AppConnect global policy
The AppConnect global policy applies to all AppConnect apps on devices. These AppConnect apps include:
- third-party and in-house AppConnect apps
- Web@Work
- Docs@Work
- Email+
- other AppConnect apps that Ivanti provides
MobileIron Core applies a default AppConnect global policy automatically to all devices. You can modify the default AppConnect global policy. You can also create custom AppConnect global policies and apply those to specific devices.
IMPORTANT: If you use AppConnect on iOS devices but not on Android devices, apply a separate AppConnect global policy to the Android devices. Do not share one AppConnect global policy across both platforms. In the AppConnect global policy for Android devices, set AppConnect to Disabled.
In the AppConnect global policy, you configure:
- whether AppConnect is enabled for the devices
- AppConnect passcode requirements
- out-of-contact timeouts
- the app check-in interval
- the default end-user message for when an app is not authorized
- whether AppConnect apps with no AppConnect container policy are authorized by default
See AppConnect global policy - default settings for data loss prevention policies
AppConnect passcode requirements
On the AppConnect global policy, you specify whether the device user is required to enter an AppConnect passcode to access the AppConnect apps on the device. For the highest possible security when using AppConnect, Ivanti recommends that each device has both a device passcode and an AppConnect passcode. You can also allow users to use Touch ID or Face ID (iOS) or fingerprint (Android) instead of the AppConnect passcode to access secure apps. For more information about whether to require an AppConnect passcode, see:
- The AppConnect passcode
- Data encryption for secure apps for Android
- Data encryption for secure apps for iOS
- Touch ID or Face ID for accessing secure apps
- Fingerprint login for AppConnect apps for Android
For Android, if users create an AppConnect passcode more than 60 minutes after registering the device, they must first enter their MobileIron Core credentials. After the user creates the AppConnect passcode, the AppConnect container is created.
When you require an AppConnect passcode, you also specify:
- Passcode Type
- Minimum Passcode Length
- Minimum Number of Complex Characters
- Maximum Passcode Age
- Auto-Lock Time
- Passcode history
- Maximum Number of Failed Attempts
- Passcode strength requirements
If the device user fails to enter the AppConnect passcode correctly within the configured number of attempts, the user cannot access AppConnect apps. Specifically:
- On iOS devices, device users must enter their Core credentials and then create a new AppConnect passcode (this requires self-service passcode recovery to be allowed; see the table below).
- On Android devices, you must send an Unlock AppConnect Container command to the device from the Admin Portal. The command removes the secure apps passcode, and the user can then create it again.
For more information, see:
- Self-service AppConnect passcode recovery
- Mechanism to force all device users to change their AppConnect passcodes
Configuring the AppConnect global policy
You configure the AppConnect global policy on MobileIron Core in Policies & Configs > Policies.
Procedure
- In the Admin Portal, select Policies & Configs > Policies.
- Edit the default AppConnect global policy, or select Add New > AppConnect to create a new one.
- Enter the requested information.
- Click Save.
- If you created a new policy, apply the appropriate labels to the AppConnect global policy.
If you are using the default AppConnect global policy, it automatically applies to all devices.
For a description of the fields in the AppConnect global policy, see AppConnect global policy field description.
AppConnect global policy field description
Use the following guidelines to create or edit an AppConnect global policy:
Item | Description | Default value
Name | Required. Enter a descriptive name for this policy. The name identifies the policy throughout the Admin Portal and must be unique within this policy type. TIP: Although the same name may be used for different policy types (for example, Executive), keeping names unique makes log entries clearer. | Default AppConnect Global Policy
Status | Select Active to turn on this policy, or Inactive to turn it off. | Active
Priority | Specifies the priority of this custom policy relative to the other custom policies of the same type. The priority determines which policy is applied when more than one policy is associated with a device. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, select Higher than and Policy B. Because the priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type. For more information about policy priorities, see "Prioritizing policies" in Getting Started with Core. |
Description | Enter an explanation of the purpose of this policy. | Default AppConnect Global Policy
AppConnect | Select Enabled to enable AppConnect on the device, or Disabled to disable it. When you select Enabled, the remaining fields are displayed. | Disabled
AppConnect Passcode:
Passcode Type | Specify the type of passcode: | Alphanumeric
Minimum Passcode Length | Select a number between 1 and 16 to specify the minimum length of the passcode. | 4
Minimum Number of Complex Characters | Select a number between 1 and 10 to specify the minimum number of special characters the passcode must contain, or select "-" to require none. This option applies only when the passcode type is alphanumeric. A special character is any character that is not 0-9, a-z or A-Z; for example, $, \ and ä are special characters. | 1
Maximum Passcode Age | Enter a value between 1 and 730 to specify the number of days the secure apps passcode is valid. The value is updated on a device at the next device check-in. After the passcode age is exceeded (that is, the passcode expires), device users see an alert that the passcode has expired after they authenticate, and they must create a new passcode before they can access secure apps. If you do not want the passcode to expire, leave the field blank (the default). | None
Auto-Lock Time | Select the maximum period of inactivity to allow. After this period of inactivity in AppConnect apps, the device user is locked out of the apps if an AppConnect passcode is required, and must re-enter the AppConnect passcode to access them. | 15 minutes
Passcode history | Select a value from 1 to 12, or "-". This is the number of most recently used secure apps passcodes that device users cannot reuse when changing their passcode. The default, 1, means the only restriction is that users cannot reuse their current passcode. If you do not want a passcode history, select "-"; the user can then reuse any previous passcode, including the current one. Case is ignored when reuse is evaluated, so device users cannot simply change the case of a past passcode: Password and passWord are treated as the same passcode. Passcode history is preserved even after AppConnect is disabled and re-enabled; this requires Mobile@Work 12.11.10 for iOS or Secure Apps Manager 9.2.0 for Android. If you change this field value from none to a value between 1 and 12: | 1
Maximum Number of Failed Attempts | Select a value between 2 and 10, or "--" if you do not want to limit failed attempts. This is the number of failed authentication attempts after which the option selected for Maximum number of failed attempts action is applied. iOS: device users must enter their Core credentials and then create a new AppConnect passcode; after the reset, the Mobile@Work client does not flip back to the AppConnect app. Android: send an Unlock AppConnect Container command to the device from the Admin Portal; the command removes the secure apps passcode, and the user can then create it again. If the maximum is greater than 5, then after the 5th failed attempt the user must wait progressively longer periods before being allowed to re-enter the secure apps passcode. | 10
Maximum number of failed attempts action | Block: block the AppConnect app when the number of failed AppConnect passcode attempts exceeds the configured maximum. Retire: retire the AppConnect app when that maximum is exceeded. Retired AppConnect apps become unauthorized (blocked) and their secure data is deleted (wiped); the app remains functional with only its unsecured data. On Android devices, fingerprint login does not work once the configured maximum of failed attempts has been exceeded. | Block
Passcode is required for iOS devices | Select this field to require iOS device users to enter an AppConnect passcode to use any AppConnect app. | Not selected
Use Touch ID or Face ID when supported | Available only if you selected Passcode is required for iOS devices. Select this field to allow device users to authenticate with Touch ID (fingerprint) or Face ID, where available, to access secure apps. When you select this option, the option When using Touch ID or Face ID, fall back to: appears. Most customers keep its default, Device passcode; AppConnect passcode is less frequently used. | Not selected
When using Touch ID or Face ID, fall back to: | Available only if you selected Use Touch ID or Face ID when supported. Most customers keep the default, Device passcode: the device user gets the convenience of Touch ID or Face ID rather than an AppConnect passcode for accessing secure apps, and if Touch ID or Face ID fails, the user falls back to the device passcode. With the AppConnect passcode option, when the auto-lock time for AppConnect apps expires, the device user uses Touch ID or Face ID to re-access AppConnect apps and falls back to the AppConnect passcode if that fails; the AppConnect passcode is also used in other situations that require AppConnect authentication, such as the first launch of an AppConnect app or after the user logs out of secure apps in Mobile@Work. IMPORTANT: Use the AppConnect passcode option only if you have a compelling reason not to require your users to have a strong device passcode. | Device Passcode
Allow iOS users to recover their passcode | Available only if you selected Passcode is required for iOS devices. Select this option to allow device users to recover their AppConnect passcode themselves. The default is allowed. If you clear this option, no method is available to recover a forgotten AppConnect passcode on iOS devices: the device user must delete and reinstall Mobile@Work and each AppConnect app. | Selected
Lock AppConnect apps automatically when the screen is off (iOS) | Available only if you selected Passcode is required for iOS devices. Select this option to automatically log device users out of AppConnect apps when the device screen is turned off, whether through inactivity or by the user. After the screen is unlocked (whether or not unlocking requires user authentication), the device user must re-enter the AppConnect passcode (or Touch ID/Face ID) to access AppConnect apps. This setting requires minimum versions of the relevant components; previous versions of these components ignore it. | Not selected
Passcode is required for Android devices | Select this field to require Android device users to enter an AppConnect passcode to use any AppConnect app. | Selected
Allow Android users to recover their passcode | Available only if you selected Passcode is required for Android devices. Select this option to allow Android device users to recover their AppConnect passcode themselves. The default is not allowed. | Not selected
Use fingerprint authentication when supported | Available only if you selected Passcode is required for Android devices. Select this option to let the device user authenticate with a fingerprint instead of an AppConnect passcode to access AppConnect apps on Android devices. | Not selected
Lock AppConnect apps automatically when the screen is off (Android) | Available only if you selected Passcode is required for Android devices. Select this option to automatically log device users out of AppConnect apps when the device screen is turned off, whether through inactivity or by the user. After the screen is unlocked (whether or not unlocking requires user authentication), the device user must re-enter the AppConnect passcode (or fingerprint) to access AppConnect apps. This setting requires Secure Apps Manager 8.3.0 or supported newer versions; previous versions of the Secure Apps Manager ignore it. | Not selected
Check for AppConnect passcode strength | Select this option to enforce a required level of AppConnect passcode strength. When you select it, a slider appears. | Not selected
Passcode Strength | Available only if you selected Check for AppConnect passcode strength. Use the slider to select the required AppConnect passcode strength, or enter a value between 0 and 100 in the text field. See AppConnect passcode strength. | 35
End User Terms of Service:
Enable End User Terms of Service | When selected, end users must accept the terms of service before they can access AppConnect apps. However, the terms of service are not presented if either of the following is true: the terms of service are not configured, or the AppConnect passcode is not required. For details about configuring the terms of service, see "Terms of service" in the Core Device Management Guide. This feature requires minimum versions of the relevant components. | Not selected
End User Terms of Service Frequency | Select one of the available frequency options. If the terms of service are updated in the user's language after the user has accepted them, the user is asked to accept them again. | Always
AppConnect Security Controls On Device:
Device Out Of Contact:
Wipe AppConnect Apps After | Specify a value from 1 through 90 days, or leave the field empty if you do not want AppConnect apps wiped when the device is out of contact with MobileIron Core. Once the AppConnect global policy has been applied to the device, the device wipes the AppConnect apps after the specified time without reconnecting to MobileIron Core. | 30 days
Android:
Device Compromised | Android only: select Wipe AppConnect data to retire all secure apps when the device is compromised (rooted). Retired secure apps become unauthorized (blocked) and their data is deleted (wiped). After the device has checked in and received the AppConnect global policy, no further interaction with Core is required: Mobile@Work detects that the device is compromised and retires the secure apps. Select None to take no action when the device is compromised. See Device-initiated security controls for AppConnect for Android. | None
USB Debug Enabled | Android only: select Wipe AppConnect data to retire all secure apps when USB debugging is enabled on the device. Retired secure apps become unauthorized (blocked) and their data is deleted (wiped). After the device has checked in and received the AppConnect global policy, no further interaction with Core is required: Mobile@Work detects that USB debugging is enabled and retires the secure apps. Select None to take no action when USB debugging is enabled. See Device-initiated security controls for AppConnect for Android. | None
Remove AppConnect apps (and apps data) when device is retired | Android only: select this option to remove AppConnect apps and their data when the device is retired. The policy silently removes the apps from Samsung Knox devices and prompts the user to uninstall them on other device types. | None
iOS:
Enable multi-user auto sign-out after X minutes of inactivity | iOS only: select this option to configure automatic sign-out on multi-user iOS devices. Valid values are from 5 to 120 minutes. This feature requires Mobile@Work 11.0 for iOS or supported newer versions. See "Setting automatic sign-out for multi-user devices" in the Core Device Management Guide for iOS and macOS Devices. | Not selected
App Authorization:
App Check-in Interval | iOS only: select the maximum number of minutes until devices running AppConnect apps receive updates to their AppConnect global policy, their AppConnect app configurations and their AppConnect container policies. In some situations these policies and settings are not updated on the device at this interval; however, the Check for Updates option in the Mobile@Work for iOS app on the device does sync the AppConnect-related policies and settings. Android: the app check-in interval does not apply to Android; the AppConnect-related policies and settings are updated on the device when the device checks in. | 60 minutes
Unauthorized Message | Enter the default message that Mobile@Work displays when an app is not authorized on the device. If you do not enter a message, the system provides one. If AppConnect apps are unauthorized (blocked) because of a security policy violation, the out-of-compliance message is displayed instead. | None
Data Loss Prevention Policies:
Apps without an AppConnect container policy | Select Authorize if you want AppConnect apps that have no AppConnect container policy to be authorized by default. If you do not select this option, app authorization is determined by the labels applied to the AppConnect container policy and to the device. Selecting this option makes further options available. | Not selected
iOS:
Copy/Paste To | iOS only: select Allow to let the device user copy content from AppConnect apps to other apps. You can override this option in each app's individual AppConnect container policy. When you select Allow, you then choose between two further options. | Not selected
Print | iOS only: select Allow to let AppConnect apps use print capabilities by default. You can override this option in each app's individual AppConnect container policy. | Not selected
Open In | iOS only: select Allow to let AppConnect apps use the Open In (document interaction) feature by default. You can override this option in each app's AppConnect container policy. When you select Allow, you then choose between two further options. | Not selected
Open From | iOS only: select Allow to let AppConnect apps use the Open From (document interaction) feature by default. You can override this option in each app's AppConnect container policy. When you select Allow, you then choose between two further options. | Not selected (Enabled if Apps without an AppConnect container policy is enabled)
Drag and Drop | iOS only: select Allow to let the device user drag content from AppConnect apps to other apps. You can override this option in each app's individual AppConnect container policy. When you select Allow, you then choose between two further options. | Not selected
Android:
Copy/Paste | Android only: specify one of the available options. | No restrictions
Camera | Android only: select Allow to allow camera access for all AppConnect apps on an Android device. With this setting, an AppConnect app can, for example, use a camera app to take a photo and let the device user save it. See Interaction with the lockdown policy regarding Android camera access. | Not selected
Gallery | Android only: select Allow to let all AppConnect apps on an Android device access images from the gallery. With this setting, an AppConnect app can, for example, let a device user attach images from the gallery to an email. | Not selected
MediaPlayer | Android only: select Allow to let all AppConnect apps stream media of the supported file types to media players. The supported file size depends on the Android Secure Apps version and on the device. | Not selected
Screen capture | Android only: select Allow if you want AppConnect apps to allow screen capture by default. You can override this option in each app's AppConnect container policy. | Not selected
Web | Android only: select Allow to let an unsecured browser attempt to display a web page when a device user taps the page's URL in a secure app. If you do not select Allow, only Web@Work can display the page. | Not selected
Non-AppConnect apps can open URLs in Web@Work | Android only: select Allow to let device users choose to view a web page in Web@Work or another AppConnect-enabled browser when they tap a link (URL) in an app that is not AppConnect-enabled. See DLP allowing links from non-AppConnect apps to open in Web@Work. | Not selected
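The passcode composition rules from the field table above (Passcode Type, Minimum Passcode Length, Minimum Number of Complex Characters, case-insensitive Passcode history and Maximum Passcode Age), implemented as an added Python example. This is not Ivanti or MobileIron code: the PasscodePolicy and PasscodeState names, the "numeric" and "alphanumeric" type values, and the use of epoch seconds for timestamps are assumptions made for the example. The special-character definition and the case-insensitive history comparison are the ones the table states.

```python
"""Validator for AppConnect-style passcode composition rules (added example,
not Ivanti/MobileIron code; names and type values are assumptions)."""
import time
from dataclasses import dataclass, field
from typing import List, Optional


def is_special(ch: str) -> bool:
    """A special character is anything that is not 0-9, a-z or A-Z,
    so '$', '\\' and 'ä' all count (definition taken from the field table)."""
    return not ("0" <= ch <= "9" or "a" <= ch <= "z" or "A" <= ch <= "Z")


@dataclass
class PasscodePolicy:
    passcode_type: str = "alphanumeric"   # assumed values: "numeric" or "alphanumeric"
    min_length: int = 4                   # 1..16; page default 4
    min_complex_chars: Optional[int] = 1  # 1..10, or None for "-" (no requirement)
    history: Optional[int] = 1            # 1..12, or None for "-" (no history)
    max_age_days: Optional[int] = None    # 1..730, or None (blank) = never expires


@dataclass
class PasscodeState:
    used: List[str] = field(default_factory=list)  # every passcode set so far, most recent last
    set_at: Optional[float] = None                 # epoch seconds when the current passcode was set


def validate_new_passcode(policy: PasscodePolicy, state: PasscodeState, candidate: str) -> List[str]:
    """Return the rule violations for a candidate passcode; an empty list means it is acceptable."""
    problems = []

    if policy.passcode_type == "numeric" and not all("0" <= c <= "9" for c in candidate):
        problems.append("numeric passcode type allows digits only")

    if len(candidate) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")

    # The complex-character minimum applies only to alphanumeric passcodes.
    if policy.passcode_type == "alphanumeric" and policy.min_complex_chars:
        found = sum(1 for c in candidate if is_special(c))
        if found < policy.min_complex_chars:
            problems.append(f"needs {policy.min_complex_chars} special character(s), found {found}")

    # History: the N most recently used passcodes (the current one included) may not be
    # reused, and case is ignored, so "Password" and "passWord" are the same passcode.
    if policy.history:
        recent = [p.casefold() for p in state.used[-policy.history:]]
        if candidate.casefold() in recent:
            problems.append(f"matches one of the last {policy.history} passcode(s)")

    return problems


def set_passcode(policy: PasscodePolicy, state: PasscodeState, candidate: str,
                 now: Optional[float] = None) -> bool:
    """Apply the rules; on success record the passcode and when it was set."""
    if validate_new_passcode(policy, state, candidate):
        return False
    state.used.append(candidate)
    state.set_at = time.time() if now is None else now
    return True


def passcode_expired(policy: PasscodePolicy, state: PasscodeState, now: float) -> bool:
    """Maximum Passcode Age: a blank value (None) means the passcode never expires."""
    if policy.max_age_days is None or state.set_at is None:
        return False
    return now - state.set_at >= policy.max_age_days * 86400


if __name__ == "__main__":
    pol, st = PasscodePolicy(), PasscodeState()
    print(validate_new_passcode(pol, st, "abc1"))   # no special character
    set_passcode(pol, st, "Pa$s", now=0.0)
    print(validate_new_passcode(pol, st, "pA$S"))   # blocked by case-insensitive history
```

With the page defaults (alphanumeric, minimum length 4, one special character, history 1) "abc1" fails only the complex-character rule, and once "Pa$s" is set, "pA$S" is rejected as a reuse. Setting history to None lets the same user reuse the current passcode, matching the "-" behaviour the table describes.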
Self-service AppConnect passcode recovery
You can allow self-service AppConnect passcode recovery on both iOS and Android devices. Self-service AppConnect passcode recovery allows device users to recover their AppConnect passcode themselves if they forgot it. Device users first enter their MobileIron Core registration credentials before creating a new AppConnect passcode.
Although allowing self-service AppConnect passcode recovery can decrease support calls for passcode assistance and improve the device user experience, your security requirements can be more important to you. Evaluate your priorities for security and device user experience and make the right choice for your enterprise.
However, self-service AppConnect passcode recovery behaves differently on the two platforms, as summarized in the following table:
Aspect | iOS | Android
Default value in AppConnect global policy | Self-service AppConnect passcode recovery is allowed. | Self-service AppConnect passcode recovery is not allowed.
What happens when self-service recovery is not allowed? | No method is available to recover a forgotten AppConnect passcode; the device user must delete and reinstall Mobile@Work and each AppConnect app. Therefore, if you do not allow self-service AppConnect passcode recovery, consider increasing the number of failed passcode attempts on the AppConnect global policy. | You can send an Unlock AppConnect Container command from the MobileIron Core Admin Portal. The command removes the AppConnect passcode, and the device user then creates a new one.
Touch ID / Face ID impact | You can use Touch ID or Face ID, where the device supports it, regardless of whether you allow self-service AppConnect passcode recovery. Allowing or disabling recovery is not relevant when the device uses Touch ID or Face ID with fallback to the device passcode. | Not applicable.
Fingerprint impact | Not applicable. | You can use fingerprint login, where the device supports it, regardless of whether you allow self-service AppConnect passcode recovery. When the device user creates a new AppConnect passcode, the user must again choose whether to enable fingerprint login.
Maximum number of failed attempts on the AppConnect global policy | If you allow self-service AppConnect passcode recovery, the device user can create a new AppConnect passcode on reaching the maximum number of failed attempts. If you do not allow it, no method is available to recover a forgotten AppConnect passcode, so consider increasing the maximum number of failed passcode attempts. | Even if you allow self-service AppConnect passcode recovery, it is not available once the device user reaches the maximum number of failed attempts: you must send an Unlock AppConnect Container command from the MobileIron Core Admin Portal before the device user can create a new AppConnect passcode and access AppConnect apps. The same command is required when self-service recovery is not allowed.
Passcode history on the AppConnect global policy | When a device user creates a new AppConnect passcode through self-service recovery, the passcode history rule is enforced. | When a device user creates a new AppConnect passcode, whether after an Unlock AppConnect Container command or through self-service recovery, the passcode history rule is enforced.
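The failed-attempt, lockout and recovery rules described in the field table and the recovery table above, modelled as an added Python example. This is not Ivanti or MobileIron code. What it takes from the page: Maximum Number of Failed Attempts (2 to 10, or unlimited), the progressively longer wait after the 5th failure when the maximum is above 5, the Block and Retire actions (Retire also wipes the secure data), iOS self-service recovery only when it is allowed, and the Android Unlock AppConnect Container command being the only way back in once the maximum is reached. The 30-second doubling wait schedule, the LockoutPolicy and Container names, and the epoch-second clock passed into attempt() are assumptions; the page says only that the waits grow progressively longer.

```python
"""Failed-attempt lockout and recovery model for AppConnect-style containers
(added example, not Ivanti/MobileIron code; the wait schedule is assumed)."""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional


@dataclass
class LockoutPolicy:
    platform: str                        # "ios" or "android"
    max_failed: Optional[int] = 10       # 2..10; None = "--" (no limit)
    action: str = "block"                # "block" or "retire"
    self_service_recovery: bool = False  # page defaults: allowed on iOS, not on Android


@dataclass
class Container:
    policy: LockoutPolicy
    passcode: Optional[str]              # None after an Unlock AppConnect Container command
    failed: int = 0
    locked: bool = False
    secure_data_wiped: bool = False
    next_allowed_at: float = 0.0         # epoch seconds before which attempts are refused

    def wait_after(self, failed: int) -> float:
        """Progressive wait applies only when the maximum is above 5, from the 5th failure on."""
        limit = self.policy.max_failed
        if limit is not None and limit > 5 and failed >= 5:
            return 30.0 * 2 ** (failed - 5)   # assumed schedule: 30 s, 60 s, 120 s, ...
        return 0.0

    def attempt(self, entered: str, now: float) -> str:
        """Returns one of: ok, wrong, wait, locked, blocked, retired."""
        if self.locked:
            return "locked"
        if now < self.next_allowed_at:
            return "wait"                    # still inside the progressive delay
        if self.passcode is not None and compare_digest(entered.encode(), self.passcode.encode()):
            self.failed = 0
            self.next_allowed_at = 0.0
            return "ok"
        self.failed += 1
        limit = self.policy.max_failed
        if limit is not None and self.failed >= limit:
            self.locked = True
            if self.policy.action == "retire":
                self.secure_data_wiped = True   # retired apps are blocked and their secure data deleted
                return "retired"
            return "blocked"
        self.next_allowed_at = now + self.wait_after(self.failed)
        return "wrong"

    def recovery_path(self) -> str:
        """How a locked-out user gets back in, per the self-service recovery table."""
        if not self.locked:
            return "not locked"
        if self.policy.platform == "ios":
            if self.policy.self_service_recovery:
                return "self-service: enter Core credentials, then create a new AppConnect passcode"
            return "none: delete and reinstall Mobile@Work and each AppConnect app"
        # Android: self-service is unavailable once the maximum is reached, even if allowed.
        return "admin: send Unlock AppConnect Container from the Admin Portal"

    def self_service_reset(self, core_credentials_ok: bool, new_passcode: str) -> bool:
        """Self-service recovery: Core credentials first, then a new passcode."""
        if not self.policy.self_service_recovery or not core_credentials_ok:
            return False
        if self.policy.platform == "android" and self.locked:
            return False                     # not available at the maximum on Android
        self._reset(new_passcode)
        return True

    def admin_unlock(self) -> bool:
        """Unlock AppConnect Container (Android): removes the passcode; the user creates a new one."""
        if self.policy.platform != "android":
            return False
        self._reset(None)
        return True

    def create_passcode(self, new_passcode: str) -> bool:
        """Only meaningful after admin_unlock() has removed the passcode."""
        if self.passcode is not None or self.locked:
            return False
        self.passcode = new_passcode
        return True

    def _reset(self, new_passcode: Optional[str]) -> None:
        self.passcode = new_passcode
        self.locked = False
        self.failed = 0
        self.next_allowed_at = 0.0
```

The Android walk-through in the test below shows why the recovery table matters operationally: with a maximum of 8 and the Retire action, the 5th wrong entry starts the progressive delay, the 8th wipes the secure data, and from then on only the admin command restores access, even though self-service recovery is switched on.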
AppConnect passcode strength
You can set the desired AppConnect passcode strength to enforce how strong an AppConnect passcode must be. Setting the AppConnect passcode strength prevents device users from using AppConnect passcodes that are weak and therefore easy to guess. However, setting the AppConnect passcode strength too high makes using AppConnect apps inconvenient for the device user because they have to enter a more complicated or longer AppConnect passcode. Therefore, when you choose the AppConnect passcode strength requirement, consider both your security needs and your device user convenience.
Note the following:
- Enabling, disabling, or changing the passcode strength requires the device user to reset the AppConnect passcode.
- The AppConnect passcode strength setting has no impact on the device passcode. Even if the device users are using Touch ID or Face ID with fallback to device passcode to access AppConnect apps, the device passcode is not impacted by the AppConnect passcode strength.
- On iOS devices running Mobile@Work versions earlier than 9.7.0, the AppConnect Passcode Type on the AppConnect global policy must be either Alphanumeric or Don't Specify; passcode strength is not supported on those devices when the passcode type is Numeric. On Android devices, passcode strength is supported with all AppConnect passcode types.
To set the AppConnect passcode strength, choose a value between 0 and 100 as follows:
Strength value | Description
0 - 20 | Weak: risky passcode.
21 - 40 | Fair: protection from throttled online attacks. A throttled online attack is a passcode-guessing attack that runs on the device and is rate-limited, that is, restricted to some number of attempts per time period.
41 - 60 | Good: protection from unthrottled online attacks. An unthrottled online attack is a passcode-guessing attack that runs on the device and is not rate-limited.
61 - 80 | Strong: moderate protection from the offline slow-hash scenario. In the offline slow-hash scenario, a sophisticated guessing algorithm runs offline, away from the device, after passcode-related files have been copied from it.
81 - 100 | Very strong: strong protection from the offline slow-hash scenario.
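To make the three attack classes in the strength table concrete, here is an added Python example that estimates a passcode's guess space from its character classes and asks which attacker could not expect to finish within a budget. It is not Ivanti or MobileIron code and does not reproduce the product's 0-100 score, which this page does not publish; the attacker guess rates, the one-year and ten-year budgets, and the 33-character "other" class are assumptions made for the example, and a character-class model deliberately ignores dictionary words.

```python
"""Guess-space estimate mapped to throttled/unthrottled/offline attacker classes
(added example, not Ivanti/MobileIron code; rates and budgets are assumed)."""
import math

ONE_YEAR = 365 * 24 * 3600.0

# Assumed attacker capabilities, in guesses per second.
GUESS_RATES = {
    "throttled online": 10 / 3600.0,  # on the device, rate-limited to ~10 guesses per hour
    "unthrottled online": 100.0,      # on the device, no rate limiting
    "offline slow hash": 1e4,         # passcode-related files copied off the device, slow KDF
}


def charset_size(passcode: str) -> int:
    """Sum of the character classes the passcode actually uses (assumed model)."""
    size = 0
    if any("0" <= c <= "9" for c in passcode):
        size += 10
    if any("a" <= c <= "z" for c in passcode):
        size += 26
    if any("A" <= c <= "Z" for c in passcode):
        size += 26
    if any(not ("0" <= c <= "9" or "a" <= c <= "z" or "A" <= c <= "Z") for c in passcode):
        size += 33   # assumed: ASCII punctuation plus space; non-ASCII letters such as ä land here too
    return size


def guess_space_bits(passcode: str) -> float:
    return len(passcode) * math.log2(charset_size(passcode)) if passcode else 0.0


def expected_guesses(passcode: str) -> float:
    """An attacker enumerating the space finds the passcode halfway through on average."""
    return 2 ** (guess_space_bits(passcode) - 1) if passcode else 0.0


def resists(passcode: str, budget_seconds: float = ONE_YEAR) -> dict:
    """For each attacker class: True if the expected search takes longer than the budget."""
    guesses = expected_guesses(passcode)
    return {name: guesses / rate > budget_seconds for name, rate in GUESS_RATES.items()}


def strength_band(passcode: str) -> str:
    """Map attacker resistance to the band names used in the strength table."""
    if resists(passcode, 10 * ONE_YEAR)["offline slow hash"]:
        return "Very strong"
    r = resists(passcode)
    if r["offline slow hash"]:
        return "Strong"
    if r["unthrottled online"]:
        return "Good"
    if r["throttled online"]:
        return "Fair"
    return "Weak"


if __name__ == "__main__":
    for p in ("1234", "123456", "q8xk2m7", "q8xk2m7z", "k7#Qz9Lm"):
        print(f"{p:10} {guess_space_bits(p):5.1f} bits  {strength_band(p)}")
```

Under these assumptions a 4-digit PIN survives no attacker, a 6-digit PIN is safe only while the device throttles guesses, and seven or eight lowercase-plus-digit characters already separate "Good" (on-device guessing) from "Strong" (offline guessing). The useful lesson is the one the table implies: the moment key material can be copied off the device, only the passcode's own entropy and the slowness of the key derivation stand between the attacker and the container.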
Mechanism to force all device users to change their AppConnect passcodes
Device users are prompted to change their AppConnect passcodes when you change any of the following settings on the AppConnect global policy:
- AppConnect passcode type
- AppConnect passcode length
- AppConnect passcode strength settings
Device users must change their AppConnect passcodes regardless of whether their current passcode already meets the new requirements.
With this mechanism, you have a way to force all devices users to change their AppConnect passcode. This capability is useful if, for example:
- Your security requirements change, and you want to require a more complex passcode, such as a longer passcode.
- You are concerned that some users’ AppConnect passcodes have been compromised, but you do not know exactly which users.
Interaction with the lockdown policy regarding Android camera access
The lockdown policy for the device has an option to enable or disable the camera. The lockdown policy applies to all apps on the device, not just AppConnect apps. The interactions between the lockdown policy and the AppConnect global policy are:
- If the lockdown policy prohibits camera use, AppConnect apps cannot use the camera. Camera use is prohibited even if you allow camera access on the AppConnect global policy.
- If the lockdown policy allows camera use, AppConnect apps can access photos from the camera only if you allow camera access on the AppConnect global policy.
The following table summarizes this interaction of the lockdown policy and the AppConnect global policy:
 | AppConnect global policy: Camera access allowed | AppConnect global policy: Camera access prohibited
Lockdown policy: Camera enabled | AppConnect apps can use the camera. | AppConnect apps cannot use the camera.
Lockdown policy: Camera disabled | AppConnect apps cannot use the camera. | AppConnect apps cannot use the camera.