Ivanti UEM client for iOS and AppConnect apps

The Ivanti UEM client for iOS supports AppConnect apps, including the following:

  • Periodically does an app check-in with the Ivanti UEM to get management and security-related information and passes the information to the AppConnect app.
  • Enforces the AppConnect passcode and Touch ID / Face ID for accessing AppConnect apps.

The Ivanti UEM clients are, Go for Ivanti Neurons for MDM deployments and Mobile@Work for MobileIron Core deployments

App check-in and Ivanti UEM client

On each app check-in, The Ivanti UEM client gets AppConnect policy updates for all the AppConnect apps that have already run on the device. These updates include changes to:

  • the AppConnect global policy for the device.
  • AppConnect container policies for each of the AppConnect apps that have run on the device.
  • AppConnect app configurations for each of the AppConnect apps that have run on the device.
  • the current authorization status for each of the AppConnect apps that have run on the device.

The Ivanti UEM client does an app check-in in the following situations:

  • The device user launches an AppConnect app for the first time.
    • In this situation, the Ivanti UEM client finds out about the app for the first time, and adds it to the set of AppConnect apps for which it gets updates.
  • The app check-in interval expires while an AppConnect app is running.
  • The app check-in interval expired while no AppConnect apps were running and then the device user launches an AppConnect app.

On iOS devices, when the UEM client does an app check-in, the UEM client comes to the foreground and the AppConnect app goes to the background momentarily. Once the UEM client has completed the app check-in, the AppConnect app returns to the foreground.

Note the following:

  • The Force Device Check-in feature on the Ivanti UEM does not sync the policies and settings related to AppConnect for iOS. The app check-in interval in the AppConnect global policy on MobileIron Core and in the AppConnect Device configuration on Ivanti Neurons for MDM controls these updates. However, in the Ivanti UEM client for iOS on the device, the Check for Updates option does sync the policies and settings related to AppConnect.

  • When control switches to Mobile@Work due to an app check-in, Mobile@Work gets AppConnect policy updates from Core. However, Core indicates in the device details display that the policies are only “sent” or “pending” until the next app check-in. At the next app check-in, Core finds out whether an AppConnect app has applied the policies. If it has, Core indicates the policies are “applied” at that time.

The AppConnect passcode auto-lock time and Ivanti UEM client

The Ivanti UEM client (Go or Mobile@Work) launches to prompt the device user for the AppConnect passcode or Touch ID / Face ID in the following situations:

  • The device user launched or switched to an AppConnect app after the auto-lock time expired. You configure the auto-lock time in the AppConnect global policy.

  • The AppConnect passcode auto-lock time expires while the device is running an AppConnect app.

    If the device user is interacting with the app, the auto-lock time does not expire. This case occurs only when the device user has not touched the device for the duration of the timeout interval.

  • After the device is powered on and the device user first launches an AppConnect app.
  • The device user used Mobile@Work to log out of AppConnect apps, and then launches an AppConnect app.
  • You have changed the complexity rules of the AppConnect passcode, and an app check-in occurs.

In each of these situations, the Ivanti UEM client launches, and presents the device user with a screen for entering his AppConnect passcode or Touch ID / Face ID. After the device user enters the passcode or Touch ID / Face ID, the device user automatically returns to the AppConnect app.

Related topics 

Touch ID or Face ID for accessing secure apps