iOS managed app configuration

An iOS managed app can automatically get its app-specific configuration from Ivanti EPMM, rather than requiring the device user to enter the values in the app. Some examples of app-specific configuration are:

  • User information
  • Server information
  • Whether particular features should be enabled

This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user.

Ivanti EPMM supports iOS managed app configuration with two different mechanisms:

IMPORTANT: Both mechanisms use native iOS capabilities. iOS stores the configuration settings unencrypted on the device. Therefore, do not provide sensitive information such as passwords or private keys in managed app configuration values.

iOS managed app configuration is not supported on MAM-only iOS devices.

The Managed App Config setting that use plists

The Managed App Config setting is one mechanism that Ivanti EPMM can use to provide configuration settings to iOS managed apps. You create a Managed App Config setting in Policies & Configs > Configurations > Add New > iOS and macOS > Managed App Config.

Using a Managed App Config setting requires an Ivanti EPMM license. For more information on this feature, see “Managed App Config settings that use plists” in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

By default, a legacy Managed App Config setting is ignored if a Managed App Configuration setting is available for the app in its App Catalog entry.

Related topics 

Managed App Configuration settings for iOS apps in the App Catalog

This mechanism supports the iOS managed app configuration defined in the AppConfig Community at appconfig.org. Working with Ivanti EPMM, many registered Ivanti, Inc Technology Partners who are deploying their apps to the Apple App Store support this mechanism to make their apps easier to deploy in enterprises. This mechanism works as follows:

Figure 1. Managed app configuration flow

Explains the flow of managed app configuration

Using this mechanism makes it easy for you to configure an iOS managed app’s configuration on Ivanti EPMM. Specifically:

  • When you import the app into the App Catalog, Ivanti EPMM automatically retrieves the default app configuration for viewing and editing.
  • You edit the values for the app configuration in the Ivanti EPMM Admin Portal in a graphical user interface.
  • Depending on the app, the user interface includes descriptions about each field.
  • You can create multiple app configurations, applying different labels to each app configuration. Multiple app configurations allow different sets of devices to receive different configuration values.

Refer to the app’s documentation to find out:

  • Whether the app supports managed app configuration.
  • More details on its specific configuration settings.

Ivanti EPMM supports this mechanism only for Apple App Store apps, not for in-house apps.

This topic includes the following sections:

Multiple app configurations per iOS app

Ivanti EPMM allows you to create multiple app configurations per app:

  • The default app configuration for the app is applied to devices with the same label that you applied to the app.
  • Any additional app configurations that you create are applied to devices with the same labels that you specify for the additional app configuration.

Case study

Using multiple app configurations is useful when sets of users of the app require different configuration values. For example, consider a Human Resources app that users throughout the United States use. However, you want the app to connect to a different server depending on a user’s region:

  • Users in the Eastern region must connect to a server in the east.
  • Users in the Western region must connect to a server in the west.
  • Users in the Northern and Southern regions connect to a server in St. Louis.

Therefore, do the following:

  • Label the app with the Human Resources label.
  • Create an app configuration that specifies the server in the east, and label the app configuration with the Eastern Region label.
  • Create an app configuration that specifies the server in the west, and label the app configuration with the Western Region label.
  • In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region label or the Western Region label will use this server.

App Configuration Choices for iOS public apps

Administrators can customize multiple app configurations, apply to different labels, and determine the configuration priorities based on the target device users' app usage needs.

Procedure 

  1. After adding a new app in the App Catalog, Edit the app.

  2. In the Managed App Configuration section, select the Add+ button.

    The New App Configuration dialog box opens.

  3. Enter an App Configuration Name.

  4. In the Source Type field, upload a .xml file.

  5. In the Apply Labels to this Managed App Configuration section, search for or select your label(s) for this configuration. See All-Smartphones label.

  6. When finished, select the Save button. The new configuration displays in the Managed App Configuration table. If you want to make further changes, selecting the configuration link will open the App Configuration dialog box.

  7. Repeat the above steps for additional configurations. See Copying configurations and Adding a new managed app setting for an app.

  8. In the Edit app page, select Save.

All-Smartphones label

In Edit mode of an app, in the Managed App Configuration section:

  • In Ivanti EPMM 11.8.0.0 and lower, when the administrator saved the configuration, Ivanti EPMM added the All-Smartphones label by default. Not all configurations had to have a label, only the lowest-priority one.

  • In Ivanti EPMM 11.9.0.0 and later, administrators can change the label. The last/lowest priority configuration must have a label, thus making it the default configuration. This means that the All-Smartphones label is not required on all configurations; the administrator can choose the relevant label.

    If the administrator added configurations one by one, always adding at the lowest priority instead of the highest, then each configuration will automatically have the All-Smartphones label. However, if the administrator added more than one configuration, the highest priority rows could be blank labels, and only the lowest priority configuration will be forced to have the All-Smartphones label.

Copying configurations

  • In the Managed App Configuration section, selecting the Copy icon of the configuration will make a duplicate of the selected configuration with the prefix "Copy of" before the original configuration name.

  • All settings of the copied configuration, including the labels, get copied.

Priorities of iOS app configurations

Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top of the list of app configurations. The default configuration always has the lowest priority and appears at the bottom of the list. Ivanti EPMM assigns a device the app configuration with the highest priority that has a label that matches a label on the device.

In the table of configuration choices for the (edited) app, administrators can change the priorities of app configurations by dragging and dropping the equal icon (=), located to the right of the Copy column. Move the configuration up or down to change the priority or to reorder the list.

Substitution variables for configuring iOS apps

Substitution variables can be used for configuring values from LDAP or the Ivanti EPMM devices database, such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when editing app configurations by entering the substitution variable $NULL$ for those values.

You may use the following variables when configuring app configuration fields:

Table 7.  Substituion variables for configuring iOS apps

Substitution variable

More information

Sample of substituted value

$USERID$

Login ID (email address format)

Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only.

[email protected]

$EMAIL$

Email address

Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only.

[email protected]

$EMAIL_DOMAIN$

The domain part of the email address (part after the ‘@’)

myCompany.com

$EMAIL_LOCAL$

The local part of the email address (part before the ‘@’)

jdoe

$PASSWORD$

Use not recommended because the managed app configuration values are not encrypted on the device

 

$FIRST_NAME$

First name

Jane

$LAST_NAME$

Last name

Doe

$DISPLAY_NAME$

Display name

Jane Doe, CEO

$USER_DN$

Distinguished Name

CN=Jane Doe,

OU=NA,OU=Users,

OU=XY,

DC=myCompany,

DC=com

$USER_UPN$

The Microsoft userPrincipalName attribute

[email protected]

$USER_LOCALE$

Locale

en_US

$DEVICE_UUID$

iOS Unique Device Identifier

c752e7052fe5e5ca8166e408c4b48573b5b5bd82

$DEVICE_UUID_NO_DASHES$

 

 

$DEVICE_IMSI$

International Mobile Subscriber Identity

310150123456789

$DEVICE_IMEI$

International Mobile Equipment Identity

01 342300 291808 3

$DEVICE_SN$

Serial Number

DNRJVLP7DTTN

$DEVICE_ID$

Mobile Equipment Identifier

A0123456789012

$DEVICE_MAC$

Wi-Fi MAC Address

30:f7:c5:87:e8:78

$DEVICE_CLIENT_ID$

Unique device identifier

1073741831

$MODEL$

Device model

iPhone 6

$PHONE_NUMBER$

Device phone number

888-555-1212

$USER_CUSTOM1$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM2$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM3$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM4$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$CN$

Common Name (CN) attribute extracted from the distinguished name

Jane Doe

$OU$

Organizational Unit (OU) attribute extracted from the distinquished name

XY

$ICCID$

Integrated Circuit Card Identifier

89014104254287052057

$SAM_ACCOUNT_NAME$

The Microsoft sAMAccountName attribute

jdoe

$MI_APPSTORE_URL$

The URL of the Ivanti EPMM app store, as accessed by the Apps@Work web clip

https://myCore.mycompany.com/mifs/asfV3/
appstore?clientid=$DEVICE_CLIENT_ID
$&vspver=9.3.0.0

$REALM$

The domain component of an LDAP entry

mycompany.com

$TIMESTAMP_MS$

Unix time stamp of when Ivanti EPMM sends the managed app configuration to the device

1485992717498

$NULL$

An empty string. Use this variable to prevent the re-population of deleted default values.

<no value>

Changes to managed app configurations for iOS apps

For iOS apps, when the app data is in View or Edit mode, Ivanti EPMM loads the latest managed app schema from the AppConfig repository and displays the latest fields (including any new fields) in the “Managed App Configurations” section in the UI. Ivanti, Inc recommends that before saving the changes, you first carefully inspect the updated managed app configuration. Once you select Proceed and select Confirm, the updated managed app configuration settings are saved and the changes are pushed out to all associated devices, including Shared iPad devices.

When you change the values for the app configuration of an app in the App Catalog, either one or two device check-ins are necessary for the device to receive the new values from Ivanti EPMM. If the iOS MDM terminates the connection between the device and Ivanti EPMM before Ivanti EPMM can deliver the update, a second device check-in may be necessary.

App version updates and managed app configuration for iOS apps

When you update an app in the App Catalog on Ivanti EPMM to a newer version, the new version sometimes has an updated managed app configuration. However, Ivanti EPMM does not push the updated managed app configuration until you edit and save the app in the App Catalog. Until that time, devices that upgrade to the new version of the app still receive the older version of the app configuration. Because a new version of an app is typically backward compatible with the older app configuration, the app will still run successfully. However, the app will not use any new features that the updated app configuration provides.

Configuring the plist setting to take precedence over the iOS managed app configuration setting

Consider the case in which both of the following are true:

  • Ivanti EPMM has retrieved the managed app configuration for an app.
  • A Managed App Config setting with a plist exists for the app.

By default, the managed app configuration included with the app overrides the Managed App Config setting with a plist. However, you can specify that the Managed App Config setting with a plist should override the managed app configuration with the following procedure.

Before you begin 

Make sure you have created a Managed App Config setting with a plist and assigned the necessary labels to it. See “Managed App Config settings that use plists” in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
  2. Select the app.
  3. Select Edit.
  4. In the Managed App Configurations section, select Use the .plist file uploaded in a Managed App Config Setting instead of these Managed App Configurations.
  5. Select Save.

If no Managed App Config setting is applied to the device, the app still uses the default managed app configuration in the App Catalog entry.

Adding a new managed app setting for an app

In addition to the default managed app configuration, you can add managed app settings from the AppConfig community or by uploading an XML file. The settings in the new managed app configuration can be edited in the Ivanti EPMM Admin Portal. You add new managed app settings for an app by editing the app in the Ivanti EPMM Admin Portal.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
  2. Select the app.
  3. Select Edit.
  4. In the Managed App Configurations section, for Customize and prioritize app configurations based on app usage, select Add.
  5. Enter a name for the managed app configuration.

  6. For Source Type, select one of the following:

    • AppConfig Community: This option is available only if the app has an app configuration available in the AppConfig community repository. If the configuration is available, the option is selected by default.
    • Upload .xml spec: Select the option to upload an XML schema to push a particular set of app configurations.
  7. If your source type is Upload .xml spec, do one of the following:
    • Drag and drop the .xml file into the dotted box.
    • Select Choose File to navigate to the location and upload the .xml file.

    Ensure that the .xml file contains the version and bundle ID for the app, and that the bundle ID in the .xml file matches the bundle ID for the app. An error message displays if the bundle ID in the file does not match with the bundle ID of the app.

  8. Scroll down and select a label to apply the configuration.

  9. Select Add.

    The new managed app configuration displays in the Managed App Configurations section.

    Figure 2. Add managed app configuration

    Screen shot of Adding a Managed App Configuration

  10. Update the configuration fields as needed.

    • The configuration fields are populated with the values available in the .xml file. If the XML file does not contain any default values, an empty configuration will get pushed to devices. Therefore, check the configuration values and update as needed.

    • Selecting the Copy icon of the configuration will make a duplicate of the selected configuration with the prefix "Copy of" before the original configuration name.

    • In the column to the right of the Copy column, administrators can drag the equal icon (=) and move it up or down to change the priority or to reorder the list.

    • To display a notification when the application is terminated by the device user, set the application to do one of the following:

      • Default notification - Ensure that device users stay connected with the App to keep their device secured by setting the following values in the Managed App configuration:

        • Key - enableAppTerminationNotification

        • Value - 0 or 1

        • Type - Boolean

      • Custom notification - Add the following values to the Managed App configuration: 

        • Key - appTerminationNotificationMessage (The key is ignored if enableAppTerminationNotification is absent or has a value of 0.)

        • Value - Custom notification

        • Type - String

  11. Select Save.

Ivanti EPMM upgrade and iOS managed app configuration

Consider the case where:

  • You upgraded to this version of Ivanti EPMM from a version of Ivanti EPMM that did not support managed app configuration, and
  • An app was already in the App Catalog before the upgrade.

After the upgrade, Ivanti EPMM does not immediately retrieve the app’s managed app configuration. Ivanti EPMM retrieves it when you edit the app in the App Catalog.