02. Requirements and Configuration

8 min read

2.1 Minimum system version

EBF Files will run on both iOS/iPadOS version 17 and above.

For Android EBF Files works on Android 14 and up.

2.2 SMB support

EBF Files support SMB2 and SMB3 protocol (SMB3.0). For SMB3, encrypted SMB communication will be used by default, if the SMB server has encryption activated.

Set-SmbServerConfiguration -EncryptData 1

To enforce encrypted communication the SMB admin must activate this setting on the SMB server:

Set-SmbServerConfiguration -RejectUnencryptedAccess 1

For DFS shares it is important, that referrals must be created with FQDN addresses.

2.3 AppConfig

It is mandatory for EBF Files to receive an AppConfig or a Managed-AppConfig from an UEM System (e.g. Ivanti EPMM, Microsoft Intune, Jamf). The AppConfig can/must (see table below) contain the following key/value pairs, where all values are of type “string”:

Key	Value / Description
customerName	Ex.: “EBF GmbH”. This key is mandatory.
licenseKey	A valid license key that is being assigned to the customer which contains a validity end date. If the end date is reached, an error will pop-up when opening the app. You can contact our Sales team to receive valid license keys.This key is mandatory.
licenseCount	Ex.: 150 The licenseCount results from the number of devices that will use the app. This key is mandatory.
serverlessConfig	The content of this parameter is coded in a JSON structure. Find more details in chapter 02.5. This key is mandatory.
serverUrl	Provide the URL to an EBF Files server, if needed (legacy). This can not be used in combination with “serverlessConfig”.
allowAnalytics	Enable/Disable transmission of error analytics default = true
allowCustomCert	Enable custom certificates to access on premise servers. default = false
allowLibraryUpload	Activate/Deactivate the photo library allowing only camera integrated in EBF Files app to be stored. default = true
allowLoadContentFromCache	If enabled, the content will be loaded initially from the local data then compared with the server data in case there are updates, then populated. If disabled, the content will be loaded from the server then populated. default = false
deactivateAppEncryption	With his parameter the Administrator can deactivate the need for defining and entering an encryption password on startup of EBF Files. If deactivated, data is still encrypted on the device. default = false
defaultImportPath	Example: “/temp“ Used to indicate the default location for imported files in the local documents container.
encryptionPasswordPolicy	Value must be in JSON format. Please check chapter 02.4. for more details.
logLevel	Log level in the app (view and export in the settings screen). Possible values are „all“, “exception” and “none”. default = none
maximumPdfTabs	Defines how many tabs can be opened in the PDF editor on iPad in landscape mode. default = 3
documentEditorName	This is username that will be used to update the editor name in edited Polaris (office) documents. default = empty
pdfPageBufferSize	Use this to set a different value for PDF page cache (buffer) to have more pages pre-rendered in the PDF editor. Higher values consume more memory resources. A value of 3 or 5 gives already a good scrolling experience. Maximum value is 15. default = 1
username	Use this to pre-fill e.g. user’s email address for login to an EBF Files server. Used only in combination with “serverUrl”.

2.4 Encryption password policy

By default EBF Files does not force a policy for the encryption password. By using this parameter you can establish a policy.

Character classes that can be used are “upper case”, “lower case”, “numbers”, “special character”.

MaxLength: Maximum length of the password

MinLength: Minimum Length of the password

Complexity:
0 = no restriction
1 = 2 out of 4 character classes must be used
2 = 3 out of 4 character classes must be used
3 = 4 out of 4 character classes must be used

Example:
{ "MaxLength": 16, "MinLength": 3, "Complexity": 0 }

2.5 Container configuration

For parameter “serverlessConfig” a JSON string needs to be provided containing all the data needed to access the different data sources (containers).

Here is the list of all container types accepted by the client application while parsing the configuration:

OneDriveOnline, SharePointOnline, OneDriveOnPrem, SharePointOnPrem, MicrosoftSMBClient.

A description of the Json values can be seen in the table below:

Attribute name

Sub-attributes

Value type

Description

AppSettings:An object containing the general settings of app

LicenseKeys
1. Polaris:
LocalDocumentSettings
1. Activate
2. AllowOpenIn
PrimaryColor

String: “40nlp-…-bgh3pl7utz“
All are boolean values
string (Hex format: „#2494C5“)

Contains license keys for SDKs to be able to work correctly, these identifiers will be verified upon SDK initialization in the app.
Indicate whether allowed or not to have a user private container within the containers list (documents only stored locally in device and security measures still apply to this container: encrypted data / data wiped when needed):
1. A local container will be offered to the user, if true
2. Allow to use “Open-In” (Share) feature with documents of this container
Represent the main color of the app (Application Theme/Style)

FileSystems:

A collection of FileSystems each of which contains the settings for one or several containers.

Structure for OneDrive and Sharepoint containers:

ContainerId
ContainerName
ContainerType
ConfigContainerUserName
SecurityClass
OnPremLink
OnPremKerberosAuthLink
OnPremKerberosAuthLinkTypeSoap
ApplicationId
AllowedActions:
1. ShowHiddenFiles
2. ShowSystemFiles
3. AllowCreate
4. AllowUpdate
5. AllowDelete
6. AllowOpenIn
7. AllowSharing
8. AllowSync:
  1. OnlyWifi
  2. OnAppStart

Long
String
Enumeration (see above)
String
Integer
String
String
Boolean
String
All are boolean values

The unique identifier of the container
A short word combination naming the container
Indicates the type of the container.
Username to be prefilled in login screen (optionally needed for ContainerType “OneDriveOnPrem” and “SharePointOnPrem”). Please make sure this parameter is filled, when using Kerberos authentication.
See chapter 02.8.
The complete base URL (including protocol) of the Sharepoint/OneDrive On-Premise instance (mandatory for ContainerType “OneDriveOnPrem” and “SharePointOnPrem”)
The URL (including protocol) to be used for Kerberos authentication to OneDrive/Sharepoint servers (optionally needed for ContainerType “OneDriveOnPrem” and “SharePointOnPrem”)
Should be set to true, if the OnPremKerberosAuthLink is a SOAP endpoint
Dedicated for Online cloud providers, configured via the provider cloud platform such as Azure portal. Get more information about the Azure Application ID in chapter 02.10.
The actions that will be permitted for a container:
1. SMB related property (Not important here = false)
2. SMB related property (Not important here = false)
3. The user is allowed to create/import new items into the current location (current container).
4. The user is allowed to update documents in the current location.
5. The user is allowed to delete items from the current location.
6. The user is allowed to open documents of current location into an external application.
7. The user is allowed to share documents of current location with other users.
8. The user can put items(documents/folders) into Sync, to allow the app to synchronize the content periodically.
  1. Allow Sync only for Wifi, or mobile data also
  2. Should Synchronize items on every app start

Here is an example of a JSON configuration to be put into the AppConfig parameter “serverlessConfig”:
Files_Serverless_Config_Doku

2.6 AppTunnel/VPN

EBF Files uses server port 443 for communication with O365 and OneDrive/Sharepoint On-Premise data sources.

For SMB communication port 445 is used.

You may need to implement a VPN solution on the device to secure access to On-Premise data sources like OneDrive/Sharepoint On-Premise and SMB files servers.
It is recommended to use an UEM system’s VPN solution in that case.

2.7 Authentication and permissions

EBF Files currently allows user authentication via basic authentication and NTLM.
Kerberos SSO (Ivanti) can be used on iOS/iPadOS devices in combination with OneDrive/Sharepoint On-Premise servers.

For accessing documents from OneDrive/Sharepoint in O365 the Azure Application ID must be created with the following permissions all of type “Delegated”:

API permission name	Description
Directory.AccessAsUser.All	Allows the app to have the same access to information in the directory as the signed-in user.
Directory.Read.All	Allows the app to read data in your organization’s directory, such as users, groups and apps.
Files.ReadWrite	Allows the app to read, create, update and delete the signed-in user’s files.
Files.ReadWrite.All	Allows the app to read, create, update and delete all files the signed-in user can access.Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user.
GroupMember.Read.All	Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
People.Read	Allows the app to read a ranked list of relevant people of the signed-in user.
People.Read.All	Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization.
Sites.Manage.All	Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.
Sites.Read.All	Allows the application to read documents and list items in all site collections on behalf of the signed-in user.
SitesReadWrite.All	Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.
User.Read	Allows users to sign-in to the app, and allows the app to read the profile of signed-in users.
User.ReadBasic.All	Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.

If a customer is using an ADFS for authentication to Azure he must make sure that “forms-based authentication” is activated for the authentication to succeed on the device. Otherwise he could see a message like “An error occurred. Contact your administrator for more information.“

2.8 Android specifics

The admin needs to make sure a browser app is installed in the device’s Work Profile to allow EBF Files to open a web view internally for the user to login to O365.

2.9 Container security class

For each container a security class can be defined. Different security classes are:

Public (0)
Internal (1)
Confidential (2)
Strict Confidential (3)

The security class has an effect when a user wants to copy/move a file or folder from one container to another.
These actions are possible only if the destination container has the same security level or higher.
Example of a user with two containers A and B:

Container A has security class “Public” (0).
Container B has security class “Confidential” (2).

The user can copy/move documents from container A to Container B, but he cannot copy/move documents from container B to container A. Only copy/move of documents inside of container B is allowed.

2.10 Azure Application ID

The Azure Application ID is a resource in Microsoft Azure needed to give EBF Files access to a customer’s OneDrive and SharePoint data sources. It is mandatory for the app registration to have set the Azure App Registration Settings to:

Multitenant
The iOS app redirect URL to public / native app with URL: „msauth.de.ebf.files://auth“
The Android app redirect URL to public / native app with URL: “msauth://de.ebf.files/IF7piqtBrepbr0kQg79zjvHgTpE%3D”

Find more information on how to create an Azure Application ID here: Create Azure Application.