MicroStrategy ONE

Integrate with AppConfig-Compliant EMM Providers

MicroStrategy HyperMobile can be integrated with any Enterprise Mobility Management (EMM) provider that supports AppConfig guidelines. App Configuration for the Enterprise (AppConfig) delivers the first standard approach to configuring and securing applications in the enterprise. The goal of the AppConfig initiative is to define a collection of best practices for enterprise application developers to interpret application configurations and security policies from EMM (Enterprise Mobility Management) systems, and for EMM systems to configure and secure mobile applications. AppConfig lets enterprises leverage their existing investments in EMM systems, VPNs, and identity management solutions.

  • App Configuration

    Configure information such as Intelligence Server connectivity, project information, home screen configurations, and general app settings to eliminate the need to educate end users about first time setup.

  • Certificate Pinning

    Help prevent man-in-the-middle attacks by providing a trusted certificate hash to help establish a secure connection.

  • Security Policies and Access Control

    Restrict apps to run only on approved devices and enforce security policies such as required encryption and data loss prevention at the app level.

  • App Tunnel

    Selectively enable approved apps to use an app tunnel to connect to backend and corporate networks.

The workflow for integrating MicroStrategy HyperMobile with an EMM provider that supports AppConfig is described below. Examples are given for VM Workspace ONE UEM (formerly AirWatch) and Microsoft Intune, but the instructions can be extrapolated to integrate MicroStrategy HyperMobile with a different AppConfig-compliant EMM provider.

Add the MicroStrategy HyperMobile Application and Set Up the Application Configurations

The sections below explain how to use the AppConfig integration to push configurations to the MicroStrategy HyperMobile app, configure App Tunnel, and configure security restrictions.

App Configuration

With AppConfig, a mobile administrator can define a set of configuration keys that the MicroStrategy HyperMobile app will accept from the EMM server. These configuration keys are defined in the EMM administration console, normally stored as part of a profile assigned to the app for deployment. You can set up these configurations on the VM Workspace ONE UEM Console during the process of application distribution. The EMM provider also has the ability to update the configurations over the air at any point in the future to an existing application, without requiring the app itself to be reinstalled. You can create different profile assignments to deploy the application to different groups of devices, thereby applying different configuration settings to each.

One of the configuration keys that can be pushed to the MicroStrategy HyperMobile app is the ConfigurationURL which is a link to connect to the Library Server, where your Hyper card is deployed. End users are prompted to log in with the corresponding authentication options so that it’s effortless to set up connectivity information.

To set up App Configuration on the VM Workspace ONE UEM Console, during the application and configuration setup described above, set the value of the ConfigurationURL key to the URL that has the configuration information.

Obtain the ConfigurationURL

  1. Open MicroStrategy Workstation.
  2. Go to the Environments tab.
  3. Right-click an environment, choose Properties, and click HyperIntelligence for Mobile Configuration URL.

Certificate Pinning

Certificate pinning helps prevent man-in-the-middle attacks by using a trusted certificate hash to validate the connection to a server. A trusted certificate hash can be passed from an EMM platform, such as VM Workspace One UEM, to be used to verify the identity of the server. To leverage the certificate pinning feature available with AppConfig, navigate to Resources > Apps > Native > Public > MicroStrategy HyperMobile > Assignment. Then, click on the assignment name, navigate to Application Configuration, and supply the certificate hash to the CertificateMap field in the following format:

Copy
hostnameA,certificateHashA

For example, the following could be the CertificateMap string.

Copy
yourLibraryServer.com,sha256/yourCertificateHash

To support certificate pinning for multiple environments or to provide additional certificate hashes for one host, please separate all hostname,certificateHash pairs with a vertical bar (“|”). For example,

Copy
hostnameA,certificateHashA1|hostnameB,certificateHashB|hostnameA,certificateHashA2

The certificate hash must begin with sha256/.

Security Policies and Access Control

Organizations require granular security and data loss protection within their enterprise applications to prevent sensitive data and documents from leaking outside company control. For example, an app may include functionality that an enterprise wants to disable for security reasons, such as the ability to synchronize data with a public cloud like Dropbox. AppConfig leverages the out-of-the-box capabilities that iOS provides to enforce security settings and access control on enterprise apps.

Custom Security Settings

In addition to the mobile configuration specified by ConfigurationURL, administrators can restrict the availability of some app features for the purpose of preventing data leakage or data loss. These restrictions are passed to MicroStrategy HyperMobile by adding key-value pairs to the Application Configuration section on the Add Assignment screen. The following restrictions can be added as BOOLEAN key-value pairs:

Custom Security Keys Functionality
EnableDataLossPrevention The main switch for all of the app restrictions. Other options, such as DisableEmail or DisableCopyPaste, take effect only when EnableDataLossPrevention is set to true
DisableEmail Disable email functionality across the app (only limited to iOS native mail app)
DisableOpenIn Disable all sharing functionality in MicroStrategy HyperMobile, including sharing of cards or files. Also disable all the links on Hyper cards.
DisableCopyPaste Disable copy or paste options on all text fields and text boxes
DisableCameraAccess Disable the QR code and barcode scanner feature
DisableSaveToPhotos Disable the “Save to Photo“ menu on the iOS native popover when sharing Hyper cards
DisableSpotlightSearch Disable spotlight search functions

To verify the security settings in MicroStrategy HyperMobile, go to Account > View Log. When viewing the log, you can see the security settings.

App Tunnel

An application may require access to web services residing behind a corporate firewall, which requires a secure App Tunnel. The per-app VPN protocol achieves the goal of a secure App Tunnel. For example, VM Workspace ONE UEM can distribute VPN profiles to its managed devices and let apps such as MicroStrategy HyperMobile set up their own VPNs following the profiles. The VPN settings are included in device profiles on the VM Workspace ONE UEM Console.

These settings take effect after MicroStrategy HyperMobile is pushed to the device. When MicroStrategy HyperMobile is launched, it automatically connects to the VPN server, and the VPN icon is shown on the left side of the status bar.

  • App Configuration

    Configure information such as Intelligence Server connectivity, project information, home screen configurations, and general app settings to eliminate the need to educate end users about first time setup.

  • Certificate Pinning

    Help prevent man-in-the-middle attacks by providing a trusted certificate hash to help establish a secure connection.

  • Security Policies and Access Control

    Restrict apps to run only on approved devices and enforce security policies such as required encryption and data loss prevention at the app level.

  • App Tunnel

    Selectively enable approved apps to use an app tunnel to connect to backend and corporate networks.

The workflow for integrating MicroStrategy HyperMobile with an EMM provider that supports AppConfig is described below. Examples are given for VM Workspace ONE UEM (formerly AirWatch) and Microsoft Intune, but the instructions can be extrapolated to integrate MicroStrategy HyperMobile with a different AppConfig-compliant EMM provider.

Add the MicroStrategy HyperMobile Application and Set Up the Application Configurations

The sections below explain how to use the AppConfig integration to push configurations to the MicroStrategy HyperMobile app, configure App Tunnel, and configure security restrictions.

App Configuration

With AppConfig, a mobile administrator can define a set of configuration keys that the MicroStrategy HyperMobile app will accept from the EMM server. These configuration keys are defined in the EMM administration console, normally stored as part of a profile assigned to the app for deployment. You can set up these configurations on the VM Workspace ONE UEM Console during the process of application distribution. The EMM provider also has the ability to update the configurations over the air at any point in the future to an existing application, without requiring the app itself to be reinstalled. You can create different profile assignments to deploy the application to different groups of devices, thereby applying different configuration settings to each.

One of the configuration keys that can be pushed to the MicroStrategy HyperMobile app is the ConfigurationURL which is a link to connect to the Library Server, where your Hyper Card is deployed. End users are prompted to log in with the corresponding authentication options so that it’s effortless to set up connectivity information.

To set up App Configuration on the VM Workspace ONE UEM Console, during the application and configuration setup described above, set the value of the ConfigurationURL key to the URL that has the configuration information.

Obtain the ConfigurationURL

  1. Open MicroStrategy Workstation.
  2. Go to the Environments tab.
  3. Right-click an environment, choose Properties, and click Environment URL.

Certificate Pinning

Certificate pinning helps prevent man-in-the-middle attacks by using a trusted certificate hash to validate the connection to a server. A trusted certificate hash can be passed from an EMM platform, such as VM Workspace One UEM, to be used to verify the identity of the server. To leverage the certificate pinning feature available with AppConfig, navigate to Resources > Apps > Native > Public > MicroStrategy HyperMobile > Assignment. Then, click on the assignment name, navigate to Application Configuration, and supply the certificate hash to the CertificateMap field in the following format:

Copy
hostnameA,certificateHashA

For example, the following could be the CertificateMap string.

Copy
yourLibraryServer.com,sha256/yourCertificateHash

To support certificate pinning for multiple environments or to provide additional certificate hashes for one host, please separate all hostname,certificateHash pairs with a vertical bar (“|”). For example,

Copy
hostnameA,certificateHashA1|hostnameB,certificateHashB|hostnameA,certificateHashA2

The certificate hash must begin with sha256/ or sha1/.

Security Policies and Access Control

Organizations require granular security and data loss protection within their enterprise applications to prevent sensitive data and documents from leaking outside company control. For example, an app may include functionality that an enterprise wants to disable for security reasons, such as the ability to synchronize data with a public cloud like Dropbox. AppConfig leverages the out-of-the-box capabilities that Android provides to enforce security settings and access control on enterprise apps.

Custom Security Settings

In addition to the mobile configuration specified by ConfigurationURL, administrators can restrict the availability of some app features for the purpose of preventing data leakage or data loss. These restrictions are passed to MicroStrategy HyperMobile by adding key-value pairs to the Application Configuration section on the Add Assignment screen. The following restrictions can be added as BOOLEAN key-value pairs:

Custom Security Keys Functionality
EnableDataLossPrevention The main switch for all of the app restrictions. Other options, such as DisableSharing or DisableCameraAccess, take effect only when EnableDataLossPrevention is set to true
DisableSharing Disable sharing the card image and exporting the log file
DisableTwitterSharing Disable Twitter sharing
DisableOpeningLinks Disable opening links on cards
DisableCameraAccess Disable the QR code and barcode scanner feature
DisableRecentsPreview Disable screenshot on recent apps screen

App Tunnel

An application may require access to web services residing behind a corporate firewall, which requires a secure App Tunnel. The per-app VPN protocol achieves the goal of a secure App Tunnel. For example, VM Workspace ONE UEM can distribute VPN profiles to its managed devices and let apps such as MicroStrategy HyperMobile set up their own VPNs following the profiles. The VPN settings are included in device profiles on the VM Workspace ONE UEM Console.

These settings take effect after MicroStrategy HyperMobile is pushed to the device. When MicroStrategy HyperMobile is launched, it automatically connects to the VPN server and a key icon appears in the status bar.