PAM360 Mobile Application - iOS

PAM360's mobile application for iOS brings the solution's comprehensive enterprise password management features to your fingertips, thereby making on-the-go management of your enterprise's privileged accounts and passwords more accessible through your mobile device. Since the iOS application uses advanced AES-256 encryption to encrypt all your data, accessing your enterprise accounts through your iOS device is just as secure as PAM360's desktop installation. The mobile application also secures all communication between your PAM360 server and the iOS application using the HTTPS protocol over SSL.

Note: The PAM360 iOS application requires a valid working instance of the ManageEngine PAM360 web application.

At the end of this document, you will have learned the following:

1. Salient Features
2. How does Secure Authentication Work in the PAM360 Mobile Application?
3. Getting Started with the Application

   3.1 Application Overview

   3.2 Installation and Authentication

4. PAM360 iOS Application - Navigation Menu

   4.1 Enterprise

   4.2 Requests

   4.3 Advanced

   4.4 Personal

   4.5 Settings

5. Uninstalling the Mobile Application

1. Salient Features

PAM360's iOS application comes with an all-encompassing set of features that can help you take control of your privileged accounts, even when you are away from the desktop installation.

• View and manage all passwords that are owned or managed by you.
• Approve/reject password requests and monitor who checks out passwords directly from the PAM360 iOS application. Also, send password requests, and perform password check in and check out through the mobile application.
• Incorporate ticket ID validation through PAM360's ticketing system integration to secure your access approval workflow even further.
• View and manage your SSH keys and SSL certificate details at any time.
• Store and manage your critical personal information such as credit card numbers for on-the-go access. PAM360's iOS application encrypts your personal data using the advanced AES-256 encryption algorithm.
• Save important passwords offline to access them even when you do not have access to the Internet.

2. How does Secure Authentication work in the PAM360 Mobile Application?

The application offers Two-Factor Authentication (TFA) for enhanced security. Once enabled, users have to authenticate themselves through two successive stages to access the mobile interface. There are three ways of doing the first level of authentication: PAM360's native authentication using Active Directory/LDAP/Microsoft Entra ID credentials, or via SAML SSO. The second level of authentication can be done through any of the Two-Factor Authentication provisions supported by PAM360. After the Two-Factor Authentication is complete, PAM360 prompts you to set up a passphrase for your account, with a minimum of 8 characters, used for mobile authentication. All your offline data is encrypted using the advanced AES-256 encryption algorithm. Please note that the application does not store your passphrase, and it is mandatory to enter the passphrase during login.

Administrators can selectively allow or restrict mobile application access to users. Navigate to Admin >> Users >> More Actions and click the Restrict Mobile Access option. The users with the restriction cannot log in to their PAM360 accounts through the iOS application.

Similarly, administrators can allow users to cache passwords in their mobile devices. Go to Admin >> General Settings >> User Management and select Allow password caching for offline access via mobile. Leave this option unchecked to restrict users from accessing passwords offline.

3. Getting Started with the Application

3.1 Application Overview

Supported Devices	iPhone, iPod Touch
Compatibility	Requires iOS 13.0 or higher
Size	19.5 Mb (approx)
Languages Supported	English, French, German, Japanese, Polish, Simplified Chinese, Spanish, Traditional Chinese, Turkish, Portuguese, Italian, Russian, and Dutch. Note: Please select your desired language on the PAM360 desktop installation and the mobile device.

3.2 Installation and Authentication

Follow the below steps to download and install the PAM360 mobile application:

1. Go to the App Store and search for ManageEngine PAM360 or click this direct link.
2. Click Install to install the application on your device.
3. After successful installation, enter the following details to get started with the mobile application:
   1. Enter the Server Name or IP address in which PAM360 is running, along with the Port. If your PAM360 server is installed in a physical network, ensure that the PAM360 server and the mobile application are connected to the same network. However, if your PAM360 server is hosted in the cloud, your mobile application will work from a different network as well.
   
   2. To login, enter the username & password of your PAM360 account. The iOS application supports three ways of authentication; login through PAM360's native authentication, through Active Directory/LDAP/Microsoft Entra ID authentication, and via SAML SSO. To login using Active Directory/LDAP credentials, select your domain name from the drop-down list. If SAML single sign on is enabled in your PAM360 server, a browser window opens within the application.
   
   3. Here, enter your SAML SSO credentials to login. To skip the SAML SSO login, close the browser window and you will be redirected to the application's login page.
   4. Set up a passphrase for your account. Please note that the application does not store your passphrase, and it is mandatory to enter the passphrase during login, each time you access the mobile application. You have a total of five attempts to enter the correct passphrase, after which you will be logged out of the application automatically. If you have forgotten your login passphrase, tap the Forgot Passphrase option to set up a new one.
   

4. PAM360 iOS Application - Navigation Menu

Once you have signed into your PAM360 account through the iOS application, you will see the Navigation Menu on the main screen with the following options that will help you navigate the iOS application efficiently:

1. Enterprise
2. Requests
3. Advanced
4. Personal
5. Settings

i. Choosing Client Organization as an MSP User

If you are an MSP user, PAM360's iOS application allows you to manage the administrative passwords of all your clients separately from a single management console. The application neatly segregates client organizations into different sections, which you can tap to view all the passwords belonging to that particular organization. As MSP admin, even though you can view the names of the organizations you manage, you will be able to view the data on all your customers only if you add their resources or if they share their resources with you. Your clients will be able to view the data belonging to their organization only.

As an MSP user, you can choose a client organization and view all the resources under it. To do so:

1. Tap the hamburger icon to open the Navigation Menu. Here, tap on the organization name to display all the available client organizations.
2. Tap the client organization name to display all the resources specific to the selected organization. Please note that the mobile interface will display only the resources specific to the selected organization.

4.1 Enterprise

By default, the application displays a list of all the resources on the main screen. From here, tap on any resource to view the accounts associated with it. Tap the hamburger icon at the top left corner to open the Enterprise menu. This menu displays a list of resources owned or managed by you, categorized as below:

1. All My Passwords
2. Favorites
3. Recents
4. Windows RDP Passwords
5. SSH Passwords
6. SSH Keys
7. SSL Certificates
8. Resource Groups

Each menu has a dedicated Search icon that allows you to locate accounts within the menu. The application loads a list of accounts as and when you scroll. When you search for an account using a keyword, the application searches for the keyword only in the already loaded list; to search through all available accounts, scroll to the end of the list to load all the accounts.

i. All My Passwords

This category lists all resources and accounts that are owned and managed by you. Tap on any resource/account name to view the resource/account details such as resource owner, resource URL, DNS name, resource type, passwords, resource name, account notes, and last accessed time. To view the password of a particular account, tap on the eye icon beside the password. Tap the Search icon to search for any account within the selected resource, using a search keyword.

ii. Favorites

This option is to have quick access to the list of passwords that you marked as Favorites. To mark any password as your favorite, tap the star icon beside the required password in any category. Marking passwords as Favorites helps you locate a particular account and its password easily, without the need to scroll through the entire list every time. Tap the Search icon to search for any account within the selected resource, using a search keyword.

iii. Recents

This menu helps you view-only the list of resources and passwords that you have recently viewed or used. From the list, you can tap on any resource to view its accounts and their corresponding details. Tap the Search icon to search for any account within the selected resource, using a search keyword.

iv. Windows RDP Passwords

If your network contains a list of resources of various OS types, the Windows RDP Passwords option will help you to view only the list of Windows resources and their corresponding accounts. Tap on any resource/account name to view the resource/account details such as resource owner, resource URL, DNS name, resource type, passwords, resource name, account notes, and last accessed time. To view the password of a particular account, tap on the eye icon beside the password.

v. SSH Passwords

This option gives you a consolidated view of all the resources that you can access through an SSH connection. Tap on any resource on this list to view its user accounts. Tap on any account to view the account details, such as the masked password, last modified time, last accessed time, and password expiry date. Tap the Search icon to search for any account within the selected resource, using a search keyword.

vi. SSH Keys

Tap the SSH Keys option from the Enterprise menu to view all the SSH keys that you are managing in the PAM360 repository. Tap any SSH key to view key details such as Key Type, Key Length, the key's Fingerprint, Username of the user who created the key, and Age of the key.

vii. SSL Certificates

Tap the Certificates option from the Enterprise menu to view all the SSL certificates that you are managing in the PAM360 repository. Tap any SSL certificate from the list to view the following certificate details: Common Name, Port, Validity period, SAN, Issuer, Signature Algorithm, Finger Print, Serial Number, Key Algorithm, Key Size, Issuer.

viii. Resource Groups

Administrators can create resource groups to combine similar resources for easier management. The grouping can be done either by specifying individual resources (Static group) or by specifying a set of criteria (Dynamic group). In the case of a dynamic or a criteria-based group, whenever a newly added resource matches the criteria of an existing group, PAM360 automatically adds the resource to this group. You can share the resource groups with other users or user groups. Users to whom the groups are shared can see the passwords of only the resources that are part of the shared group at that time.

Tap the Resource Groups option from the Enterprise Filter menu to view all the resource groups that are owned or managed by you. If a resource group has a subgroup, it will be indicated by a connection icon; to view the subgroups, simply tap the icon. If you wish to view the resources within a resource group, tap the name of the required resource group. Similarly, tap a resource name within the resource group to view the accounts that belong to the selected resource, and the account name to view the account details.

4.2 Requests

PAM360 provides an access control mechanism that allows administrators to grant password access to users for a specific period. Admins can start granting exclusive privileges once a password is ready to share, and only one user is allowed to use a particular password at a single point in time. Through PAM360's iOS application, administrators can view the list of pending password access requests from other users and act upon them.

As an administrator, the Password Access Requests tab offers two sections:

1. Pending - to view the list of password access requests.
2. Check-In - to view the passwords that are currently in use and yet to be checked in.
3. Approved - to view the password requests that are approved by the administrators. This option includes details about the resource such as the resource name, account name, and date & time.
4. Rejected - to view the password requests that are rejected by the administrators. This option includes details about the resource such as the resource name, account name, and date & time.

To send a password access request, tap an account, and tap the Request option in the account details section. Once your request has gone through, the status will change to Waiting for Approval.

Once an admin has approved your password request, you will be notified of the same, and the password will be available for Check Out. Once you check out the password for use, the status changes to In Use. Other users can see this status change in both the Check-In tab and the Account Details section of the particular account. To give up access to the password, tap the Check-In option. Now, the password is checked back into the PAM360 vault.

Once you check in the password and give up your access, you must go through the request-release workflow once again, if you should need access to it again. PAM360's iOS application also supports ticketing desk integration. Through the integration, PAM360 will prompt users to provide a ticket ID along with their request. Then, PAM360 will validate whether the ticket ID entered by the user exists in the ticketing system or not and only then grant access to the user to view the password.

4.3 Advanced

Advanced Search in PAM360's iOS application is a handy feature that can help you find any particular user or resource instantly. Tap Advanced from the navigation menu to either enter a keyword like Name, Department, Location, or use one of the many search filters available to tailor your search better. The Advanced Search section offers two separate tabs: Enterprise and Personal. In the Enterprise section, you can use search filters to tailor your search. The available search filters are Resource Name, DNS Name, User Account, Resource Type, Resource Description, Department, Location, Domain Name, and Resource URL. In the Personal section, the available search filters are Web Accounts, Banking, Credit Cards, and Contacts. In addition to these default search filters, if you have created any additional fields in PAM360's desktop installation, those custom column names will also appear as filters in the Advanced Search page. For example, the tab in PAM360 comes with an option to add Tags for the information you store. Use these tags as the keywords to search for data in the Personal section of the Advanced Search page.

4.4 Personal

Apart from storing enterprise passwords, PAM360's iOS application allows you to store personal passwords in the PAM360 repository. The application provides four default categories: Web Accounts, Banking, Credit Cards, and Contacts. Among these categories, you can save your utmost personal data such as your personal email account information, credit card numbers, and other banking data, contact addresses, and phone numbers.

In addition to the default categories, add any number of additional custom fields to your Personal tab from the desktop application to store other information. For instance, if you wish to store details about the properties that you own, then add a custom category named Properties.

The application stores your personal data in a private repository that only you can access through the Personal tab. All information stored here is encrypted independently and hidden from all other users, including the administrator. While adding account details to the Personal tab, there is an option to add Tags. Under this attribute, add keywords that can be used to search for the account under a particular category. Tap the Search icon and enter a keyword that was previously added as a tag to locate the account you are looking for.

4.4.1 Setting up a Personal Passphrase

To use the Personal tab in the application, you must set up a valid passphrase in PAM360's desktop installation and activate your Personal repository; do ensure the passphrase you provide matches the complexity rules enforced by your organization, if any. Once you set up your passphrase, you must enter it every time you need access to your personal passwords. Tap the refresh icon available at the top in case there is a change in the status of the personal passphrase. For example, if you try to login to your personal repository before setting up a passphrase, the application will not let you in. Once you create a passphrase in the desktop application, you can hit refresh in this page and login with your newly created passphrase right away, without moving out of the Personal tab.

Note: Please note that if you forget or misplace the passphrase used for your Personal repository, you cannot reset the passphrase or retrieve your personal data without it.

Alternatively, PAM360's iOS application provides the option to login to the Personal tab using your mobile device's Touch ID. Click here to learn how to enable Touch ID for the Personal tab.

4.4.2 Exiting the Personal Tab

To exit the Personal tab, tap the lock icon at the top right corner. You will return to the All My Passwords section and the Personal tab will be locked. To enter the Personal tab again, you must supply the passphrase again.

4.5 Settings

The Settings menu offers a comprehensive collection of options that are split categorically for ease of use. Use this menu to customize various security options, view login details, privacy policy of the iOS application, and more.

4.5.1 Login

The Login section displays the Username and Server address to which PAM360 is currently connected. If the High Availability feature is turned on in your environment, then the iOS application will also display the secondary server details on the Settings page. If the primary server is down, you can connect it to the secondary server for uninterrupted service.

4.5.2 Smart Login

The Smart Login feature enables seamless access to the PAM360 web interface by simply scanning the QR code presented on the PAM360 webpage. This direct login approach streamlines the process, providing password less authentication and substantially minimizing the effort required for web login, all while maintaining robust security measures.

1. Head to the PAM360 login webpage and select the Smart Sign-In option.
   
2. Using the QR scanner available in the Smart Login section, scan the QR code displayed on the PAM360 web interface.
   
3. By doing so, you will be logged in to your PAM360 account.

4.5.3 Security

The Security section has the following options:

i. Stay active in the background for
Set the duration for how long the application should remain logged in to your account when the application goes into the background. You can choose any one duration ranging from 1 to 8 hours. This option will allow you to stay logged into PAM360 when you need to switch between PAM360 and other applications multiple times. Alternatively, tap Never to log out as soon as the application goes into the background.

ii. Skip passphrase

If you leave the application, however briefly, without logging out, it will prompt you to enter your passphrase again to get back in. Set a duration for the application to not prompt for the passphrase while running in the background. You can choose any one duration ranging from 30 to 120 seconds. Alternatively, tap Never to always prompt for a passphrase during login.

iii. Clear Clipboard
PAM360's iOS application can preserve any data you copy from within the application for a specified duration. To copy any password, tap the copy icon that is present beside the password. Tap the Clear Clipboard option to set a duration to preserve content you have copied to the clipboard. You can choose any one duration ranging from 30 to 120 seconds. Alternatively, tap Never to never save any copied content in the clipboard.

iv. Reset Passphrase
Tap this option to erase all cached data saved in this device. Once reset, all offline passwords will be inaccessible and you will have to set up a new passphrase to reinstate access.

4.5.4 Touch ID

Use the toggle buttons to enable Touch ID support to access your Enterprise and Personal passwords. Enabling Touch ID will allow you to access your passwords without having to enter your passphrase every time. However, please note that, if you enable this option, your login credentials will be stored in your device's keychain.

4.5.5 Offline Access

The toggle buttons beside Enterprise and Personal indicate whether the PAM360 application is currently in online or offline mode. PAM360's iOS application offers a secure offline mode that allows you to access passwords even when you do not have access to the internet. To access passwords in the offline mode, download the required passwords first; only the passwords which are downloaded before going offline would be available for access in the offline mode. Apart from downloading individual passwords, the application allows you to download a group of passwords from the Enterprise menu, such as the Favorites, Recents, Windows RDP Passwords, and SSH Passwords. Additionally, you can download resource groups and personal passwords. To download passwords for offline access, go to the Enterprise menu, and click the downward arrow beside the required list of passwords.

4.5.6 Themes

Using this option, change the background color of your application. As of now, there are four colors to choose from: Blue, Green, Red, and Dark Blue.

4.5.7 Analytics

Apart from the above options, you can choose to share Usage Statistics or Crash Reports to ManageEngine by using toggle buttons under Analytics. Usage statistics data gives an insight into usability data such as what features of the application you use more, how frequently, etc. This type of data is used as research to learn user behavior, gather pain points, if any, and enhance the application's performance and user experience based on the data. Crash reports are detailed system logs that capture the state of the application when the crash happens. Collecting and analyzing this data will help us learn what caused the application to crash and rectify it in the next version.

4.5.8 Clear Offline Data

Under this, you will find two options:

Clear Enterprise Offline Data - Tap this option to clear all offline cache. This action will delete all your enterprise passwords that are saved offline.

Clear Personal Offline Data - Tap this option to clear all personal offline cache. This action will delete all your personal passwords that are saved offline.

4.5.9 About

Feedback - This option allows you to leave feedback regarding the functionality of the application anonymously.

Rate This App - This option redirects you to the App Store where you can leave a rating for the application.

Take a Tour - This option offers you a brief and concise tour of the main functionalities of the application.

In addition to the above, you can read PAM360's Privacy Policy and Acknowledgments in this section.

5. Uninstalling the Mobile Application

To uninstall the mobile application, follow the below steps:

1. Locate the ManageEngine PAM360 application on your device, long press the icon, and click Uninstall.
2. Tap OK in the confirmation pop-up.

Now, the PAM360 mobile application is successfully uninstalled. Once you uninstall the application, all PAM360-related data is removed from the device.