Device-initiated security controls for AppConnect for Android

You can protect corporate data on devices even when the devices are off-line. If the device is compromised (rooted) or USB debugging is enabled, Mobile@Work can retire all secure apps on the device. Retiring secure apps means that they become unauthorized (blocked), and their data is deleted (wiped).

The detection of these two security violations occurs on the device. Furthermore, the decision to retire secure apps because of these violations also occurs on the device. Connectivity with MobileIron Core is not required for these security controls.

Configure the actions on the AppConnect global policy

The AppConnect global policy provides settings to specify whether you want to retire all secure apps when the device is compromised or USB debugging is enabled. However, after the device has checked in and received the AppConnect global policy, no further interaction is required from Core. Mobile@Work detects the non-compliant situation and retires the secure apps.

Because Mobile@Work acts independently of Core when these security violations occur, retiring secure apps occurs before any actions specified on other policies such as the security policy.

To configure that you want the device to detect these security violations and then retire secure apps:

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the AppConnect global policy that is applied to the devices of interest.
  3. Click Edit.
  4. Scroll to the section AppConnect Security Controls on Device.
  5. In the Android section, select Wipe AppConnect Data for Device Compromised and USB Debug Enabled, according to your security requirements.
  6. Click Save.

Interaction with the Exchange setting

These compliance actions retire all secure apps, which can include email clients. However, the device user can still use lower priority email clients, such as the native Samsung email client, if the device’s Exchange setting allows them.

Therefore, if you do not want to allow any email access when the device is compromised or USB debugging is enabled, modify the Exchange setting:

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Select the Exchange setting that is applied to the devices of interest.
  3. Click Edit.
  4. In the Android section, modify the Exchange App Priority so that only AppConnect-enabled email clients are selected.
1. Click Save.