AppConnect for Android overview

MobileIron supports AppConnect for Android by wrapping Android apps. The following sections provide an overview.

• Wrapping modes
• The MobileIron client app, the Secure Apps Manager, and the AppConnect wrapper
• Supported Android device processors
• Supported Android operating systems
• Samsung Knox container (Knox Workspace) and AppConnect apps
• AppConnect for Android component support and compatibility
• Data loss prevention for secure apps for Android
• Data encryption for secure apps for Android
• Special badging for secure apps for Android

Wrapping modes

Two modes of wrapping are available:

• Generation 2
• Generation 1

Generation 2 wrapping is the default mode, and is required for a number of Android features. Generation 1 wrapping should only be used for features not supported by Generation 2. For information about the features supported by Generation 2 and Generation 1 wrapping modes, see "Wrapping support of commonly used app capabilities" in the MobileIron AppConnect for Android App Developers Guide available on the MobileIron AppConnect for Android Product Documentation Home Page.

NOTE:

AppConnect apps are supported only in multiple-app kiosk mode. They are not supported in single-app kiosk mode. For Kiosk mode information, see the MobileIron Cloud Administrator Guideon the MobileIron Cloud Product Documentation Home Page.

The MobileIron client app, the Secure Apps Manager, and the AppConnect wrapper

Two MobileIron apps work together on the Android device to support AppConnect. Together, they provide the security and management of all the AppConnect apps.

These MobileIron apps are:

• MobileIron Go
• Secure Apps Manager

Each AppConnect app is wrapped with the AppConnect wrapper, which enforces security along with the MobileIron client app and the Secure Apps Manager. On the device, the AppConnect apps are called secure apps.

The Secure Apps Manager performs the following tasks to support AppConnect apps on Android devices:

• manages the data encryption key.
• handles the AppConnect passcode login for all AppConnect apps.
• provides a list of all the AppConnect apps on the device.

When a new Secure Apps Manager becomes available, you do not need to re-wrap all your apps. Secure Apps Manager is backward compatible. A wrapped app requires the corresponding or newer version of Secure Apps Manager. For example, an app wrapped with Wrapper 8.5.0.0 requires Secure Apps Manager 8.5.0.0 or later version that supports apps wrapped with Wrapper 8.5.0.0.

For MobileIron Cloud deployments, the Secure Apps Manager is bundled with MobileIron Go. The Secure Apps Manager is automatically installed on a device when you distribute an AppConnect app for Android to a device. The Secure Apps Manager is automatically updated to the latest version of Secure Apps Manager that MobileIron Cloud supports.

For the AppConnect app compatibility with the latest version of Secure Apps Manager, see the AppConnect for Android release notes available in the MobileIron AppConnect for Android Product Documentation Home Page.

NOTE:

Support for various AppConnect for Android features sometimes require minimum versions of the MobileIron client app, Secure Apps Manager, and the wrapper, as specified in each feature’s description.

Supported Android device processors

AppConnect on Android is supported on devices with:

• 32-bit ARM processors
• 64-bit ARM processors

Supported Android operating systems

For Android versions that AppConnect for Android supports, see the AppConnect Secure Apps for Android Release Notes and Upgrade Guide.

For Android versions that the MobileIron Cloud supports, see the release note for MobileIron Cloud.

However, some AppConnect for Android features require one of the more recent Android versions. These exceptions are noted in specific feature descriptions.

Samsung Knox container (Knox Workspace) and AppConnect apps

The Samsung Knox container, known as the Knox Workspace, is not supported with AppConnect apps. Specifically:

• The Samsung Knox container does not support any AppConnect apps running inside the Knox container.
• MobileIron does not support using both a Knox container and AppConnect container on the same device.

AppConnect for Android component support and compatibility

For the supported versions of the various components in an AppConnect deployment, including the Secure Apps Manager, MobileIron Go, and MobileIron Cloud, see the MobileIron AppConnect for Android Release Notes and Upgrade Guide in the MobileIron AppConnect for Android Product Documentation Landing Page.

Data loss prevention for secure apps for Android

Data loss prevention policies for secure apps allow you to secure the sensitive data in AppConnect apps. With data loss prevention policies, you determine whether:

• device users can take screen captures of protected data.
• AppConnect apps can access camera photos or gallery images.
• AppConnect apps can stream media to media players.
• AppConnect apps have copy/paste restrictions.
• tapping a web link in an AppConnect app can open the web page in an unsecured browser.
• tapping a web link in a non-AppConnect app can open the web page in Web@Work.

NOTE:

Document interaction (Open In) is always restricted to all AppConnect apps for Android.

Data encryption for secure apps for Android

App data for AppConnect apps on the device is encrypted. AES-256 encryption (which uses a key size of 256 bits) is used.

The encryption key is not stored on the device. It is programmatically derived. If an AppConnect passcode is required, it is used in the encryption key’s derivation, making the application data secure even on a device that becomes compromised. When a device is compromised, it is rooted.

Special badging for secure apps for Android

An Android device user recognizes that an app is a secure app because its icon is overlaid with a special badge.