AppConnect container policies

The AppConnect container policy:

  • authorizes an AppConnect app.
  • specifies the data loss prevention settings for an AppConnect app.
  • can be automatically created by MobileIron Core.

For each AppConnect app, make sure only one AppConnect container policy applies to each device.

AppConnect app authorization

Each AppConnect app requires an AppConnect container policy. The presence of an AppConnect container policy for a device is what authorizes the app on the device. You apply a label to the AppConnect container policy to apply it to a device.

If you later remove the AppConnect container policy, or remove the device’s label from the policy:

  • an iOS AppConnect app becomes retired. A retired app becomes unauthorized on the device and the app deletes (wipes) all its sensitive data.
  • an Android AppConnect app becomes unauthorized. If the app is unauthorized, when the device user tries to run it, the Secure Apps Manager displays a message that the app is unauthorized.
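The following Python sketch is an added example, not part of the MobileIron documentation or product. It checks constructed policy and device data for the two conditions described above: an installed app that no AppConnect container policy reaches (not authorized), and an app that more than one container policy reaches on the same device. The data layout and the names `audit` and `describe` are assumptions; the page describes no export format.

```python
# Added example: constructed data, not an export from MobileIron Core.
# Each policy names one app (bundle/package ID) and the labels it is applied to.
POLICIES = [
    {"name": "Default com.myAppCo.myApp1 Container Policy",
     "app": "com.myAppCo.myApp1", "labels": {"iOS", "Sales"}},
    {"name": "myApp1 strict DLP",
     "app": "com.myAppCo.myApp1", "labels": {"Sales"}},
    {"name": "Default com.myAppCo.myApp2 Container Policy",
     "app": "com.myAppCo.myApp2", "labels": {"Engineering"}},
]
# Each device lists its label membership and the AppConnect apps installed on it.
DEVICES = {
    "iphone-alice": {"labels": {"iOS", "Sales"}, "apps": {"com.myAppCo.myApp1"}},
    "iphone-bob": {"labels": {"iOS"},
                   "apps": {"com.myAppCo.myApp1", "com.myAppCo.myApp2"}},
}


def audit(policies, devices):
    """Map (device, app) -> names of applicable policies, for every pair
    where the number of applicable container policies is not exactly one."""
    findings = {}
    for device, info in sorted(devices.items()):
        for app in sorted(info["apps"]):
            # A policy applies when it targets this app (exact, case-sensitive
            # match) and shares at least one label with the device.
            matched = sorted(p["name"] for p in policies
                             if p["app"] == app and p["labels"] & info["labels"])
            if len(matched) != 1:
                findings[(device, app)] = matched
    return findings


def describe(matched):
    """Translate a finding into the outcome the policy rules imply."""
    if not matched:
        return "no container policy applies: app is not authorized"
    return "more than one container policy applies: " + ", ".join(matched)


if __name__ == "__main__":
    for (device, app), matched in audit(POLICIES, DEVICES).items():
        print(f"{device} {app}: {describe(matched)}")
```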

Data loss prevention settings

In the AppConnect container policy, you also configure data loss prevention (DLP) settings. Specifically, you configure whether you want the app to be allowed to use these features:

  • Copy / paste (iOS only)
  • Print (iOS only)
  • Open In (document interaction) (iOS only)
  • Open From (document interaction) (iOS only)
  • Drag and Drop (iOS only)
  • Screen capture (Android only)

An app’s AppConnect container policy overrides the corresponding settings on the AppConnect global policy.

Automatically created AppConnect container policies

When you upload an AppConnect app to MobileIron Core’s App Catalog, Core automatically creates an AppConnect container policy as follows:

  • For Android AppConnect apps:
    MobileIron Core always takes this automatic action. If the app has specified DLP settings, Core uses those settings. Otherwise, Core creates an AppConnect container policy with all the values set to not allowed.
  • For iOS AppConnect apps built with the AppConnect for iOS SDK or Cordova Plugin:
    Core takes this automatic action only if an in-house app has specified its desired default values for the policy in its IPA file. This automatic action does not occur when you specify an Apple App Store AppConnect app as a recommended app.
  • For wrapped iOS AppConnect apps:
    Core always takes this automatic action, setting all the DLP values to not allowed.

The name of the AppConnect container policy is:

Table 8.   Name of automatically-created AppConnect container policy

  • For iOS AppConnect apps: Default <bundle ID of app> Container Policy
  • For Android AppConnect apps: Default <package ID of app> Container Policy

In the Admin Portal, on Policies & Configs > Configurations, the name of the app, not the name of the AppConnect container policy, displays in the name column.

You can override these DLP values by editing the app’s AppConnect container policy. MobileIron Core keeps the labels that you apply to the app in sync with the labels that you apply to the AppConnect container policy that Core automatically created.

Configuring AppConnect container policies

Use the following steps to configure an AppConnect container policy.

Procedure 

  1. In the Admin Portal, select Policies & Configs > Configurations.
  2. Select the existing container policy for the app, or select Add New > AppConnect > Container Policy to create a new one.

    Figure 1. AppConnect container policy

  3. Enter the requested information.
  4. Click Save.
  5. Select the new app policy.
  6. Select More Actions > Apply To Label.
  7. Select the labels to which you want to apply this AppConnect container policy.
  8. Click Apply.

Be sure to apply one of the labels that you selected to the device. To check the device’s labels:

  1. Go to Devices & Users > Devices.
  2. Expand the device details panel by clicking the up arrow for the desired device.
  3. In the Device Details panel, select Label Membership.

For a description of the fields in the AppConnect container policy, see AppConnect container policy field description.

AppConnect container policy field description

Use the following guidelines to create or edit an AppConnect container policy:

Table 9.   AppConnect container policy fields

Item

Description

Name

Enter brief text that identifies this AppConnect container policy.

If MobileIron Core automatically created this policy:

  • You cannot edit the name.

  • The name is not the same as the name that appears in the name column in Policies & Configs > Configurations.

Description

Enter additional text that clarifies the purpose of this AppConnect container policy.

Application

Android:

Select an Android AppConnect app from the MobileIron Core App Catalog.

iOS:

Select an iOS AppConnect app from the MobileIron Core App Catalog or enter the bundle ID of an iOS AppConnect app. A bundle ID is case sensitive.

The drop-down selection includes an iOS AppConnect app only if both of the following statements are true:

  • The app was added to the Core App Catalog as an in-house app.

  • The app specifies default data loss prevention policy settings (copy/paste, document interaction, print).

Exempt from AppConnect passcode policy

iOS only:

Select this option if you want to allow the device user to use the app without entering the AppConnect passcode or Touch ID / Face ID.

When you select this option, situations still occur when the device user must enter the AppConnect passcode. For example, if the user launches an AppConnect app that is not already running, the user is prompted to enter the AppConnect passcode.

iOS Data Loss Prevention

Allow Print

iOS only:

Select Allow Print if you want AppConnect apps to be allowed to use print capabilities.

Allow Copy/Paste To

iOS only:

Select Allow Copy/Paste To if you want the device user to be able to copy content from the AppConnect app to other apps.

When you select this option, also select one of the following:

  • All apps

    Select All apps if you want the device user to be able to copy content from the AppConnect app and paste it into any other app.

  • AppConnect apps

    Select AppConnect apps if you want the device user to be able to copy content from the AppConnect app and paste it only into other AppConnect apps.

Comparison with AppConnect for iOS copy/paste policy

Allow Open In

iOS only:

Select Allow Open In if you want AppConnect apps to be allowed to use the Open In (document interaction) feature.

When you select this option, also select one of the following:

  • All apps

    Select All apps if you want the app to be able to send documents to any other app.

  • AppConnect apps

    Select AppConnect apps to allow an AppConnect app to send documents to only other AppConnect apps.

  • Whitelist

    Select Whitelist if you want the app to be able to send documents only to the apps that you specify.

    Enter the bundle ID of each app, one per line, or in a semicolon-delimited list.

    For example:

    com.myAppCo.myApp1
    com.myAppCo.myApp2;com.myAppCo.myApp3

    The bundle IDs that you enter are case sensitive.

Open-In data loss prevention policy details

Sharing content from AppConnect for Android apps to non-AppConnect apps

Allow Open From

iOS only:

Enabled by default.

Select Allow Open From if you want AppConnect apps to be allowed to use the Open From (document interaction) feature by default. You can override this option in each app’s AppConnect container policy.

When you select this option, also select one of the following:

  • All apps

    Select to allow an AppConnect app to receive documents from any app.

  • AppConnect apps

    Select AppConnect apps to allow an AppConnect app to receive documents from only other AppConnect apps.

  • Whitelist

    Select Whitelist if you want an AppConnect app to receive documents only from the apps that you specify.

    Enter the bundle ID of each app, one per line, or in a semicolon-delimited list.

    For example:

    com.myAppCo.myApp1
    com.myAppCo.myApp2;com.myAppCo.myApp3

    The bundle IDs that you enter are case sensitive.
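The Whitelist fields for Allow Open In and Allow Open From both take bundle IDs one per line or semicolon-delimited, and both are case sensitive. The Python sketch below is an added example, not MobileIron code: it parses such a field value and flags entries that differ only in case from a reference list of correct bundle IDs. The function names, the reference list, the trimming of surrounding whitespace and the reverse-DNS format check are assumptions.

```python
import re

# Assumption: reverse-DNS form with at least two segments, using the characters
# Apple permits in a bundle ID (letters, digits, hyphen, period).
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_whitelist(text):
    """Split a whitelist field value on newlines and semicolons; drop blanks.
    Whitespace is trimmed here; the page does not say whether the portal trims."""
    return [e.strip() for e in re.split(r"[;\r\n]+", text) if e.strip()]


def check_whitelist(text, known_bundle_ids):
    """Classify each entry against bundle IDs known to be spelled correctly."""
    by_lower = {b.lower(): b for b in known_bundle_ids}
    report = {"ok": [], "malformed": [], "case_mismatch": [],
              "unknown": [], "duplicate": []}
    seen = set()
    for entry in parse_whitelist(text):
        if entry in seen:
            report["duplicate"].append(entry)
            continue
        seen.add(entry)
        if not BUNDLE_ID_RE.match(entry):
            report["malformed"].append(entry)
        elif entry in known_bundle_ids:
            report["ok"].append(entry)
        elif entry.lower() in by_lower:
            # Same ID apart from letter case: the entry would not match the app.
            report["case_mismatch"].append((entry, by_lower[entry.lower()]))
        else:
            report["unknown"].append(entry)
    return report


# Constructed sample input mixing both delimiters, with deliberate mistakes.
SAMPLE = """com.myAppCo.myApp1
com.myAppCo.myApp2;com.myappco.myapp3
com.myAppCo.myApp1; com myAppCo bad
"""
KNOWN = {"com.myAppCo.myApp1", "com.myAppCo.myApp2", "com.myAppCo.myApp3"}

if __name__ == "__main__":
    for category, entries in check_whitelist(SAMPLE, KNOWN).items():
        print(category, entries)
```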

Allow Drag and Drop

iOS only:

Select Allow Drag and Drop if you want the device user to be able to drag content from the AppConnect app to other apps.

When you select this option, also select one of the following:

  • All apps

    Select All apps if you want the device user to be able to drag content from the AppConnect app and drop it into any other app.

  • AppConnect apps

    Select AppConnect apps if you want the device user to be able to drag content from the AppConnect app and drop it only into other AppConnect apps.

Android Data Loss Prevention

Allow Screen Capture

Android only:

Select Allow Screen Capture if you want the app to allow screen capture.