AppConnect 4.0 for iOS SDK revision history
New features
• iOS 8 no longer supported
• Dynamic frameworks
• Swift support
• Secure file sharing from an extension
• Drag and Drop data loss prevention policy support
• Native email control using the Open In DLP policy
• App extension control using the Open In DLP policy
• Custom keyboard use controlled by MobileIron server
• Screen blurring
• Requirement for Face ID usage Info.plist entry
• Support for sending AppConnect logs from Mobile@Work
• Securing sensitive data such as encryption keys
• New category ACFileHandle (ACSharedSecureData)
• New custom cryptography methods
• Automatic policy status updates sent to MobileIron server
iOS 8 no longer supported
AppConnect 4.0 for iOS is not supported on iOS 8 devices.
See Product versions required.
Dynamic frameworks
The AppConnect 4.0 for iOS SDK changes the AppConnect.framework from a static to dynamic framework. Therefore, to upgrade an app that used a previous AppConnect SDK, or to incorporate the SDK for the first time into your app, see Getting Started with the AppConnect for iOS SDK.
One of the necessary steps in using the dynamic AppConnect.framework is to remove extra architectures from the AppConnect app’s binary. Removing desktop architectures is required before submitting your app to the Apple App Store. The AppConnect for iOS SDK provides a script for this purpose. The script is called post_embed_actions.sh.
Also, as part of the reorganization relating to dynamic frameworks, AppConnect.h is now an umbrella header which imports all the AppConnect.framework headers. AppConnectInterface.h now contains the definitions of the AppConnect interface and the AppConnectDelegate protocol. See Header files in AppConnect.framework.
Swift support
The AppConnect 4.0 for iOS SDK supports Swift apps. See Using the AppConnect framework in a Swift app.
Secure file sharing from an extension
An AppConnect app can now provide an app extension, specifically a Document View Controller extension, to share secure files with other AppConnect apps. A file can be shared with all AppConnect apps or with only specific AppConnect apps. The files that the extension shares must be secure files, written with the secure file I/O APIs.
See Sharing secure files from an extension.
Drag and Drop data loss prevention policy support
MobileIron server administrators can set a drag and drop policy for each AppConnect app. It specifies whether AppConnect apps can drag content to all other apps, to only other AppConnect apps, or not at all.
The AppConnect library enforces this policy. When the policy allows dragging content to only other AppConnect apps, the AppConnect library notifies your app when the device user attempts to drag content to a non-AppConnect app. Your app can then notify the device user of the situation. Your app provides no other code to support the drag and drop policy.
NOTE: This feature is not supported with MobileIron Cloud.
See:
• Drag and drop policy API details
• Test data loss prevention policy handling
New callback method -openURLAttemptedWhenUnauthorizedForURL:
A new callback method -openURLAttemptedWhenUnauthorizedForURL: is provided. This method is called when the app attempts to call -openURL: with the mailto scheme but no app that can handle the scheme is allowed by the Open In DLP policy.
See Open In policy API details.
Native email control using the Open In DLP policy
The Open In Data Loss Prevention policy now includes controlling whether an app can share documents with the native iOS mail app. Opening a document with the native iOS mail app is allowed only if one of the following is true:
• Open In is allowed for all apps
• Open In is allowed for only whitelisted apps, and the native iOS mail app is in the whitelist. The whitelist must contain both of these bundle IDs: com.apple.UIKit.activity.Mail and com.apple.mobilemail.
Additionally, the new callback method -openURLAttemptedWhenUnauthorizedForURL: is called when the app attempts to call -openURL: with the mailto scheme, and one of the following is true:
• Open In is not allowed, and Email+ for iOS is not installed on the device.
• Open In is allowed only for Secure Apps, and Email+ is not installed on the device.
NOTE: In both of the above cases, if Email+ for iOS is installed on the device, it is launched.
See Open In policy API details.
App extension control using the Open In DLP policy
The Open In data loss prevention policy now includes restricting access to the iOS extensions that apps provide. Specifically:
Open In DLP for host app (the app using the extension) | Extension behavior
All apps allowed | The host app can use any app’s extension for Open In.
Only AppConnect apps allowed | The host app can use only extensions provided by AppConnect apps for Open In.
Whitelist | The host app can use only extensions of apps in the whitelist for Open In.
This addition has no impact on your app’s implementation of the Open In DLP APIs.
Custom keyboard use controlled by MobileIron server
The MobileIron server can now control custom keyboard use by your AppConnect app. If the administrator does not configure this choice, your app can choose to reject custom keyboard use.
Screen blurring
AppConnect 4.0 for iOS adds support for blurring screens when the app becomes inactive. If your app provided its own screen blurring, remove that code. By using the AppConnect library’s screen blurring capability, all AppConnect apps behave consistently.
To enable screen blurring, add the key MI_AC_PROVIDE_SCREEN_BLUR to your app’s Info.plist as a Boolean. Set the value to YES.
When you set the Info.plist key MI_AC_PROVIDE_SCREEN_BLUR to YES, the MobileIron server administrators can disable screen blurring by setting a key-value pair on the server for your app’s configuration. The server key is MI_AC_ENABLE_SCREEN_BLURRING with the value false.
See Add AppConnect-related entries to your Info.plist.
Requirement for Face ID usage Info.plist entry
Add Privacy - Face ID Usage Description to your app’s Info.plist, with a string value indicating the purpose of Face ID use. For example, add the value AppConnect. If you manually add this key, its name is NSFaceIDUsageDescription.
Server administrators can allow the use of Touch ID or Face ID instead of an AppConnect passcode. Therefore, this Info.plist entry is required on iOS 11 through the most recently released version as supported by MobileIron.
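A build-time check for the two Info.plist entries described above, as an added example (not part of the AppConnect SDK or its documentation). The function name check_info_plist and the sample plist are constructed for illustration, and the check assumes the app intends to use the library's screen blurring.

```python
import plistlib

# Constructed sample Info.plist (hypothetical app) with two typical mistakes:
# the blur key is a string instead of a Boolean, and the Face ID text is empty.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.secureapp</string>
    <key>MI_AC_PROVIDE_SCREEN_BLUR</key>
    <string>YES</string>
    <key>NSFaceIDUsageDescription</key>
    <string></string>
</dict>
</plist>
"""


def check_info_plist(data):
    """Return a list of (key, problem) tuples; an empty list means both entries pass."""
    info = plistlib.loads(data)
    findings = []

    # The page requires this key to be a Boolean set to YES (<true/> in XML).
    # A <string>YES</string> value is not a Boolean, so it is flagged.
    blur = info.get("MI_AC_PROVIDE_SCREEN_BLUR")
    if blur is None:
        findings.append(("MI_AC_PROVIDE_SCREEN_BLUR", "missing"))
    elif not isinstance(blur, bool):
        findings.append(("MI_AC_PROVIDE_SCREEN_BLUR",
                         "must be a Boolean, found " + type(blur).__name__))
    elif not blur:
        findings.append(("MI_AC_PROVIDE_SCREEN_BLUR", "set to NO"))

    # Face ID usage description: must be a non-empty string stating the purpose.
    face = info.get("NSFaceIDUsageDescription")
    if not isinstance(face, str) or not face.strip():
        findings.append(("NSFaceIDUsageDescription", "missing or empty"))

    return findings


if __name__ == "__main__":
    for key, problem in check_info_plist(SAMPLE_INFO_PLIST):
        print(f"{key}: {problem}")
```

Run it against the built app's Info.plist bytes in CI and fail the build when the returned list is not empty.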
Support for sending AppConnect logs from Mobile@Work
AppConnect apps using AppConnect 4.0 for iOS support the feature in Mobile@Work for iOS that sends AppConnect logs to an email address of your choice, such as a company’s helpdesk. This feature requires Mobile@Work 9.8 for iOS through the most recently released version as supported by MobileIron.
Mobile@Work displays the option to send logs on the app’s status details screen, available in Mobile@Work at Settings > Secure Apps > <app name>. The option is at the bottom of the screen with this text: Send <app name> Logs.
The option is displayed only for AppConnect apps using AppConnect 4.0 for iOS. However, the displayed option is disabled if the app’s AppConnect authorization status is not authorized.
When the option is displayed and enabled, tapping it brings up the list of apps able to share the log files, such as email apps, if you included the following key-value pair for the app in its AppConnect app configuration:
• MI_AC_ENABLE_LOGGING_TO_FILE set to Yes
Securing sensitive data such as encryption keys
AppConnect 4.0 for iOS adds classes to provide heightened security for especially sensitive data, such as encryption keys and passwords. These classes use hardware capabilities (Apple’s Secure Enclave) to reduce the sensitive data’s attack surface, because the data is never stored in plain-text in memory.
See Securing sensitive data such as encryption keys.
New category ACFileHandle (ACSharedSecureData)
Use the new category ACFileHandle (ACSharedSecureData) in addition to the existing category NSData (ACSharedSecureData) if you want to encrypt the data that your app stores and you want the app to share the data with another AppConnect app.
See Secure file I/O API details.
New custom cryptography methods
The AppConnect 4.0 for iOS SDK has deprecated the following methods:
-(NSError *)derivedAppKey:(uint8_t *)pKey withIndex:(NSString *)index;
-(NSError *)derivedSharedKey:(uint8_t *)pKey withIndex:(NSString *)index;
New methods are available that each return an ACSensitiveData object. If you are upgrading your app to use the AppConnect 4.0 for iOS SDK, MobileIron recommends you use the new methods to take advantage of the features of the ACSensitiveData class.
See Encryption keys for custom cryptography and Securing sensitive data such as encryption keys.
Automatic policy status updates sent to MobileIron server
The AppConnect library now automatically sends a status update to the MobileIron server when it receives the following changes:
Change | Status update that AppConnect library sends to MobileIron server
Open In policy | Informs server that the policy change has been applied.
Pasteboard policy | Informs server that the policy change has been applied.
Print policy | Informs server that the policy change has been passed to the app.
Configuration values | Informs server that the configuration change has been passed to the app.
Authentication status | Informs server that the authentication change has been passed to the app.
This change has no impact on your app’s implementation. Your app should continue to always call the appropriate notification acknowledgment method:
-authStateApplied:message:
-configApplied:message:
-openInPolicyApplied:message:
-pasteboardPolicyApplied:message:
-printPolicyApplied:message:
-secureFileIOPolicyApplied:message:
Resolved issues
• AP-4324: The following methods now return an empty NSData object, instead of nil, if EOF was reached:
- (NSData *)availableData;
- (NSData *)availableDataWithError:(NSError *__autoreleasing *)error;
- (NSData *)readDataToEndOfFile;
- (NSData *)readDataToEndOfFileWithError:(NSError *__autoreleasing *)error;
- (NSData *)readDataOfLength:(NSUInteger)length;
- (NSData *)readDataOfLength:(NSUInteger)length error:(NSError *__autoreleasing *)error;
• AP-4202: Custom protocol classes set to NSURLSessionConfiguration were previously ignored in AppConnect apps. This issue has been fixed.
• AP-4133: Added ability to use NSURLConnection with NSURLSession networking with AppTunnel.
Known issues
• AP-4657: The "unauthorized message" screen is blurred. It continues to be blurred until the next time the app switches to the MobileIron client app. After the next AppConnect checkin, the screen is no longer blurred.
Limitations
• AP-4720: On some devices, screen blurring does not occur when going to the Task Switcher.