iOS managed app configuration

An iOS managed app can automatically get its app-specific configuration from MobileIron Core, rather than requiring the device user to enter the values in the app. Some examples of app-specific configuration are:

  • user information
  • server information
  • whether particular features should be enabled

This feature results in easier app deployment and fewer support calls for you, and a better user experience for the device user.

MobileIron Core supports iOS managed app configuration with two different mechanisms:

IMPORTANT: Both mechanisms use native iOS capabilities. iOS stores the configuration settings unencrypted on the device. Therefore, do not provide sensitive information such as passwords or private keys in managed app configuration values.

NOTE: iOS managed app configuration is not supported on MAM-only iOS devices.

The Managed App Config setting that use plists

The Managed App Config setting is one mechanism that MobileIron Core can use to provide configuration settings to iOS managed apps. You create a Managed App Config setting in Policies & Configs > Configurations > Add New > iOS and macOS > Managed App Config.

Using a Managed App Config setting requires a MobileIron license. For more information on this feature, see “Managed App Config settings that use plists” in the MobileIron Core Device Management Guide for iOS and macOS Devices.

NOTE: By default, a legacy Managed App Config setting is ignored if a Managed App Configuration setting is available for the app in its App Catalog entry.

Related topics 

Precedence of the iOS managed app configuration in the App Catalog versus the plist setting

Managed App Configuration settings for iOS apps in the App Catalog

This mechanism supports the iOS managed app configuration defined in the AppConfig Community at appconfig.org. Working with MobileIron, many registered MobileIron Technology Partners who are deploying their apps to the Apple App Store support this mechanism to make their apps easier to deploy in enterprises. This mechanism works as follows:

Figure 1. Managed app configuration flow

Using this mechanism makes it easy for you to configure an iOS managed app’s configuration on MobileIron Core. Specifically:

  • When you import the app into the App Catalog, Core automatically retrieves the default app configuration for viewing and editing.
  • You edit the values for the app configuration in the Admin Portal in a graphical user interface.
  • Depending on the app, the user interface includes descriptions about each field.
  • You can create multiple app configurations, applying different labels to each app configuration. Multiple app configurations allow different sets of devices to receive different configuration values.

Refer to the app’s documentation to find out:

  • whether the app supports managed app configuration
  • more details on its specific configuration settings.
NOTE: MobileIron Core supports this mechanism only for Apple App Store apps, not for in-house apps.

This topic includes the following sections:

Multiple app configurations per iOS app

Core allows you to create multiple app configurations per app:

  • The default app configuration for the app is applied to devices with the same label that you applied to the app.
  • Any additional app configurations that you create are applied to devices with the same labels that you specify for the additional app configuration.

Using multiple app configurations is useful when sets of users of the app require different configuration values. For example, consider a Human Resources app that users throughout the United States use. However, you want the app to connect to a different server depending on a user’s region:

  • Users in the Eastern region must connect to a server in the east.
  • Users in the Western region must connect to a server in the west.
  • Users in the Northern and Southern regions connect to a server in St. Louis.

Therefore, do the following:

  • Label the app with the Human Resources label.
  • Create an app configuration that specifies the server in the east, and label the app configuration with the Eastern Region label.
  • Create an app configuration that specifies the server in the west, and label the app configuration with the Western Region label.
  • In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region label or the Western Region label will use this server.

Priorities of iOS app configurations

Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top of the list of app configurations. The default configuration always has the lowest priority and appears at the bottom of the list. Core assigns a device the app configuration with the highest priority that has a label that matches a label on the device.

You can change the priorities of app configurations by dragging and dropping them in the table of configuration choices for the app.

Substitution variables for configuring iOS apps

Substitution variables can be used for configuring values from LDAP or the MobileIron Core devices database, such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when editing app configurations by entering the substitution variable $NULL$ for those values.

You may use the following variables when configuring app configuration fields:

Table 1. Substituion variables for configuring iOS apps

Substitution variable

More information

Sample of substituted value

$USERID$

Login ID (email address format)

[email protected]

$EMAIL$

Email address

[email protected]

$EMAIL_DOMAIN$

The domain part of the email address (part after the ‘@’)

myCompany.com

$EMAIL_LOCAL$

The local part of the email address (part before the ‘@’)

jdoe

$PASSWORD$

Use not recommended because the managed app configuration values are not encrypted on the device

 

$FIRST_NAME$

First name

Jane

$LAST_NAME$

Last name

Doe

$DISPLAY_NAME$

Display name

Jane Doe, CEO

$USER_DN$

Distinguished Name

CN=Jane Doe,

OU=NA,OU=Users,

OU=XY,

DC=myCompany,

DC=com

$USER_UPN$

The Microsoft userPrincipalName attribute

[email protected]

$USER_LOCALE$

Locale

en_US

$DEVICE_UUID$

iOS Unique Device Identifier

c752e7052fe5e5ca8166e408c4b48573b5b5bd82

$DEVICE_UUID_NO_DASHES$

 

 

$DEVICE_IMSI$

International Mobile Subscriber Identity

310150123456789

$DEVICE_IMEI$

International Mobile Equipment Identity

01 342300 291808 3

$DEVICE_SN$

Serial Number

DNRJVLP7DTTN

$DEVICE_ID$

Mobile Equipment Identifier

A0123456789012

$DEVICE_MAC$

Wi-Fi MAC Address

30:f7:c5:87:e8:78

$DEVICE_CLIENT_ID$

Unique device identifier

1073741831

$MODEL$

Device model

iPhone 6

$PHONE_NUMBER$

Device phone number

888-555-1212

$USER_CUSTOM1$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM2$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM3$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$USER_CUSTOM4$

Custom field defined for LDAP

The value of the variable as defined in LDAP settings.

$CN$

Common Name (CN) attribute extracted from the distinguished name

Jane Doe

$OU$

Organizational Unit (OU) attribute extracted from the distinquished name

XY

$ICCID$

Integrated Circuit Card Identifier

89014104254287052057

$SAM_ACCOUNT_NAME$

The Microsoft sAMAccountName attribute

jdoe

$MI_APPSTORE_URL$

The URL of the MobileIron Core app store, as accessed by the Apps@Work web clip

https://myCore.mycompany.com/mifs/asfV3/
appstore?clientid=$DEVICE_CLIENT_ID
$&vspver=9.3.0.0

$REALM$

The domain component of an LDAP entry

mycompany.com

$TIMESTAMP_MS$

Unix time stamp of when Core sends the managed app configuration to the device

1485992717498

$NULL$

An empty string. Use this variable to prevent the re-population of deleted default values.

<no value>

Changes to managed app configurations for iOS apps

For iOS apps, when the app data is in View or Edit mode, Core loads the latest managed app schema from the AppConfig repository and displays the latest fields (including any new fields) in the “Managed App Configurations” section in the UI. MobileIron recommends that before saving the changes, you first carefully inspect the updated managed app configuration. Once you select Proceed and click Confirm, the updated managed app configuration settings are saved and the changes are pushed out to all associated devices.

When you change the values for the app configuration of an app in the App Catalog, either one or two device check-ins are necessary for the device to receive the new values from Core. If the iOS MDM terminates the connection between the device and Core before Core can deliver the update, a second device check-in may be necessary.

App version updates and managed app configuration for iOS apps

When you update an app in the App Catalog on Core to a newer version, the new version sometimes has an updated managed app configuration. However, Core does not push the updated managed app configuration until you edit and save the app in the App Catalog. Until that time, devices that upgrade to the new version of the app still receive the older version of the app configuration. Because a new version of an app is typically backward compatible with the older app configuration, the app will still run successfully. However, the app will not use any new features that the updated app configuration provides.

Precedence of the iOS managed app configuration in the App Catalog versus the plist setting

Consider the case in which both of the following are true:

  • Core has retrieved the managed app configuration for an app.
  • A Managed App Config setting with a plist exists for the app.

By default, the managed app configuration included with the app overrides the Managed App Config setting with a plist. However, you can specify that the Managed App Config setting with a plist should override the managed app configuration with the following procedure.

Before you begin 

Make sure you have created a Managed App Config setting with a plist and assigned the necessary labels to it. See “Managed App Config settings that use plists” in the MobileIron Core Device Management Guide for iOS and macOS Devices.

Procedure 

  1. In the Admin Portal, go to Apps > App Catalog.
  2. Select the app.
  3. Click Edit.
  4. In the Managed App Configurations section, select Use the .plist file uploaded in a Managed App Config Setting instead of these Managed App Configurations.
  5. Click Save.
NOTE: If no Managed App Config setting is applied to the device, the app still uses the managed app configuration in the App Catalog entry.

Core upgrade and iOS managed app configuration

Consider the case where:

  • you upgraded to this version of MobileIron Core from a version of Core that did not support managed app configuration, and
  • an app was already in the App Catalog before the upgrade.

After the upgrade, Core does not immediately retrieve the app’s managed app configuration. Core retrieves it when you edit the app in the App Catalog.