MAM-only iOS devices

Ivanti EPMM can support only one of the following types of registered iOS devices:

  • Devices that support both MAM and MDM
  • Devices that support only MAM (MAM-only devices)

Ivanti EPMM cannot simultaneously support MAM-only devices and devices that support both MDM and MAM. You configure your choice by enabling or disabling iOS MDM support in the Ivanti EPMM Admin Portal. You make this choice before any iOS devices register with Ivanti EPMM. Note that your choice has no impact on Ivanti EPMM capabilities for other device platforms, such as Android or Windows.

Whether or not you disable iOS MDM on Ivanti EPMM, you use the App Catalog on Ivanti EPMM and Apps@Work on the device to make apps available to devices. Apps@Work is presented on the device either in a web clip or in Safari.

However, in the MAM-only case, Ivanti EPMM does not send iOS devices the MDM configurations and certificates required for MDM activity on a device. These MDM configurations and certificates, as listed in the Ivanti EPMM Admin Portal in Policies & Configs > Configurations, are:

  • The System - iOS enrollment CA certificate
  • The System - iOS enrollment SCEP certificate
  • The System - iOS MDM configuration

Without these MDM configurations and certificates, Ivanti EPMM does not support any MDM features, including MDM features relating to apps, such as:

  • Per-app VPN settings
  • Managed app settings
  • Managed app configuration settings
  • Requiring data protection
  • Displaying the apps that are installed on devices

Required Ivanti Mobile@Work version for MAM-only iOS devices

MAM-only iOS device support requires Ivanti Mobile@Work 9.7 or newer versions.

Supported features on MAM-only iOS devices

When iOS MDM is disabled, only the following features are supported on iOS devices:

  • In-app registration using Ivanti Mobile@Work for iOS.

    No other registration methods are supported for MAM-only iOS devices.

  • Pushing apps to the devices using the Apps@Work web clip.
  • All types of apps are supported:
    • AppConnect apps (in-house or from the Apple App Store)
    • Non-AppConnect apps (in-house or from the Apple App Store)
    • Web applications

    The following app settings in the App Catalog are not supported for MAM-only iOS apps: per-app VPN settings, managed app settings, managed app configuration settings, and requiring data protection.

  • AppTunnel with HTTP/S tunneling
  • AppConnect-related policies and configurations:
    • AppConnect global policy
    • AppConnect container policies
    • AppConnect app configurations
    • Ivanti Web@Work settings
    • Ivanti Docs@Work settings
  • Standalone Sentry with ActiveSync support, using AppConnect-enabled Ivanti Email+ for iOS
  • The following subset of actions from the Ivanti EPMM Admin Portal (Devices & Users > Devices > Actions):
    • Force Device Check-in
    • Send Message
    • Apply to Label
    • Remove from Label
    • Retire
    • Block AppTunnel
    • Allow AppTunnel
  • Compliance actions for only the following security violations on the security policy:
    • When a device has been out of contact with Ivanti EPMM too long
    • When the iOS version is less than a specified version
    • When the device is compromised (jailbroken)
    • When particular device models are not allowed

No other iOS features are supported. For example:

  • Ivanti EPMM does not support applying any configurations or policies (in the Ivanti EPMM Admin Portal Policies & Configs) that are not related to AppConnect. For example, do not apply iOS restrictions or Wi-Fi settings.
  • The self-service user portal and My Devices in Ivanti Email+ are not available.
  • Ivanti EPMM Admin Portal MDM-related actions cannot be applied to iOS devices. These actions include wipe, lock, unlock, and locate. The Ivanti EPMM Admin Portal displays an error message when you attempt to take these actions.
  • iOS native email is not supported, because it requires the Exchange setting which requires MDM.
  • Multi-user sign-in is not supported.
  • Tunnel (AppTunnel with TCP tunneling) is not supported.
  • Ivanti EPMM does not display the apps installed on MAM-only iOS devices.
  • Changes you make on Ivanti EPMM do not result in uninstalling an app from an MAM-only iOS device. For example, the app is not uninstalled if you remove an app from the App Catalog, or remove its label, or retire the device.
  • The Apps@Work container app is not supported.

Device check-in on MAM-only iOS devices

The sync interval on the sync policy has no impact on MAM-only iOS devices. Therefore, automated device check-ins occur only when the AppConnect app check-in interval expires. You configure this value on the AppConnect global policy. When the AppConnect app check-in interval expires, Ivanti Email+ checks in with Ivanti EPMM, and receives updates to policies and configurations.

Device check-ins also occur when:

  • An AppConnect app launches for the first time.
  • A device user taps Check for Updates in Ivanti Mobile@Work for iOS.
  • A device user brings Ivanti Mobile@Work to the foreground.
  • You do a Force Device Check-in from the Ivanti EPMM Admin Portal (Devices & Users > Devices > Actions).

    This action does not update the AppConnect-related policies on the device.

Trusted certificates and MAM-only iOS devices

When you set up Ivanti EPMM, you provide a client TLS certificate. This certificate secures communication between the mobile device and Ivanti EPMM. Often the client TLS certificate is the same certificate as the Portal certificate, which secures communication between a web browser and Ivanti EPMM.

If the client TLS certificate or the Portal certificate is not trusted by iOS, the device user on a MAM-only iOS device, unlike on an MDM iOS device, must manually accept the certificates. To do this, after completing the Ivanti Mobile@Work registration process, the device user must open the device’s Settings, navigate to Settings > General > About > Certificate Trust Settings, and trust the certificates. Therefore, to streamline the device user experience, use only certificates trusted by iOS for the client TLS certificate and the Portal certificate.

For lists of available trusted root certificates in iOS, see Apple documentation at https://support.apple.com.

See also:

  • “Types of certificates” in the Ivanti EPMM Device Management Guide for iOS and macOS devices
  • “Certificate Mgmt” in the Ivanti EPMM System Manager Guide

Configurations and certificates for MAM-only iOS devices

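When you use MAM-only iOS devices, Ivanti EPMM supports delivering only certain types of configurations and certificates to the device. These configurations belong to two categories:

  • AppConnect-related configurations and policies on MAM-only iOS devices
  • Other certificates and configurations that are supported with MAM-only iOS devices

To avoid delivering the second category of certificates and configurations to devices, you can use the Ivanti EPMM option to not install profiles on iOS devices.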

AppConnect-related configurations and policies on MAM-only iOS devices

The AppConnect-related configurations and policies on MAM-only iOS devices are:

  • The AppConnect global policy
  • The AppConnect container policy
  • The AppConnect app configuration
  • The Ivanti Docs@Work setting
  • The Ivanti Web@Work setting

Other certificates and configurations that are supported with MAM-only iOS devices

The other certificates and configurations supported with MAM-only devices, as listed in the Ivanti EPMM Admin Portal in Policies & Configs > Configurations, are:

  • The System - iOS Enterprise AppStore web clip
  • The System - iOS Enterprise AppStore SCEP certificate
  • The System - TLS Trust Certificate Chain for Mobile Devices certificate

Note the following regarding configurations and certificates when using MAM-only iOS devices:

  • Ivanti EPMM does not receive status from the device about whether these non-AppConnect related certificates and configurations have been applied. Therefore, the status of these configurations in the device details display remains as Sent.
  • When you retire a device, the certificates and configurations are not removed. A device user can manually remove them.

Ivanti EPMM option to not install profiles on iOS devices

With a setting on Ivanti EPMM, you can instruct Ivanti EPMM to not install profiles on iOS devices. When you do so, Ivanti EPMM does not send the non-AppConnect-related certificates and configurations to MAM-only iOS devices.

Installing these profiles allows device users to use the Apps@Work web clip, which means they can easily view and install apps without entering any further credentials. Your requirements for user convenience versus user concerns determine your choice for this setting.

The setting is the Enable Configuration Profiles field on the privacy policy that Ivanti EPMM applies to the device. The field is selected by default. Because clearing this field means that Ivanti EPMM does not push the Apps@Work web clip and certificate to the device, the device user needs another way to access Apps@Work. Therefore, when you clear this field, Ivanti Mobile@Work for iOS displays an Apps@Work button on its home screen. When the device user taps that button, Apps@Work opens in Safari. The device user logs into Apps@Work with a user name and password.

Also, when you clear Enable Configuration Profiles:

  • The Portal HTTPS certificate you configure on the Ivanti System Manager must be trusted by iOS if you want the device user to download in-house apps from Apps@Work. For lists of available trusted root certificates in iOS, see Apple documentation at https://support.apple.com.
  • The setting has no impact on versions of Ivanti Mobile@Work prior to 10.0. That is, the non-AppConnect related certificates and configurations will be installed on the device.

In-house apps and provisioning profiles for MAM-only iOS devices

In-house iOS apps require a provisioning profile. However, if you replace the provisioning profile, when Ivanti EPMM delivers the updated provisioning profile to the impacted iOS devices, it also resends all the non-AppConnect-related policies and configurations to the devices. Ivanti Mobile@Work will prompt the device user to re-install each certificate and configuration.

The device user experience on MAM-only iOS devices

The device user experience on MAM-only iOS devices is the same as on devices that also support MDM, with these exceptions:

  • Device users must register with Ivanti EPMM using the Ivanti Mobile@Work for iOS app. (No other registration methods are available for MAM-only iOS devices.) The registration process in Ivanti Mobile@Work is shorter than on devices that support MDM because the MDM configurations and certificates are not installed.
  • The privacy policy that Ivanti Mobile@Work presents to the device user is shorter on MAM-only devices. It tells the user only that it will not access personal content. Other statements in the policy on MDM devices, such as statements about providing some device details to the user’s company, are not applicable on a MAM-only device.
  • When a device user uses Apps@Work to install an app from the Apple App Store, the behavior is different on MAM-only devices than on devices with MDM.
    • On MAM-only devices: Tapping Install for an app in Apps@Work opens Safari to the app’s entry in the Apple App Store. From there, the device user downloads and opens the app. The app is installed just as if the device user had gone directly to the Apple App Store.
    • On MDM devices: Tapping Install for an app presents a message that Ivanti EPMM will install the app from the Apple App Store and manage the app. The device user enters an Apple ID, and the app is installed. If the device user had gone directly to the Apple App Store to install the app, the app would not be managed.