Web-related DLP policies

The following describes the web-related DLP policies:

Web DLP policy for browser launching

You configure the Web DLP policy for browser launching in the AppConnect global policy. This Web DLP policy specifies whether an unsecured browser can attempt to display a web page when a device user taps the page’s URL in a secure app.

For example, consider a device user who is viewing an email in a secure email app, and the email body contains a URL. The user taps on the URL to view the web page in a browser. The following table describes the behavior for opening browsers from secure apps:

Table 1. Web DLP policy behavior with and without Web@Work


Web@Work installed

Web@Work not installed

Web DLP policy: allowed

The user is prompted to choose between Web@Work and available unsecured browsers to attempt to display the web page.

Unsecured browser attempts to display the web page.

Web DLP policy: not allowed

Web@Work displays the web page.

Web page does not display. An error message is displayed that indicates that a secure browser is required but not installed.

NOTE: If the URL points to a server behind the enterprise’s firewall, an unsecured browser’s attempt to display the web page fails.

DLP allowing links from non-AppConnect apps to open in Web@Work

AppConnect supports a data loss prevention policy (DLP) that determines whether device users can choose to view a web page in Web@Work when they tap a link (URL) in an app that is not AppConnect-enabled. You specify whether to give device users that choice:

  • For MobileIron Core deploymenments, on the AppConnect global policy in the data loss prevention policies section for Android.
  • For MobileIron Cloud deployments, on the AppConnect Device configuration for Android.
NOTE: This DLP also determines whether device users can choose AppConnect-enabled browsers besides Web@Work.

Allowing links from non-AppConnect apps to open in Web@Work benefits device users who use:

  • Apps that are not AppConnect-enabled, especially email apps.
  • Web@Work for viewing enterprise web pages.

Without this feature, links to enterprise web pages in email apps that are not AppConnect-enabled do not give Web@Work as a choice for viewing the web page. To view the web page, device users have to copy the link’s URL from the email into Web@Work. Now, if you allow it, the user can tap on the link and choose to view the resulting web page in Web@Work, which results in a simpler user experience.

Web DLP versus Non-AppConnect apps can open URLs in Web@Work DLP

The AppConnect global policy has two similar sounding data loss prevention policies for Android devices:

  • Web
  • Non-AppConnect apps can open URLs in Web@Work

The following table compares them:

Table 2. Web DLP versus non-AppConnect apps can open URLs in Web@Work DLP

If you allow Web...

You can tap on a link in an AppConnect-enabled app...

and open the web page in an unsecured browser.

Therefore, this option is about data leaving the AppConnect container.

If you allow
Non-AppConnect apps can open URLs in Web@Work....

You can tap on a link in an app that is not AppConnect-enabled....

and open the web page in Web@Work.

Therefore, this option is about data coming into the AppConnect container.

You can allow or not allow these two options in any combination.