Global App Config Settings policy
Administrators can create global policies with different app settings (silent install, auto-update, mandatory, etc.) and assign them to different labels. Creating a global policy avoids editing each app and configuring its settings individually. When viewing and editing the per-label settings, administrators can set the app to default to the global setting so only the settings that are different for that label need to be changed.
Multiple global App Config Settings policies can be created. Each policy must have a different name; two policies cannot have the same name. Additionally, the exact same labels should not be applied to more than one policy; for example, policy A and policy B cannot both have the "Android" label applied.
- The policy can be prioritized
- The policy will work for both Android and iOS devices
- Applicable to all types of apps
Labels
After setting a basic global policy, administrators can then edit the settings for each label assigned to the app. This is done in the App Catalog, where you can select one or several apps and have the ability to apply this already-created global app configuration to one or more labels.
If the Policy Labels intersect with the App Labels, Ivanti EPMM gives priority to the matching policy. The following scenarios show the possible ways to set labels on the App Config Settings policy or policies.
Item | Description |
Apps: | |
App Config Setting Policies: | |
Device: | If device has label_1 and label_2, then the Gmail app will pick Policy_1 and the AnyConnect app will pick Policy_2. |
Item | Description |
Apps: | |
App Config Setting Policies: | |
Device: | If device has label_1 and label_2, then both the Gmail and AnyConnect apps will pick Policy_1. |
Item | Description |
Apps: | |
App Config Setting Policies: | |
Device: | If device has label_1 and label_2, then the Gmail app will pick Policy_1 and the AnyConnect app will choose App Catalog settings. |
Item | Description |
Apps: | |
App Config Setting Policies: | |
Device: | If device has label_1 and label_2, then the Gmail app will choose App Catalog settings. |
Item | Description |
Apps: | |
App Config Setting Policies: | |
Device: | If device has label_1 and label_2, then the Gmail app will pick Policy_1. The reason is Policy_1 has the highest priority. |
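The matching rule and scenarios above, modelled as an added example (not Ivanti code and not part of the original page). It assumes that a label counts only when it is on the policy, the app and the device, that priority 1 is the highest, and that an app without Use Global App Config Policy keeps its App Catalog settings; App_C, App_D and label_3 are constructed names.

```python
from dataclasses import dataclass

APP_CATALOG = "App Catalog settings"  # fallback named in the scenarios above

@dataclass(frozen=True)
class Policy:
    name: str
    labels: frozenset
    priority: int        # assumption: 1 is the highest priority
    active: bool = True  # the "Active" checkbox on the policy

@dataclass(frozen=True)
class App:
    name: str
    labels: frozenset
    use_global: bool = True  # "Use Global App Config Policy" in the App Catalog

def effective_policy(app, device_labels, policies):
    """Return the policy an app resolves to on one device, or the fallback."""
    if not app.use_global:
        return APP_CATALOG
    # Assumption: a label counts only if it is on the policy, the app and the device.
    shared = app.labels & frozenset(device_labels)
    matches = [p for p in policies if p.active and p.labels & shared]
    if not matches:
        return APP_CATALOG
    return min(matches, key=lambda p: p.priority).name

def audit(apps, device_labels, policies):
    """Map every app to the source of its settings on one device."""
    return {a.name: effective_policy(a, device_labels, policies) for a in apps}

# Constructed inventory; these are not the values from the page's tables.
F = frozenset
DEVICE = {"label_1", "label_2"}
POLICIES = [Policy("Policy_1", F({"label_1"}), 1),
            Policy("Policy_2", F({"label_2"}), 2)]
APPS = [
    App("Gmail", F({"label_1", "label_2"})),         # two matches, priority decides
    App("AnyConnect", F({"label_2"})),               # one match
    App("App_C", F({"label_3"})),                    # no shared label
    App("App_D", F({"label_1"}), use_global=False),  # option not selected
]

if __name__ == "__main__":
    for name, source in audit(APPS, DEVICE, POLICIES).items():
        print(f"{name:12} -> {source}")
```

Running the same audit before and after a label change shows which apps silently fall back to their App Catalog settings.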
Creating a new App Config Settings policy
This section covers how to set a global App Config Settings policy.
Procedure
- In the Admin Portal, select Policies & Configs > Policies.
- Select Add New > App Config Settings. The Add App Config Settings dialog box opens.
- Enter the policy name in the Name field.
- Select Active to enable the policy.
- Select Higher than or Lower than in the Priority option, then select the other priority. This option is available only if you have two or more App Config Setting policies. Use it to set the priority of one policy over the other in cases of conflict.
- (Optional) Enter a Description of the policy.
- In the General, iOS Settings, and/or Android Settings tabs, make your app configuration selections. For definitions of the fields, see App Config Settings.
- Click Save.
- Edit / Update your labels. See Creating Labels in Getting Started with Ivanti EPMM.
- Apply labels to your new App Config Settings policy / policies. See Applying configurations to labels.
- In the App Catalog, edit your apps and select the Use Global App Config Policy option so the app will default to the App Config Settings policy.
- In the App Catalog, apply labels to apps.
- In the Device Details > Apps tab, for every app that the global App Config Settings policy is applied to, the name of that policy displays in the Global Policy Name column. The global policy will not be displayed under Device Details > Policies tab or in the Watchlist and Device Count columns under Policies & Configs > Policies.
App Config Settings
This section covers the field definitions for the global App Config Settings policy.
General tab > Common App Setting section
The General tab applies to both iOS and Android apps.
Field | Description |
Disable App Delivery Network for this App | If there is a content delivery network (CDN) enabled in Ivanti EPMM, administrators can choose to disable it for an app. This option displays only if a CDN is enabled. |
iOS Settings tab
The iOS settings are only applicable if the MDM setting is enabled.
Field | Description |
Prevent backup of the app data | Select to ensure that iTunes will not attempt to back up possibly sensitive data associated with the given app. This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices. |
Remove app when device is quarantined or signed out | Select to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode. To enable this feature, you must also configure a corresponding compliance action, and a security policy with that compliance action selected. Once the device is no longer quarantined, the app can be downloaded again. This option is ignored when "Use Global App Config Policy" and "Send convert unmanaged to managed app request for quarantine devices (iOS 9.0+)" are enabled for a particular app. For more information, see Using Secure Sign-In and Sign-Out. |
Send installation request on device registration or sign in | Select to send an installation request upon device registration or sign-in. If the app is already installed on the device, Ivanti EPMM will do nothing. For User Enrollment and Shared iPad devices for Apple Business Manager, this field will only send an installation request on device registration or sign-in. Only Apple-licensed apps are sent to Shared iPad devices through registration. Deselected by default. |
Send installation request to quarantine devices | Select to send an installation request to quarantine devices. Deselected by default. |
Remove app when MDM profile is removed | Selected by default, this option removes the app from the device when the MDM profile is removed from the device. This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices. |
Prevent user from removing and offloading app | Select this option to prevent device users from removing and uninstalling the managed app (for example, Ivanti Mobile@Work). It also prevents the OS from automatically offloading apps that are not being used. When the device user tries to uninstall the app, a pop-up will state: "Uninstall Not Allowed - It is not possible to uninstall this app at this time." De-select to allow the device users to remove and uninstall the app. Applicable to iOS 14.0 or newer versions. |
Android Settings tab
- The Android Settings apply to Android and Android Enterprise devices.
- Android Enterprise (all Modes) settings are applicable only if Google JSON is uploaded.
- Delegated Permissions are applicable to Android 8.0 and later.
Field | Description |
Feature this App in the Apps@Work Catalog | Select if you want to highlight this app in the Featured apps list. |
Silent install for Mandatory Apps | The app is installed when the device checks in with Ivanti EPMM. Device user action is not required. This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices. De-selecting the check box means the device user will need to manually install the app. If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices"). This is because Ivanti EPMM will send the request to Google and Google then forwards the request to the Android devices. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide. If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device. Applicable to: |
Enforce this version for Mandatory Apps | Select to ensure that every version of the same app is installed, including the latest version. The version enforcement feature is supported only with regular (non-AppConnect) in-house apps. It does not apply to AppConnect apps or Google Play apps. Use the version enforcement feature to: See Enforcement of specific app versions for mandatory in-house apps in the Ivanti EPMM Apps@Work Guide. |
Require the user to install the latest version of the app in order to run it. | Select to ensure the device user installs the latest version of this app. IMPORTANT: You must select this check box for the entries for each version of this same app in order for this feature to take effect. Clear the check box for all versions of this app to allow users to work with any version of this app. For more information, see Specify latest version required for a secure app in the Ivanti EPMM Apps@Work Guide. |
Silent install for work managed devices | This feature is specifically for private in-house Android Enterprise apps and applies only to devices that support silent installation. Clearing the check box means the device user will need to manually install the app. If this check box is selected, then the apps will be installed on the device according to the app constraints and time it takes to install. The app is installed when the device checks in with Ivanti EPMM. Device user action is not required. If "Silent install for Mandatory Apps" is enabled along with "Silent install for work managed devices," then "Silent install for Mandatory Apps" will take precedence and the app will be installed on the device irrespective of the constraints set for the "Silent install for work managed devices" option. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. Silent install is not supported for MAM-only Android devices. Additional settings can be made for silent installs of work managed devices. These settings are applicable for public and private apps. Prerequisite apps are pushed before dependent apps. Auto Install Mode - Self hosted apps will not be auto installed. App Download Priority - You can prioritize downloading of specific apps before other apps. For example, prioritizing the download of Tunnel and Email apps before other non-critical apps. Install only when connected to Wi-Fi - Default is de-selected. Install only when charging - Default is de-selected. Install only when Idle - Default is de-selected. For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide. If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device. |
Silently install Mandatory Apps | This feature only applies to devices that support silent installation. This feature is not supported for MAM-only Android devices. Selected by default. De-selecting the check box means the device user will need to manually install the app. If this check box is selected for Android Enterprise apps, the apps will be installed on the device with a higher priority than the "Silent install for work managed devices" option (irrespective of the constraints set for "Silent install for work managed devices"). This is because Ivanti EPMM will send the request to Google and Google then forwards the request to the Android devices. Administrators will need to disable "Silent install for Mandatory Apps" if they want to configure the apps via the "Silent install for work managed devices" option. For more information, see Silent install and uninstall of mandatory apps in the Ivanti EPMM Apps@Work Guide. If the Android Enterprise public app is rendered as an AOSP in-house app, then use the Silent install for work managed devices option to install the app silently on the AOSP-device owned (DO) device. |
Block Widget on Home Screen | If selected, the app cannot place widgets on the home screen on work profile devices. For example, calendar apps are not permitted to place calendar widgets on the home screen. Applicable only to apps installed in the Managed profile. |
Block Uninstall | Selected by default, this feature prevents the device user from uninstalling the app. |
Quarantine app when device is quarantined | Required for Work Profile mode, Work Managed Device mode, and Managed Device with Work Profile mode. Selected by default, this enables configured compliance actions to hide the app if a policy violation results in a quarantined device. This is a required selection for Work Profile mode, Work Managed Device mode and Managed Device with Work Profile mode. A second step is required to enable this feature: configure a corresponding compliance action and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be used again. If this option is deselected, the app is available for usage, even when the device is quarantined. If you change the setting after the app is added, the changed setting will be applied to the app. |
Auto Launch Application on Install | Selected by default. After installation, the Ivanti Mobile@Work app would be in the foreground when launching apps. Applicable to Android devices in: |
Update Priority | Select from the drop-down: Default, High Priority, Postpone for 90 days. |
Minimum Version Code | Select from the drop-down the version code number. |
Configure third-party app runtime permissions | Select this check box to modify runtime permissions for other apps. |
Hide and suspend third-party apps | Select this check box to delegate permission to third parties to hide and suspend the selected app. |
Manage certificates | Select this check box to delegate permission for managing certificates. |
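The precedence between the two silent-install options and the effect of deselecting the quarantine option, both described in the table above, as an added review example (not Ivanti code and not part of the original page). The dictionary keys are hypothetical names for the checkboxes, not an Ivanti EPMM export or API format, and the sample apps are constructed.

```python
# Keys are hypothetical names for the checkboxes described above; they are
# not an Ivanti EPMM export or API format.
CONSTRAINTS = ("wifi_only", "charging_only", "idle_only")

def install_plan(app):
    """Return (mechanism, constraints honoured, constraints ignored)."""
    wanted = [c for c in CONSTRAINTS if app.get(c, False)]
    if app.get("silent_mandatory", False):
        # Takes precedence: the app is installed irrespective of constraints.
        return "Silent install for Mandatory Apps", [], wanted
    if app.get("silent_work_managed", False):
        return "Silent install for work managed devices", wanted, []
    return "Manual install by device user", [], []

def review(apps):
    """Return (app name, finding) pairs worth an administrator's attention."""
    findings = []
    for app in apps:
        _, _, ignored = install_plan(app)
        if app.get("silent_work_managed", False) and ignored:
            findings.append((app["name"], "constraints ignored: " + ", ".join(ignored)))
        # "Quarantine app when device is quarantined" is selected by default.
        if not app.get("quarantine_with_device", True):
            findings.append((app["name"], "usable while device is quarantined"))
    return findings

# Constructed sample settings for three apps.
SAMPLE = [
    {"name": "Tunnel", "silent_mandatory": True, "silent_work_managed": True,
     "wifi_only": True, "idle_only": True},
    {"name": "Email", "silent_work_managed": True, "charging_only": True},
    {"name": "Notes", "quarantine_with_device": False},
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app["name"], install_plan(app))
    for name, finding in review(SAMPLE):
        print("FINDING", name, finding)
```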