Configuring MAM-only iOS devices

Configuring MAM-only iOS devices requires the following steps:

  1. Disabling the MDM profile
  2. Configuring the security policy for MAM-only iOS devices
  3. Configuring the privacy policy for MAM-only iOS devices
  4. Configuring the sync policy for MAM-only iOS devices
  5. Configuring the lockdown policy for MAM-only iOS devices
  6. Configuring the Apps@Work web clip for MAM-only iOS devices
  7. Populating the iOS App Catalog for MAM-only iOS devices
  8. Publishing iOS apps to Apps@Work on MAM-only iOS devices
  9. Configuring AppConnect and AppTunnel for MAM-only iOS devices

IMPORTANT - Before configuring Ivanti EPMM for MAM-only iOS devices, make sure no iOS devices are registered.

Disabling the MDM profile

Disabling the MDM profile for all iOS devices is necessary for configuring Ivanti EPMM to support only MAM-only iOS devices.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Settings > System Settings > iOS > MDM.
  2. Make sure Enable MDM profile is not selected.
  3. Click Save.

Configuring the security policy for MAM-only iOS devices

Only a few fields on the security policy apply to MAM-only iOS devices. This procedure explains how to configure the default security policy. However, the same considerations apply to any security policy that you label for iOS devices or a subset of iOS devices.

If you are applying the default security policy or a custom security policy to both MAM-only iOS devices and non-iOS devices, set the appropriate fields for non-iOS devices according to your requirements.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
  2. Select the default security policy.
  3. Click Edit. The Modify Security Policy dialog box opens.
  4. The Password section does not apply to MAM-only iOS devices.
  5. The Data Encryption section does not apply to MAM-only iOS devices.
  6. The Android, Android enterprise, Windows 8.1, and Windows 10 sections do not apply to MAM-only iOS devices.
  7. In the Access Control section, in For All Platforms, select the compliance action, if any, that you require for the security violation when a device has not connected to Ivanti EPMM in X days. This security violation is the only one in this section supported for MAM-only iOS devices.
  8. In the Access Control section, in For iOS devices, select the compliance action, if any, that you require for these security violations, which are the only ones in this section supported for MAM-only iOS devices:

    • when iOS version is less than
    • when a compromised iOS device is detected
    • for the following disallowed devices
  9. Click Save > OK.

Configuring the privacy policy for MAM-only iOS devices

Only a few fields on the privacy policy apply to MAM-only iOS devices. This procedure explains how to configure the default privacy policy. However, the same considerations apply to any privacy policy that you label for iOS devices or a subset of iOS devices.

If you are applying the default privacy policy or a custom privacy policy to both MAM-only iOS devices and non-iOS devices, set the appropriate fields for non-iOS devices according to your requirements.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
  2. Select the default privacy policy.
  3. Click Edit. The Modify Privacy Policy dialog box opens.
  4. Set Apps to the appropriate value for non-iOS devices that this privacy policy applies to.

    This field has no impact on MAM-only iOS devices. It applies to iOS devices only if they are MDM enabled.

  5. Set SMS Log and Call Log to the appropriate value for Android devices that this privacy policy applies to.

    These fields apply only to Android devices.

  6. Set iOS Location-Based Wakeups to Disabled.

    Set this field to Disabled because you should not track the location of MAM-only devices.

  7. Set Location to None.

    Set this field to None because you should not track the location of MAM-only devices.

  8. Set Collect Roaming Status to the appropriate value for Android devices that this privacy policy applies to.

    This field applies only to Android devices.

  9. Clear Enable Configuration Profiles if you do not want Ivanti EPMM to send non-AppConnect-related configurations and certificates to MAM-only iOS devices, including the Apps@Work web clip and certificate.

    Clearing this setting impacts only Ivanti Mobile@Work 10.0 or newer versions. Prior versions of Ivanti Mobile@Work receive the configurations and certificates regardless of this setting.

  10. Set iOS Installed App Inventory to All Apps.

    However, this field has no impact on MAM-only iOS devices. It applies to iOS devices only if they are MDM enabled.

  11. The Windows 10 Inventory and Android Warning Banner on the Device Reboot sections do not apply to MAM-only iOS devices.
  12. Click Save > OK.

Configuring the sync policy for MAM-only iOS devices

No sync policy fields apply to MAM-only iOS devices. If your Ivanti EPMM deployment includes only MAM-only iOS devices, you can skip this step. However, if your deployment includes other device platforms, configure the sync policy to meet your requirements for the other platforms.

  • “Sync policies” in Getting Started with Ivanti EPMM

Configuring the lockdown policy for MAM-only iOS devices

The lockdown policy does not apply to iOS devices. If your Ivanti EPMM deployment includes only MAM-only iOS devices, you can ignore the lockdown policy. However, if your deployment includes other device platforms, configure the lockdown policy to meet your requirements.

  • “Lockdown policies” in Getting Started with Ivanti EPMM

Configuring the Apps@Work web clip for MAM-only iOS devices

Configuring the Apps@Work web clip is necessary to support MAM-only iOS devices. For configuration information, see Setting up Apps@Work for iOS and macOS.

The AppConnect container app is not supported on MAM-only iOS devices.

Populating the iOS App Catalog for MAM-only iOS devices

Populating the App Catalog on Ivanti EPMM with iOS apps is necessary to support MAM-only iOS devices. This task is the same as when iOS devices support MDM. However, the following features, available when adding or editing an app in the App Catalog, are not supported:

  • Per App VPN settings
  • Managed app settings
  • Managed app configuration settings
  • Requiring data protection

For configuration information, see Populating the iOS and macOS App Catalogs.

Publishing iOS apps to Apps@Work on MAM-only iOS devices

Making iOS apps available to device users in Apps@Work on MAM-only iOS devices is the same as it is with iOS devices that support MDM.

For configuration information, see Publishing iOS and macOS apps to Apps@Work.

Configuring AppConnect and AppTunnel for MAM-only iOS devices

Configuring AppConnect for MAM-only iOS devices is the same as configuring AppConnect for iOS. Configuring AppTunnel with HTTP/S tunneling is also the same. For information on configuring AppConnect for iOS, see “Configuration overview” in the AppConnect Guide for EPMM.

When configuring AppConnect for MAM-only iOS devices, consider the following:

  • The app check-in interval on the AppConnect global policy determines when AppConnect apps receive updates of their AppConnect global policy, their AppConnect app configuration, and their AppConnect container policy. Because the sync interval on the sync policy has no impact on MAM-only iOS devices, the app check-in interval determines when Ivanti Mobile@Work does a device check-in with Ivanti EPMM.
  • If you configure Touch ID to access AppConnect apps, use Touch ID with fallback to AppConnect passcode. Touch ID with fallback to device code is not meaningful for MAM-only iOS devices, because you cannot enforce a strong device passcode on the security policy.