Mobile CRM Security in CRM Online

In this article

    This article describes the security and requirements in CRM Online for Mobile CRM

    Client side security

    SuperOffice Mobile CRM is written in C# using Xamarin and is available for iOS and Android.

    Mobile CRM client application is signed using various certificates from various vendors*. A signed client application provides the end-user with a trust that the application is not altered in any way. It also provides a mechanism for giving trusted access to various features and APIs on the phone.

    *  Apple iOS Developer Certificate, Google Android Developer Certificate

    Mobile CRM uses local caching to speed up data access – this data is stored locally in the phone, but not commonly accessible on the mobile phones file memory / file system.

    Local storage:

    Mobile CRM saves data that is accessed in a local SQLite database. This is for all data that is shown in the Mobile CRM application, with the exception of documents.
    Data that the user does not have access to is not saved. The data is initially saved forever, but is periodically updated when accessed again.
    All local data is erased if Mobile CRM is removed from device, reconfigured to a new installation, or if a new user logs in.
    Both iOS and Android have default support for encrypting all content, if a pin code or password is used to lock the device.
    https://www.apple.com/business/docs/iOS_Security_Guide.pdf
    https://source.android.com/security/encryption/full-disk

    Mobile CRM are using the built in encryption features of the platform it is running on. Netserver authentication data is protected by additional encryption on top of the default OS encryption.

    Network and communication security

    Communication to CRM Online

    Mobile CRM communicates to CRM Online over HTTPS / TLS, just  as our web client.

    It access the CRM Online tenants NetServer  Web API (endpoint), which is based on REST (architecture) and uses OAuth for authentication .

    imagevq62n.png

    Communication to other sevices

    The Mobile CRM also have 2-way communication to SuperOffice Central Services (Microsoft Azure) for mobile services (currently only for "business card scanner")

    The Mobile CRM also have 1-way communication to Microsoft App Center: crash logs and diagnostics data (Mobile CRM -> MS App Center)

    The Mobile CRM also have 1-way communication from Google and Apple: Push notifications (-> Mobile CRM, not sending, only receiving)

    If IdP is set up towards users user account, user will be forwarded to the IdP service to validate user.

    Server side security

    See CRM Online security article on our Trust Center for detailed information.

    Authentication

    SuperID is a sign-in service and a federation gateway towards the identity providers. The SuperID sign-in service has 2 levels - basic and federated. Either with a SuperOffice password or delegated to an identity provider (IdP).
    The sign-in service determines how you get access to SuperOffice CRM Online and who manages your credentials.

    Identity provider (IdP) - federated identity is a generic term for establishing a person's digital identity by delegating to a trusted 3rd party as opposed to a centralized domain of trust. It refers to where the user stores their credentials.
    The trusted 3rd party is the identity provider (IdP)

    Password hash - we never store actual passwords, not even the encrypted version of them, in the CRM database or SuperID. Instead, we store a hash - an encrypted value that we can use to validate a password. We calculate the hash based on an industry-standard algorithm and store the random-looking string of characters. The transformation from a human-readable entered password to hash is a one-way operation: we can't reconstruct the password, so resetting a password means to generate a new hash for a new password.

    User accounts and passwords

    Model Password granularity Password type Password storage Password mngt. Authentication
    SuperID - basic one-to-many text string or key phrase centrally id.superoffice.com SuperID user account
    SuperID - federated one-to-many up to the identity provider Microsoft or Google identity provider Microsoft or Google account


    SuperID / Login

    SuperOffice identity provider SuperID, handling federation with other systems on behalf of all clients in Online (TrayApp/WebTools/MailLink, Pocket/Mobile, Crm.web, AppStore apps, etc.), has very good support for OpenID Connect.

    • We use industry-standard OAuth 2.0 access tokens and refresh tokens representing a user signed in to an application.
    • The access token is valid for 1 hour. The refresh token is valid for several years.
    • Access tokens can't be shared between applications.
    • The tokens are unique per user and application and are stored on the device.
    • WebTools, MailLink, and the mobile client use industry-standard OAuth 2.0 for Native Apps (RFC 8252).
    • Fingerprint authentication is available only for SuperOffice Onsite customers
    • The login screen in Mobile CRM for online customers, is the central web site that is shared with the web client.

    Authenticatin and IdP

    Mobile CRM will delegate authentication to SuperId. SuperId have standard support for Google and Microsoft and can offer custom implementations if needed.
    Integration with Office 365 and SharePoint requires that the user authenticates using Microsoft Azure AD.

    Customers who use Citrix and Office 365 often have a set-up where Azure AD Authentication is delegated to ADFS or other systems. We support this.

    • SuperId will use standard connector with Azure AD
    • All clients, including TrayApp/WebTools/MailLink, Pocket/Mobile, Crm.web, AppStore apps, etc. will delegate authentication to SuperId.
    • Login with Google will support the new Google security policy for mobile apps
    • Users using IdP (Google / MS365), the IdP admin can retract token authorization (expire)

    Prefereces:

    • SuperOffice Admin - Preferences - Global preferences:
      • Autologout time
        • Time in minutes the application can be kept idle in the background before an automatically logout is performed. Default value = 0, means no timeout.
      • Diable autologin
        • Prevent Mobile CRM client from logging in automatically on startup. Default = No.

    imaged0zh.png

    Configuration / setup of Mobile CRM

    Apps are distributed via the respective OS' app store channels.

    In order to download the Mobile CRM to your mobile device, open a web browser on your device and navigate to: online.superoffice.com/mobile and click "install" to choose your device type.

    It is a free app included with all user plans and available to all users of iOS or Android smartphones and tablets.

    As Mobile CRM can be used for both oniste installation and online tenants, the app needs to know which authenticatin service to use (CRM Online: True/False). There are 3 initial ways to set Mobile CRM to connect to CRM Online:

    • User select: User choice in Mobile CRM on first initial start of the app
    • soprotocol: The soprotocol is used to automatically configure Mobile CRM to connect to CRM Online.
    • QR-code: scan a QR-code in Web-client, using the Mobile CRM app.

    This will rediect the user to the CRM Online login page for authentication. User will here need to authenticate to log in. Log in with the same e-mail address and password you use for the SuperOffice CRM Online and you are ready to use SuperOffice Pocket CRM

    imagexkoj.png 

    FAQ

    Session timeout
    => Can we set a session timeout and where can it be set?
    A: Yes, set a value in SuperOffice Admin preferances: autologout time (minutes)

    Read Only mode
    => Can Mobile CRM be set up to be strictly 'read only'?
    A: The access rights are set via Roles in Admin, and will apply as same as Web client access

    Phone is stolen
    => in the scenario of the phone is stolen - do they have access to the CRM data?
    A:  SuperOffice Admin preferances: diable autologin can be set to force users to log in each time.
    If not set, they still needs to first be able to unlook the phone to start Mobile CRM. The user must change their SuperOffice CRM Online password to ensure to avoid possible data theft.

    Don't allow any software on mobile clients to cache customer data
    => My Enterprise Security team will not allow any software on mobile clients that can show / cache customer data, unless the software uses Two Factor Authentication (2FA) or access over VPN only, 
    A: Enable IdP for all users, and enable 2FA for the IdP provider. No option to support VPN to CRM Online.