Chapter 4 Infrastructure and integration 34
With iOS 7 or later, apps can take advantage of your existing in-house Single Sign-On
infrastructure via Kerberos. The Kerberos authentication system used by iOS 7 or later is
the most commonly deployed Single Sign-On technology in the world. If you have Active
Directory, eDirectory, or Open Directory, it’s likely to already have a Kerberos system in place
that iOS 7 or later can use. iOS devices need to be able to contact the Kerberos service over a
network connection to authenticate users. In iOS 8, certificates can be used to silently renew a
Kerberos ticket, letting users maintain connections to certain services that leverage Kerberos
for authentication.
Supported apps
iOS provides flexible support for Kerberos Single Sign-On to any app that uses the
NSURLConnection or NSURLSession class to manage network connections and authentication.
Apple provides all developers with these high-level frameworks so that network connections
are seamlessly integrated within their apps. Safari also uses SSO-enabled websites natively,
which is a convenient way to get started.
Configure Single Sign-On
You configure Single Sign-On using configuration profiles, which may be either manually
installed or managed with MDM. The Single Sign-On payload allows flexible configuration.
Single Sign-On can be open to all apps, or restricted by app identifier, service URL, or both.
Simple pattern matching is used for URLs, which must begin with either http:// or https://.
The matching is on the entire URL, so be sure that they’re exactly the same. For example, a
URLPrefixMatches value of https://www.example.com/ won’t match https://www.example.com:443/.
You may specify http:// or https:// to restrict the use of SSO to either secure or regular
HTTP services. For example, using a URLPrefixMatches value of https:// allows the SSO account to
be used only with secure HTTPS services. If a URL matching pattern doesn’t end with a slash (/),
a slash is appended.
The AppIdentifierMatches array must contain strings that match app bundle IDs. These strings
may be exact matches (com.mycompany.myapp, for example) or may specify a prefix match on
the bundle ID by using the wildcard character (*). The wildcard character must appear after a
period (.), and only at the end of the string (for example, com.mycompany.*). When a wildcard is
given, any app whose bundle ID begins with the prefix is granted access to the account.
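The URLPrefixMatches and AppIdentifierMatches rules above are easy to get wrong when writing a payload (the missing port, the forgotten trailing slash, a wildcard in the middle of a bundle ID). The following is an added example, not Apple's code, that models those rules so an administrator can check which app/URL pairs a planned payload would actually grant SSO to; function names and the sample values are my own.

```python
from __future__ import annotations


def normalize_url_pattern(pattern: str) -> str:
    """Validate a URLPrefixMatches entry and append the trailing slash iOS adds."""
    if not (pattern.startswith("http://") or pattern.startswith("https://")):
        raise ValueError(f"URL pattern must begin with http:// or https://: {pattern!r}")
    return pattern if pattern.endswith("/") else pattern + "/"


def url_matches(url: str, patterns: list[str]) -> bool:
    """True if the URL begins with any normalized pattern; an empty list means no URL restriction."""
    if not patterns:
        return True
    # Whole-prefix comparison: "https://www.example.com/" does not match a URL with ":443".
    return any(url.startswith(normalize_url_pattern(p)) for p in patterns)


def validate_bundle_pattern(pattern: str) -> None:
    """Reject AppIdentifierMatches entries that misuse the wildcard."""
    if "*" in pattern and (pattern.count("*") != 1 or not pattern.endswith(".*")):
        raise ValueError(f"wildcard must appear once, at the end, after a period: {pattern!r}")


def app_matches(bundle_id: str, patterns: list[str]) -> bool:
    """True on an exact bundle ID match or a wildcard prefix match; empty list means all apps."""
    if not patterns:
        return True
    for p in patterns:
        validate_bundle_pattern(p)
        if p.endswith(".*"):
            if bundle_id.startswith(p[:-1]):  # keep the period in the prefix: "com.mycompany."
                return True
        elif bundle_id == p:
            return True
    return False


def sso_allowed(bundle_id: str, url: str, app_patterns: list[str], url_patterns: list[str]) -> bool:
    """An account is usable only if both the app and the URL restrictions pass."""
    return app_matches(bundle_id, app_patterns) and url_matches(url, url_patterns)


if __name__ == "__main__":
    # Constructed payload: restrict to the company's apps and to HTTPS only.
    apps, urls = ["com.mycompany.*"], ["https://"]
    print(sso_allowed("com.mycompany.myapp", "https://intranet.example.com/", apps, urls))  # True
    print(sso_allowed("com.mycompany.myapp", "http://intranet.example.com/", apps, urls))   # False
```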
Virtual private networks (VPN)
Overview
Secure access to private corporate networks is available in iOS and OS X using established
industry-standard virtual private network (VPN) protocols. Out of the box, iOS and OS X support
Cisco IPSec, L2TP over IPSec, and PPTP. iOS also supports IKEv2. If your organization supports one
of these protocols, no additional network configuration or third-party apps are required in order
to connect Apple devices to your VPN.
iOS and OS X support SSL VPN from popular VPN providers. Like other VPN protocols supported
in iOS and OS X, SSL VPN can be configured manually on the Apple device, or by configuration
profiles or mobile device management.