Distributing wrapped apps with an enterprise key (Core)

After you have signed all wrapped apps and the Secure Apps Manager with your enterprise private key, you can distribute them to your enterprise’s device users.

The steps in this section are applicable if your UEM is Core or Connected Cloud.

IMPORTANT: If you are upgrading device users to use secure apps signed with your enterprise private key, installing the re-signed Secure Apps Manager on devices deletes all existing secure apps data on the device.

Do the steps in these tasks:

  1. Uploading the apps to the App Catalog.
  2. Configuring the enterprise public key.
  3. Applying labels to the new apps.
  4. Removing labels from the old apps.

Uploading the apps to the App Catalog

Use the Admin Portal to upload the newly signed secure apps to the Core app distribution library just as you would any in-house app. Go to Apps > App Catalog > Add+ > In-House. For details on in-house apps for Android, see “Working with Apps for Android Devices” in the Core [email protected] Guide.

Configuring the enterprise public key

To run secure apps signed with the enterprise private key, configure Connected Cloud or Core to provide the matching public certificate to the devices.

Procedure 

  1. In the Admin Portal, select Policies & Configs > Configurations.

  2. Select Add New > Certificates.

  3. Enter a Name and Description for the new Certificate Setting.

  4. Upload the public certificate that matches your enterprise private key.

    No entries are necessary for the password settings since this is the public certificate.

  5. Click Save.

  6. Select the app configuration for the new Secure Apps Manager.

  7. Click Edit.

  8. In App-specific Configurations, click Add+ .

  9. For the Key, enter AC_PUBLIC_KEY.

  10. For the Value, select the certificate setting that you just create from the drop-down list.

  11. Click Save.

Applying labels to the new apps

Apply the appropriate labels to the newly signed apps, including the Secure Apps Manager. These labels determine to which devices the apps will be downloaded.

IMPORTANT: Installing the re-signed Secure Apps Manager on devices deletes all existing secure apps data on the device.

Procedure 

  1. In the Apps tab of the Admin Portal, select Android for Select Platform.
  2. Select all the newly signed apps, including the Secure Apps Manager.
  3. Select Actions > Apply To Label.
  4. Select the appropriate labels.
  5. Click Apply.

Removing labels from the old apps

If devices already had secure apps signed with the Ivanti private key (or some other enterprise private key), remove the appropriate labels from the old secure apps, including the Secure Apps Manager.

Do the following for the old secure apps, including the Secure Apps Manager:

  1. In the Apps tab of the Admin Portal, select Android for Select Platform.
  2. Select all the old secure apps, including the old Secure Apps Manager.
  3. Select Actions > Remove From Label.
  4. Select the appropriate labels.
  5. Click Remove.

The device user experience when upgrading

After you have completed the steps to upgrade to secure apps signed with a enterprise private key, the device user experiences the following:

  1. [email protected] prompts the device user to update secure apps.
  2. When the user begins the update process, [email protected] warns the user of the consequences of the pending update. Specifically, users are warned that they will lose their secure apps data (including email settings) and will need to create a new secure apps passcode.
  3. If the user continues with the update process, the old secure apps are uninstalled, and the new secure apps are installed. On devices that support silent installation, silent uninstall and install are used.

An uninstall followed by an install is necessary instead of an app upgrade. The reason is because the Android operating system does not allow app upgrades when the signing keys do not match.

Behavior when the device does not have the enterprise public certificate

Using an enterprise private key to sign secure apps and the Secure Apps Manager requires that you configure the Secure Apps Manager’s app configuration with the enterprise public certificate. Consider the following situations relating to this requirement:

  • You do not configure Secure Apps Manager’s app configuration with the enterprise public certificate.

    In this case, the Secure Apps Manager defaults to using the Ivanti private key. Therefore, if secure apps signed with the enterprise private key are on the device, the secure apps cannot run due to a signature mismatch.

  • You later remove the enterprise public certificate.

    Consider the situation when secure apps signed with the enterprise private key are running on the device. Later, you remove the public certificate from the device. For example, you remove the certificates setting from Core, or remove the related key-value pair from the Secure Apps Manager’s app configuration. The secure apps signed with an enterprise private key can no longer run due to a signature mismatch. However, no secure data is lost. When the key-value pair is added back to the Secure Apps Manager’s app configuration, the secure apps can once again run.

  • You configure Secure Apps Manager’s app configuration with the enterprise public certificate, but the installed apps are signed with the Ivanti private key.

    In this case, the secure apps cannot run due to a signature mismatch.