AppConnect global policy

The AppConnect global policy applies to all AppConnect apps on devices. These AppConnect apps include:

MobileIron Core applies a default AppConnect global policy automatically to all devices. You can modify the default AppConnect global policy. You can also create custom AppConnect global policies and apply those to specific devices.

IMPORTANT: If you are using AppConnect on iOS devices but not on Android devices, apply a separate AppConnect Global policy to Android devices. Do not use the same AppConnect Global policy for both iOS and Android devices. In the AppConnect Global policy for Android devices, ensure that for AppConnect the Disabled option is selected.

In the AppConnect global policy, you configure:

  • whether AppConnect is enabled for the devices
  • AppConnect passcode requirements
  • out-of-contact timeouts
  • the app check-in interval
  • the default end-user message for when an app is not authorized
  • whether AppConnect apps with no AppConnect container policy are authorized by default
    See AppConnect global policy
  • default settings for data loss prevention policies

AppConnect passcode requirements

On the AppConnect global policy, you specify whether the device user is required to enter an AppConnect passcode to access the AppConnect apps on the device. For the highest possible security when using AppConnect, Ivanti recommends that each device has both a device passcode and an AppConnect passcode. You can also allow users to use Touch ID or Face ID (iOS) or fingerprint (Android) instead of the AppConnect passcode to access secure apps. For more information about whether to require an AppConnect passcode, see:

For Android, if users create an AppConnect passcode more than 60 minutes after registering the device, they must first enter their MobileIron Core credentials. After users creates the AppConnect passcode, the AppConnect container is created.

When you require an AppConnect passcode, you also specify:

  • Passcode Type
  • Minimum Passcode Length
  • Minimum Number of Complex Characters
  • Maximum Passcode Age
  • Auto-Lock Time
  • Passcode history
  • Maximum Number of Failed Attempts
  • Passcode strength requirements

If the device user fails to correctly enter the AppConnect passcode after a certain number of attempts, the user cannot access AppConnect apps. Specifically:

  • On iOS devices, device users must enter their Core credentials and then create a new AppConnect passcode.
  • On Android devices, send an Unlock AppConnect Container command to the device from the Admin Portal. The command removes the secure apps passcode. The user can then create it again.

Configuring the AppConnect global policy

You configure the AppConnect global policy on Mobileiron Core in Policies & Configs > Policies.

Procedure 

  1. In the Admin Portal, select Policies & Configs > Policies.
  2. Edit the default AppConnect global policy, or select Add New > AppConnect to create a new one.
  3. Enter the requested information.
  4. Click Save.
  5. If you created a new policy, apply the appropriate labels to the AppConnect global policy.
    If you are using the default AppConnect global policy, it automatically applies to all devices.

For a description of the fields in the AppConnect global policy, see AppConnect global policy field description

AppConnect global policy field description

Use the following guidelines to create or edit an AppConnect global policy:

Table 4.   AppConnect global policy fields

Item

Description

Default Value

Name

Required. Enter a descriptive name for this policy. This text is displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.

TIP: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Default AppConnect Global Policy

Status

Select Active to turn on this policy.

Select Inactive to turn off this policy.

Active

Priority

Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B.

Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

For more information about policy priorities, see “Prioritizing policies” in Getting Started with Core.

 

Description

Enter an explanation of the purpose of this policy.

Default AppConnect Global Policy

AppConnect

Select Enabled to enable AppConnect on the device.

Select Disabled to disable AppConnect on the device.

When you select Enabled, the screen displays the rest of its fields.

Disabled

AppConnect Passcode

Passcode Type

Specify the type of passcode:

  • Numeric
    The passcode is allowed to have only digits in it. However, the device user can choose to create an alphanumeric passcode.
  • Alphanumeric
    The passcode must contain at least one digit and one letter.
  • Don't Specify
    The passcode is allowed to have characters of any type.

Alphanumeric

Minimum Passcode Length

Select a number between 1 and 16 to specify the minimum length for the passcode.

4

Minimum Number of Complex Characters

Select a number between 1 and 10 to specify the minimum number of special characters that must be included in the passcode. Select “-” to require no special characters in the passcode.

This option is only applicable when the passcode type is alphanumeric.

A special character is any character which is not 0-9, a-z, or A-Z. For example, $, \, and ä are special characters.

1

Maximum Passcode Age

Enter a value between 1 and 730.

Specifies the number of days the secure apps passcode is valid. The value is updated on a device when the next device check-in occurs. After the passcode age is exceeded (that is, the passcode expires), device users see an alert that the passcode has expired after they authenticate.. Device users must create a new passcode before they can access secure apps.

If you do not want the passcode to expire, leave the field blank, which is the default.

None

Auto-Lock Time

Select the maximum amount of time to allow as an inactivity timeout. After this period of inactivity in AppConnect apps, the device user is locked out of the apps if an AppConnect passcode is required. The device user must reenter the AppConnect passcode to access AppConnect apps.

15 minutes

Passcode history

Select a value from 1 to 12, or “-”.

This value specifies the number of most recently used secure apps passcodes that device users cannot use when changing their passcode.

The default value is 1, which means that when users create a new passcode, the only restriction is that they cannot reuse their current passcode.

If you do not want a passcode history, select “-”. In this case, the user can reuse any previous passcode, including the current passcode.

Case is not considered when passcode reuse is evaluated. This means that device users cannot just change the case for a past passcode and reuse that passcode. Password and passWord are considered the same when a passcode is evaluated for reuse. Passcode history is preserved even after AppConnect is disabled and re-enabled. This requires [email protected] 12.11.10 for iOS or Secure Apps Manager 9.2.0 for Android.

If you change this field value from none to a value between 1 and 12:

  • On iOS devices, the next time that users change the passcode, [email protected] puts the new passcode in the history. Therefore, after this policy change, users can reuse the current passcode the first time they change the passcode.

  • On Android devices, the Secure Apps Manager puts the current passcode in the history the next time that the user logs in. Therefore, after this policy change, users who are already logged in can reuse the current passcode the first time they change the passcode.

1

Maximum Number of Failed Attempts

Select a value between 2 and 10. Select “--” if you do not want to limit failed attempts.

Specifies the number of failed authentication attempts after which the option selected for Maximum Number of Failed Attempts Action is applied.

iOS

Device users must enter their Core credentials and then create a new AppConnect passcode.

After the passcode is reset, the [email protected] client does not flip back to the AppConnect app.

Android

Send an Unlock AppConnect Container command to the Android device from the Admin Portal. The command removes the secure apps passcode. Users can then create it again.

If the maximum is greater than 5, after the 5th attempt, the user can attempt to reenter the secure apps passcode only after waiting progressively longer time periods.

Self-service AppConnect passcode recovery

10

Maximum number of failed attempts action

Block: Select to block the AppConnect app if the AppConnect passcode retry attempts exceed the configured maximum number of failed attempts.

Retire: Select to retire the AppConnect app if the AppConnect passcode retry attempts exceed the configured maximum number of failed attempts. When AppConnect apps are retired, they become unauthorized (blocked), and the secure data is deleted (wiped). The app remains functional with only the unsecure data.

On Android devices, fingerprint login does not work if the maximum failed attempts exceeds the configured value.

Block

Passcode is required for iOS devices

Select this field if you require device iOS users to enter an AppConnect passcode to use any AppConnect app.

Not selected

Use Touch ID or Face ID when supported

This option is available only if you selected Passcode is required for iOS devices.

Select this field to allowdevice users to enter their Touch ID (fingerprint) or Face ID, if available, to access secure apps.

When you select this option, another option appears that begins When using Touch ID or Face ID, fall back to: Most customers keep the default which is Device passcode. Selecting AppConnect passcode is less frequently used.

Touch ID or Face ID for accessing secure apps

Not selected

When using Touch ID or Face ID, fall back to:

These options are available only if you selected Use Touch ID or Face ID when supported.

Most customers keep the default which is Device passcode. This option gives the device user the convenience of using Touch ID or Face ID rather than an AppConnect passcode to access secure apps. If entering the Touch ID or Face ID fails, the user enters (falls back to) the device passcode to access secure apps.

With the AppConnect passcode option, when the auto-lock time for AppConnect apps expires, the device user uses Touch ID or Face ID rather than the AppConnect passcode to re-access AppConnect apps. If entering the Touch ID or Face ID fails, the user enters (falls back to) the AppConnect passcode to access secure apps. The device user also uses the AppConnect passcode for other situations requiring AppConnect authentication such as the first time an AppConnect app is launched or when the user logs out of secure apps in [email protected]

IMPORTANT: Use the option AppConnect passcode only if you have a compelling reason to not require your users to have a strong device passcode.

Touch ID or Face ID for accessing secure apps

Device Passcode

Allow iOS users to recover their passcode

This option is available only if you selected Passcode is required for iOS devices.

Select this option to allow a device users to recovery their AppConnect passcode themselves.

This option defaults to allowed. If you disable this option, no method is available to recover a forgotten AppConnect passcode on iOS devices. The device user must delete and reinstall [email protected] and each AppConnect app.

Self-service AppConnect passcode recovery

Selected

Lock AppConnect apps automatically when the screen is off

This option is available only if you selected Passcode is required for iOS devices.

Select this option to automatically log out device users from AppConnect apps when the device screen is turned off due to either inactivity or user action.

To access AppConnect apps after unlocking the screen (whether or not unlocking the screen requires user authentication), the device user must re-enter the AppConnect passcode (or Touch ID/Face ID).

This setting requires:

  • [email protected] 10.0.0 for iOS or supported newer versions.
  • AppConnect apps built or wrapped with AppConnect 4.1 for iOS or supported newer versions.

Previous versions of these components ignore this setting.

Not selected

Passcode is required for Android devices

Select this field if you require Android device users to enter an AppConnect passcode to use any AppConnect app.

Selected

Allow Android users to recover their passcode

This option is available only if you selected Passcode is required for Android devices.

This option defaults to not allowed.

Self-service AppConnect passcode recovery

Not selected

Use fingerprint authentication when supported

This option is available only if you selected Passcode is required for Android devices.

Select this option to give the device user the convenience of using a fingerprint instead of an AppConnect passcode to access AppConnect apps on Android devices.

Fingerprint login for AppConnect apps for Android

Not selected

Lock AppConnect apps automatically when the screen is off

This option is available only if you selected Passcode is required for Android devices.

Select this option to automatically log out device users from AppConnect apps when the device screen is turned off due to either inactivity or user action.

To access AppConnect apps after unlocking the screen (whether or not unlocking the screen requires user authentication), the device user must re-enter the AppConnect passcode (or fingerprint).

This setting is supported with Secure Apps Manager 8.3.0 or supported newer versions. Previous versions of the Secure Apps Manager ignore this setting.

Lock Android AppConnect apps when screen is off

Not selected

Check for AppConnect passcode strength

Select this option if you want to set a required level of AppConnect passcode strength.

When you select this option, a slider displays. Use the slider to select the desired AppConnect passcode strength, or enter a value between 0 and 100 in the text field.

AppConnect passcode strength

Not selected

Passcode Strength

This option is available only if you selected Check for AppConnect passcode strength.

Use the slider to select the desired AppConnect passcode strength, or enter a value between 0 and 100 in the text field.

AppConnect passcode strength

35

End User Terms of Service

Enable End User Terms of Service

When selected, end users must accept the terms of service before they can access AppConnect apps.

However, selecting this option does not present users with the terms of service if either of the following are true:

The terms of service is not configured.

The AppConnect passcode is not required. That is:

- Passcode is required for Android devices is not selected for Android devices.
- Passcode is required for iOS devices is not selected for iOS devices.

For details about configuring the terms of service, see "Terms of service" in theCore Device Management Guide.

This feature requires:

  • For iOS devices: [email protected] 10.0.2 for iOS or supported newer versions.
  • For Android devices: [email protected] 10.1 for Android and Android Secure Apps Manager 8.4.0 or supported newer versions.

Not selected

End User Terms of Service Frequency

Select one of the following:

  • Always: End users must accept the terms of service each time they are prompted to enter their AppConnect passcode or biometric identification.
  • Once: End users must accept the terms of service only one time. On iOS devices, this occurs when they create their AppConnect passcode. On Android devices, this occurs when they are first prompted to enter their AppConnect passcode or biometric identification.

If the terms of service is updated in the user's language after the user has accepted it, the user will be asked to accept it once again.

Always

AppConnect Security Controls On Device

Device Out Of Contact

Wipe AppConnect Apps After

Specify a value from 1 through 90 days. Leave the field empty if you do not want to wipe AppConnect apps when the device is out of contact with MobileIron Core.

Once the AppConnect global policy is applied to the device, wiping the AppConnect apps occurs on the device after the specified time without reconnecting to MobileIron Core.

30 days

Android

Device Compromised

Android only:

Select Wipe AppConnect data if you want to retire all secure apps when the device is compromised (rooted). When secure apps are retired, they become unauthorized (blocked), and their data is deleted (wiped).

After the device has checked in and received the AppConnect global policy, no further interaction is required from Core. [email protected] detects when the device is compromised and retires the secure apps.

Select None to cause no action when the device is compromised.

Device-initiated security controls for AppConnect for Android

None

USB Debug Enabled

Android only:

Select Wipe AppConnect data if you want to retire all secure apps when USB debugging is enabled on the device. When secure apps are retired, they become unauthorized (blocked), and their data is deleted (wiped).

After the device has checked in and received the AppConnect global policy, no further interaction is required from Core. [email protected] detects when USB debugging is enabled and retires the secure apps.

Select None to cause no action when USB debugging is enabled.

Device-initiated security controls for AppConnect for Android

None

Remove AppConnect apps (and apps data) when device is retired

Android only:

Select this option to remove AppConnect apps and associated apps data when the device is retired. The policy silently removes the apps from Samsung Knox devices, and prompts the user to uninstall the apps from other types of devices.

None

iOS

Enable mutli-user auto sign-out after X minutes of inactivity

iOS only:

Select this option to configure automatic sign-out on multi-user iOS devices.

Valid values are from 5 minutes to 120 minutes.

This feature requires [email protected] 11.0 for iOS or supported newer versions.

"Setting automatic sign-out for multi-user devices" in the Core Device Management Guide for iOS and macOS Devices.

Not selected

App Authorization

App Check-in Interval

iOS only:

Select the maximum number of minutes until devices running AppConnect apps receive updates of their AppConnect global policy, their AppConnect app configuration, and their AppConnect container policies.

Note that these policies and settings are not updated on the device when:

  • the device checks in at its regular sync interval.
  • you force a device check-in from the Devices & Users screen.

However, in the [email protected] for iOS app on the device, the Check for Updates option does sync the policies and settings related to AppConnect.

 

Regarding Android:

The app check-in interval does not apply to Android. However, the AppConnect-related policies and settings are updated on the device when the device checks in. Device check-in occurs:

  • according to the sync interval specified on the device’s sync policy.
  • when you force a device check-in from the Devices & Users screen.
  • when the device user uses the Force Device Check-in feature in [email protected] on the device.

60 minutes

Unauthorized Message

Enter the default message that [email protected] displays if the app is not authorized on the device. If you do not enter a default message, the system provides one.

If AppConnect apps are unauthorized (blocked) due to a security policy violation, the out-of-compliance message is displayed instead of this message.

None

Data Loss Prevention Policies

Apps without an AppConnect container policy

Select Authorize if you want AppConnect apps to be authorized by default. If you do not select this option, app authorization is determined by the labels applied to the AppConnect container policy and the device.

If you select this option, then you can also select:

  • the iOS data loss prevention policies
  • the Android screen capture policy

Not selected

iOS

Copy/Paste To

iOS only:

Select Allow if you want the device user to be able to copy content from AppConnect apps to other apps. You can override this option in each app’s individual AppConnect container policy.

When you select this option, then select either:

  • All apps
    Select All apps if you want the device user to be able to copy content from the AppConnect app and paste it into any other app.
  • AppConnect apps
    Select AppConnect apps if you want the device user to be able to copy content from the AppConnect app and paste it only into other AppConnect apps.
    Select

Comparison with AppConnect for iOS copy/paste policy

Not selected

Print

iOS only:

Select Allow if you want AppConnect apps to be allowed to use print capabilities by default. You can override this option in each app’s individual AppConnect container policy.

Not selected

Open In

iOS only:

Select Allow if you want AppConnect apps to be allowed to use the Open In (document interaction) feature by default. You can override this option in each app’s AppConnect container policy.

When you select this option, then select either:

  • All apps
  • AppConnect apps

    Select AppConnect apps to allow an AppConnect app to send documents to only other AppConnect apps.

  • Whitelist

    Select Whitelist if you want the app to be able to send documents only to the apps that you specify.

    Enter the bundle ID of each app, one per line.

    For example:

    com.myAppCo.myApp1

    com.myAppCo.myApp2

    The bundle IDs that you enter are case sensitive.

Not selected

Open From

iOS only:

Select Allow if you want AppConnect apps to be allowed to use the Open From (document interaction) feature by default. You can override this option in each app’s AppConnect container policy.

When you select this option, then select either:

  • All apps

    Select to allow an AppConnect app to receive documents from any app.

  • AppConnect apps

    Select AppConnect apps to allow an AppConnect app to receive documents from only other AppConnect apps.

  • Whitelist

    Select Whitelist if you want an AppConnect app to receive documents only from the apps that you specify.

    Enter the bundle ID of each app, one per line.

    For example:
    com.myAppCo.myApp1

    com.myAppCo.myApp2

    The bundle IDs that you enter are case sensitive.

Not selected

Enabled if Apps without an AppConnect container policy is enabled.

Drag and Drop

iOS only:

Select Allow if you want the device user to be able to drag content from AppConnect apps to other apps. You can override this option in each app’s individual AppConnect container policy.

When you select this option, then select either:

  • All apps
    Select All apps if you want the device user to be able to drag content from the AppConnect app and drop it into any other app.
  • AppConnect apps
    Select AppConnect apps if you want the device user to be able to drag content from the AppConnect app and drop it only into other AppConnect apps.

Not selected

Android

Copy/Paste

Android only:

Specify one of the following options:

  • No restrictions

    The device user can copy and paste between any apps, whether the apps are AppConnect apps or unsecured apps. The device exhibits standard copy/paste behavior. This option is the default.

  • Clipboard use: The device uses the standard Android clipboard for all copy/paste activity. That is, AppConnect apps and unsecured apps all use the same clipboard.

  • Among AppConnect apps

    Copy and paste is not possible between AppConnect apps and unsecured apps. The device user can copy and paste among AppConnect apps, and within an AppConnect app. The user can also copy and paste among unsecured apps and within an unsecured app.

    This option prevents data leaks into or out of the secure container.

  • Clipboard use: AppConnect apps share a clipboard, and unsecured apps share a separate clipboard.

  • Within an AppConnect app

    The device user can copy and paste within each AppConnect app. However, the user cannot copy and paste among AppConnect apps, or between AppConnect apps and unsecured apps. The user can also copy and paste among unsecured apps and within an unsecured app.

    This option is the most restrictive.

  • Clipboard use: Each AppConnect app has its own clipboard. Unsecured apps share one clipboard among all unsecured apps.

Copy/Paste for AppConnect for Android

No restrictions

Camera

Android only:

Select Allow to allow camera photo access for all the AppConnect apps on an Android device.

When you select this setting, an AppConnect app can, for example, use a camera app to take a photo with the camera and allow the device user to save the photo.

Interaction with the lockdown policy regarding Android camera access

Not selected

Gallery

Android only:

Select Allow to allow all the AppConnect apps on an Android device to access images from the gallery.

When you select this setting, an AppConnect app can, for example, allow a device user to attach images from the gallery to an email.

Not selected

 

MediaPlayer

Android only:

Select Allow to allow all the AppConnect apps to stream media to media players.

When you select Allow, AppConnect apps can stream the following file types to media players:

  • MP3 audio files
  • WAV audio files
  • MP4 video files

The supported file size depends on the Android Secure Apps version as well as the device.

DLP policy for media player access.

Not selected

 

Screen capture

Android only:

Select Allow if you want AppConnect apps to allow screen capture by default. You can override this option in each app’s AppConnect container policy.

Not selected

Web

Android only:

Select Allow to allow an unsecured browser to attempt to display a web page when a device user taps the page’s URL in a secure app.

If you do not select Allow, only [email protected] can display the page.

Web DLP policy for browser launching

Not selected

Non-AppConnect apps can open URLs in [email protected]

Android only:

Select Allow to allow device users to choose to view a web page in [email protected] or other AppConnect-enabled browser when they tap a link (URL) in an app that is not AppConnect-enabled.

DLP allowing links from non-AppConnect apps to open in [email protected]

Not selected

Self-service AppConnect passcode recovery

You can allow self-service AppConnect passcode recovery on both iOS and Android devices. Self-service AppConnect passcode recovery allows device users to recover their AppConnect passcode themselves if they forgot it. Device users first enter their MobileIron Core registration credentials before creating a new AppConnect passcode.

Although allowing self-service AppConnect passcode recovery can decrease support calls for passcode assistance and improve the device user experience, your security requirements can be more important to you. Evaluate your priorities for security and device user experience and make the right choice for your enterprise.

However, self-service AppConnect passcode recovery behaves differently on the two platforms, as summarized in the following table:

 

Table 5.   Self-service AppConnect passcode recovery on iOS versus Android

 

iOS

Android

Default value in AppConnect global policy

Self-service AppConnect passcode recovery is allowed.

Self-service AppConnect passcode recovery is not allowed.

What happens when self-service recovery is not allowed?

No method is available to recover a forgotten AppConnect passcode.

The device user must delete and reinstall [email protected] and each AppConnect app.

Therefore, if you do not allow self-service AppConnect passcode recovery, consider increasing the number of failed passcode attempts on the AppConnect global policy.

You can send an Unlock AppConnect Container command from the MobileIron Core Admin Portal. This command removes the AppConnect passcode. The device user then creates a new AppConnect passcode.

Touch ID / Face ID impact

You can choose to use Touch ID or Face ID, when supported on the device, regardless of whether you allow or disable self-service AppConnect passcode recovery. Disabling or allowing AppConnect passcode recovery is not relevant when the device is using Touch ID or Face ID with fallback to device passcode.

Not applicable.

Fingerprint impact

Not applicable

You can choose to use fingerprint, when supported on the device, regardless of whether you allow or disable self-service AppConnect passcode recovery.

When the device user creates a new AppConnect passcode, the user must again choose whether to enable fingerprint login.

Maximum number of failed attempts on the AppConnect global policy

If you allow self-service AppConnect passcode recovery, the device user can create a new AppConnect passcode when reaching the maximum number of failed attempts.

If you do not allow self-service AppConnect passcode recovery, no method is available to recover a forgotten AppConnect passcode. Therefore, consider increasing the maximum number of failed passcode attempts.

If you allow self-service AppConnect passcode recovery, it is not available when the device user reaches the maximum number of failed attempts.

You must send an Unlock AppConnect Container command from the MobileIron Core Admin Portal to allow the device user to create a new AppConnect passcode and access AppConnect apps.

If you do not allow self-service AppConnect passcode recovery, you also must send an Unlock AppConnect Container command when the device user reaches the maximum number of failed attempts.

Password history on the AppConnect global policy

When a device user creates a new AppConnect passcode through self-service recovery, the passcode history rule is enforced.

When a device user creates a new AppConnect passcode, whether due to an Unlock AppConnect Container command or through self-service recovery, the passcode history rule is enforced.

AppConnect passcode strength

You can set the desired AppConnect passcode strength to enforce how strong an AppConnect passcode must be. Setting the AppConnect passcode strength prevents device users from using AppConnect passcodes that are weak and therefore easy to guess. However, setting the AppConnect passcode strength too high makes using AppConnect apps inconvenient for the device user because they have to enter a more complicated or longer AppConnect passcode. Therefore, when you choose the AppConnect passcode strength requirement, consider both your security needs and your device user convenience.

Note the following:

  • Enabling, disabling, or changing the passcode strength requires the device user to reset the AppConnect passcode.
  • The AppConnect passcode strength setting has no impact on the device passcode. Even if the device users are using Touch ID or Face ID with fallback to device passcode to access AppConnect apps, the device passcode is not impacted by the AppConnect passcode strength.
  • On iOS devices running [email protected] prior to version 9.7.0, the AppConnect Passcode Type on the AppConnect global policy must be either Alphanumeric or Don’t Specify. Password strength is not supported on these iOS devices when the passcode type is Numeric. On Android devices, password strength is supported with all AppConnect passcode types.

To set the AppConnect passcode strength, choose a value between 0 and 100 as follows:

Table 6.   AppConnect passcode strength values

Strength value

Description

Examples

0 - 20

Weak: risky password

  • Few characters: zxcvbn
  • Sequences: abcdefghijk987654321
  • Names: briansmith4mayor
  • Words: viking
  • Words with number substitutions: ScoRpi0ns

21 - 40

Fair: protection from throttled online attacks

Throttled online attacks are attacks to guess the passcode which are:

on the device

rate-limited

Rate-limited attacks are limited to some number of attempts per time period.

  • Few characters but with special characters: [email protected]!
  • Words plus numbers: temppass22
  • Names plus numbers: ryanhunter2000
  • Words with special character and number substitutions: R0$38uD99
  • Names with capitalization: verlineVANDERMARK

41 - 60

Good: protection from unthrottled online attacks

Unthrottled online attacks are attacks to guess the passcode which are:

on the device

not rate-limited

  • Longer words with special character and number substitutions: Tr0ub4dour&3
  • Longer phrases with numbers and special characters:
    neverforget13/3/1997
  • Longer letter, number, and special character combinations:
    asdfghju7654rewq
    OEUIDHG&*()LS_

61 - 80

Strong: moderate protection from offline slow-hash scenario

An offline slow-hash scenario is a sophisticated algorithm for guessing a passcode. The algorithm runs offline from the device after copying passcode-related files from the device.

  • Longer random letters and numbers:
    zevusqr3
    esqu3Wil
    tgbvdnjuk
  • Longer phrases with numbers and special characters:
    Compl3xChar$

81 - 100

Very strong: strong protection from offline slow-hash scenario

  • Very long random characters:
    eheuczkqyq
    rWibMFACxAUGZmxhVncy
    Ba9ZyWABu99[BK#6MBgbH88Tofv)vs$w
  • Long phrases:
    correcthorsebatterystaple
  • Long phrases with substitutions:
    coRrecth0rseba++ery9.23.2007staple$

Mechanism to force all device users to change their AppConnect passcodes

Device users are prompted to change their AppConnect passcodes when you change any of the following settings on the AppConnect global policy:

  • AppConnect passcode type
  • AppConnect passcode length
  • AppConnect passcode strength settings

The device users must change their AppConnect passcodes regardless whether their passcode already meets the new requirements.

With this mechanism, you have a way to force all devices users to change their AppConnect passcode. This capability is useful if, for example:

  • Your security requirements change, and you want to require a more complex passcode, such as a longer passcode.
  • You are concerned that some users’ AppConnect passcodes have been compromised, but you do not know exactly which users.

Interaction with the lockdown policy regarding Android camera access

The lockdown policy for the device has an option to enable or disable the camera. The lockdown policy applies to all apps on the device, not just AppConnect apps. The interactions between the lockdown policy and the AppConnect global policy are:

  • If the lockdown policy prohibits camera use, AppConnect apps cannot use the camera. Camera use is prohibited even if you allow camera access on the AppConnect global policy.
  • If the lockdown policy allows camera use, AppConnect apps can access photos from the camera only if you allow camera access on the AppConnect global policy.

The following table summarizes this interaction of the lockdown policy and the AppConnect global policy:

Table 7.   Camera options interactions in lockdown policy and AppConnect global policy

 

AppConnect global policy:

Camera access allowed

AppConnect global policy:

Camera access prohibited

Lockdown policy:

Camera enabled

AppConnect apps can use the camera.

AppConnect apps cannot use the camera.

Lockdown policy:

Camera disabled

AppConnect apps cannot use the camera.

AppConnect apps cannot use the camera.