Deploying Veeva CRM on iOS with OAuth 2.0 Support (MDM/MAM)

  • iPad
  • iPhone

Veeva CRM with OAuth 2.0 support can be deployed using a mobile device management (MDM) or mobile application management (MAM) solution. Admins can use any mobile management solution that is a member of the AppConfig community, or Microsoft InTune. Using a mobile management solution allows customers to control the deployment of the Veeva CRM app on managed iOS devices.

Customers without MDM can allow users to sign in with OAuth using the Use Custom Domain link. See Signing In with MFA and Custom Domain for more information.

For example, an admin enables OAuth 2.0 and uses an MDM to update the Veeva CRM app for all users. Sarah Jones can now enable OAuth 2.0 on her device and sign into the app using her IDP credentials.

Configuration

Prerequisites

Enabling OAuth 2.0 Authentication for Veeva CRM Online

Enable OAuth 2.0 for Veeva CRM on iOS

To enable OAuth 2.0 for offline users on iOS devices, connect the device to Salesforce OAuth:

  1. Navigate to Create > Apps.
  2. Create a Connected App and enter the following values (Field: Value):

     Connected App Name: Veeva CRM
     API Name: Veeva_CRM
     Contact Email: Customer's email address
     Enable OAuth Settings: Selected
     Callback URL: veeva://OAuth2
     Selected OAuth Scopes:
       • Access and manage your data (api)
       • Access custom permissions (custom_permissions)
       • Access your basic information (id, profile, email, address, phone)
       • Allow access to your unique identifier (openid)
       • Full access (full)
       • Perform requests on your behalf at any time (refresh_token, offline_access)
       • Provide access to custom applications (visualforce)
       • Provide access to your data via the Web (web)
     App Platform: iOS
     Restrict to Device type: Tablet
     App Version: 1.0
     App Binary URL: veeva://OAuth2
  3. Select Save.

Configuring Mobile Management for OAuth 2.0

Admins must upload a configuration file containing the OAuth 2.0 configuration details to the MDM/MAM. In the configuration file, an admin can configure OAuth 2.0 for up to four orgs: one production org and up to three sandbox orgs. The format of the configuration file varies by MDM/MAM.

  1. Create a configuration file with the following parameters and values (Parameter: Description / Required):

     OAUTH2_ACCOUNT_TYPE: Salesforce
     OAUTH2_SCOPE: openid refresh_token api web full profile
     OAUTH2_REDIRECT_URL: veeva://OAuth2
     OAUTH2_AUTH_URL: https://mydomain.my.salesforce.com/services/oauth2/authorize *
     OAUTH2_TOKEN_URL: https://mydomain.my.salesforce.com/services/oauth2/token *
     OAUTH2_REVOKE_URL: https://mydomain.my.salesforce.com/services/oauth2/revoke *
     OAUTH2_CLIENT_ID: The Consumer Key from the Connected App
     OAUTH2_CLIENT_SECRET: The Consumer Secret from the Connected App

     * Replace mydomain with the configured My Domain. See Enabling OAuth 2.0 Authentication for more information.

     Each parameter must be prefixed with the appropriate org type (PRODUCTION, SANDBOX1, SANDBOX2, SANDBOX3), for example, PRODUCTION_OAUTH2_ACCOUNT_TYPE or SANDBOX2_OAUTH2_TOKEN_URL.

     AppConfig MDMs and Microsoft InTune require different formats in the configuration file. The format of the configuration file for different AppConfig MDMs can also vary. To view a full XML example, download the AirWatch XML file or the Microsoft InTune XML file.

  2. Upload the configuration file to the MDM/MAM.
  3. Deploy the Veeva CRM app.
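As an added example (not Veeva's or any MDM vendor's own tooling), the following Python builds the prefixed key set from the parameter table above for one or more orgs and checks a configuration before it is uploaded: every prefixed key is present, the redirect URL and scopes match the table, and the three endpoint URLs use https on a real My Domain with the placeholder mydomain replaced. The XML plist dictionary produced by to_plist is an assumption about the managed app configuration shape an AppConfig MDM accepts, and the My Domain, Consumer Key and Consumer Secret values in the usage are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Org prefixes the page allows: one production org plus up to three sandboxes.
ORG_PREFIXES = ("PRODUCTION", "SANDBOX1", "SANDBOX2", "SANDBOX3")
ENDPOINTS = {"AUTH_URL": "/services/oauth2/authorize",
             "TOKEN_URL": "/services/oauth2/token",
             "REVOKE_URL": "/services/oauth2/revoke"}
SCOPE = "openid refresh_token api web full profile"
REDIRECT_URL = "veeva://OAuth2"
SUFFIXES = ("ACCOUNT_TYPE", "SCOPE", "REDIRECT_URL", "AUTH_URL", "TOKEN_URL",
            "REVOKE_URL", "CLIENT_ID", "CLIENT_SECRET")


def org_keys(prefix, my_domain, client_id, client_secret):
    """Build the prefixed key/value set for one org, e.g. PRODUCTION_OAUTH2_TOKEN_URL."""
    base = f"https://{my_domain}.my.salesforce.com"
    keys = {f"{prefix}_OAUTH2_ACCOUNT_TYPE": "Salesforce",
            f"{prefix}_OAUTH2_SCOPE": SCOPE,
            f"{prefix}_OAUTH2_REDIRECT_URL": REDIRECT_URL,
            f"{prefix}_OAUTH2_CLIENT_ID": client_id,
            f"{prefix}_OAUTH2_CLIENT_SECRET": client_secret}
    for suffix, path in ENDPOINTS.items():
        keys[f"{prefix}_OAUTH2_{suffix}"] = base + path
    return keys


def check_config(cfg):
    """Return a list of problems found in a flat key/value config; [] means it passes."""
    problems = []
    if "PRODUCTION_OAUTH2_ACCOUNT_TYPE" not in cfg:
        problems.append("no PRODUCTION org configured")
    for prefix in ORG_PREFIXES:
        present = {k for k in cfg if k.startswith(f"{prefix}_OAUTH2_")}
        if not present:
            continue  # this org slot is unused
        for s in SUFFIXES:
            if f"{prefix}_OAUTH2_{s}" not in present:
                problems.append(f"{prefix}_OAUTH2_{s} missing")
        if cfg.get(f"{prefix}_OAUTH2_REDIRECT_URL") != REDIRECT_URL:
            problems.append(f"{prefix}_OAUTH2_REDIRECT_URL must be {REDIRECT_URL}")
        if set(SCOPE.split()) - set(cfg.get(f"{prefix}_OAUTH2_SCOPE", "").split()):
            problems.append(f"{prefix}_OAUTH2_SCOPE lacks required scopes")
        for suffix, path in ENDPOINTS.items():
            url = urlparse(cfg.get(f"{prefix}_OAUTH2_{suffix}", ""))
            # Must be https, on a real My Domain (placeholder mydomain replaced), at the right endpoint.
            if (url.scheme != "https" or not url.netloc.endswith(".my.salesforce.com")
                    or url.netloc.startswith("mydomain.") or url.path != path):
                problems.append(f"{prefix}_OAUTH2_{suffix} is not a valid {path} URL")
    return problems


def to_plist(cfg):
    """Serialise as an XML plist dict (assumed AppConfig managed app configuration shape)."""
    return plistlib.dumps(cfg).decode()
```

Usage: merge org_keys("PRODUCTION", ...) with up to three org_keys("SANDBOXn", ...) dictionaries, run check_config on the result, and only pass it to to_plist when the problem list is empty.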

Customers can configure and deploy Delegated Authentication for Veeva CRM via MDM. However, the configuration for delegated authentication and OAuth 2.0 cannot be combined into one configuration file. Admins should create separate configuration files for delegated authentication and OAuth 2.0, and assign them accordingly to user groups in the MDM.

Using OAuth 2.0

The Enable OAuth2 Authentication toggle in the Settings app is automatically enabled when OAuth 2.0 is correctly configured and deployed through MDM.

When users sign into the Veeva CRM app for the first time, the IDP’s sign-in screen displays. Sign in with the credentials for the IDP, not Veeva CRM credentials.

The OAuth session continues until the user signs out or the session expires.

Devices must be connected to the internet for users to sign in with OAuth. If the device is not connected, an error message displays and the user can refresh the sign-in screen after reconnecting to the internet.

Managing OAuth Orgs

To sign into the appropriate OAuth org:

  1. Navigate to the Settings for the device.
  2. Select the Veeva CRM app.
  3. Select OAuth2 Authentication.
  4. Select OAuth2 Orgs.
  5. Select the appropriate org.

Users can switch orgs while OAuth is enabled. Users should sync any pending changes and sign out of Veeva CRM before selecting a different org from the device settings.