Deploying Veeva CRM on iOS with OAuth 2.0 Support (MDM/MAM)
Veeva CRM with OAuth 2.0 support can be deployed using a mobile device management (MDM) or mobile application management (MAM) solution. Admins can use any mobile management solution that is a member of the AppConfig community, or Microsoft Intune. Using a mobile management solution allows customers to control the deployment of the Veeva CRM app on managed iOS devices.
Customers without MDM can allow users to sign in with OAuth using the Use Custom Domain link. See Signing In with MFA and Custom Domain for more information.
For example, an admin enables OAuth 2.0 and uses an MDM to update the Veeva CRM app for all users. Sarah Jones can now enable OAuth 2.0 on her device and sign into the app using her IDP credentials.
Enabling OAuth 2.0 Authentication for Veeva CRM Online
Enable OAuth 2.0 for Veeva CRM on iOS
To enable OAuth 2.0 for offline users on iOS devices, create the Salesforce Connected App that the device uses for OAuth:
- Navigate to Create > Apps.
- Create a Connected App. Enter the following:

| Field | Value |
|---|---|
| Connected App Name | Veeva CRM |
| Contact Email | Customer's email address |
| Enable OAuth Settings | Selected |
| Selected OAuth Scopes | Access and manage your data (api); Access custom permissions (custom_permissions); Access your basic information (id, profile, email, address, phone); Allow access to your unique identifier (openid); Full access (full); Perform requests on your behalf at any time (refresh_token, offline_access); Provide access to custom applications (visualforce); Provide access to your data via the Web (web) |
| Restrict to Device type | Tablet |
| App Binary URL | veeva://OAuth2 |

- Select Save.
Configuring Mobile Management for OAuth 2.0
Admins must upload a configuration file containing the OAuth 2.0 configuration details to the MDM/MAM. In the configuration file, an admin can configure OAuth 2.0 for up to four orgs: one production org and up to three sandbox orgs. The format of the configuration file varies by MDM/MAM.
- Create a configuration file with the following parameters and values:

| Parameter | Value |
|---|---|
| OAUTH2_SCOPE | openid refresh_token api web full profile |
| OAUTH2_CLIENT_ID | The Consumer Key from the Connected App |
| OAUTH2_CLIENT_SECRET | The Consumer Secret from the Connected App |

* Replace mydomain with the configured My Domain. See Enabling OAuth 2.0 Authentication for more information.

- Upload the configuration file to the MDM/MAM.
- Deploy the Veeva CRM app.

Each parameter must be prefixed with the appropriate org type (PRODUCTION, SANDBOX1, SANDBOX2, SANDBOX3), for example, PRODUCTION_OAUTH2_ACCOUNT_TYPE or SANDBOX2_OAUTH2_TOKEN_URL.
AppConfig MDMs and Microsoft Intune require different configuration file formats, and the format can also vary between AppConfig MDMs. To view a full XML example, download the AirWatch XML file or the Microsoft Intune XML file.
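Before the configuration file is uploaded, a pre-flight check of its key/value pairs catches the mistakes this section warns about: a key without one of the four org prefixes, the mydomain placeholder left in a token URL, an incomplete scope string, or a missing Consumer Secret. The following Python lint is an added example, not Veeva or Salesforce code; it assumes the OAUTH2_ACCOUNT_TYPE and OAUTH2_TOKEN_URL parameters named above, and every sample value (domains, keys, the token URL path, the account-type strings) is a constructed placeholder.

```python
# Org prefixes and OAUTH2_* parameter names come from the page; the sample values and
# the URL / ACCOUNT_TYPE value formats below are assumptions made for illustration.
ORG_PREFIXES = ("PRODUCTION", "SANDBOX1", "SANDBOX2", "SANDBOX3")
REQUIRED_PARAMS = ("OAUTH2_ACCOUNT_TYPE", "OAUTH2_TOKEN_URL", "OAUTH2_SCOPE", "OAUTH2_CLIENT_ID", "OAUTH2_CLIENT_SECRET")
DOCUMENTED_SCOPES = {"openid", "refresh_token", "api", "web", "full", "profile"}

def lint_config(config):
    """Return findings for an MDM key/value config; an empty list means it passes."""
    findings, per_org = [], {}
    for key, value in config.items():
        org, _, param = key.partition("_")
        if org not in ORG_PREFIXES or not param.startswith("OAUTH2_"):
            findings.append(f"{key}: key must be <org prefix>_OAUTH2_<parameter>")
            continue
        per_org.setdefault(org, {})[param] = value
    if "PRODUCTION" not in per_org:
        findings.append("no PRODUCTION org configured")
    for org, params in per_org.items():
        for p in REQUIRED_PARAMS:  # every configured org needs the full set
            if not params.get(p):
                findings.append(f"{org}: missing or empty {p}")
        missing = DOCUMENTED_SCOPES - set(params.get("OAUTH2_SCOPE", "").split())
        if missing:
            findings.append(f"{org}: OAUTH2_SCOPE lacks {sorted(missing)}")
        url = params.get("OAUTH2_TOKEN_URL", "")
        if url and ("mydomain" in url or not url.startswith("https://")):
            findings.append(f"{org}: OAUTH2_TOKEN_URL must be https and use the real My Domain")
    return findings

def org_entries(prefix, token_url, scope, client_id, secret):
    """Prefixed entries for one org; the values passed in are constructed placeholders."""
    return {f"{prefix}_OAUTH2_ACCOUNT_TYPE": prefix.lower().rstrip("123"),
            f"{prefix}_OAUTH2_TOKEN_URL": token_url, f"{prefix}_OAUTH2_SCOPE": scope,
            f"{prefix}_OAUTH2_CLIENT_ID": client_id, f"{prefix}_OAUTH2_CLIENT_SECRET": secret}

def good_config():
    scope = "openid refresh_token api web full profile"  # the documented scope value
    cfg = org_entries("PRODUCTION", "https://acme.my.salesforce.com/services/oauth2/token",
                      scope, "PROD_CONSUMER_KEY_PLACEHOLDER", "PROD_CONSUMER_SECRET_PLACEHOLDER")
    cfg.update(org_entries("SANDBOX1", "https://acme--uat.sandbox.my.salesforce.com/services/oauth2/token",
                           scope, "SB1_CONSUMER_KEY_PLACEHOLDER", "SB1_CONSUMER_SECRET_PLACEHOLDER"))
    return cfg

def bad_config():
    """Deliberate mistakes: no production org, mydomain left in, short scope, empty secret, SANDBOX4."""
    cfg = org_entries("SANDBOX1", "https://mydomain.my.salesforce.com/services/oauth2/token",
                      "openid api", "SB1_CONSUMER_KEY_PLACEHOLDER", "")
    cfg["SANDBOX4_OAUTH2_CLIENT_ID"] = "SB4_CONSUMER_KEY_PLACEHOLDER"
    return cfg
```

Run `lint_config` over the flattened key/value pairs of whichever MDM format you use; the good configuration returns no findings, while the bad one reports all five problems.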
Customers can configure and deploy Delegated Authentication for Veeva CRM via MDM. However, the configuration for delegated authentication and OAuth 2.0 cannot be combined into one configuration file. Admins should create separate configuration files for delegated authentication and OAuth 2.0, and assign them accordingly to user groups in the MDM.
Using OAuth 2.0
The Enable OAuth2 Authentication toggle in the Settings app is automatically enabled when OAuth 2.0 is correctly configured and deployed through MDM.
When users sign into the Veeva CRM app for the first time, the IDP's sign-in screen displays. Sign in with the IDP credentials, not Veeva CRM credentials.
The OAuth session continues until the user signs out or the session expires.
Devices must be connected to the internet for users to sign in with OAuth. If the device is not connected, an error message displays; after reconnecting to the internet, the user can refresh the sign-in screen.
Managing OAuth Orgs
To sign into the appropriate OAuth org:
- Navigate to the Settings for the device.
- Select the Veeva CRM app.
- Select OAuth2 Authentication.
- Select OAuth2 Orgs.
- Select the appropriate org.
Users can switch orgs while OAuth is enabled. Users should sync any pending changes and sign out of Veeva CRM before selecting a different org from the device settings.