Remotely disabling application connectivity

You can use the Remote Disable procedure to deny a user's access to a certain application version due to phase-out policy or due to security issues encountered in the application.

Before you begin

If you need to use the Remote Disable feature with servers and clusters that experience heavy loads, consider enabling the Remote Disable cache. Enabling the cache can improve performance by reducing how frequently the database is checked to see if an app has been remotely disabled. By default, the cache is disabled. To enable and configure the cache, add the following lines to the MobileFirst project worklight.properties file:

wl.remoteDisable.cache.enabled=true
wl.remoteDisable.cache.refreshIntervalInSeconds=1

The refresh interval determines how long (measured in seconds) values are kept in the cache before they are refreshed from the database. If you increase the interval, performance is improved as a result of fewer connections being made to the database, but you increase the duration before the remote disable state comes into effect. For example, if your infrastructure contains a cluster of four MobileFirst Server and you set wl.remoteDisable.cache.refreshIntervalInSeconds=1, the database is accessed 4 times per second to check the remote disable state.

Note: If code that uses the Remote Disable feature accesses a resource that is protected by OAuth authentication, and the client has a valid token, the MobileFirst Server is not called. As a result, the server does not check whether a specific application is disabled. The MobileFirst Server is called when the token expires or when the Remote Disable realm inside the token expires. When the realm expires, the Remote Disable authenticator is invoked and the server checks whether the specific application version is disabled. For more information about token expiration, see OAuth-based tokens.

About this task

Using the MobileFirst Operations Console, you can disable access to a specific version of a specific application for a specific mobile environment and provide a custom message to the user.

Procedure

To use this Remote Disable feature, from the first page of MobileFirst Operations Console, click the application name and change the access of the application version that must be disabled from Active to Access Disabled.
Add a custom message as shown in the following text:
```
This version is no longer supported. Please upgrade to the next version.
```
You can also specify a URL for the new version of the application (usually in the appropriate public or private app store). For some environments, the Application Center provides a URL to access the Details view of an application version directly. See Application properties.
Click Save.
When users run an application that is Remotely Disabled, they receive a text message about the access denial. They can either close the dialog and continue working offline, that is, without access to the MobileFirst Server, or they can upgrade to the latest version of the application. Closing the dialog keeps the application running, but any application interaction that requires server connectivity causes the dialog to be displayed again.

Modifying the behavior of the remote disable operation

As noted above, the default dialog that is displayed to a user when an application is remotely disabled contains two buttons, Get new version, and Close. Clicking Close closes the dialog, but allows the user to continue working offline, with no connection to the MobileFirst Server.

Note: The actual text on the two buttons is customizable, and can be overridden in the message.properties file.

In older versions of IBM MobileFirst™ Platform Foundation, when you disabled an application using the MobileFirst Operations Console, the default behavior was to completely disable or end it, such that the application would not function, even in offline mode.

There is a way to modify the default behavior of the Remote Disable feature to completely disable an application if there is a need to do so (such as a severe security flaw).

Add a new Boolean attribute to your initOptions.js file, named showCloseOnRemoteDisableDenial.
If this attribute is missing or is set to true, the Remote Disable notification displays the default behavior described earlier.
If this attribute is set to false (that is, "Do not show the Close button on the dialog"), the behavior is as follows:
- If you disable the application on the MobileFirst Operations Console and specify a link to the new version, the dialog displays only a single button, the Get new version button. The Close button is not shown. The user has no choice but to update the application, and this preserves the older behavior of forcing the user to exit the application.
- If you disable the application and do not specify a link to the new version, the dialog again displays only a single button, but in this case it displays the Close button.