Configuring iOS 16 compatibility for AppConnect quick start

Complete these additional iOS 16-related tasks to quickly set up AppConnect for iOS on Ivanti EPMM.

Extensible Single Sign-On configuration

In iOS 16, Apple implemented a new "Pasteboard Permission" privacy feature: apps need user's permission before accessing the pasteboard to paste content from another app. iOS developers can avoid displaying pasteboard usage prompt in AppConnect apps by creating an Extensible Single Sign-On configuration. If Extensible Single Sign-On feature is created on the server and pushed to the device, then device users will not see the pop-up, except in specific scenarios.

For apps that do not have the Extensible Single Sign-On configuration or apps that use AppConnect 4.8.1 or older, then the pasteboard will continue to be used as a data channel for AppConnect. After a slight delay of approximately one minute, the SSO extension configuration is pushed.

The pasteboard pop-up will continue to appear on iOS 16+ devices in the following scenarios:

If the device user performs copy or paste.
While generating AppConnect application logs (since the transmission of log files take place through pasteboard).
If Mobile@Work application or AppConnect application does not support the Extensible Single Sign-On configuration.

For more information, see KB article: iOS 16: Don't Allow Paste" / "Allow Paste" pop-ups from AppConnect apps.

Procedure

Once this configuration has been created and pushed to device users, administrators can check the MDM profile to confirm the configuration was received.

In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
Click Add New > Apple > iOS / macOS / tvOS > Extensible Single Sign-On. The Edit Extensible Sign Sign-On dialog box opens.
Configure as per the Extensible Single Sign-On field description table listed below.
Click Save.
To distribute the configuration, apply it to a label that contains the target devices.

The following table describes the fields and settings in the Extensible Single Sign-On configuration, which will be similar to what you see in Configuring iOS 16 compatibility for AppConnect quick start .

**Table 59.** Extensible Single Sign-On field description
Item	Description
Name	Enter a name that identifies this configuration.
Description	Enter a description that clarifies the purpose of this configuration.
Channel	The Channel options are applicable to macOS only. Select one of the following: User: Select to apply to only specific users on the device. The User option is not supported on macOS 10.15 devices. Device: Select to apply to all users on the device.
Extensible Single Sign-On
Choose SSO Type	Select Redirect. (iOS 15+) This will request the data and transfer it via the SSO Extension from the shared container.
URL	Enter https://appsanity.mobileiron.com/ssoextension/com.mobileiron.phoneatwork
Extension Identifier	Enter com.mobileiron.phoneatwork.ssoextension
Team Identifier	Enter any value. This is not used by iOS devices.
Realm	If you select Credentials as the SSO Type, enter the realm name. The realm name is case sensitive and must be an exact match.
Custom Data	Custom data is not required.

If you are configuring an identity provider (IdP), the IdP must have an app extension. Please refer to the vendor-specific documentation for setup procedures.