iOS managed app configuration
An iOS managed app can automatically get its app-specific configuration from Core, rather than requiring the device user to enter the values in the app. Some examples of app-specific configuration are:
- user information
- server information
- whether particular features should be enabled
This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user.
Core supports iOS managed app configuration with two different mechanisms:
- The Managed App Config setting that use plists
- Managed App Configuration settings for iOS apps in the App Catalog
IMPORTANT: Both mechanisms use native iOS capabilities. iOS stores the configuration settings unencrypted on the device. Therefore, do not provide sensitive information such as passwords or private keys in managed app configuration values.
iOS managed app configuration is not supported on MAM-only iOS devices.
The Managed App Config setting that use plists
The Managed App Config setting is one mechanism that Core can use to provide configuration settings to iOS managed apps. You create a Managed App Config setting in Policies & Configs > Configurations > Add New > iOS and macOS > Managed App Config.
Using a Managed App Config setting requires a Core license. For more information on this feature, see “Managed App Config settings that use plists” in the Core Device Management Guide for iOS and macOS Devices.
By default, a legacy Managed App Config setting is ignored if a Managed App Configuration setting is available for the app in its App Catalog entry.
Configuring the plist setting to take precedence over the iOS managed app configuration setting
Managed App Configuration settings for iOS apps in the App Catalog
This mechanism supports the iOS managed app configuration defined in the AppConfig Community at appconfig.org. Working with Core, many registered Ivanti Technology Partners who are deploying their apps to the Apple App Store support this mechanism to make their apps easier to deploy in enterprises. This mechanism works as follows:
Managed app configuration flow
Using this mechanism makes it easy for you to configure an iOS managed app’s configuration on Core. Specifically:
- When you import the app into the App Catalog, Core automatically retrieves the default app configuration for viewing and editing.
- You edit the values for the app configuration in the Admin Portal in a graphical user interface.
- Depending on the app, the user interface includes descriptions about each field.
- You can create multiple app configurations, applying different labels to each app configuration. Multiple app configurations allow different sets of devices to receive different configuration values.
Refer to the app’s documentation to find out:
- whether the app supports managed app configuration
- more details on its specific configuration settings.
Core supports this mechanism only for Apple App Store apps, not for in-house apps.
This topic includes the following sections:
- Multiple app configurations per iOS app
- Priorities of iOS app configurations
- Substitution variables for configuring iOS apps
- Changes to managed app configurations for iOS apps
- App version updates and managed app configuration for iOS apps
- Configuring the plist setting to take precedence over the iOS managed app configuration setting
- Adding a new managed app setting for an app
- Core upgrade and iOS managed app configuration
Multiple app configurations per iOS app
Core allows you to create multiple app configurations per app:
- The default app configuration for the app is applied to devices with the same label that you applied to the app.
- Any additional app configurations that you create are applied to devices with the same labels that you specify for the additional app configuration.
Using multiple app configurations is useful when sets of users of the app require different configuration values. For example, consider a Human Resources app that users throughout the United States use. However, you want the app to connect to a different server depending on a user’s region:
- Users in the Eastern region must connect to a server in the east.
- Users in the Western region must connect to a server in the west.
- Users in the Northern and Southern regions connect to a server in St. Louis.
Therefore, do the following:
- Label the app with the Human Resources label.
- Create an app configuration that specifies the server in the east, and label the app configuration with the Eastern Region label.
- Create an app configuration that specifies the server in the west, and label the app configuration with the Western Region label.
- In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region label or the Western Region label will use this server.
Priorities of iOS app configurations
Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top of the list of app configurations. The default configuration always has the lowest priority and appears at the bottom of the list. Core assigns a device the app configuration with the highest priority that has a label that matches a label on the device.
You can change the priorities of app configurations by dragging and dropping them in the table of configuration choices for the app.
Substitution variables for configuring iOS apps
Substitution variables can be used for configuring values from LDAP or the Core devices database, such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when editing app configurations by entering the substitution variable $NULL$ for those values.
You may use the following variables when configuring app configuration fields:
Substitution variable |
More information |
Sample of substituted value |
$USERID$ |
Login ID (email address format) Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only. |
|
$EMAIL$ |
Email address Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only. |
|
$EMAIL_DOMAIN$ |
The domain part of the email address (part after the ‘@’) |
myCompany.com |
$EMAIL_LOCAL$ |
The local part of the email address (part before the ‘@’) |
jdoe |
$PASSWORD$ |
Use not recommended because the managed app configuration values are not encrypted on the device |
|
$FIRST_NAME$ |
First name |
Jane |
$LAST_NAME$ |
Last name |
Doe |
$DISPLAY_NAME$ |
Display name |
Jane Doe, CEO |
$USER_DN$ |
Distinguished Name |
CN=Jane Doe, OU=NA,OU=Users, OU=XY, DC=myCompany, DC=com |
$USER_UPN$ |
The Microsoft userPrincipalName attribute |
|
$USER_LOCALE$ |
Locale |
en_US |
$DEVICE_UUID$ |
iOS Unique Device Identifier |
c752e7052fe5e5ca8166e408c4b48573b5b5bd82 |
$DEVICE_UUID_NO_DASHES$ |
|
|
$DEVICE_IMSI$ |
International Mobile Subscriber Identity |
310150123456789 |
$DEVICE_IMEI$ |
International Mobile Equipment Identity |
01 342300 291808 3 |
$DEVICE_SN$ |
Serial Number |
DNRJVLP7DTTN |
$DEVICE_ID$ |
Mobile Equipment Identifier |
A0123456789012 |
$DEVICE_MAC$ |
Wi-Fi MAC Address |
30:f7:c5:87:e8:78 |
$DEVICE_CLIENT_ID$ |
Unique device identifier |
1073741831 |
$MODEL$ |
Device model |
iPhone 6 |
$PHONE_NUMBER$ |
Device phone number |
888-555-1212 |
$USER_CUSTOM1$ |
Custom field defined for LDAP |
The value of the variable as defined in LDAP settings. |
$USER_CUSTOM2$ |
Custom field defined for LDAP |
The value of the variable as defined in LDAP settings. |
$USER_CUSTOM3$ |
Custom field defined for LDAP |
The value of the variable as defined in LDAP settings. |
$USER_CUSTOM4$ |
Custom field defined for LDAP |
The value of the variable as defined in LDAP settings. |
$CN$ |
Common Name (CN) attribute extracted from the distinguished name |
Jane Doe |
$OU$ |
Organizational Unit (OU) attribute extracted from the distinquished name |
XY |
$ICCID$ |
Integrated Circuit Card Identifier |
89014104254287052057 |
$SAM_ACCOUNT_NAME$ |
The Microsoft sAMAccountName attribute |
jdoe |
$MI_APPSTORE_URL$ |
The URL of the Core app store, as accessed by the Apps@Work web clip |
https://myCore.mycompany.com/mifs/asfV3/ |
$REALM$ |
The domain component of an LDAP entry |
mycompany.com |
$TIMESTAMP_MS$ |
Unix time stamp of when Core sends the managed app configuration to the device |
1485992717498 |
$NULL$ |
An empty string. Use this variable to prevent the re-population of deleted default values. |
<no value> |
Changes to managed app configurations for iOS apps
For iOS apps, when the app data is in View or Edit mode, Core loads the latest managed app schema from the AppConfig repository and displays the latest fields (including any new fields) in the “Managed App Configurations” section in the UI. Ivanti recommends that before saving the changes, you first carefully inspect the updated managed app configuration. Once you select Proceed and click Confirm, the updated managed app configuration settings are saved and the changes are pushed out to all associated devices, including Shared iPad devices.
When you change the values for the app configuration of an app in the App Catalog, either one or two device check-ins are necessary for the device to receive the new values from Core. If the iOS MDM terminates the connection between the device and Core before Core can deliver the update, a second device check-in may be necessary.
App version updates and managed app configuration for iOS apps
When you update an app in the App Catalog on Core to a newer version, the new version sometimes has an updated managed app configuration. However, Core does not push the updated managed app configuration until you edit and save the app in the App Catalog. Until that time, devices that upgrade to the new version of the app still receive the older version of the app configuration. Because a new version of an app is typically backward compatible with the older app configuration, the app will still run successfully. However, the app will not use any new features that the updated app configuration provides.
Configuring the plist setting to take precedence over the iOS managed app configuration setting
Consider the case in which both of the following are true:
- Core has retrieved the managed app configuration for an app.
- A Managed App Config setting with a plist exists for the app.
By default, the managed app configuration included with the app overrides the Managed App Config setting with a plist. However, you can specify that the Managed App Config setting with a plist should override the managed app configuration with the following procedure.
Before you begin
Make sure you have created a Managed App Config setting with a plist and assigned the necessary labels to it. See “Managed App Config settings that use plists” in the Core Device Management Guide for iOS and macOS Devices.
Procedure
- In the Admin Portal, go to Apps > App Catalog.
- Select the app.
- Click Edit.
- In the Managed App Configurations section, select Use the .plist file uploaded in a Managed App Config Setting instead of these Managed App Configurations.
- Click Save.
If no Managed App Config setting is applied to the device, the app still uses the default managed app configuration in the App Catalog entry.
Adding a new managed app setting for an app
In addition to the default managed app configuration, you can add managed app settings from the AppConfig community or by uploading an XML file. The settings in the new managed app configuration can be edited in the Admin Portal. You add new managed app settings for an app by editing the app in the Admin Portal.
Procedure
- In the Admin Portal, go to Apps > App Catalog.
- Select the app.
- Click Edit.
- In the Managed App Configurations section, for Customize and prioritize app configurations based on app usage, click Add.
- Enter a name for the managed app configuration.
-
For Source Type, select one of the following:
-
AppConfig Community: This option is available only if the app has an app configuration available in the AppConfig community repository. If the configuration is available, the option is selected by default.
- Upload .xml spec: Select the option to upload an XML schema to push a particular set of app configurations.
-
- If your source type is Upload .xml spec, do one of the following:
Drag and drop the .xml file into the dotted box.
- Click Choose File to navigate to the location and upload the .xml file.
Ensure that the .xml file contains the version and bundle ID for the app, and that the bundle ID in the .xml file matches the bundle ID for the app. An error message displays if the bundle ID in the file does not match with the bundle ID of the app.
-
Scroll down and select a label to apply the configuration.
-
Click Add.
The new managed app configuration displays in the Managed App Configurations section.
Add managed app configuration
-
Update the configuration fields as needed.
The configuration fields are populated with the values available in the .xml file. If the XML file does not contain any default values, an empty configuration will get pushed to devices. Therefore, check the configuration values and update as needed.
-
Click Save.
Core upgrade and iOS managed app configuration
Consider the case where:
- you upgraded to this version of Core from a version of Core that did not support managed app configuration, and
- an app was already in the App Catalog before the upgrade.
After the upgrade, Core does not immediately retrieve the app’s managed app configuration. Core retrieves it when you edit the app in the App Catalog.