We’re smarter together. Learn from this collection of community knowledge and add your expertise.

Do I need a passcode for that? Requiring passcodes for Mobile BI—capabilities and properties

by SAS Employee BobbieWagoner on ‎06-14-2017 02:00 PM (987 Views)

The capabilities associated with Visual Analytics Transport Service 7.3 enable an administrator to make the Visual Analytics server more secure as users connect to the server from Mobile BI on a tablet or phone.   When delivering training, due to time constraints, I don’t ususally take the time to have students add device connections.  Therefore, they may not see first-hand the effect of adding users to a role with one or more of these capabilities checked.  This blog will discuss, in more detail, the behavior that a user should see when the administrator has taken advantage of these capabilities.


The three capabilities are shown under Visual Analytics Transport Service 7.3 on the Capabilities tab when viewing the Properties of any Application role in SAS Management Console:




To view the effect of these capabilities, you first need to make sure that your Visual Analytics Services 7.3 Properties have the appropriate internal server name, to enable a connection from Mobile BI. In SAS Management console, on the Plug-ins tab, navigate to Applications Management-->Configuration Manager-->SAS Application Infrastructure-->Visual Analytics 7.3-->Visual Analytics Services 7.3.  Right-click on the item and select Properties.




Click on the Internal Connection tab and make sure that the host name is accurate for your server.   7980 is the correct port for a Linux server making use of a proxy.  For a Windows machine with the proxy configured, the port would be 80.  Without the proxy server, the port would be 8080 for both Windows and Linux.




While you are in SAS Management Console, take a look at the Properties for the Visual Analytics Transport Services 7.3.  (Expand Visual Analytics 7.3).




On the Advanced tab, several of these properties are directly related to the Visual Analytics Transport Services 7.3 capabilities.




If a user is subject to the Require Passcode on Mobile Devices capability, the two properties above that relate to passcodes control the number of attempts allowed to enter the passcode and the timeout length if the user enters an incorrect passcode.


  • passcode.attempts is the number of attempts allowed to enter a passcode correctly (the default is 5). If a user reaches the limit without success, the user is locked out for 15 minutes.  If the user tries and reaches the limit without success again, the user’s data, reports, settings, and connection information is removed from the device.
  • passcode.timeout is the value (in minutes) of the lockout time (default is 15 minutes) after the user exhausts the number of attempts allowed to enter the passcode.

The passcode that is required is a passcode to access the server, rather than the application itself.  The device itself may also have a feature (depending on device) to enable users to set passcodes on individual applications.


To illustrate the ‘require passcode’ capability, you can create a new custom role using the User Manager Plug-in. In the example here, the custom role is named Extra Mobile Security.  The Visual Analytics: Report Viewing role is a Contributing Role.




The capabilities of the role include the capabilities from the contributing Visual Analytics: Report Viewing role, with the Require Passcode on Mobile Devices checked on the Visual Analytics Transport Services 7.3 application capabilities.



The user Sally is added as a member of this role. Sally has a SAS metadata identity and an account on the VA server machine that she will be adding as a connection in Mobile BI.  The mobile screenshots below are taking from the most recent release of Mobile BI running on an iPad.




When Sally adds a connection with her credentials, she will see a prompt to create a 4-digit passcode to continue access. Once the passcode is created, it will be required in order to connect to the server.




If there is no activity for 5 minutes, Sally will be prompted for the passcode in order to continue server access. That default value is shown at the bottom of the Create a Passcode prompt screen.


When prompted for the passcode, if Sally doesn’t enter the correct code in 5 attempts, there will be a lockout of 15 minutes, based on the default time of the viewerservices.passcode.timeout  application property.



 The window ‘counts down’ the time as the 15 minute limit elapses.




You can also prevent offline access to mobile data on the server by assigning users to a role that has the Purge Mobile Report Data capability, shown below.  When a user who is assigned this capability connects to the server from Mobile BI, all reports accessed use the remote report data feature, which means that the data is only available while viewing the report.  When the report is closed, the data is purged from the device and the thumbnail image of the report no longer appears.  If the user attempts to open the report without a network connection, the report doesn’t open.



For more information on off-line mode, data limits, and passcodes, be sure to see these documents: SAS Mobile BI documentation for iPad, Android, and Windows http://support.sas.com/documentation/onlinedoc/mobile_bi/index.html The documents SAS Mobile BI and Offline Mode and SAS Mobile BI Security and the Mobile Device may be of particular interest.    

Your turn
Sign In!

Want to write an article? Sign in with your profile.

Looking for the Ask the Expert series? Find it in its new home: communities.sas.com/askexpert.