Configuring Archibus Mobile Apps - System Administrator

As a System Administrator, you may need to get your staff up and running with the Archibus Mobile Client and the Archibus mobile business apps.

Establishing authentication for mobile devices

In order to grant access to Web Central from mobile devices, you must implement one of the following Web Central authentication configurations:

-- OR --

Some sites are already running an SSO configuration for their desktop and Smart Client workstations. When deploying mobile apps, they have a choice: use SSO or use Archibus Authentication for their mobile users. To use Archibus Authentication for their mobile users, the system administrator sets up a separate application server to serve the mobile users; this separate application server can share the same project database (and so share data with the desktop and the Smart Client users).

Authentication Configurations

You can use all authentication options with either http or https.

You can use SSO or certificate security with any Archibus authentication configuration (e.g. request header, remote user).

Not all authentication configurations can be supported in all mobile environments; see the table below.

|  | Archibus Authentication | LDAP | SSO | Certificate Authentication |
|---|---|---|---|---|
| Desktop Web Browser |  |  |  |  |
| Chrome | Yes | Yes | Yes | Yes |
| Firefox | Yes | Yes | Yes | Yes |
| Native Mobile Client |  |  |  |  |
| Android | Yes | Yes | Yes | Yes (On Android 5+) |
| iOS 8, 9, 10 | Yes | Yes | Yes | Yes |
| Mobile Device Management Software | Yes | Yes | Yes, Call AI ProfServices [2] | Yes, Call AI ProfServices [2] |
| Mobile Web Browser (without Native Mobile Client) |  |  |  |  |
| Android | Yes | Yes | Yes, Call AI ProfServices [1] | No [3] |
| iOS 8, 9, 10 | Yes | Yes | Yes, Call AI ProfServices [1] | No [3] |

Footnotes:

[1] Although this configuration prohibits Archibus from accessing a unique Device ID, Archibus can generate a stable ID to use for mapping as appropriate for your deployment. Call Archibus Professional Services for a statement of work if this configuration is required.

[2] Different vendors for Mobile Device Management Software have different APIs. Call Archibus Professional Services for a statement of work for integration if this configuration is required.

[3] Browsers cannot access the keychain for security reasons.

Note: As described in Shared Mobile Devices and Multiple Devices per User, Archibus mobile applications allow sharing the same device between several users. The applications maintain each user's data on the device. For this reason, it is possible for a user to access another user's data when the device is shared. Mobile devices are not designed for such sharing, and do not provide built-in per-user security for files and data. If this is a concern for your site, you should not share devices between users; you should assign one device to one user.

Archibus Authentication configuration

The default installation of Archibus enables Archibus Authentication. Users install the Archibus Mobile Client. On first use, the Mobile Client prompts for username and password, and registers the Device ID of the device to that user. From then on, Web Central creates Archibus User sessions to process requests that include that Device ID, and Web Central will give those sessions all the rights of the Archibus User that corresponds to that Device ID.

Some sites additionally use VPN security, or grant access only from specific IP addresses, in order to grant access to devices outside the firewall.

Single Sign-On (SSO) configurations

If your site uses its own authentication server for single sign-on, you may wish to configure your authentication server to map mobile Device IDs to internal user names. Have your authentication server look up the username for that Device ID and insert the username into the request header. The authentication server can then forward requests to Web Central, which can use one of its SSO configurations for processing SSO requests.

One of the typical SSO configurations is to configure your authentication server to use Personal Security Certificate Authentication. With this method, the authentication server only allows requests from mobile devices that have valid Personal Security Certificates.
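
The Device ID lookup and certificate check described above, sketched as an added example (this is not Archibus or Web Central code). The header names X-Device-Id and X-Remote-User, the sample Device IDs and the function names are assumptions made for illustration; the point shown is that the authentication server discards any username header sent by the device before setting its own.

```python
# Added example: header names, Device IDs and function names are hypothetical,
# not Archibus or Web Central identifiers.
DEVICE_HEADER = "x-device-id"    # assumed header carrying the mobile Device ID
USER_HEADER = "x-remote-user"    # assumed header the SSO configuration reads

# Constructed sample mapping of registered Device IDs to internal user names.
DEVICE_TO_USER = {
    "a1b2c3d4-0001": "jsmith",
    "a1b2c3d4-0002": "mlopez",
}


class Rejected(Exception):
    """The request must not be forwarded to Web Central."""


def build_forwarded_headers(client_headers, cert_verified, device_map=DEVICE_TO_USER):
    """Return the headers to forward upstream, or raise Rejected.

    client_headers: headers as received from the mobile device (untrusted).
    cert_verified:  outcome of the TLS layer's client-certificate check (trusted).
    """
    # HTTP header names are case-insensitive, so normalise before comparing.
    incoming = {name.lower(): value for name, value in client_headers.items()}

    # Never trust an identity header supplied by the client: drop it before
    # the server sets its own, otherwise a device could name any user.
    incoming.pop(USER_HEADER, None)

    if not cert_verified:
        raise Rejected("no valid personal security certificate")

    device_id = incoming.get(DEVICE_HEADER, "").strip()
    user = device_map.get(device_id)
    if user is None:
        raise Rejected("Device ID is not mapped to a user")

    incoming[USER_HEADER] = user  # the only place the identity header is set
    return incoming
```

Because the application server trusts whatever username arrives in the header, it should accept connections only from the authentication server, never directly from devices.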

Combining authentication options

If your current Web Central installation does not use one of the configurations described above, you can establish a different instance of Web Central on your application server to serve the mobile users. For instance, you can use the Archibus Authentication configuration on one instance (http://archibusserver:8080) for mobile users, and use another instance (http://archibusserver:8081) in an SSO configuration, with the authentication server configured to use Windows Integrated Authentication, for your Web Central and Smart Client users.

Reinitializing

Just as you may sometimes reboot your iPhone or iPad to reinitialize it after unusual events, you may need to reinitialize the Archibus apps.

If you get a "Prohibited calling login() when user is already authenticated" error, restart your Web browser.

If you want to completely reinitialize your mobile device:

  1. Sync the mobile device with the server to save any changes you have in progress. Reinitializing will clear the device, but a subsequent re-sync will bring back all your changes.
  2. Delete the browser's Web cache.
  3. Delete the browser's SQLite database.

On an iPhone or iPad:

  1. Delete the browser's Web cache using Settings / Safari / Clear Cookies and Data.
  2. Delete the browser's SQLite database by using Settings / Safari / Advanced / Website Data, selecting Edit, and then selecting the icon located beside the name of your Archibus server.

On Google Chrome:

  1. Delete the browser's Web cache using Tools / Clear browsing data.
  2. Delete the browser's SQLite database by navigating to the chrome://settings/cookies URL, selecting the name of your Archibus server in the list, and then using the clear action.

Other configuration tasks

Archibus System Management Help covers additional configuration tasks, such as controlling the fields displayed on an audit form or having a mobile app call a workflow rule. For information, see: