App configuration for Android enterprise apps

App configurations (also referred to as app restrictions) are key-value pair settings that are provided by the app developer. When you select the Install this app for Android enterprise check box when adding a public app, the Configuration Choices section appears in the app wizard. Refer to the app’s documentation and help hints for information on its configuration settings. These settings allow you to configure the app, without involving the device user.

MobileIron Core supports multiple bundle definitions in a bundle array for apps that have the capability to use this feature. For example a VPN app may support multiple VPN configurations by clicking the Add New Configuration button and entering the Profile Name and Server for a specific VPN and optionally specify your web log on credentials.

When using Mobile@Work 9.6 through the most recently version as supported by MobileIron, MobileIron Core delivers app configurations using Google Play. Therefore, the app and its app configurations are installed at the same time on the device, avoiding the potential issue of device users launching the app before the app configurations are received.

Creating multiple app configurations

Core allows you to create multiple app configurations per app:

  • The default app configuration for the app is applied to devices with the same label that you applied to the app.
  • Any additional app configuration that you can create is applied to devices with the labels you specify.

Using multiple app configurations is useful when sets of users of the app require different configuration values. For example, consider a Human Resources app that users throughout the United States use. However, you want the app to connect to a different server depending on a user’s region:

  • Users in the Eastern region must connect to a server in the east.
  • Users in the Western region must connect to a server in the west.
  • Users in the Northern and Southern regions connect to a server in St. Louis.

Therefore, do the following:

  • Label the app with the Human Resources label.
  • Create an app configuration that specifies the server in the east, and label the app configuration with the Eastern Region label.
  • Create an app configuration that specifies the server in the west, and label the app configuration with the Western Region label.
  • In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region label or the Western Region label will use this server.

Priorities of app configurations

Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top of the list of configuration choices. The default configuration always has the lowest priority and appears at the bottom of the list. Core assigns a device the app configuration with the highest priority that has a label that matches a label on the device.

You can change the priorities of app configurations by dragging and dropping them in the table of configuration choices for the app.

Substitution variables for configuring Android enterprise apps

Substitution variables can be used for configuring values from LDAP or the MobileIron Core devices database, such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when editing app configurations by entering the substitution variable $NULL$ for those values.

You may use the following variables when configuring any Android enterprise app:

$USERID$

$EMAIL$

$PASSWORD$

$FIRST_NAME$

$LAST_NAME$

$DISPLAY_NAME$

$USER_DN$

$USER_UPN$

$USER_LOCALE$

$DEVICE_UUID$

$DEVICE_UUID_NO_DASHES$

$DEVICE_IMSI$

$DEVICE_IMEI$

$DEVICE_SN$

$DEVICE_ID$

$DEVICE_MAC$

$DEVICE_CLIENT_ID$

$USER_CUSTOM1$

$USER_CUSTOM2$

$USER_CUSTOM3$

$USER_CUSTOM4$

$MI_APPSTORE_URL$

$REALM$

$TIMESTAMP_MS$

$NULL$

$GOOGLE_AUTOGEN_PASSWORD$

NOTE: Enable Google Apps Integration for the substitution to work properly.

Substitution variable for certificate aliases in Android enterprise apps

Some Android enterprise apps, including Gmail, MobileIron Tunnel for Android enterprise, and Pulse Secure, use certificates generated based on a certificate enrollment setting. These apps accept certificate aliases in the app configuration. The substitution variable to provide a certificate alias is:

$CERT_ALIAS:<certificate enrollment setting name>$ where

<certificate enrollmnent setting name> is the name you gave to the certificate enrollment setting.

To use a certificate with apps, in the Core Admin Portal:

  1. Go to Policies & Configs > Configurations

  2. Locate your certificate enrollment setting. Note its name. You will need the name for the alias variable.

    Note: The certificate enrollment setting must be created before continuing with these steps.

  3. Ensure the certificate enrollment setting is assigned to a label that is also used for distributing the apps that require the certificate.
  4. Go to Apps > App Catalog.
  5. Edit the app by clicking the app name, then clicking Edit.
  6. Ensure that the Android enterprise check box Install this app for Android enterprise is selected.

  7. In the Configurations section, type in the certificate alias in the field that requires it:

    $CERT_ALIAS:<certificate enrollment setting name>$

  8. Click Finish to save your changes.

Note The Following:  

  • Certificate aliases are not supported for user-provided certificate enrollment settings. For more information about Certificate Enrollment Settings, see “Certificate Enrollment Settings” in MobileIron Core Device Management Guide for Android and Android enterprise Devices.
  • For identity certs applied to Android devices, Mobile@Work will require a passcode for the device or work profile, if the user has not already created one.
  • On Android 6.0 devices or higher, and with Mobile@Work 9.6, identity certs will be automatically assigned for apps. Users will not be prompted to select a certificate.