AppConnect for iOS overview

MobileIron AppConnect secures and manages enterprise apps on mobile devices. These secure enterprise apps are called AppConnect apps or secure apps.

You can create an AppConnect app for iOS the following ways:

  • Wrapping the app

    The MobileIron AppConnect wrapping technology creates a secure app without any further app development. You can wrap Cordova (or PhoneGap) apps.

    See the AppConnect for iOS App Wrapping Developers Guide

  • Using the AppConnect for iOS Cordova Plugin (also called the AppConnect Cordova Plugin)

    A Cordova (or PhoneGap) app developer uses the plugin to create a secure Cordova app, or turn an existing Cordova app into a secure app.

    The AppConnect Cordova Plugin is described in this document.

  • Using the AppConnect for iOS SDK (software development kit)

    An app developer uses the SDK to create a secure app, or turn an existing app into a secure app. The AppConnect for iOS SDK is for iOS native development.

    See the AppConnect for iOS SDK Developers Guide.

  • Using the AppConnect for iOS Xamarin C# binding

    An app developer using the Xamarin development platform can use C# APIs to create a secure app, or turn an existing app into a secure app.

    See the AppConnect for iOS SDK Developers Guide

IMPORTANT: Before using the AppConnect Cordova Plugin, determine whether wrapping the app meets your needs. See Choosing Wrapping or SDK Development to Create AppConnect for iOS Apps.

Note The Following:  

  • If your AppConnect app is to be distributed from the Apple App Store, due to Apple App Store requirements, your app is required to work as a regular app in addition to working as an AppConnect app.

    See Developing third-party dual-mode apps.

  • If your app uses an older version of the AppConnect Cordova Plugin, MobileIron recommends that you always rebuild your app with the current version of the plugin. Using the current version ensures the app contains all new features, improvements, and resolved issues.

  • An Apple Developer Enterprise Program account is required to distribute in-house apps. See Apple Developer Enterprise Program.

Where to get the AppConnect for iOS Cordova Plugin

Get the latest AppConnect for iOS Cordova Plugin at https://help.mobileiron.com/s/software.

AppConnect for iOS documentation is available at MobileIron AppConnect for iOS Product Documentation.

Legal notices are also available on https://support.mobileiron.com/copyrights/ACe.

Secure app features

Secure enterprise apps that are built using the AppConnect Cordova Plugin can:

  • Receive app-specific configuration information from the MobileIron server.

    This capability means that device users do not have to manually enter configuration details that the app requires. By automating this process for the device users, each user has a better experience when installing and setting up apps. Also, the enterprise has fewer support calls, and the app is secured from misuse due to configuration. This feature is also useful for apps which do not want to allow the device users to provide certain configuration settings for security reasons.

  • Tunnel network connections to servers behind an enterprise’s firewall.

    This capability means that device users do not have to separately set up VPN access on their devices to use the app.

  • Authenticate an app user to an enterprise service.

    This capability means that AppConnect app users do not have to enter login credentials to access enterprise resources.

  • Handle data loss prevention.

    The MobileIron server administrator decides whether an app can copy content to the iOS pasteboard, use the document interaction feature (Open In and Open From), use drag and drop, or print. The app uses this information to limit its functionality to prevent data loss through these features. The AppConnect library enforces the pasteboard, Open In, Open From, and drag and drop policies. The app enforces the print policy.

  • Control custom keyboard use by your app.

    The MobileIron server administrator can choose whether an app can use custom keyboards, and the AppConnect library enforces the choice.. If the administrator does not configure this choice, your app can choose to reject custom keyboard use.

  • Blur the app’s screens when the app is not in the foreground.

    By default, the AppConnect library enforces this behavior, which can be overridden by the MobileIron server administrator.

AppConnect for iOS Cordova Plugin advantages

With the AppConnect for iOS Cordova Plugin:

  • You can focus on application logic.

    The plugin handles low-level, complex work such as authentication to access AppConnect apps, certificate authentication to enterprise resources, tunneling, AppConnect passcode handling, data encryption, and getting app-specific settings and configuration from the MobileIron server.

  • You use a set of simple APIs to develop a secure enterprise app.

    The app does not have to interact directly with web service interfaces to get the information it needs to behave as a secure enterprise app. Using the APIs, the app gets notified of any changes that the administrator makes on the MobileIron server to controls and configuration.

  • You can create one app, with one code base, that can behave as a secure app or a regular app. This behavior is required for secure apps that are distributed from the Apple App Store.

    For more information, see Developing third-party dual-mode apps.

64-bit and 32-bit app support

Using the AppConnect for iOS Cordova Plugin, you can build an app as a 64-bit app or as a 32-bit app.

MobileIron AppConnect components

The following table describes the MobileIron components that work with he apps that you build with the AppConnect for iOS Cordova Plugin.

Table 1. MobileIron components that work with iOS Cordova Plugin

MobileIron component

Description

MobileIron Core

The MobileIron on-premise server which provides security and management for an enterprise’s devices, and for the apps and data on those devices. An administrator configures the security and management features using a web portal.

MobileIron Connected Cloud

MobileIron’s cloud offering that has the same functionality as MobileIron Core.

MobileIron Cloud

MobileIron’s cloud offering that provides similar functionality as MobileIron Core. However, it does not support all the AppConnect features that MobileIron Core supports.

Standalone Sentry

The MobileIron server which provides secure network traffic tunneling from your app to enterprise servers.

The Mobile@Work for iOS app

A MobileIron app that runs on an iOS device. It interacts with MobileIron Core or Connected Cloud to get current security and management information for the device. It interacts with the AppConnect library to communicate necessary information to your app.

The MobileIron Go app

A MobileIron app that runs on an iOS device. It interacts with MobileIron Cloud to get current security and management information for the device. It interacts with the AppConnect library to communicate necessary information to your app.

The MobileIron AppStation app

A MobileIron client app that runs on an iOS device. It interacts with MobileIron Cloud. It can be used on the device instead of MobileIron Go when the MobileIron Cloud tenant supports Mobile Apps Management (MAM) but not Mobile Device Management (MDM). It interacts with the AppConnect library to communicate necessary information to your app.

The AppConnect library

The MobileIron library that your app uses to get AppConnect information. The AppConnect library is part of the AppConnect framework that your app includes.

Note The Following:  

  • MobileIron Core, MobileIron Connected Cloud, and MobileIron Cloud are each also referred to as a MobileIron server.
  • Mobile@Work, MobileIron Go, and MobileIron AppStation are each also referred to as a MobileIron client app.
IMPORTANT: Some AppConnect features depend on the version of MobileIron Core, MobileIron Cloud, Standalone Sentry, and the MobileIron client app.

Using a secure app

A device user can use a secure enterprise app only if:

  • The device user has been authenticated through the MobileIron server.

    The user must use the MobileIron client app to register the device with the MobileIron server. Registration authenticates the device user.

  • The MobileIron server administrator has authorized the device user to use the app.

  • The device user has entered a secure apps passcode or Touch ID/Face ID.

    The MobileIron server administrator configures whether a secure apps passcode, also called the AppConnect passcode, is required, and configures its complexity rules. The administrator also configures whether using Touch ID/Face ID, if available on the device, is allowed instead of the AppConnect passcode.

The AppConnect passcode is not the same as the passcode used to unlock the device.

App responsibilities

Your app is responsible for:

  • enforcing the authorization settings
  • handling the data loss prevention settings
  • using the app-specific configuration

The MobileIron client app and AppConnect library responsibilities

The MobileIron client app app and the AppConnect library are responsible for:

  • authenticating the user to the MobileIron server
  • authenticating to enterprise services using certificates
  • tunneling network connections
  • AppConnect passcode and Touch ID/Face ID handling
  • protecting AppConnect-related data, such as configurations and certificates

Cordova Plugin variants

Due to Apple deprecating the UIWebView class, the AppConnect for iOS SDK is available in two variants: one with UIWebView and WKWebView support, and another another with WKWebView support, but no UIWebView support. The AppConnect SDK without UIWebView support is provided for apps that will be submitted to the App Store. The Cordova plugin included with each variant of the SDK provides the same support as the SDK variant.

AppConnect Cordova Plugin contents

The AppConnect Cordova Plugin is available in the AppConnect for iOS SDK ZIP file. The ZIP file is called AppConnectiOSSDK_V<version>_<build>.zip, where:

  • <version> is the version number of the SDK.
  • <build> is the build number of the SDK.

The AppConnect for iOS ZIP file contains a plugins/cordova folder which contains:

  • AppConnectCordovaPlugin_V<version number_xxx>.zip

    This ZIP file contains all the plugin files, which include:

Table 2. Cordova plugin contents

Contents

Description

src/ios folder

Contains the AppConnect library files. The AppConnect library provides your app management and security capabilities. The AppConnect library facilitates communication between your app and the MobileIron client app, which communicates with the MobileIron server.

www folder

Contains AppConnectCordova.js. This file contains the JavaScript interfaces that your app uses to interact with the AppConnect library.

plugin.xml

Defines the AppConnect Cordova Plugin.

Notices.pdf

Contains license information
  • A Documentation folder containing this document.
    Check for updates to this document as described in Where to get the AppConnect for iOS Cordova Plugin.
  • install_ac_cordova_plugin.sh, which is the script you use to install the AppConnect Cordova Plugin.
  • A Samples folder containing the TestAppConnect example
    This sample Cordova app demonstrates how an app uses the AppConnect Cordova Plugin. It displays its authorization status, its app configuration, and its data loss prevention policies. Note that it only displays the data loss prevention policies and authorization status, but does not enforce them.

Another plugins/cordova folder is available in the SDK_without_UIWebView folder, which contains the SDK variant that does not support UIWebView.

AppConnect for iOS architecture

You app, using the AppConnect Cordova Plugin, interacts with the MobileIron client app. The MobileIron client app is Mobile@Work for iOS, MobileIron Go for iOS, or MobileIron AppStation for iOS. Mobile@Work interacts with Core and MobileIron Go interacts with MobileIron Cloud. AppStation is used in certain use cases instead of MobileIron Go to interact with MobileIron Cloud when a MobileIron Cloud tenant is set up for Mobile Apps Management (MAM) but not Mobile Device Management (MDM). The AppConnect library also interacts with Standalone Sentry for AppTunnel support.

The following diagram illustrates these interactions between an AppConnect app, the AppConnect library, the MobileIron server, the MobileIron client and the Standalone Sentry. The diagram uses MobileIron Core for the server and Mobile@Work for the client.

Figure 1. AppConnect for iOS architecture

Note The Following:  

  • Each secure enterprise app communicates with an instance of the AppConnect library.
  • The AppConnect library communicates with the MobileIron client app.
  • The app uses the AppConnect Cordova JavaScript API to get management and security-related information, such as whether the administrator has authorized the app to run on the device.
  • The MobileIron client app communicates with the MobileIron server to get management and security-related information.
  • The MobileIron server which provides security and management for an enterprise’s devices, and for the apps and data on those devices. An administrator configures the security and management features using a web portal.
  • The AppConnect library interacts with a Standalone Sentry if it is tunneling network connections to an enterprise server behind the firewall.

The MobileIron client app and AppConnect apps

The MobileIron client app supports AppConnect apps, including the following tasks:

  • It communicates with the MobileIron server to get management and security-related information and passes the information to the AppConnect apps.
    The MobileIron client app periodically does an app checkin with the MobileIron server to get this information. The administrator configures the app checkin interval on the MobileIron server. It is the maximum time between app checkins while an AppConnect app is running.
  • It enforces the AppConnect passcode or Touch ID/Face ID.
    The MobileIron client app prompts the device user to create an AppConnect passcode or Touch ID/Face ID when first launching any AppConnect app. You configure an auto-lock timeout in the AppConnect global policy. After this period of inactivity, The MobileIron client app prompts the device user to reenter his AppConnect passcode or Touch ID/Face ID.

When you run your AppConnect app, the MobileIron client app sometimes automatically launches to support app checkin and the AppConnect passcode or Touch ID/Face ID. Understanding the MobileIron client app’s expected behavior can help you when you test your AppConnect app.

App checkin and the MobileIron client app

On each app checkin, the MobileIron client app gets AppConnect policy updates for all the AppConnect apps that have already run on the device. These updates include changes to data loss prevention policies, password settings, app configurations, and AppTunnel settings.

For example, for Mobile@Work, these updates are due to changes on MobileIron Core to:

  • the AppConnect global policy for the device.
  • AppConnect container policies for each of the AppConnect apps that have run on the device.
  • AppConnect app configurations for each of the AppConnect apps that have run on the device.
  • the current authorization status for each of the AppConnect apps that have run on the device.

The MobileIron client app does an app checkin in the following situations:

  • The device user launches an AppConnect app for the first time.
    In this situation, the MobileIron client app finds out about the app for the first time, and adds it to the set of AppConnect apps for which it gets updates.
  • The app checkin interval expires while an AppConnect app is running.
  • The app checkin interval expired while no AppConnect apps were running and then the device user launches an AppConnect app.

In each of these situations, the MobileIron client app launches, and the device user sees the the MobileIron client app app momentarily. Once the MobileIron client app has completed the app checkin, the device user automatically returns to the AppConnect app.

The AppConnect passcode auto-lock time and the MobileIron client app

The MobileIron client app launches to prompt the device user for the AppConnect passcode or Touch ID/Face ID in the following situations:

  • The auto-lock (inactivity) timeout expires while the device is running an AppConnect app and the AppConnect passcode, or Touch ID/Face ID, is the login mechanism.

    NOTE: If the device user is interacting with the app, the auto-lock time does not expire. This case occurs only when the device user has not touched the device for the duration of the timeout interval.

  • The device user used the MobileIron client app to log out of AppConnect apps, and then launches an AppConnect app.
  • The MobileIron server administrator has changed the complexity rules of the AppConnect passcode, and an app checkin occurs.

In each of these situations, the MobileIron client app launches, and presents the device user with a screen for entering his AppConnect passcode or Touch ID/Face ID. After the device user enters the passcode or Touch ID/Face ID, the device user automatically returns to the AppConnect app.