AppConnect for iOS overview

AppConnect secures and manages enterprise apps on mobile devices. These secure enterprise apps are called AppConnect apps or secure apps.

You can create an AppConnect app for iOS the following ways:

  • Wrapping the app

    The AppConnect wrapping technology creates a secure app without any further app development. You can wrap Cordova apps.

    See the AppConnect for iOS App Wrapping Developers Guide

  • Using the AppConnect for iOS Cordova Plugin (also called the AppConnect Cordova Plugin)

    A Cordova app developer uses the plugin to create a secure Cordova app, or turn an existing Cordova app into a secure app.

    The AppConnect Cordova Plugin is described in this document.

  • Using the AppConnect for iOS SDK (software development kit)

    An app developer uses the SDK to create a secure app, or turn an existing app into a secure app. The AppConnect for iOS SDK is for iOS native development.

    See the AppConnect for iOS SDK App Developers Guide.

  • Using the AppConnect for iOS Xamarin C# binding

    An app developer using the Xamarin development platform can use C# APIs to create a secure app, or turn an existing app into a secure app.

    See the AppConnect for iOS SDK App Developers Guide.

IMPORTANT: Before using the AppConnect Cordova Plugin, determine whether wrapping the app meets your needs. See Choosing Wrapping or SDK Development to Create AppConnect for iOS Apps.

Note the following:

  • If your AppConnect app is to be distributed from the Apple App Store, due to Apple App Store requirements, your app is required to work as a regular app in addition to working as an AppConnect app.

    See Developing third-party dual-mode apps.

  • If your app uses an older version of the AppConnect Cordova Plugin, Ivanti recommends that you always rebuild your app with the current version of the plugin. Using the current version ensures the app contains all new features, improvements, and resolved issues.

An Apple Developer Enterprise Program account is required to distribute in-house apps. See Apple Developer Enterprise Program.

Where to get the AppConnect for iOS Cordova Plugin

Get the latest AppConnect for iOS Cordova Plugin at https://forums.ivanti.com/s/mobile-tools?language=en_US.

AppConnect for iOS documentation is available at AppConnect for iOS Product Documentation.

Legal notices are also available on https://www.ivanti.com/company/legal.

Secure app features

Secure enterprise apps that are built using the AppConnect Cordova Plugin can:

  • Receive app-specific configuration information from the Ivanti server.

    This capability means that device users do not have to manually enter configuration details that the app requires. By automating this process for the device users, each user has a better experience when installing and setting up apps. Also, the enterprise has fewer support calls, and the app is secured from misuse due to configuration. This feature is also useful for apps which do not want to allow the device users to provide certain configuration settings for security reasons.

  • Tunnel network connections to servers behind an enterprise’s firewall.

    This capability means that device users do not have to separately set up VPN access on their devices to use the app.

  • Authenticate an app user to an enterprise service.

    This capability means that AppConnect app users do not have to enter login credentials to access enterprise resources.

  • Handle data loss prevention.

    The Ivanti server administrator decides whether an app can copy content to the iOS pasteboard, use the document interaction feature (Open In and Open From), use drag and drop, or print. The app uses this information to limit its functionality to prevent data loss through these features. The AppConnect library enforces the pasteboard, Open In, Open From, and drag and drop policies. The app enforces the print policy.

  • Control custom keyboard use by your app.

    The Ivanti server administrator can choose whether an app can use custom keyboards, and the AppConnect library enforces the choice. If the administrator does not configure this choice, your app can choose to reject custom keyboard use.

  • Blur the app’s screens when the app is not in the foreground.

    By default, the AppConnect library enforces this behavior, which can be overridden by the Ivanti server administrator.

AppConnect for iOS Cordova Plugin advantages

With the AppConnect for iOS Cordova Plugin:

  • You can focus on application logic.

    The plugin handles low-level, complex work such as authentication to access AppConnect apps, certificate authentication to enterprise resources, tunneling, AppConnect passcode handling, data encryption, and getting app-specific settings and configuration from the Ivanti server.

  • You use a set of simple APIs to develop a secure enterprise app.

    The app does not have to interact directly with web service interfaces to get the information it needs to behave as a secure enterprise app. Using the APIs, the app gets notified of any changes that the administrator makes on the Ivanti server to controls and configuration.

  • You can create one app, with one code base, that can behave as a secure app or a regular app. This behavior is required for secure apps that are distributed from the Apple App Store.

    For more information, see Developing third-party dual-mode apps.

64-bit and 32-bit app support

Using the AppConnect for iOS Cordova Plugin, you can build an app as a 64-bit app or as a 32-bit app.

AppConnect components

The following table describes the Ivanti components that work with he apps that you build with the AppConnect for iOS Cordova Plugin.

Table 2.  Ivanti components that work with iOS Cordova Plugin

Ivanti component

Description

Ivanti Endpoint Manager Mobile

The Ivanti on-premise server which provides security and management for an enterprise’s devices, and for the apps and data on those devices. An administrator configures the security and management features using a web portal.

Ivanti Neurons for MDM

Ivanti’s cloud offering that provides similar functionality as Ivanti Endpoint Manager Mobile. However, it does not support all the AppConnect features that Ivanti Endpoint Manager Mobile supports.

Standalone Sentry

The Ivanti server which provides secure network traffic tunneling from your app to enterprise servers.

Mobile@Work for iOS (client)

An Ivanti app that runs on an iOS device. It interacts with Ivanti Endpoint Manager Mobile to get current security and management information for the device. It interacts with the AppConnect library to communicate necessary information to your app.

Go (client)

An Ivanti app that runs on an iOS device. It interacts with Ivanti Neurons for MDM to get current security and management information for the device. It interacts with the AppConnect library to communicate necessary information to your app.

AppStation

An Ivanti client app that runs on an iOS device. It interacts with Ivanti Neurons for MDM. It can be used on the device instead of Go when the Ivanti Neurons for MDM tenant supports Mobile Apps Management (MAM) but not Mobile Device Management (MDM). It interacts with the AppConnect library to communicate necessary information to your app.

The AppConnect library

The library that your app uses to get AppConnect information. The AppConnect library is part of the AppConnect framework that your app includes.

Note the following:

  • Core and Ivanti Neurons for MDM are each also referred to as an Ivanti server.

  • Mobile@Work, Go, and AppStation are each also referred to as an Ivanti client app.

IMPORTANT: Some AppConnect features depend on the version of Ivanti Endpoint Manager Mobile, Ivanti Neurons for MDM, Standalone Sentry, and the client app.

Using a secure app

A device user can use a secure enterprise app only if:

  • The device user has been authenticated through the Ivanti server.

    The user must use the Ivanti client app to register the device with the Ivanti server. Registration authenticates the device user.

  • The Ivanti server administrator has authorized the device user to use the app.

  • The device user has entered a secure apps passcode or Touch ID/Face ID.

    The Ivanti server administrator configures whether a secure apps passcode, also called the AppConnect passcode, is required, and configures its complexity rules. The administrator also configures whether using Touch ID/Face ID, if available on the device, is allowed instead of the AppConnect passcode.

The AppConnect passcode is not the same as the passcode used to unlock the device.

App responsibilities

Your app is responsible for:

  • enforcing the authorization settings
  • handling the data loss prevention settings
  • using the app-specific configuration

The Ivanti client app and AppConnect library responsibilities

The Ivanti client app app and the AppConnect library are responsible for:

  • authenticating the user to the Ivanti server
  • authenticating to enterprise services using certificates
  • tunneling network connections
  • AppConnect passcode and Touch ID/Face ID handling
  • protecting AppConnect-related data, such as configurations and certificates

Cordova Plugin variants

Due to Apple deprecating the UIWebView class, the AppConnect for iOS SDK is available in two variants: one with UIWebView and WKWebView support, and another another with WKWebView support, but no UIWebView support. The AppConnect SDK without UIWebView support is provided for apps that will be submitted to the App Store. The Cordova plugin included with each variant of the SDK provides the same support as the SDK variant.

AppConnect Cordova Plugin contents

The AppConnect Cordova Plugin is available in the AppConnect for iOS SDK ZIP file. The ZIP file is called AppConnectiOSSDK_V<version>_<build>.zip, where:

  • <version> is the version number of the SDK.
  • <build> is the build number of the SDK.

The AppConnect for iOS ZIP file contains a plugins/cordova folder which contains:

  • AppConnectCordovaPlugin_V<version number_xxx>.zip

    This ZIP file contains all the plugin files, which include:

Table 3.   Cordova plugin contents

Contents

Description

src/ios folder

Contains the AppConnect library files and provides your app management and security capabilities. The AppConnect library facilitates communication between your app and the Ivanti client app, which communicates with the Ivanti server.

www folder

Contains AppConnectCordova.js. This file contains the JavaScript interfaces that your app uses to interact with the AppConnect library.

plugin.xml

Defines the AppConnect Cordova Plugin.

Notices.pdf

Contains license information
  • A Documentation folder containing this document.
    Check for updates to this document as described in Where to get the AppConnect for iOS Cordova Plugin.
  • install_ac_cordova_plugin.sh, which is the script you use to install the AppConnect Cordova Plugin.
  • A Samples folder containing the TestAppConnect example
    This sample Cordova app demonstrates how an app uses the AppConnect Cordova Plugin. It displays its authorization status, its app configuration, and its data loss prevention policies. Note that it only displays the data loss prevention policies and authorization status, but does not enforce them.

Another plugins/cordova folder is available in the SDK_without_UIWebView folder, which contains the SDK variant that does not support UIWebView.

AppConnect for iOS architecture

Your app, using the AppConnect Cordova Plugin, interacts with the Ivanti client app. The Ivanti client app is Mobile@Work for iOS, Gofor iOS, or AppStationfor iOS. Mobile@Work interacts with Ivanti Endpoint Manager Mobileand Go interacts with Ivanti Neurons for MDM. AppStation is used in certain use cases instead of Go to interact with Ivanti Neurons for MDM when a cloud tenant is set up for Mobile Apps Management (MAM) but not Mobile Device Management (MDM). The AppConnect library also interacts with Standalone Sentry for AppTunnel support.

The following diagram illustrates these interactions between an AppConnect app, the AppConnect library, the Ivanti server, the Ivanti client and the Standalone Sentry. The diagram uses Ivanti Endpoint Manager Mobile for the server and Mobile@Work for the client.

Figure 1. AppConnect for iOS architecture

Note the following:

  • Each secure enterprise app communicates with an instance of the AppConnect library.

  • The AppConnect library communicates with the client app.

  • The app uses the AppConnect Cordova JavaScript API to get management and security-related information, such as whether the administrator has authorized the app to run on the device.

  • The client app communicates with the Ivanti server to get management and security-related information.

  • The Ivanti server provides security and management for an enterprise’s devices, and for the apps and data on those devices. An administrator configures the security and management features using a web portal.

  • The AppConnect library interacts with a Standalone Sentry if it is tunneling network connections to an enterprise server behind the firewall.

The Ivanti client app and AppConnect apps

The Ivanti client app supports AppConnect apps, including the following tasks:

  • It communicates with the Ivanti server to get management and security-related information and passes the information to the AppConnect apps.
    The Ivanti client app periodically does an app checkin with Ivanti Endpoint Manager Mobileto get this information. The administrator configures the app checkin interval on the Ivanti server. It is the maximum time between app check-ins while an AppConnect app is running.
  • It enforces the AppConnect passcode or Touch ID/Face ID.
    The client app prompts the device user to create an AppConnect passcode or Touch ID/Face ID when first launching any AppConnect app. You configure an auto-lock timeout in the AppConnect global policy. After this period of inactivity, The client app prompts the device user to reenter his AppConnect passcode or Touch ID/Face ID.

When you run your AppConnect app, the client app sometimes automatically launches to support app checkin and the AppConnect passcode or Touch ID/Face ID. Understanding the client app’s expected behavior can help you when you test your AppConnect app.

App checkin and the Ivanti client app

On each app checkin, the Ivanti client app gets the AppConnect policy updates for all the AppConnect apps that have already run on the device. These updates include changes to data loss prevention policies, password settings, app configurations, and AppTunnel settings.

For example, for Mobile@Work, these updates are due to changes on Ivanti Endpoint Manager Mobile to:

  • the AppConnect global policy for the device.
  • AppConnect container policies for each of the AppConnect apps that have run on the device.
  • AppConnect app configurations for each of the AppConnect apps that have run on the device.
  • the current authorization status for each of the AppConnect apps that have run on the device.

The Ivanti client app does an app check-in in the following situations:

  • The device user launches an AppConnect app for the first time.
    In this situation, the Ivanti client app finds out about the app for the first time, and adds it to the set of AppConnect apps for which it gets updates.
  • The app checkin interval expires while an AppConnect app is running.
  • The app checkin interval expired while no AppConnect apps were running and then the device user launches an AppConnect app.

In each of these situations, the Ivanti client app launches, and the device user sees the Ivanti client app momentarily. Once the client app has completed the app check-in, the device user automatically returns to the AppConnect app.

The AppConnect passcode auto-lock time and the Ivanti client app

The Ivanti client app launches to prompt the device user for the AppConnect passcode or Touch ID/Face ID in the following situations:

  • The auto-lock (inactivity) timeout expires while the device is running an AppConnect app and the AppConnect passcode, or Touch ID/Face ID, is the login mechanism.

    If the device user is interacting with the app, the auto-lock time does not expire. This case occurs only when the device user has not touched the device for the duration of the timeout interval.

  • The device user used the Ivanti client app to log out of AppConnect apps, and then launches an AppConnect app.
  • The Ivanti server administrator has changed the complexity rules of the AppConnect passcode, and an app check-in occurs.

In each of these situations, the Ivanti client app launches, and presents the device user with a screen for entering his AppConnect passcode or Touch ID/Face ID. After the device user enters the passcode or Touch ID/Face ID, the device user automatically returns to the AppConnect app.