Capsule Workspace App Wrapping leverages Capsule Workspace and extends it to offer 3rd party apps in a security container that provides multi security layers and access for both iOS and Android apps:

• Network Control

  • SSL VPN access to the organization’s resources. Authentication token is securely shared between the wrapped apps and Capsule Workspace.
  • Server-side Single Sign-On for standard HTTP-based applications.

• Data Loss Protection

  • Passcode Protection (passcode and passcode policy) is shared with Capsule Workspace and other wrapped applications that are installed on the device.
  • Local Data-at-Rest Protection (Files, Databases and Preferences).
  • Peripheral Data Loss Prevention control (Clipboard, Sharing, Screen Capture).
  • Built-in Capsule Docs viewer and editor.
  • Secure sharing between wrapped apps installed on the device.

• Management and Policy

  • Central management and policy through Mobile Access Blade.
  • In-app UserCheck™ enforces the security policy for the user (and shows relevant messages).
  • Remote Wipe.
  • Jailbreak/Root detection.

Capsule Workspace App Wrapping offers two different methods to fulfill Line-of-Business application needs:

• Wrapping Engine - Runs on closed app binary (IPA/APK) files and provides them with security layers that prevent data leakage and a built-in SSL VPN as a Capsule Workspace app.

• SDK Library - Gives the same abilities as the Wrapping Engine, but also gives developers control over the security features that can be added at development time. It provides more granular settings, which app parts to protect and how. The developer can choose between Quick Integration and Manual Integration. For more details, refer to the SDK on the Wrapping Portal.

The application owner must supply a binary of the app(s) for the wrapping process. In most in-house apps, the customer is also the application owner. If public 3rd-party app is needed, the vendor approval is required.

The Wrapping Portal consist of the wrapping, signing and deployment of the target app.

Wrapping Portal is cloud service, open to any user with User Center account, which takes the customer through the wrapping, signing and deployment process.

At the end of the process, Wrapping Token will be generated through the Wrapping Portal. This token should be configured in the required Mobile Access Blade profile.

Limitations

iOS Apps

1. Apple's modern WKWebView/SFSafariViewController is not supported. This is due to Apple using off-process loading and rendering model. Use UIWebView for web technologies.
2. Raw sockets and some of the low level CFNetwork API are not supported. Use NSURL Loading API (such as NSURLSession or NSURLConnection). Network requests performed using web technologies are also supported.
3. HTML5 storage is not supported. Use web containers which allow storage directly to the file system using NSData, Core Data or SQLite.
4. Core Data and SQLite are supported, but for wrapping, we rely on hardware and operating system security. SDK provides even more secure implementations of SQLite and Core Data components for secure storage. 

Android Apps

1. Apps which created using cross platform frameworks such as ReactNative, Xamarin and Titanium are not supported.
2. Networking layer supports HttpUrlConnection and HttpClient. Other methods like Socket API, libc network APIs and any third-party network stack implementations (e.g. OkHttp) are not supported. 

The solution is integrated:

• In Security Gateway R80.10
• In Security Gateway R77.30 with Take 266 and above of R77.30 Jumbo Hotfix Accumulator

• Wrapping Token

  The Wraping Token generated in the Wrapping Portal, should be set the in the proper field in the required Mobile Access Blade Profile.

  Configure the wrapping token according the instructions below:

  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

  2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

  3. In the upper left pane, go to Table - Other - mobile_profiles.

  4. In the upper right pane, select the desired profile (Class Name mobile_profile).
     For example, select Default_Profile.

     Example:
     

  5. Press CTRL+F (or go to Search menu - Find) - paste future_compatibility_fields - click on Find Next.

  6. In the lower pane, right-click on the future_compatibility_fields - select Add... - in the Name field, enter a meaningful name - click on OK.

     Example:
     
     
     
     
     

  7. In the new created object:

     1. Double-click on the field_name - enter the word wrapping_token (case-sensitive) - click on OK

        Example:
        

     2. Double-click on the field_value - enter here the Wrapping Token that you either copied from the Wrapping Portal (in the left tree, click on the Enterprise Stores - click on your Enterprise Store), or received from a Check Point representative - click on OK

        Example:
        

     Final result:

     Example:
     

  8. Save the changes: go to File menu - click on Save All.

  9. Close the GuiDBedit Tool.

  10. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  11. Install the policy onto the relevant Security Gateway / Cluster object.

  12. The device should get the new policy on the next log out -> log in, or sooner (depends on the mobile client).

  Using the profile assignment on Mobile Access Blade, the customer can assign wrapped applications to specific user groups or have different wrapped apps for different user groups. Wrapping Portal can wrap several apps in different apps buckets (with separate Wrapping Token) as needed.

• Wrapping QR Code

  For quick demonstration, server side configuration can be skipped and only scan the QR code within the Capsule Workspace's Enterprise Apps screen.

  After the scan, the wrapped app(s) will be available for installation on the Enterprise Apps screen.

  The wrapping QR code scanning option can be centrally disabled on Capsule Workspace by setting the value of the manual_wrapping_enabled attribute to false in the GuiDBedit Tool (as describe for the "Wrapping Token" above).

• How to enable this feature on the Mobile Access Gateway

  Version of Security Gateway	Default state of the feature
  Security Gateway R80.10 and above	Enabled. Nothing to do.
  Security Gateway R77.30 with Take 266 and above of R77.30 Jumbo Hotfix Accumulator	Disabled. Follow these steps to enable the feature: Connect to the command line on the R77.30 Mobile Access Gateway (over SSH, or console). Log in to Expert mode. Backup the current $CVPNDIR/conf/includes/Web_inside.location.conf file: [Expert@HostName:0]# cp -v $CVPNDIR/conf/includes/Web_inside.location.conf{,_ORIGINAL} Edit the current $CVPNDIR/conf/includes/Web_inside.location.conf file: [Expert@HostName:0]# vi $CVPNDIR/conf/includes/Web_inside.location.conf Enable the feature: CvpnClientSideLinkTrans on Note: To disable the feature, configure "CvpnClientSideLinkTrans off" Save the changes and exit from the Vi editor. Restart the Mobile Access software blade: [Expert@HostName:0]# cvpnstop ; cvpnstart

• Configuring Wrapped Applications on Mobile Access Blade

  The administrator needs to configure the access of the wrapped application to the organization, as any other Mobile Access Blade Web Application, while the link name must start with the word WRAPPED__.

  Example:
  

  This special application type will not appear as regular web application in the Capsule Workspace. It will also be invisible in the Mobile Access Blade Portal.
  This configuration should only set the access of the app in Mobile Access Blade.

  Administrator can configure the access, Single Sign-On and the authorization as any regular web application in the Mobile Access Blade.
  For more details, refer to Mobile Access Blade Administration Guide (R77.X, R80, R80.10).