App configuration for Android Enterprise apps

App configurations (also referred to as app restrictions) are key-value pair settings that are provided by the app developer. When you select the Install this app for Android enterprise check box when adding a public app, the Configuration Choices section appears in the app wizard. Refer to the app’s documentation and help hints for information on its configuration settings. These settings allow you to configure the app, without involving the device user.

Ivanti EPMM supports multiple bundle definitions in a bundle array for apps that have the capability to use this feature. For example a VPN app may support multiple VPN configurations by clicking the Add New Configuration button and entering the Profile Name and Server for a specific VPN and optionally specify your web log on credentials.

When using Ivanti Mobile@Work 9.6 or newer versions, Ivanti EPMM delivers app configurations using Google Play. Therefore, the app and its app configurations are installed at the same time on the device, avoiding the potential issue of device users launching the app before the app configurations are received.

Creating multiple app configurations

Ivanti EPMM allows you to create multiple app configurations per app:

  • The default app configuration for the app is applied to devices with the same label that you applied to the app.
  • Any additional app configuration that you can create is applied to devices with the labels you specify.

Using multiple app configurations is useful when sets of users of the app require different configuration values. For example, consider a Human Resources app that users throughout the United States use. However, you want the app to connect to a different server depending on a user’s region:

  • Users in the Eastern region must connect to a server in the east.
  • Users in the Western region must connect to a server in the west.
  • Users in the Northern and Southern regions connect to a server in St. Louis.

Therefore, do the following:

  • Label the app with the Human Resources label.
  • Create an app configuration that specifies the server in the east, and label the app configuration with the Eastern Region label.
  • Create an app configuration that specifies the server in the west, and label the app configuration with the Western Region label.
  • In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region label or the Western Region label will use this server.

App Configuration Choices for Android public apps

Administrators can customize multiple app configurations, apply to different labels, and determine the configuration priorities based on the target device users' app usage needs. This is done by setting the runtime permissions for Android devices within a selected app.


  1. After adding a new app in the App Catalog, Edit the app.

  2. In the Configuration Choices section, click the Add+ button.

    The New App Configuration dialog box opens.

  3. Enter a Configuration Choice Name.

  4. Expand the Runtime Permissions section. These Runtime permissions are available for apps targeting API 23+ and running Android 6.0+.

  5. Make your Runtime Permission selections. The default setting is Not Sent, but you can change it to Use Default, Always Deny and Always Accept.

  6. In the Apply Labels to this App Config section, search for or select your label(s) for this configuration.

  7. When finished, click the Add button.

    The new configuration displays in the Configuration Choices table.

    • If you want to make further changes, clicking on the configuration link will open the App Configuration dialog box.

    • Clicking the Copy icon of the configuration will make a duplicate of the selected configuration with the prefix "Copy of" before the original configuration name.

  8. In the Edit app page, click Save.

Updates to managed app configuration schemas

If Ivanti EPMM detects a new managed app configuration schema update, Administrators will see a notification under the Configuration Choices header in an edited app.


  1. Where it states "New configuration / Runtime Permission is now available," click the Update button.

    WARNING: You could potentially lose existing configuration attribute values when you save the new downloaded configuration. If you need to duplicate the existing schema and use the duplicated managed app configuration to first validate the changes, click Cancel.

  2. Click Download.

  3. Ivanti EPMM checks if there is a change in your new managed app configuration schema and informs you that some of your existing configuration have been translated to the new schema. Ivanti EPMM will also inform you if there were no changes detected between the existing schema and the latest downloaded version. Click OK.

Set managed app config settings that are required to be sent to the device

Administrators can choose the behavior for constructing managed app configurations. By default, Ivanti EPMM only pushes settings with valid values defined to device/app. Now a new option allows administrators to push all settings, irrespective of the value. This allows for apps with different behaviors to be compatible with Ivanti EPMM. It is recommended to only change this setting if defaults are causing issues with app performance. This applies to Ivanti EPMM upgrades and new installations. Applicable to Android Enterprise and Work Managed Device Non-GMS mode (AOSP) mode in-house and public apps.

Before you begin 

Have your managed app configurations created.


  1. In the Configuration Choices section, select the link of the configuration you want to modify. The Edit Configuration dialog box opens.
  2. In Push to device settings, choose an option:

  • Only push settings with values defined - (default) Selecting this option will enable configurations that have a value to be pushed to the device. This means in the Configuration Choices section below, any defined properties, check boxes selected, etc. will be sent to the device. Values are always sent irrespective of whether this check box is selected or not.

  • Push All Settings - Selecting this option will enable all configurations to be pushed to the device, including the ones that do not have a value.

Due to specific app's behavior, if the administrator selects Push All Settings, the app may or may not crash. In this case, the administrator will need to select Only push settings with values defined.

  1. Save your changes.

Priorities of app configurations

Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top of the list of configuration choices. The default configuration always has the lowest priority and appears at the bottom of the list. Ivanti EPMM assigns a device the app configuration with the highest priority that has a label that matches a label on the device.

You can change the priorities of app configurations by dragging and dropping them in the table of configuration choices for the app.

Substitution variables for configuring Android Enterprise apps

Substitution variables can be used for configuring values from LDAP or the Ivanti EPMM devices database, such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when editing app configurations by entering the substitution variable $NULL$ for those values.

You may use the following variables when configuring any Android Enterprise app:



























Enable Google Apps Integration for the substitution to work properly.

Substitution variable for certificate aliases in Android Enterprise apps

Some Android Enterprise apps, including Gmail, Tunnel for Android Enterprise, and Pulse Secure, use certificates generated based on a certificate enrollment setting. These apps accept certificate aliases in the app configuration. The substitution variable to provide a certificate alias is:

$CERT_ALIAS:<certificate enrollment setting name>$ where

<certificate enrollmnent setting name> is the name you gave to the certificate enrollment setting.

To use a certificate with apps, in the Ivanti EPMM Admin Portal:

  1. Go to Policies & Configs > Configurations
  2. Locate your certificate enrollment setting. Note its name. You will need the name for the alias variable.

    Note: The certificate enrollment setting must be created before continuing with these steps.

  3. Ensure the certificate enrollment setting is assigned to a label that is also used for distributing the apps that require the certificate.
  4. Go to Apps > App Catalog.
  5. Edit the app by clicking the app name, then clicking Edit.
  6. Ensure that the Android Enterprise check box Install this app for Android enterprise is selected.
  7. In the Configurations section, type in the certificate alias in the field that requires it:

    $CERT_ALIAS:<certificate enrollment setting name>$

  8. Click Finish to save your changes.

Certificate aliases are not supported for user-provided certificate enrollment settings. For more information about Certificate Enrollment Settings, see “Certificate Enrollment Settings” in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

For identity certs applied to Android devices, Ivanti Mobile@Work will require a passcode for the device or work profile, if the user has not already created one.

On Android 6.0 devices or higher, and with Ivanti Mobile@Work 9.6, identity certs will be automatically assigned for apps. Users will not be prompted to select a certificate.