Note: For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Mobile-application management

The MobileFirst mobile-application-management capabilities provide MobileFirst Server operators and administrators with granular control over user and device access to their applications.

MobileFirst Server tracks all attempts to access your mobile infrastructure, and stores information about the application, the user, and the device on which the application is installed. The mapping between the application, the user, and the device forms the basis for the server's mobile-application management capabilities.

Use IBM MobileFirst™ Platform Operations Console to monitor and manage access to your resources:
  • Search for a user by name, and view information about the devices and applications that they are using to access your resources.
  • Search for a device by its display name, and view the users that are associated with the device, and the registered MobileFirst applications that are used on this device.
  • Block access to your resources from all instances of your applications on a specific device. This is useful when a device is lost or stolen.
  • Block access to your resources only for a specific application on a specific device. For example, if an employee changes departments, you can block the employee's access for an application of the previous department, but allow the employee access from other applications on the same device.
  • Unregister a device, and delete all the registration and monitoring data that was gathered for the device.
Access-blocking has the following characteristics:
  • The blocking operation is reversible. You can remove the block by changing the device or application status in MobileFirst Operations Console.
  • The block applies only to protected resources. A blocked client can still use the application to access an unprotected resource. See Unprotected resources.
  • Access to adapter resources on MobileFirst Server is blocked immediately when you select this operation. However, this might not be the case for resources on an external server because the application might still have a valid access token that has not expired.

Device status

MobileFirst Server maintains status information for every device that accesses the server. The possible status values are Active, Lost, Stolen, Expired, and Disabled.
The default device status is Active, which indicates that access from this device is not blocked. You can change the status to Lost, Stolen, or Disabled to block access to your application resources from the device. You can always restore the Active status to allow access again. See Managing device access in MobileFirst Operations Console.

The Expired status is a special status that is set by MobileFirst Server after a preconfigured inactivity duration elapses since the last time that the device connected to this server instance. This status is used for license tracking, and it does not affect the access rights of the device. When a device with an Expired status reconnects to the server, its status is restored to Active, and the device is granted access to the server.

Device display name

MobileFirst Server identifies devices by a unique device ID, which is assigned by the MobileFirst client SDK. Setting a display name for a device allows you to search for the device by its display name. Application developers can use the setDeviceDisplayName method of the WLClient class to set the device display name. See the WLClient documentation in MobileFirst client-side API. (The JavaScript class is WL.Client.) Java™ adapter developers (including security-check developers) can also set the device display name by using the setDeviceDisplayName method of the com.ibm.mfp.server.registration.external.model MobileDeviceData class. See MobileDeviceData.

Managing device access in MobileFirst Operations Console

To monitor and manage device access to your resources, select the Devices tab in the MobileFirst Operations Console dashboard.

Use the search field to search for a device by the user ID that is associated with the device, or by the display name of the device (if set). See Device display name. You can also search for part of the user ID or the device display name (at least three characters).
The search results display all the devices that match the specified user ID or device display name. For each device, you can see the device ID and display name, the device model, the operating system, and the list of user IDs that are associated with the device.

The Device Status column shows the status of the device. You can change the status of the device to Lost, Stolen, or Disabled, to block access from the device to protected resources. Changing the status back to Active restores the original access rights.

You can unregister a device by selecting Unregister in the Actions column. Unregistering a device deletes the registration data of all the MobileFirst applications that are installed on the device. In addition, the device display name, the lists of users that are associated with the device, and the public attributes that the application registered for this device are deleted.
Note: The Unregister action is not reversible. The next time that one of the MobileFirst applications on the device attempts to access the server, it will be registered again with a new device ID. When the device is registered again, the device status is set to Active, and the device has access to protected resources, regardless of any previous blocks. Therefore, if you want to block a device, do not unregister it. Instead, change the device status to Lost, Stolen, or Disabled.

To view all the applications that were accessed on a specific device, select the expand arrow icon next to the device ID in the devices table. Each row in the displayed applications table contains the name of the application, and the application's access status (whether access to protected resources is enabled for this application on this device). You can change the application's status to Disabled to block access from the application specifically on this device.
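
The access rules described on this page (device status, per-application status, protected versus unprotected resources, and the effect of Unregister), written as a small JavaScript model. This is an added example, not MobileFirst code or API: RegistryModel, externalServerAllows, and demo are hypothetical names, and the external server is assumed to check only the token's expiry time.

```javascript
// Added illustration, not MobileFirst code; all names here are hypothetical.
const BLOCKING = new Set(["Lost", "Stolen", "Disabled"]); // Expired does not block
class RegistryModel {
  constructor() {
    this.devices = new Map(); // deviceId -> { status, apps: Map(appName -> enabled) }
    this.nextId = 1;
  }
  // Register an app; a client with no device record gets a new ID and Active status.
  register(appName, deviceId = null) {
    if (deviceId === null || !this.devices.has(deviceId)) {
      deviceId = `dev-${this.nextId++}`;
      this.devices.set(deviceId, { status: "Active", apps: new Map() });
    }
    this.devices.get(deviceId).apps.set(appName, true);
    return deviceId;
  }
  setDeviceStatus(deviceId, status) { this.devices.get(deviceId).status = status; }
  setAppEnabled(deviceId, app, enabled) { this.devices.get(deviceId).apps.set(app, enabled); }
  // Unregister deletes the record, including any block that was set on it.
  unregister(deviceId) { this.devices.delete(deviceId); }
  allows(deviceId, app, resourceIsProtected) {
    if (!resourceIsProtected) return true;          // blocks cover protected resources only
    const device = this.devices.get(deviceId);
    if (!device || BLOCKING.has(device.status)) return false;
    return device.apps.get(app) === true;           // per-application block on this device
  }
}

// Assumption: an external resource server checks only the token's expiry time.
function externalServerAllows(token, nowSeconds) { return nowSeconds < token.expiresAt; }

function demo() {
  const reg = new RegistryModel();
  const id = reg.register("hr-app");
  reg.register("mail-app", id);
  const token = { expiresAt: 3600 };               // constructed token, issued before the block
  reg.setAppEnabled(id, "hr-app", false);          // block one application on this device
  const appBlock = [reg.allows(id, "hr-app", true), reg.allows(id, "mail-app", true)];
  reg.setDeviceStatus(id, "Lost");                 // block every application on the device
  const lost = {
    protectedRes: reg.allows(id, "mail-app", true),
    unprotectedRes: reg.allows(id, "mail-app", false),
    externalBeforeExpiry: externalServerAllows(token, 600),
    externalAfterExpiry: externalServerAllows(token, 4000),
  };
  reg.unregister(id);                              // the Lost block is deleted with the record
  const newId = reg.register("mail-app");          // same hardware, new device ID, Active
  return { appBlock, lost, newId, allowedAgain: reg.allows(newId, "mail-app", true) };
}
```

In this model, externalBeforeExpiry and allowedAgain both come back true: a blocked device keeps external access until its token expires, and unregistering a blocked device removes the block.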