AppConnect for Android overview

Ivanti supports AppConnect for Android by wrapping Android apps. The following sections provide an overview.

Wrapping modes

Two modes of wrapping are available:

  • Generation 2
  • Generation 1

Generation 2 wrapping is the default mode, and is required for a number of Android features. Generation 1 wrapping should only be used for features not supported by Generation 2. For information about the features supported by Generation 2 and Generation 1 wrapping modes, see "Wrapping support of commonly used app capabilities" in the AppConnect for Android App Developers Guide available on the AppConnect Landing Page.

AppConnect apps are supported only in multiple-app kiosk mode. They are not supported in single-app kiosk mode. Kiosk mode information is in “Android Kiosk Support” in the Core Device Management Guide for Android and Android Enterprise Devices.

The Ivanti client app, the Secure Apps Manager, and the AppConnect wrapper

Two Ivanti apps work together on the Android device to support AppConnect. Together, they provide the security and management of all the AppConnect apps.

These Ivanti apps are:

  • the Ivanti client app for Android ( Go or Mobile@Work)
  • the Secure Apps Manager

Each AppConnect app is wrapped with the AppConnect wrapper, which enforces security along with the Ivanti client app and the Secure Apps Manager. On the device, the apps are called secure apps.

The Secure Apps Manager performs the following tasks to support AppConnect apps on Android devices:

  • manages the data encryption key.
  • handles the AppConnect passcode login for all AppConnect apps.
  • provides a list of all the AppConnect apps on the device.

When a new Secure Apps Manager becomes available, you do not need to re-wrap all your apps. Secure Apps Manager is backward compatible. A wrapped app requires the corresponding or newer version of Secure Apps Manager. For example, an app wrapped with Wrapper 8.5.0.0 requires Secure Apps Manager 8.5.0.0 or later version that supports apps wrapped with Wrapper 8.5.0.0.

Therefore, for MobileIron Core deployments, upgrade devices to the corresponding version of Secure Apps Manager if you upgrade an app on the device to use a new wrapper version.

For the AppConnect app compatibility with the latest version of Secure Apps Manager, see the AppConnect for Android release notes available in the AppConnect Landing Page.

Support for various AppConnect for Android features sometimes require minimum versions of the Ivanti client app, Secure Apps Manager, and the wrapper, as specified in each feature’s description.

Supported Android device processors

AppConnect on Android is supported on devices with:

  • 32-bit ARM processors
  • 64-bit ARM processors

Supported Android operating systems

For Android versions that AppConnect for Android supports, see the AppConnect Secure Apps for Android Release Notes and Upgrade Guide.

For Android versions that Core supports, see the Core Device Management Guide for Android and Android Enterprise Devices guide.

However, some AppConnect for Android features require one of the more recent Android versions. These exceptions are noted in specific feature descriptions.

Samsung Knox container (Knox Workspace) and AppConnect apps

The Samsung Knox container, known as the Knox Workspace, is not supported with AppConnect apps. Specifically:

  • The Samsung Knox container does not support any AppConnect apps running inside the Knox container.
  • Ivanti does not support using both a Knox container and AppConnect container on the same device.

In a feature called AppConnect for Knox, Mobile@Work for Android uses Samsung Knox Platform features to provide an added layer of security. Note that AppConnect for Knox uses only the AppConnect container. The device cannot have the Samsung Knox container. For information about AppConnect for Knox, see “AppConnect for Samsung Knox devices” in the Core Device Management Guide for Android and Android Enterprise Devices

AppConnect for Android component support and compatibility

For the list of Secure Apps Manager versions that Core supports, see the Core and Connector Release Notes.

For the list of Mobile@Work versions supported with a particular Secure Apps Manager version, see the AppConnect for Android Release Nots for the Secure Apps Manager version.

Regarding support of Secure Apps Manager versions with wrapper versions:

  • When you upgrade to a new Secure Apps Manager, you do not need to re-wrap all your apps. A new Secure Apps Manager is supported with apps wrapped with the newest wrapper plus the two most recent older wrappers. That is, Secure Apps Manager is backward compatible.
  • An app wrapped with a newer wrapper requires the corresponding or newer version of Secure Apps Manager. For example, an app wrapped with Wrapper 8.5.0.0 requires Secure Apps Manager 8.5.0.0 or later version that supports apps wrapped with Wrapper 8.5.0.0.
    Therefore, upgrade devices to the corresponding version of Secure Apps Manager if you upgrade an app on the device to use a new wrapper version.

Support for various AppConnect for Android features sometimes require minimum versions of Mobile@Work, Secure Apps Manager, and the wrapper, as specified in each feature’s description.

Data loss prevention for secure apps for Android

Data loss prevention policies for secure apps allow you to secure the sensitive data in AppConnect apps. With data loss prevention policies, you determine whether:

  • device users can take screen captures of protected data.
  • AppConnect apps can access camera photos or gallery images.
  • AppConnect apps can stream media to media players.
  • AppConnect apps have copy/paste restrictions.
  • tapping a web link in an AppConnect app can open the web page in an unsecured browser.
  • tapping a web link in a non-AppConnect app can open the web page in Web@Work.

Document interaction (Open In) is always restricted to all AppConnect apps for Android.

Data encryption for secure apps for Android

App data for AppConnect apps on the device is encrypted. AES-256 encryption (which uses a key size of 256 bits) is used.

The encryption key is not stored on the device. It is programmatically derived. If an AppConnect passcode is required, it is used in the encryption key’s derivation, making the application data secure even on a device that becomes compromised. (When a device is compromised, it is “rooted”, meaning an app has root access).

Special badging for secure apps for Android

An Android device user recognizes that an app is a secure app because its icon is overlaid with a special badge.