07. Administration

EBF Files server allows simultaneous access to multiple file sources on a mobile device. Access and interaction of these sources (called containers) is configurable by a simple to use administrative interface.

The containers or folders from various file systems are defined in the portal and then assigned to corresponding users. The following sections explain the administration role within the Admin Portal as well as the configurability of the mobile EBF Files application.

Permissions

The following diagram illustrates multi-tenant and/or multi-domain capacity of EBF Files server:

There are 3 different admin permission levels:

Tenant Administrator
Users are defined by configuration from an admin LDAP server and can:
- Create organizations
- Add domains to organizations
- Create containers
- Create domain designs
- Assign groups to containers
Organization Administrator
Users are again defined by configuration coming from the admin LDAP server:
- Add domains to organizations
- Create domain designs
- Create containers
- Assign groups to containers
End User
- No EBF Files Server Admin Portal access
- Container access through the EBF Files App

A tenant administrator can define multiple organizations representing for example different organizational branches.

Each organization, a tenant or organization administrator defines at least one domain that represent for example departments. Email suffix is used to identify the domain when the client logs on to the EBF Files server.

It is possible to define different settings and possibly branding for the client for each domain. The settings default from the organization.

For each domain the administrator can define containers. Each container contains independent settings and associated end user groups. Supported container types are:

SharePoint 2019 on Premise
SharePoint 2016 on Premise
SharePoint Online
Files Sharing
Files Sharing (Home Folder)

Settings

After first login to the EBF Files Server Admin Portal, you will be redirected to the settings page where you can search for AD groups of SUPERADMIN and TENANTADMIN.

Admin group(s) that will be set here, will be responsible for creating or updating organizations and domains.

IMPORTANT: Any admin who is not a member of the created group(s) will not be able to login to the web portal (be sure to put all needed groups).

After saving, you will be asked to login again (to get a new token).

Organizations

First create an organization:

Organizational settings act as defaults for the technical domains created under the organization level. The default (or edited) technical domains are containers within the mobile application. Assign a unique name for the organization:

Define the app appearance for the named organization:

The configuration defines the application appearance with the following roles and capabilities:


ORGANIZATION ADMIN ROLE	Administrators are allowed to create technical domains and make setting changes IMPORTANT: Any admin member of the AD group can view or edit this organization (admins from a different group will not see this organization).
APP TITLE	Application title displayed in the app
IMAGE	Background image for the login screen of the app
PRIMARY COLOR	Primary color of the main elements in the app
ALLOW FILE PROVIDER	Activation of iOS Files application integration
Allow other apps to import from EBF Files	Activate Open-in from EBF Files app files
ALLOW LOCAL STORAGE	Activate encrypted local storage on the end device
Allow users to save files to local storage	Enable saving documents to encrypted local storage on the end device
ALLOW FILE FORWARD	Enable forwarding of files via Email
Allow users to forward files from local storage	Enable forwarding of files from local storage
ALLOW FILE OPEN IN	Allow use of Open-In for files within the EBF Files application
Allow users to open files from local storage in other apps	Allow use of Open-In for files within the local storage of the EBF Files application
FORCE USER LOGIN	Activate user login on application start
Force users to login every time they open the app	Activate user login each time application opened

If you already have an organization as .json file you can import it.

Please check the assigned AD groups in the organisation/domain after import and adjust them as needed. This is important to keep them accessible for admins for later maintenance.

Domains

The technical domain is created in a 2-step process, first create a domain:

Next define the user administration associated with this domain:

You can configure the domain in this way:


Domain Name	Domain Name
Domain Type	Domain Type – AD or LDAP
LDAP Server	EBF Files Server resolvable FQDN or IP address of AD Domain Controller or LDAP server
Port	Port to use for communication with LDAP(S) server
Use SSL	SSL connection to the domain controller or LDAP server (use FQDN for server names)
LDAP BASE DN	Entry point for resolution of permission users and/or permission groups used on SMB file servers
LDAP Username	LDAP user with read rights
LDAP Password	LDAP user password
User Identification Selector	UPN – specify the allowed UPN suffixes in the field Identification Suffixes Email Suffix
Identification Suffixes	Permissible suffixes for user identification

Defined the default appearance and allowed actions within the EBF Files app, defaults come from the organization:

IMPORTANT: Any admin member of AD group can view or edit this domain. Admins from a different group will not see this domain.

Click „Save“ to assign domain configurations for the Admin Portal.

If you have already a domain as .json file you can import it.

Please check the assigned AD groups in domain after import and adjust them as needed. This is important to keep them accessible for admins for later maintenance.

Containers

After creating a domain group, domain admins members can create containers. These containers are available in the EBF Files application for the appropriate user groups. These containers can be additionally restricted in scope of use according to the settings in the container configuration.

The following data container types can be created.

OneDrive4Business
Sharepoint
FileShare

The container data protection types:

Public (0)
Internal (1)
Confidential (2)
Strict Confidential (3)

Data protection is applied when user want to copy/move a (file or folder) from one container to another.
those actions are possible only if the destination container has same data protection type or upper.
Example:

Container A has “Public” as data protection.
Container B has “Confidential” as data protection.

User who use Container A can copy/move to Container B, but user using Container B can copy only to the same container B.

OneDrive4Business

Create a container after selecting the company organization and corresponding technical domain:

First select the container type:

Next define the following:

Name of the container in the EBF Files app
Application ID from O365 for OneDrive Cloud: The Application ID is described on the following page:
Create an app with Microsoft Graph – OneDrive API – OneDrive dev center
Please make sure, the Application ID has the permissions required by EBF Files (see below).
In case of OneDrive on-premise enter the server URL in the corresponding field

Finally define:

User groups allowed to use the container in the EBF Files app
Container appearance
Interactions allowed in container

Menu Option	Description
User Groups	User group for the container within EBF Files app. Container access is authorized against the corresponding file backend
Icons	Icon for the file container in the EBF Files app
„+“-Symbol	Add a custom icon in .png form
Show hidden files	Display hidden files within the container
Show system files	Display system files within the container
Allow upload	Allow uploading of local files located on the device to the container
Allow edit	Allow processing of files from the container within the EBF Files app
Allow delete	Allow deletion of files within the container
Allow attach files to mails	Allow sending files as mail attachments
Allow open in other apps	Allow opening files in other applications
Allow synchronization	Allow automated synchronization of files
Start sync only in WiFi	Activate synchronization only over Wifi connection
Start sync on app start	Activate synchronization on application start

Click „Save“ to release use of the container in the app.

SharePoint

EBF Files can be associated MS SharePoint pages. Accessing pages from SharePoint O365/2013/2016/2019 is supported.

After selecting a company organization and corresponding technical domain a container can be created:

First select container type „SharePoint“ and version:

SharePoint Office 365
SharePoint On-Premise

Next define the following:

Name of the container in the EBF Files app
Application ID from O365 for SharePoint Cloud: The Application ID is described on the following page:
Create an app with Microsoft Graph – OneDrive API – OneDrive dev center
Please make sure, the Application ID has the permissions required by EBF Files (see below).
In case of SharePoint on-premise enter the server URL in the corresponding field

Additional settings for the new Sharepoint container need to be provided:

Menu Option	Description
User Groups	User group for the container in the EBF Files app
Icons	Icon for container in EBF Files app
„+“-Symbol	Add an icon in .png format
Show hidden files	Display hidden files within container
Show system files	Display system files within container
Allow upload	Allow upload of local files located on the device within container
Allow edit	Allow processing of files from container within the EBF Files app
Allow delete	Allow deletion of files within container
Allow attach files to mails	Allow sending files as mail attachments
Allow open in other apps	Allow opening files in other applications
Allow synchronization	Allow automated synchronization of files
Start sync only in WiFi	Activate synchronization only over Wifi connection
Start sync on app start	Activate synchronization on application start

File Share

Click „Save“ to release the container for use in the app.

The container type „File Share“ provides corresponding file server directories as containers within the EBF Files app.

The following options are available:

Home Directories
Share

With „Home Directory“ the user’s home directories from Active Directory can be represented as containers within the EBF Files app, while the „Share“ container allows file server based folders to be exposed as containers.

Select a company organization and a corresponding technical domain:

The first step as an example is to select container type „File Share“:

Now choose between Share or Home Directory.

For „Home Directory” configure the following:

Menu Option	Description
Container Name	Name of the container within the app
SMB Protocol	SMB protocol (SMB v2 recommended)
LDAP Home Directory attribute	LDAP/AD attribute of home directory
Path to append to LDAP Home Directory	Path to append to users‘ home directory path found in LDAP attribute
Authentication Mechanism	Authentication method (NTLM or Kerberos)
Domain Name	Domain Name
Kerberos Realm	Kerberos REALM
Kerberos Key Distribution Center	Kerberos Key Distribution Center
LDAP attribute to use as username instead of login username	Alternative LDAP username attribute
Prepend Domain to LDAP attribute to use as username	Prepend Domain to LDAP attribute to use as username

If „Share“ is selected, the following configuration applies:

Menu Option	Description
Container Name	Name of the container within the app
SMB Protocol	SMB protocol (SMB v2 recommended)
File Server Host	LDAP/AD attribute of home directory
File Server Path	Path to the base directory
Authentication Mechanism	Authentication method (NTLM or Kerberos)
Domain Name	Domain Name
Kerberos Realm	Kerberos REALM
Kerberos Key Distribution Center	Kerberos Key Distribution Center
LDAP attribute to use as username instead of login username	Alternative LDAP username attribute
Prepend Domain to LDAP attribute to use as username	Prefix domain before LDAP UserName attribute
Use administrative credentials	Use of a technical user to access the files
Username	Technical username
Password	Technical user password
Allow user to create public shares	This activates a feature in the app, where a user can grant (limited) access to a file or a folder for a limited period to an external participant via web interface. An email is sent to this participant with a link to the content.
Username for public access	Provide a (technical) user name here that allows access to this share.
Password for public access	Provide a password for the (technical) user here that allows access to this share.

For the File Server Path variables from LDAP can also be used (example: /Files-Share$/{sAMAccountName}). The LDAP field name must be written in brackets and can be used in any place in the path. Currently supported fields are:

name
mail
DN
firstName
lastName
displayName
phone
UUID
uid
sAMAccountName
UserPrincipalName

You need to complete the connection settings:

Menu Option	Description
User Groups	User group for the container within EBF Files app
Icons	Icon of container in EBF Files app
„+“-Symbol	Add a custom icon in .png format
Show hidden files	Display hidden files within container
Show system files	Display system files within container
Allow upload	Allow upload of local files located on the device within container
Allow edit	Allow processing of files from the container within the EBF Files app
Allow delete	Allow deletion of files within container
Allow attach files to mails	Allow sending files as mail attachments
Allow open in other apps	Allow opening files in other applications
Allow synchronization	Allow automated synchronization of files
Start sync only in WiFi	Activate synchronization only over Wifi connection
Start sync on app start	Activate synchronization at application start

Click „Save“ to release the container for use in the app.

Integrating EBF Files with UEM Systems

Connect the EBF Files app to the EBF Files server either with:

Direct access to the EBF Files server, if necessary with VPN. A VPN needs to be set up separately according to UEM vendor recommendations.
Access via an UEM gateway to the EBF Files Server. This is only available for MobileIron.

UEM compliance mechanisms can be used to secure the data connections of a mobile device, along with dynamic app configuration (like AppConfig) for app roll out and configuration.

App Config Parameters

Use the following key-value pairs in AppConfig or managed App configuration:


password	$NULL$ Select to leave the password blank. The user must enter a password when starting the app
serverUrl	EBF Files Server URL
username	$EMAIL$ Select to pre-fill user’s email address within the LDAP/AD directory for the EBF Files app
serverlessConfig	Use this instead of serverUrl (in combination with username and password), if you want to run EBF Files in serverless mode. The content of this parameter is coded in a JSON structure. Find more details below.

Optional additional fields are available:


allowLibraryUpload	true / false Activate/Deactivate the photo library allowing only camera integrated in EBF Files app to be stored
allowOnlySaveAs	true / false Determine whether changes to files are allowed on shared containers. If not, the user is informed about this restriction before opening the file and must select a folder in his OneDrive Container when saving the file
logLevel	„All“ – log level in the app
allowAnalytics	true / false Enable/Disable transmission of error analytics
allowLoadContentFromCache	true / false Enabled: the content will be loaded initially from the local data then compared with the server data in case there are updates, then populated. Disabled: the content will be loaded from the server then populated.
allowCustomCert	true / false Enable custom certificates to access on premise servers.
defaultImportPath	string: “/temp“ Used to indicate default location for imported files in the local documents container.
encryptionPasswordPolicy	JSON structure: {„MaxLength“: 16, „MinLength“: 3, „Complexity“: 0 } By default EBF files does not force a policy for the encryption password. By using this parameter you can establish a policy. Character classes that can be used are “uppercase”, “lower case”, “numbers”, “special character” MaxLength: Maximum length of the password MinLength: Minimum Length of the password Complexity: 0 = no restriction 1 = 2 out of 4 character classes must be used 2 = 3 out of 4 character classes must be used 3 = 4 out of 4 character classes must be used

Files Serverless Mode

The app configuration can be manually created and delivered to Files app in a Json format via UEM system, Files will parse the Json in order to create the containers.

App Configuration details

Attribute name

Sub-attributes

Value

Description

AppSettings:

An object containing the general settings of app

LicenseKeys
1. Polaris:
2. More can be added
LocalDocument
Settings
1. Activate
2. AllowOpenIn
PrimaryColor

1. string: “40nlp-…-bgh3pl7utz“
Several settings for local document container
All boolean values
string (Hex format: „#2494C5“)

Contains license keys for SDKs to be able to function correctly, these identifiers will be verified upon SDK initialization in the app.
Indicate whether allowed or not to have a user private container within the containers list (documents only stored locally in device and security measures still apply to this container: encrypted data / data wiped when needed).
Additionally Open-In action can be de-/activate here.
Represent the main color of the app (Application Theme/Style)

FileSystems:

A collection of FileSystem

each of which contains the settings for a container that should be applied to.

ContainerId
ContainerName
ContainerType
SecurityClass
ApplicationId
AllowedActions:
1. ShowHiddenFiles
2. ShowSystemFiles
3. AllowCreate
4. AllowUpdate
5. AllowDelete
6. AllowOpenIn
7. AllowSharing
8. AllowSync:
  1. OnlyWifi
  2. OnAppStart

Long
string
Enumeration (string matching the listed container types below)
Integer
string
All are boolean values

The unique identifier of the container
A short words naming the container
Indicates the type of the container, check the full list of container types.
See Creation of Data Containers
Dedicated for Online cloud providers, configured via the provider cloud platform such as Azure portal -> app registration.
The actions that will be permitted for a container:
1. SMB related property (Not important here = false)
2. SMB related property (Not important here = false)
3. The user is allowed to create/import new items into the current location (current container).
4. The user is allowed to update documents in the current location.
5. The user is allowed to delete items from the current location.
6. The user is allowed to open documents of current location into an external application.
7. The user is allowed to share documents of current location with other users.
8. The user can put items(documents/folders) into Sync, to allow the app to synchronize the content periodically.
  1. Allow Sync only for Wifi, or mobile data also
  2. Should Synchronize items on every app start

Here is an example of a Serverless Json configuration:

{
    "AppSettings": {
        "LicenseKeys": {
            "Polaris": "98h678as-2h11-1111-111l-daa4c67dddk"
        },
        "LocalDocumentSettings ": {
          "Activate": true,
          "AllowOpenIn": true
        },
        "PrimaryColor": "#000000"
    },
    "FileSystems": [
        {
            "ContainerId": 1,
            "ContainerName": "OneDrive Online",
            "ContainerType": "OneDriveOnline",
            "SecurityClass": 3,
            "ApplicationId": "450fdsaa-9800-330e-1111-1poj1egct6qw",
            "AllowedActions": {
                "ShowHiddenFiles": true,
                "ShowSystemFiles": true,
                "AllowCreate": true,
                "AllowUpdate": true,
                "AllowDelete": true,
                "AllowOpenIn": true,
                "AllowSharing": true,
                "AllowSync": {
                    "OnlyWifi": false,
                    "OnAppStart": false
                }
            }
        },
        {
            "ContainerId": 2,
            "ContainerName": "Sharepoint Online",
            "ContainerType": "SharePointOnline",
            "SecurityClass": 3,
            "ApplicationId": "450fdsaa-9800-330e-1111-1poj1egct6qw",
            "AllowedActions": {
                "ShowHiddenFiles": true,
                "ShowSystemFiles": true,
                "AllowCreate": true,
                "AllowUpdate": true,
                "AllowDelete": true,
                "AllowOpenIn": true,
                "AllowSharing": true,
                "AllowSync": {
                    "OnlyWifi": false,
                    "OnAppStart": false
                }
            }
        },
        {
            "ContainerId": 3,
            "ContainerName": "OneDrive OnPrem",
            "ContainerType": "OneDriveOnPrem",
            "ConfigContainerUsername": "username@domain.de",
            "SecurityClass": 1,
            "OnPremLink": "https://server-url.de",
            "AllowedActions": {
                "ShowHiddenFiles": true,
                "ShowSystemFiles": true,
                "AllowCreate": true,
                "AllowUpdate": true,
                "AllowDelete": true,
                "AllowOpenIn": true,
                "AllowSharing": true,
                "AllowSync": {
                    "OnlyWifi": false,
                    "OnAppStart": false
                }
            }
        },
        {
            "ContainerId": 4,
            "ContainerName": "SharePoint OnPrem",
            "ContainerType": "SharePointOnPrem",
            "ConfigContainerUsername": "username@domain.de",
            "SecurityClass": 0,
            "OnPremLink": "https://server-url.de",
            "AllowedActions": {
                "ShowHiddenFiles": true,
                "ShowSystemFiles": true,
                "AllowCreate": true,
                "AllowUpdate": true,
                "AllowDelete": true,
                "AllowOpenIn": true,
                "AllowSharing": true
            }
        }
    ]
}

ContainerType enumeration list

Here is the list of all container types accepted by the client application while parsing the configuration:

OneDriveOnline, SharePointOnline, OneDriveOnPrem, SharePointOnPrem.

Direct Connection

To roll out the app:

Upload the app in the Enterprise App Catalog – Import from the Public Apple App Store (EBF Files)
Store the AppConfig configuration

Settings and the app must be assigned to users and devices of a specific label or group.

MobileIron Secure Sentry Connection

To roll out the app with a Sentry connection:

Upload the app in MobileIron Enterprise App catalog – import from the Public Apple App Store (EBF Files)
Customize the Sentry configuration creating an „any Sentry“ service if not already present:
Select or define the identity certificate (SCEP Setting) for connection to the Sentry
Store AppConnect configuration

Securing AppConnect apps within the AppConnect Policy: It may be necessary to include the app in the AppConnect Policy to enable collaboration with Email+ and other AppConnect enabled applications.

Settings and the app must be assigned to users and devices of a specific label or group.

Troubleshooting

EBF Files server creates and maintains logs, if activated in the configuration. An administrator with access to the machine can view the logs.
Application errors can be monitored generating device logs on the mobile device where the EBF Files app is running.

Gathering Files server log files

The logging detail level is stored in the fileserver.properties file:

logging.level.root=INFO

logging.level.de.ebf=DEBUG

logging.level.de.ebf.files.backend.LoggingFilter=DEBUG

logging.level.com.hierynomus.smbj=WARN

Levels are as follows:


ALL	All messages are displayed
TRACE	Detailed debugging
DEBUG	Debugging errors
INFO	General information including program start, end, connection, processing
WARN	Warnings
ERROR	Errors
FATAL	Critical errors
OFF	Disabled

The logs are available in the following machine folders, depending on the selected server installation variant:

Appliance ISO Installation: var/log/files-server
Docker based Installation: /usr/share/files/logs

Display log files (iOS) with macOS

Open the console on your macOS device.
Connect your device to the macOS device and reproduce the problem during the active log process.
Copy the logs into a text program and save them as a text file.

Display log files (iOS) with Windows

The tool „iOSLogInfo“ collects device logs of an iOS device over a Windows system.

Preconditions:

Apple Windows iTunes application
Access to Lightning USB interface of device

The tool is run from the command prompt on Windows computers to collect console logs.

Download the iOSLogInfo tool: From here
Use a compression app (e.g. Winzip) to extract the folder to any directory
Make sure the device is connected to the PC via Lightning cable
Click on “Start” and enter „CMD“. Right-click on the command prompt and select „Run as administrator“ as shown below
Navigate to iOSLogInfo (e.g. cd C:\iosloginfo) from the command prompt
The following command starts collection of iOS console logs:
sdsiosloginfo.exe -d > c:\iosloginfo\consolelogs.txt

Perform actions on the iOS device, return to the command prompt and type “CTRL + C” to stop console logging
A .txt file named „consolelogs.txt“ has been created in the iOSLogInfo folder:

Note that iOSLogInfo provides many other features in addition to capturing iOS console logs.

A selection of additional commands:

Read console logs:

sdsiosloginfo.exe -d > C:\iOSLogInfo\consolelogs.log

Read crash logs:

sdsioscrashlog.exe -e -k C:\iOSLogInfo\crash_logs

Read memory allocation on the device:

sdsdeviceinfo.exe -q com.apple.disk_usage -x > C:\iOSLogInfo\iOS_Disk_Usage.xml

Read out device statistics:

sdsdeviceinfo.exe -x > C:\iOSLogInfo\iOS_Device_Stats.xml

Read iTunes logs:

sdsioscrashlog.exe -e -k C:\iOSLogInfo

Limitations

Restrictions for folders and files (SMB)

EBF Files server limitations primarily apply to the handling of directories and files within the server and corresponding application. For example, Microsoft Windows file restrictions apply to file operations within the application which are manifested in any respective containers.

Directory and file names are not case sensitive
Directory and file component names must not be longer than 255 characters
Directory names cannot end with slash (/). If specified, it will be removed automatically
File names cannot end with slash (/)
Reserved URL characters must be encoded
The following characters are not allowed: “ \ / : | < > * ?
Invalid URL path characters are not allowed. Codes like \uE000 are valid in NTFS filenames, but not other Unicode characters. For example control characters (0x00 to 0x1F, \u0081, etc.) are not allowed. For the rules for Unicode strings in HTTP/1.1, see RFC 2616, Section 2.2: Basic Rules and RFC 3987
The following file names referencing ports and destinations are not allowed: LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, PRN, AUX, NUL, CON, CLOCK$, dot (.), two dots (..)

Restrictions for working with files on Sharepoint

For EBF Files accessing Sharepoint files it is necessary, that library settings for each site are set to not require a checkout before editing.
This settings can be found in the site’s document library settings in the versioning page as shown below:

Supported file extensions

Files app supports a limited extension types (mime types) which are:

MsWord (.doc,…)
MsExcel (.xls, …)
MsPowerPoint (.ppt,…)
Pdf (.pdf)
Audio (wide range of audio file extensions): Compatibility depends on the supported codecs of the OS.
Image (wide range of image file extensions): Compatibility depends on the supported codecs of the OS.
Text (.txt)
Video (MOV, MP4): Compatibility depends on the supported codecs of the OS.

Was this article useful?

Still stuck? How can we help?

Updated on 19. Januar 2023

EBF product documentation

Find help using and administering EBF applications