Are “certificates to generate tokens used for application identity…

Article ID: 129688
Products

CA Mobile Device Management

Issue/Introduction

Are “certificates to generate tokens used for application identity…”? My response was NO, that CA uses internal code, but I am forwarding the question to CA for confirmation. I remembered that “session” cookies are used, contained in the userprops.jar file, but I don’t know how these cookies are generated. Back in the early days of this project, our Backend servers were having an issue: the CA Server Windows Service would crash due to either a malformed or missing Userprops.jar file on the client.

Environment

MDM 18.1

Resolution

Certificates are not used to generate any tokens for Application Identity. USRPROPS.JAR is generated per session by the CAMDM client. If you delete USRPROPS.JAR, it will be created again on the next connection.

The "Require user authentication" option in session policies (which FedEx doesn’t use today) provides an additional layer of security for the CAMDM system. When this option is selected, CAMDM will prompt the user to input credentials when the client first attempts to run the session. These credentials will then be passed to the directory server defined in the Server -> Configuration -> Server -> Security page for verification. If the directory server confirms the validity of the credentials provided, the client will be given a cookie so that future sessions will not prompt the user for credentials. The aforementioned cookie is stored in the USRPROPS.JAR file, which is located in \ProgramData\CAMDMClient\Data. This file is only updated or overwritten when one of the following conditions is met:

* The Authentication Timeout, Auto Renew Period, or Assignment Timeout value as defined in Server -> Configuration -> Server -> Security elapses for the client
* The user attempts to connect via the CAMDM Client for the first time while the "Require user authentication" option is enabled in any session policy assigned to the user

For each stage of the authentication process, there are a few important idiosyncratic behaviors to note.

* Only the directory server for the tenant that the client resides in will be used to validate user credentials.
* If the Authentication Timeout and Assignment Timeout periods are set to 0, the user will always be prompted for credentials when running a session with the "Require user authentication" option enabled.
* The CAMDM Client will automatically pre-populate the username field when prompting for credentials based on the Interactive User (currently logged on user). The CAMDM Client will not populate the password field, or automatically pass the user context upstream to the CAMDM server.

Unless the "Require user authentication" option is enabled for a specific session policy, any Windows 32-bit client that has a valid route over the network to the CAMDM server will be able to run that session.
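The following PowerShell diagnostic is an added example, not CA/Broadcom code: it inspects the client-side USRPROPS.JAR and applies the rules above to predict whether the next session will prompt for credentials. It assumes the "Require user authentication" option is enabled in the assigned session policy, that the Data folder sits under the system drive's ProgramData, and that the three server-side timeouts are supplied in minutes (the article does not state their unit); the function and parameter names are the example's own.

```powershell
# Added diagnostic (not CA/Broadcom code). Reports the state of the CAMDM
# session cookie file and whether re-authentication is expected, based on
# the cookie-refresh rules described in the article.
# Assumptions: path under $env:ProgramData; timeouts given in minutes.
function Test-CamdmSessionCookie {
    param(
        [int]$AuthenticationTimeoutMinutes,   # Server -> Configuration -> Server -> Security
        [int]$AutoRenewPeriodMinutes,
        [int]$AssignmentTimeoutMinutes,
        [string]$Path = (Join-Path $env:ProgramData 'CAMDMClient\Data\USRPROPS.JAR')
    )
    $result = [ordered]@{ Path = $Path; Exists = $false; SizeBytes = 0
                          AgeMinutes = $null; WillPrompt = $true; Reason = '' }

    # Both timeouts at 0 means the user is prompted on every session.
    if ($AuthenticationTimeoutMinutes -eq 0 -and $AssignmentTimeoutMinutes -eq 0) {
        $result.Reason = 'Authentication Timeout and Assignment Timeout are 0: always prompted'
        return [pscustomobject]$result
    }
    # A missing file is recreated on the next connection (first-connection prompt).
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reason = 'USRPROPS.JAR missing: recreated, and user prompted, on next connection'
        return [pscustomobject]$result
    }
    $file = Get-Item -LiteralPath $Path
    $result.Exists     = $true
    $result.SizeBytes  = $file.Length
    $result.AgeMinutes = [math]::Round(((Get-Date) - $file.LastWriteTime).TotalMinutes)
    # An empty file is the malformed case from the issue description; the client
    # regenerates it on the next connection, so treat it like a missing file.
    if ($file.Length -eq 0) {
        $result.Reason = 'USRPROPS.JAR is empty (malformed): expect regeneration and a prompt'
        return [pscustomobject]$result
    }
    # The cookie is rewritten when the earliest configured (non-zero) timeout elapses.
    $limits   = @($AuthenticationTimeoutMinutes, $AutoRenewPeriodMinutes, $AssignmentTimeoutMinutes) |
                Where-Object { $_ -gt 0 }
    $shortest = ($limits | Measure-Object -Minimum).Minimum
    if ($result.AgeMinutes -ge $shortest) {
        $result.Reason = "cookie older than shortest timeout ($shortest min): re-authentication expected"
    } else {
        $result.WillPrompt = $false
        $result.Reason = "cookie valid for about $($shortest - $result.AgeMinutes) more minutes"
    }
    return [pscustomobject]$result
}

# Sample values (constructed): 24h authentication timeout, 12h auto renew, no assignment timeout.
Test-CamdmSessionCookie -AuthenticationTimeoutMinutes 1440 -AutoRenewPeriodMinutes 720 -AssignmentTimeoutMinutes 0 | Format-List
```

Run it on the client as a user who can read the Data folder; a `WillPrompt` of `$true` with a non-empty, young cookie points at a server-side setting rather than the client file.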