2.1 Minimum system version
EBF Files runs on iOS/iPadOS version 15 and above.
On Android, EBF Files works on Android 12 and up.
2.2 SMB support
EBF Files supports the SMB2 and SMB3 protocols (SMB3.0). For SMB3, encrypted SMB communication is used by default if the SMB server has encryption activated:
Set-SmbServerConfiguration -EncryptData 1
To enforce encrypted communication the SMB admin must activate this setting on the SMB server:
Set-SmbServerConfiguration -RejectUnencryptedAccess 1
For DFS shares, referrals must be created with FQDN addresses.
2.3 AppConfig
It is mandatory for EBF Files to receive an AppConfig or a Managed-AppConfig from a UEM system (e.g. Ivanti EPMM, Microsoft Intune, Jamf). The AppConfig can/must (see table below) contain the following key/value pairs, where all values are of type “string”:
Key | Value / Description |
customerName | Ex.: “EBF GmbH”. This key is mandatory. |
licenseKey | A valid license key that is assigned to the customer and contains a validity end date. If the end date is reached, an error will pop up when opening the app. You can contact our Sales team to receive valid license keys. This key is mandatory. |
licenseCount | Ex.: 150. The licenseCount results from the number of devices that will use the app. This key is mandatory. |
serverlessConfig | The content of this parameter is coded in a JSON structure. Find more details in chapter 2.5. This key is mandatory. |
serverUrl | Provide the URL to an EBF Files server, if needed (legacy). This cannot be used in combination with “serverlessConfig”. |
allowAnalytics | Enable/disable transmission of error analytics. default = true |
allowCustomCert | Enable custom certificates to access on-premise servers. default = false |
allowLibraryUpload | Activate/deactivate access to the photo library. If deactivated, only pictures taken with the camera integrated in the EBF Files app can be stored. default = true |
allowLoadContentFromCache | If enabled, the content is loaded initially from the local data, then compared with the server data in case there are updates, then populated. If disabled, the content is loaded from the server, then populated. default = false |
deactivateAppEncryption | With this parameter the administrator can deactivate the need for defining and entering an encryption password on startup of EBF Files. If deactivated, data is still encrypted on the device. default = false |
defaultImportPath | Example: “/temp”. Used to indicate the default location for imported files in the local documents container. |
encryptionPasswordPolicy | Value must be in JSON format. Please check chapter 2.4 for more details. |
logLevel | Log level in the app (view and export in the settings screen). Possible values are “all”, “exception” and “none”. default = none |
username | Use this to pre-fill e.g. the user’s email address for login to an EBF Files server. Used only in combination with “serverUrl”. |
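A pre-deployment check of an AppConfig payload against the rules in the table above, as an added example (not EBF code). The function name, the finding texts, the treatment of the legacy “serverUrl” as the only substitute for “serverlessConfig”, and the boolean spelling “true”/“false” are assumptions.

```python
import json

MANDATORY = ("customerName", "licenseKey", "licenseCount")
LOG_LEVELS = {"all", "exception", "none"}
# Keys that default to false; "true" relaxes a protection and deserves review.
REVIEW_IF_TRUE = ("allowCustomCert", "deactivateAppEncryption")


def lint_appconfig(cfg):
    """Return a list of findings for an AppConfig given as a dict."""
    findings = []
    for key, value in cfg.items():
        if not isinstance(value, str):
            findings.append(f"{key}: value must be of type string")
    for key in MANDATORY:
        if key not in cfg:
            findings.append(f"{key}: mandatory key is missing")
    has_serverless, has_url = "serverlessConfig" in cfg, "serverUrl" in cfg
    if has_serverless and has_url:
        findings.append("serverUrl: cannot be combined with serverlessConfig")
    if not has_serverless and not has_url:
        # Assumption: the legacy serverUrl is the only substitute.
        findings.append("serverlessConfig: mandatory key is missing")
    if "username" in cfg and not has_url:
        findings.append("username: only used in combination with serverUrl")
    for key in ("serverlessConfig", "encryptionPasswordPolicy"):
        if isinstance(cfg.get(key), str):
            try:
                json.loads(cfg[key])
            except ValueError:
                findings.append(f"{key}: value is not valid JSON")
    if str(cfg.get("logLevel", "none")) not in LOG_LEVELS:
        findings.append("logLevel: must be all, exception or none")
    for key in REVIEW_IF_TRUE:
        # Assumption: booleans are sent as the strings "true"/"false".
        if str(cfg.get(key, "false")).lower() == "true":
            findings.append(f"{key}: set to true, default is false")
    return findings

# Constructed sample payload, not a real customer configuration.
SAMPLE = {
    "customerName": "Example Corp",
    "licenseKey": "PLACEHOLDER-LICENSE-KEY",
    "licenseCount": 150,  # wrong type: must be the string "150"
    "serverlessConfig": "{}",
    "serverUrl": "https://files.example.invalid",
    "allowCustomCert": "true",
    "logLevel": "debug",
}
```

Calling lint_appconfig(SAMPLE) reports the non-string licenseCount, the serverUrl/serverlessConfig conflict, the unknown logLevel and the enabled allowCustomCert.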
2.4 Encryption password policy
By default, EBF Files does not enforce a policy for the encryption password. By using this parameter you can establish a policy.
Character classes that can be used are “upper case”, “lower case”, “numbers”, “special character”.
MaxLength: Maximum length of the password
MinLength: Minimum Length of the password
Complexity:
0 = no restriction
1 = 2 out of 4 character classes must be used
2 = 3 out of 4 character classes must be used
3 = 4 out of 4 character classes must be used
Example:
{
"MaxLength": 16, "MinLength": 3, "Complexity": 0
}
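How a policy value evaluates against candidate passwords, as an added example (not EBF code) that lets an administrator see what a given “encryptionPasswordPolicy” accepts before deploying it. The function names, the handling of missing keys, and the reading of “special character” as ASCII punctuation are assumptions; the app's own classification may differ.

```python
import json
import string

# Character classes required per Complexity value (0 = no restriction).
REQUIRED_CLASSES = {0: 0, 1: 2, 2: 3, 3: 4}


def count_classes(password):
    """Count how many of the four character classes occur in the password."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        # Assumption: "special character" means ASCII punctuation.
        any(c in string.punctuation for c in password),
    ))


def check_password(password, policy_json):
    """Return the list of policy violations; an empty list means accepted."""
    policy = json.loads(policy_json)
    complexity = policy.get("Complexity", 0)
    if complexity not in REQUIRED_CLASSES:
        raise ValueError(f"Complexity must be 0..3, got {complexity!r}")
    min_len, max_len = policy.get("MinLength"), policy.get("MaxLength")
    if min_len is not None and max_len is not None and min_len > max_len:
        raise ValueError("MinLength exceeds MaxLength: no password can pass")
    problems = []
    if min_len is not None and len(password) < min_len:
        problems.append(f"shorter than MinLength {min_len}")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than MaxLength {max_len}")
    used, needed = count_classes(password), REQUIRED_CLASSES[complexity]
    if used < needed:
        problems.append(f"uses {used} of 4 character classes, {needed} required")
    return problems


# The example policy from this chapter and a constructed stricter one.
PAGE_EXAMPLE = '{"MaxLength": 16, "MinLength": 3, "Complexity": 0}'
STRICTER = '{"MaxLength": 64, "MinLength": 12, "Complexity": 2}'
```

With PAGE_EXAMPLE the password “abc” is accepted, while STRICTER rejects it for both length and character classes.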
2.5 Container configuration
For parameter “serverlessConfig” a JSON string needs to be provided containing all the data needed to access the different data sources (containers).
Here is the list of all container types accepted by the client application while parsing the configuration: OneDriveOnline, SharePointOnline, OneDriveOnPrem, SharePointOnPrem, MicrosoftSMBClient.
A description of the JSON values can be seen in the table below:
Attribute name | Sub-attributes | Value type | Description |
AppSettings: An object containing the general settings of the app. |
FileSystems: A collection of FileSystems, each of which contains the settings for one or several containers. |
Structure for OneDrive and Sharepoint containers:
Here is an example of a JSON configuration to be put into the AppConfig parameter “serverlessConfig”:
Files_Serverless_Config_Doku
2.6 AppTunnel/VPN
EBF Files uses server port 443 for communication with O365 and OneDrive/Sharepoint On-Premise data sources.
For SMB communication port 445 is used.
You may need to implement a VPN solution on the device to secure access to On-Premise data sources like OneDrive/Sharepoint On-Premise and SMB file servers.
In that case it is recommended to use a UEM system’s VPN solution.
2.7 Authentication and permissions
EBF Files currently allows user authentication via basic authentication and NTLM.
Kerberos SSO (Ivanti) can be used on iOS/iPadOS devices in combination with OneDrive/Sharepoint On-Premise servers.
For accessing documents from OneDrive/Sharepoint in O365, the Azure Application ID must be created with the following permissions, all of type “Delegated”:
API permission name | Description |
Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. |
Directory.Read.All | Allows the app to read data in your organization’s directory, such as users, groups and apps. |
Files.ReadWrite | Allows the app to read, create, update and delete the signed-in user’s files. |
Files.ReadWrite.All | Allows the app to read, create, update and delete all files the signed-in user can access. Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. |
GroupMember.Read.All | Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. |
People.Read | Allows the app to read a ranked list of relevant people of the signed-in user. |
People.Read.All | Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization. |
Sites.Manage.All | Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user. |
Sites.Read.All | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. |
Sites.ReadWrite.All | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
User.Read | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. |
User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo. |
If a customer is using ADFS for authentication to Azure, he must make sure that “forms-based authentication” is activated for the authentication to succeed on the device. Otherwise he could see a message like “An error occurred. Contact your administrator for more information.”
2.8 Android specifics
The admin needs to make sure a browser app is installed in the device’s Work Profile to allow EBF Files to open a web view internally for the user to login to O365.
2.9 Container security class
For each container a security class can be defined. Different security classes are:
- Public (0)
- Internal (1)
- Confidential (2)
- Strict Confidential (3)
The security class has an effect when a user wants to copy/move a file or folder from one container to another.
These actions are possible only if the destination container has the same security level or higher.
Example of a user with two containers A and B:
- Container A has security class “Public” (0).
- Container B has security class “Confidential” (2).
The user can copy/move documents from container A to Container B, but he cannot copy/move documents from container B to container A. Only copy/move of documents inside of container B is allowed.
2.10 Azure Application ID
The Azure Application ID is a resource in Microsoft Azure needed to give EBF Files access to a customer’s OneDrive and SharePoint data sources. The Azure app registration must be configured with the following settings:
- Multitenant
- The iOS app redirect URL to public / native app with URL: “msauth.de.ebf.files://auth”
- The Android app redirect URL to public / native app with URL: “msauth://de.ebf.files/IF7piqtBrepbr0kQg79zjvHgTpE%3D”
Find more information on how to create an Azure Application ID here: Create Azure Application.