Adding secure apps for Android

Administrators upload all secure apps and the Secure Apps Manager to Ivanti EPMM as in-house apps. Ivanti EPMM makes the apps available to Android devices based on labels that you assign to the apps and devices.

The apps that you upload include:

  • The Secure Apps Manager that Ivanti EPMM provides.
  • The Secure Apps Manager is required for AppConnect to work. See AppConnect Guide for EPMM for more information about Secure Apps Manager.
  • The AppConnect apps that Ivanti EPMM provides that your enterprise uses.
  • The AppConnect apps that your enterprise wrapped.
  • See the AppConnect Guide for EPMM for more information about AppConnect and third-party/in-house secure apps.

Ivanti EPMM has the ability to upload an Android Google Play Store app that has the same package name as a private in-house app, such as com.mobileiron.phoneatwork, that is already loaded on Ivanti EPMM. Also, you can import an in-house app with the same package name as a public app that is already loaded on Ivanti EPMM. This feature is always on and does not require any configuration in the user interface.

Before you begin: Get the Secure Apps Manager and the other AppConnect apps that Ivanti EPMM provides from the support.mobileiron.com site. Save them to a location accessible from your Ivanti EPMM.

To add a secure app to the App Catalog:

  1. Go to Apps > App Catalog.
  2. Click Add + to open the app wizard.
  3. Click In-house.
  4. Click Browse. Navigate to and select the secure app (.apk) you want to upload.

    You cannot upload an in-house app that exceeds 2.15 GB.

  5. Click Next.

    The app wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. If the package is acceptable, the next screen displays.

  6. Use the following guidelines to complete the rest of the screens in the app wizard:

    Item

    Description

    Application Name

    Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

    Display Version

    Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.

    The version number for AppConnect apps includes:

    • The version number defined by the app developer.
    • Additional numbers provided by the wrapping process.

    Code Version

    Displays the version defined for the package. This item is not editable.

    Description

    Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the Secure Apps list.

    Ivanti, Inc recommends that you add the following descriptions for the AppConnect apps that Ivanti EPMM provides:

    • The Secure Apps Manager

    The Secure Apps Manager works with the Ivanti Mobile@Work app to secure and manage secure apps on your device.

    • TouchDown for SmartPhones

    TouchDown for SmartPhones provides secure access to your company email, contacts, calendar, and tasks.

    • File Manager

    File Manager allows you to securely navigate and manage your company files.

    • Ivanti Email+ for Android

    Ivanti Email+ for Android provides the native email client experience with ease of setup and important other features.

    • Ivanti Web@Work for Android

    Ivanti Web@Work for Android is a secure browser that allows your device users to easily and securely access your organization's web content.

    Category

    Select one or more categories to display this app in a category tab in Apps@Work or add a new category.

    1. Click Add New Category to define new categories.
    2. Enter a category Name (up to 64 characters).
    3. Enter a Description (up to 255 characters).
    4. In the Category Icon section, click the Replace Icon button.
    5. Browse and select an icon that will represent this Category.
    6. Click Save.

  7. Click Next.

    Item

    Description
    Use Global App Config Policy Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

    Feature this App in the Apps@Work catalog

    By default, the check box is selected to list the app in the Featured apps list in Apps@Work. This feature does not apply to AppConnect apps.

    Featured Banner

    Checking this option will add this app as part of the top banner on Apps@Work Home screen on end user devices. The latest five apps will be picked to be part of Apps@Work Home page.

    Allow app downloads over insecure networks

    Select this if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS.

    Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.

    Override URL

    If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location.

    Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which app are stored.

    See Override for in-house app URLs for the requirements for this configuration before using it.

    App Icon

    Icon and Screenshots appear when editing an app entry.

    The icon retrieved from Google Play displays.

    To replace the icon, click Replace Icon button. Select the icon to represent this app. The file must be no larger than 1024 x 1024 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. Icon height and width must be equal.

    Screenshots

    Icon and Screenshots appear when editing an app entry.

    The screenshots retrieved from Google Play are displayed.

    • Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing.
    • To delete a screenshot, click Remove under the screenshot.

  8. Click Next.

    Item

    Description

    Silent install for Mandatory Apps

    This feature only applies to devices that support silent installation.

    • Clearing the check box means the device user will need to manually install the app.
    • Selecting the check box will install the app silently. The app is installed when the device checks in with Ivanti EPMM. User action is not required.

    For more information, see Silent install and uninstall of mandatory apps.

    Silent install is not supported for MAM-only Android devices.

    Enforce this version for Mandatory Apps

    This feature applies only to mandatory in-house apps. Version enforcement is not available for AppConnect apps or apps from Google Play.

    Select the check box to require this version of the in-house app on devices, even if newer or older versions of the same app .apk are uploaded to the App Catalog.

    In order for this to take effect, you will need to set the Mandatoryfield in the Apply to Labels dialog box to Yes.

    See Enforcement of specific app versions for mandatory in-house apps for more information, including how to achieve desired results when multiple versions of the same app are in the App Catalog.

    Per App VPN by Label Only

    Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device, then select one of the pre-configured Per-App VPN in the field below. If there is no associated label between the VPN configuration and the device, Per App VPN will not be installed on the device.

     

    De-select this check box to assign the per App VPN based on the selections in the Per App VPN field, ignoring labels. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default.

    Per app VPN is not supported for MAM-only Android devices.

    Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

    License Required

    The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:

    • If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.
    • If Per App VPN by Label Only is not selected, then the VPN configurations listed are in priority order and do not need to be assigned to a label matching the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default.

    To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.

    To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.

    See “VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN.

    Per app VPN is not supported for MAM-only Android devices.
  9. Click Finish.

The app displays in the App Catalog screen with an icon that identifies the app as an in-house app.

You know the app is an AppConnect app by looking at its version number. The version number for an AppConnect app is a concatenation of the original app’s version number and a version number from wrapping the app.