PAM360 Mobile Application - Android

PAM360's Android mobile application makes the product's robust and efficient features more accessible by helping you manage and control your enterprise's privileged accounts and passwords through your mobile device. The Android application encrypts and stores all your data using AES-256 encryption; therefore, accessing your enterprise accounts through your Android device is as secure as accessing PAM360's desktop installation.
Furthermore, all communication between your PAM360 server and the Android application happens over an encrypted channel, secured using the HTTPS protocol over SSL.

Note: The PAM360 Android application requires a valid working instance of the ManageEngine PAM360 web application.

At the end of this document, you will have learned the following:

1. Significant Features
2. How does Secure Authentication Work in the PAM360 Mobile Application?
3. Getting Started with the Application

   3.1 Application Overview

   3.2 Installation and Authentication

4. PAM360 Android Application - Navigation Menu

   4.1 Enterprise Filters

   4.2 Password Access Requests

   4.3 Advanced Search

   4.4 Resource Groups

   4.5 SSH Keys

   4.6 Certificates

   4.7 CSR

   4.8 Personal

   4.9 Settings

5. Setting Up Secure Offline Mode
6. Uninstalling the Mobile Application

1. Significant Features

PAM360's Android application comes with a comprehensive set of features that can help you seamlessly take control of your privileged accounts, even when you are away from the desktop installation.

• View and manage all passwords that are owned or managed by you.
• Approve/reject password requests and monitor who checks out passwords directly from the PAM360 Android application. Also, send password requests, and perform password check in and check out through the mobile application.
• Incorporate ticket ID validation through PAM360's ticketing system integration to secure your access approval workflow even further.
• View and manage your SSH keys and SSL certificate details at any time.
• Store and manage your critical personal information such as credit card numbers for on-the-go access. PAM360's Android application encrypts your personal data using the advanced AES-256 encryption algorithm.
• Save important passwords offline to access them even when you do not have access to the Internet.

2. How does Secure Authentication work in the PAM360 Mobile Application?

The application offers Two-Factor Authentication for enhanced security. Once enabled, users have to authenticate themselves through two successive stages to access the mobile interface. There are three ways of doing the first level of authentication: PAM360's native authentication using Active Directory/LDAP/Microsoft Entra ID credentials, or via SAML SSO. The second level of authentication can be done through any of the Two-Factor Authentication provisions supported by PAM360. After the Two-Factor Authentication is complete, PAM360 prompts you to set up a passphrase for your account, with a minimum of 8 characters, used for mobile authentication. All your offline data is encrypted using the advanced AES-256 encryption algorithm. Please note that the application does not store your passphrase, and it is mandatory to enter the passphrase during login.

Administrators can selectively allow or restrict mobile application access to users. Navigate to Admin >> Users >> More Actions and click the Restrict Mobile Access option. The users with the restriction cannot log in to their PAM360 accounts through the Android application.

Similarly, administrators can allow users to cache passwords in their mobile devices. Go to Admin >> General Settings >> User Management and select Allow password caching for offline access via mobile. Leave this option unchecked to restrict users from accessing passwords offline.

3. Getting Started with the Application

3.1 Application Overview

Supported Devices	All Android devices
Compatibility	Requires Android version 5.0 and above
Size	5.3 Mb (approx)
Languages Supported	English, French, German, Hebrew, Japanese, Polish, Simplified Chinese, Spanish, Traditional Chinese, Turkish, Portuguese, Italian, Russian, and Dutch. Note: Please select your desired language on the PAM360 desktop installation and the mobile device.

3.2 Installation and Authentication

Follow the below steps to download and install the PAM360 mobile application:

1. Go to the Play Store and search for ManageEngine PAM360 or click this direct link.
2. Click Install to install the application on your device.
3. After successful installation, enter the following details to get started with the mobile application:
   1. Enter the Server Name or IP address in which PAM360 is running, along with the Port. If your PAM360 server is installed in a physical network, ensure that the PAM360 server and the mobile application are connected to the same network. However, if your PAM360 server is hosted in the cloud, your mobile application will work from a different network as well.
   
   2. To login, enter the username & password of your PAM360 account. The Android application supports three ways of authentication; login through PAM360's native authentication, through Active Directory/LDAP/Microsoft Entra ID authentication, and via SAML SSO. To login using Active Directory/LDAP credentials, select your domain name from the drop-down list. If SAML single sign on is enabled in your PAM360 server, a browser window opens within the application.
   
   3. Here, enter your SAML SSO credentials to login. To skip the SAML SSO login, close the browser window and you will be redirected to the application's login page.
   4. Set up a passphrase for your account.

   Notes:

   1. Please note that the application does not store your passphrase, and it is mandatory to enter the passphrase during login, each time you access the mobile application. You have a total of five attempts to enter the correct passphrase, after which you will be logged out of the application automatically. If you have enabled Swift Login options, you can use the Forgot Passphrase option in this page to login using that instead.
   2. If you are using the application in online mode and fail to provide the correct passphrase during the allowed attempts, the application will log you out and you have to log in again and set up a new passphrase to access the mobile application again.
   3. In case you fail to enter the correct passphrase while using offline mode, you cannot access the application until you log in through the online mode and change the passphrase again.
   4. Please note that every time you set up a new passphrase, all the offline password cache you have saved and settings you have customized will be deleted from your device.

4. PAM360 Android Application - Navigation Menu

Once you have signed into your PAM360 account through the Android application, you will see the Navigation Menu on the main screen with the following options that will help you navigate the Android application efficiently:

1. Enterprise Filters
2. Password Access Requests
3. Advanced Search
4. Resource Groups
5. SSH Keys
6. Certificates
7. CSR
8. Personal
9. Settings

i. Choosing Client Organization as an MSP User

If you are an MSP user, PAM360's Android application allows you to manage the administrative passwords of all your clients separately from a single management console. The application neatly segregates client organizations into different sections, which you can tap to view all the passwords belonging to that particular organization. As MSP admin, even though you can view the names of the organizations you manage, you will be able to view the data on all your customers only if you add their resources or if they share their resources with you. Your clients will be able to view the data belonging to their organization only.

As an MSP user, you can choose a client organization and view all the resources under it. To do so:

1. Tap the hamburger icon to open the Navigation Menu. Here, tap on the organization name to display all the available client organizations.
2. Tap the client organization name to display all the resources specific to the selected organization. Please note that the mobile interface will display only the resources specific to the selected organization.

4.1 Enterprise Filters

By default, the application displays a list of all the resources on the main screen. From here, tap on any resource to view the accounts associated with it. Tap the hamburger icon at the bottom left corner to open the Navigation Menu. In this menu, tap the Enterprise option to open the All My Passwords page. To view the Enterprise Filters, tap the downward arrow beside All My Passwords. The Enterprise Filters list displays a list of resources owned or managed by you, categorized as below:

1. All My Passwords
2. Favorites
3. Recently Accessed
4. SSH Passwords
5. Windows RDP Passwords

Each menu has a dedicated Search icon that allows you to locate accounts within the menu. The application loads the list of accounts as and when you scroll through the list. When you search for an account using a keyword, the application searches for the keyword only in the already loaded list; to search through all available accounts, scroll to the end of the list to load all accounts.

i. All My Passwords

This category lists all resources and accounts that are owned and managed by you. Tap on any resource/account name to view the resource/account details such as resource owner, resource URL, DNS name, resource type, passwords, resource name, account notes, and last accessed time. To view the password of a particular account, tap on the eye icon beside the password. Tap the Search icon to search for any account within the selected resource, using a search keyword.

ii. Favorites

This option is to have quick access to the list of passwords that you marked as Favorites. To mark any password as your favorite, tap the star icon beside the required password in any category. Marking passwords as Favorites helps you locate a particular account and its password easily, without the need to scroll through the entire list every time. Tap the Search icon to search for any account within the selected resource, using a search keyword.

iii. Recently Accessed

This menu helps you view only the list of resources and passwords that you have recently viewed or used. From the list, you can tap on any resource to view its accounts and their corresponding details. Tap the Search icon to search for any account within the selected resource, using a search keyword.

iv. SSH Passwords

This option gives you a consolidated view of all the resources that you can access through an SSH connection. Tap on any resource on this list to view its user accounts. Tap on any account to view the account details, such as the masked password, last modified time, last accessed time, and password expiry date. Tap the Search icon to search for any account within the selected resource, using a search keyword.

v. Windows RDP Passwords

If your network contains a list of resources of various OS types, the Windows RDP Passwords option will help you to view only the list of Windows resources and their corresponding accounts. Tap on any resource/account name to view the resource/account details such as resource owner, resource URL, DNS name, resource type, passwords, resource name, account notes, and last accessed time. To view the password of a particular account, tap on the eye icon beside the password.

Note: It is possible to take RDP connections in Android app from build 5530 and above.

4.2 Password Access Requests

PAM360 provides an access control mechanism that allows administrators to grant password access to users for a specific period. Admins can start granting exclusive privileges once a password is ready to share, and only one user is allowed to use a particular password at a single point in time. Through PAM360's Android application, administrators can view the list of pending password access requests from other users and act upon them.

As an administrator, the Password Access Requests tab offers two sections:

1. Pending - to view the list of password access requests.
2. Check-In - to view the passwords that are currently in use and yet to be checked in.

To send a password access request, tap an account, and tap the Request option in the account details section. Once your request has gone through, the status will change to Waiting for Approval. Once an admin has approved your password request, you will be notified of the same, and the password will be available for Check Out. Once you check out the password for use, the status changes to In Use. Other users can see this status change in both the Check-In tab and the Account Details section of the particular account. To give up access to the password, tap the Check-In option. Now, the password is checked back into the PAM360 vault.

Once you check in the password and give up your access, you must go through the request-release workflow once again, if you should need access to it again. PAM360's Android application also supports ticketing desk integration. Through the integration, PAM360 will prompt users to provide a ticket ID along with their request. Then, PAM360 will validate whether the ticket ID entered by the user exists in the ticketing system or not and only then grant access to the user to view the password.

4.3 Advanced Search

Advanced Search in PAM360's Android application is a handy feature that can help you find any particular user or resource instantly. Tap Advanced Search from the navigation menu to either enter a keyword like Name, Department, Location, or use one of the many search filters available to tailor your search better. The available search filters are Resource Name, DNS Name, User Account, Resource Type, Resource Description, Department, Location, Domain Name, and Resource URL. In addition to these default fields, if you have created any additional fields in PAM360's desktop installation, those custom column names will also appear as filters in Advanced Search.

4.4 Resource Groups

Administrators can create resource groups to combine similar resources for easier management. The grouping can be done either by specifying individual resources (Static group) or by specifying a set of criteria (Dynamic group). In the case of a dynamic or a criteria-based group, whenever a newly added resource matches the criteria of an existing group, PAM360 automatically adds the resource to this group. You can share the resource groups with other users or user groups. Users to whom the groups are shared can see the passwords of only the resources that are part of the shared group at that time.

Tap the Resource Groups option from the navigation menu to view all the resource groups that are owned or managed by you. If a resource group has a subgroup, it will be indicated by a right arrow icon; to view the subgroups, simply tap the arrow icon. If you wish to view the resources within a resource group, tap the name of the required resource group. Similarly, tap a resource name within the resource group to view the accounts that belong to the selected resource, and the account name to view the account details.

4.5 SSH Keys

Tap the SSH Keys option from the navigation menu to view all the SSH keys that you are managing in the PAM360 repository. Tap any SSH key to view key details such as Key Type, Key Length, the key's Fingerprint, Username of the user who created the key, and Age of the key.

4.6 Certificates

Tap the Certificates option from the navigation menu to view all the SSL certificates that you are managing in the PAM360 repository. Tap any SSL certificate from the list to view the following certificate details: IP Address, Port, Validity period, SAN, Issuer, Signature Algorithm, Finger Print, Serial Number, Key Algorithm, Key Size.

To create SSL certificates manually,

1. Tap Certificates from the navigation menu and select Create.
2. Specify the required details such as Common Name, SAN, Organization Unit, Organization, Location, State, and Country.
3. Select the Key Algorithm, Key Size, Signature Algorithm, and KeyStore type from the respective dropdowns.
4. Choose a Validity Type (Days, Hours, or Minutes) and mention the Validity.
5. Type the Store Password or tap the Generate Password icon to generate a key store password.
6. Enter the Expiry Notification Email address and tap the Tick button.

Your SSL certificate will be added to the list. You can view it anytime from the certificates list.

4.7 CSR

PAM360 mobile application allows you to view the Certificate Signing Requests (CSR) created in the web interface. Tap the CSR button from the navigation menu to view the CSR list. You can also create CSR in the mobile application by following the steps given below.

1. Tap CSR from the navigation menu and select Create.
2. Specify the required details such as Common Name, SAN, Organization Unit, Organization, Location, State, and Country.
3. Select the Key Algorithm, Key Size, Signature Algorithm, and KeyStore type.
4. Choose a Validity Type (Days, Hours, or Minutes) and mention the Validity.
5. Type the Store Password or tap the Generate Password icon to generate a key store password.
6. Enter the Expiry Notification Email address and tap the Tick button.

Your CSR will be added to the list. You can view it anytime from the CSR list.

4.8 Personal

Apart from storing enterprise passwords, PAM360's Android application allows you to store personal passwords in the PAM360 repository. The application provides four default categories: Web Accounts, Banking, Credit Cards, and Contacts. Among these categories, you can save your utmost personal data such as your personal email account information, credit card numbers, and other banking data, contact addresses, and phone numbers.

In addition to the default categories, add any number of additional custom fields to your Personal tab from the desktop application to store other information. For instance, if you wish to store details about the properties that you own, then add a custom category named Properties.

The application stores your personal data in a private repository that only you can access through the Personal tab. All information stored here is encrypted independently and hidden from all other users, including the administrator. While adding account details to the Personal tab, there is an option to add Tags. Under this attribute, add keywords that can be used to search for the account under a particular category. Tap the Search icon and enter a keyword that was previously added as a tag to locate the account you are looking for.

Note: To utilize the Personal tab on the PAM360 mobile application for managing personal information, the 'Allow users to manage their personal passwords' option should be enabled in the PAM360 web application.

4.8.1 Setting up a Personal Passphrase

To use the Personal tab in the application, you must set up a valid passphrase in PAM360's desktop installation and activate your Personal repository; do ensure the passphrase you provide matches the complexity rules enforced by your organization, if any. Once you set up your passphrase, you must enter it every time you need access to your personal passwords. Tap the refresh icon available at the top in case there is a change in the status of the personal passphrase. For example, if you try to login to your personal repository before setting up a passphrase, the application will not let you in. Once you create a passphrase in the desktop application, you can hit refresh in this page and login with your newly created passphrase right away, without moving out of the Personal tab.

Note: Please note that if you forget or misplace the passphrase used for your Personal repository, you cannot reset the passphrase or retrieve your personal data without it.

Alternatively, PAM360's Android application provides a Swift Login option that will allow you to quickly access Personal passwords instead of entering the passphrase every time. You can set up three different authentication methods for Swift Login: Fingerprint, Pin, or via Credentials. Click here to learn how to set up Swift Login in the Android application.

4.8.2 Exiting the Personal Tab

To exit the Personal tab, tap the lock icon at the top right corner. You will return to the All My Passwords section and the Personal tab will be locked. To enter the Personal tab again, you must supply the passphrase again.

4.9 Settings

The Settings menu offers a comprehensive collection of options that are split categorically for ease of use. Use this menu to customize various security options, view login details, privacy policy of the Android application, and more.

4.9.1 Login

The Login section displays the Username and Server address to which PAM360 is currently connected. If the High Availability feature is turned on in your environment, then the Android application will also display the secondary server details on the Settings page. If the primary server is down, you can connect it to the secondary server for uninterrupted service.

4.9.2 Smart Login

The Smart Login feature enables seamless access to the PAM360 web interface by simply scanning the QR code presented on the PAM360 webpage. This direct login approach streamlines the process, providing password less authentication and substantially minimizing the effort required for web login, all while maintaining robust security measures.

1. Head to the PAM360 login webpage and select the Smart Login option.
   
2. Using the QR scanner available in the Smart Login section, scan the QR code displayed on the PAM360 web interface.
   
3. By doing so, you will be logged in to your PAM360 account.

Note: You can also use the Smart Login feature as a widget by adding to the widget section or a shortcut by holding on to the PAM360 application.

4.9.3 Security

The Security section has the following options:

i. Swift Login
You can set up three different authentication methods for Swift Login: Fingerprint, Pin, or via Credentials. Use this option to log in quickly to the Android application using the local authentication on your phone.

ii. Swift Login - Personal

Tap this option to set up Swift Login for your personal passwords saved in the application.

Note: To allow login Fingerprint in the mobile application, go to Admin >> General Settings >> User Management and enable the Enable logins to mobile apps with fingerprint authentication option.

iii. Keep the session alive for
Set the duration for how long the application should remain logged in to your account when the application goes into the background. You can choose any one duration ranging from 1 to 8 hours. This option is helpful when you want to switch between PAM360 and other apps multiple times within a short span of time. Alternatively, tap Never to log out as soon as the application goes into the background.

iv. Skip passphrase for
If you leave the application, however briefly, without logging out, it will prompt you to enter your passphrase again to get back in. Set a duration for the application to not prompt for the passphrase while running in the background. You can choose any one duration ranging from 30 to 120 seconds. Alternatively, tap Never to always prompt for a passphrase during login.

v. Clear Clipboard
PAM360's Android application can preserve any data you copy from within the application for a specified duration. To copy any password, tap the copy icon that is present beside the password. Tap the Clear Clipboard option to set a duration to preserve content you have copied to the clipboard. You can choose any one duration ranging from 30 to 120 seconds. Alternatively, tap Never to never save any copied content in the clipboard.

vi. Clear Offline Cache
Tap this option to clear all offline cache. This action will delete all your enterprise passwords that are saved offline.

vii. Clear Personal Offline Cache
Tap this option to clear all personal offline cache. This action will delete all your personal passwords that are saved offline.

viii. Reset Passphrase
Tap this option to reset your passphrase for mobile authentication. Please note that resetting the passphrase will erase all the cached data from this device. This includes both enterprise and personal offline data unless you have set a different passphrase for your personal data. In that case, only the enterprise offline data will be erased.

ix. Allow Screenshots
Using the toggle button, you choose to allow or disallow screenshots within the application.

4.9.4 Privacy

Apart from the above options, you can choose to share Usage Statistics or Crash Reports to ManageEngine by using toggle buttons under Privacy.

Usage statistics data gives an insight into usability data such as what features of the application you use more, how frequently, etc. This type of data is used as research to learn user behavior, gather pain points, if any, and enhance the application's performance and user experience based on the data.

Crash reports are detailed system logs that capture the state of the application when the crash happens. Collecting and analyzing this data will help us learn what caused the application to crash and rectify it in the next version.

4.9.5 Themes

To change the Android application's theme, tap the drop-down under Themes >> UI Mode. Here, you can choose Light/Dark mode or choose to use the Battery Saver Mode.

5. Setting up Secure Offline Mode

PAM360's Android application offers a secure offline mode that allows you to access passwords even when you do not have access to the internet.

To access passwords in the offline mode, download the required passwords first; only the passwords which are downloaded before going offline would be available for access in the offline mode. Apart from downloading individual passwords, the application allows you to download a group of passwords from the Enterprise Filters, such as the Favorites, Recently Accessed, Windows RDP Passwords, and SSH Passwords. Additionally, you can download resource groups and personal passwords. To download passwords for offline access, go to the Enterprise Filters, and click the downward arrow beside the required list of passwords.

Note: Secure Offline Mode will work only if the Allow password caching for offline access via mobile option is enabled in General Settings.

6. Uninstalling the Mobile Application

To uninstall the mobile application, follow the below steps:

1. Locate the ManageEngine PAM360 application on your device, long press the icon, and click Uninstall.
2. Tap OK in the confirmation pop-up.

Now, the PAM360 mobile application is successfully uninstalled. Once you uninstall the application, all PAM360-related data is removed from the device.