The Polish branch of the Transgourmet group undertook to evaluate and implement the SAP Afaria solution as part of a pilot project. The role of BCC (now All for One Poland) was to support Transgourmet's employees in designing a configuration model for the tool and in the production implementation.
Exploring the tool's capabilities and performing the initial configuration of SAP Afaria required significant involvement from Transgourmet's employees. The configuration policy developed during the consultations is not final; its further development is now the task of the system administrator at Transgourmet. An additional challenge is that, after the successful production start-up, the employees of the Polish branch will support their German colleagues in work related to activating the system and the mechanisms on which it operates. Despite this additional pressure, the work was carried out effectively, and after several days it was possible to run tests on several basic devices.
The work was divided into three main stages: recognition, configuration and implementation. All of it followed a non-standard course. SAP Afaria is not a classic system of the kind we deal with on a daily basis; therefore, it is important to understand its purpose and logic.
SAP Afaria in Mobile Secure
SAP Afaria is a system for remotely managing and securing a company's fleet of mobile devices (laptops, tablets, smartphones). By management we mean complete control over the individual devices, the applications installed on them and the data stored on them. Thanks to one of the Afaria modules, we can remotely connect new devices to the system and send them a request to install the applications required for proper functioning, or a configuration request. Afaria is a part of the Mobile Secure solution, which also consists of SAP Mobile Secure and SAP Mobile App Protection. SAP also offers an MDM (mobile device management) solution maintained in the cloud: SAP Mobile Device Management.
The most important functions
Below we present the basic functions of the SAP Afaria solution:
- Securing devices and the data stored on them through cooperation with technologies such as LDAP or Active Directory in order to authorize users of the device. Afaria can also verify devices based on certificates issued by the domain controller, while communication between Afaria and the devices is encrypted. The devices can be secured using appropriate policies that force users to maintain password security and that encrypt all corporate data. Afaria allows a lost or stolen device to be remotely blocked or erased.
- Adjusting the devices to the changing standards maintained by the business. Using Afaria, we can define numerous attributes that allow the devices to communicate correctly inside and outside the company infrastructure. For example, it is possible to instruct a device to use specific login credentials for the company wireless network. Afaria also allows the device to be synchronized with the company mailbox, schedule and address book. Even more importantly, these activities take place without any action by the user on the device.
- Managing mobile applications. Thanks to Afaria, we can force the installation of given applications on a defined set of devices. In addition, we can easily update the applications installed on the devices connected to the system or uninstall those that are not needed, which directly affects security. Afaria makes two methods of installing applications available: from a public store (e.g. Apple App Store or Google Play) or from your own local repository of applications. Afaria also allows users to be blocked from installing other applications, which ensures that a given collection of properly updated applications is maintained on all devices.
- Reporting the use of devices and data stored on them. Afaria has a module allowing reports to be generated from devices containing data about the installed applications, connected accounts or data that is stored on the device. Reports significantly facilitate audits and security analysis of the devices connected to the system.
Afaria allows the management of company and private devices of the employees if they are based on the following technologies: Android, iOS, Windows, Windows CE, Windows Mobile, Windows Phone and Windows DM.
Mobile and Safe
Users of the SAP Afaria solution – mainly sales representatives of Transgourmet Polska – obtained a safe, stable and certain solution in their everyday work with necessary services dedicated for them, such as mailbox, intranet resources, applications and Business Intelligence reports, as well as software allowing effective and interactive work with clients out of the office.
Implementation of the system resulted in a possibility to standardize the system environment of the fleet of mobile devices that minimized the number of service requests related to the operation of these devices and applications installed on them, as well as accelerated the service. We can also monitor the use of the fleet of mobile devices on an ongoing basis and proactively respond to appearing issues. In comparison to the previously used solution the helpdesk administrators and employees have a complex, fully configurable, convenient and accessible system through which they can effectively provide solutions expected by developing and demanding business.
Through the integration of SAP Afaria with AD, device and user traceability increased, and through the installation of personal certificates, secure access to remote resources, compliant with the policy and security rules of an enterprise, was obtained. A dedicated VPN tunnel is used for secure communication between the mobile device and IT resources. In case of losing a device, we eliminate the danger of unauthorized access to sensitive data.
Cooperation with BCC in this project allowed a “tailored” platform to manage mobile devices, develop their own policies and work standards with the system to be developed. Thanks to creating and implementing the concept in the workshop model and nearly from the ground up, in cooperation with BCC, we created a stable system that is still being developed and improved.
Bartłomiej Stryczek, IT Deputy Director, Transgourmet Polska
Modular architecture
The architecture of SAP Afaria is modular. The solution consists of several components. The most important include Afaria Server, Afaria Administration Console, Enrollment Server, Package Server and the database.
Although the database is one of the essential elements, it is not included in the installation package. Afaria can work with the following database solutions: Microsoft SQL Server or SAP SQL Anywhere. The database provides a place to store configuration data and to collect previously generated reports and logs.
The Afaria server is the main configuration point for the entire system. It lets us create policies for the devices and group the devices based on previously defined rules. It also allows the connected devices to be managed and reports to be generated. These operations are performed through a web-based administration interface (Afaria Administration Console).
The Enrollment Server is used to connect the devices to the system. It exposes an interface prepared for initiating the connection from the devices to the Afaria server. The next step of the connection process involves remote installation of the Afaria client application, which can be done from public or local repositories hosted in the Package Server service.
The last of the main elements of Afaria is the Self-Service Portal, which allows users limited management of their own devices and lets them locate lost devices.
Afaria is a scalable solution. It allows the creation of multi-element installations that make it easy to separate remote organizational units. Such a scenario is recommended for companies that conduct their business activities in many countries. In such cases, it is necessary to designate a main server whose basic task is to manage the synchronization of configuration between all elements of the cluster. It is also possible to use Afaria in the “standalone” model, which offers exactly the same capabilities as a multi-server installation. Transgourmet uses exactly this system model.
The greatest advantage of Afaria is its configuration flexibility. The main task of the administrator is to create policies consisting of definitions of the security rules and standards maintained by the company. Each policy should be “atomic”, that is, as small as possible. Policies created in this way can be assigned to numerous groups. In addition, each device can be assigned to numerous groups, which results in a greater number of possible variants of system configuration.
Smart phones and tablets under control
The cooperation of BCC (now All for One Poland) with Transgourmet commenced in June 2015, after the completion of the first stage of the work (installation of the system, which was carried out by the IT Department of the Transgourmet group in Germany). The main tasks of BCC were to configure the system and to train the administrators at Transgourmet in its use. At the subsequent stage, tests were conducted. BCC was also ready to support Transgourmet during the implementation of the system.
The first result of the work was the correct integration of the SAP Afaria system with the Active Directory directory services used by Transgourmet. The subsequent step involved configuring a fully Polish profile of rules for the devices by defining the parameters of the so-called tenant. Division into tenants is used to separate devices used in different organizational units. Policies and devices assigned to one tenant are invisible to the others. Transgourmet decided to divide the tenants according to the country in which a given branch is located.
The next step involved developing a scheme according to which policies will be assigned to the devices connected to the system. The adopted scheme was the result of joint work by Transgourmet's employees and BCC consultants. It was designed so that future organizational changes will not create unnecessary system configuration work. Here, Transgourmet maintained policy atomicity in order to create numerous flexible groups to which the mobile devices were connected.
Training for the administrators was then conducted, covering advanced configuration of policies and management of the devices using the SAP Afaria system. The training resulted in the joint implementation of the previously created strategy for creating policies for the devices.
The final step of the second stage of the work involved tests conducted on the mobile devices used by Transgourmet's employees. During the tests, configuration parameters that had not been taken into account before were specified, and the policies were expanded with new elements.
At the end of August, the administrators of Transgourmet commenced the process of implementing the SAP Afaria solution for all company mobile devices in Polish company branches. The training conducted and experience gained during the tests resulted in an efficient course of works.
Transgourmet now has a modern system that provides a simple and, most importantly, efficient way to manage its growing fleet of mobile devices. Afaria also made it easier to change a device's owner and to standardize software. However, the greatest value of implementing the SAP Afaria system at Transgourmet is the improved level of security of the mobile devices and the data available on them. This is especially important at a time when access to confidential data by third parties may involve serious legal and financial consequences.
Numerous users of company systems – from the mailbox to ERP or CRM solutions – cannot imagine work without access to them using their smart phones or tablets. Central management of these devices and ensuring a high level of their security in all situations becomes an important task for company IT administrators.