Global App Config Settings policy

Administrators can create global policies with different app settings (silent install, auto-update, mandatory, etc.) and can assign them to different labels. By creating a global policy, administrators can avoid editing each app and configuring its settings individually. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed.

Multiple global App Config Settings policies can be created. Each policy must have a different name; two policies cannot have the same name. Additionally, the exact same labels should not be applied to more than one policy. For example, policy A and policy B cannot both have the "Android" label applied.

  • The policy can be prioritized
  • The policy will work for both Android and iOS devices
  • Applicable to all types of apps

Labels

After setting a basic global policy, administrators can then edit the settings for each label assigned to the app. This is done in the App Catalog, where you can select one or several apps and have the ability to apply this already-created global app configuration to one or more labels.

When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed.

If the labels of a policy intersect with the labels of an app, then Ivanti EPMM picks the matching policy as priority. Below are the possible ways to set the appropriate labels on the App Config Settings policy / policies.

Table 26.  Example A - Label Settings

Item

Description

Apps:

  • Gmail has label_1.
  • AnyConnect has label_2.

App Config Setting Policies:

  • Policy_1 has label_1 with priority 1.
  • Policy_2 has label_2 with priority 2.

Device:

If the device has label_1 and label_2, then the Gmail app will pick Policy_1 and the AnyConnect app will pick Policy_2.

Table 27.  Example B - Label Settings

Item

Description

Apps:

  • Gmail has label_1.
  • AnyConnect has label_2.

App Config Setting Policies:

  • Policy_1 has label_1 and label_2.

Device:

If the device has label_1 and label_2, then both the Gmail and AnyConnect apps will pick Policy_1.

Table 28.  Example C - Label Settings

Item

Description

Apps:

  • Gmail has label_1.
  • AnyConnect has label_2.

App Config Setting Policies:

  • Policy_1 has label_1.

Device:

If the device has label_1 and label_2, then the Gmail app will pick Policy_1 and the AnyConnect app will choose App Catalog settings.

Table 29.  Example D - Label Settings

Item

Description

Apps:

  • Gmail has label_2.

App Config Setting Policies:

  • Policy_1 has label_1.

Device:

If the device has label_1 and label_2, then the Gmail app will choose App Catalog settings.

Table 30.  Example E - Label Settings

Item

Description

Apps:

  • Gmail has label_1 and label_2.

App Config Setting Policies:

  • Policy_1 has label_1 with priority 1.
  • Policy_1 has label_2 with priority 2.

Device:

If device has label_1 and label_2, then the Gmail app will pick Policy_1. The reason is Policy_1 has the highest priority.
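The label-matching rules illustrated in Examples A through E can be modelled to audit which apps end up on a global policy and which silently fall back to App Catalog settings. This is an added example, not Ivanti code or an Ivanti EPMM API; the Policy class, the function names and the matching rule (a policy applies when it shares a label with the app and that label is on the device, lowest priority number wins) are assumptions drawn from the tables above.

```python
from dataclasses import dataclass

APP_CATALOG = "App Catalog settings"  # fallback named in Examples C and D


@dataclass(frozen=True)
class Policy:  # hypothetical model of an App Config Settings policy
    name: str
    labels: frozenset
    priority: int  # 1 is the highest priority, as in Example E


def validate(policies):
    """Check the two creation rules: unique names, no identical label sets."""
    problems = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if p.name == q.name:
                problems.append(f"duplicate policy name: {p.name}")
            if p.labels == q.labels:
                problems.append(f"{p.name} and {q.name} have the exact same labels")
    return problems


def resolve(app_labels, device_labels, policies):
    """Return the policy an app picks on a device, or the App Catalog fallback.

    Assumption: only labels present on both the app and the device count.
    """
    effective = set(app_labels) & set(device_labels)
    matches = [p for p in policies if p.labels & effective]
    if not matches:
        return APP_CATALOG
    return min(matches, key=lambda p: p.priority).name


def audit(apps, device_labels, policies):
    """Map each app to its effective source of settings for review."""
    return {name: resolve(labels, device_labels, policies)
            for name, labels in apps.items()}


# Constructed data mirroring Examples A and C
DEVICE = {"label_1", "label_2"}
APPS = {"Gmail": {"label_1"}, "AnyConnect": {"label_2"}}
EXAMPLE_A = [Policy("Policy_1", frozenset({"label_1"}), 1),
             Policy("Policy_2", frozenset({"label_2"}), 2)]
EXAMPLE_C = [Policy("Policy_1", frozenset({"label_1"}), 1)]

if __name__ == "__main__":
    print(audit(APPS, DEVICE, EXAMPLE_A))
    print(audit(APPS, DEVICE, EXAMPLE_C))
```

Any app that resolves to App Catalog settings is not covered by the global policy, so its per-app values are the ones to review.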

Creating a new App Config Settings policy

This section covers how to set a global App Config Settings policy.

Procedure 

  1. In the Admin Portal, select Policies & Configs > Policies.
  2. Select Add New > App Config Settings. The Add App Config Settings dialog box opens.
  3. Enter the policy name in the Name field.
  4. Select Active to enable the policy.
  5. Select Higher than or Lower than in the Priority option, then select the other priority.

    This option is available only if you have two or more App Config Setting policies. Use it to set the priority of one policy over the other in case of conflicts.

  6. (Optional) Enter a Description of the policy.
  7. In the General, iOS Settings, and/or Android Settings tabs, make your app configuration selections. For definitions of the fields, see App Config Settings.
  8. Click Save.
  9. Edit / Update your labels. See Creating Labels in Getting Started with Ivanti EPMM.
  10. Apply labels to your new App Config Settings policy / policies. See Applying configurations to labels.
  11. In the App Catalog, edit your apps and select the Use Global App Config Policy option so the app will default to the App Config Settings policy.
  12. In the App Catalog, apply labels to apps.
  13. In the Device Details > Apps tab, for every app that the global App Config Settings policy is applied to, the name of that policy displays in the Global Policy Name column.

    The global policy will not be displayed under Device Details > Policies tab or in the Watchlist and Device Count columns under Policies & Configs > Policies.

App Config Settings

This section covers the field definitions for the global App Config Settings policy.

General tab > Common App Setting section

The General tab applies to both iOS and Android apps.

Table 31.  General tab - Common App Settings

Field

Description

Disable App Delivery Network for this App

If there is a content delivery network (CDN) enabled in Ivanti EPMM, administrators can choose to disable it for an app. This option displays only if a CDN is enabled.

iOS Settings tab

The iOS settings are only applicable if MDM setting is enabled.

Table 32.  iOS settings - Managed App Settings

Field

Description

Prevent backup of the app data

Select to ensure that iTunes will not attempt to back up possibly sensitive data associated with the given app.

This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.

Remove app when device is quarantined or signed out

Select to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode.

To enable this feature, you must also configure a corresponding compliance action, and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be downloaded again.

  • If you change the setting after the app is added, the changed setting will not be applied to the app.
  • This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.

This option is ignored when "Use Global App Config Policy" and "Send convert unmanaged to managed app request for quarantine devices (iOS 9.0+)" are enabled for a particular app.

For more information, see Using Secure Sign-In and Sign-Out.

Send installation request on device registration or sign in

Select to send an installation request upon device registration or sign-in. If the app is already installed on the device, Ivanti EPMM will do nothing. Deselected by default.

For User Enrollment and Shared iPad devices for Apple Business Manager, this field will only send an installation request on device registration or sign-in. Only Apple-licensed apps are sent to Shared iPad devices through registration. Deselected by default.

Send installation request to quarantine devices

Select to send an installation request to quarantine devices. Deselected by default.

Remove app when MDM profile is removed

Selected by default, this option removes the app from the device when the MDM profile is removed from the device.

This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.

Prevent user from removing and offloading app

Select this option to prevent device users from removing and uninstalling the managed app (for example, Ivanti Mobile@Work.) It also prevents the OS from automatically offloading apps that are not being used. When the device user tries to uninstall the app, a pop-up will state: "Uninstall Not Allowed - It is not possible to uninstall this app at this time."

De-select to allow the device users to remove and uninstall the app.

Applicable to iOS 14.0 or newer versions.

Android Settings tab

  • The Android Settings apply to Android and Android Enterprise devices.
  • Android Enterprise (all Modes) settings are applicable only if Google JSON is uploaded.
  • Delegated Permissions are applicable to Android 8.0 and later.

Table 33.  Android Settings tab

Field

Description

Feature this App in the Apps@Work Catalog

Select if you want to highlight this app in the Featured apps list.

Silent install for Mandatory Apps

The app is installed when the device checks in with Ivanti EPMM. Device user action is not required. This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices.

De-selecting the check box means the device user will need to manually install the app.

If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices.") This is because Ivanti EPMM will send the request to Google and Google then forwards the request to the Android devices.

Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide.

If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device.

Applicable to:

  • Samsung SAFE devices MDM version 1.0+
  • Zebra MX 4.4+
  • LG devices

Enforce this version for Mandatory Apps

Select to ensure that every version of the same app is installed, including the latest version.

The version enforcement feature is supported only with regular (non-AppConnect) in-house apps. It does not apply to AppConnect apps or Google Play apps.

Use the version enforcement feature to:

  • Ensure devices have the in-house app installed, regardless of version number.
  • Lock users to a particular version of the Ivanti Mobile@Work app. This applies to organizations that install Ivanti Mobile@Work as an in-house app instead of installing it from Google Play.
  • Ensure users do not upgrade to a new version of an in-house app while the newer version is still undergoing testing.
  • Downgrade users to a previous version of an in-house app.

See Enforcement of specific app versions for mandatory in-house apps in the Ivanti EPMM Apps@Work Guide.

Require the user to install the latest version of the app in order to run it.

Select to ensure the device user installs the latest version of this app.

IMPORTANT: You must select this check box for the entries for each version of this same app in order for this feature to take effect.

Clear the check box for all versions of this app to allow users to work with any version of this app. For more information, see Specify latest version required for a secure app in the Ivanti EPMM Apps@Work Guide.

Silent install for work managed devices

This feature is specifically for private in-house Android Enterprise apps and applies only to devices that support silent installation.

Clearing the check box means the device user will need to manually install the app.

If this check box is selected, then the apps will be installed on the device according to the app constraints and time it takes to install. The app is installed when the device checks in with Ivanti EPMM. Device user action is not required.

If "Silent install for Mandatory Apps" is enabled along with "Silent install for work managed devices," then "Silent install for Mandatory Apps" will take precedence and the app will be installed on the device irrespective of the constraints set for the "Silent install for work managed devices" option. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option.

Silent install is not supported for MAM-only Android devices.

Additional settings can be made for silent installs of work managed devices. These settings are applicable for public and private apps. Prerequisite apps are pushed before dependent apps.

Auto Install Mode - Self hosted apps will not be auto installed.

  • Force Install (default)
  • Auto Install Once - recommended by Ivanti.

App Download Priority - You can prioritize downloading of specific apps before other apps. For example, prioritizing the download of Tunnel and Email apps before other non-critical apps.

  • Low
  • Medium (default)
  • High

Install only when connected to Wi-Fi - Default is de-selected.

Install only when charging - Default is de-selected.

Install only when Idle - Default is de-selected.

For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide.

If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device.

Silently install Mandatory Apps

This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices. Selected by default.

De-selecting the check box means the device user will need to manually install the app.

If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices.") This is because Ivanti EPMM will send the request to Google and Google then forwards the request to the Android devices.

Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide.

If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device.

Block Widget on Home Screen

If selected, the app cannot place widgets on the home screen on work profile devices. For example, calendar apps are not permitted to place calendar widgets on the home screen.

Applicable only to apps installed in the Managed profile.

Block Uninstall

Selected by default, this feature prevents the device user from uninstalling the app.

Quarantine app when device is quarantined

Required for Work Profile mode, Work Managed Device mode, and Managed Device with Work Profile mode.

Selected by default, this enables configured compliance actions to hide the app if a policy violation results in a quarantined device. This is a required selection for Work Profile mode, Work Managed Device mode and Managed Device with Work Profile mode.

A second step is required to enable this feature: configure a corresponding compliance action and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be used again. If this option is deselected, the app is available for usage, even when the device is quarantined.

If you change the setting after the app is added, the changed setting will be applied to the app.

Auto Launch Application on Install

Selected by default. After installation, the Ivanti Mobile@Work app would be in the foreground when launching apps.

Applicable to Android devices in:

  • Work Profile mode
  • Work Profile on Company Owned Device mode

Update Priority

Select from the drop-down: Default, High Priority, Postpone for 90 days

Minimum Version Code

Select from the drop-down the version code number.

Configure third-party app runtime permissions

Select this check box to modify runtime permissions for other apps.

  • Applicable to public / private apps in Work Managed Device mode on Android 8.0 or newer versions.
  • Applicable to in-house apps and public / private apps in Managed Device with Work Profile (COPE) mode on Android versions 8-10.
  • Applicable only to public / private apps on all managed Work Profiles, including Work Profile on Company Owned Device mode, on Android 11.0 or newer versions.

Hide and suspend third-party apps

Select this check box to delegate permission to third parties to hide and suspend the selected app.

  • Applicable to in-house and public / private apps for Work Managed Device mode and Managed Devices with Work Profile (COPE) mode starting from Android 8.
  • Applicable to public / private apps on managed profiles.
  • Applicable to public / private apps on Work Profile on Company Owned Device mode starting from Android 11.

Manage certificates

Select this check box to delegate permission for managing certificates.

  • Applicable to in-house and public / private apps for managed devices and Managed Devices with Work Profile (COPE) mode starting from Android 8.
  • Applicable to public / private apps on managed profiles.
  • Applicable to public / private apps on Work Profile on Company Owned Device mode starting from Android 11.