Test authorization status handling

You can make changes to the Ivanti EPMM configuration to test your app’s handling of the different authorization statuses: authorized, unauthorized, and retired.

Change the status to authorized or unauthorized

A security policy on Ivanti EPMM specifies the requirements for a device. If a device is not compliant with a requirement, the security policy specifies a compliance action. One compliance action is to block AppConnect apps on the device, which means that the apps become unauthorized.

The list of requirements that can impact authorization is long, but for testing your app, you need to work with only one requirement. The requirement involves a list of device models that are not allowed to use AppConnect apps.

Therefore, to unauthorize the app on the device:

1. In the Admin Portal, select Policies & Configs > Policies.
2. Select Add New > Security.
3. Enter a name.

For example: AppConnect test security policy

4. Scroll down to the section called Access Control, under For iOS Devices.
5. Select Block Email, AppConnect Apps, And Send Alert For The Following Disallowed Devices.
6. Move the model of your test device to the Disallowed area.
7. Click Save.

Ivanti EPMM creates the new security policy.

8. Select the row listing the new security policy.
9. Select More Actions > Apply To Label.
10. Select the test label that you created in Create a label for testing your app.
11. Click Apply.
12. Click OK.

Push the change to your device immediately, by doing the following steps on the device:

1. Launch Mobile@Work.
2. Tap Settings.
3. Tap Check for Updates.
4. Tap Force Device Check-in.

If your app is running, it receives the notification that it is unauthorized. Otherwise, it receives the notification the next time it runs.

Verify that your app correctly handles the change to the unauthorized state. Specifically, verify that your app:

exits any sensitive part of the application.

stops allowing the user to access sensitive data and views.

displays the message received in the callback method that explains the authorization status change.

calls the -authStateApplied:message: method.

To re-authorize the app on the device:

1. In the Admin Portal, select Policies & Configs > Policies.
2. Select the security policy that you created.
3. Click Edit in the right-hand pane.
4. In the section called Access Control, under For iOS Devices, uncheck Block Email, AppConnect Apps, And Send Alert For The Following Disallowed Devices.
5. Click Save.

Push the change to your device immediately, by doing the following steps on the device:

1. Launch Mobile@Work.
2. Tap Settings.
3. Tap Check for Updates.
4. Tap Force Device Check-in.

If your app is running, it receives the notification that it is authorized. Otherwise, it receives the notification the next time it runs.

Verify that your app correctly handles the change to the authorized state. Specifically, verify that your app:

allows the user to access sensitive data and views.

calls the -authStateApplied:message: method.

Change the status to retired

An app is authorized only if an AppConnect container policy for the app is present on the device. If you remove the AppConnect container policy from the device, the app becomes retired.

To retire the app on the device:

1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the AppConnect container policy for your app.
3. Select Actions > Remove From Label.
4. Select the label that you created in Create a label for testing your app.
5. Click Remove.

Push the change to your device immediately, by doing the following steps on the device:

1. Launch Mobile@Work.
2. Tap Settings.
3. Tap Check for Updates.
4. Tap Force Device Check-in.

If your app is running, it receives the notification that it is retired. Otherwise, it receives the notification the next time it runs. The message string in the notification is the default unauthorized message:

“Your administrator has not authorized this app.”

Verify that your app correctly handles the change to the retired state. Specifically, verify that your app:

exits any sensitive part of the application.

deletes all sensitive data, including any stored authentication credentials, data in files, keychain items, pasteboard data, and any other persistent storage.

displays the message received in the callback method that explains the authorization status change.

calls the -authStateApplied:message: method.

Reauthorize a retired app

A retired app is sometimes re-authorized at a later time.

To reauthorize the retired app on the device:

1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select the AppConnect container policy for your app.
3. Select Actions > Apply To Label.
4. Select the label that you created in Create a label for testing your app.
5. Click Apply.
6. Click OK.

Push the change to your device immediately, by doing the following steps on the device:

1. Launch Mobile@Work.
2. Tap Settings.
3. Tap Check for Updates.
4. Tap Force Device Check-in.

If your app is running, it receives the notification that it is authorized. Otherwise, it receives the notification the next time it runs.

Verify that your app correctly handles the change to the authorized state. Specifically, verify that your app:

dismisses any user interface that displays that the user is not authorized to use the app.

allows the user to access sensitive data and views.

calls the -authStateApplied:message: method.