobile App Designer will also need to run within an MDM-supplied web browser
     ‣ Two main vendor approaches to MDM containerisation
     ‣ Bitzer and other vendors : take BI Mobile app libraries, compile and sign using customer certificate, then deploy using vendor container solution
       - Advantage is that this does not require changes to BI Mobile source code
       - Main certified and supported approach with Oracle (esp. after Bitzer acquisition)
     ‣ Good and other vendors : similar approach but requires hooks and changes in BI Mobile source code to accommodate Good APIs
       - Can cause issues if customer does not use Good and Oracle APIs correctly (e.g. security, SSO integration)
  14. Oracle Mobile Security Suite
     • Previously known as Bitzer Secure Container
     • OMSS comes with a set of enterprise ready productivity apps
     • Wrapped apps can be installed on the container using the App Catalog feature of the container
     • Secure Web Browser
     • Access Intranet sites secured with Kerberos, NTLM, OAM
     • Secure File Manager
     • Secure Email, Calendar, Contacts, Tasks, Notes
     • Google Apps, and Lotus Notes
     • Attachments can be restricted to the container
  15. Installing Oracle Mobile Security Suite
     • Has to be installed into Windows Server 2003/2008
     • MSAC and MSAS are mandatory
     • Create the following group types in Active Directory
       ‣ Control or ‘End User’ Group
       ‣ Help Desk
       ‣ System Admin
       ‣ Company Admin
     • Choose Components to Install
     • Notification Server (MSNS) & File Manager (MSFM) are optional
  16. OMSS Dashboards
  17. OMSS Containers
  18. OMSS Catalog
     • Catalog is a list of all App Versions
       ‣ Oracle Apps
       ‣ Custom Apps
     • Oracle Supply additional Apps
       ‣ Secure Mail
       ‣ Browser
       ‣ File System Access
     • Users can select the Apps to download
  19. Preparing an iOS App for Signing using Corporate Certificate
     ‣ Oracle supply a set of libraries and source code you can use to create a signed version of the BI Mobile HD app, using your own corporate Apple Developer Program certificate
     ‣ To perform this exercise you’re going to need to get involved in Apple iOS development!
     ‣ Prerequisites
       ‣ Apple Xcode Objective-C IDE
       ‣ Apple Developer Program License
         - Agent Role - Apple main contact
         - Admin Role - Dev Team Leader who deploys apps
       ‣ Oracle Mobile Security Toolkit
       ‣ At least one registered physical device
  20. What is Xcode?
     ‣ Apple IDE
     ‣ Used for development of
       ‣ iOS (iPad & iPhone)
       ‣ Mac
     ‣ Integrated with Apple Developer Account
     ‣ Deploy Apps to Apple App Store
     ‣ Export Custom Apps for Enterprise or ad-hoc Deployment
  21. Importing and Signing the BI Mobile HD App
     • Create a New Xcode Project
     • From the menu, select File > New > Project
     • When asked to choose a template, under iOS, select Application. Then select Single View Application and click Next
     • Give your project a name and fill out the other fields with your organization's information.
     • In the Devices dropdown, specify the devices you are targeting. Make sure to select Universal.
     • Select a destination for your new project.
  22. Merge Toolkit with New Project
     • Download the Oracle Mobile Security Toolkit from OTN
     • Extract the files from the security toolkit zip.
     • Drag the following files to the project, as shown below:
       ‣ OBIMobile.framework
       ‣ Settings.bundle
       ‣ OBIMobile.bundle
     • Delete the existing Images.xcassets folder and replace it with the one provided in the toolkit
  23. Testing the App
     • Xcode has an iPad/iPhone Simulator built in
       ‣ Ensure that the OBIEE HD Project created above is opened in Xcode.
       ‣ Select Product -> Destination -> [Your Device Type]
       ‣ Next select Product -> Run
  24. Testing the App (cont..)
     ‣ You will be able to navigate through the application. It is advisable you test everything thoroughly before it is distributed to users!
  25. Deploying an Application using Xcode
     ‣ Set your destination to be your registered device
     ‣ Select Product > Archive to generate a .app file which we can upload into the Catalog in OMSS
  26. Deploying an Application using Xcode (cont..)
     • Select a Deployment Type
       ‣ iOS App Store
       ‣ Ad Hoc Development
       ‣ Enterprise Distribution
     • Select a Development Team
       ‣ This will sign and compile the app into a .app file for distribution
     • You are not submitting this to the Apple App Store!
  27. Signing the App
     ‣ You sign or certify the app to show that the code has not changed since your review
     ‣ Unsigned Code may have had changes made to it that could compromise security
     ‣ The App is Signed during the Deployment Process
     ‣ Certificates are held in your Apple Developer Provisioning Profile
  28. Signing an Android App
     • Similar process to signing using Xcode, but uses Android Studio IDE
     • Build > Generate Signed APK.
     • On the Generate Signed APK Wizard window, click Create new to create a new keystore
     • Your key should be valid for at least 25 years, so you can sign app updates with the same key through the lifespan of your app.
     • You can Auto-Sign apps after you've set up a keystore
  29. Import App into OMSS
     ‣ Import the .app file into the Catalog of OMSS so that you can distribute it to users
     ‣ OMSS then sends provisioning email to users; to install app using enterprise app store, just click on link
     ‣ Installed outside of main public Apple App Store process
  30. Good Technology MDM
     • Supports
       ‣ iOS, Android
       ‣ Windows Mobile, Blackberry
     • Containerisation at the Application Level
       ‣ App is Uploaded to Management Console
       ‣ Certificate is Applied, app is wrapped
     • Containerisation using an SDK
       ‣ SDK requires code integration, i.e. a developer uses the Good Dynamics security library APIs in conjunction with their IDE
       ‣ Developer can take advantage of services created by other developers (e.g. Writing to Sharepoint)
  31. Potential Customer Issues with Good
     ‣ All requests go through a Good Proxy
     ‣ Proxy is outside company network
     ‣ Requests are transferred securely
     ‣ Can cause timeouts
     ‣ Often issues around customer linking to corporate SSO - easy to get wrong if control incorrectly returned to BI Server
     ‣ File returned from the BI Server doesn't match expected format so causes BI Mobile App to render incorrectly
     ‣ Often tricky to debug as requires low-level network monitoring / knowledge, and BI Server not architected from ground-up for mobile client support
  32. Rittman Mead Services - BI Mobile MDM Starter Pack
     ‣ Useful for organizations not set up for iOS development
     ‣ Requires Macs, basic understanding of Xcode
     ‣ Wrapping and Deploying BI Mobile HD via OMSS
     ‣ 1 Week Service
     ‣ Wrap and Sign the Mobile BI iOS App
       - Using your certificates
     ‣ Handover & Basic Admin Training
     ‣ Install & Configure OMSS
       - Integration with Active Directory
  33. Rittman Mead Services - OBIEE/Mobile Consultancy
     • Advice on Best Practice
       ‣ OBIEE
       ‣ BI Mobile
       ‣ OMSS
     • Troubleshooting Issues
     • Full Implementations
     • Preparing existing setups for ‘Mobilization’
       ‣ Will my Dashboards work on Mobile?
       ‣ Are my Dashboards usable on Mobile?
  34. Thank You for Attending!
     • Thank you for attending this presentation, and more information can be found at http://www.rittmanmead.com
     • Contact us at [email protected] or [email protected]
     • Look out for our book, “Oracle Business Intelligence Developers Guide” out now!
     • Follow us on Twitter (@rittmanmead) or Facebook (facebook.com/rittmanmead)
  35. Securing Oracle BI Mobile
     Mark Rittman, CTO, Rittman Mead
     ODTUG Mobile Day, Utrecht, April 2015
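
Slide 28 asks for an Android signing key that is valid for at least 25 years. The following is an added example, not part of the original deck: it audits the text printed by `keytool -list -v` against that requirement before a keystore is used for release signing. The sample listing, its aliases, owners and dates are constructed, and only the fields the check reads are shown.

```python
import re
from datetime import datetime

MIN_YEARS = 25  # minimum key validity stated on slide 28

# Constructed sample in the layout printed by `keytool -list -v`;
# aliases, owners and dates are made up for this example.
SAMPLE_LISTING = """\
Alias name: release
Entry type: PrivateKeyEntry
Owner: CN=Example Corp Mobile, O=Example Corp
Valid from: Mon May 04 09:00:00 UTC 2015 until: Fri Sep 19 09:00:00 UTC 2042

Alias name: quicktest
Entry type: PrivateKeyEntry
Owner: CN=Example Corp Mobile, O=Example Corp
Valid from: Mon May 04 09:00:00 UTC 2015 until: Sun Aug 02 09:00:00 UTC 2015
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def _parse_date(text):
    # Input looks like "Mon May 04 09:00:00 UTC 2015". Drop the weekday and
    # the time-zone token so parsing does not depend on zone abbreviations.
    _, month, day, clock, _, year = text.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def _add_years(moment, years):
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return moment.replace(year=moment.year + years, day=28)


def audit_keystore_listing(listing, min_years=MIN_YEARS):
    """Return {alias: (expiry_date, ok)}; ok means validity spans min_years."""
    results, alias = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        match = VALID_RE.match(line)
        # Only the first certificate under an alias (the signing cert) counts.
        if match and alias is not None and alias not in results:
            not_before, not_after = map(_parse_date, match.groups())
            ok = not_after >= _add_years(not_before, min_years)
            results[alias] = (not_after.date().isoformat(), ok)
    return results


if __name__ == "__main__":
    for alias, (expires, ok) in audit_keystore_listing(SAMPLE_LISTING).items():
        print(f"{alias}: expires {expires} -> {'OK' if ok else 'TOO SHORT'}")
```

A key that fails this check cannot be fixed by extending its certificate in place for already-published apps without care, so the check belongs before the first signed release.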