Acronis Access Advanced - User Guide User Manual

Copyright © Acronis International GmbH, 2002-2014

Once the certificate file has been created, remove its extension completely by deleting the “.PFX” or
“.P12” from the file name. This is required so that the file can be opened in Acronis Access using
the standard iOS “Open In” function.

To send and install the file using email:

1. Compose an email to the user and attach the certificate file to the email. Ensure that you’ve
   removed the extension from the certificate file, as described above.
2. When the user receives the email on their device, they simply tap the attached file and choose
   “Open in Acronis Access” from the pop-up menu.
3. Acronis Access will start and the user will be prompted to confirm they want to add the
   certificate to Acronis Access.
4. The user will then be prompted to enter the private key password.
5. Once the password is entered, the certificate is added to Acronis Access and the client will be
   able to perform certificate authentication with a Gateway server and HTTPS reverse proxy server.

The status of the installed certificate can be viewed by opening the Settings menu in the Acronis
Access app.

2.1.3.9 Using Kerberos Constrained Delegation authentication

Gateway Servers in Acronis Access 5.1 or newer support authentication using Kerberos Constrained
Delegation.

One scenario is to use Kerberos Constrained Delegation to authenticate Acronis Access iOS clients
that connect with client certificates through a reverse proxy (e.g. TMG). In this scenario you will need
to install a user certificate (p. 42) in the Access Mobile Client app. This certificate needs to be bound
to Active Directory.

Another scenario is to authenticate mobile devices with client certificates using MobileIron
AppTunnel. In this scenario you must have Acronis Access and Mobile@Work installed on your device
and a MobileIron Sentry set up on a server. The Sentry is a standalone component which provides
access control and tunneling. It provides the secure infrastructure that AppTunnel uses for app data.
You don't have to install a client certificate in the Acronis Access app, as the MobileIron AppTunnel
will take care of that.

Note: Please visit the Using AppConnect with Kerberos Constrained Delegation section for more information on
configuring MobileIron and Acronis Access with Kerberos Constrained Delegation.

The Apache Tomcat used by the Acronis Access Server does not support either Kerberos or client
certificate authentication. In order to use either of these authentication methods, you must have a
Gateway Server installed on the same machine as the Acronis Access Server and the mobile clients
must enroll using the Gateway Server's address. When a user enrolls with the Gateway Server
instead of the Access Server, all authentication is done by the Gateway Server, thus allowing the use
of Kerberos Constrained Delegation and client certificates. All management features are still
enforced by the Acronis Access Server, but the authentication is done by the Gateway Server.

Note: When using this method, if the Gateway Server service crashes or is disabled, clients enrolled with it will
not be able to connect to the management server even though the Acronis Access Server is still running.

Note: When using this form of authentication, mobile clients cannot access Sync&Share Data Sources.