Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
There is a high degree of difficulty here. From first principles, Qlik Sense was designed to be mobile ready by using responsive design in the front end UI. So it doesn't make much sense to restrict mobile users. That being said, this is confirmed to be working on my Qlik Sense February 2019 Patch 1 deployment.
Initial Configuration:
- You will need to enable Extended security environment for any virtual proxy which will be used (QMC > Virtual Proxies > Edit > Advanced):
- I would strongly encourage enabling DEBUG level logging for the proxy/proxies you are using for the Audit log level in order to confirm what is being sent by your mobile clients:
Application Configuration:
- You will need to add an element to the sheet to signal that you want to exclude it. In this example, I am using descriptions like so:
Security Rule Configuration:
- You will need to disable the default rule named Stream
- This rule inherits read rights to all the Apps in a stream as well as the App.Objects (sheets, stories, etc) in an app from read rights from the Stream
- Rebuild the Stream rule to exclude the sheets which have the descriptions. Example:
- Filter: App*
- Actions: Read + Publish
- Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") and !(resource.description like "*Mobile*"))
- Context: Both Hub and QMC
- Note: the last clause, !(resource.description like "*Mobile*"), will mean that users who can see the objects from inheritance from the stream will not be able to see objects (practically only sheets will fit this restriction) which have a description including Mobile.
- Create a new rule to provide access to the "Mobile" sheets based on the environment of the user:
- Filter: App.Object_*
- Actions: Read + Publish
- Conditions: (((resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") and resource.description like "*Mobile*") and user.environment.os != "Linux")
- Context: Both QMC and Hub
- Note: I am using user.environment.os and scoping it to Linux to capture my Android device. You will want to confirm the elements which you can use in rules in the newly DEBUG Proxy > Trace > Audit log (this will be covered a bit more below)
Result:
Chrome Desktop:
iPhone:
Android:
Debugging notes:
I will say that these rules work for me, but you will need to confirm things precisely in your environment. Copying and pasting the rules may work, but may not. This style of deployment will require you to look into the logs mentioned above to confirm elements.
For example here are the Message column entries for the devices I tested (bolded elements are apt to be used in a rule):
iPhone: Headers that will be injected: [X-Qlik-Security, OS=Mac OS X; Device=iPhone; Browser=Safari 12.1; IP=::ffff:192.168.1.66; ClientOsVersion=Unknown; SecureRequest=false; Context=AppAccess; ] ...
Desktop: Headers that will be injected: [X-Qlik-Security, OS=Windows; Device=Default; Browser=Chrome 73.0.3683.103; IP=::ffff:192.168.1.71; ClientOsVersion=10.0; SecureRequest=false; Context=AppAccess; ]...
Android: Headers that will be injected: [X-Qlik-Security, OS=Linux; Device=Default; Browser=Chrome 73.0.3683.90; IP=::ffff:192.168.1.99; ClientOsVersion=Unknown; SecureRequest=false; Context=AppAccess; ]...
Once you have these details from the devices that you want to show the sheet to, then you can use them to fuel a security rule.
