Open-In data loss prevention policy details
- Open In behavior in wrapped apps versus SDK apps
- iOS native email use and the Open In DLP policy
- AirDrop use and the Open In DLP policy
- App extension use and the Open In DLP policy
- Whitelisting services integrated into iOS in the Open In DLP policy
- Overriding the Open In policy for an app
Open In behavior in wrapped apps versus SDK apps
You select an app’s Open In data loss prevention policy:
- MobileIron Core: on the AppConnect global policy or the AppConnect container policy.
When Open In is allowed, an AppConnect app’s Open In behavior is the same as the behavior of a regular, non-AppConnect app. However, if Open In is not allowed to some or all apps, the AppConnect app’s behavior depends on the following:
- whether the AppConnect app requesting Open In is a wrapped app or an SDK app
- the iOS version on which a wrapped app is running
- the AppConnect for iOS SDK version of an SDK app
|
Open In Not allowed |
Open In is allowed only to AppConnect apps or Open In only to apps on whitelist |
||||||||||||
Wrapped apps |
||||||||||||||
Wrapped apps running on iOS versions prior to iOS 11 |
Open In policy enforced by: AppConnect wrapper in the app. What if the app initiates Open In? |
Open In policy enforced by: What if the app initiates Open In? |
||||||||||||
Wrapped apps running iOS 11 through the most recently released version as supported by MobileIron |
Open In policy enforced by: AppConnect wrapper in the app. What if the app initiates Open In? |
Open In policy enforced by: What if the app initiates Open In? |
||||||||||||
SDK apps |
||||||||||||||
Apps built with AppConnect 3.0 for iOS and earlier |
Open In policy enforced by: The app.
|
Open In policy enforced by: |
||||||||||||
Apps built with AppConnect 3.1 through 3.1.3 for iOS |
Open In policy enforced by: The AppConnect library, contained in the AppConnect app. App is responsible for: What if the app initiates Open In anyway? |
Open In policy enforced by: The AppConnect library, contained in the AppConnect app. App is responsible for: What happens when the app initiates Open In? |
||||||||||||
Apps built with AppConnect 3.5 for iOS through the most recently released version as supported by MobileIron |
Open In policy enforced by: The AppConnect library, contained in the AppConnect app. App is responsible for: What if the app initiates Open In anyway?
|
Open In policy enforced by: The AppConnect library, contained in the AppConnect app. App is responsible for: What happens when the app initiates Open In?
Special case for iOS native email app: |
iOS native email use and the Open In DLP policy
Apps have various ways to launch the iOS native email app, including:
- using the iOS Open In menu in which the native email app is an option
- specifically launching the iOS native email app
- displaying a standard native email interface inside the app
- requesting to launch any app that handles email
The first way, using the iOS Open In menu, is part of the handling described in Open In behavior in wrapped apps versus SDK apps.
The other ways of invoking the iOS native email app are also impacted by the Open In Data Loss Prevention (DLP) policy. The impact depends on whether the AppConnect app uses:
- Open In and native email with an AppConnect version prior to AppConnect 4.0 for iOS
- Open In and native email with AppConnect 4.0 for iOS through most recently released version
If you want to include iOS native email in the Open In whitelist, seePutting iOS native email into the Open In Whitelist .
Open In and native email with an AppConnect version prior to AppConnect 4.0 for iOS
For apps using AppConnect versions prior to AppConnect 4.0 for iOS, the Open In DLP policy does not impact launching the iOS native email app from an AppConnect app. That is, launching the iOS native email app is always allowed. However, one exception exists to this rule. Launching the native email app is not allowed when:
- the Open In policy specifies a whitelist, and
- the iOS native email app is not in the whitelist
Therefore, even when you set the Open In policy to, for example, not allowed, launching the iOS native email app is allowed when the device user taps the app to:
- specifically launch the iOS native email app
- display a standard native email interface inside the app
- launch any app that handles email
Open In and native email with AppConnect 4.0 for iOS through most recently released version
For apps using AppConnect 4.0 for iOS through the most recently released version as supported by MobileIron, the Open In DLP policy impacts launching the iOS native email app from an AppConnect app. If Open In is allowed for all apps, then iOS native email can be launched. However, the behavior for the other Open In policy settings is described in the following table:
Device user action |
Open In Not Allowed |
Open In is allowed only to AppConnect apps |
Open In is allowed only to whitelisted apps, and iOS native email is NOT in the whitelist |
Open In is allowed only to whitelisted apps, and iOS native email is in the whitelist |
Taps to specifically launch the iOS native email app |
iOS native email is not launched. |
iOS native email is not launched. |
iOS native email is not launched. |
iOS native email is launched. |
Taps to display a standard native email interface inside the app |
iOS native email is not launched. |
iOS native email is not launched.
|
iOS native email is not launched. |
iOS native email is launched. |
Taps to launch any app that handles email |
iOS native email is not launched. |
iOS native email is not launched. Email+ for iOS is launched if it is installed on the device. |
iOS native email is not launched. Email+ for iOS is launched if it is installed on the device. |
iOS native email is launched. |
For apps built or wrapped with AppConnect 4.1 through the most recently released version supported by MobileIron, you can override the behavior for the scenario when the user taps to launch any app that handles email. Specifically, if the Open In policy blocks launching the iOS native email app in this scenario, you can allow iOS native email to launch. To allow iOS native email to launch, add the key MI_AC_DISABLE_SCHEME_BLOCKING with the value true to the app’s AppConnect app configuration.
AppConnect apps can also override the Open In policy for this scenario, allowing the iOS native email app to launch. Contact the application vendor or developer to find out if the app overrides the policy.
Putting iOS native email into the Open In Whitelist
To put the native iOS mail app is in the whitelist, put both of these bundle IDs in the whitelist:
- com.apple.UIKit.activity.Mail
- com.apple.mobilemail
However, include iOS native email in a whitelist for an AppConnect app only if you understand the potential impact of leaking secure data.
AirDrop use and the Open In DLP policy
The Open In DLP policy impacts the use of AirDrop as follows:
- A wrapped AppConnect app’s use of AirDrop is behaves according to the Open In DLP policy.
- An AppConnect app built with the AppConnect 3.1 for iOS SDK through the most recently supported version behaves according to the Open In policy.
- An AppConnect app built with AppConnect 3.0 for iOS SDK or earlier is not impacted by the Open In policy. Regardless of how you set the policy, AirDrop is allowed.
App extension use and the Open In DLP policy
For apps using AppConnect 4.0 for iOS through the most recently released version as supported by MobileIron, the Open in data loss protection policy includes restricting access to the iOS extensions that apps provide. Specifically:
Open In DLP for host app (the app using the extension) |
Extension behavior |
All apps allowed |
The host app can use any app’s extension for Open In. |
Only AppConnect apps allowed |
The host app can use only extensions provided by AppConnect apps for Open In. |
Whitelist |
The host app can use only extensions of apps in the whitelist for Open In. |
Whitelisting services integrated into iOS in the Open In DLP policy
When you whitelist apps for the Open In DLP setting, you provide the bundle ID of each whitelisted app in the AppConnect global policy or AppConnect container policy. Although the bundle ID of apps in the Apple App Store or your own in-house apps are readily available, the bundle IDs for services integrated into iOS are not well known.
The following list gives the bundle IDs of some common services integrated into iOS. However, include them in a whitelist for an AppConnect app only if you understand the potential impact of leaking secure data.
- com.apple.UIKit.activity.PostToFacebook
- com.apple.UIKit.activity.PostToTwitter
- com.apple.UIKit.activity.PostToWeibo
- com.apple.UIKit.activity.AssignToContact
- com.apple.UIKit.activity.AddToReadingList
- com.apple.UIKit.activity.Quicklook
- com.apple.UIKit.activity.Message
Overriding the Open In policy for an app
In the AppConnect global policy, you can specify that you want to authorize AppConnect apps that do not have an AppConnect container policy. When an app does not have an AppConnect container policy, the data loss prevention (DLP) settings in the AppConnect global policy, including the Open In setting are applied to the app.
If you do not want the app to have the same Open In setting as the AppConnect global policy, you have two choices to override the setting:
- Create an AppConnect container policy for the app and label it appropriately. In it, specify the Open In and other DLP settings that you want for the app. These DLP settings override the settings in the AppConnect global policy.
- Create or modify an AppConnect app configuration for the app, and add this key-value pair to its App-specific Configurations section:
Key: MI_AC_DISABLE_OPEN_IN_ENFORCEMENT
Value: YES
This key-value pair disables Open In enforcement in the AppConnect library of an AppConnect app, which means that Open In is allowed to all apps.
In both cases, make sure you understand the potential impact of leaking secure data. This leak can happen:
- directly by an app for which you have configured one of the override choices.
- indirectly by an app that shares a document with an app for which you have configured one of the override choices.
For the indirect case, consider this scenario:
- The AppConnect global policy authorizes AppConnect apps that do not have an AppConnect container policy.
- The AppConnect global policy specifies Open In only to AppConnect apps.
- AppConnect App 1 and AppConnect App 2 do not have AppConnect container policies.
- You add the key MI_AC_DISABLE_OPEN_IN_ENFORCEMENT with the value YES to the AppConnect app configuration of App 2.
In this case, App 1 can share a document with App 2, and App 2 can share the document with non-AppConnect apps. Therefore, App 1 can indirectly share secure data with unsecured apps.