Ivanti EPMM 11.4.0.0 - 11.12.0.0 Apps@Work
Guide
November 2023
Copyright © 2023, Ivanti, Inc. All rights reserved.
Privacy and Legal
Revision history
For the complete revision history, see the online version of this document.
Contents
Revision history 2
Apps@Work (iOS) 6
Existing Customers with iOS Apps@Work Webclip 6
Remove iOS Apps@Work Webclip 7
iOS Apps@Work AppStore Features 8
Managing mobile apps with Apps@Work 12
About managing mobile apps 12
Setting up app control 20
Viewing installed apps 31
Managing app inventory 35
App management action workflows 40
Override for in-house app URLs 44
Malware prevention: app reputation 46
Apps@Work branding 49
Managing app reviews in Apps@Work (Android, iOS, macOS) 54
Enabling device users to submit app ideas through Apps@Work 56
Setting the default landing page for Apps@Work 57
Configuring popular apps for display in Apps@Work (Android, iOS, macOS) 57
Managing app categories (Android, iOS, macOS) 58
Managing apps for iOS and macOS 61
Overview of working with apps for iOS devices 61
iOS managed app configuration 66
Setting up Apps@Work for iOS and macOS 78
Populating the iOS and macOS App Catalogs 80
Setting per app VPN priority for iOS and macOS apps 101
Per app VPN and the Tunnel app on iOS and macOS devices 102
Setting DNS proxy for iOS and macOS apps 103
Supporting Associated Domains 104
Removing iOS or macOS apps from the App Catalog 105
Making iOS and macOS apps available to users in Apps@Work 105
Mandatory and optional in-house and secure apps 109
Managing installed iOS and macOS apps 110
Editing iOS and macOS apps and app settings in the App Catalog 115
Notifying users of new iOS and macOS apps or app updates 119
Working with web applications for iOS and macOS 124
Unmanaged to managed app conversion on iOS devices 129
Apps@Work on the iOS or macOS device 138
Using Apple licenses 142
Apple license management with Ivanti EPMM 142
Main steps for setting up Apple licenses 144
Linking Ivanti EPMM to an Apple licensed account 145
Importing licensed apps from an Apple licensed account 146
Importing additional apps from the App Catalog 149
Applying device-based licensing to an app 150
Applying a user-based license 150
Applying an Apple license label to an app 151
Removing an Apple license label from an app 151
Revoking licenses 152
Exporting Apple license app distribution details to a CSV file 153
Managing your Apple license accounts 154
Turning user-paid apps into managed apps 159
Managing mobile apps for Android 162
Types of apps on Android devices 162
Adding Google Play apps for Android 164
Whitelisting public apps for the Samsung Knox container 168
Adding in-house apps for Android 169
Adding secure apps for Android 182
Mandatory and optional in-house and secure apps 189
Enforcement of specific app versions for mandatory in-house apps 192
Apps@Work in Ivanti Mobile@Work for Android 195
On-demand secure apps container setup 199
Specify latest version required for a secure app 206
Secure apps installation order 208
Android app versions and device counts 211
Troubleshooting Android apps 211
Managing mobile apps for Android Enterprise 213
About apps for Android Enterprise 213
Features specific to Android Enterprise apps 214
App configuration for Android Enterprise apps 216
Public and private Android Enterprise app deployment 222
Setting up Chrome with Android Enterprise 242
Managing apps on Windows devices 243
Setting up certificate authentication 243
Distributing apps for Windows 10 Desktop devices 248
Distributing apps for Windows 8.1 Phone devices 251
App inventory on Windows 10 desktop devices 252
Application scheduling 255
Restricting applications on Windows devices 256
Working with apps 262
Adding in-house apps to the App Catalog 264
Adding third-party apps to the App Catalog 266
Deploying apps 268
Editing in-house app information 268
Application dependency deployment 271
Editing third-party app information 272
Updating apps in the App Catalog 272
Deleting apps from Ivanti EPMM 273
Managing apps on MAM-only devices 274
MAM-only device overview 274
MAM-only iOS devices 274
MAM-only Android devices 281
Configuring MAM-only iOS devices 282
Configuring MAM-only Android devices 288
Apps@Work (iOS)
Apps@Work is an enterprise app storefront that facilitates the secure distribution of software and apps.
Apps@Work is available for iOS devices. Apps@Work corporate AppStore is integrated into Ivanti
Mobile@Work for iOS clients.
Before you begin
• You need to enable Mutual authentication, a requirement for integrated Apps@Work to work.
• Create a new App Catalog configuration and apply labels to it.
Administrators can configure app prerequisites, and the device user will have visibility of app
dependencies when installing an app from the Integrated App Catalog. VPP apps cannot be
dependent apps or main apps. For more information, see App management action workflows.
The iOS Apps@Work native AppStore can be deployed with the Ivanti Mobile@Work client. By default, the
device user notification push frequency is set to Weekly. Once the administrator has enabled Mutual
authentication and applied device labels to the (new) App Catalog configuration, the Apps@Work tab
displays on the Ivanti Mobile@Work task bar. The device user can go to this tab to view and install their
company-approved apps. For more information, see "iOS Apps@Work AppStore Features" on page 8.
To change the settings, see "Notifying users of new iOS and macOS apps or app updates" on
page 119.
Existing Customers with iOS Apps@Work Webclip
Customers who have the legacy iOS Apps@Work webclip deployed will not get the Integrated App Catalog
by default. If you would like to transition to the iOS Apps@Work integrated App Catalog and remove the
Apps@Work webclip from the devices, perform the following steps:
Pushing the configurations
The administrator must push the App Catalog for Native Client configuration to the devices to make
Apps@Work available in a Native AppStore experience from the Ivanti Mobile@Work application. For more
information, see "Managing Device Settings with Configurations" in the Ivanti EPMM Device Management
Guide for iOS and macOS devices.
Before you begin
Make sure that Mutual Authentication is enabled.
Procedure
1. Log in to the Ivanti EPMM Admin Portal.
2. Go to Policies & Configs > Configurations.
3. Select App Catalog Service. The App Catalog Service configuration panel opens.
4. Distribute the App Catalog Service configuration to devices via label.
5. After the configuration is distributed, the device user must upgrade the Ivanti Mobile@Work client
version to 12.11.80 or above. The Apps@Work tab is now visible in Ivanti Mobile@Work.
The configuration cannot be pushed for devices that are registered using iReg because Ivanti
Mobile@Work is unavailable on the device. You must install the Ivanti Mobile@Work client
to get the native App Catalog. For more information, see "Registering Devices" in the Ivanti
EPMM Device Management Guide.
Remove iOS Apps@Work Webclip
Customers who have the Apps@Work Webclip distributed to their devices and have already migrated to
the Apps@Work Native experience can remove the iOS Apps@Work webclip.
Procedure
1. Go to Policies & Configs > Configurations.
2. Filter to the Configuration – Apple App Catalog.
3. Click Edit.
4. From Distribution select Distribution to No Devices.
5. Click Save.
iOS Apps@Work AppStore Features
The Apps@Work tab has the following features:
• "Access Apps@Work tab from the Ivanti Mobile@Work application" below
• "Search" on the next page
• "Installing an app - Button States" on the next page
• "Featured Applications and Banner" on page 10
• "Application Update Notification" on page 10
• "Settings-My Devices" on page 11
Access Apps@Work tab from the Ivanti Mobile@Work application
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device.
2. Tap the Apps@Work icon. Two default tabs are available: All Apps and Categories.
3. Tap the All Apps tab. The All Apps tab lists all the apps in alphabetical order.
4. Tap the Categories tab. The Categories tab displays only the categories that contain applications,
as follows:
• Each category displays the number of applications present in it.
• The MyApps row under the Categories tab is a list item that contains all the installed applications.
  The MyApps row will always be the first category and the rest of the categories are listed
  alphabetically.
• When no applications are installed, the MyApps list displays None.
• When you select a category, all the applications that are specific to the category are listed with the
  Install option. Click Install to install each application individually, or click Install All to
  install all the applications in the category. You will be prompted to permit the installation for each
  application.
Search
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device.
2. Tap the Apps@Work icon.
3. Tap the search (lens) icon to search for the following:
• New Releases: a list of newly released apps appears when no text is typed in the search bar.
• Type any text and the search field will dynamically predict and display the matching applications.
• The search result count is displayed as a sub-heading.
• You can also tap the Install button to install an application without navigating to the details page.
Installing an app - Button States
Since the app installation requires the server to process the request and push the application to the device,
the install button will not display the progress in real-time. The install button changes states from Install >
Requested > Installed.
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device.
2. Tap the Apps@Work icon.
3. Tap Install and the status notifications appear as follows:
• An alert message appears, for the first time, indicating that an installation is requested.
• Tap the Requested button. An alert message appears.
The Installed status is not a button.
Featured Applications and Banner
The Featured tab is visible based on the configuration pushed by the administrator. The Featured tab is the
default landing page when no updates are available.
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device.
2. Tap the Apps@Work icon.
3. Tap the Featured tab.
• The Featured App Banner displays one application in the banner.
• The Featured App contains a list of all the featured applications.
Application Update Notification
The device user receives a notification on the device whenever any application updates are available. When
there is an update to an app, Apps@Work will display a notification listing the number of applications that
have updates available. When the device user selects the notification, Apps@Work opens.
Starting in Ivanti EPMM version 11.8.0.0, administrators can set the frequency of the device user notifications
for new updates that are available in the App Catalog. The setting option is once a day or once a week in
Apps > Apps@Work Settings > App Updates Notifications to End User.
Badging (notifications) is only for apps that are already installed and have updates available. Applicable to
in-house and public apps.
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device. The Apps@Work icon displays the count of
applications that have pending updates.
2. Tap the application update notification. You will be redirected to the All Apps tab in Apps@Work.
The following indications are displayed:
• The Updates Available sub-section under the All Apps tab displays the count of the applications
  that are available for update.
• A red dot icon is displayed for every application that requires an update.
Settings-My Devices
Procedure
1. Log in to Ivanti Mobile@Work from your iOS device.
2. Tap the Settings icon.
• The My Devices tab is available under Settings.
• My Devices is now listed as a line item under Authenticate.
Managing mobile apps with Apps@Work
This section addresses Apps@Work and the tools provided for distribution and management of mobile
apps.
• "About managing mobile apps" below
• "Setting up app control" on page 20
• "Viewing installed apps" on page 31
• "Managing app inventory" on page 35
• "App management action workflows" on page 40
• "Override for in-house app URLs" on page 44
• "Malware prevention: app reputation" on page 46
• "Apps@Work branding" on page 49
• "Managing app reviews in Apps@Work (Android, iOS, macOS)" on page 54
• "Enabling device users to submit app ideas through Apps@Work" on page 56
• "Setting the default landing page for Apps@Work" on page 57
• "Configuring popular apps for display in Apps@Work (Android, iOS, macOS)" on page 57
• "Managing app categories (Android, iOS, macOS)" on page 58
About managing mobile apps
Apps@Work provides the tools for distributing and managing mobile apps. You can use Apps@Work tools
to facilitate installation of standard corporate apps, as well as to help regulate the apps that your users are
bringing into the enterprise. Apps@Work tools consist of:
• App Catalog (previously called “app distribution library”)
• App Control
• Installed Apps (previously called “device app inventory”)
What is the App Catalog?
The Ivanti Endpoint Manager Mobile (Ivanti EPMM) App Catalog is a centralized location for the business
apps you want to manage for your users. App distribution is customized for each supported platform, and
allows you to set granular policies per app. By uploading apps to the App Catalog, you can make private
apps available for users to download on their devices. You can also add external apps and distribute them to
users, making it clear to employees that the apps are approved for download and supported.
With the App Catalog, you can:
• Include apps from the Apple Store, Google Play Store, or Windows Store.
• Upload in-house apps to the App Catalog.
• If your Ivanti EPMM is enabled for Android Enterprise, include private apps for Android Enterprise
  devices that are hosted on Google Play Store for your domain.
You can then make these apps available for users to download with Apps@Work on their devices.
Due to a limitation from Apple, for Business-to-Business (B2B) iOS apps available in the App
Catalog, only the descriptions of the apps are available in the Details tab. Screenshots are not
available.
The Apps@Work home page on the device consists of three rows. Each row is a separate section made up of:
• New Releases
• Featured Apps
• Categories of Apps
You can easily identify apps selected by the administrator as featured apps. These apps are displayed in a
banner at the top of the screen. Swipe the banner to scroll through the featured apps. Featured apps are
also displayed in a section listing the apps in a row on the Apps@Work home screen. Tap More to see all
the apps in that section. You can also tap the search icon at the top to search for an app.
To list an app in the Featured app banner in the Apps@Work home page:
1. On the Ivanti EPMM Admin Portal, go to Apps > App Catalog, select an app, and click Edit or Add,
or view the app details.
2. Select Feature Banner.
3. Add a Short Description. The description is blank by default.
4. Select the Light Banner Style option. You can see what your banner will look like in the Preview.
The Dark, Blue, Green and Orange options will work in a later release.
5. Select Finish.
Apps deployed by the Administrator within the last 30 days are displayed in a New Releases section on the
Apps@Work home page.
Select an app to view the Detail screen to see the app’s ratings, size, developer, install status and more. In
this view, click Install to install the app on your device. A Pending install message displays when installation
is in progress.
All apps that users download from Apps@Work are considered managed apps.
FIGURE 1. ALL APPS DOWNLOADED FROM APPS@WORK ARE MANAGED APPS
FIGURE 2. APP CATALOG PAGE IN IVANTI EPMM
Use the App Catalog to:
• Add, configure, update, and remove managed apps
• Edit app configurations
• Install and upgrade managed apps to devices using labels
• Set the prerequisite app for a dependent app
• Indicate mandatory installation of prerequisite apps in Apps@Work
• Group apps into categories to be displayed in Apps@Work on the device
• View app details at a glance, such as the:
  ◦ App name, size, and version number
  ◦ Label(s) to which the app is applied
  ◦ Origins of the app (public or in-house)
  ◦ Number of devices, and list of devices, to which the app is deployed
  ◦ New permission status: an icon appears if the app requires new permission
For detailed instructions on working with apps for each platform, see:
• "Managing apps for iOS and macOS" on page 61
• "Managing mobile apps for Android" on page 162
• "Managing apps on Windows devices" on page 243.
Also, see "Managing apps on MAM-only devices" on page 274, if you are working with MAM-only Android
or iOS devices, which are devices for which Ivanti EPMM does not support device management (MDM).
App Catalog Device Details page
The Device Details page for the App Catalog tab displays information about devices, but also allows
administrators to take actions.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate the app.
5. Use the search box or sort columns to quickly find the app you want.
6. Click the number link in the Devices Installed column.
In addition to viewing the device details, you can take the following actions from this page:
• Send a message to a device
• Force a device to check-in
• Indicate if an app must be installed (mandatory)
• Retire a device
• Export device data (from the table) to an Excel .csv file
Ivanti EPMM does not support viewing device information for apps installed on MAM-only iOS
devices.
Exporting App Catalog data
Manage data more easily by exporting app data from the App Catalog to an Excel spreadsheet.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate the app.
Use the search box or sort columns to quickly find the app you want.
5. Click the number link in the Devices Installed column to open the Device Details page.
6. Click Export to CSV to create an Excel spreadsheet containing the details of the selected app.
7. Locate the .csv file, open, modify, and save, as necessary.
The exported spreadsheet contains the following information:
• Device UUID
• User Name
• User ID
• Platform
• Model
• Mobile Number
• Device Space
• App Version
• Managed
• App Name
• App Identifier
Ivanti EPMM does not support exporting App Catalog data for apps installed on MAM-only iOS
devices.
What is App Control?
The App Control feature enables you to exert control over which apps are installed on managed devices.
Using app control rules, you can define which apps are allowed, disallowed, or required (for iOS, macOS, and
Android only). You can then associate these rules with a security policy that specifies the consequences of
being out of policy. Note that Ivanti EPMM does not support app control rules for MAM-only iOS and
Android devices.
App control is achieved through a collaboration between the app control rules, Security policy, and alerts:
• The app control rules define which apps you want to control.
• The security policy specifies which devices the rules are applied to and the actions to associate with a
  rule violation.
• The alert determines the information that is sent as the result of rule violation, and the recipients of
  the information.
FIGURE 3. APP CONTROL
What are Installed Apps?
The Installed Apps feature presents a snapshot of the apps installed across your managed devices. The
Apps > Installed Apps page displays the apps that have been reported as installed on each device. You can
use this list to track new apps coming into the enterprise, determine the popularity of apps, and identify
possibly rogue apps.
Privacy policy settings determine how devices report their installed apps to Ivanti EPMM.
FIGURE 4. INSTALLED APPS
Ivanti EPMM does not support viewing installed apps on MAM-only iOS devices.
For more information, see "Managing app inventory" on page 35.
Best Practice: label management
If Notes for Audit Logs is enabled, whenever a change is made to a label, a text box displays for the
administrator to provide a reason for the change.
This affects the following label-related activities:
• Add/Edit/Delete/Save Label (Both filter and manual)
• In Devices & Users > Devices > Advanced Search > Save to Label
• Add/Edit/Remove Label to devices
• Add/Edit/Remove Label to configurations
• Add/Edit/Remove Label to policies
• Add/Edit/Remove Label to apps
• Add/Edit/Remove Label to iBooks
Example text to enter would be a change ticket order number. This information then displays in the Audit
logs, in the Details column as "Reason."
The Notes for Audit Logs feature is also applicable to any administrator-made changes to iOS and
macOS restrictions.
To enable this feature, see "Setup tasks" in Getting Started with Ivanti EPMM.
Setting up app control
You can set up app control to enhance visibility into the apps being installed on managed devices and
enforce corporate app policy.
App control is achieved through a collaboration between the app control rules, Security policy, and alerts:
• The app control rules define which apps you want to control.
• The security policy specifies which devices the rules are applied to and the actions to associate with a
  rule violation.
• The alert determines the information that is sent as the result of rule violation, and the recipients of
  the information.
Setting up app control involves completing the following tasks, in this order:
1. Configure alerts for when a device violates the app control rules in its security policy.
2. Define app control rules.
3. Edit the default privacy policy.
4. Apply the app control rules to a security policy that is applied to the target devices.
This order of tasks is strongly recommended to ensure that alerts are generated if devices are
already in violation when they receive the corresponding policy from Ivanti EPMM. Otherwise, these
devices will not generate an alert until one of the following actions occurs:
• administrator changes the security policy
• administrator edits the app control rule
• device updates app inventory
• device updates device details.
Ivanti EPMM does not support app control rules for MAM-only iOS and Android devices.
About app control alerts
To create an alert, you configure a Policy Violation Event in Logs > Event Settings.
The security policy specifies whether violating devices should just trigger an alert or also be blocked from
ActiveSync access and AppConnect apps. However, if the associated Policy Violation Event is not yet
defined, no alert is generated.
IMPORTANT:To ensure that the alert is generated in a timely fashion for devices that are already
in violation when the policy is created, you should create the event first.
App control rule types
By creating app control rules, you define lists of apps that are Required, Allowed, or Disallowed on
designated devices. These types are defined as follows:
TABLE 1. APP CONTROL RULE TYPES
Rule Type | Purpose | When Policy Violation Occurs
Required | (For iOS, macOS, and Android only) Specify apps that must be installed. Required rules take precedence over Disallowed rules in case of a conflict. | The absence of a required app is a policy violation.
Allowed | Specify a small set of apps that are allowed to be installed. | The presence of an app not on the Allowed list is a policy violation.
Disallowed | Specify a set of apps that are forbidden. | The presence of a disallowed app is a policy violation.
You may want to use the rules as described in these examples:
• Required rules (iOS, macOS, and Android only) example: since MDM-enabled iOS devices report
  inventory even if Ivanti Mobile@Work has been uninstalled, you can create a Required rule to
  ensure that if the device user removes Ivanti Mobile@Work, the appropriate response is triggered.
• Allowed rules example: create a set of Allowed rules for use by temporary employees to ensure that
  they are not installing any personal apps on a corporate device.
• Disallowed rules example: create a set of Disallowed rules to help lower exposure to apps with
  known security issues. Note that Required rules take precedence over Disallowed rules in the case
  of a conflict.
App control rules applied in security policies
The following figure shows app control rules applied in the Access Control section of a security policy. In
this case, the selected compliance actions are applied if the disallowed apps are detected on a device to
which the security policy is applied.
FIGURE 1. ACCESS CONTROL SECTION IN A NEW SECURITY POLICY
Setting up App Control
Complete the App Control setup using the following steps, in this order:
"Step 1: Configure App Control alerts" below
"Step 2: Define App Control rules" on the next page
"Step 3: Edit the privacy policy" on page 26
"Step 4: Apply the app control rule to a security policy" on page 26
Each part of the setup is detailed next.
Step 1: Configure App Control alerts
To enable app control alerts:
1. In the Ivanti EPMM Admin Portal, go to Logs > Event Settings.
2. Select Add New > Policy Violations Event.
3. Enter a name for the event.
4. In the Security Policy Triggers section, look for the App Control - All Platforms heading.
5. Confirm that the app control alerts you want to generate have been selected. The following table
summarizes these alerts:
Item | Description
Disallowed app found | Generate an alert if a disallowed app is found on a designated device.
App found that is not in Allowed Apps list | Generate an alert if an app is found that is not on the Allowed Apps list for the designated device.
Required app not found | Generate an alert if a required app is not found on a designated device.
6. Disable any other triggers that you do not want to enable.
7. Click Save.
Step 2: Define App Control rules
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Control.
2. Click Add.
3. Enter a name for this rule.
The name cannot be changed once the app control rule is saved.
4. For the Type option, select the type of rule you want to define:
• Required: (iOS, macOS, and Android only) This rule specifies criteria for apps that MUST be
  installed. WP8.1 devices ignore this option.
• Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of all other apps.
• Disallowed: This rule specifies criteria for apps that MUST NOT be installed.
5. Under Rule Entries, provide one or more entries to identify the apps you want to control. Fill out
each entry using the guidelines that follow:
6. For App, select one of the values listed below to indicate if you are providing a partial or exact match
with the app name or identifier, or if you’re providing a MS Store GUID.
If you selected Required, then you must select Identifier Equals or Name Equals. Required is not
supported for Windows.
Operator Value | Use for: | App Identifier / Name field must have:
Identifier Contains | iOS, macOS, and Android | At least a partial match with the app identifier
Identifier Equals | iOS, macOS, and Android | An exact match with the app identifier.
MS Store GUID Equals | Windows Phone 8.1 and Windows 10 Desktop | An exact match with the application’s MS Store GUID
Publisher/PFN Equals | Windows 10 Desktop | Dynamic lookup of the Publisher Product Family Name (PFN) from the Windows Store Search window. See "App Control for Windows 10 Desktop devices" on page 28
EXE/Win32 Equals | Windows 10 Desktop | See "Identifying the GUID for a Windows Phone app" on page 30 for details.
Name Contains | iOS, macOS, and Android | At least a partial match with the app name
Name Equals | iOS, macOS, and Android | An exact match with the app name.
TABLE 1. APP CONTROL RULES
7. In the App Identifier / Name field, you can use the application name, unique application identifier,
or MS Store GUID as follows:
• App name: For iOS, macOS, or Android, type in the official app name you want to match. Do not
  enter wildcards. If you don’t know the official name, enter text that you will be able to identify with
  this app. After a managed device has installed the app once, the Installed Apps page will display
  the app’s official name. You can then change this field to match.
• App identifier: For iOS and macOS you can enter the app’s unique bundle ID, or for Android its
  package name. Using the unique app identifier instead of the app name helps to ensure that a
  security policy doesn’t unexpectedly block access to important apps when or if an app developer
  changes the name of an app.
8. For WP8.1 enter the MS Store GUID of the app. (See also: "Identifying the GUID for a Windows Phone
app" on page 30.)
9. In the Device Platform list, select the platform to which you want to apply this entry.
10. In the optional Comment field, you can enter a note about the purpose of the entry.
11. To add another rule entry, click the + icon.
12. Click Save.
When editing the App Control Rules dialog box, upon clicking Save, you will be asked to
confirm your changes.
13. This app control rule is now defined.
14. To put this app control rule into use, select it in the Access Control section of the appropriate
Security Policy dialog, as described next.
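
The following Python example is added here to show how the rule types, the Required-over-Disallowed precedence and the iOS/macOS/Android match operators described above interact when a device's reported inventory is checked; it is not Ivanti code and calls no Ivanti EPMM API. The app names, com.example identifiers and rule names are constructed, and case-sensitive matching is an assumption because the guide does not state it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    identifier: str  # bundle ID (iOS/macOS) or package name (Android)


# The four operators the rule-entry table lists for iOS, macOS and Android.
# Assumption: comparisons are case-sensitive; the guide does not say.
OPERATORS = {
    "Identifier Equals": lambda app, value: app.identifier == value,
    "Identifier Contains": lambda app, value: value in app.identifier,
    "Name Equals": lambda app, value: app.name == value,
    "Name Contains": lambda app, value: value in app.name,
}


@dataclass(frozen=True)
class Entry:
    operator: str
    value: str

    def matches(self, app: App) -> bool:
        return OPERATORS[self.operator](app, self.value)


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str  # "Required", "Allowed" or "Disallowed"
    entries: tuple

    def __post_init__(self):
        if self.rule_type not in ("Required", "Allowed", "Disallowed"):
            raise ValueError(f"unknown rule type: {self.rule_type}")
        for entry in self.entries:
            if entry.operator not in OPERATORS:
                raise ValueError(f"unsupported operator: {entry.operator}")
            # Guide: a Required rule must use Identifier Equals or Name Equals.
            if self.rule_type == "Required" and not entry.operator.endswith("Equals"):
                raise ValueError("Required rules need an Equals operator")


def evaluate(inventory, rules):
    """Return (alert, detail) pairs for one device's reported app inventory."""
    by_type = {"Required": [], "Allowed": [], "Disallowed": []}
    for rule in rules:
        by_type[rule.rule_type].extend(rule.entries)
    # Guide: Allowed and Disallowed rules cannot share a security policy.
    if by_type["Allowed"] and by_type["Disallowed"]:
        raise ValueError("select Allowed or Disallowed rules, not both")

    violations = []
    for entry in by_type["Required"]:
        if not any(entry.matches(app) for app in inventory):
            violations.append(("Required app not found", entry.value))
    for app in inventory:
        required = any(e.matches(app) for e in by_type["Required"])
        # Required takes precedence over Disallowed when both match an app.
        if not required and any(e.matches(app) for e in by_type["Disallowed"]):
            violations.append(("Disallowed app found", app.identifier))
        if by_type["Allowed"] and not any(e.matches(app) for e in by_type["Allowed"]):
            violations.append(("App found that is not in Allowed Apps list", app.identifier))
    return violations


# Constructed inventory: the developer renamed "ChatNow" to "ChatNow Pro",
# but the app identifier stayed the same.
INVENTORY = [
    App("ChatNow Pro", "com.example.chatnow"),
    App("Agent", "com.example.agent"),
]
NAME_RULES = [Rule("need-chat", "Required", (Entry("Name Equals", "ChatNow"),))]
ID_RULES = [Rule("need-chat", "Required", (Entry("Identifier Equals", "com.example.chatnow"),))]
CONFLICT = [
    Rule("block-vendor", "Disallowed", (Entry("Identifier Contains", "com.example."),)),
    Rule("need-agent", "Required", (Entry("Identifier Equals", "com.example.agent"),)),
]

if __name__ == "__main__":
    for label, rules in (("name", NAME_RULES), ("identifier", ID_RULES), ("conflict", CONFLICT)):
        print(label, "->", evaluate(INVENTORY, rules))
```

With the constructed inventory, the name-based Required rule reports the renamed app as missing even though it is installed, while the identifier-based rule does not; in the conflict case only the app that is not also required is reported as disallowed.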
Step 3: Edit the privacy policy
App Control does not function unless the administrator changes the default privacy policy setting of "App
Catalog Apps" to "All Apps."
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select Default Privacy Policy and then select Edit.
The Modify Privacy Policy dialog box opens.
3. In the Apps field, select All Apps.
4. Click Save.
Step 4: Apply the app control rule to a security policy
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select the security policy you want to work with.
3. In the Policy Details pane, click Edit. The Modify Security Policy dialog box opens.
4. Scroll down to the Access Control section.
5. Under For All Platforms, select the check box “when a device violates following App Control
rules:”. The field activates.
6. In the drop-down list, select the action you want to perform if the app control rule is violated. You
can select from:
• Block Email, AppConnect apps, and Send Alert: This option prevents the device from accessing
email via ActiveSync and generates a policy violation alert, if configured. This option also
unauthorizes AppConnect apps, and blocks app tunnels.
• Send Alert: This option generates a policy violation alert if you have configured the alert in Logs
> Event Settings page.
• Any custom compliance actions you have created, which will appear in this list.
7. Under Rule Type: Required, select the rules you want to apply, if any, and click the arrow button to
move them from the Available list to the Enabled list.
The list of items that appear in the Available column are the App Control Rules you defined in the
previous setup step.
8. To apply allowed-type or disallowed-type rules, select either Rule Type: Allowed or Rule Type:
Disallowed. You may not select both in the same security policy.
9. Select the allowed-type or disallowed-type rules you want to apply and click the arrow button to
move them from the Available list to the Enabled list.
10. Click Save.
11. Apply the security policy to a label that is also applied to the target devices. Click Actions > Apply to
Label.
The app control rules are now defined and applied to the devices through the security policy.
Editing app control rules
To edit an app control rule, click the edit icon next to the rule in the Apps > App Control page. Note that
you cannot change the type of an app control rule if that rule has been applied to a security policy. To delete
it, remove it from the security policy first.
Viewing app control status
In addition to the alerts you can configure, Ivanti EPMM displays app control status for devices in the
Devices & Users > Devices page. Select the entry for a device in violation to see details in the Device
Details pane.
Click the caret next to the device entry to open the device details pane. Click Compliance to see the app
control status information.
FIGURE 2. VIEWING APP CONTROL COMPLIANCE STATUS
The following table shows the icons that indicate app control violations:
Icon Description
App control violation
Required app violation
Allowed app violation
Disallowed app violation
App Control for Windows 10 Desktop devices
This feature is for Windows 10 Desktop only.
AppLocker allows administrators to block specific apps from being downloaded or executed. You can block
apps by using one of the following two approaches:
• Excluding apps (blacklist) - specifying apps to block.
• Including apps (whitelist) - identifying allowed apps and excluding all other apps not on the list and
all systems not defined by the administrator.
Use the dynamic lookup feature to look up the Publisher/PFN (Product Family Name) in the Microsoft Store
and include or exclude apps in security policies.
Creating a rule to block apps from Windows 10 desktop devices
This section covers how to create an app control rule excluding specified apps using dynamic lookup. This
procedure describes:
• Using dynamic lookup to create a rule (called Blacklist) that excludes specified apps.
• Applying the Blacklist rule to a security policy.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Control > Add. The Add App Control Rule
dialog box opens.
2. Enter Blacklist in the Name field as the name of the rule.
3. Select Disallowed for the Type option.
4. Select Publisher/PFN Equals from the App drop-down.
Leave the App Identifier/Name blank.
5. Select Windows from the Device Platform drop-down.
The Windows icon appears next to the Comment field when you select Windows as the platform.
6. Click the Windows icon to open the Windows Store Search dialog box.
7. Click the Windows option.
8. Locate the app and click the Select button to automatically insert the PFN into the App
Identifier/Name field.
9. (Optional) Click the green plus (+) sign to add more apps to the rule, as necessary.
10. Click Save.
When editing the App Control Rules dialog box, upon clicking Save, you will be asked to
confirm your changes.
Applying a rule to block apps from Windows 10 desktop devices
When you block an app that is in use and installed from the Microsoft Store, the app will continue to run
until users close it. When users open a blocked app, Windows displays a message informing users that the
app has been blocked by their system administrator. Ivanti EPMM sends instructions to the OS to block the
specified app(s).
When users try to install a blocked app, they will see a message that the app has been blocked due to
company policy.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select Default Security Policy and click Edit.
3. Scroll to the For Windows Devices section in the Access Control group.
4. Click the box next to Application Restrictions and select Blacklist from the drop-down.
5. Click Save.
Identifying the GUID for a Windows Phone app
The GUID is a unique number that identifies the app in the Microsoft ecosystem. In the Windows Phone
Store, select the app. The URL for the app includes the GUID. The GUID is the alphanumeric section at the
end of the URL.
Example:
http://www.windowsphone.com/en-us/store/app/netflix/c3a509cd-61d6-df11-a844-00237de2db9e
In the example, the GUID is c3a509cd-61d6-df11-a844-00237de2db9e.
Viewing installed apps
The Apps > Installed Apps page displays the apps that Ivanti EPMM has detected on managed devices.
Only the apps that were installed on devices after the manufacturer’s image was loaded are listed. The
privacy policy assigned to a device can determine whether or not the device reports its installed apps to
Ivanti EPMM.
Administrators must have the managed apps role in order to see this option.
This section includes the following sub-sections:
• "What’s in an app name?" below
• "Synchronizing app inventory" below
• "Determining which apps devices will report" on the next page
• "Filtering the App Catalog inventory view" on the next page
• "Displaying the devices on which an app is installed" on page 33
• "Basic searching in Installed Apps page" on page 33
• "Export Installed Apps data from the App Catalog" on page 33
Ivanti EPMM does not support viewing installed apps for MAM-only iOS devices.
What’s in an app name?
The app names displayed on the Installed Apps page are the names reported by the apps installed on
managed devices, not the name you assigned when you added an app to the App Catalog. Therefore, if you
are looking for an app you know is installed, but you cannot find it, make sure you are looking for the
correct name. Note that any control characters found in the reported app name are converted to spaces in
Ivanti EPMM, and app names are stored without regard to case.
Synchronizing app inventory
App inventory data is updated based on the Sync Interval specified in the Sync policy. Therefore, inventory
changes on the device are not reflected in real time on the Installed Apps page. During testing, you can use
one of the following methods to decrease the amount of time it will take to update the inventory:
• Decrease the Sync Interval in the Sync policy.
• Use the Force Device Check-in feature in the Ivanti EPMM Admin Portal (for supported platforms).
Go to Devices & Users > Devices; select the device and click Actions > Force Device Check-in.
• Use the Connect Now/Check for Updates/Refresh feature in the client (for supported platforms).
• Check for updated configurations (for iOS).
Determining which apps devices will report
The Privacy policy assigned to a device determines whether the device reports its installed apps. If the Apps
option in the privacy policy is set to None, then installed apps data for the device do not appear in the App
Catalog.
Also note that changing the setting Apps to None in the Sync policy drops the current inventory data.
Setting Apps back to Sync Inventory re-enables inventory reporting for iOS (with timing governed by the
Sync Interval specified in the sync policy). For all other platforms, you must make a change in the app
distribution or reboot the device in order to restart the inventory process.
App filters for iOS installed apps
The App Filters feature in the Privacy policy allows you to control which iOS apps are reported on the
Installed Apps page. Select a choice in the iOS Installed App Inventory drop-down to set the device to
report only iOS managed apps or a list of apps that the administrator specifies. All other apps on the user’s
device are not reported to Ivanti EPMM, providing additional privacy to the device user.
Filtering the App Catalog inventory view
In the App Catalog, you can filter the inventory display by:
• Label
• Source
• Platform
For example, to display iOS apps that are on company-owned devices and contain the letter “A”, you would
select iOS from the Platform list, select Company-Owned from the Labels list, and enter A in the Search
by Name field. Clicking the Search button begins the search.
Click Reset to clear the search results.
Displaying the devices on which an app is installed
Each app entry on the Installed Apps page includes the number of devices on which the app has been
installed in the Devices Installed column. The displayed number is a link. Click the link to display a list of the
devices on which the app is installed.
Basic searching in Installed Apps page
The Device Details section of the Installed Apps page displays information about devices, but also allows
administrators to take actions.
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > Installed Apps.
2. Select the Source and the Platform.
3. Locate the app.
4. Use the search box or sort columns to quickly find the app you want.
5. Click the number link in the Devices Installed column.
In addition to viewing the device details, you can take the following actions from this page:
• Send Message to a device
• Force Device check-in
• Retire a device
You can also view apps installed on a device by going to the Device Details page and clicking on the Apps
tab.
For Windows 10 devices with more than 100 apps, the App inventory is updated in the database.
Related topics
"Running an advanced search of Installed Apps" on page 35
Export Installed Apps data from the App Catalog
You can manage data more easily by exporting data about apps installed on devices to an Excel spreadsheet.
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > App Catalog.
2. Select the Source and the Platform.
3. Locate the app.
4. Use the search box or sort columns to quickly find the app you want.
5. Click the number link in the Devices Installed column to open the Device Details page.
6. Click Export to CSV to create an Excel spreadsheet containing the details of the selected app.
7. Locate the .csv file, open, modify, and save, as necessary.
The exported spreadsheet contains the following information:
• Device UUID
• User Name
• User ID
• Platform
• Model
• Mobile Number
• Device Space
• App Version
• Managed
• App Name
• App Identifier
Related topics
"Managing app inventory" on the next page
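The trade-off described for the App Identifier / Name field (app name versus unique identifier) and the name handling under "What’s in an app name?" can be checked offline against an Installed Apps export. The following Python sketch is an added example, not Ivanti code: the CSV header names are assumed to mirror the field list above, the rule kinds name_equals, name_contains and identifier_equals are hypothetical labels that model the matching, and the sample rows are constructed.

```python
import csv
import io
import unicodedata

# Constructed sample export. Header names are an assumption: they mirror the
# field list in the guide and are not taken from a captured EPMM file.
SAMPLE_EXPORT = (
    "Device UUID,User Name,User ID,Platform,Model,Mobile Number,Device Space,"
    "App Version,Managed,App Name,App Identifier\n"
    "dev-0001,Ana Ruiz,aruiz,iOS,iPhone 13,,Global,2.1,false,FileSync,com.example.filesync\n"
    "dev-0002,Ben Okoye,bokoye,iOS,iPhone 14,,Global,3.0,false,FileSync Pro,com.example.filesync\n"
    "dev-0003,Chloe Tan,ctan,iOS,iPad Air,,Global,2.1,false,FILESYNC,com.example.filesync\n"
    "dev-0004,Dev Patel,dpatel,iOS,iPhone 13,,Global,5.4,true,CalendarSync,com.example.calsync\n"
)

# Hypothetical rule labels modelling the matching options the guide describes.
RULE_NAME_EQUALS = {"kind": "name_equals", "value": "FileSync"}
RULE_NAME_CONTAINS = {"kind": "name_contains", "value": "sync"}
RULE_IDENTIFIER = {"kind": "identifier_equals", "value": "com.example.filesync"}


def normalize_name(name):
    """Apply the guide's storage rules: control characters become spaces and
    case is ignored."""
    spaced = "".join(" " if unicodedata.category(ch) == "Cc" else ch for ch in name)
    return spaced.casefold()


def rule_matches(rule, row):
    """Return True when one export row matches one rule."""
    kind, value = rule["kind"], rule["value"]
    if kind == "identifier_equals":
        # Assumption: identifiers are compared exactly, including case.
        return row["App Identifier"].strip() == value
    name, wanted = normalize_name(row["App Name"]), normalize_name(value)
    if kind == "name_equals":
        return name == wanted
    if kind == "name_contains":
        return wanted in name
    raise ValueError(f"unknown rule kind: {kind}")


def devices_hit(csv_text, rule):
    """Sorted Device UUIDs whose rows match the rule."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({row["Device UUID"] for row in rows if rule_matches(rule, row)})


def compare_rules(csv_text, name_rule, identifier_rule):
    """Devices the identifier rule catches that the name rule misses, and
    devices the name rule catches that the identifier rule does not."""
    by_name = set(devices_hit(csv_text, name_rule))
    by_identifier = set(devices_hit(csv_text, identifier_rule))
    return {
        "missed_by_name": sorted(by_identifier - by_name),
        "extra_by_name": sorted(by_name - by_identifier),
    }


if __name__ == "__main__":
    # A renamed build ("FileSync Pro") slips past the exact-name rule.
    print(compare_rules(SAMPLE_EXPORT, RULE_NAME_EQUALS, RULE_IDENTIFIER))
    # A partial-name rule also catches an unrelated managed app.
    print(compare_rules(SAMPLE_EXPORT, RULE_NAME_CONTAINS, RULE_IDENTIFIER))
```

Running the same comparison on a real export before enabling a name-based rule shows which devices the rule would miss after an app rename and which unrelated apps a partial match would pull in.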
Managing app inventory
You can use the Apps > Installed Apps page to help manage the apps that are appearing in your
enterprise. Note that in order to see the Installed Apps tab, you need to have the Apps Inventory role in the
Admin section.
This section includes the following sub-sections:
• "Running an advanced search of Installed Apps" below
• "Exporting search results to a CSV" on page 37
• "Device field definitions" on page 38
• "What happens when an app is removed?" on page 40
Running an advanced search of Installed Apps
As data sets get larger, it is increasingly important to have a powerful search. Besides using the search
capability in the App Catalog, administrators can use the advanced search capability in Installed Apps to
build complex queries using the full set of available criteria (see "Using the query builder" and "Using both
the query builder and manual editing" in the Ivanti EPMM Device Management Guide for your OS).
The Advanced Search feature in the Apps > Installed Apps tab allows administrators to search for apps
by combinations of attributes.
Before you begin
• Multiple apps need to be installed in the App Catalog.
• The Detail View in Advanced Search will display the app rating and app score for each app if you have
set up an app rating service in Settings > System Settings > Additional Products > App
Reputation.
Procedure
1. Log into the Ivanti EPMM Admin Portal.
2. Go to Apps > Installed Apps.
3. In the left pane, select the level of detail in the App Detail section.
• The Summary View gives you information about the app, for example, listing the App
Permissions for a specific app.
• Ivanti recommends you select Detail View; more information is displayed in this view.
4. In the left pane, select the Platform you wish to search on.
5. In the right pane, select the Advanced Search button located at the top left, above the table.
The query builder displays.
6. Using the query builder, enter search criteria or type the search expression directly. See "Device field
definitions" on page 38.
7. Click Search. The results display in the table below.
8. In the search results, select the link in the Devices Installed column of a specific app.
The Device Details dialog box opens.
9. The columns in the Device Details dialog box change according to the field you searched on. For
example, if you searched on Permission Count, the Permissions Count column displays the
information.
If you have set up an app rating service in Settings > System Settings > Additional
Products > App Reputation, then the Device Detail dialog box will display the App Rating
and App Score for the apps listed.
10. If you want to toggle between Summary View and Detail View, close the Advanced Search by
selecting the Advanced Search button.
11. In the left pane, select either Summary View or Detail View.
12. Select the Advanced Search button. Your last search criteria displays.
13. Select the Search button.
Exporting search results to a CSV
Administrators can export the results of an advanced search of the App Inventory page to a
CSV. The CSV includes all the fields in Summary View and Detail View. This applies to all apps in the App
inventory page.
Exporting search results will take several minutes.
Exporting results from an advanced search to a CSV
The exported CSV includes all the fields in Summary View and Detail View.
1. Go to Apps > Installed Apps.
2. Run an Advanced Search. See "Running an advanced search of Installed Apps" on page 35.
3. Click the Export to CSV link next to the Advanced Search button.
An Export CSV Spreadsheet dialog box displays, stating "Results from the Advance Search Criteria will
be exported."
4. Confirm by clicking Export.
5. "Export to CSV is in progress" displays while the report is compiled.
6. In the Installed Apps page, to the right of the Export to CSV button, click the Download Report link.
The report downloads.
If you click on the Export to CSV button before selecting the Download Report link, or
while the CSV export is in progress, a new CSV export will start.
Exporting to a CSV without running an advanced search
Export a CSV of the App Inventory data using the Platform selection in the Filters pane.
Procedure
1. Go to Apps > Installed Apps.
2. In the Filters pane on the left, make your selections in the App Detail and Platform sections.
3. In the right pane, click the Export to CSV link next to the Advanced Search button.
4. The Export CSV Spreadsheet dialog box opens, listing the criteria that will be downloaded to the CSV
file.
5. Confirm by clicking Export.
6. "Export to CSV is in progress" displays while the report is compiled.
7. In the Installed Apps page, to the right of the Export to CSV button, click the Download Report link.
The report downloads.
If you click on the Export to CSV button before selecting the Download Report link, or
while the CSV export is in progress, a new CSV export will start.
Device field definitions
This section covers the device field definitions found in the Advanced Search section of Installed Apps.
These fields also display when exporting to a CSV file.
Field | Description
Alt Version | Lists the alternate version number of the app in the Alt App Version column within the Device Details dialog box.
App Rating | Provides app reputation data for apps detected on managed devices. This information helps you protect your organization from malware. Search options are: Not Rated, OK, Risky, Malware. For this to work, you must have the Enable App Reputation option selected. See "Malware prevention: app reputation" on page 46.
App Score | Lists the app score of the selected app. For scoring levels and definitions, see "Malware prevention: app reputation" on page 46.
Date Found | The date an app was first reported by a managed device. This is important when investigating possible issues with the app. Options to search on are last [number] of days and selecting a custom date. In Summary View, the search results display in the First Found column. Click the column header to sort the rows by this field.
Display Version | Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Identifier | Lists the Bundle ID of the app.
Installed Count | Lists the total number of devices the specific app is installed on. Installed Count does not work using the "Any" option in Advanced Search.
Managed | True = Total Managed Installations of a specific app. These are Managed Apps that are present in the App Catalog and in the App Inventory. False = Unmanaged apps. Apps that are installed on devices (present in the Installed Apps page) but are not present in the App Catalog.
Name | Name of the app.
Permissions Count | Lists apps that have the number of permissions that was searched on; for example, entering "2" into the search criteria will bring up all apps that have 2 permissions applied to them. In Detail View, Ivanti EPMM displays the Permissions Count for each app in the Permissions column. Click the number in the Permissions column to display the permissions.
Platform Type | OS platform drop-down with all available options.
Publisher | Name of the app publisher.
Source Type | Where the app originated from. Options to search on are: Market, Non Market, Windows System, Windows Desktop, Unknown.
Version | Displays the version number of the app in the App Version column within the Device Details dialog box.
TABLE 2. DEVICE FIELD DEFINITIONS
What happens when an app is removed?
Once an app is removed from all managed devices, the entry for that app no longer appears in the Installed
Apps page. If you want to be able to track which apps you have determined to be “bad”, consider adding
the information in the Comment field for an app control rule.
App management action workflows
This section addresses dependent and prerequisite apps and how to manage them.
• A "dependent" app is an app / in-house app that has dependencies on one or more apps in order to
function correctly. In application associations, a dependent app can have only one level of
prerequisite app support. This means a prerequisite app cannot be a dependent app for another app.
• A "prerequisite" app is an app that is required to be installed so that the dependent app can fully
function.
Overview of the device users' workflow
For Apps@Work users, when a device user taps a (dependent) app to install, the user is informed that
prerequisite app(s) are required to be downloaded first. Once the prerequisite app(s) are downloaded, the
user can then download the main / dependent app. The user is prompted to tap Install or Install All
to install the prerequisite apps, and is then prompted to install the dependent app.
This applies to managed apps, unmanaged apps and in-house apps. For Android devices, the user will need
to manually install each of the prerequisite apps before installing the dependent app.
All apps that users download from Apps@Work are considered managed apps. If a prerequisite app is
subsequently removed from a label, in Apps@Work the device user will see a "Not Available" text after the
prerequisite app name listed.
Overview of the administrator's workflow
1. As a convenience to the end user, in Ivanti EPMM, the administrator can associate a prerequisite app
to a dependent app. See "To associate a prerequisite app to a dependent app: " below.
2. The administrator then assigns the dependent app to a label (the prerequisite apps are automatically
assigned to the same label.) See "To assign a label to a dependent / prerequisite app:" on page 43.
As long as the administrator has the Enforce this version for Mandatory Apps check box selected, the
device user will download the latest version of that app.
Manage prerequisite app
The Manage Prerequisite App action item is used by administrators and is applicable for iOS, macOS,
Android, and Android Enterprise platforms. A prerequisite app could be set to mandatory for the specific
label. This ensures that if a user inadvertently removes the app, upon the device's next check in, the app will
be pushed to the device.
To associate a prerequisite app to a dependent app:
Once a prerequisite app has been associated, it cannot be defined as a dependent app and vice versa.
Unless the association is removed, apps deployed by the Administrator within the last 30 days are displayed
in a New Releases section on the Apps@Work home page.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate and select the dependent app; only one app of the same platform can be selected.
5. Select Actions > Manage Prerequisite App.
6. In the Manage Prerequisite App dialog box, use the search box to quickly find the prerequisite app
you want to assign to the dependent app. You can select one or more prerequisite apps. Whatever
label that is associated to the dependent app will be applied to the prerequisite app, for example,
iOS.
7. Select the app and then select Apply.
8. The dependent app now has the prerequisite app associated to it and vice versa. In the App Catalog,
this information displays in the App Dependencies column. Hovering over the item in the App
Dependencies column displays the application name, source and version number the prerequisite /
dependent app is associated to.
The audit logs capture the following information: administrator name, date, action, app names, and app
dependencies created.
To make the prerequisite apps a mandatory installation in Apps@Work, see Managing installed iOS
and macOS apps. To send installation requests to users of Apps@Work, see Notifying users of new
iOS and macOS apps or app updates.
To remove the association of a dependent / prerequisite app:
You can remove the association of prerequisite apps to dependent apps.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate and select the dependent app.
5. Select Actions > Manage Prerequisite App.
6. In the Manage Prerequisite App dialog box, use the search box to quickly find the prerequisite app
you want to remove.
7. Clear the prerequisite app check box and then select Apply.
8. In the App Catalog > App Dependencies column, both the prerequisite app and its associated
dependent app are not displayed.
The audit logs capture the following information: administrator name, date, action, app names, and app
dependencies deleted.
To assign a label to a dependent / prerequisite app:
After associating the prerequisite app to a dependent app, you need to apply a label to the dependent app.
Once a dependent app is assigned to a label, prerequisite apps are automatically associated to the same
label.
If a prerequisite app is removed from a label, in Apps@Work, device users will see a "Not Available" text
after the listed prerequisite app name.
When a master Apple license app is assigned to non-Apple license labels, the prerequisite apps are
auto-assigned to those labels. However, if a primary Apple license app is assigned to Apple license labels,
auto-assigning to Apple license labels will not occur. Administrators will need to manually apply Apple license
prerequisite apps to Apple license labels.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate and select the dependent app.
5. Select Actions > Apply to Label.
6. In the Apply to Label dialog box, select the prerequisite app and then select Apply.
7. In the App Catalog > App Dependencies column, both the prerequisite app and its associated
dependent app are displayed.
To remove a label from a dependent / prerequisite app:
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Select the Source and the Platform.
4. Locate and select the prerequisite app.
5. Select Actions > Manage Prerequisite App.
6. In the Manage Prerequisite App dialog box, use the search box to quickly find the prerequisite app
you want to associate.
7. Clear the app's check box and then select Apply.
8. In the App Catalog > App Dependencies column, both the prerequisite app and its associated
dependent app are not displayed.
If the prerequisite app is removed from the label without removing the association, then device
users will see a "Not Available" text after the listed prerequisite app name.
The audit logs capture the following information: administrator name, date, action, app names, and app
dependencies deleted.
To make the prerequisite apps a mandatory installation in Apps@Work, see Managing installed iOS
and macOS apps. To send installation requests to users of Apps@Work, see Notifying users of new
iOS and macOS apps or app updates.
For detailed instructions on working with apps for each platform, see:
• "Managing apps for iOS and macOS" on page 61
• "Managing mobile apps for Android" on page 162
• "Managing apps on Windows devices" on page 243.
Ivanti EPMM does not support viewing device information for apps installed on MAM-only iOS
devices.
Override for in-house app URLs
Ivanti EPMM supports an alternative for off-loading distribution of in-house apps to alternate HTTP servers.
This option is intended only for those customers who meet all of the following criteria:
• Numerous internally-developed apps for distribution to thousands of devices
• A trusted and secure internal network
• Available HTTP servers
• Concerns about performance impact on Ivanti EPMM
• Ability to manually synchronize apps between Ivanti EPMM and an alternate location
This alternative enables you to specify an override URL, per app, to be used for in-house app distribution.
Ivanti EPMM routes download requests to this alternate location. The following diagram illustrates a typical
deployment.
FIGURE 1. OVERRIDE FOR IN-HOUSE APP URLS
This feature uses unauthenticated URLs. Therefore, this feature is intended for use behind the firewall, using
a trusted and secure internal network. The URL should use the HTTPS, not HTTP, URL scheme. However, the
feature allows you to use the HTTP URL scheme. Before you use an HTTP URL, make sure you understand
the risks of using an insecure connection.
This section includes the following sub-sections:
• "Implementing app source override in Ivanti EPMM" below
• "Manual synchronization of apps for override URLs" on the next page
Implementing app source override in Ivanti EPMM
If you have the supporting infrastructure in place, complete the following steps to implement app source
override:
1. In Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select the appropriate OS from the Platforms list.
3. As you complete the forms in the app wizard, include an appropriate URL in the Override URL field.
The URL must point to the in-house app in its alternate location.
If you are using the HTTP URL scheme, select Allow app downloads over insecure networks. Make
sure you understand the risks of using insecure networks.
4. Finish adding the app and assign an appropriate label to the app.
Manual synchronization of apps for override URLs
Ivanti EPMM does not synchronize the apps configured in Apps@Work with those stored on the HTTP
server in this override URL configuration. The administrator must perform this maintenance manually and
develop a process for ensuring proper synchronization.
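Because synchronization is left to the administrator and the override URLs are unauthenticated, one useful part of that process is a periodic check that the alternate server holds the same bytes as the build added to the App Catalog. The following Python sketch is an added example, not Ivanti code: the two directories (a local folder of the builds uploaded to Ivanti EPMM and a mounted copy of the HTTP server's content), the host name apps.internal.example and the finding labels are assumptions, and the files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit


def sha256_file(path):
    """Hash a file in chunks so large app packages do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_overrides(entries, catalog_dir, mirror_dir):
    """Check each (file name, override URL) pair.

    catalog_dir: folder holding the builds that were added to the App Catalog.
    mirror_dir:  folder holding what the alternate HTTP server distributes.
    Returns a list of (file name, finding) tuples; an empty list means the
    override configuration and the mirror agree with the catalog builds.
    """
    findings = []
    for file_name, override_url in entries:
        parts = urlsplit(override_url)
        # The guide recommends HTTPS; flag any other scheme for review.
        if parts.scheme.lower() != "https":
            findings.append((file_name, "insecure-scheme"))
        # The URL should point at the same package the catalog entry describes.
        if PurePosixPath(parts.path).name != file_name:
            findings.append((file_name, "url-names-other-file"))
        source = Path(catalog_dir) / file_name
        mirror = Path(mirror_dir) / file_name
        if not source.is_file():
            findings.append((file_name, "missing-in-catalog"))
        elif not mirror.is_file():
            findings.append((file_name, "missing-on-mirror"))
        elif sha256_file(source) != sha256_file(mirror):
            # Stale or altered copy: devices would install different bytes
            # from the build the administrator added.
            findings.append((file_name, "content-drift"))
    return findings


def demo():
    """Run the audit over constructed files and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        catalog, mirror = Path(tmp, "catalog"), Path(tmp, "mirror")
        catalog.mkdir()
        mirror.mkdir()
        # In sync on both sides.
        (catalog / "expense.ipa").write_bytes(b"expense build 42")
        (mirror / "expense.ipa").write_bytes(b"expense build 42")
        # Mirror still holds an older build.
        (catalog / "badge.apk").write_bytes(b"badge build 7")
        (mirror / "badge.apk").write_bytes(b"badge build 6")
        # Never copied to the mirror, and configured with an HTTP URL.
        (catalog / "kiosk.ipa").write_bytes(b"kiosk build 3")
        entries = [
            ("expense.ipa", "https://apps.internal.example/inhouse/expense.ipa"),
            ("badge.apk", "https://apps.internal.example/inhouse/badge.apk"),
            ("kiosk.ipa", "http://apps.internal.example/inhouse/kiosk.ipa"),
        ]
        return audit_overrides(entries, catalog, mirror)


if __name__ == "__main__":
    for file_name, finding in demo():
        print(f"{file_name}: {finding}")
```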
Malware prevention: app reputation
Integration with App authority provides app reputation data for apps detected on managed devices. This
information helps you protect your organization from malware.
This section includes the following sub-sections:
• "Enabling app reputation" below
• "Confirming configuration of the app reputation service" on page 48
• "Viewing app reputation data" on page 48
Enabling app reputation
Before using an app reputation service:
• Find out whether or not the service supports the Apps@Work APIs and can be used with
  Apps@Work
• Get a URL for their service
• Determine the service’s rating range (for example, 0 to 50)
• Determine what the low and high numbers in the service’s rating range indicate (do low numbers
  indicate a high or low threat?)
Procedure
1. Consider configuring debug mode for MIFS logs (in System Manager).
Debug logs will capture successful configuration. Otherwise, you will have no indication if you
mistype the license key for the reputation service.
2. Go to Settings > Additional Products.
3. Click App Reputation.
4. Select the Enable App Reputation option.
5. Use the following guidelines to complete the displayed fields:
| Item | Description |
|---|---|
| Reputation Service URL | Enter the URL your app reputation service provided. |
| Authentication Type | Select Basic or Token Authentication. |
| Name/Password | Specify a username and password when you select Basic Authentication. |
| Authentication Key | Provide an authentication key when you select Token Authentication. |
| Rating Range Low Value | Enter the low number of the service’s range. |
| Rating Range High Value | Enter the high number of the service’s range. |
| Rating Scale | Click Low to indicate that apps with ratings lower than the Rating Threshold have the highest threat level (for example, if the range is 0 to 100, and the Rating Threshold is 60, apps with a rating of 60 or below have a high threat rating). Click High to indicate that apps with ratings higher than the Rating Threshold have the highest threat level (for example, if the range is 0 to 100, and the Rating Threshold is 65, apps with a rating of 65 or more have a high threat rating). |
| Rating Threshold | Specify the rating you select as the limit for determining whether an app has a high or low threat rating. It is used in combination with Rating Scale to determine the app threat risk. |
| Check Interval | Select an interval for contacting the reputation service to retrieve updated reputation data: Daily (update occurs at midnight each day), Weekly (update occurs at midnight between Saturday and Sunday), or Monthly (update occurs at midnight before the first of the month). The reputation data is stored on Apps@Work. The day of the week and time of the update are not configurable. |
6. Click Save.
An initial sync begins shortly after initial configuration. Thereafter, the Check Interval setting determines
when Apps@Work contacts the reputation service.
Confirming configuration of the app reputation service
You can use the following keywords to check the logs for successful configuration of the reputation service:
• appReputationEnabled=true
• Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?
• appReputationServiceOption=Appthority
• appRatingThreshold
• appReputationIntervalOption
• Rescheduling Appthority-Sync-Job with schedule
• AppthoritySyncJob.execute
• Done with sync job
• scores.length
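The keyword check above can be scripted so that a saved configuration whose sync never completed stands out. This is an added example, not Ivanti tooling: the grouping of the keywords into three stages is an assumption made here, and the sample log lines are constructed (real MIFS debug log lines will be laid out differently).

```python
"""Check a debug log for the app reputation keywords (added example)."""
import re

# Keywords listed in the guide. Grouping them into stages is an assumption
# of this example; the guide gives one flat list.
STAGES = {
    "settings saved": {"need": "all", "keywords": [
        "appReputationEnabled=true",
        "appReputationServiceOption=Appthority",
        "appRatingThreshold",
        "appReputationIntervalOption",
    ]},
    "sync job scheduled": {"need": "any", "keywords": [
        "Enabling Appthority-Sync-Job with schedule",
        "Rescheduling Appthority-Sync-Job with schedule",
    ]},
    "sync job ran": {"need": "all", "keywords": [
        "AppthoritySyncJob.execute",
        "Done with sync job",
        "scores.length",
    ]},
}

# Constructed sample log: timestamps, levels and layout are invented.
SAMPLE_LOG = """\
2023-11-02 22:14:03 DEBUG saving appReputationEnabled=true appReputationServiceOption=Appthority
2023-11-02 22:14:03 DEBUG appRatingThreshold=60 appReputationIntervalOption=DAILY
2023-11-02 22:14:04 INFO  Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?
2023-11-02 22:30:00 DEBUG AppthoritySyncJob.execute start
2023-11-02 22:30:07 DEBUG scores.length=42
2023-11-02 22:30:07 INFO  Done with sync job
"""

# Constructed sample where the job started but never reported completion.
PARTIAL_LOG = "\n".join(SAMPLE_LOG.splitlines()[:4])

SCHEDULE_RE = re.compile(r"Appthority-Sync-Job with schedule:?\s*(\S.*)$")


def find_keywords(log_text):
    """Map each keyword to the 1-based line numbers where it appears."""
    lines = log_text.splitlines()
    hits = {}
    for stage in STAGES.values():
        for kw in stage["keywords"]:
            hits[kw] = [n for n, line in enumerate(lines, 1) if kw in line]
    return hits


def stage_report(log_text):
    """Report, per stage, whether the log confirms it and what is missing."""
    hits = find_keywords(log_text)
    report = {}
    for name, stage in STAGES.items():
        absent = [kw for kw in stage["keywords"] if not hits[kw]]
        if stage["need"] == "any":
            confirmed = len(absent) < len(stage["keywords"])
            missing = [] if confirmed else absent
        else:
            confirmed = not absent
            missing = absent
        report[name] = {"confirmed": confirmed, "missing": missing}
    return report


def last_schedule(log_text):
    """Return the most recent schedule string logged for the sync job."""
    found = None
    for line in log_text.splitlines():
        match = SCHEDULE_RE.search(line)
        if match:
            found = match.group(1).strip()
    return found


if __name__ == "__main__":
    for stage, status in stage_report(PARTIAL_LOG).items():
        print(stage, status)
    print("schedule:", last_schedule(PARTIAL_LOG))
```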
Viewing app reputation data
The Apps > Installed Apps page displays the information about apps detected on managed devices. Select
Detail View to see the app rating and app score columns. Those columns appear if you have enabled app
reputation in Settings > Additional Products > App Reputation.
The values that may appear in the App Rating field are listed in the table below.
TABLE 1. APP REPUTATION RATINGS
| Rating | Description |
|---|---|
| Not Rated | With a score of 0, indicates that Apps@Work has not processed the app yet. With a blank score, indicates that the app is not currently in the designated service’s database. The app might be new or the service might provide app data only for specific operating systems. |
| OK | Indicates that the app’s score exceeds the threshold specified in the App Reputation settings. |
| Risky | Indicates that the app’s score does not exceed the threshold specified in the App Reputation settings. |
| Malware | Indicates that the app’s score does not exceed the threshold specified in the App Reputation settings. |
Apps@Work branding
You can brand Apps@Work on iOS, macOS, and Android devices with your own enterprise app store
branding. To brand Apps@Work, you specify the branding assets in the Ivanti EPMM Admin Portal in Apps
> Apps@Work Settings. The assets that you specify are:
• App Icon
• App Name
• Text color
On Android devices, Apps@Work is part of Ivanti Mobile@Work. Branding requires Ivanti Mobile@Work
9.5.0 for Android or newer versions.
On iOS and macOS devices, Apps@Work is either:
• A web clip provided by Ivanti EPMM
  The assets that you specify are applied to the web clip.
• The Apps@Work container app, an Ivanti EPMM app which you rebrand and sign (iOS MDM devices
  only).
  For the Apps@Work container app, only the app name and app color that you specify in the Ivanti
  EPMM Admin Portal are applied. The app icon you specify in the Ivanti EPMM Admin Portal is not
  used. Instead, the app uses the app icons you provide in the Apps@Work container app package.
This section includes the following sub-sections:
• "Apps@Work custom branding assets" below
• "Apps@Work custom icon requirements" on the next page
• "Apps@Work custom app color requirements" on the next page
• "Relationship of Apps@Work branding with iOS or macOS web clip configuration" on page 52
• "Ivanti EPMM upgrade impact to Apps@Work branding" on page 52
• "Configuring Apps@Work branding" on page 53
• "Android OS limitations to updating the Apps@Work home page icon" on page 53
Related topics
• The tech note Ivanti Apps@Work Container for iOS
Apps@Work custom branding assets
The following table describes the Apps@Work branding assets that you can provide and how they are used:
Asset Android use iOS use
App Icon
• As the home page icon
• In the splash screen
• As the home page icon
• In the splash screen
If you use the Apps@Work container app for iOS, rather than the provided web clip, this icon is
not used. See the tech note Ivanti Apps@Work Container for iOS.
App Name
• Below the home page icon
• Below the splash screen icon
• In the main menu of Ivanti Mobile@Work
• In the navigation bar at the top of the display
• Below the home page icon
• Below the splash screen icon
Text color
• Splash screen
• Splash screen
• Navigation bar
• Home, Categories, and Updates tabs (lighter shade of selected color)
• Buttons
• Selectable text
• Search and review text field borders
• Carousel pagination dots
• Various button text, such as install, download, and update
• Top and bottom borders (lighter shade of selected color)
TABLE 3. APPS@WORK BRANDING ASSETS USAGE
Apps@Work custom icon requirements
The following table gives the requirements for the custom-branding of Apps@Work app icons.
TABLE 1. REQUIREMENTS FOR APP ICONS
| Icon | Dimensions | Format | iOS resolution scale factor | Android densities |
|---|---|---|---|---|
| App Icon | 1024 x 1024 | PNG | @1x, @2x, or @3x | mdpi, hdpi, xhdpi, xxhdpi, or xxxhdpi |
Apps@Work custom app color requirements
For Apps@Work custom branding, you can provide the app color. You can either click on a color box to
select a color, or enter the color directly as a # symbol followed by either three or six of the following
characters:
• 0 through 9
• A through F
Six characters specify a hex color code. A hex color code contains three pairs of hexadecimal numbers, in
which each pair represents the intensity of red, green, or blue (RGB). The characters 00 represent the lowest
intensity of a color, and the characters FF represent the highest intensity.
For example:
• #FF0000 is red
• #00FFFF is aqua
• #FF00FF is fuchsia
Three-character color codes are shorthand for six-character codes. For example, #84D is the shorthand for
both #8042D1 and #8040D0, although the six-character codes represent different shades.
IMPORTANT: Try your app color code on iOS and Android devices. Make sure you do not choose a
color that is hard to see, or easily confused with typical color usage, such as gray for disabled
buttons.
Relationship of Apps@Work branding with iOS or macOS web clip configuration
In the Ivanti EPMM Admin Portal, in Policies & Configs > Configurations, Ivanti EPMM provides a default
web clip configuration for Apps@Work named System - iOS Enterprise AppStore. Because you provide
the custom app name and app icon in Apps > Apps@Work Settings, you cannot edit the Name or Icon
fields in the web clip configuration. You also cannot edit the Address/URL field.
Ivanti EPMM upgrade impact to Apps@Work branding
The following table shows how the more limited Apps@Work branding support in Ivanti EPMM versions
prior to 9.5.0.0 is impacted after upgrading to this version of Ivanti EPMM:

| Feature prior to Ivanti EPMM 9.5.0.0 | Impact after upgrade |
|---|---|
| For iOS devices, you could upload a banner icon. | The icon displays as an App Icon in the Ivanti EPMM Admin Portal in Apps > Apps@Work Settings page. |
| You could modify the Apps@Work name and app icon in the web clip configuration for Apps@Work, which is named System - iOS Enterprise AppStore | Your modifications to the name and icon display in the web clip configuration, but cannot be modified. Enter modifications in Apps > Apps@Work Settings. |

TABLE 4. IVANTI EPMM UPGRADE IMPACT TO BRANDING
After upgrade, iOS devices continue to use existing custom branding settings, if any, until you save
custom branding settings in Apps > Apps@Work Settings. Any new customization will result in
updating the splash screen to white; however, the App Icon and App Text will be preserved.
Configuring Apps@Work branding
You can brand Apps@Work on devices with your own enterprise app store branding. The changes you make
affect the client Home screen, Splash screen, and App Home Screen. "Apps@Work" is the default name for
branding.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > Apps@Work Settings.
2. In the App Storefront Branding section, select Custom Branding.
3. Select the Integrated App Catalog tab.
4. In the Customize App Storefront > App Name section, enter the custom name you want to display in
the App Catalog tab within Ivanti Mobile@Work. The App Name will display at the top of the screen,
above the "All Apps" tab, and in the small tab at the bottom of the Ivanti Mobile@Work screen.
The App Catalog name you enter applies to iOS only.
5. Select the Standalone App Catalog tab. In the Icon section, click Replace Icon.
6. Navigate to and select your custom image for the app icon and then click Upload.
7. In the Text Color section, click on the color box to select a color, or enter the three or six character
color code for your custom app color.
8. Click Save.
Related topics
• "Apps@Work custom icon requirements" on page 51
• "Apps@Work custom app color requirements" on page 51
Android OS limitations to updating the Apps@Work home page icon
When you change the Apps@Work app icon or app name, whether Ivanti Mobile@Work for Android can
automatically update the icon and name on the home page depends on the version of Android running on
the device. The following table summarizes for which Android versions the home page update is automatic.
| | Prior to Android 5.0 | Android 5.0 - 6.0 | Android 7.0 or newer versions |
|---|---|---|---|
| non-Samsung devices | Yes, update is automatic. | No | No |
| Samsung devices | Yes, update is automatic. | Yes, update is automatic. | No |
TABLE 5. IS HOME PAGE ICON AND NAME AUTOMATICALLY UPDATED?
Updates to the app name, app color, and app icon inside the Apps@Work app are automatic on all
versions of the Android OS.
When the update is not automatic, the device user can manually update the new home page icon and name
by doing the following steps.
Procedure
1. Manually remove the existing home page icon (shortcut) for Apps@Work.
2. Launch Ivanti Mobile@Work.
3. Tap the menu icon.
4. Tap Settings > Check for Updates.
Managing app reviews in Apps@Work (Android, iOS, macOS)
This feature is available for Apps@Work on Android, iOS, and macOS devices only. You can manage
app reviews in the global device space only.
As long as an app is available for installation from Apps@Work, device users can review the app after they
have installed it. You can manage app reviews so that only the most current reviews for the latest app
version are visible to device users, for example. For any given app in the App Catalog, you can delete
individual reviews, or all reviews.
Managing app reviews involves the following main steps:
• "Enabling app review management" on the next page
• "Deleting app reviews for a managed app (Android, iOS, macOS)" on the next page
Enabling app review management
You enable the administrative management of app reviews by adding the Managing reviews option to the
App Management admin role.
This feature is available for Apps@Work on Android, iOS, and macOS devices only. You can manage
app reviews in the global device space only.
Procedure
1. In the Ivanti EPMM Admin Portal, select Admin > Admins.
2. Select the check box next to the name of the administrators for whom you wish to enable app review
management.
3. Select Actions > Edit Roles.
4. In the Edit Roles window, select App Management > Manage reviews.
5. Click Save.
Related topics
• "Deleting app reviews for a managed app (Android, iOS, macOS)" below
Deleting app reviews for a managed app (Android, iOS, macOS)
You can delete selected reviews of a managed app available on Apps@Work. For example, you can delete
one individual review, several reviews, or all reviews of a managed app.
This feature is available for Apps@Work on Android, iOS, and macOS devices only. You can manage
app reviews in the global device space only.
Before you begin
Enable app review management for the administrator users in the global space, as described in "Enabling
app review management" above.
Procedure
1. Go to Apps > App Catalog.
2. Select an app whose reviews you want to delete.
3. Select Actions > Manage Reviews.
A list of reviews for the app is shown in the Manage Reviews window. You can optionally sort the
reviews by date.
4. Select the review you want to delete.
5. Alternatively, select all the reviews for this app.
6. Click Delete.
Related topics
• "Enabling app review management" on the previous page
Enabling device users to submit app ideas through Apps@Work
You can enable device users to submit app ideas through Apps@Work by enabling a feedback icon in
Apps@Work. Tapping the feedback icon in Apps@Work opens a web page where users can enter their
thoughts and ideas about the apps they install through Apps@Work, or new apps they would like to have
available through Apps@Work.
When you enable this feature, you add the URL of the web page you want to display to users on tapping the
feedback icon.
Procedure
1. Select Apps > Apps@Work Settings.
2. Go to the App Storefront Feedback section.
3. Select Enable feedback.
4. In the text field that displays, enter the full URL of the page device users will use to provide feedback.
The URL must include the protocol, such as http:// or https://, for example:
https://www.example.com/appfeedback.
5. Click Save.
Setting the default landing page for Apps@Work
When opening Apps@Work, Apps@Work defaults to showing the last page visited. Instead, you can
configure Apps@Work to display the home page by default upon launching.
Procedure
1. Select Apps > Apps@Work Settings.
2. Go to the Apps@Work Launch Setting section.
3. Select Default to home screen.
4. Click Save.
Configuring popular apps for display in Apps@Work (Android, iOS, macOS)
The Popular Apps section in Apps@Work shows up to 25 App Catalog apps with the greatest number of
installations in descending order over the last 30, 60, or 90 days, or all time. Device users only see those
popular apps applied to labels to which they belong, regardless of whether they have installed these apps.
Popular apps are updated in Apps@Work every 60 minutes. Popular apps not available for download to a
given device will not be shown. Uninstalled apps are not counted or shown.
Procedure
1. Select Apps > Apps@Work Settings.
2. Go to the App Storefront Popular Apps section.
3. Select Enable Popular Apps.
4. From the Duration drop-down list, select one of the following options:
   • All Time
   • 30 days
   • 60 days
   • 90 days
5. Click Save.
Managing app categories (Android, iOS, macOS)
The Categories page allows you to create and manage app categories that are displayed in Apps@Work.
You can organize App Catalog apps into categories that are displayed in Apps@Work. For example, you can
assign all sales-related apps to the Sales app category, making it easy for salespeople to find the apps they
need to use in Apps@Work.
For each app category, Ivanti EPMM shows the number of apps assigned to that category and the order in
which the categories are displayed in Apps@Work.
Managing app categories involves the following tasks:
• "Adding an app category for Apps@Work (Android, iOS, macOS)" below
• "Editing or deleting an app category for Apps@Work (Android, iOS, macOS)" on the next page
• "Changing the display order of app categories in Apps@Work (Android, iOS, macOS)" on page 60
Before you begin
Make sure you have the correct permissions for managing app categories.
Procedure
1. Select Admin > Admins, then select the administrator user whose permissions you want to change.
2. Select Actions > Edit Roles.
3. Select App Management > Import and edit app.
4. Click Save.
Adding an app category for Apps@Work (Android, iOS, macOS)
You can create categories to help organize apps for display in Apps@Work. For each category, you can add
a name, description, and image.
Procedure
1. Select Apps > Categories.
2. Click Add+.
3. Configure the following:
   • Name: Enter a meaningful name for the app category.
   • Description: Enter a meaningful description for the app category.
   • Category Icon: Click Replace Icon to choose an image for the app category (JPEG, GIF, or PNG
     files only).
4. Click Save.
Related topics
• "Managing app categories (Android, iOS, macOS)" on the previous page
• "Editing or deleting an app category for Apps@Work (Android, iOS, macOS)" below
• "Changing the display order of app categories in Apps@Work (Android, iOS, macOS)" on the next
  page
Editing or deleting an app category for Apps@Work (Android, iOS, macOS)
You can edit or delete an existing app category from Apps@Work.
You can only delete an app category if there are no apps assigned to that category.
Procedure
1. Select Apps > Categories.
2. Select the category you want to edit or delete.
3. To edit a category, select Actions > Edit. Make the changes you desire and click Save.
4. To delete a category, select Actions > Delete.
Related topics
• "Managing app categories (Android, iOS, macOS)" on the previous page
• "Adding an app category for Apps@Work (Android, iOS, macOS)" on the previous page
• "Changing the display order of app categories in Apps@Work (Android, iOS, macOS)" on the next
  page
Changing the display order of app categories in Apps@Work (Android, iOS, macOS)
Given at least two app categories, you can change the order in which app categories are displayed in
Apps@Work.
Procedure
• Select Apps > Categories.
• Drag and drop a given category in the order you want it to appear.
Related topics
• "Managing app categories (Android, iOS, macOS)" on page 58
• "Adding an app category for Apps@Work (Android, iOS, macOS)" on page 58
• "Editing or deleting an app category for Apps@Work (Android, iOS, macOS)" on the previous page
Managing apps for iOS and macOS
This section addresses the management of apps for iOS and macOS devices.
• "Overview of working with apps for iOS devices" below
• "iOS managed app configuration" on page 66
• "Setting up Apps@Work for iOS and macOS" on page 78
• "Populating the iOS and macOS App Catalogs" on page 80
• "Setting per app VPN priority for iOS and macOS apps" on page 101
• "Per app VPN and the Tunnel app on iOS and macOS devices" on page 102
• "Removing iOS or macOS apps from the App Catalog" on page 105
• "Supporting Associated Domains" on page 104
• "Making iOS and macOS apps available to users in Apps@Work" on page 105
• "Mandatory and optional in-house and secure apps" on page 189
• "Managing installed iOS and macOS apps" on page 110
• "Editing iOS and macOS apps and app settings in the App Catalog" on page 115
• "Notifying users of new iOS and macOS apps or app updates" on page 119
• "Working with web applications for iOS and macOS" on page 124
• "Unmanaged to managed app conversion on iOS devices" on page 129
• "Apps@Work on the iOS or macOS device" on page 138
Overview of working with apps for iOS devices
If Ivanti EPMM has Apps@Work configured, then Ivanti EPMM installs an Apps@Work web clip on the
user’s device after registration is complete. The user will see the default Apps@Work web clip icon, or your
custom icon if you have customized the app store.
The device user taps this icon to access Apps@Work. Apps@Work shows lists of apps that you have
configured for download from the Apple App Store or Ivanti EPMM. These are called managed apps, as they
are managed by Ivanti EPMM.
The apps appear in these tabbed sections:
• Featured: The featured page lists all apps that the administrator designates as featured. These apps
  can include in-house, recommended, web, and prepaid apps.
• Categories: An app can be featured and listed under multiple categories. Uncategorized apps are
  displayed under the Uncategorized category. Only categories that have at least one app will appear
  on the user’s device.
• Updates: The updates page shows all in-house apps that have an available update. The Update All
  button allows the device user to update all apps at the same time.
Device users must use an iTunes account to download apps from the Apple App Store.
iOS managed apps
When iOS apps are managed apps on a device for which Ivanti EPMM is the Mobile Device Management
(MDM) server, the apps are called iOS managed apps. As the Ivanti EPMM administrator, you can control
whether an iOS managed app is backed up and whether the app is deleted when the MDM profile is
removed or the device is quarantined. Existing apps installed on a device can be converted to iOS managed
apps on devices running iOS 9.0 or newer versions. Device users running iOS 8.4 and earlier must delete
existing unmanaged apps on their devices and reinstall them as iOS managed apps.
You can also:
• Restrict document interaction between iOS managed apps and unmanaged apps.
  See “Restriction settings” in the Ivanti EPMM Device Management Guide.
• Provide app-specific configurations to iOS managed apps.
  See "iOS managed app configuration" on page 66.
Also, per Apple guidelines, Ivanti EPMM periodically checks the validity of iOS managed apps on iOS devices
running iOS 9.2.1 or newer versions.
iOS managed apps are not supported on MAM-only iOS devices.
Prerequisites for iOS managed apps
Complete app functionality, including updates to badges resulting from inventory data, requires:
• iOS MDM certificate (See “Enabling iOS MDM support” in the On-Premise Installation Guide for Ivanti
  EPMM and Enterprise Connector)
• iOS MDM profile enabled (Settings > System Settings > iOS > MDM)
If you intend to develop and manage in-house apps, an enterprise-level Apple Developer account is
required. For more information, see the Apple Developer site: https://developer.apple.com/.
AppConnect apps
You upload AppConnect iOSapps created with the AppConnect wrapping technology to the App Catalog as
in-house apps. AppConnect apps created with the SDK can be distributed as either in-house apps or
recommended public apps from the Apple App Store. The process for adding an AppConnect app to the
App Catalog is the same as for any iOS app.
When you upload an AppConnect iOSapp as an in-house app to the App Catalog, in some cases Ivanti
EPMM automatically creates an AppConnect container policy and AppConnect app configuration. Ivanti
EPMM takes this action when the app has specified its desired default values for the policy and
configuration in its IPA file. You can override these values by editing the app’s AppConnect container policy
or AppConnect app configuration. Ivanti EPMM keeps in sync the labels that you apply to the app and the
labels that you apply to the AppConnect container policy and AppConnect app configuration.
For information about AppConnect apps, see the AppConnect Guide for EPMM.
Apps@Work container app for iOS that displays badges for app updates
An unsigned Apps@Work container app is available for iOS. You can download, re-brand, and sign this app
if you want device users to see badges for app updates. The total number of updates available is shown in a
badge that displays on the Apps@Work icon.
This number includes updates, new installations, and unmanaged to managed app conversions for iOS
managed apps, featured apps, and in-house apps. Individual apps with new installations available will
display their own badges.
Apps@Work will only be badged if it is being pushed as a container app. The package is available as a
separate file in the Apps@Work Container App article in the Customer Support knowledge base in Ivanti
Community. You will need to click through a separate license agreement before being able to download the
file.
See the Ivanti Apps@Work Container for iOS tech note for information on implementing and distributing
this app.
The Ivanti AppConnect container app is not supported on MAM-only iOS devices.
Authentication options and iOS versions
Certificate-based app authentication is required with Ivanti EPMM 11.3.0.0 and supported newer versions.
• Certificate-based app authentication - this is the only available option from Ivanti EPMM 11.3.0.0
  and supported newer versions. App downloads proceed without routing end-users to the app page
  in iTunes (assuming an iTunes account has been properly configured on the device).
• HTTP basic authentication - this option is deprecated in Ivanti EPMM release 11.3.0.0 and newer
  versions, but it is still available in older releases. We recommend that you use certificate-based app
  authentication for better security. App downloads proceed without routing end-users to the app
  page in iTunes (assuming an iTunes account has been properly configured on the device). This
  method requires end users to enter their Ivanti EPMM user name and password to download apps.
The App Catalog
The App Catalog is a centralized location for the apps you want to manage for your users. By importing
apps to the App Catalog, you can make the apps available for users to download to their devices.
You can provide device users with links to recommended iOS apps on the Apple App Store, or links to
internally developed apps they can download from Ivanti EPMM using Apps@Work on their device.
FIGURE 1. APP CATALOG
You use the App Catalog to:
• Add, configure, and remove managed apps
• Install and uninstall managed apps to devices using labels
• Group apps into categories to be displayed in Apps@Work on the device
• Set the prerequisite app for a dependent app
• Indicate mandatory installation of prerequisite apps in Apps@Work
• Use Apple licenses
The App Catalog also allows you to view app details at a glance, such as the app name, size, the version
number of in-house apps, the labels to which the app is applied, the origins of the app (public or in-house),
and the number of devices to which the app is installed.
• Ivanti EPMM shows the version number of an app if the app developer assigned a version number to
  the app.
• Some App Catalog features are not available for MAM-only iOS devices, as described in "MAM-only
  iOS devices" on page 274.
The iBooks screen for iOS
The iBooks feature allows you to distribute iBooks, Kindle books (ePub), and PDF files to iOS devices
managed by Ivanti EPMM. You can also edit and delete managed books, and search for particular managed
books.
For more information about managing books on iOS devices, see the “Managed iBooks on iOS devices”
section in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
iBooks are not supported on MAM-only iOS devices.
iOS managed app configuration
An iOS managed app can automatically get its app-specific configuration from Ivanti EPMM, rather than
requiring the device user to enter the values in the app. Some examples of app-specific configuration are:
• User information
• Server information
• Whether particular features should be enabled
This feature results in easier app deployment and fewer support calls for you, and a better user experience
for the device user.
Ivanti EPMM supports iOS managed app configuration with two different mechanisms:
• "The Managed App Config setting that use plists" on the next page
• "Managed App Configuration settings for iOS apps in the App Catalog" on the next page
IMPORTANT: Both mechanisms use native iOS capabilities. iOS stores the configuration settings
unencrypted on the device. Therefore, do not provide sensitive information such as passwords or
private keys in managed app configuration values.
iOS managed app configuration is not supported on MAM-only iOS devices.
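Because managed app configuration values are stored unencrypted on the device, it is worth scanning a configuration plist for secrets before deploying it. The scanner below is an added example, not Ivanti code: the sample plist and its key names are constructed, and the name patterns go beyond the passwords and private keys named above to include tokens, secrets and API keys.

```python
"""Scan a managed app configuration plist for likely secrets (added example)."""
import plistlib
import re

# Constructed sample plist; key names and values are invented for illustration.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>serverURL</key><string>https://mail.corp.example</string>
    <key>userName</key><string>jdoe</string>
    <key>passwordRequired</key><true/>
    <key>servicePassword</key><string>constructed-not-a-real-password</string>
    <key>vpn</key>
    <dict>
        <key>identity</key>
        <string>-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----</string>
    </dict>
    <key>proxies</key>
    <array>
        <dict>
            <key>host</key><string>proxy.corp.example</string>
            <key>authToken</key><string>constructed-placeholder</string>
        </dict>
    </array>
</dict>
</plist>
"""

# Key names that usually hold credentials (assumed heuristic list).
SECRET_KEY_NAME = re.compile(
    r"password|passwd|passphrase|secret|private[_-]?key|token|api[_-]?key",
    re.IGNORECASE,
)
# PEM header of an unencrypted or encrypted private key.
PRIVATE_KEY_PEM = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

BY_NAME = "key name suggests a secret"
BY_VALUE = "value contains a PEM private key"


def scan(node, path=""):
    """Walk dicts and arrays, returning (path, reason) for each finding."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            # Only non-empty string or data values count: a boolean such as
            # passwordRequired=true is a policy flag, not a secret.
            if (SECRET_KEY_NAME.search(key)
                    and isinstance(value, (str, bytes)) and value):
                findings.append((child, BY_NAME))
            findings.extend(scan(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(scan(value, f"{path}[{index}]"))
    elif isinstance(node, (str, bytes)):
        text = node.decode("latin-1") if isinstance(node, bytes) else node
        if PRIVATE_KEY_PEM.search(text):
            findings.append((path, BY_VALUE))
    return findings


def scan_plist(data: bytes):
    return scan(plistlib.loads(data))


if __name__ == "__main__":
    for path, reason in scan_plist(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```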
The Managed App Config setting that use plists
The Managed App Config setting is one mechanism that Ivanti EPMM can use to provide configuration
settings to iOS managed apps. You create a Managed App Config setting in Policies & Configs >
Configurations > Add New > iOS and macOS > Managed App Config.
Using a Managed App Config setting requires an Ivanti EPMM license. For more information on this feature,
see “Managed App Config settings that use plists” in the Ivanti EPMM Device Management Guide for iOS and
macOS devices.
By default, a legacy Managed App Config setting is ignored if a Managed App Configuration setting
is available for the app in its App Catalog entry.
Related topics
• "Configuring the plist setting to take precedence over the iOS managed app configuration setting"
  on page 74
Managed App Configuration settings for iOS apps in the App Catalog
This mechanism supports the iOS managed app configuration defined in the AppConfig Community at
appconfig.org. Working with Ivanti EPMM, many registered Ivanti, Inc Technology Partners who are
deploying their apps to the Apple App Store support this mechanism to make their apps easier to deploy in
enterprises. This mechanism works as follows:
FIGURE 1. MANAGED APP CONFIGURATION FLOW
Using this mechanism makes it easy for you to configure an iOS managed app’s configuration on Ivanti
EPMM. Specifically:
• When you import the app into the App Catalog, Ivanti EPMM automatically retrieves the default app
  configuration for viewing and editing.
• You edit the values for the app configuration in the Ivanti EPMM Admin Portal in a graphical user
  interface.
• Depending on the app, the user interface includes descriptions about each field.
• You can create multiple app configurations, applying different labels to each app configuration.
  Multiple app configurations allow different sets of devices to receive different configuration values.
Refer to the app’s documentation to find out:
• Whether the app supports managed app configuration.
• More details on its specific configuration settings.
Ivanti EPMM supports this mechanism only for Apple App Store apps, not for in-house apps.
This topic includes the following sections:
• "Multiple app configurations per iOS app" below
• "Priorities of iOS app configurations" on page 71
• "Substitution variables for configuring iOS apps" on page 71
• "Changes to managed app configurations for iOS apps" on page 73
• App version updates and managed app configuration for iOS apps
• "Configuring the plist setting to take precedence over the iOS managed app configuration setting"
  on page 74
• "Adding a new managed app setting for an app" on page 75
• "Ivanti EPMM upgrade and iOS managed app configuration" on page 77
Multiple app configurations per iOS app
Ivanti EPMM allows you to create multiple app configurations per app:
• The default app configuration for the app is applied to devices with the same label that you applied
  to the app.
• Any additional app configurations that you create are applied to devices with the same labels that
  you specify for the additional app configuration.
Case study
Using multiple app configurations is useful when sets of users of the app require different configuration
values. For example, consider a Human Resources app that users throughout the United States use.
However, you want the app to connect to a different server depending on a user’s region:
• Users in the Eastern region must connect to a server in the east.
• Users in the Western region must connect to a server in the west.
• Users in the Northern and Southern regions connect to a server in St. Louis.
Therefore, do the following:
• Label the app with the Human Resources label.
• Create an app configuration that specifies the server in the east, and label the app configuration with
  the Eastern Region label.
• Create an app configuration that specifies the server in the west, and label the app configuration with
  the Western Region label.
• In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region
  label or the Western Region label will use this server.
App Configuration Choices for iOS public apps
Administrators can customize multiple app configurations, apply them to different labels, and determine the
configuration priorities based on the target device users' app usage needs.
Procedure
1. After adding a new app in the App Catalog, Edit the app.
2. In the Managed App Configuration section, select the Add+ button.
The New App Configuration dialog box opens.
3. Enter an App Configuration Name.
4. In the Source Type field, upload a .xml file.
5. In the Apply Labels to this Managed App Configuration section, search for or select your label(s) for
this configuration. See "All-Smartphones label" below.
6. When finished, select the Save button. The new configuration displays in the Managed App
Configuration table. If you want to make further changes, selecting the configuration link will open
the App Configuration dialog box.
7. Repeat the above steps for additional configurations. See "Copying configurations" below and
"Adding a new managed app setting for an app" on page 75.
8. In the Edit app page, select Save.
All-Smartphones label
In Edit mode of an app, in the Managed App Configuration section:
• In Ivanti EPMM 11.8.0.0 and lower, when the administrator saved the configuration, Ivanti EPMM
  added the All-Smartphones label by default. Not all configurations had to have a label, only the
  lowest-priority one.
• In Ivanti EPMM 11.9.0.0 and later, administrators can change the label. The last/lowest priority
  configuration must have a label, thus making it the default configuration. This means that the
  All-Smartphones label is not required on all configurations; the administrator can choose the relevant
  label.
  If the administrator added configurations one by one, always adding at the lowest priority instead of
  the highest, then each configuration will automatically have the All-Smartphones label. However, if
  the administrator added more than one configuration, the highest priority rows could be blank labels,
  and only the lowest priority configuration will be forced to have the All-Smartphones label.
Copying configurations
• In the Managed App Configuration section, selecting the Copy icon of the configuration will make a
  duplicate of the selected configuration with the prefix "Copy of" before the original configuration
  name.
• All settings of the copied configuration, including the labels, get copied.
Priorities of iOS app configurations
Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top
of the list of app configurations. The default configuration always has the lowest priority and appears at the
bottom of the list. Ivanti EPMM assigns a device the app configuration with the highest priority that has a
label that matches a label on the device.
In the table of configuration choices for the (edited) app, administrators can change the priorities of app
configurations by dragging and dropping the equal icon (=), located to the right of the Copy column. Move
the configuration up or down to change the priority or to reorder the list.
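The priority rule above, applied to the Human Resources case study, as an added example (not Ivanti code). It models only the rule stated in this guide: the highest-priority configuration sharing a label with the device wins. The device names, hostnames and the `AppConfig` class are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppConfig:
    name: str
    priority: int        # 1 is the highest priority (top of the list)
    labels: frozenset    # labels applied to this app configuration
    server: str          # the single configuration value used in the case study


def resolve(configs, device_labels):
    """Return the highest-priority configuration sharing a label with the device."""
    for config in sorted(configs, key=lambda c: c.priority):
        if config.labels & frozenset(device_labels):
            return config
    return None  # no label matches: the device gets no configuration for this app


def assignment_report(configs, devices):
    """Map each device to its resolved configuration and list configs nobody receives."""
    assigned = {}
    for device, labels in devices.items():
        match = resolve(configs, labels)
        assigned[device] = match.name if match else None
    used = set(assigned.values())
    unused = [c.name for c in sorted(configs, key=lambda c: c.priority)
              if c.name not in used]
    return assigned, unused


# Constructed data modelled on the Human Resources case study above.
HR, EAST, WEST = "Human Resources", "Eastern Region", "Western Region"
CASE_STUDY = [
    AppConfig("East", 1, frozenset({EAST}), "hr-east.example.com"),
    AppConfig("West", 2, frozenset({WEST}), "hr-west.example.com"),
    AppConfig("Default (St. Louis)", 3, frozenset({HR}), "hr-stl.example.com"),
]
# The same configurations with the broad Human Resources label dragged to the top:
# every HR device now matches it first, so the regional servers are never used.
MISORDERED = [
    AppConfig("Default (St. Louis)", 1, frozenset({HR}), "hr-stl.example.com"),
    AppConfig("East", 2, frozenset({EAST}), "hr-east.example.com"),
    AppConfig("West", 3, frozenset({WEST}), "hr-west.example.com"),
]
DEVICES = {
    "boston-ipad": {HR, EAST},
    "seattle-iphone": {HR, WEST},
    "dallas-iphone": {HR},
    "contractor-ipad": {"iOS"},
}

if __name__ == "__main__":
    for title, configs in (("case study", CASE_STUDY), ("misordered", MISORDERED)):
        assigned, unused = assignment_report(configs, DEVICES)
        print(title, assigned, "never assigned:", unused)
```

Running the report against an export of real device labels before reordering the list shows which configurations would stop being delivered.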
Substitution variables for configuring iOS apps
Substitution variables can be used for configuring values from LDAP or the Ivanti EPMM devices database,
such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when
editing app configurations by entering the substitution variable $NULL$ for those values.
You may use the following variables when configuring app configuration fields:
TABLE 6. SUBSTITUTION VARIABLES FOR CONFIGURING IOS APPS

| Substitution variable | More information | Sample of substituted value |
|---|---|---|
| $USERID$ | Login ID (email address format). Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only. | |
| $EMAIL$ | Email address. Use $MANAGED_APPLE_ID$ for Shared iPad devices and User Enrolled devices only. | |
| $EMAIL_DOMAIN$ | The domain part of the email address (part after the ‘@’) | myCompany.com |
| $EMAIL_LOCAL$ | The local part of the email address (part before the ‘@’) | jdoe |
| $PASSWORD$ | Use not recommended because the managed app configuration values are not encrypted on the device | |
| $FIRST_NAME$ | First name | Jane |
| $LAST_NAME$ | Last name | Doe |
| $DISPLAY_NAME$ | Display name | Jane Doe, CEO |
| $USER_DN$ | Distinguished Name | CN=Jane Doe, OU=NA,OU=Users, OU=XY, DC=myCompany, DC=com |
| $USER_UPN$ | The Microsoft userPrincipalName attribute | |
| $USER_LOCALE$ | Locale | en_US |
| $DEVICE_UUID$ | iOS Unique Device Identifier | c752e7052fe5e5ca8166e408c4b48573b5b5bd82 |
| $DEVICE_UUID_NO_DASHES$ | | |
| $DEVICE_IMSI$ | International Mobile Subscriber Identity | 310150123456789 |
| $DEVICE_IMEI$ | International Mobile Equipment Identity | 01 342300 291808 3 |
| $DEVICE_SN$ | Serial Number | DNRJVLP7DTTN |
| $DEVICE_ID$ | Mobile Equipment Identifier | A0123456789012 |
| $DEVICE_MAC$ | Wi-Fi MAC Address | 30:f7:c5:87:e8:78 |
| $DEVICE_CLIENT_ID$ | Unique device identifier | 1073741831 |
| $MODEL$ | Device model | iPhone 6 |
| $PHONE_NUMBER$ | Device phone number | 888-555-1212 |
| $USER_CUSTOM1$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings. |
| $USER_CUSTOM2$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings. |
| $USER_CUSTOM3$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings. |
| $USER_CUSTOM4$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings. |
| $CN$ | Common Name (CN) attribute extracted from the distinguished name | Jane Doe |
| $OU$ | Organizational Unit (OU) attribute extracted from the distinguished name | XY |
| $ICCID$ | Integrated Circuit Card Identifier | 89014104254287052057 |
| $SAM_ACCOUNT_NAME$ | The Microsoft sAMAccountName attribute | jdoe |
| $MI_APPSTORE_URL$ | The URL of the Ivanti EPMM app store, as accessed by the Apps@Work web clip | https://myCore.mycompany.com/mifs/asfV3/appstore?clientid=$DEVICE_CLIENT_ID$&vspver=9.3.0.0 |
| $REALM$ | The domain component of an LDAP entry | mycompany.com |
| $TIMESTAMP_MS$ | Unix time stamp of when Ivanti EPMM sends the managed app configuration to the device | 1485992717498 |
| $NULL$ | An empty string. Use this variable to prevent the repopulation of deleted default values. | <no value> |
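Because managed app configuration values are stored unencrypted on the device, it helps to review a configuration before it is pushed. The following added example (not Ivanti code) audits a managed app configuration plist for `$PASSWORD$`, for literal values under secret-looking keys, for private key material, and for substitution variables that are not in Table 6. The sample plist, its key names and the key-name heuristics are constructed assumptions.

```python
import plistlib
import re

# Variables listed in Table 6 of this guide, plus $MANAGED_APPLE_ID$, which the
# table names for Shared iPad and User Enrolled devices.
KNOWN_VARIABLES = {
    "USERID", "EMAIL", "EMAIL_DOMAIN", "EMAIL_LOCAL", "PASSWORD", "FIRST_NAME",
    "LAST_NAME", "DISPLAY_NAME", "USER_DN", "USER_UPN", "USER_LOCALE",
    "DEVICE_UUID", "DEVICE_UUID_NO_DASHES", "DEVICE_IMSI", "DEVICE_IMEI",
    "DEVICE_SN", "DEVICE_ID", "DEVICE_MAC", "DEVICE_CLIENT_ID", "MODEL",
    "PHONE_NUMBER", "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3",
    "USER_CUSTOM4", "CN", "OU", "ICCID", "SAM_ACCOUNT_NAME", "MI_APPSTORE_URL",
    "REALM", "TIMESTAMP_MS", "NULL", "MANAGED_APPLE_ID",
}
SENSITIVE_VARIABLES = {"PASSWORD"}  # the guide advises against using it

VARIABLE_RE = re.compile(r"\$([A-Z0-9_]+)\$")
# Heuristic for key names that usually hold secrets (an assumption, tune per app).
SECRET_KEY_RE = re.compile(
    r"passw(or)?d|passphrase|secret|token|api[_-]?key|private[_-]?key", re.I)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _walk(node, path=""):
    """Yield (path, leaf_value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_managed_app_config(plist_bytes):
    """Return a list of (path, finding, detail) tuples; empty means nothing flagged."""
    findings = []
    for path, value in _walk(plistlib.loads(plist_bytes)):
        text = value if isinstance(value, str) else ""
        key_name = path.rsplit("/", 1)[-1]
        variables = VARIABLE_RE.findall(text)
        for name in variables:
            if name in SENSITIVE_VARIABLES:
                findings.append((path, "sensitive-variable", f"${name}$"))
            elif name not in KNOWN_VARIABLES:
                # Likely a typo: it would reach the device as literal text.
                findings.append((path, "unknown-variable", f"${name}$"))
        if PEM_RE.search(text):
            findings.append((path, "private-key-material", "PEM private key"))
        elif SECRET_KEY_RE.search(key_name) and text and not variables:
            # Never echo the value itself into the report.
            findings.append((path, "secret-like-key", "literal value"))
    return findings


# Constructed sample configuration; keys and values are illustrative only.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>serverURL</key><string>https://hr.example.com</string>
  <key>userEmail</key><string>$EMAIL$</string>
  <key>userPassword</key><string>$PASSWORD$</string>
  <key>apiToken</key><string>constructed-not-a-real-token</string>
  <key>displayName</key><string>$DISPLAYNAME$</string>
  <key>proxyHost</key><string>$NULL$</string>
  <key>enableSync</key><true/>
</dict>
</plist>"""

if __name__ == "__main__":
    for finding in audit_managed_app_config(SAMPLE_PLIST):
        print(*finding, sep="\t")
```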
Changes to managed app configurations for iOS apps
For iOS apps, when the app data is in View or Edit mode, Ivanti EPMM loads the latest managed app schema
from the AppConfig repository and displays the latest fields (including any new fields) in the “Managed App
Configurations” section in the UI. Ivanti, Inc recommends that before saving the changes, you first carefully
inspect the updated managed app configuration. Once you select Proceed and select Confirm, the updated
managed app configuration settings are saved and the changes are pushed out to all associated devices,
including Shared iPad devices.
When you change the values for the app configuration of an app in the App Catalog, either one or two
device check-ins are necessary for the device to receive the new values from Ivanti EPMM. If the iOS MDM
terminates the connection between the device and Ivanti EPMM before Ivanti EPMM can deliver the update,
a second device check-in may be necessary.
App version updates and managed app configuration for iOS apps
When you update an app in the App Catalog on Ivanti EPMM to a newer version, the new version sometimes
has an updated managed app configuration. However, Ivanti EPMM does not push the updated managed
app configuration until you edit and save the app in the App Catalog. Until that time, devices that upgrade
to the new version of the app still receive the older version of the app configuration. Because a new version
of an app is typically backward compatible with the older app configuration, the app will still run
successfully. However, the app will not use any new features that the updated app configuration provides.
Configuring the plist setting to take precedence over the iOS managed app configuration setting
Consider the case in which both of the following are true:
• Ivanti EPMM has retrieved the managed app configuration for an app.
• A Managed App Config setting with a plist exists for the app.
By default, the managed app configuration included with the app overrides the Managed App Config
setting with a plist. However, you can specify that the Managed App Config setting with a plist should
override the managed app configuration with the following procedure.
Before you begin
Make sure you have created a Managed App Config setting with a plist and assigned the necessary labels to
it. See “Managed App Config settings that use plists” in the Ivanti EPMM Device Management Guide for iOS
and macOS devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select the app.
3. Select Edit.
4. In the Managed App Configurations section, select Use the .plist file uploaded in a Managed
App Config Setting instead of these Managed App Configurations.
5. Select Save.
If no Managed App Config setting is applied to the device, the app still uses the default managed
app configuration in the App Catalog entry.
Adding a new managed app setting for an app
In addition to the default managed app configuration, you can add managed app settings from the
AppConfig community or by uploading an XML file. The settings in the new managed app configuration can
be edited in the Ivanti EPMM Admin Portal. You add new managed app settings for an app by editing the
app in the Ivanti EPMM Admin Portal.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select the app.
3. Select Edit.
4. In the Managed App Configurations section, for Customize and prioritize app configurations
based on app usage, select Add.
5. Enter a name for the managed app configuration.
6. For Source Type, select one of the following:
   • AppConfig Community: This option is available only if the app has an app configuration
     available in the AppConfig community repository. If the configuration is available, the option is
     selected by default.
   • Upload .xml spec: Select the option to upload an XML schema to push a particular set of app
     configurations.
7. If your source type is Upload .xml spec, do one of the following:
   • Drag and drop the .xml file into the dotted box.
   • Select Choose File to navigate to the location and upload the .xml file.
Ensure that the .xml file contains the version and bundle ID for the app, and that the bundle
ID in the .xml file matches the bundle ID for the app. An error message displays if the bundle
ID in the file does not match with the bundle ID of the app.
8. Scroll down and select a label to apply the configuration.
9. Select Add.
The new managed app configuration displays in the Managed App Configurations section.
FIGURE 2. ADD MANAGED APP CONFIGURATION
10. Update the configuration fields as needed.
   • The configuration fields are populated with the values available in the .xml file. If the XML file does
     not contain any default values, an empty configuration will get pushed to devices. Therefore,
     check the configuration values and update as needed.
   • Selecting the Copy icon of the configuration will make a duplicate of the selected configuration
     with the prefix "Copy of" before the original configuration name.
   • In the column to the right of the Copy column, administrators can drag the equal icon (=) and
     move it up or down to change the priority or to reorder the list.
   • To display a notification when the application is terminated by the device user, set the application
     to do one of the following:
     ◦ Default notification - Ensure that device users stay connected with the App to keep their
       device secured by setting the following values in the Managed App configuration:
       ◦ Key - enableAppTerminationNotification
       ◦ Value - 0 or 1
       ◦ Type - Boolean
     ◦ Custom notification - Add the following values to the Managed App configuration:
       ◦ Key - appTerminationNotificationMessage (The key is ignored if
         enableAppTerminationNotification is absent or has a value of 0.)
       ◦ Value - Custom notification
       ◦ Type - String
11. Select Save.
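A pre-upload check for the .xml spec used in this procedure, as an added example (not Ivanti code). It assumes the AppConfig Community spec layout: a `managedAppConfiguration` root with `version`, `bundleId` and a `dict` of typed settings carrying `keyName` and `defaultValue/value`. The sample specs and the bundle ID `com.example.hrapp` are constructed.

```python
import xml.etree.ElementTree as ET

# Values treated as "notification disabled" for enableAppTerminationNotification.
DISABLED = {"", "0", "false"}


def check_spec(xml_bytes, expected_bundle_id):
    """Return (problems, defaults) for an AppConfig-style XML spec."""
    # A spec needs no DTD; declining to parse one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["spec declares a DTD or entities; not parsed"], {}
    root = ET.fromstring(xml_bytes)
    if root.tag != "managedAppConfiguration":
        return [f"unexpected root element <{root.tag}>"], {}

    problems = []
    version = (root.findtext("version") or "").strip()
    bundle_id = (root.findtext("bundleId") or "").strip()
    if not version:
        problems.append("missing <version>")
    if not bundle_id:
        problems.append("missing <bundleId>")
    elif bundle_id != expected_bundle_id:
        problems.append(f"bundle ID {bundle_id} does not match app {expected_bundle_id}")

    # Collect the default value of every setting in the <dict> element.
    defaults = {}
    settings = root.find("dict")
    for setting in (settings if settings is not None else []):
        value = setting.findtext("defaultValue/value")
        defaults[setting.get("keyName")] = (value or "").strip()

    if not any(defaults.values()):
        problems.append("no default values: an empty configuration would be pushed")
    else:
        blank = [key for key, value in defaults.items() if not value]
        if blank:
            problems.append("no default value for: " + ", ".join(blank))

    # The custom message is ignored unless the enable flag is present and not 0.
    if "appTerminationNotificationMessage" in defaults:
        flag = defaults.get("enableAppTerminationNotification", "").lower()
        if flag in DISABLED:
            problems.append("appTerminationNotificationMessage is ignored: "
                            "enableAppTerminationNotification is absent or 0")
    return problems, defaults


# Constructed sample specs.
GOOD_SPEC = b"""<?xml version="1.0" encoding="UTF-8"?>
<managedAppConfiguration>
  <version>1</version>
  <bundleId>com.example.hrapp</bundleId>
  <dict>
    <string keyName="serverURL">
      <defaultValue><value>https://hr-stl.example.com</value></defaultValue>
    </string>
    <boolean keyName="enableAppTerminationNotification">
      <defaultValue><value>1</value></defaultValue>
    </boolean>
    <string keyName="appTerminationNotificationMessage">
      <defaultValue><value>Reopen the app to stay protected</value></defaultValue>
    </string>
  </dict>
</managedAppConfiguration>"""

BAD_SPEC = b"""<?xml version="1.0" encoding="UTF-8"?>
<managedAppConfiguration>
  <bundleId>com.example.other</bundleId>
  <dict>
    <string keyName="serverURL"/>
    <string keyName="appTerminationNotificationMessage">
      <defaultValue><value>Reopen the app to stay protected</value></defaultValue>
    </string>
  </dict>
</managedAppConfiguration>"""

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        problems, _ = check_spec(spec, "com.example.hrapp")
        print(name, problems or "ok")
```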
Ivanti EPMM upgrade and iOS managed app configuration
Consider the case where:
• You upgraded to this version of Ivanti EPMM from a version of Ivanti EPMM that did not support
  managed app configuration, and
• An app was already in the App Catalog before the upgrade.
After the upgrade, Ivanti EPMM does not immediately retrieve the app’s managed app configuration. Ivanti
EPMM retrieves it when you edit the app in the App Catalog.
Setting up Apps@Work for iOS and macOS
iOS device users cannot use Apps@Work by default. You must first set up Apps@Work for iOS by
completing the following tasks:
1. Set authentication options.
See "Setting authentication options for Apps@Work for iOS devices" below.
2. Optionally, customize the icon for Apps@Work.
See "Apps@Work branding" on page 49.
3. Optionally, enable users to rate Apps@Work apps.
See "Enabling device users to rate and review apps in Apps@Work" on the next page.
4. Send the Apps@Work web clip to iOS devices.
See "Sending the Apps@Work web clip to iOS and macOS devices" on the next page.
If you do not complete this step, then iOS devices will not have access to Apps@Work.
Note the following:
• Because the Apps@Work web clip is deployed like any other configuration, there might be a
  considerable lag between device registration and the appearance of the web clip.
• As a web clip, Apps@Work is impacted by web content filters, available in supervised devices. Make
  sure your web content filters do not block access to Ivanti EPMM. If Ivanti EPMM access is blocked,
  Apps@Work cannot work. For more information, see “Web content filter settings” in the Ivanti EPMM
  Device Management Guide.
Setting authentication options for Apps@Work for iOS devices
By default, certificate-based authentication is enabled. Releases prior to Ivanti Endpoint Manager Mobile
11.7.0.0 also have HTTP basic authentication available, but enabling it is not recommended. This setting
applies to both the Apps@Work iOS web clip and the Apps@Work container app for iOS.
Change the Apps@Work Port setting in the System Manager if all of the following are true:
• You are using certificate-based authentication for Apps@Work for iOS.
• You have enabled mutual authentication for devices at Settings > System Settings > Security >
  Certificate Authentication.
• You are using the iOS Apps@Work web clip.
To change the Apps@Work Port setting, see "Port Settings" in the Ivanti EPMM System Manager Guide.
Related topics
• “Enabling mutual authentication for Apple and Android devices” in Ivanti EPMM Device Management
  Guide for iOS and macOS devices
• "Port Settings" in the Ivanti EPMM System Manager Guide.
• "Apps@Work in Ivanti Mobile@Work for Android" on page 195
Enabling device users to rate and review apps in Apps@Work
You can optionally allow users to rate and review the apps you push to Apps@Work.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > Apps@Work Settings.
2. Under App Storefront Reviews and Ratings, select Enable Ratings and Reviews for iOS, macOS
and Android.
3. Click Save.
Related topics
"Malware prevention: app reputation" on page 46
Sending the Apps@Work web clip to iOS and macOS devices
Ivanti EPMM sends the Apps@Work web clip to iOS and macOS devices only after you assign the iOS and
macOS labels to the web clip, respectively.
On iOS and macOS devices, the Apps@Work web clip is only supported on the Safari web browser.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Select the WEBCLIP configuration type called System - iOS Enterprise AppStore.
3. Go to Actions > Apply to Label.
4. Select the iOS or the macOS label, or both.
5. Click Apply.
Ivanti EPMM automatically applies the iOS and macOS labels to the System - iOS Enterprise
AppStore SCEP setting, enabling Apps@Work to authenticate with Ivanti EPMM.
The Target Bundle Identifier in the above configuration is applicable to all other webclips
except Apps@Work.
Populating the iOS and macOS App Catalogs
You can search for iOS apps on the Apple App Store and add them to the App Catalog. You can also add
your own in-house apps for iOS and macOS.
You can add apps to the App Catalog as follows:
• Search for and import App Store apps for iOS.
  "Manually importing iOS apps from the Apple App Store" on page 82
• Use the app wizard to add apps from the iOS and macOS App Store.
  "Using the wizard to import iOS apps from the Apple App Store" on page 84
• Add in-house apps for iOS and macOS.
  See "Using the wizard to add an in-house iOS or macOS app to the App Catalog" on page 96 and
  "Using the wizard to add an in-house macOS bundled app to the App Catalog" on page 97.
• "Adding new versions of an existing iOS or macOS app" on page 100
You can also remove iOS and macOS apps from the App Catalog, as described in this section.
Before you begin populating the App Catalog with in-house apps, you may find it useful to understand
provisioning profiles, which allow apps to function (see "Provisioning profiles for in-house iOS apps" on the
next page).
macOS apps
Currently, Apple does not support managed applications on macOS devices. You can, however, distribute
Apple Licenses, macOS apps, in-house macOS apps, and web applications to macOS devices.
Related topics
• "App management action workflows" on page 40
• "Working with web applications for iOS and macOS" on page 124
• "Using Apple licenses" on page 142
• "Using the wizard to add an in-house iOS or macOS app to the App Catalog" on page 96
Provisioning profiles for in-house iOS apps
You can distinguish app-specific provisioning profiles from wildcard provisioning profiles by examining the
application identifier key value in the provisioning profile. App-specific provisioning profiles indicate the
app in particular, whereas wildcard provisioning profiles have an asterisk, indicating a match with more than
one app.
For example, the following application identifier key value indicates the provisioning profile is specific to an
app signed by example.com:
<key>application-identifier</key>
<string>A1B2C3D4E5.com.example.webcontainer</string>
Conversely, the following application identifier key value indicates the provisioning profile is a wildcard
profile, matching more than one app:
<key>application-identifier</key>
<string>A1B2C3D4E5.*</string>
When adding in-house iOS apps to the App Catalog, the UI will indicate if the provisioning profile is expired,
and therefore needs replacing.
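The distinction above can be checked before upload. This added example (not Ivanti code) carves the property list out of a provisioning profile, reads the application identifier, and reports whether the profile is a wildcard and whether it has expired. It relies on the standard profile layout, where `application-identifier` sits under `Entitlements` next to a top-level `ExpirationDate`; the sample profiles are constructed and the container signature is not verified.

```python
import plistlib
from datetime import datetime


def extract_profile_plist(profile_bytes):
    """Carve the XML plist out of a profile's signed container (signature not checked)."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded property list found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify_profile(profile_bytes, now):
    """Summarise a profile; `now` is a naive UTC datetime, as plistlib returns dates."""
    profile = extract_profile_plist(profile_bytes)
    app_id = profile["Entitlements"]["application-identifier"]
    # The identifier is "<prefix>.<bundle ID or pattern>", e.g. A1B2C3D4E5.com.example.app
    prefix, _, pattern = app_id.partition(".")
    return {
        "prefix": prefix,
        "pattern": pattern,
        "wildcard": pattern.endswith("*"),
        "expired": profile["ExpirationDate"] <= now,
    }


def covers(pattern, bundle_id):
    """True if a profile with this pattern applies to the given bundle ID."""
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def _constructed_profile(app_id, expires):
    """Build a stand-in profile: a plist wrapped in placeholder container bytes."""
    body = plistlib.dumps({
        "Name": "Constructed sample profile",
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": app_id},
    })
    return b"\x30\x82\x0c\x00" + body + b"\x31\x82\x01\x00"


# Constructed samples using the identifiers shown above.
APP_SPECIFIC = _constructed_profile(
    "A1B2C3D4E5.com.example.webcontainer", datetime(2023, 6, 30))
WILDCARD = _constructed_profile("A1B2C3D4E5.*", datetime(2030, 1, 1))

if __name__ == "__main__":
    today = datetime(2023, 11, 1)
    for name, blob in (("app-specific", APP_SPECIFIC), ("wildcard", WILDCARD)):
        print(name, classify_profile(blob, today))
```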
If you need to update the provisioning profile for an app, keep in mind the following rules:
TABLE 1. PROVISIONING PROFILE TYPES FOR APPS

| Provisioning profile type | Action | Result |
|---|---|---|
| App-specific | Update expired profile | Profile updated |
| Wildcard (*) | Update expired profile | New provisioning profile added |
| App-specific | New profile uploaded to replace expired profile | Ivanti EPMM removes the label from the app used with the expired provisioning profile (using a daily background job configured in the common.properties file). |
| Wildcard (*) | Profile matches an app name or UUID | Existing provisioning profile is attached to the app, and labels applied to the profile are also applied to the app. |
| Wildcard (*) | Profile does not match an app name or UUID | Ivanti EPMM adds a new provisioning profile to the app, and applies to the app those labels applied to the profile. |
For information about adding iOS app provisioning profiles to Ivanti EPMM using the Ivanti EPMM Admin
Portal, see “Provisioning profile settings” in the chapter “Managing Device Settings with Configurations” in
the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Manually importing iOS apps from the Apple App Store
You can manually import iOS apps from the Apple App Store directly into the App Catalog on Ivanti EPMM using
Quick Import. This import configures the app with default app settings. You can later edit the app settings.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click the Quick Import button.
3. Select iOS from the drop-down.
4. In the Application Name field, enter search text.
iTunes matches the text against app names, app IDs, app authors, and app descriptions.
5. From the App Store drop-down list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 50. You can enter a number between 0 and 200.
7. Click Search.
The matching apps display.
FIGURE 1. SEARCH RESULTS IN APP STORE SEARCH
8. Click the Import or Re-import link for an app to import the relevant information.
Import indicates an app that does not yet exist in the App Catalog.
Re-import indicates an app that exists in the App Catalog, which can be re-imported. A newer
version may or may not be available from the Apple App Store.
You can import or update more than one app from the search results. Alternatively, you can run
another search in the same dialog and import additional apps that way.
9. Close the dialog box by clicking OK.
The app displays in the App Catalog.
10. Click the application name to view the app details.
11. Click Edit to change the app settings.
12. Make any necessary changes to the default settings. The settings are described in detail in "Using the
wizard to import iOS apps from the Apple App Store" on the next page.
When you import recommended apps from the Apple App Store that use licenses, clear the This
App Store App is Free check box. This allows the device user to successfully download the app
user licenses.
13. To apply a category, see "Creating or changing a category for iOS and macOS apps" on page 118.
14. To set per app VPN priority, see "Setting per app VPN priority for iOS and macOS apps" on page 101.
Per app VPN settings are not supported for iOS apps when Ivanti EPMM is configured for MAM-only
iOS devices.
15. To set managed app configurations, modify the default configuration settings as required by your
environment. This section displays only for apps which support managed app configuration.
Optionally, click Add+ to create alternative configuration settings with different values to apply to
different devices based on labels.
See "Managed App Configuration settings for iOS apps in the App Catalog" on page 67.
Managed app configuration settings are not supported for iOS apps when Ivanti EPMM is
configured for MAM-only iOS devices.
16. Click Save.
17. Click the Back to list link to return to the App Catalog.
18. Select the app.
19. Click Actions > Apply To Label to set a label to the app in Apps@Work for devices associated with
the label you select.
Related topics
"Using the wizard to import iOS apps from the Apple App Store" below
Using the wizard to import iOS apps from the Apple App Store
You can use the Add App Wizard to import and configure iOS App Store apps in the App Catalog (rather
than accept the default app settings). When the wizard finishes running, the apps are ready to be applied to
labels and sent to Apps@Work as necessary.
Although some settings listed here are supported by macOS apps, you cannot import public macOS
apps directly into the App Catalog. Instead, use Apple Licenses to import macOS-licensed apps into
Ivanti EPMM. You can also import in-house apps for macOS. However, you can still edit certain
settings for macOS apps in Ivanti EPMM that are managed by Apple Licenses. These settings are
noted in the following procedure.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS from the Platform list.
3. Click Add+.
4. Click iTunes.
5. To search for an app to import:
a. Enter the name of the app or its iTunes ID. See "Getting the iTunes app ID" on page 94 for
detailed instructions for getting the ID.
b. From the App Store drop-down list, select the App Store country.
c. Enter a limit for the number of search results (50 by default).
d. Click Search.
6. Select the app from the search results list.
7. Click Next. The Describe page displays.
8. Use the following guidelines to complete this screen:
| Item | Description |
|---|---|
| Application Name | Required. Shows the name of the app. You can edit this field only if you opted to manually provide all app details. The app name can be up to 255 characters long. |
| Min. OS Version | Indicates the minimum version of iOS the app can support. This field is only displayed if the .ipa file of the app you are importing includes a minimum OS version number. Required. This field is not displayed for macOS apps. |
| Display Version | Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable. |
| Code Version | Displays the version defined for the package. This item is not editable. |
| Developer | Shows the name of the app developer. You can edit this field only if you opted to manually provide all app details. |
| Description | Enter any additional text that helps describe what the app is for. Device users can see this text in Apps@Work. |
| iPad Only | Indicates whether the app is designed only for iPad devices. This ensures that the app is not displayed in Apps@Work for other iOS devices. You can edit this field only if you opted to manually provide all app details. This field is not displayed for macOS apps. |
| Provisioning Profile | Auto-populated. A provisioning profile is a file containing verification information for an app. Apps are not usable on iOS without a current provisioning profile. There are two types of provisioning profile: app-specific, and wildcard, which works for more than one app. Provisioning profiles are required for distributing in-house apps through the Ivanti EPMM Admin Portal. For more information, see "Provisioning Profile settings" in the Ivanti EPMM Device Management Guide for iOS and macOS devices. |
| Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. a. Click Add New Category to define new categories. b. Enter a category Name (up to 64 characters). c. Enter a Description (up to 255 characters). d. In the Category Icon section, click the Replace Icon button. Browse and select an icon that will represent this Category. e. Click Save. |
9. Click Next.
10. Use the following guidelines to complete this screen:
Item: Description
Use Global App Config Settings Policy: Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Apps@Work Catalog
This is a Free App: Selected by default, this indicates free recommended Apple App Store apps. iOS allows Managed App features to be applied to free apps and apps purchased with Apple License credits, but not to apps paid for by the user. Specifying whether the app is free ensures successful download of apps that require user payment.
When importing recommended apps that use licenses, uncheck the This App Store App is Free option. This allows the device user to successfully download the app using licenses.
Hide this App from the Apps@Work catalog: Select to prevent this app from being displayed in Apps@Work. For example, you might want to hide apps that will be installed upon registration anyway. Hiding a mandatory app reduces clutter in Apps@Work, leaving device users with a concise menu of the approved apps they might find useful.
Feature this App in the Apps@Work Catalog: Select if you want to highlight this app in the Featured apps list.
Featured Banner: Select to add the app to the featured banner at the top of the Apps@Work home screen on devices. Additional options display:
• Short Description - Enter a short description that will display in the banner. The Preview will display what it will look like on the client.
• Banner Style - Select the Light Banner Style option. You can see what your banner will look like in the Preview. The Dark, Blue, Green and Orange options will work in a later release.
• Allow app downloads over insecure networks - Select the check box if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS. Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.
• Override URL - If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which apps are stored. See "Override for in-house app URLs" on page 44 for the requirements for this configuration before using it.
When tapping the banner, device users see the details of the featured app. Add as many apps as you like to the featured banner, but the featured banner will only display the five most recent apps added to the featured banner. Apps in the featured banner are rotated every five seconds.
Disable App Delivery Network for this App: Selected by default, this field only displays when administrators have enabled CDN in Ivanti EPMM. Applicable to in-house apps only.
App Icon: Required. The app icon is automatically extracted from the IPA file. The file must be in PNG format. Click Replace Icon to replace the icon.
iPhone Screenshots: Click Upload to add an iPhone screenshot. Select up to twelve optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format, with a minimum size of 320x480 pixels or 480x320 pixels, and a maximum size of 4096x4096 pixels. Click Remove to delete a screenshot.
The display of rotated screenshots in the Ivanti EPMM Admin Portal might not be consistent with the display on devices.
iPad Screenshots: Click Upload to add a screenshot. Select up to twelve optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format. Each file must have a minimum size of 1024x768 or 768x1024 pixels, and a maximum size of 4096x4096 pixels. Click Remove to delete a screenshot.
For macOS apps, follow the instructions for iPad Screenshots.
11. Click Next.
12. Use the following guidelines to complete this screen:
Item: Description
Data Protection Required: Be aware that if Data Protection Required is enabled, users on devices with no passcode set will not see this or any other lower versions of this app on Apps@Work. Devices with no passcode set will not get this app installed on registration or converted from unmanaged to managed, if applicable.
Per App VPN Settings
Per App VPN by Label Only: To apply a Per-App VPN by Label Only for this application, keep this option checked and then select one of the pre-configured Per-App VPNs listed in the VPN Selection section below. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default.
Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
This feature is not currently supported on macOS devices.
VPN selection: In the left-hand column, select the VPN setting you created for per app VPN, and click the right arrow to move it to the set of selected VPNs in the right-hand column. If the app will use Tunnel, select the Tunnel VPN setting you created. You can select multiple per app VPN settings.
To reorder the selected per app VPN configurations in the right-hand column, use the up and down arrows to sort the names in the list.
See VPN settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices for information on creating a per app VPN or Tunnel VPN setting.
This feature is not currently supported on macOS devices.
Per app VPN settings are not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
License Required: Per-App VPN is supported only in iOS 7.0 and later and macOS 10.9 and later. Per-App VPN type IKEv2 (for iOS) is only supported in iOS 9.0 and above.
DNS Proxy Filter Setting
As the Ivanti EPMM administrator, you can configure DNS Proxy settings using the DNS Proxy Configuration for users of iPhone and iPad devices. You can use the DNS Proxy payload to specify the application that provides the DNS proxy network extension and other vendor-specific values.
See "Setting DNS proxy for iOS and macOS apps" on page 103.
See also: Creating DNS Proxy Configurations in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Associated Domains (iOS 13 and later)
Applicable to MDM devices only. Connections to servers within one of these domains are associated with the per-app VPN.
1. Enter the URL of the Associated Domain and any Description.
2. Select the Add+ button.
Managed App Settings
Prevent backup of the app data: Select to ensure that iTunes will not attempt to back up possibly sensitive data associated with the given app.
This setting is not displayed for macOS apps. It is also not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
Remove app when device is quarantined or signed out: Select to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode.
To enable this feature, you must also configure a corresponding compliance action, and security policy with that compliance action selected. Once the device is no longer quarantined, the app can be downloaded again.
• If you change the setting after the app is added, the changed setting will not be applied to the app.
• This setting is not displayed for macOS apps. It is also not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
For more information, see "Using Secure Sign-In and Sign-Out" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Send installation request on device registration or sign in: Select to send an installation request upon device registration or sign-in. If the app is already installed on the device, Ivanti EPMM will do nothing. Deselected by default.
If you selected Await device configuration during Apple device enrollment in the Enrollment profile, then Select installation request on device registration or sign in must also be selected.
For User Enrollment and Shared iPad devices for Apple Business Manager, this field will only send installation request on device registration or sign-in. Only Apple-licensed apps are sent to Shared iPad devices through registration. For more information, see the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Send installation request to quarantine devices: Select to send an installation request to quarantine devices. Deselected by default.
Send convert unmanaged to managed app request on device registration or sign-in (iOS 9 or later): Select this option to allow administrators to specify if the app can be converted during an installation request sent on device registration or sign-in, or check-in. Also allows device users to convert the app in Apps@Work from unmanaged to managed without having to uninstall and reinstall the app. Prompts unsupervised devices to accept the conversion, and silently updates supervised iOS 9 or later devices.
If the app is already installed as an unmanaged app, the app will be converted to an iOS managed app.
This setting is not selected by default.
• This setting is not displayed for macOS apps. It is also not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
• With this setting selected, an MDM profile re-push will cause apps to be re-installed.
User Enrollment cannot convert unmanaged to managed apps. See Ivanti EPMM Device Management Guide for iOS and macOS devices for more information.
Send convert unmanaged to managed app request to quarantine devices (iOS 9 or later): Select this option to enable the following on quarantined devices (for iOS apps only):
• Prompt the device user to install the app.
• If the app is already installed as an unmanaged app, convert the app to an iOS managed app.
• These settings are applied even if a compliance action blocks new app downloads for a quarantined device.
• This setting is not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
Enforce conversion from unmanaged to managed app (iOS 9 or later): Every hour, Ivanti EPMM reviews all the devices that had last checked-in for any unmanaged apps and, if applicable, sends the unmanaged to managed app conversion request to that device. If there is an unmanaged app installed on the device, device users will not immediately get the prompt for change management.
Also applicable if the app is unmanaged on an iOS 9 and later device and the app is enabled to allow conversion.
Advanced Settings
Remove app when MDM profile is removed: Select this option to remove this app from the device when the MDM profile is removed from the device.
This setting is not displayed for macOS apps. It is also not displayed for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
Prevent user from removing and offloading app: Select this option to prevent device users from removing and uninstalling the managed app (for example, Ivanti Mobile@Work). It also prevents the OS from automatically offloading apps that are not being used. When the device user tries to uninstall the app, a pop-up will state: "Uninstall Not Allowed - It is not possible to uninstall this app at this time."
De-select to allow the device users to remove and uninstall the app.
Applicable to iOS 14.0 or newer versions.
Managed App Configurations
This section displays only for apps that support managed app configuration.
Modify the default configuration settings as required by your environment. Optionally, click Add+ to create alternative configuration settings with different values to apply to different devices based on labels.
See "Managed App Configuration settings for iOS apps in the App Catalog" on page 67.
Managed app configurations are not supported for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
13. Click Finish.
The app displays in the App Catalog.
14. Associate the app with a label to list the app on iOS devices.
Related topics
• "Editing in-house app information" on page 268
• "Changing iOS and macOS app information" on page 115
• "Changing the iOS or macOS app icon and screenshots" on page 117
• "Creating or changing a category for iOS and macOS apps" on page 118
Next steps
• Continue on to "Making iOS and macOS apps available to users in Apps@Work" on page 105.
Getting the iTunes app ID
To manually configure a managed app in the Add App Wizard, you must supply the ID for the app as
defined in iTunes. However, IDs are not always readily available.
Procedure
1. Open iTunes.
2. Navigate to the iTunes Store.
3. Navigate to the App Store.
4. Locate the app you want to configure.
5. Open a text editor.
6. Right-click the app icon, and select Copy Link.
7. For example, using Firefox, you can right-click on the icon and select Copy Link.
8. Paste the link into the text editor.
9. In the below example, the URL was pasted into Notepad. The application ID (selected) comprises the
digits following “id” and before “?mt=8”.
Using the wizard to add an in-house iOS or macOS app to the App Catalog
You can use the Add App Wizard to import into the App Catalog in-house iOS and macOS apps developed
by your organization. An enterprise-level Apple Developer account is required for developing in-house iOS
and macOS apps.
Each in-house app for iOS must be no larger than 5 GB. Individual downloads of iOS in-house apps over 3G
are generally limited to 20 MB per device. Use Wi-Fi to download larger in-house apps.
IMPORTANT:When developing an in-house iOS app to be used with Ivanti EPMM, you must
include the following keys in the info .plist file for the in-house app:
l
CFBundleName or CFBundleDisplayName
l
CFBundleIdentifier
l
CFBundleExecutable
l
CFBundleVersion
l
CFBundleShortVersionString
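A pre-upload check for the keys listed above, which also confirms that the embedded provisioning profile is still current (the wizard's Provisioning Profile field notes that apps are not usable on iOS without one). This is an added example, not code from Ivanti or from this guide. It assumes the standard .ipa layout (Payload/<name>.app/) and the ExpirationDate key of a .mobileprovision file; the function names and the sample archive are constructed for illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from xml.parsers.expat import ExpatError

# Keys the guide lists as required in the in-house app's Info.plist.
REQUIRED_KEYS = ("CFBundleIdentifier", "CFBundleExecutable",
                 "CFBundleVersion", "CFBundleShortVersionString")
NAME_KEYS = ("CFBundleName", "CFBundleDisplayName")  # at least one is required


def _app_member(names, filename):
    """Return the archive path Payload/<name>.app/<filename>, or None."""
    for name in names:
        parts = name.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == filename):
            return name
    return None


def _profile_plist(blob):
    """Parse the XML plist carried in the clear inside a .mobileprovision file.

    The CMS signature wrapped around it is NOT verified here; this only reads
    the fields so that an expired profile is caught before upload.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def check_ipa(ipa, now=None):
    """Return a list of problems for an .ipa given as a path or file object."""
    now = now or datetime.now(timezone.utc)  # pass a timezone-aware datetime
    with zipfile.ZipFile(ipa) as zf:
        names = zf.namelist()
        info_path = _app_member(names, "Info.plist")
        if info_path is None:
            return ["no Payload/<name>.app/Info.plist in archive"]
        try:
            info = plistlib.loads(zf.read(info_path))
        except (ValueError, ExpatError) as exc:
            return [f"Info.plist cannot be parsed: {exc}"]
        if not isinstance(info, dict):
            return ["Info.plist root is not a dictionary"]

        problems = [f"missing or empty {key}" for key in REQUIRED_KEYS
                    if not str(info.get(key, "")).strip()]
        if not any(str(info.get(key, "")).strip() for key in NAME_KEYS):
            problems.append("missing CFBundleName or CFBundleDisplayName")

        profile_path = _app_member(names, "embedded.mobileprovision")
        if profile_path is None:
            problems.append("no embedded.mobileprovision in app bundle")
            return problems
        try:
            expires = _profile_plist(zf.read(profile_path)).get("ExpirationDate")
        except (ValueError, ExpatError, AttributeError):
            expires = None
        if not isinstance(expires, datetime):
            problems.append("provisioning profile has no readable ExpirationDate")
            return problems
        if expires.tzinfo is None:  # plistlib returns naive UTC datetimes
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"provisioning profile expired {expires.date()}")
    return problems


def build_sample_ipa(info, profile_expires):
    """Build a constructed, unsigned .ipa in memory (sample data, not a real app)."""
    profile = (b"0\x82constructed-cms-header"
               + plistlib.dumps({"ExpirationDate": profile_expires})
               + b"constructed-signature-bytes")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/Demo.app/embedded.mobileprovision", profile)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    # Constructed sample: CFBundleVersion is left out and the profile has expired.
    sample = {"CFBundleDisplayName": "Demo",
              "CFBundleIdentifier": "com.example.demo",
              "CFBundleExecutable": "Demo",
              "CFBundleShortVersionString": "1.0"}
    for problem in check_ipa(build_sample_ipa(sample, datetime(2023, 1, 1))):
        print(problem)
```

Running `check_ipa("MyApp.ipa")` against a real build before opening the Add App Wizard returns an empty list when all five key requirements are met and the profile has not expired.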
If you are adding a new version of an existing app, see "Adding new versions of an existing iOS or macOS app" on page 100.
Procedure
Follow the steps listed in "Using the wizard to import iOS apps from the Apple App Store" on page 84.
Next steps
• "Making iOS and macOS apps available to users in Apps@Work" on page 105
Related topics
• Developing in-house iOS apps, see the Apple enterprise developer site at
• Apple Developer Enterprise https://developer.apple.com/enterprise/
• Building, signing, uploading, installing, and launching in-house apps, see this knowledge base article:
• AppSanity: Troubleshooting In-House iOS App Build, Signing, Upload, Install, and Launch Issues
Using the wizard to add an in-house macOS bundled app to the App Catalog
You can use the Add App Wizard to import into the App Catalog signed, in-house, bundled macOS apps. An
enterprise-level Apple Developer account is required for developing in-house macOS apps.
If you are adding a new version of an existing app, see "Adding new versions of an existing iOS or macOS app" on page 100.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select macOS from the Platform list.
3. Click Add+.
4. The Add App Wizard opens.
5. Click In-House.
6. Click Browse and navigate to the in-house bundled macOS app you want to upload.
7. Click Next.
Item: Description
Application Name: Displays the app name defined for the app bundle (up to 255 characters long). App names longer than 255 characters will be truncated when displayed on the device.
A macOS app is packaged as a bundle. A bundle is a directory in the file system that groups related resources together in one place. A macOS app bundle contains the app executable file and supporting resource files such as app icons, image files, and localized content.
Display Version: Shows the version number displayed to users. The value of this field is a number with or without a period. This value cannot be edited.
Developer: Enter the name of the app developer.
Description: Enter any additional text that describes the app.
Category: Select one or more categories if you would like this app to be displayed in a specific group of apps on the device.
a. Click Add New Category to define new categories.
b. Enter a category Name (up to 64 characters).
c. Enter a Description (up to 255 characters).
d. In the Category Icon section, click the Replace Icon button.
e. Browse and select an icon that will represent this Category.
f. Click Save.
See "Creating or changing a category for iOS and macOS apps" on page 118 for more information.
8. Click Next.
9. Use the following guidelines to complete this screen:
Item: Description
Apps@Work Catalog
Hide this App from the Apps@Work catalog: Select to prevent this app from being displayed in Apps@Work. For example, you might want to hide apps that will be installed upon registration anyway. Hiding a mandatory app reduces clutter in Apps@Work, leaving device users with a concise menu of the approved apps they might find useful.
Feature this App in the Apps@Work Catalog: Select if you want to highlight this app in the Featured apps list.
Featured Banner: Select to add the app to the featured banner at the top of the Apps@Work home screen on devices. When clicking the banner, device users see the details of the featured app. Add as many apps as you like to the featured banner, but the featured banner will only display the five most recent apps added to the featured banner. Apps in the featured banner are rotated every five seconds.
Allow app downloads over insecure networks: Select this if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.
Override URL: If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which apps are stored.
See "Override for in-house app URLs" on page 44 for the requirements for this configuration before using it.
Disable App Delivery Network for this App: Selected by default, this field only displays when administrators have enabled CDN in Ivanti EPMM. Applicable to in-house apps only.
Icon and Screenshots
App Icon: Required. The app icon is automatically extracted from the IPA file. The file must be in PNG format. Click Replace Icon to replace the icon.
Screenshots: Select up to twelve optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format. Each file must have a minimum size of 1024x768 or 768x1024 pixels, and a maximum size of 4096x4096 pixels. Click Upload to add a screenshot.
10. Click Next.
11. Use the following guidelines to complete this page:
Item: Description
Send installation request on device registration: Select this option to prompt macOS device users to install this app after device registration is complete.
If you selected Await device configuration during Apple device enrollment in the Enrollment profile, then Select installation request on device registration or sign in must also be selected.
If using Ivanti Mobile@Work 1.4 for macOS, it is recommended you select this check box.
Per App VPN Settings
Per App VPN by Label Only: To apply a Per-App VPN by Label Only for this application, keep this option checked and then select one of the pre-configured Per-App VPNs listed in the VPN Selection section below. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default.
Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
See VPN settings in the Ivanti EPMM Device Management Guide for iOS and macOS devices for information on creating a per app VPN or Tunnel VPN setting.
12. Click Finish.
The app bundle displays in the App Catalog.
13. Associate the app with a label to list the app on macOS devices.
In the Apply to Labels dialog box, select the check box next to the app's name. Click in the Mandatory field; a drop-down displays. Selecting Yes makes the selected app mandatory; leaving it at the default No makes the app optional.
Next steps
• "Making iOS and macOS apps available to users in Apps@Work" on page 105
• "App management action workflows" on page 40
Adding new versions of an existing iOS or macOS app
When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the
app's old version information or to adopt the information from the app's new version. This feature is
applicable to iOS and macOS in-house / private / self-hosted apps.
Procedure
1. In the App Catalog, click the Add+ button.
The Add App Wizard opens.
2. Click In-House.
3. Click Browse and navigate to the in-house iOS or bundled macOS app you want to upload.
4. Click Next.
The An earlier version of this App exists page opens.
5. Select an option:
• Another version of this App was previously uploaded. Reuse its description, icon and screenshot(s). If the Description, Icon or Screenshot fields of the new app are empty, then the system will populate those fields with information from the previous app version (default).
• Upload a new description, icon or screen shot. Information related to the Description, Icon or Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied from the previous app version.
6. Click Next and finish configuring the new version of your app (see "Using the wizard to add an in-house iOS or macOS app to the App Catalog" on page 96).
Once finished, the new version displays in the App Catalog.
Setting per app VPN priority for iOS and macOS apps
The per app VPN setting the app uses depends upon:
• The label to which the per app VPN setting is applied (if the per app VPN is applied to a label).
• The assigned priority of the per app VPN setting in the Per App VPN field of the app.
• The first per app VPN listed in the right-hand column of the Per App VPN Settings has the highest priority; the last per app VPN has the lowest priority.
To rearrange the per app VPN settings’ priorities in the right-hand column (set of selected VPN
settings), drag the setting names to the correct positions in the list. You can also use the up and
down arrows.
The priority of per app VPN settings applied to labels is higher than per app VPN settings that are not
applied to labels. For example, suppose the app lists VPN1, VPN2 and VPN3 as the possible per app VPN
settings in the right-hand column (set of selected VPN settings).
• If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is assigned to the app when the per app VPN list order is:
  ◦ VPN1 (applied to label)
  ◦ VPN2 (applied to label)
  ◦ VPN3
• If VPN1 and VPN2 are applied to labels and VPN3 is not, then VPN1 is assigned to the app if the per app VPN list is:
  ◦ VPN3
  ◦ VPN1 (applied to label)
  ◦ VPN2 (applied to label)
The Apps tab in device details (go to Devices & Users > Devices and click the caret to see the device
details) lists the activated per app VPN for the device so that users and administrators can easily view which
VPN the app is using on that device.
Per app VPN is not supported for iOS apps when Ivanti EPMM is configured for MAM-only iOS
devices.
Per app VPN and the Tunnel app on iOS and macOS devices
Ivanti EPMM pushes per app VPN profiles to devices regardless of whether devices have the VPN client
(Tunnel). Ivanti EPMM will install apps to devices that require Tunnel to function correctly, even if those
devices do not have Tunnel installed or per app VPN enabled. If Tunnel is not installed to devices with these
apps, the apps will not function correctly. To enable the use of apps that require Tunnel type per app VPN to
function, you must ensure devices have Tunnel installed and per app VPN functionality enabled.
Ivanti EPMM makes the following recommendations with regard to apps requiring per app VPN:
• When sending app installation messages to devices for apps requiring Tunnel type per app VPN, Ivanti EPMM installs the apps to devices even if Tunnel or per app VPN is not installed or enabled on these devices. To send app installation messages only to devices with Tunnel type per app VPN, you must send the app installation message to a label you create that includes only devices with Tunnel type per app VPN.
• When sending an app installation or conversion request (from unmanaged to managed) on registration or sign-in, Ivanti EPMM installs to devices apps requiring Tunnel or per app VPN regardless of whether devices have Tunnel installed or per app VPN enabled. To send app installation or conversion requests only to devices with Tunnel type per app VPN configurations, you must send the app installation or conversion message to a label you create that includes only devices with Tunnel type per app VPN.
• When signing out of the multi-user web clip for iOS, Ivanti EPMM triggers the removal of the per app VPN profile from the device twice.
• Apply the following dynamic label to the VPN configuration profile you apply to devices:
"common.mi_tunnel_app_installed" = "production"
• When configuring per app VPN settings to an app, select Per app VPN by label only, then select the Tunnel VPN configuration. You must move only the Tunnel VPN configuration to the right side of per app VPN list, as Ivanti EPMM does not support this functionality if other types of VPN configurations exist on the device.
Setting DNS proxy for iOS and macOS apps
The DNSproxy settings the app uses depends on:
l
The label to which the DNSproxy setting is applied (if the DNSproxy is applied to a label).
l
The assigned priority of the DNSproxy setting in the DNSproxy field of the app.
l
The first DNSproxy listed in the right-hand column of the DNSproxy Settings has the highest
priority; the last DNSproxy has the lowest priority.
To rearrange the DNSproxy settings’ priorities in the right-hand column (set of selected DNSproxy
settings), drag the setting names to the correct positions in the list. You can also use the up and
down arrows.
The priority of DNSproxy settings applied to labels is higher than DNSproxy settings that are not applied to
labels. For example, suppose the app lists DNS1, DNS2 and DNS3 as the possible DNSproxy settings in the
right-hand column (set of selected DNSproxy settings).
l
If DNS1 and DNS2 are applied to labels and DNS3 is not, then DNS1 is assigned to the app when the
DNSproxy list order is:
o
DNS1 (applied to label)
o
DNS2 (applied to label)
o
DNS3
• If DNS1 and DNS2 are applied to labels and DNS3 is not, then DNS1 is assigned to the app if the DNS proxy list is:
  ◦ DNS3
  ◦ DNS1 (applied to label)
  ◦ DNS2 (applied to label)
The Apps tab in device details (go to Devices & Users > Devices and click the caret to see the device details) lists the activated DNS proxies for the device so that device users and administrators can easily view which DNS proxy the app is using on that device.
DNS proxy is not supported for iOS apps when Ivanti EPMM is configured for MAM-only iOS devices.
For more information, see Creating DNS Proxy Configurations in the Ivanti EPMM Device Management Guide for iOS and macOS devices.
Supporting Associated Domains
Associated domains establish a secure association between domains and your app so you can share
credentials or provide features in your app from your website.
This is available for iOS 13 and later and is not applicable to MAM devices.
Adding Associated Domains
To add associated domains, you can either:
• Click on an existing application, click Edit > APP CONFIGURATIONS > ASSOCIATED DOMAINS.
or
• Select APPS > APPS CATALOG.
A list of Public, In-house, and VPP apps is available as configured by the admin.
• In the ASSOCIATED DOMAINS section, click Add, enter a domain name and provide a description.
You can add Associated domains while importing the supported applications.
• Click Save.
Removing iOS or macOS apps from the App Catalog
Removing an app from the App Catalog removes the listing for the app from Apps@Work on iOS and
macOS devices.
WARNING:
• Deleting apps from Ivanti EPMM also causes these apps to be uninstalled from devices to which the apps are installed.
• Deleting Apple License apps will cause the Apple Licenses associated with these apps to be reclaimed.
• Unmanaged iOS apps are not deleted from iOS devices.
• Removing a macOS app from the App Catalog deletes the app from Ivanti EPMM only, and not from macOS devices, as macOS apps are not managed apps.
• On MAM-only iOS devices, iOS apps are removed from Apps@Work on the device, but not uninstalled from the device.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Select the app you want to remove.
4. Click Delete.
A message displays warning that deleting the app from Ivanti EPMM will delete it from devices.
5. Click Yes to proceed.
6. For in-house apps, the app bundle and the provisioning profile are removed from Ivanti EPMM.
Making iOS and macOS apps available to users in Apps@Work
Note the following:
• Making macOS apps available to users in Apps@Work involves the use of Apple Licenses. For more
information about publishing macOS apps to macOS devices, see "Using Apple licenses" on
page 142.
• You can also import in-house apps for macOS. See "Using the wizard to add an in-house iOS or
macOS app to the App Catalog" on page 96.
Managing iOS apps in Apps@Work involves:
• "Publishing iOS and macOS apps to Apps@Work" below
• "Updating iOS apps in Apps@Work" below
• "Unpublishing iOS apps from Apps@Work" on the next page
Publishing iOS and macOS apps to Apps@Work
After adding any iOS or macOS app to the App Catalog, the app must be made available to the relevant
users through Apps@Work. This is done by applying the app to a relevant label. The label determines the
group of device users who will see the app in Apps@Work on their iOS or macOS devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Select the app you want to work with.
4. Click Actions > Apply to Label.
5. Select the label that represents the iOS or macOS devices for which you want the selected app to be
displayed.
In the Apply to Labels dialog box, select the check box next to the app's name. Click in the
Mandatory field; a drop-down displays. Selecting Yes makes the selected app mandatory; leaving
it at the default No makes the app optional.
6. Click Apply.
Updating iOS apps in Apps@Work
When an update for an iOS managed app becomes available, you can update the iOS managed app in the
App Catalog, as described in "Manually importing iOS apps from the Apple App Store" on page 82. Ivanti
EPMM sends the update information to Apps@Work on devices associated with the same label as the
updated app.
When you update a managed app configuration, the changes will be pushed to all associated
devices, including a newer version of that app found in the AppConfig repository. Ivanti, Inc
recommends you first inspect the updated Managed App configuration schema in the AppConfig
repository before proceeding.
Apps@Work includes an Updates category, where it lists iOS managed apps that are available for update.
The list of iOS managed apps with updates displays when the user taps the Updates category.
An Update tag displays on the entry for the app with an update.
Updates to featured apps are published in the same way to all devices in the labels assigned to the apps.
You can also send a message to devices to announce the availability of updates to featured apps (see
"Notifying users of new iOS and macOS apps or app updates" on page 119).
Apps have a Re-Import link, allowing you to re-import the app into Ivanti EPMM at any time.
Note, however, that Ivanti EPMM does not:
• Contact the Apple App Store to check for updates to unmanaged apps.
• Track the version numbers of public apps.
• Control which version a user can install.
• Support updating apps on MAM-only iOS devices. Specifically, if you update the app in the App
Catalog, Apps@Work on the device makes the updated app available, but does not indicate that it is
an update. You also cannot send a message to the devices that an update is available.
Ivanti, Inc recommends that device users consult the Apple App Store to confirm the availability of new
versions of apps. Alternatively, you can use the send message feature to inform device users of a new
version of an app. For more information about using the send message feature, see "Informing users of new
apps and updates on iOS and macOS devices" on page 119.
Unpublishing iOS apps from Apps@Work
You can unpublish an iOS app from Apps@Work by removing the app from the label to which it was
originally applied.
Removing an app from a label causes that app to be uninstalled from the devices associated with that label,
and removes the app's listing from Apps@Work on those devices.
Note the following:
• On MAM-only iOS devices, iOS apps are removed from Apps@Work on the device, but not
uninstalled from the device.
• You cannot unpublish macOS apps from macOS devices, as macOS apps are not managed apps.
When you apply a label to an app, Ivanti EPMM makes that app available to devices associated with that
label. After the label is applied, device users can install the app from Apps@Work. Simply applying the label
to the app does not install the app to devices belonging to the label.
If you want to install an app to all devices in a label, you can do so by sending a message to devices, or
configuring the app to be installed upon sign-in (for multi-user devices).
If you remove an app from a label, and then decide you want to apply the label to the app after all,
the app will still be uninstalled and removed from devices. Re-applying the label to the app causes
the app to be available in Apps@Work on the devices associated with that label. Re-applying the
label to the app will not install the app to devices on that label. To re-install the app to devices on
the label, send a message to devices or configure the app to be installed upon multi-user sign-in.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS from the Platform list.
3. Select the app you want to work with.
4. Click Actions > Remove from Label.
5. Select the labels from which you want to remove the app.
6. Click Remove.
The app is immediately removed from the apps list on the devices associated with the given label.
Related topics
• "App management action workflows" on page 40
• "Informing users of new apps and updates on iOS and macOS devices" on page 119
• "Manually importing iOS apps from the Apple App Store" on page 82
Mandatory and optional in-house and secure apps
iOS and macOSin-house apps are made available through the App Catalog and can be designated as a
mandatory app, which means that the app is always installed on the devices matching the app’s labels. An
app that is not marked as mandatory is optional, and enables the users to decide whether or not to install
the app on their devices. The in-house app can be either an AppConnect app (secure app) or a regular, non-
AppConnect app.
Designating the Secure Apps Manager as optional and all secure apps as optional means that the
device user sets up the secure apps container on-demand. See "On-demand secure apps container
setup" on page 199.
To set the prerequisite app for a dependent app, see "App management action workflows" on
page 40.
Install and uninstall of mandatory apps
You can specify that mandatory in-house apps and secure apps are installed and uninstalled on iOS and
macOS devices.
Although a mandatory app is always installed on the device, whether the device user sees a notification to
install the app depends on whether the device is a supervised device.
Whether device users are notified to install a mandatory app
When an iOS or macOS app is set as Mandatory (the Mandatory field is set for the label that is applied to the
app), device users will not immediately get the prompt for app installation if they do not have that app
installed on the device.
Every hour, Ivanti EPMM reviews all the devices that had last checked in for any unmanaged apps and, if
applicable, sends the unmanaged to managed app conversion request to that device. If there is an
unmanaged app installed on these devices, device users will not immediately get the prompt for change
management.
Device user experience with uninstalling a mandatory app
The device user experience when attempting to uninstall a mandatory app depends on the type of device, as
specified by the following table:
| | iOS devices that support install/uninstall | macOS devices that support install/uninstall |
|---|---|---|
| Can device user uninstall a mandatory app when the install/uninstall feature is enabled? | Yes, but the app will be reinstalled. | Yes, but the app will be reinstalled. |
| Can device user uninstall a mandatory app when the install/uninstall feature is not enabled? | Yes, but the device user will be notified to re-install the app. | Yes, but the device user will be notified to re-install the app. |

TABLE 7. DEVICE USER EXPERIENCE WITH UNINSTALLING A MANDATORY APP
Designating an in-house app as optional or mandatory
After you have added the app to the App Catalog, you can designate whether it is an optional or mandatory
app.
The below procedure applies to both iOS and macOS in-house and public apps.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select an app and then select Actions > Apply to Labels.
3. In the Apply to Labels dialog box, select the check box next to the app's name.
4. Click in the Mandatory field; a drop-down displays. Selecting Yes makes the selected app
mandatory; leaving it at the default No makes the app optional.
5. Click Apply.
Managing installed iOS and macOS apps
Managing installed iOS apps involves:
• "Viewing the status of installed iOS and macOS apps" on the next page
• "Selecting which installed iOS apps to track" on page 113
When Ivanti EPMM is configured for MAM-only iOS devices, you cannot view installed app status.
Viewing the status of installed iOS and macOS apps
The Installed Apps page shows, at a glance, which iOS and macOS apps are installed to managed iOS and
macOS devices, respectively. Managed devices send the status of their apps to Ivanti EPMM, and the
Installed Apps page indicates the number of devices to which the apps are installed. For instance, if an app
has been installed to one managed device, this is indicated by the number 1 and the time stamp for when
Ivanti EPMM received the installation status. If a given app has not been installed to any device, that app is
not displayed on the Installed Apps page.
You can search for apps using the following:
• Summary View: This search is based on app ID or bundle ID.
• Detailed View: This search is based on the app installation name, meaning the name of the app as
installed on a device (as opposed to the App Catalog name, which may be different).
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > Installed Apps.
2. Select iOS or macOS from the Platform list.
3. The list of installed iOS or macOS apps displays in Summary View, including the following columns:
| Item | Description |
|---|---|
| Application Name | The name of the application. |
| Identifier | The bundle identifier for the application. |
| Platform | The operating system on which the app is designed to run: iOS or macOS. |
| Devices Installed | The number of devices to which this app is installed. |
| First Found | The date and time at which a registered device first reported the app to Ivanti EPMM. |
4. To view more details about installed iOS apps, under App Detail, select the Detailed View radio
button. The list of installed iOS apps displays in Detailed View, including the following columns:
| Item | Description |
|---|---|
| Application Name | The name of the application. |
| Identifier | The bundle identifier for the application. |
| App Version | The version number of the installed app. |
| Platform | The operating system on which the app is designed to run: iOS or macOS. |
| Devices Installed | The number of devices to which this app is installed. |
| Permissions | For Android apps only. |
| First Found | The date and time at which a registered device first reported the app to Ivanti EPMM. |
You can optionally sort the list of apps by any of the available columns.
5. To view details about the devices to which the app is installed, click the number in the Devices
Installed column. The Device Details window displays the following information for each device:
| Item | Description |
|---|---|
| Device UUID | The unique identifier for the device. |
| User Name | The name of the user to whom the device is registered. |
| User ID | The user ID of the user to whom the device is registered. |
| Platform | The version of the operating system installed to the device. |
| Model | The model name and number of the device. |
| Mobile Number | The mobile phone number associated with the device. This setting is not displayed for macOS apps. |
| App Version | The version number of the installed app. |
6. You can take any of the following actions on the devices shown here, by selecting one or more
devices and then selecting one of the following options:
• Send Message
• Force Device Check-In
• Retire
7. Click Apply.
8. Click Export to CSV to export the list of devices to a CSV file.
9. Click Close.
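Because Ivanti EPMM does not track the version numbers of public apps or control which version a user installs, the exported device list is a practical place to find devices running an old build. The following is an added example, not code from this guide or from Ivanti: it reads an export and lists devices whose App Version is below a minimum you choose. The column names are assumed to match the Device Details columns listed above, and the sample rows are constructed.

```python
"""Added example: flag devices in an Installed Apps CSV export that run an
app version older than a chosen minimum."""
import csv
import io

# Constructed sample. Column names are an assumption based on the Device
# Details columns in this guide; adjust them to the header row of a real export.
SAMPLE_EXPORT = """\
Device UUID,User Name,User ID,Platform,Model,Mobile Number,App Version
11111111-aaaa-4bbb-8ccc-000000000001,Alex Doe,adoe,iOS 16.6,iPhone 13,,4.10.2
11111111-aaaa-4bbb-8ccc-000000000002,Sam Roe,sroe,iOS 17.1,iPad Air,,4.9
11111111-aaaa-4bbb-8ccc-000000000003,Kim Poe,kpoe,iOS 15.7,iPhone 11,,4.10.0-beta
11111111-aaaa-4bbb-8ccc-000000000004,Lee Moe,lmoe,iOS 17.0,iPhone 14,,4.11
"""


def parse_version(text):
    """Turn '4.10.2' into (4, 10, 2); return None if any part is not numeric."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def pad(version, length):
    """Right-pad a version tuple with zeros so 4.9 compares as 4.9.0."""
    return version + (0,) * (length - len(version))


def audit(csv_text, minimum):
    """Return (outdated, unparsed).

    outdated: (Device UUID, User ID, App Version) for rows below `minimum`.
    unparsed: Device UUIDs whose version string is not purely dotted numbers;
              these need a manual look rather than a silent pass.
    """
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError("minimum must be a dotted numeric version")
    outdated, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row.get("App Version") or "")
        if version is None:
            unparsed.append(row["Device UUID"])
            continue
        width = max(len(version), len(floor))
        # Compare numerically: as plain strings, "4.9" would sort above "4.10".
        if pad(version, width) < pad(floor, width):
            outdated.append((row["Device UUID"], row["User ID"], row["App Version"]))
    return outdated, unparsed


if __name__ == "__main__":
    old, odd = audit(SAMPLE_EXPORT, "4.10.0")
    print("below minimum:", old)
    print("needs manual review:", odd)
```

The devices it lists are candidates for the Send Message action described in step 6.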
Selecting which installed iOS apps to track
By default, the App Catalog page lists all apps installed to all managed iOS devices. However, you can filter
the types of iOS apps whose installation status you want to log on this page. For example, you can allow
Ivanti EPMM to track the status of all apps, or only iOS managed apps, or certain apps specified by their
bundle IDs.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select the default Privacy policy.
3. Click Edit. The Modify Privacy Policy dialog box opens.
4. Scroll down to the App Filters section.
5. From the iOS Installed App Inventory drop-down list, select one of the following options:
• All Apps: Managed devices will send the status of all iOS managed installed apps and unmanaged
installed apps to Ivanti EPMM.
The administrator should update the Default Privacy Policy with highest priority and set
the "iOS Installed App Inventory" field to "All Apps". This ensures unmanaged apps are
reported to Ivanti EPMM and Ivanti EPMM can send MDM commands to convert
unmanaged apps to managed apps. This applies if the app has the option "Enforce
conversion from unmanaged to managed app (iOS 9 or later)" enabled and the
unmanaged version of the same app is reported to Ivanti EPMM.
• Managed Apps Only (iOS 7 and later): Managed devices will only send the status of installed
iOS managed apps to Ivanti EPMM.
• Specified Apps Only (iOS 7 and later): Managed devices will send to Ivanti EPMM the status of
installed apps (whether iOS managed apps or unmanaged apps) with the specified identifiers
(bundle IDs).
6. If you selected Specified Apps Only (iOS 7 and later), a table called Specific Apps displays.
a. From the Bundle ID drop-down list, select the identifier for the app you want to track.
b. In the Specific Apps table, click the + icon to add the app identifiers whose status you wish to
track.
c. In the Description field, enter a brief description for the app.
d. To remove an entry, click the delete icon.
7. Click Save.
A prompt displays, indicating that users will receive notification of the changes to the privacy policy.
8. Click Yes.
The default policy is applied to the All-smartphones label and labels to which no other policy has
been applied.
Related Topic:
• "App management action workflows" on page 40
Editing iOS and macOS apps and app settings in the App Catalog
You can edit iOS app settings as follows:
• "Changing iOS and macOS app information" below
• "Changing the iOS or macOS app icon and screenshots" on page 117
• "Creating or changing a category for iOS and macOS apps" on page 118
Changing iOS and macOS app information
You cannot edit the iTunes ID of an app. If you entered the wrong ID when you added this app to
the App Catalog, then you need to delete the app entry and create a new one.
When the app data is in View or Edit mode, Ivanti EPMM loads the latest managed app schema from the
AppConfig repository and displays the latest fields (including any new fields) in the “Managed App
Configurations” section in the UI. Ivanti recommends that before saving the changes, you first carefully
inspect the updated managed app configuration. Once you select Proceed and click Confirm, the updated
managed app configuration settings are saved and the changes are pushed out to all associated devices.
Prevent deleted default field values from repopulating by entering the substitution variable
$NULL$ when editing app configurations. See "Substitution variables for configuring iOS apps" on
page71.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Click the name of the app.
4. Click Edit.
5. Make your changes.
| Field name | Can be modified? |
|---|---|
| **Description** | |
| App Name | Yes |
| Display Version | No |
| Code Version | No |
| Developer | No |
| Description | Yes |
| Category | Yes |
| iPad Only | Yes |
| Use Global Apps Config policy | Yes |
| Provisioning Profile | No |
| **Apps@Work Catalog** | |
| Hide this App from the Apps@Work catalog | Yes |
| Feature this App in the Apps@Work catalog | Yes |
| Featured Banner | Yes |
| Allow app downloads over insecure networks | Yes |
| Override URL | Yes |
| Disable App Delivery Network for this App | Yes |
| **App Configurations** | |
| Data Protection Required | Yes |
| **Per App VPN Configurations** | |
| Per App VPN by Label Only | Yes |
| **Managed App Settings** | |
| Prevent backup of the app data | Yes |
| Remove app when device is quarantined or signed out | Yes |
| Send installation request on device registration or sign in | Yes |
| Send installation request to quarantine devices | No |
| Send convert unmanaged to managed app request on device registration or sign-in (iOS 9 or later) | Yes |
| Send convert unmanaged to managed app request to quarantine devices (iOS 9 or later) | No |
| Enforce conversion from unmanaged to managed app (iOS 9 or later) | Yes |
| **Advanced Settings** | |
| Remove app when MDM profile is removed | Yes |
| Prevent user from removing and offloading app | Yes |
| Customize and prioritize app configurations based on app usage. | Yes |
| Icons and Screenshots | Yes |
6. Click Save.
Related topics
• "Using the wizard to import iOS apps from the Apple App Store" on page 84
Changing the iOS or macOS app icon and screenshots
You can edit the app icon and screenshots associated with any app in the App Catalog.
Procedure
1. Obtain the icon or screenshot you want to use.
See "Using the wizard to import iOS apps from the Apple App Store" on page 84 for information on
supported formats and dimensions.
2. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
3. Select iOS or macOS from the Platform list.
4. Click the name of the app you want to work with.
5. Click Edit.
When the app data is in View or Edit mode, Ivanti EPMM loads the latest managed app
schema from the AppConfig repository and displays the latest fields (including any new
fields) in the “Managed App Configurations” section in the UI. Ivanti, Inc recommends that
before saving the changes, you first carefully inspect the updated managed app
configuration. Once you select Proceed and click Confirm, the updated managed app
configuration settings are saved and the changes are pushed out to all associated devices.
6. Click Remove next to the icon or screenshot you want to remove.
A new text field displays in the section from which you deleted the screenshot.
7. Next to the text field, click Browse to select the graphic file you want to use from the file system.
8. Click Save.
Creating or changing a category for iOS and macOS apps
You can create categories for organizing the apps displayed on iOS and macOS devices. The categories
appear as dividers in the app lists.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > Categories.
2. Select iOS or macOS from the Select Platform list.
3. Click the name of the app you want to add to a category.
The app details are displayed.
4. Click Add+.
The Add New Category dialog box opens.
5. Click Add New Category.
6. Enter your configurations.
| Field name | Description |
|---|---|
| Application Name | Enter a category name (up to 64 characters). |
| Description | Enter a description (up to 255 characters) for the category. |
| Category Icon | a. Click the Replace Icon button. b. Browse and select an icon that will represent this Category. |
7. Click Save.
Note the following:
• Categories cannot be deleted.
• To remove a category and apply a different category, clear the check box next to the app to remove
the category association.
Notifying users of new iOS and macOS apps or app updates
The following options are available for notifying users of new apps or app updates:
• "Informing users of new apps and updates on iOS and macOS devices" below
• "Editing the app distribution push notification template for iOS and macOS" on page 122
• "User notification of newly-published iOS apps" on page 123
• "Copying a direct link to an iOS app" on page 124
These features are not supported when Ivanti EPMM is configured for MAM-only iOS devices.
Informing users of new apps and updates on iOS and macOS devices
You can send out a message informing iOS and macOS device users about the availability of a new app or
an update for an installed app. You can also request device users to convert installed, unmanaged apps to
iOS managed apps, without having to uninstall the unmanaged app. You can only convert unmanaged apps
to managed on iOS devices running iOS 9.0 or newer versions.
When a user’s device checks in, the Update tab displays a badge number indicating the number of in-house
and public app updates available for the device user to download. Once the user updates the apps, the
badge number will disappear on next device check-in.
Update messages can be sent to a particular label. Ivanti EPMM will not update the app; rather, Ivanti EPMM
sends a message to the device requesting the device user to install the app from the Apple App Store. If the
Apple App Store indicates an update is required, Ivanti EPMM installs the update. If no update is required,
Ivanti EPMM re-installs the app. For in-house apps, Apps@Work indicates whether an update is required,
and Ivanti EPMM provides the updated app.
While you can initiate a Send Message for Update request through MDM, the notification directs the device
user to the public app in Apps@Work, providing an option for re-installing the app. However, the section for
Updates in Apps@Work may not have this public app listed.
Note the following:
• Messages sent to iPad-only apps will only be sent to iPad devices.
• If data protection is enabled on managed devices, messages will be sent only to those devices with a
passcode.
• When sending a message regarding a hidden app, Ivanti EPMM shows a prompt asking whether to
send the message to device users.
• Device users may not see a given app in the Apple App Store under the following circumstances: the
app is Apple License device-based or B2B, or device access to the Apple App Store is disabled.
Before you begin
You must first assign Apple Licensed-macOS apps to a label before using this feature.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Select the featured app you want to work with.
4. Go to Actions > Send Installation Request.
5. Use the following guidelines to select the app installation option:
| Item | Description |
|---|---|
| Send request for new installations | Prompts the device user to install the app, if not already installed. This applies to those devices to which the app has not yet been installed. |
| Send request for updates | Prompts the device user to update the app. For public iOS apps only. Applies to devices with the app installed, where an update is available. Select one of the following options: • Use the app install date on device to determine if updates are required. Ivanti EPMM determines whether to install the app based on the last installation date as reported to Ivanti EPMM. When installing an app to a device, the device sends to Ivanti EPMM a list of all apps installed to the device. Ivanti EPMM stores this time stamp reported by the device as the date for the installation of that particular app. When selecting this option, Ivanti EPMM only updates the app on devices where the last installed date is earlier than the release date of the app. • Ignore the app install date on device. Ivanti EPMM sends an install command to the device. The app is installed from the Apple App Store, without checking the install date on the device. When sending a request to devices to update a public app in the App Catalog, Ivanti EPMM is unable to use the app install date on the device to determine whether updates are required, if the app was recently converted from an unmanaged app to an iOS managed app. When sending a request to update a recently converted iOS managed app, select Ignore the app install date on device. |
| Send request for both new installations and updates | Prompts the device user to install or update the app. Applies to all devices, regardless of whether the app has been installed yet. |
| Send request to convert the app to Managed | Prompts the device user to convert the unmanaged app to an iOS managed app on devices running iOS 9 or newer versions. This setting does not display for macOS apps. |
| Use iOS managed app install/update action (iOS 5 and later) | Skip the Apps@Work display and install or update the app. Users will receive installation or update prompts at the next device check-in. Note the following: • Ivanti EPMM will silently install or update the app on supervised devices, instead of prompting the supervised device user, even when selecting this option. This is due to changes in Apple’s implementation of this feature. • This setting does not display for macOS apps. |
| Send message to all | Select this option to send a message to all devices in all labels. |
| Select labels to send message | Select this option to send a message to all devices in a selected label. |
| Select devices to send message | Select this option to search devices by name, model, platform, phone, then select the devices to which you want to send the message. The Selected tab tracks devices selected from the search. |
6. To check the content of push notifications prior to sending:
a. Select the App Distribution template from the list.
b. Click View Messages.
7. Click Apply.
Ivanti EPMM only sends the message regarding featured apps.
Related topics
"Applying an Apple license label to an app" on page 151
Editing the app distribution push notification template for iOS and macOS
You can customize the template Ivanti EPMM uses to send app distribution push notifications.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Settings > Templates > Others.
2. Click the edit icon for the template you want to edit.
3. The app distribution message displays.
App distribution messages must include the $APPNAME$ variable, which indicates the
application name of the app being distributed.
4. Make changes to the displayed message.
5. Click Save.
User notification of newly-published iOS apps
When a featured app or an update to an installed app is published to device users, those users receive a
notification in Apps@Work. The Updates category shows a number corresponding to the number of
updates available. Tapping the Updates category shows the list of apps that are available for update.
Ivanti EPMM determines the availability of an update by comparing the version number for the installed app
to that of the newly-published app. If the user deletes a published app, that app will not become available
for reinstalling again until the status of the app is updated during the next sync with Ivanti EPMM.
• Updates: These include updates for in-house featured apps only. The Updates number shown on the
left-hand menu in Apps@Work includes app updates, new installations, and unmanaged to iOS
managed app conversions. Unmanaged public apps (running iOS 9 or newer versions) are also
included in the total number of updates indicated in the Updates badge.
• New installations: When an app has a new installation available, a badge indicating the number of
installations per app displays. Both in-house and featured public apps can have badges indicating a
new installation. Note that you can only send an installation request, not an update message, for
apps that are publicly available from the Apple App Store.
Note, however, that Ivanti EPMM does not:
• Contact the Apple App Store to check for updates to unmanaged apps.
• Track the version numbers of public apps.
• Control which version a user can install.
Ivanti, Inc recommends that device users consult the Apple App Store to confirm the availability of new
versions of apps. Alternatively, you can use the send message feature to inform device users of a new
version of an app. For more information about using the send message feature, see "Informing users of new
apps and updates on iOS and macOS devices" on page 119.
Copying a direct link to an iOS app
After adding an app to the App Catalog in Ivanti EPMM, a direct link to the app is shown in the app details
page on Ivanti EPMM. You can copy the direct link to the app and include it in an email or notification to
device users, allowing users to install the app directly, rather than searching for it in Apps@Work.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Scroll to the app whose direct link you want to copy.
3. Click the name of the app to view its details.
4. Scroll down to the Apps@Work Catalog section.
5. Next to App URL, click Copy Link to Clipboard.
Working with web applications for iOS and macOS
This section includes the following sub-sections:
• "Enabling installation of web applications to iOS and macOS devices" on the next page
• "Adding a web application to the App Catalog on iOS and macOS devices" on the next page
• "Taking actions on web applications for iOS and macOS" on page 126
• "Viewing the number of iOS and macOS devices with web applications installed" on page 127
• "Confirming web application installation to iOS and macOS devices" on page 128
• "Allow removal of web application from iOS device" on page 128
• "Troubleshooting web application installation for iOS" on page 129
• "Confirming receipt of web clips on iOS devices" on page 129
Enabling installation of web applications to iOS and macOS devices
You must enable the installation of web applications on managed devices by selecting the relevant options
for iOS and macOS in the Apps@Work settings. These options are enabled by default.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > Apps@Work Settings.
2. Under Web Applications, select the following:
   • Enable Installation of Web Applications on iOS.
   • Enable Installation of Web Applications on macOS.
The feature is enabled by default.
Adding a web application to the App Catalog on iOS and macOS devices
Web applications can be launched from Apps@Work and installed to iOS and macOS devices.
Before you begin
Enable the installation of web applications, as described in "Enabling installation of web applications to iOS
and macOS devices" above.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select Add+.
3. Select the Web Application tile.
4. Enter the following information:
Item | Description
Application Name | Enter a name, no more than 255 characters, for the web application. This name displays on the device.
App URL | Enter the address or URL for the target of the web clip. The URL must include the prefix http://, https://, or mibrowser://. You can enter up to 255 characters. If you enter the prefix mibrowser://, the URL opens in Ivanti Web@Work. Ivanti Web@Work must be installed on the device.
5. Select Next.
6. Use the following guidelines to complete this page:
Item | Description
Developer | Enter the name of the developer for this web application.
Description | Enter additional information to describe the app.
Feature this App in the Apps@Work catalog | Select Yes to display the app in the Featured List on the device. The app will also display in all the categories you selected.
Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. Select Add New Category to define new categories. Enter a category Name (up to 64 characters). Enter a Description (up to 255 characters). In the Category Icon section, select the Replace Icon button. Browse and select an icon that will represent this Category. Select Save.
7. Select Next.
8. Use the following guidelines to complete this page:
Item | Description
App Icon | Select Browse to navigate and select a graphic for the web clip.
9. Select Finish.
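The form rules in step 4 (name and URL of at most 255 characters, URL prefix http://, https://, or mibrowser://) can be checked before entries are typed into the Admin Portal. The following is an added example, not Ivanti code: the function names, severity labels, and sample entries are assumptions, and the warnings about cleartext http:// and credentials embedded in a URL are extra review points that the form itself does not enforce.

```python
from urllib.parse import urlsplit

# Prefixes and limits as stated in the Web Application form description.
ALLOWED_PREFIXES = ("http://", "https://", "mibrowser://")
MAX_LEN = 255


def check_web_app(name, url):
    """Return a list of (severity, message) findings for one planned entry.

    "error": contradicts the documented form rules.
    "warn":  accepted by the form, but worth review before it reaches devices.
    "info":  a documented prerequisite to keep in mind.
    """
    findings = []

    if not name.strip():
        findings.append(("error", "Application Name is empty"))
    elif len(name) > MAX_LEN:
        findings.append(("error", f"Application Name has {len(name)} characters; limit is {MAX_LEN}"))

    if len(url) > MAX_LEN:
        findings.append(("error", f"App URL has {len(url)} characters; limit is {MAX_LEN}"))

    lowered = url.lower()
    prefix = next((p for p in ALLOWED_PREFIXES if lowered.startswith(p)), None)
    if prefix is None:
        findings.append(("error", "App URL must start with http://, https://, or mibrowser://"))
        return findings

    try:
        parts = urlsplit(url)
        host = parts.hostname
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        findings.append(("warn", "App URL could not be parsed"))
        return findings

    if not host:
        findings.append(("warn", "App URL has no host name"))
    if has_userinfo:
        # A web clip URL is delivered to every device in the label.
        findings.append(("warn", "App URL embeds credentials that would be distributed to devices"))
    if prefix == "http://":
        findings.append(("warn", "http:// target is loaded without transport encryption"))
    elif prefix == "mibrowser://":
        findings.append(("info", "Ivanti Web@Work must be installed on the device"))
    return findings


def audit(entries):
    """Map each entry name to its findings, skipping entries with none."""
    report = {}
    for name, url in entries:
        findings = check_web_app(name, url)
        if findings:
            report[name] = findings
    return report


# Constructed sample entries (not taken from any real catalog).
SAMPLE_ENTRIES = [
    ("Expenses", "https://expenses.example.com/"),
    ("Legacy portal", "http://portal.example.com/"),
    ("Intranet", "mibrowser://intranet.example.com/home"),
    ("File share", "ftp://files.example.com/"),
    ("Reports", "https://svc:Passw0rd@reports.example.com/"),
]

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_ENTRIES).items():
        for severity, message in findings:
            print(f"{severity:5} {entry}: {message}")
```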
Taking actions on web applications for iOS and macOS
You can take the following actions on a selected web application:
TABLE 1. WEB APPLICATION ACTION ITEMS
Action | Description
Delete | Select Delete to delete the web application from Ivanti EPMM and remove it from Apps@Work.
Apply To Label | Select Actions > Apply to Label to select the label to apply. The web application will be available in Apps@Work for the devices associated with the label.
Remove From Label | Select Actions > Remove From Label to deselect the labels. The web application will be removed from Apps@Work for the devices associated with the label.
Viewing the number of iOS and macOS devices with web applications installed
You can view the number of devices to which a given web application is installed.
This feature is not supported for iOS devices when Ivanti EPMM is configured for MAM-only iOS
devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Under Platform, select Web Application.
The web applications in the App Catalog are displayed.
The number in the Devices column indicates the number of devices on which the web application is
installed.
The number in the Devices column will display as 0 if Enable Installation of Web
Applications is disabled.
3. Select the number to see a list of devices.
Web applications are not tracked in Installed Apps.
Confirming web application installation to iOS and macOS devices
You can confirm a web application has been installed to a given device. You can also confirm that a web
application has been installed to a device by checking that the web application icon is shown in
Apps@Work.
This feature is not supported for iOS devices when Ivanti EPMM is configured for MAM-only iOS
devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Devices & Users > Devices.
2. Under Platform, select Web Application.
3. Select the upward arrow (^) next to the relevant device.
4. Select the Configurations tab.
5. Locate the web clip you sent to the devices.
6. Its status should read Applied.
Allow removal of web application from iOS device
You can allow iOS device users to remove web applications from their devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. To filter by configuration type, in the Configuration Type field, select from the drop-down WebClip.
3. Select the preferred WebClip and select the Edit button.
The Modify WebClips Setting dialog box opens. Note that the Removable column displays "false" to
indicate device users are not allowed to remove / uninstall Web Clips themselves (default).
4. In the Web Clips field, select the link of the Web Clip name.
The Edit Web Clip dialog box opens.
5. Select Removable and then select Save.
In the Modify Web Clips Setting dialog box, the Removable column now displays "true" for the
selected WebClip. Device users will be able to remove / uninstall the WebClip.
6. Select Save.
Troubleshooting web application installation for iOS
Enable Installation of Web Applications on iOS is not checked
When you tap the icon, the details page displays the Launch button. Tapping the Launch button brings up
the web page in a browser.
If the web application points to a mibrowser:// URL, the web page opens in Ivanti Web@Work. You must
have Ivanti Web@Work installed on your device to view a web page with the mibrowser:// prefix.
Enable Installation of Web Applications on iOS is checked
If the feature is enabled, when you tap the web application in Apps@Work, the details page displays the
Request button.
The details page will display the Launch button if Enable Installation of Web Applications is
disabled.
Tapping the Request button installs the web clip to the device. The status of the button changes to
Installed after the web application is installed on the device.
The device user can tap the web clip to access the link. The user does not have to go to Apps@Work to
access the link.
Confirming receipt of web clips on iOS devices
Device users can confirm that they have received the relevant web clips from Ivanti EPMM by going to
Settings > General > Device management > MobileIron > Web Clips on their iOS devices.
Unmanaged to managed app conversion on iOS devices
You can convert an unmanaged app to an iOS managed app, with little to no device user input. There is no
need to uninstall the unmanaged app. This feature applies to apps installed on devices running iOS 9.0 or
newer versions.
There are two ways to convert unmanaged apps to iOS managed apps:
• Message: You can convert unmanaged apps to managed by prompting all devices running iOS 9.0 or newer versions. Device users simply respond by tapping Manage, which automatically converts the app to managed. On supervised devices, the app is silently converted.
• Apps@Work: Alternatively, you can configure an app as convertible to managed, by posting an update to the app in the Updates section of Apps@Work. This means that if the app is installed and unmanaged, the app will be listed in the Updates section of Apps@Work. Device users can find the app under Updates and tap Update to convert the app to managed. The version of the app will stay the same.
Note the following:
• Apps cannot be converted back to unmanaged. If you uninstall an iOS Managed app and re-install it from the Apple App Store, it still displays as Managed. If an app needs to be converted back to unmanaged, you need to remove the label associated with it.
• Apps that are hidden from view in Apps@Work on the device can still be converted to managed apps.
• When converting Apple-Licensed apps from unmanaged to managed, Apple Licenses are not consumed.
• If you delete a managed app from the device and install an unmanaged app, Ivanti EPMM will convert the unmanaged app to managed automatically without notifying or prompting the device user.
• This feature is not supported when Ivanti EPMM is configured for MAM-only iOS devices.
This section includes the following topics:
• "Enabling app inventory synchronization in the privacy policy for iOS" on the next page
• "Converting an unmanaged app to a managed app by prompting iOS device users" on page 132
• "Enabling device users to convert iOS apps from unmanaged to managed in Apps@Work" on page 133
• "Viewing the managed status of an iOS app" on page 134
• "Viewing the status of iOS managed apps for a given device" on page 135
• "User prompts to convert an app from unmanaged to managed on an iOS device" on page 137
• "Converting an app to managed on an unsupervised iOS device" on page 138
Enabling app inventory synchronization in the privacy policy for iOS
Make sure to enable app inventory synchronization in your privacy policy.
Procedure
1. Go to Policies & Configs > Policies.
2. Click the privacy policy that is currently enabled.
3. In the Policy Details pane, click Edit. The Modify Privacy Policy dialog box opens.
4. Select Apps > All Apps, if it has not been selected already.
The administrator should update the Default Privacy Policy with highest priority and set the
"iOS Installed App Inventory" field to "All Apps". This ensures that unmanaged apps are reported
to Ivanti EPMM and that Ivanti EPMM can send MDM commands to convert an unmanaged
app to a managed app. This applies if the app has the option "Enforce conversion from
unmanaged to managed app (iOS 9 or later)" enabled and the unmanaged version of the
same app is reported to Ivanti EPMM.
5. Click Save.
6. Apply the policy to the relevant labels.
Converting an unmanaged app to a managed app by prompting iOS device users
You can convert an unmanaged app to an iOS managed app by prompting users to accept a request to
convert the app on their devices.
Procedure
1. Go to Apps > App Catalog.
2. From the Platform list, select iOS.
3. Click Search to display a list of iOS apps.
4. Select the check box next to the name of the iOS app you want to convert to managed.
5. Make sure you have applied the app to the relevant labels.
a. From the list of apps, select the app you edited.
b. Go to Actions > Apply to Labels.
c. Select the labels you want to apply.
d. Click Apply.
6. Go to Actions > Send Installation Request.
7. In the Send App Installation Request dialog box, select Send request to convert the app to
Managed.
8. Click Apply.
9. The next steps depend on the type of iOS device receiving the message, as described in the following
table:
 | Unsupervised devices running iOS 9.0 or newer versions | Supervised devices running iOS 9.0 or newer versions
Prompt? | A prompt displays on the device, indicating that the app will be converted from unmanaged to managed. | No prompt appears.
Next steps? | The device user must tap Manage. The app is then converted to managed. If the device user has not yet installed the app, the app will be installed as managed. If the device user taps Cancel, the app is not converted to managed. | No user action required. The app is silently converted from unmanaged to managed.
Enabling device users to convert iOS apps from unmanaged to managed in Apps@Work
You can allow device users to convert an unmanaged app to an iOS managed app in Apps@Work.
Procedure
1. Go to Apps > App Catalog.
2. From the Platform list, select iOS.
3. Click Search.
A list of iOS apps displays.
4. Click the name of the iOS app you want to convert to managed.
The app details are displayed.
5. Click Edit.
For iOS apps, when the app data is in View or Edit mode, Ivanti EPMM loads the latest
managed app schema from the AppConfig repository and displays the latest fields (including
any new fields) in the “Managed App Configurations” section in the UI. Ivanti, Inc
recommends that before saving the changes, you first carefully inspect the updated
managed app configuration. Once you select Proceed and click Confirm, the updated
managed app configuration settings are saved and the changes are pushed out to all
associated devices.
6. Select Send convert unmanaged to managed app request on device registration or sign-in
(iOS 9 or later).
7. Click Save.
8. Click Back to List to return to the list of apps.
9. Make sure you have applied the app to the relevant labels.
a. From the list of apps, select the app you edited.
b. Go to Actions > Apply to Labels.
c. Select the labels you want to apply.
d. Click Apply.
The app will be listed in the Updates section of Apps@Work.
10. Device users must tap Update next to the app to convert it to managed.
Viewing the managed status of an iOS app
You can view whether a given app is managed or unmanaged on a device by clicking the number in the
Devices Installed column for that app.
Currently, macOS apps cannot be managed apps. Therefore, macOS apps display as unmanaged.
Procedure
1. Go to Apps > App Catalog.
2. From the Platform list, select iOS.
3. Click Search. A list of apps displays.
4. Find the name of the app whose managed status you want to view.
5. In the Devices Installed column, click the number next to the app whose managed status you want
to view.
6. The Device Details window displays. Locate the Managed column.
7. The Managed column indicates whether the app is managed on the devices listed.
8. Click Close.
Viewing the status of iOS managed apps for a given device
You can view the managed status of apps installed on a given device by drilling down to the device details
on the Devices page in Ivanti EPMM.
Procedure
1. Go to Devices & Users > Devices.
2. Click the device to view device details.
3. Click the Managed Apps and iBooks Inventory. A list of apps and iBooks installed on the device
displays.
4. Locate the app whose managed status you want to view.
5. In the Status column, check the status of the app.
6. Possible status values are listed in the following table:
Status | Notes
Managed | Indicates iOS managed app status (managed by MDM), or successful conversion from unmanaged to managed.
ManagementRejected | Indicates the device user tapped Cancel when prompted to convert the app to managed. Valid status for devices running iOS 9.0 or newer versions.
ManagedButUninstalled | The app was managed, but the device user deleted it. If the device user installs the app again, the app will be managed.
PromptingForManagement | Indicates the device user is being prompted to convert the app and has not yet tapped Manage or Cancel. Valid status for devices running iOS 9.0 or newer versions.
UpdateRejected | A transient state indicating the device user canceled the managed app update.
Installing |
UserInstalledApp |
UserRejected | Indicates the device user canceled a managed app installation.
Prompting | Prompting for installation.
PromptingForUpdate | Prompting for app update.
PromptingForLogin | Prompting for App Store password.
Failed |
AppAlreadyQueued |
AppAlreadyInstalled |
AppStoreDisabled |
NotSupported |
NeedsRedemption |
CouldNotVerifyAppID |
Redeeming |
Queued |
Unknown |
NotAnApp |
ValidatingPurchase |
PromptingForUpdateLogin |
Updating |
ValidatingUpdate |
PurchaseMethodNotSupported |
User prompts to convert an app from unmanaged to managed on an iOS device
If a user has any unmanaged apps installed on the device, the user will be prompted to convert the
unmanaged app to a managed app by selecting Manage. The unmanaged app will be converted to a
managed app.
Supervised devices will silently convert the unmanaged app to an iOS managed app. This applies to devices
running iOS 9.0 or newer versions.
This applies if the app has the option "Enforce conversion from unmanaged to managed app (iOS 9
or later)" enabled and the unmanaged version of the same app is reported to the Ivanti EPMM.
On supervised devices, unmanaged apps are also silently converted to managed. The device user will have
no indication that the app successfully converted to managed. You can verify that the app was converted to
managed by checking the status of the app, as described in "Viewing the status of iOS managed apps for a
given device" on page135.
Converting an app to managed on an unsupervised iOS device
On unsupervised devices, the Updates section in Apps@Work indicates a new update for the app that is to
be converted from unmanaged to managed.
To convert an app to an iOS managed app, instruct unsupervised device users to take the actions described
in the following procedure.
Procedure
1. On the user device, tap the Apps@Work web clip.
2. Tap the category for the app, such as Updates or Featured.
The app displays with an indication that it requires an update.
3. Tap Update next to the name of the app in Apps@Work.
The app details page displays.
4. Tap Update on the app details page.
A prompt displays, indicating that the app will be converted to managed.
5. Tap Manage to convert the unmanaged app to managed.
Apps@Work on the iOS or macOS device
Apps@Work as it appears on the device is meant to resemble the Apple App Store. The Apps@Work home
screen includes the following components:
• Apps@Work title: By default, the Apps@Work home screen is titled Apps@Work, and bears the default Apps@Work icon. You can customize the title and icon, however, as described in "Apps@Work branding" on page 49.
• Apps@Work icon: The Apps@Work icon moves to different locations, depending upon the action and the device. Refer to the table below:
TABLE 8. APPS@WORK ICONS IN IOS AND MACOS DEVICES
iOS devices:
- Apps@Work is not embedded within Ivanti Mobile@Work.
- Tapping on the Apps@Work icon on the iOS device home screen launches Apps@Work. The icon is always displayed on the home screen regardless of whether the app is running in the background or closed.
macOS devices:
- When Ivanti Mobile@Work is initially launched, the Apps@Work icon displays in the system tray.
- Clicking the Apps@Work icon in the system tray launches Apps@Work.
- When Apps@Work is launched, the Apps@Work icon displays in the Ivanti Mobile@Work menu.
- When Apps@Work is minimized, the Apps@Work icon displays in the Dock.
- When Apps@Work is closed, the Apps@Work icon disappears from the Dock.
• Featured banner: The featured banner shows the five latest apps that have been configured to display in the featured banner, where the featured app rotates every five seconds. When tapping an app in the featured banner, the app details are displayed. For details, see "Featured Banner" on page 87.
• New Releases: The New Releases section displays apps imported into the App Catalog in Ivanti EPMM since the last device synchronization.
• Featured Apps: The Featured Apps section shows App Catalog apps that have been configured as featured apps, to be displayed in the Featured Apps category.
  ◦ Tap an app to view its details, tap Install to install the app.
  ◦ Tap Re-install to install an app again.
  ◦ Tap Update to request an update of the app. The Update option is only shown if a newer version of the installed app is available in the App Catalog.
  ◦ Tap View to examine the details of a public app on the Apple App Store.
  ◦ Apps being installed have a Pending status. Refresh the screen by pulling it down.
  For more details about featured apps, see "Feature this App in the Apps@Work Catalog" on page 87.
• Popular Apps: The Popular Apps section shows up to 25 App Catalog apps with the greatest number of installations in descending order over the last 30, 60, or 90 days. Device users only see those popular apps applied to labels to which they belong, regardless of whether they have installed these apps. Popular apps not available for download to a given device will not be shown. Popular apps are updated once per hour. Uninstalled apps are not counted or shown.
• For more information about popular apps, see "Configuring popular apps for display in Apps@Work (Android, iOS, macOS)" on page 57.
• Categories: The Categories section shows all the categories you defined for apps in the App Catalog in Ivanti EPMM. For more information about categories, see "Creating or changing a category for iOS and macOS apps" on page 118.
• Search: You can search for apps by name or description. The last item searched will be remembered.
• App details: When tapping an app, Apps@Work shows an app details page, which includes the following information:
  ◦ App name and icon
  ◦ Description
  ◦ Version
  ◦ Date published
  ◦ Developer
  ◦ Install status
  ◦ Free/Prepaid/Price
  ◦ Size
  ◦ Compatibility
  ◦ Ratings
  ◦ Reviews
  ◦ Screen shots
A series of icons at the bottom of the page allow the device user to more easily navigate Apps@Work. The
icons include:
• Home: Tap to return to the Apps@Work home screen.
• Categories: Tap See All to browse apps by category, such as Sales, Marketing, Engineering. Tap a category to view a list of all apps in that category. On each category page, tap the Install All Apps button (an underlined downward arrow) to send an installation request to Ivanti EPMM and the Apple App Store. Tapping Install All Apps will also install Apple Licensed apps.
  Unsupervised devices will request permission first before installing all apps. On supervised devices, Ivanti EPMM installs all apps without requesting device user permission.
• Search: Tap to search for apps by name.
• Updates: Tap to view a list of apps that have updates available. Tap an individual app to update it.
• Tap the Update All button (an underlined downward arrow) to update all apps. An update request is sent for all apps. Apps being updated have a Pending status. Refresh the screen by pulling it down.
  Update status is not supported for MAM-only iOS devices.
Using Apple licenses
This section addresses using Apple licenses.
• "Apple license management with Ivanti EPMM" below
• "Main steps for setting up Apple licenses" on page 144
• "Linking Ivanti EPMM to an Apple licensed account" on page 145
• "Importing licensed apps from an Apple licensed account" on page 146
• "Importing additional apps from the App Catalog" on page 149
• "Applying device-based licensing to an app" on page 150
• "Applying a user-based license" on page 150
• "Applying an Apple license label to an app" on page 151
• "Removing an Apple license label from an app" on page 151
• "Revoking licenses" on page 152
• "Exporting Apple license app distribution details to a CSV file" on page 153
• "Managing your Apple license accounts" on page 154
• "Turning user-paid apps into managed apps" on page 159
Note the following:
• Using Apple Licenses is not supported with MAM-only iOS devices.
• Apple has renamed "VPP" to "Apps and Books" in the Apple portal.
Apple license management with Ivanti EPMM
Apple licenses allow participating organizations to purchase iOS and macOS apps and distribute these
apps to their users and to multiple devices.
• "Before using Apple licenses" on the next page
• "Apple license features" on the next page
• "Apple license use" on page 144
Before using Apple licenses
• For information about which port to open on Ivanti EPMM for access to https://vpp.itunes.apple.com, see the “Changing Firewall Rules” section in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.
• If the Apple license servers are overloaded with requests, they may return a 503 Service Unavailable status to clients. This response may include a Retry-After header, which indicates the time period clients must wait before making additional requests. If Apple returns a Retry-After header for a specific Apple license account, Ivanti EPMM will block any actions for that Apple license account for the time period specified by the Retry-After header and will then retry appropriately.
• For devices running iOS 9 or newer versions, apps can be purchased through Apple licenses in one country and assigned to devices in other countries, as long as the app is available from the Apple App Store in the countries where it is used.
• Ivanti EPMM supports B2B (Business to Business) Apple licenses globally.
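The Retry-After behavior described above (block one Apple license account for the period the server names, leave other accounts alone, then retry) can be sketched as follows. This is an added illustration for tools that call the same Apple license service, not Ivanti EPMM code: the class and function names, the account identifiers, the 60-second fallback when a 503 carries no usable header, and the one-hour cap are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

DEFAULT_WAIT = timedelta(seconds=60)  # assumption: used when a 503 has no usable Retry-After
MAX_WAIT = timedelta(hours=1)         # assumption: cap so a bad header cannot block an account for days


def parse_retry_after(value, now):
    """Return the requested wait as a timedelta, or None if absent or malformed.

    HTTP allows two forms: delta-seconds ("120") or an HTTP-date
    ("Wed, 01 Nov 2023 12:05:00 GMT"). `now` must be timezone-aware.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        seconds = min(int(value), int(MAX_WAIT.total_seconds()))
        return timedelta(seconds=seconds)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    # A date in the past means "retry now"; a far-future date is capped.
    return min(max(when - now, timedelta(0)), MAX_WAIT)


class AccountGate:
    """Tracks, per Apple license account, the earliest time a request may be sent."""

    def __init__(self):
        self._blocked_until = {}

    def record_response(self, account, status, headers, now):
        """Update the gate from one response; return the wait imposed, or None."""
        if status != 503:
            self._blocked_until.pop(account, None)
            return None
        # Header names are case-insensitive.
        raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
        wait = parse_retry_after(raw, now)
        if wait is None:
            wait = DEFAULT_WAIT
        self._blocked_until[account] = now + wait
        return wait

    def can_send(self, account, now):
        """True if no block is active for this account at `now`."""
        until = self._blocked_until.get(account)
        return until is None or now >= until


if __name__ == "__main__":
    # Constructed timeline: one account is throttled, the other is not.
    t0 = datetime(2023, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
    gate = AccountGate()
    gate.record_response("account-a", 503, {"Retry-After": "120"}, t0)
    gate.record_response("account-b", 200, {}, t0)
    for offset in (0, 60, 120):
        t = t0 + timedelta(seconds=offset)
        print(offset, gate.can_send("account-a", t), gate.can_send("account-b", t))
```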
Apple license features
The Apple license management feature provides the following benefits:
• Reclaim Apple licenses. Apple licenses are reclaimed in the following instances:
  ◦ A user is removed from a group applied to an Apple License Label.
  ◦ A device is retired.
  ◦ The device user removes the app from the device.
  ◦ The administrator manually reclaims individual or all licenses for a given app or account.
• Sync Apple License usage with Apple. The licenses associated with your Apple license account are not specific to your Ivanti EPMM; they are specific to the account in the Apple portal. Ivanti EPMM syncs with the Apple servers once every 30 minutes to reconcile each Apple license account. This gives the organization up-to-date visibility into app and license inventory for each Apple license account. The information reconciled includes:
  ◦ Number of licenses purchased
  ◦ Number of licenses used
  ◦ Inventory of purchased apps
  ◦ The user or the device to which the license is applied
• Manage multiple Apple license accounts. You can manage multiple Apple license accounts on Ivanti EPMM. This allows you to support multiple buying centers that can purchase and distribute apps. For the same app, each license pool is segmented and managed separately.
Apple license use
Consider the following:
• Free applications consume an Apple license. Ivanti EPMM requests an Apple license. Because the apps are free, the Ivanti EPMM administrator can log in to Apple’s license management website and add more licenses without cost. This is the recommended best practice from Apple.
• Converting an app from UNMANAGED to MANAGED consumes an Apple license.
• Device-based Apple-licensed apps cannot be updated via the Apple App Store. Admins should send devices an install/update message for Device-based licensed apps when desired, as described in "Notifying users of new iOS and macOS apps or app updates" on page 119.
• Apple licensed device-based apps are not backed up. Due to Apple's design of device-based licensed apps, when the user backs up a device, the backup does not include Apple licensed device-based apps. Therefore, if the user resets and restores the device from the backup, licensed device-based apps will not be restored to the device and will need to be re-installed by the user.
• Ivanti EPMM does not assign a device-based license if the app already has a user-based license that was assigned by the current instance.
• Shared iPad devices can only install Apps via Apple Licenses and do not have access to Apps@Work. Apps must belong to an Apple License account and have the appropriate App label and License label. Apps can be installed two ways. The first is through the Send installation request on device registration or sign in in the App Catalog Managed App Settings for your Apple Licensed app. The second way is by sending Actions > Send Installation Request.
  For Shared iPad devices, apps are installed using a device-based Apple License. If an administrator installs an app, all users of the Shared iPad devices will have that app, including Guest / Temporary users.
Main steps for setting up Apple licenses
This section addresses the main steps involved in setting up Apple Licenses:
1. "Linking Ivanti EPMM to an Apple licensed account" on the next page
2. "Importing licensed apps from an Apple licensed account" on page 146
3. "Importing additional apps from the App Catalog" on page 149
4. "Applying device-based licensing to an app" on page 150
5. "Applying a user-based license" on page 150
6. "Applying an Apple license label to an app" on page 151
7. "Removing an Apple license label from an app" on page 151
Linking Ivanti EPMM to an Apple licensed account
To use Apple licenses with Ivanti EPMM, you must log into your Apple license account to retrieve a managed
distribution token. You will then use the token to link Ivanti EPMM to your Apple license account. Licenses
are automatically available after you link your Apple license account to Ivanti EPMM. Licenses are updated
each time Ivanti EPMM syncs with Apple’s servers.
Before you begin
Be sure to open the relevant HTTPS port for Apple license support. For information about which port to
open on Ivanti EPMM for access to https://vpp.itunes.apple.com, see the “Changing Firewall Rules” section
in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.
Procedure
Some of the instructions in this section describe how to perform a procedure on a third-party website whose
topology may change, affecting the navigation path described here.
1. In the Ivanti EPMM Admin Portal, select Apps > Apple Licenses.
2. Click +Add Server Token.
The Add Server Token dialog box opens.
3. Click on the Apple Business Manager or Apple School Manager link. A browser page opens to the
correct login page on the Apple portal.
4. Click Settings > Apps and Books.
5. Under My Server Tokens, look for the location you want to use and click the Download link to get the
token.
6. Open the token as a .txt file and copy the token string.
7. Return to Ivanti EPMM > Add Server Token dialog box.
8. Paste the token into the Server Token field (required). This field accepts tokens of lengths up to 1024
characters. The License expiration date displays below the Server Token field.
If another user logged into the Apple site, downloaded the same location's token,
and added it to your Ivanti EPMM, your attempt to add the Apple license will fail. An error
message indicates that an Apple license with the same license already exists on Ivanti EPMM.
9. In the Account Name field, enter a name for the account.
10. Enter an optional Description for your use.
11. Ivanti, Inc recommends that you leave the VPP Account is shared with one of more MobileIron
Ivanti EPMMs field de-selected. This tells Ivanti EPMM to ask Apple only for the VPP license
information from newly-assigned licenses. For full license sync, see "Importing licensed apps from an
Apple licensed account" below.
12. Click Save.
Importing licensed apps from an Apple licensed account
You can import Apple licensed apps into Ivanti EPMM on the App Licenses page. This is done by refreshing
Ivanti EPMM’s connection to your account, updating the available Apple licenses, and then selecting the
apps you want to import into Ivanti EPMM. Ivanti EPMM refreshes available Apple licenses several times per
day. However, Ivanti, Inc recommends refreshing your licenses before importing Apple licensed apps.
Ivanti EPMM supports the importation and distribution of macOS Apple licensed apps.
Before you begin
Before proceeding, you must have completed the steps in "Linking Ivanti EPMM to an Apple licensed account" on
the previous page.
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > Apple Licenses.
The following information displays for each Apple licensed account:
| Field | Description |
|---|---|
| Account Name | The account name entered when adding the Apple license account. |
| Location | The location name as defined in the Apple Business Manager. The location is empty if the account does not use Apple Business Manager or Apple School Manager. |
| Description | Additional information that describes this account. |
| Service Token | The credential used to link the Apple license account to Ivanti EPMM. The Service Token can have up to 1024 characters. This token has location information when created using Apple Business Manager. |
| Expires In Days | Number of days before the service token expires. Before the service token expires, you must download a new service token from Apple’s license management portal. |
| Uploaded | Date when the service token was last added to Ivanti EPMM. |
| Details Sync Time | The time stamp, including the date, time, and time zone, for the last synchronization between Ivanti EPMM and the Apple servers. |
| Count Sync Time | The time stamp, including the date, time, and time zone, for the last time the license count was synced. This is a quick query to get the number of used / available licenses for each app. |
2. Select the account.
3. Click Actions > Update licenses.
4. The Update licenses dialog box opens, displaying a list of licensed apps available from the Apple
License account.
5. Select the apps you want to import into Ivanti EPMM as Apple licensed apps.
6. Click Import. The selected Apple-licensed apps are imported.
7. Click the caret (^) next to the account name to view the Apple-licensed apps you imported.
The table columns are described in the following table:
| Item | Description |
|---|---|
| App | Name of the app purchased with the Apple license account. |
| Added in App Catalog | Indicates whether you imported the app into Ivanti EPMM for distribution. When you import an app, it is also displayed in the App Distribution page. |
| Licenses Used | Number of licenses redeemed for the app. This includes the totals of combined user licenses and device licenses. It also includes licenses that were redeemed by other Ivanti EPMM instances. |
| Licenses Purchased | Number of licenses purchased for the app. This includes the totals of combined user licenses and device licenses. |
| Platform | Indicates which platform the license is applicable to. |
Related topics
- "Viewing Apple Licenses in the Audit Logs" on page 156
Importing additional apps from the App Catalog
You can import Apple licensed apps from the App Catalog. For more information about importing these
apps, see "Using the wizard to import iOS apps from the Apple App Store" on page 84 and "Manually
importing iOS apps from the Apple App Store" on page 82.
For an app already listed in the App Catalog, the Licenses Purchased / Used column now displays the
license information.
When you import an app from the App Catalog that uses Apple licenses, deselect the This App
Store App is Free option. This allows the device user to successfully download the app using an
Apple license.
Applying device-based licensing to an app
After you have linked Ivanti EPMM to your Apple license account, you can apply device-based licensing to
your iOS and macOS licensed apps, so that users do not need to enter an Apple ID when installing Apple
licensed apps. This applies to macOS devices and iOS devices running iOS 9.0 or newer versions.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
You can see the Licenses Used and Licenses Purchased for each app. The totals listed include the
combined number of user licenses and device licenses.
2. Use the check box to select the app to which to apply device-based licensing.
3. From the Actions menu, select Manage Licenses.
The License Summary page opens, listing the registered Apple licensed accounts for the specified
app. You can see the Available Licenses and Used Licenses information for the selected app.
4. Click the desired account to open the Account Detail page.
5. Expand License Type, select Device-based License, and then click Save.
If you have User-based License already applied to existing users/devices, Ivanti EPMM will
not remove those licenses.
6. Expand License Label Management and select the desired labels so that target devices that request
the selected app receive device-based licenses.
Applying a user-based license
Follow the instructions in "Applying device-based licensing to an app" above, but select User-based
License instead.
While Apple supports user-based licensing for macOS apps, currently, there is an Apple issue with
the installation of user-based licensed apps through MDM. As a result, Ivanti, Inc does not
recommend applying user-based licenses to macOS.
For Apple-licensed apps that will be used by both User Enrolled devices and Device Enrolled devices, the
license type should be set to Device-based License. Devices enrolled with Device Enrollment (DEP) where
the Apple-licensed app is set to user-based licenses will show the app as "Free" instead of "Prepaid" and the
app will fail to install. User enrolled devices will always have the Apple-licensed app assigned as a user-based
license regardless of this setting.
Note the following:
- In iOS 13+ and supported newer versions, all Apple Device Enrollments are mandatory.
- In iOS 13+ and supported later versions, all devices using Apple Device Enrollment will be supervised
  and iOS will ignore the is_supervised flag.
Applying an Apple license label to an app
You must apply an Apple license label to your apps for licenses to be applied. Devices that are only applied
to non-licensed labels cannot redeem an Apple license. These devices are redirected to the Apple App Store
to purchase the app.
Procedure
1. Go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Select the check box next to the desired app and then click Actions > Manage Licenses.
4. Select the license account to manage and then select Apply To Labels.
5. In the Apply To Labels dialog box, select the label(s) and then select Apply.
Removing an Apple license label from an app
Remove an Apple license label from an app if you want to free up an Apple license for that app.
Procedure
1. Go to Apps > App Catalog.
2. Select iOS or macOS from the Platform list.
3. Select the Apple license app you want to remove from the Apple license label.
4. Click Actions > Manage Licenses.
5. In the License Summary page, click the link of the label you want to remove.
6. In the License Label Management section, select the label and then click Remove.
Revoking licenses
You can revoke all licenses for a given app. Alternatively, you can revoke a license for a given app from a
specific device.
- "Revoking all licenses for an Apple licensed app" below
- "Revoking a license for an Apple licensed app from a specific device" below
Revoking all licenses for an Apple licensed app
You can revoke all licenses for a given Apple licensed app.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Use the check box to select the app to apply device-based licensing to.
4. Select Actions > Manage Licenses.
The License Summary page opens, listing the registered Apple licensed accounts for the specified
app.
5. Click the desired account. The License Detail page displays. Note that the number of Available
Licenses and Used Licenses is listed at the top of the page.
6. Click the Revoke All Licenses button.
7. Click Confirm.
Revoking a license for an Apple licensed app from a specific device
You can revoke a license for a given Apple licensed app from a specific device.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Use the check box to select the app that contains the device-based licensing.
4. Select Actions > Manage Licenses.
The License Summary page opens, listing the registered Apple licensed accounts for the specified
app.
5. Click the desired account. The License Detail page displays. Note that the number of Available
Licenses and Used Licenses is listed at the top of the page.
6. Expand the Licenses Distribution Details section.
7. From the list of devices displayed, select the device whose license you want to revoke.
8. Click Revoke.
Exporting Apple license app distribution details to a CSV file
You can export to a CSV file the license distribution details of a given Apple licensed app.
Procedure
1. Log in to Ivanti EPMM.
2. Select Apps > App Catalog.
3. Use the check box to select the app that contains the Apple license.
4. Select Actions > Manage Licenses.
The License Summary page opens, listing the registered Apple licensed accounts for the specified
app.
5. Click the desired account. The License Information page displays.
6. Expand the Licenses Distribution Details section.
7. From the list of devices displayed, select the device whose license you want to revoke.
8. Click Export to CSV.
Managing your Apple license accounts
Managing your Apple license accounts involves the following tasks:
- "Viewing Apple license accounts" below
- "Viewing Apple license account information" on the next page
- "Viewing Apple license app information" on the next page
- "Viewing Apple Licenses in the Audit Logs" on page 156
- "Updating or deleting an Apple license account" on page 157
- "Full sync of all licenses" on page 158
Viewing Apple license accounts
You can add more than one Apple license account to the Ivanti EPMM Admin Portal. You can view and
manage these accounts on the License Summary page. You must have added at least one Apple license
account to the Ivanti EPMM Admin Portal to view the License Summary page.
Procedure
1. Go to Apps > Apple Licenses.
A list of Apple license accounts associated with Ivanti EPMM displays.
2. The following information is shown for each Apple license account:
| Item | Description |
|---|---|
| ABM Account name | The name you assigned to the Apple license account when you added it to Ivanti EPMM. |
| Space | Indicates the type of device space, for example, Global. |
| Location | The location name as defined in the Apple Business Manager. The location is empty if the account does not use Apple Business Manager. |
| Description | A description of the Apple license account. |
| Server Token | The credential used to link the Apple license account to Ivanti EPMM. You can view the server token for the account by clicking the Click to view link. This token received location information when it was created using Apple Business Manager. |
| Expires In Days | Number of days before the server token expires. Before the server token expires, you must download a new server token from the Apple license management portal. |
| Uploaded | Date when the server token was last added to Ivanti EPMM. |
| Details Sync Time | The time stamp, including the date, time, and time zone, for the last synchronization between Ivanti EPMM and the Apple servers. |
| Count Sync Time | The time stamp, including the date, time, and time zone, for the last time the license count was synced. This is a quick query to get the number of used / available licenses for each app. |
Viewing Apple license account information
You can view the details of a given Apple license account.
Procedure
1. Go to Apps > Apple Licenses.
2. For the desired account, click the inverted V icon.
The following information displays:
- Apps purchased with the Apple license account
- Whether the app was imported to the App Catalog in the Ivanti EPMM Admin Portal
- Licenses Used and Licenses Purchased (includes the totals of combined user licenses and device
  licenses)
- Whether the target platform for the app is iOS or macOS.
Viewing Apple license app information
You can view details about a given Apple license app.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select the app and then select Actions > Manage Licenses.
The License Summary page displays the following information:
| Item | Description |
|---|---|
| Name | The name of the Apple license account that the app is associated with. You can click the Name link to change the license type. You can also apply or remove the selected app to / from a particular label. A license can be revoked or exported to CSV. If the Apple license account is expired, it will be highlighted. |
| License Type | The type of Apple license used for this app: User-based or Device-based. |
| Available Licenses | The number of Apple licenses available for this app. The number listed represents the total of combined user licenses and device licenses. |
| Used Licenses | The number of device-based and user-based licenses consumed for this app. |
| Location | The location name, as defined in the Apple Business Manager. If the account does not use Apple Business Manager, this field will be empty. |
| Applied Labels | Lists the labels that are applied to the selected app. |
3. To view the devices a particular app is installed on:
a. In the App Catalog page, locate the app in the list of apps.
b. Click the number in the Devices Installed column.
A window opens, listing the devices the app is installed on and the associated Apple license account.
Viewing Apple Licenses in the Audit Logs
You can view the Apple licenses within the Audit Logs.
Procedure
1. Go to Logs > Audit Logs.
2. In the left column, find VPP and select the following four fields:
   - Apple License Count Sync Completed
   - Apple License Count Sync Started
   - Apple License Sync Completed
   - Apple License Count Sync Started
3. Run the Search. The search results display in the right pane.
Related topics
If you want to change specific settings for your Apple license app, see the following topics:
- "Changing iOS and macOS app information" on page 115
- "Changing the iOS or macOS app icon and screenshots" on page 117
- "Creating or changing a category for iOS and macOS apps" on page 118
Updating or deleting an Apple license account
You can update or delete an Apple license account from Ivanti EPMM.
Procedure
1. Go to Apps > App Licenses.
2. Select a license and then click Actions.
You can take the following actions on an Apple license account:
| Action | Description |
|---|---|
| Update Server Token | Select to update the Apple license account into Ivanti EPMM. Before you continue, you will need the server token from Apple Business Manager or Apple School Manager. |
| Update Licenses | Select to edit the Apple license account information or to import apps. |
| Sync All Licenses | If this location is shared across other Ivanti EPMMs or any other UEM servers, select to run a full sync of all licenses. Ivanti, Inc recommends leaving this check box de-selected. WARNING: Running a full sync of all licenses slows down Ivanti EPMM. Ivanti, Inc suggests you do the full license sync on weekends or outside of regular office hours. Use this feature only for remediation of defective license information; do not do a full sync on a regular basis. See "Full sync of all licenses" below. |
| Delete Server Token | Select to delete the Apple license account from Ivanti EPMM. When you delete an Apple license account, all licenses for the apps purchased through the Apple license account are reclaimed, and users have a grace period of up to 30 days to purchase the apps. |
Full sync of all licenses
In previous versions, Ivanti EPMM automatically did a full sync of all licenses. With Ivanti EPMM version
10.6.0.0 or newer versions, administrators will need to manually run a full sync of all licenses. This feature is
useful if your license location is shared across other Ivanti EPMMs or any other UEM servers. A full sync of all
licenses gets full details of all new and updated licenses in the system, including across multiple Ivanti
EPMMs.
WARNING: Running a full sync of all licenses slows down Ivanti EPMM. Ivanti, Inc suggests you do
the full license sync on weekends or outside of regular office hours. Use this feature only for
remediation of defective license information; do not do a full sync on a regular basis.
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > Apple Licenses.
2. Click Actions > Sync All Licenses. The Update Server Token dialog box opens.
3. Select the VPP Account is shared with one of more Ivanti EPMM check box.
4. Review the information in the Update Server Token dialog box. When finished, click Save.
Depending upon how many licenses you have and the number of users and devices the VPP licenses are
assigned to, the full sync may take minutes to hours to complete.
Turning user-paid apps into managed apps
If a user-paid app has been configured on Ivanti EPMM as convertible from an unmanaged app to an iOS
managed app, on devices running iOS 9.0 or newer versions, then:
- The iOS managed version of the app is installed on the user’s device, and
- An Apple license is consumed for that app.
If a user’s device is running iOS 8.0 through iOS 8.4, and they have installed an app directly from the Apple
App Store, then:
- The user must uninstall that app, AND
- Install the iOS managed version of the same app from Apps@Work.
For example, if a new employee has already installed a paid app that your organization ordinarily manages
through the Apple licensing program, then the employee must delete the app and reinstall it from the
Prepaid tab in Apps@Work. Otherwise, the app will remain unmanaged.
Installing an Apple licensed app with a prepaid license to an iOS or macOS device
When tapping or clicking an Apple licensed app in Apps@Work, device users are prompted to enroll in their
company’s Apple licensing program. This applies only to Apple licensed apps with a user-based license.
Procedure
1. Tap or click the prepaid app.
2. Follow the prompts to enroll in your company’s Apple license purchasing program.
3. After you successfully enroll in the program, tap or click the app in Apps@Work.
The app details page now shows the PREPAID status.
4. Tap or click Request and follow the prompts to install the app.
When launching Apps@Work and selecting a device-based licensed app, the app displays as
PREPAID.
After requesting the iOS app, Apps@Work displays a message indicating that the device user’s iTunes
account will not be charged for the app. The iOS app is then installed without prompting the user for
an iTunes ID.
On supervised iOS devices and macOS devices, the Apple licensed apps are installed silently.
Managing mobile apps for Android
This section addresses how you can manage apps for Android devices using Ivanti EPMM.
- "Types of apps on Android devices" below
- "Adding Google Play apps for Android" on page 164
- "Whitelisting public apps for the Samsung Knox container" on page 168
- "Adding in-house apps for Android" on page 169
- "Adding secure apps for Android" on page 182
- "Mandatory and optional in-house and secure apps" on page 189
- "Enforcement of specific app versions for mandatory in-house apps" on page 192
- "Apps@Work in Ivanti Mobile@Work for Android" on page 195
- "On-demand secure apps container setup" on page 199
- "Specify latest version required for a secure app" on page 206
- "Secure apps installation order" on page 208
- "Android app versions and device counts" on page 211
- "Troubleshooting Android apps" on page 211
Related topics
- "Managing mobile apps for Android Enterprise" on page 213
- "App management action workflows" on page 40
Types of apps on Android devices
You can add the following kinds of apps for Android devices:
- Google Play Store apps
- In-house apps
- Secure apps (Secure apps are available only if you have configured the device to support
  AppConnect.)
- Web applications
For information about apps on Android Enterprise devices, see "Managing mobile apps for Android
Enterprise" on page 213.
What are Google Play Store apps?
Google Play Store apps are apps available for download from Google Play Store. You can add app
recommendations from the Play Store to the App Catalog. When you apply labels to the apps, the apps are
made available to the devices that have those labels. Device users see the apps made available to them in
Apps@Work on their device.
Ivanti EPMM can upload an Android Google Play Store app that has the same package name as a
private in-house app, such as com.mobileiron.phoneatwork, that is already loaded on Ivanti EPMM.
Also, you can import an in-house app with the same package name as a public app that is already
loaded on Ivanti EPMM. This feature is always on and does not require any configuration in the user
interface.
What are in-house apps?
In-house apps are mobile apps that you develop and distribute internally. Ivanti EPMM enables you to
distribute and track in-house apps. You upload in-house apps to Ivanti EPMM. In-house apps appear in the
Apps@Work list on the device for users to download.
For Android Enterprise, in-house apps are called “private apps” and you make them available after
uploading them to your private Google Play Store for your domain. See also the Ivanti EPMM Device
Management Guide for Android and Android Enterprise devices.
What are secure apps?
Secure apps, also known as AppConnect apps, are apps that are developed internally or by third-party
developers using AppConnect for Android. Secure apps are always in-house apps, but in-house apps are not
always secure apps.
Access to secure apps and their data on Android devices is protected by AppConnect. You distribute
secure apps internally like in-house apps. Device users log in with a single sign-on secure apps passcode to
access these apps, and the data associated with the apps is encrypted. Secure apps can share data only with
other secure apps.
Distributed secure apps appear in the “Secure Apps” menu in Ivanti Mobile@Work for Android. Secure apps
are not supported for Android Enterprise.
For detailed information about AppConnect for Android and secure apps, see AppConnect Guide for EPMM.
Adding Google Play apps for Android
You add a public Google Play app for Android devices to the App Catalog on the Ivanti EPMM Admin Portal.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select Add+.
3. Select Google Play to open the app wizard.
4. In the Search field, enter the app name and then select Search. Google Play Store displays app icons
with their names in the search results.
5. Select the app you want to add to the App Catalog.
6. Within the app, choose Select.
7. Select Next. The Describe page displays.
8. Use the following guidelines to complete the remaining options for each app.
| Item | Description |
|---|---|
| Application Name | Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable. |
| Description | The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices. |
| Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. a. Click Add New Category to define new categories. b. Enter a category Name (up to 64 characters). c. Enter a Description (up to 255 characters). d. In the Category Icon section, click the Replace Icon button. e. Browse and select an icon that will represent this Category. f. Click Save. |
9. Click Next.
| Item | Description |
|---|---|
| Use Global App Config Policy | Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. |
| Feature this App in the Apps@Work catalog | If check box is selected, this app appears in the Featured Apps tab in Apps@Work. |
| Featured Banner | Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked up to be part of Apps@Work Home page. |
| Per App VPN by Label Only | Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device, then select one of the pre-configured Per-App VPN in the field below. If there is no associated label between the VPN configuration and the device, Per App VPN will not be installed on the device. De-select this check box to assign the per App VPN based on the selections in the Per App VPN field, ignoring labels. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default. Per app VPN is not supported for MAM-only Android devices. Ivanti does not recommend using Per App VPN with apps that utilize device spaces. |
| License Required | The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order. If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority. If Per App VPN by Label Only is not selected, then the VPN configurations listed are in priority order and do not need to be assigned to a label matching the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default. To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list. See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN. Per app VPN is not supported for MAM-only Android devices. |
| Install this app for Android enterprise | You must be a Global Space administrator to use this setting. Select to enable public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time. |
10. Click Finish.
The app displays in the App Catalog page when the Platform filter is set to Android.
11. Apply the app to a label to have that app listed in Apps@Work on Android devices.
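The Per App VPN by Label Only priority rules described in the table above can be modelled offline to see which devices end up with no per app VPN, and which assignments change once the setting becomes selected by default. This is an added Python example, not Ivanti code or an EPMM API; it assumes that with the check box de-selected every device receives the first entry in Selected VPNs, and the class names, function names, device names and labels are all hypothetical, constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VpnConfig:
    name: str
    labels: frozenset  # labels the VPN configuration is assigned to


@dataclass(frozen=True)
class Device:
    name: str
    labels: frozenset  # labels applied to the device


def resolve_per_app_vpn(selected_vpns: List[VpnConfig], device: Device,
                        by_label_only: bool = True) -> Optional[VpnConfig]:
    """Walk Selected VPNs in priority order and return the winning config.

    by_label_only=True : first config sharing at least one label with the device.
    by_label_only=False: labels are ignored, so the first config wins (assumption).
    Returns None when nothing qualifies, i.e. no per app VPN is installed.
    """
    for vpn in selected_vpns:
        if not by_label_only or (vpn.labels & device.labels):
            return vpn
    return None


def devices_without_vpn(selected_vpns: List[VpnConfig],
                        devices: List[Device]) -> List[str]:
    """Devices that get no per app VPN in label-only mode (traffic not tunnelled)."""
    return [d.name for d in devices
            if resolve_per_app_vpn(selected_vpns, d, True) is None]


def unreachable_vpns(selected_vpns: List[VpnConfig],
                     devices: List[Device]) -> List[str]:
    """Configs in Selected VPNs that no device ever receives in label-only mode."""
    used = {v.name for d in devices
            if (v := resolve_per_app_vpn(selected_vpns, d, True)) is not None}
    return [v.name for v in selected_vpns if v.name not in used]


def flip_impact(selected_vpns: List[VpnConfig], devices: List[Device]
                ) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(device, vpn with box de-selected, vpn with box selected) where they differ."""
    changes = []
    for d in devices:
        before = resolve_per_app_vpn(selected_vpns, d, False)
        after = resolve_per_app_vpn(selected_vpns, d, True)
        if before != after:
            changes.append((d.name,
                            before.name if before else None,
                            after.name if after else None))
    return changes


# Constructed sample data: Selected VPNs in priority order, then three devices.
SELECTED_VPNS = [
    VpnConfig("vpn-emea", frozenset({"EMEA"})),
    VpnConfig("vpn-corp", frozenset({"Corporate"})),
    VpnConfig("vpn-lab", frozenset({"Lab"})),
]
DEVICES = [
    Device("phone-01", frozenset({"Corporate"})),
    Device("phone-02", frozenset({"EMEA", "Corporate"})),
    Device("tablet-03", frozenset({"BYOD"})),
]

if __name__ == "__main__":
    print("No per app VPN:", devices_without_vpn(SELECTED_VPNS, DEVICES))
    print("Never assigned:", unreachable_vpns(SELECTED_VPNS, DEVICES))
    for name, before, after in flip_impact(SELECTED_VPNS, DEVICES):
        print(f"{name}: {before} -> {after}")
```

Devices listed by `devices_without_vpn` are the ones to review before relying on per app VPN for an app, since the guide states that without a matching label the VPN is not installed.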
Delegated permissions for Google Play apps
For Android 8.0 and above devices, Ivanti Mobile@Work allows delegation permissions for apps in Managed
Device with Work Profile (COPE) mode.
For Public or Self Hosted Apps (Google Play Private channel apps) pushed by Managed Google Play or
regular Google Play:
- Apps are assigned to the device in Managed Device with Work Profile (COPE) mode and will be pushed
  and installed silently by Google Play services inside the Managed Device with Work Profile.
- After the app is installed in the Managed Device with Work Profile mode, delegated permissions are
  applied by Ivanti Mobile@Work.
- This feature is supported for Samsung and non-Samsung devices running Android 8.0 or newer
  versions.
Adding an app using Quick Import in the Ivanti EPMM Admin Portal
Using Quick Import in the App Catalog is a fast way to add multiple apps using default settings. Options and
configurations can be edited later as needed.
If you have installed Android Enterprise, the Quick Import option is disabled. You can use the
Google Play iFrame to import apps.
Procedure
1. Go to Apps > App Catalog in the Ivanti EPMM Admin Portal.
2. Click Quick Import > Google Play.
3. Enter any part of an application name or package name.
4. Click Search. Search results from the Google Play Store appear.
5. Click Import, at the end of the line, to add the app to the App Catalog.
6. The store import dialog remains open so you can quickly search and add more apps.
7. Click X to close the dialog.
8. Edit the app details for the imported app and select Install this app for Android enterprise.
De-selecting this option does not uninstall the app from devices which already have it
installed.
9. Fill out the Android Enterprise-related restrictions as necessary.
10. Click Save.
All apps that are available to be installed for Android Enterprise (because you have selected Install this app
for Android enterprise) have the “suitcase” badge on their icon. These apps can also be installed on
non-Android Enterprise devices.
- You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.
- The metadata and reviews for an app selected for installation from Google Play may not be displayed
  depending on the configuration of the customer's firewall.
Whitelisting public apps for the Samsung Knox container
On Samsung Knox devices, you can whitelist public apps for the Samsung Knox container. When you add a
public Android app in the App Catalog to a whitelist, device users can copy the app to the Samsung Knox
container.
Note the following:
• This feature is supported for Samsung Knox 2.1 through 2.6.
• In-house apps that you specify in the whitelist are automatically installed in the Samsung Knox
container.
• Samsung Knox features are not supported on MAM-only Android devices.
Whitelisting a public app for the Samsung Knox container
You whitelist a public app for the Samsung Knox container by adding it to the Samsung Knox container
setting for a device.
Procedure
1. Add Android apps from the Google Play Store in the App Catalog.
2. Edit a Samsung Knox Container configuration in Policies & Configs > Configurations > Android >
Samsung KNOX Container.
3. In the Apps section of the configuration, add the Google Play Store app. The app is now whitelisted.
Adding the public app here does not install it into the Samsung Knox container on the
device automatically. The device user must take action (see below). However, when you add
in-house apps to the Apps section, the in-house apps are automatically installed into the
container.
4. To help users identify the whitelisted apps, Ivanti, Inc recommends that you add the apps to a distinct
category in Apps@Work. For example, you can call the category “Whitelist for Knox”. The user will not
see any distinctions for whitelisted apps.
Adding a whitelisted app into the Samsung Knox container
After you have whitelisted a public app for the Samsung Knox container, the device user takes the following
steps on a Samsung Knox device to copy a whitelisted app into the Knox container.
Procedure
1. Launch Knox Settings.
2. Tap Select apps to install.
The list of available apps appears. Note that the whitelisted apps are not distinguished from other
apps. The user can refer to the special category in Apps@Work (if you set one up) to discover
whitelisted apps.
3. Tap an app to install.
• If the app selected is on the whitelist, the app will be installed inside the Knox container.
• If the app is not on the whitelist, a notification informs the device user that a security policy prevented the
app from installing.
Adding in-house apps for Android
In-house apps are internally developed apps that are uploaded to Ivanti EPMM. Ivanti EPMM makes the
apps available to Android devices based on labels that you assign to the apps and devices. You add
in-house apps to the App Catalog in the Ivanti EPMM Admin Portal.
Upon upgrade to Android 11, the Ivanti Mobile@Work client no longer supports in-house apps for devices
that migrate from Company Owned Managed Profile (COMP) mode. This also applies to new Android 11
devices provisioned as Work Profile on Company Owned Device mode.
If your company needs time to work out a migration plan for changing from Managed Device
with Work Profile (COPE) mode to Work Profile on Company Owned Device mode, you can
freeze firmware updates to Android 11 devices for up to 90 days. For more information, see "Setting
the system update policy for Android devices" in the Ivanti EPMM Device Management Guide for
Android and Android Enterprise devices.
If you are adding a new version of an existing app, see "Adding new versions of an existing Android app" on
page 181.
App restrictions with in-house applications for Android
In Android Enterprise modes, applications are typically deployed through a channel using the i-Frame provided
by Google. In specific scenarios where the Ivanti EPMM deployment is inside closed networks (air-gapped),
there is no access to i-Frames. As a result, Google mobile services (GMS) applications need to be deployed
as in-house applications. For information, see "Setting up Ivanti EPMM with a closed network / AOSP
deployment" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
When the administrator downloads the app from Google Play Store or from Samsung and then uploads the
app as an in-house app in Ivanti EPMM, the administrator needs to configure the app restrictions that are
available for the app. The administrator can create multiple app restrictions for the same app and distribute
that app as an in-house application directly to Ivanti Mobile@Work without using Google Play. Similar to
multiple app restrictions of the Android Enterprise public app, the multiple app configurations can be
managed via different labels.
This feature applies to any app that supports app restrictions, including the Samsung Knox Service Plugin.
After setting the app restrictions, be sure to apply labels.
• For Ivanti EPMM 11.7.0.0 and below, in-house apps in Apps@Work are not visible to device users.
These apps are only supported with Silent Install and are assigned to devices in Work Managed
Device mode (DO), Managed Device with Work Profile (COPE) mode and Work Managed Device
non-GMS (AOSP) mode.
• For Ivanti EPMM 11.8.0.0 +, in-house apps are available on Apps@Work even without the Silent
Install option being selected. Device users can see all apps assigned to them in the Apps@Work
catalog and are able to browse through the apps and download any app manually. Applicable to Work
Managed Device (DO) mode, Managed Device with Work Profile (COPE) mode and Work Managed
Device non-GMS (AOSP) mode.
The administrator must re-upload the in-house apps to have the App Restrictions and
Permissions features available on their apps. It is recommended to delete the existing app
before uploading a new version.
Closed network / AOSP
• In closed networks / AOSP deployments, all apps need to be uploaded as in-house apps using their
.apks since there is no access to Google's application bundles.
• When importing an in-house app for a closed network / AOSP deployment, it is mandatory to have
the Install this app for Android enterprise check box selected. Select Enable AOSP app
restrictions to have the configuration settings / app restrictions for in-house apps display in the App
view page in the App Catalog.
You must have AOSP enabled (Services > Google > Enable registration of fully managed
device in Non-GMS mode.)
• When an app is associated to a closed network / AOSP (Android Open Source Project), an icon
displays next to the app. For example, as an in-house app, the Ivanti Email+ icon has the closed
network icon added to it.
• For Always-On VPN for AOSP for Android Enterprise devices, an additional step is to go into Services
> Sentry, and add a new Standalone Sentry with a public certificate. For more information, see
"Always-On VPN for AOSP for Android Enterprise devices" in Ivanti EPMM Device Management Guide
for Android and Android Enterprise devices.
Adding in-house apps
Procedure
1. Go to Apps > App Catalog.
2. Click Add+ to open the app wizard.
3. Click In-house.
4. Click Browse and navigate to the in-house app (.apk) you want to upload.
You cannot upload an in-house app that exceeds 2.15 GB.
5. Click Next.
The app wizard examines the selected package to ensure that it meets requirements for in-house
apps distributed for Android devices. If the package is acceptable, the next screen displays.
6. Use the guidelines in the "App Wizard Screen Information" section, below, to complete the rest
of the screens in the app wizard, clicking Next where applicable.
7. Click Finish.
The app displays in the App Catalog screen. The Source column displays the app as an in-house
app.
8. To distribute your app from the Google Play store, you need to download the APK Definition file
and add the app license key to Ivanti EPMM.
App Wizard Screen Information
Following are the inputs for the App Wizard screens:
TABLE 1. GENERAL
Item: Description

Application Name: Displays the app name defined by the app developer. This is the name that
displays to device users. This field is not editable.

Display Version: Displays the version number defined by the app developer. This is the
version that displays to device users. This field is not editable.

Code Version: Displays the version defined for the package. This item is not editable.

Category: Select a category if you would like this app to be displayed in a specific
group of apps on the device or add a new category.
1. Click Add New Category to define new categories.
2. Enter a category Name (up to 64 characters).
3. Enter a Description (up to 255 characters).
4. In the Category Icon section, click the Replace Icon button.
5. Browse and select an icon that will represent this Category.
6. Click Save.

TABLE 2. APPS@WORK CATALOG
Item: Description

Use Global App Config Settings Policy: Selecting the check box makes the policy settings take priority
over the app settings if and only if the global policy is created and available for a particular device.
Leaving the check box empty means the app's configuration settings will be used. For more
information, see "Global App Config Settings policy" in the Ivanti EPMM Device
Management Guide for Android and Android Enterprise devices.

Hide this App from the Apps@Work catalog: If the check box is selected, this app will not display in the
Featured Apps tab in Apps@Work.

Feature this App in the Apps@Work catalog: If the check box is selected, this app appears in the
Featured Apps tab in Apps@Work.

Featured Banner: Select to add the app to the featured banner at the top of the Apps@Work home
screen on devices. The latest five apps will be picked to be part of Apps@Work Home
page. Additional settings display:
• Short Description - Enter a short description that will display in the banner. The
Preview will display what it will look like on the client.
• Banner Style - Select the Light Banner Style option. You can see what your
banner will look like in the Preview. The Dark, Blue, Green and Orange options
will work in a later release.
When tapping the banner, device users see the details of the featured app. Add as many
apps as you like to the featured banner, but the featured banner will only display the
five most recent apps added to the featured banner. Apps in the featured banner are
rotated every five seconds.

Allow app downloads over insecure networks: Select the check box if you are providing an Override URL
(next field) that uses the HTTP URL scheme instead of HTTPS. Override URLs are intended for use
behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure
you understand the risks of using an insecure connection.

Override URL: If you are using an alternate source for downloading in-house apps, enter that URL
here. The URL must point to the in-house app in its alternate location.
Override URLs are intended for use behind a firewall, using a trusted and secure internal
network. Manual synchronization is required with the alternate HTTP server on which
apps are stored.
See "Override for in-house app URLs" on page 44 for the requirements for this
configuration before using it.

App Icon: Click the Replace Icon button to replace the icon.

Screenshots:
• Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG
formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We
recommend PNG for best resizing.
• To upload additional screenshots, click Upload.
• To clear the field, click Remove.

TABLE 3. APP INSTALLATION SETTINGS
Item: Description

Silent install for Mandatory Apps: This feature only applies to devices that support silent installation.
This feature is not supported for MAM-only Android devices.
De-selecting the check box means the device user will need to manually install
the app.
If this check box is selected for Android Enterprise apps, the apps will be installed
on the device with a higher priority than the "Silent install for work managed
devices" option (irrespective of the constraints set for "Silent install for work
managed devices.") This is because Ivanti EPMM will send the request to Google
and Google then forwards the request to the Android devices.
Administrators will need to disable "Silent install for Mandatory Apps" if
they want to configure the apps via the "Silent install for work managed
devices" option. For more information, see "Silent install and uninstall of
mandatory apps" on page 189.
If the Android Enterprise public app is rendered as an AOSP in-house app, then
use the Silent install for work managed devices option to install the app
silently on the AOSP-device owned (DO) device.

Enforce conversion from unmanaged to managed app: Every hour, Ivanti EPMM reviews all the devices
that had last checked-in for any unmanaged apps and, if applicable, sends the unmanaged to managed app
conversion request to that device. If there is an unmanaged app installed on the
device, device users will not immediately get the prompt for change
management.

TABLE 4. PER APP VPN SETTINGS
Item: Description

Per App VPN by Label Only: Select this check box to require the Per App VPN configuration to be assigned
to a label that matches the device, then select one of the pre-configured Per-App VPN in the field below. If
there is no associated label between the VPN configuration and the device, Per App VPN will
not be installed on the device.
De-select this check box to assign the per App VPN based on the selections in the Per App VPN
field, ignoring labels. Ivanti does not recommend de-selecting Per-App VPN by Label
Only, as this field will change in future Ivanti EPMM releases and become selected by default.
Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
Per app VPN is not supported for MAM-only Android devices.

TABLE 5. ANDROID ENTERPRISE (ALL MODES)
Item: Description

Install this app for Android enterprise: Selecting this check box displays additional fields for Android
Enterprise app settings.
You must be a Global Space administrator to use this setting. Select to enable public
and private apps available to device users for download to Android devices. You can
change the “Install this app for Android enterprise” setting for each app in the app’s
details page at any time.

Silent install for work managed devices: This feature is specifically for private in-house Android
Enterprise apps and applies only to devices that support silent installation.
Clearing the check box means the device user will need to manually install the app.
If this check box is selected, then the apps will be installed on the device according to
the app constraints and time it takes to install. The app is installed when the device
checks in with Ivanti EPMM. User action is not required.
If "Silent install for Mandatory Apps" is enabled along with "Silent install for work
managed devices," then "Silent install for Mandatory Apps" will take precedence and
the app will be installed on the device irrespective of the constraints set for the "Silent
install for work managed devices" option. Administrators will need to disable "Silent
install for Mandatory Apps" if they want to configure the apps via the "Silent install for
work managed devices" option.
Silent install is not supported for MAM-only Android devices.
Additional settings can be made for silent installs of work managed devices. These
settings are applicable for public and private apps. Prerequisite apps are pushed before
dependent apps.
Auto Install Mode - Self hosted apps will not be auto installed.
• Do not Auto Install
• Auto Install Once - recommended by Ivanti.
• Force Install (default)
Install Priority - You can prioritize downloading of specific apps before other apps. For
example, prioritizing the download of Tunnel and Email apps before other non-critical
apps.
• Low
• Medium (default)
• High
Install only when connected to Wi-Fi - Default is de-selected.
Install only when charging - Default is de-selected.
Install only when Idle - Default is de-selected.
For more information, see "Silent install and uninstall of mandatory apps" on page 189.
If the Android Enterprise public app is rendered as an AOSP in-house app, then use the
Silent install for work managed devices option to install the app silently on the
AOSP-device owned (DO) device.

Block Widget on Home Screen: If selected, the app cannot place widgets on the home screen on work
profile devices. For example, calendar apps are not permitted to place calendar widgets on the home
screen.

Block Uninstall: Select this feature to prevent the device user from uninstalling the app. This is especially
helpful for mandatory apps.

Quarantine app when device is quarantined: Required for:
• Work Profile mode
• Managed Device with Work Profile (COPE) mode on Android devices versions 8-10
• Work Profile on Company Owned Devices mode (Android 11 or newer versions)
Selected by default, this field enables configured compliance actions to hide the app if a
policy violation results in a quarantined device.
A second step is required to enable this feature: configure a corresponding compliance
action and security policy with that compliance action selected. Once the device is no
longer quarantined, the app can be used again. If this option is deselected, the app is
available for usage, even when the device is quarantined.
If you change the setting after the app is added, the changed setting will be
applied to the app.

Auto Launch Application on Install: Select to have applications auto-launch and come to the foreground
when installation is completed on the device. With registration, every installation of the app opens in the
foreground.
A typical use case would be for a security/VPN app that needs to be configured by the
device user before the device can be protected.
Applicable to:
• Any Android Enterprise application in the App Catalog
• Android devices 6.0 or newer versions
• Device Owner mode - Managed public, private and in-house apps
• Managed Device with Work Profile mode - Managed public and private apps
within Work Profile; in-house apps on device.
• Work Profile on Company Owned Device mode - Managed public and private
apps within Work Profile.
This functionality requires the Ivanti Mobile@Work app to be in the
foreground and active for Work Profile mode and Work Profile on Company
Owned Devices mode.

Enable app restrictions only for AOSP: De-selected by default. Select to enable AOSP app restrictions
for in-house apps to display in the App view page of the App Catalog.
You must have AOSP enabled (Services > Google > Enable registration of fully
managed device in Non-GMS mode.)
Applicable to:
• Work Managed Device - non GMS (AOSP) mode
In order to distribute your app from Google Play store, you need to download the
APK Definition file and add the app license key to Ivanti EPMM.

Enable app restrictions for Android Enterprise devices: De-selected by default. Select to enable app
restrictions for in-house Android Enterprise apps to display in the App view page of the App Catalog.
Applicable to:
• Work Managed Device mode
• Managed Device with Work Profile mode

TABLE 6. DELEGATED PERMISSIONS
Item: Description

Delegated Permissions: Expand this section to apply delegated permissions to this app. Applicable on
managed devices. For more information, see "Delegated permissions for in-house apps" on page 180.

Configure third-party app runtime permissions: Select this check box to modify runtime permissions for
other apps.
• Applicable to in-house and public / private apps for managed devices and
Managed Devices with Work Profile (COPE) mode starting from Android 8.
• Applicable to public / private apps on managed profiles.
• Applicable to public / private apps on Work Profile on Company Owned Device
mode starting from Android 11.

Hide and suspend third-party apps: Select this check box to delegate access to this app to have
permission to hide and suspend apps.
• Applicable to in-house and public / private apps for managed devices and
Managed Devices with Work Profile (COPE) mode starting from Android 8.
• Applicable to public / private apps on managed profiles.
• Applicable to public / private apps on Work Profile on Company Owned Device
mode starting from Android 11.

Manage certificates: Select this check box to allow this app to have access to certificate APIs on the device.
• Applicable to in-house and public / private apps for managed devices and
Managed Devices with Work Profile (COPE) mode starting from Android 8.
• Applicable to public / private apps on managed profiles.
• Applicable to public / private apps on Work Profile on Company Owned Device
mode starting from Android 11.

Manage app configurations: Select this check box to delegate app restrictions management.
Applicable to public, private, and in-house apps.

Manage blocking app uninstallation: Select this check box to manage blocking/unblocking uninstallation
of other apps.
Applicable to public, private, and in-house apps.

Manage enabling system apps: Select this check box to delegate enabling system apps.
Applicable to public, private, and in-house apps.

Manage certificate selection: Select this check box to grant key pair to app and revoke key pair to app.
Once granted, the app will receive the private key alias. The Device Owner or Managed
Profile Owner will no longer receive the private key alias. There can be at most one
app that has this delegation. If another app already had delegated certificate selection
access, it will lose the delegation when a new app is delegated.
The delegated app can also grant keychain keys to other apps.
Applicable to public, private, and in-house apps.
This permission can only be granted by Device Owner or Managed Profile Owner.
Example: Allowing apps to control when to prompt the device user to select the
certificates. Useful if you want to have your own certificate app instead of passing
certificates through Ivanti EPMM.

Manage retention of uninstalled apps: Select this check box to keep uninstalled apps.
Applicable to public, private, and in-house apps.

Manage network log collection: Select this check box to manage the network log collection. The delegated
app will receive network logs and the device user will no longer receive the callback. There can
be at most one app that has this delegation. If another app already had delegated
network logging access, it will lose the delegation when a new app is delegated.
Applicable to public, private, and in-house apps.
Device Owner can grant this access from Android 10+. Profile Owner of a managed
profile can grant access from Android 12+.
Example: If your company wants to collect network logs on their own and not through
Ivanti EPMM.

Manage security log collection: Select this check box to manage the security log collection. The delegated
app will receive security logs and the device user will no longer receive the callback. There can
be at most one app that has this delegation. If another app already had delegated
security logging access, it will lose the delegation when a new app is delegated.
Applicable to public, private, and in-house apps.
This permission can only be granted by Device Owner or Managed Profile Owner.
Example: If your company wants to collect security logs on their own and not through
Ivanti EPMM.

Manage installation of existing apps: Select this check box to manage installation of other existing apps
available on the device.
Applicable to public, private, and in-house apps.
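
The single-holder rule for certificate selection, network log and security log delegation, and the Android version floor for network log delegation, can be checked against planned label assignments before rollout. The following is an added example, not part of the Ivanti guide or product: the record layout, package names, labels and device names are constructed, and the delegation names are the item names from the table above.

```python
"""Added example: review planned delegated-permission assignments before rollout.

The record layout is hypothetical; it is not an Ivanti EPMM export format.
"""
from dataclasses import dataclass

# Delegations the table says at most one app can hold; a later grant
# silently displaces the earlier holder.
EXCLUSIVE = {
    "Manage certificate selection",
    "Manage network log collection",
    "Manage security log collection",
}

# Minimum Android major version at which each management mode can grant
# network log collection, as stated in the table.
NETWORK_LOG = "Manage network log collection"
NETWORK_LOG_MIN_ANDROID = {"device_owner": 10, "profile_owner": 12}


@dataclass(frozen=True)
class App:
    package: str
    labels: frozenset        # labels the app is applied to
    delegations: frozenset   # delegated permissions selected for the app


@dataclass(frozen=True)
class Device:
    name: str
    labels: frozenset        # labels the device carries
    mode: str                # "device_owner" or "profile_owner"
    android: int             # Android major version


def apps_for(device, catalog):
    """Apps that reach a device: any label shared between app and device."""
    return [app for app in catalog if app.labels & device.labels]


def review(devices, catalog):
    """Return (device, kind, delegation, packages) findings.

    kind is "conflict" when several apps assigned to one device hold the
    same exclusive delegation, and "unsupported" when network log
    delegation targets a device below the version floor for its mode.
    An unknown mode is reported as unsupported.
    """
    findings = []
    for dev in devices:
        assigned = apps_for(dev, catalog)
        for scope in sorted(EXCLUSIVE):
            holders = sorted(a.package for a in assigned if scope in a.delegations)
            if len(holders) > 1:
                findings.append((dev.name, "conflict", scope, tuple(holders)))
        floor = NETWORK_LOG_MIN_ANDROID.get(dev.mode)
        for app in assigned:
            if NETWORK_LOG in app.delegations and (floor is None or dev.android < floor):
                findings.append((dev.name, "unsupported", NETWORK_LOG, (app.package,)))
    return findings


# Constructed sample data.
CATALOG = [
    App("com.example.certpicker", frozenset({"corp"}),
        frozenset({"Manage certificate selection"})),
    App("com.example.vpn", frozenset({"corp", "field"}),
        frozenset({"Manage certificate selection", NETWORK_LOG})),
    App("com.example.siem", frozenset({"field"}),
        frozenset({NETWORK_LOG, "Manage security log collection"})),
]
DEVICES = [
    Device("dev-A", frozenset({"corp"}), "device_owner", 13),
    Device("dev-B", frozenset({"field"}), "profile_owner", 11),
    Device("dev-C", frozenset({"corp", "field"}), "device_owner", 9),
]

if __name__ == "__main__":
    for finding in review(DEVICES, CATALOG):
        print(finding)
```

A "conflict" finding means the outcome on that device depends on which app was delegated last, so the assignment should be narrowed to a single holder per label set.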
Delegated permissions for in-house apps
For devices running Android 8.0 and above, Ivanti Mobile@Work allows delegated permissions for in-house apps in
Managed Device with Work Profile (COPE) mode. See also "Delegated permissions for Google Play apps" on
page 167.
• For in-house Apps (Apps pushed by Ivanti EPMM):
  o After the app is installed, delegated permissions are applied by Ivanti Mobile@Work.
  o This is supported for Samsung and non-Samsung devices running Android 8.0 or newer versions.
• For in-house Apps on Samsung Knox V3 devices (Android 8.0 and above):
  o Apps are assigned to the device in Managed Device with Work Profile (COPE) mode and whitelisted
  for Knox V3 workspace.
  o Apps are silently installed by Ivanti Mobile@Work on the personal (Device Owner) side and then
  immediately hidden and moved to the Knox V3 workspace (Managed Device with Work Profile
  (COPE) mode.)
  o At the time the app is moved into the Knox V3 workspace, delegated permissions are applied.
Installing regular in-house apps inside the Managed Device with Work Profile (COPE) mode is not
supported.
Adding new versions of an existing Android app
When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the
app's old version information or to adopt the information from the app's new version. This feature is
applicable to Android in-house / private / self-hosted apps.
Procedure
1. In the App Catalog, click the Add+ button.
The Add App Wizard opens.
2. Click In-House.
3. Click Browse and navigate to the in-house Android or Android Enterprise app you want to upload.
4. Click Next.
The An earlier version of this App exists page opens.
5. Select an option:
• Another version of this App was previously uploaded. Reuse its description, icon and
screenshot(s). If the Description, Icon or Screenshot fields of the new app are empty, then the
system will populate those fields with information from the previous app version (default).
• Upload a new description, icon or screen shot. Information related to the Description, Icon or
Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied
from the previous app version.
6. Click Next and finish configuring the new version of your app (see "Adding your Android Enterprise
private app using the app wizard" on page 229).
Once finished, the new version displays in the App Catalog.
Adding secure apps for Android
Administrators upload all secure apps and the Secure Apps Manager to Ivanti EPMM as in-house apps.
Ivanti EPMM makes the apps available to Android devices based on labels that you assign to the apps and
devices.
The apps that you upload include:
• The Secure Apps Manager that Ivanti EPMM provides.
• The Secure Apps Manager is required for AppConnect to work. See AppConnect Guide for EPMM for
more information about Secure Apps Manager.
• The AppConnect apps that Ivanti EPMM provides that your enterprise uses.
• The AppConnect apps that your enterprise wrapped.
• See the AppConnect Guide for EPMM for more information about AppConnect and
third-party/in-house secure apps.
Ivanti EPMM has the ability to upload an Android Google Play Store app that has the same package
name as a private in-house app, such as com.mobileiron.phoneatwork, that is already loaded on
Ivanti EPMM. Also, you can import an in-house app with the same package name as a public app
that is already loaded on Ivanti EPMM. This feature is always on and does not require any
configuration in the user interface.
Before you begin: Get the Secure Apps Manager and the other AppConnect apps that Ivanti EPMM
provides from the support.mobileiron.com site. Save them to a location accessible from your Ivanti EPMM.
To add a secure app to the App Catalog:
1. Go to Apps > App Catalog.
2. Click Add + to open the app wizard.
3. Click In-house.
4. Click Browse. Navigate to and select the secure app (.apk) you want to upload.
You cannot upload an in-house app that exceeds 2.15 GB.
5. Click Next.
The app wizard examines the selected package to ensure that it meets requirements for in-house
apps distributed for Android devices. If the package is acceptable, the next screen displays.
6. Use the following guidelines to complete the rest of the screens in the app wizard:
Item: Description

Application Name: Displays the app name defined by the app developer.
This is the name that displays to device users. This
field is not editable.

Display Version: Displays the version number defined by the app
developer. This is the version that displays to device
users. This field is not editable.
The version number for AppConnect apps includes:
• The version number defined by the app developer.
• Additional numbers provided by the wrapping process.

Code Version: Displays the version defined for the package. This item
is not editable.

Description: Enter any additional text that helps describe what the
app is for. This text appears on the target devices
under the app name in the Secure Apps list.
Ivanti, Inc recommends that you add the following
descriptions for the AppConnect apps that Ivanti
EPMM provides:
• The Secure Apps Manager
The Secure Apps Manager works with the Ivanti
Mobile@Work app to secure and manage secure
apps on your device.
• TouchDown for SmartPhones
TouchDown for SmartPhones provides secure
access to your company email, contacts, calendar,
and tasks.
• File Manager
File Manager allows you to securely navigate and
manage your company files.
• Ivanti Email+ for Android
Ivanti Email+ for Android provides the native email
client experience with ease of setup and important
other features.
• Ivanti Web@Work for Android
Ivanti Web@Work for Android is a secure browser
that allows your device users to easily and securely
access your organization's web content.

Category: Select one or more categories to display this app in a
category tab in Apps@Work or add a new category.
a. Click Add New Category to define new categories.
b. Enter a category Name (up to 64 characters).
c. Enter a Description (up to 255 characters).
d. In the Category Icon section, click the Replace Icon button.
e. Browse and select an icon that will represent this Category.
f. Click Save.

7. Click Next.
Item: Description

Use Global App Config Policy: Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Feature this App in the Apps@Work catalog: By default, the check box is selected to list the app in the Featured apps list in Apps@Work. This feature does not apply to AppConnect apps.

Featured Banner: Checking this option will add this app as part of the top banner on Apps@Work Home screen on end user devices. The latest five apps will be picked to be part of Apps@Work Home page.

Allow app downloads over insecure networks: Select this if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection.

Override URL: If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location.
Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which apps are stored.
See "Override for in-house app URLs" on page 44 for the requirements for this configuration before using it.

App Icon: Icon and Screenshots appear when editing an app entry.
The icon retrieved from Google Play displays.
To replace the icon, click the Replace Icon button. Select the icon to represent this app. The file must be no larger than 1024 x 1024 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. Icon height and width must be equal.

Screenshots: Icon and Screenshots appear when editing an app entry.
The screenshots retrieved from Google Play are displayed.
• Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing.
• To delete a screenshot, click Remove under the screenshot.
8. Click Next.
Item: Description

Silent install for Mandatory Apps: This feature only applies to devices that support silent installation.
• Clearing the check box means the device user will need to manually install the app.
• Selecting the check box will install the app silently. The app is installed when the device checks in with Ivanti EPMM. User action is not required.
For more information, see "Silent install and uninstall of mandatory apps" on page 189.
Silent install is not supported for MAM-only Android devices.

Enforce this version for Mandatory Apps: This feature applies only to mandatory in-house apps. Version enforcement is not available for AppConnect apps or apps from Google Play.
Select the check box to require this version of the in-house app on devices, even if newer or older versions of the same app .apk are uploaded to the App Catalog.
In order for this to take effect, you will need to set the Mandatory field in the Apply to Labels dialog box to Yes.
See "Enforcement of specific app versions for mandatory in-house apps" on page 192 for more information, including how to achieve desired results when multiple versions of the same app are in the App Catalog.

Per App VPN by Label Only: Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device, then select one of the pre-configured Per-App VPN in the field below. If there is no associated label between the VPN configuration and the device, Per App VPN will not be installed on the device.
De-select this check box to assign the per App VPN based on the selections in the Per App VPN field, ignoring labels. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default.
Per app VPN is not supported for MAM-only Android devices.
Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

License Required: The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:
• If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.
• If Per App VPN by Label Only is not selected, then the VPN configurations listed are in priority order and do not need to be assigned to a label matching the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will change in future Ivanti EPMM releases and become selected by default.
To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.
To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.
See “VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN.
Per app VPN is not supported for MAM-only Android devices.
9. Click Finish.
The app displays in the App Catalog screen with an icon that identifies the app as an in-house app.
You know the app is an AppConnect app by looking at its version number. The version number for
an AppConnect app is a concatenation of the original app’s version number and a version number
from wrapping the app.
Mandatory and optional in-house and secure apps
An Android in-house app made available through the App Catalog can be designated as a mandatory app,
which means that the app is always installed on the devices matching the app’s labels. An app that is not
marked as mandatory is optional, and enables the users to decide whether or not to install the app on their
devices. The in-house app can be either an AppConnect app (secure app) or a regular, non-AppConnect
app.
Designating the Secure Apps Manager as optional and all secure apps as optional means that the
device user sets up the secure apps container on-demand. See "On-demand secure apps container
setup" on page 199.
To set the prerequisite app for a dependent app, see "App management action workflows" on
page 40.
Silent install and uninstall of mandatory apps
You can specify that mandatory in-house apps and secure apps are silently installed and uninstalled on:
• Samsung Knox devices MDM version 1.0 or newer versions
• Zebra MX running version 4.4 or newer versions
• LG devices that support silent installation - The LG device must be running:
  o Android 7.0 or newer versions
  o Ivanti Mobile@Work 9.7 or newer versions
The Silent install for Mandatory Apps feature eliminates any dependency on the device user to install or
uninstall the app. Also, when you retire a device (when, for example, it is lost or stolen or the employee has
left the company), the silently installed in-house and secure apps are silently uninstalled, thereby protecting
the apps and their data.
Note the following:
• Samsung Knox devices prevent the user from uninstalling the app.
• Silent install and uninstall are not supported on MAM-only Android devices.
• Silent install and uninstall are not supported for apps from the Google Play Store.
• AppConnect apps are not supported on devices using the Samsung Knox container. Do not install
  AppConnect apps if you are using the Samsung Knox container on the same device.
Uninstall behavior for silently installed apps
Installed apps are silently uninstalled when:
• No label maps the in-house or AppConnect app to the device.
  You apply labels to in-house and AppConnect apps to make the apps available to devices. Removing
  the label from the app or the device causes Ivanti Mobile@Work to uninstall the app.
• You retire the device.
• You remove the in-house or AppConnect app from Ivanti EPMM.
Whether device users are notified to install a mandatory app
Although a mandatory app is always installed on the device, whether the device user sees a notification to
install the app depends on whether the silent installation feature is enabled. The following table specifies
when a device user sees the notification:
| Is app marked for silent installation? | Samsung Knox, Zebra, and LG devices that support silent installation | Devices that do not support silent installation |
|---|---|---|
| Yes | Silently installed with no notification to user | Notification to user to install |
| No | Notification to user to install | Notification to user to install |
TABLE 9. MANDATORY APP INSTALLATION INTERACTION WITH SILENT INSTALLATION
Device user experience with uninstalling a mandatory app
The device user experience when attempting to uninstall a mandatory app depends on the type of device, as
specified by the following table:
| | Samsung Knox | Zebra devices that support silent install/uninstall | LG devices that support silent install/uninstall | Devices that do not support silent install/uninstall |
|---|---|---|---|---|
| Can device user uninstall a mandatory app when the silent install/uninstall feature is enabled? | No | Yes, but the app will be silently reinstalled. | Yes, but the app will be silently reinstalled. | Yes, but the device user will be notified to re-install the app. |
| Can device user uninstall a mandatory app when the silent install/uninstall feature is not enabled? | No | Yes, but the device user will be notified to re-install the app. | Yes, but the device user will be notified to re-install the app. | Yes, but the device user will be notified to re-install the app. |
TABLE 10. DEVICE USER EXPERIENCE WITH UNINSTALLING A MANDATORY APP
Designating an in-house app as optional or mandatory
After you have added the app to the App Catalog, you can designate whether it is an optional or mandatory
app.
The below procedure applies to:
• Android in-house apps
• iOS in-house and public apps
• macOS in-house and public apps
• AppConnect apps
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select an app and then select Actions > Apply to Labels.
3. In the Apply to Labels dialog box, select the check box next to the app's name.
4. Click in the Mandatory field; a drop-down displays. Selecting Yes makes the selected app
mandatory; leaving it at the default No makes the app optional.
5. Click Apply.
Related topics
• "Enforcement of specific app versions for mandatory in-house apps" below
Enforcement of specific app versions for mandatory in-house apps
You can configure a mandatory in-house app to limit its installation on devices to a specific version of the
app, even if newer or older versions of the same app .ipa are uploaded to the Ivanti EPMM’s app catalog.
You can also ensure that any version of the same app is installed, regardless of which version. The option
called Enforce this version for Mandatory Apps is available in the App Catalog app wizard.
The version enforcement feature is supported only with regular (non-AppConnect) in-house apps. It does
not apply to AppConnect apps or Google Play apps.
Use the version enforcement feature to:
• Ensure devices have the in-house app installed, regardless of version number.
• Lock users to a particular version of the Ivanti Mobile@Work app. This applies to organizations that
  install Ivanti Mobile@Work as an in-house app instead of installing it from Google Play.
• Ensure users do not upgrade to a new version of an in-house app while the newer version is still
  undergoing testing.
• Downgrade users to a previous version of an in-house app.
Setting up version enforcement for an in-house app
You can enable or disable enforcing a specific app version for an in-house app on an Android device when
you upload the app to Ivanti EPMM.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Add+.
3. Click In-House.
4. Click Browse... to select your in-house app. (Must not be an AppConnect app.)
5. Fill out the app wizard as needed; under App Installation Settings, select Enforce this version for
Mandatory Apps. If this check box is not selected, then enforcing a specific app version will not
apply. See: "Enforcing an app version when you have uploaded multiple versions to Ivanti EPMM"
below.
6. Finish filling out the app wizard as needed. Click Finish.
7. Select the app in the App Catalog.
8. Click Actions > Apply to Labels.
9. In the Apply to Labels dialog box, select the check box next to the app's name.
10. Click in the Mandatory field; a drop-down displays. Selecting Yes makes the selected app mandatory;
leaving it at the default No makes the app optional. If the Mandatory field is not set to Yes, the latest
version of the app will not be enforced.
11. Click Apply.
Enforcing an app version when you have uploaded multiple versions to Ivanti EPMM
If you have multiple versions of the same mandatory in-house .ipa file uploaded to Ivanti EPMM, you may
wish to ensure one of the following scenarios:
• Devices always get the latest version of the app. (App updates are forced)
• Devices have the app installed, regardless of the version number. (App updates are not forced)
• Devices remain on an older version of the app.
• Devices are downgraded to an older version of the app.
Assuming your in-house app has versions 1.0, 2.0, and 3.0 in order from oldest to newest, and all three are
uploaded to Ivanti EPMM, use the settings described in the following table to achieve the desired results.
Note that having a label means that same label is applied both to the device and to the app. If a device is
assigned to many labels, but at least one label has the Mandatory field set to Yes, then the device will have
that app as mandatory.
| Desired Result | Label and app settings (in App Catalog) |
|---|---|
| Ensure that any version of the app is installed on the device | For app version 1.0: Enforce this version is not selected. For app version 2.0: Enforce this version is not selected. For app version 3.0: Enforce this version is not selected. Label must be applied to any or all versions of the app. |
| Allow only version 2.0 | For app version 1.0: Enforce this version: irrelevant. For app version 2.0: Enforce this version is selected. For app version 3.0: Enforce this version: irrelevant. Label must be applied to app version 2.0 only. Label must not be applied to all other app versions. |
| Ensure the latest version is always installed | Enforce this version is selected on the most recent app version (3.0). Enforce this version is irrelevant on older app versions (1.0, 2.0). Label must be applied to latest app version (3.0). Label may be applied to all app versions. |
| Downgrade users to version 1.0 | App version 1.0: Enforce this version is selected; Label is applied. App version 2.0: Label is removed. App version 3.0: Label is removed. |
TABLE 11. APP VERSION SETTINGS
Mandatory apps can be silently installed and uninstalled on some devices. When not silently
installed, the device user is prompted to install or uninstall a mandatory app.
Related topics
• "Mandatory and optional in-house and secure apps" on page 189
Apps@Work in Ivanti Mobile@Work for Android
Apps@Work enables device users to view, install, update, reinstall, and search for the apps made available
to them by the Ivanti EPMM administrator. On Android, Apps@Work is available to users as a menu item in
the Ivanti Mobile@Work app. Apps@Work authenticates to Ivanti EPMM using either certificate
authentication or token-based authentication.
Apps@Work displays the apps that you make available to the device through labels. In the Ivanti EPMM
Admin Portal, you assign an app to one or more labels. A device that is assigned to the same label as the
app will have access to that app in Apps@Work.
Within Apps@Work, apps are organized into the Featured and Category tabs. If you have enabled ratings
and reviews, the device user sees reviews, and can rate apps and write reviews. You can choose apps to be
displayed as Featured Apps in the Apps@Work home screen.
Apps@Work for Android authentication to Ivanti EPMM
You determine whether Apps@Work authenticates to Ivanti EPMM using:
• Token authentication - Apps@Work uses a token to authenticate to Ivanti EPMM. Ivanti EPMM sends
  Ivanti Mobile@Work the token when it registers with Ivanti EPMM.
• Certificate authentication - Apps@Work authenticates to Ivanti EPMM using an identity certificate.
  This certificate is specified by the certificate enrollment setting in the mutual authentication setting in
  the Ivanti EPMM Admin Portal at Settings > System Settings > Security > Certificate
  Authentication.
  Using certificate authentication for Apps@Work on Android devices requires:
  o mutual authentication is enabled on Ivanti EPMM.
  o the device is running Ivanti Mobile@Work 10.2.0.0 or newer versions.
  o the device is running Android 5.0 or newer versions.
Note the following:
• If certificate authentication is selected, but some of the requirements for certificate authentication are
  not met, token-based authentication is used.
• If certificate authentication is selected, and all of the requirements for certificate authentication are
  met, if the authentication fails for some reason, the device user cannot use Apps@Work. There is no
  fallback to using token-based authentication in this case.
• By default, certificate authentication is selected.
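The fallback rules above mean a device can quietly use token-based authentication while Certificate Authentication is selected. The following added example (not Ivanti code) predicts the mode each device will use from a device inventory; the CSV layout, column names, and device names are constructed for illustration and are not an EPMM export format.

```python
import csv
import io

# Requirements the guide lists for certificate authentication on Android.
MIN_MOBILE_AT_WORK = (10, 2, 0, 0)  # Ivanti Mobile@Work 10.2.0.0 or newer
MIN_ANDROID = (5, 0)                # Android 5.0 or newer

# Constructed inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """\
device,mobile_at_work,android
pixel-01,11.4.0.0,13
tablet-07,10.1.0.3,9
scanner-22,10.2.0.0,4.4.4
kiosk-03,unknown,8.1
"""


def parse_version(text):
    """Return '10.2.0.0' as (10, 2, 0, 0), or None when a component is not numeric."""
    parts = text.strip().split(".")
    if any(not (p.isascii() and p.isdigit()) for p in parts):
        return None
    return tuple(int(p) for p in parts)


def at_least(version, minimum):
    """Compare dotted versions of unequal length by zero-padding the shorter one."""
    if version is None:
        # Assumption of this example: an unreadable version counts as "not met".
        return False
    width = max(len(version), len(minimum))
    padded = version + (0,) * (width - len(version))
    floor = minimum + (0,) * (width - len(minimum))
    return padded >= floor


def expected_mode(cert_auth_selected, mutual_auth_enabled, mobile_at_work, android):
    """Return (mode, unmet_requirements) for one device.

    mode is "token" (Certificate Authentication deselected), "token-fallback"
    (selected, but a requirement is unmet) or "certificate" (selected and all
    requirements met; a certificate failure then has no token fallback).
    """
    if not cert_auth_selected:
        return "token", []
    unmet = []
    if not mutual_auth_enabled:
        unmet.append("mutual authentication is not enabled on Ivanti EPMM")
    if not at_least(parse_version(mobile_at_work), MIN_MOBILE_AT_WORK):
        unmet.append("Mobile@Work %r is older than 10.2.0.0 or unreadable" % mobile_at_work)
    if not at_least(parse_version(android), MIN_ANDROID):
        unmet.append("Android %r is older than 5.0 or unreadable" % android)
    if unmet:
        return "token-fallback", unmet
    return "certificate", []


def audit(inventory_csv, cert_auth_selected=True, mutual_auth_enabled=True):
    """Map each device name in the CSV to its (mode, unmet_requirements) pair."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[row["device"]] = expected_mode(
            cert_auth_selected, mutual_auth_enabled,
            row["mobile_at_work"], row["android"],
        )
    return results


if __name__ == "__main__":
    for device, (mode, unmet) in audit(SAMPLE_INVENTORY).items():
        print(device, mode, "; ".join(unmet))
```

Devices reported as "token-fallback" are the ones to upgrade or remediate if certificate authentication is a policy requirement; devices reported as "certificate" lose Apps@Work entirely if the certificate fails, because there is no fallback in that case.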
Related topics
• "Configuring Apps@Work for Android authentication to Ivanti EPMM" below
• "Setting up Apps@Work for iOS and macOS" on page 78
• "Mutual authentication between devices and Ivanti EPMM" section in the Ivanti EPMM Device
  Management Guide for Android and Android Enterprise devices.
Configuring Apps@Work for Android authentication to Ivanti EPMM
To configure how Apps@Work authenticates to Ivanti EPMM:
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps >Apps@Work Settings.
2. To enable certificate authentication to Ivanti EPMM, in the App Storefront Authentication box, select
Certificate Authentication.
Note that requirements for using certificate authentication are listed in "Apps@Work for Android
authentication to Ivanti EPMM" on the previous page. If any of these requirements are not met,
Apps@Work uses token-based authentication to authenticate to Ivanti EPMM, even when Certificate
Authentication is selected.
3. To disable certificate authentication to Ivanti EPMM, and use only token-based authentication, in the
App Storefront Authentication box, deselect Certificate Authentication.
Note that deselecting certificate authentication also means that Apps@Work on iOS devices does not
use certificate authentication.
Related topics
• "Apps@Work for Android authentication to Ivanti EPMM" on the previous page
• "Setting up Apps@Work for iOS and macOS" on page 78
• "Mutual authentication between devices and Ivanti EPMM" section in the Ivanti EPMM Device
  Management Guide for Android and Android Enterprise devices
Adding apps to Apps@Work for Android devices
Apps in the App Catalog must be assigned to one or more labels to be available in Apps@Work on the
devices.
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > App Catalog.
2. Select Android from the Platform list.
3. Select the app you want to work with.
4. Click Actions > Apply to Label.
5. Select the label that represents the Android devices on which you want the selected app to be listed.
6. If, during the installation of the selected app, the Enforce this version for Mandatory Apps field
was selected (checked), the Apply to Label dialog box will display Yes in the Mandatory field.
Otherwise, the Mandatory field displays No.
7. Click Apply.
To set the prerequisite app for a dependent app, see "App management action workflows" on
page 40.
Device user experience of Apps@Work on an Android device
The device user taps Apps@Work on the menu in Ivanti Mobile@Work to access the app store.
Apps@Work organizes the apps under three main tabs:
• Featured tab
  o The featured screen lists all apps that are designated as featured apps by the administrator.
• Categories tab
  o An app can be listed under Featured as well as under multiple categories.
  o Uncategorized apps are displayed under Uncategorized in the Categories tab.
  o Only categories that have at least one app are displayed.
  o Categories are defined by administrators as they add apps in the App Catalog in Ivanti EPMM.
• Updates tab
  o When a user’s device checks in, the Update tab displays a badge number indicating the number of
    in-house and public app updates available for the device user to download. Once the user
    updates the apps, the badge number will disappear on next device check-in.
Apps are listed in alphabetical order.
Notification of newly-published apps
When a featured app or an update to an installed app is published to device users, those users receive a
notification in the form of a badge that appears next to the appropriate app list. The number on the badge
indicates the number of apps available.
If the user deletes a published app, that app will not become available for reinstalling again until the next
sync interval causes Ivanti EPMM to be updated. You can address device user concerns by using the Force
Device Check-In command to force Ivanti Mobile@Work to update Ivanti EPMM.
App details in Apps@Work on an Android device
Tap the app to view its details screen. If the administrator enabled ratings and reviews, tap the Reviews tab
to read reviews, or write a review if you have already installed the app.
One of the following buttons appears on the details screen:
• View: takes you to view or install the app in the Google Play Store.
• Install: installs the app.
• Reinstall: downloads and reinstalls the app.
• Open: launches the app.
Searching for an app in Apps@Work on an Android device
Tap the search icon on the title bar to initiate a search within Apps@Work. Type any part of an app’s name
and tap the return key. The search results are displayed. Tap Cancel next to the search text entry box to exit
search mode.
Localized Apps@Work on an Android device
Apps@Work is translated into the languages supported by Ivanti Mobile@Work. The text and
messages in Apps@Work appear in the device’s local language when the language is enabled in the Ivanti
EPMM language preferences.
To enable languages in the Ivanti EPMM Admin Portal:
1. Go to Settings > System Settings > General > Language.
2. In the Language section, select the desired languages.
3. Click the right arrow to move the selection to Enabled Languages.
On-demand secure apps container setup
Sometimes when you configure device users to be able to use secure apps, some users do not immediately
need to use the apps. These users can set up the secure apps container on-demand if all their secure apps
are optional apps.
Recall that you designate an app as optional or mandatory when you upload it to the App Catalog in Ivanti
EPMM. When all the secure apps are optional, the device users install the Secure Apps Manager and create a
secure apps passcode only when they install their first secure app.
To configure Ivanti EPMM to allow on-demand secure apps container setup, you designate the Secure Apps
Manager as optional in Ivanti EPMM’s App Catalog.
The following table summarizes the behavior:
| | One or more mandatory secure apps | No mandatory secure apps |
|---|---|---|
| Secure Apps Manager is mandatory | User is prompted to create the AppConnect container during setup. | User is prompted to create the AppConnect container during setup. |
| Secure Apps Manager is optional | User is prompted to create the AppConnect container during setup. | User does not create AppConnect container until he requests a secure app. |
On-demand secure apps container setup improves the device user’s experience. Until the device user needs
a secure app, the device user does not have to set up the AppConnect container. Setting up the AppConnect
container requires the device user to:
• Download and install the Secure Apps Manager
• Create an AppConnect passcode
Now device users have to go through this process only when they are ready to use a secure app.
Interactions with on-demand secure apps container setup
File Manager interaction
The secure File Manager provides some capabilities that secure apps use. These capabilities include:
• An image viewer
• An HTML viewer
• A text viewer
• A ZIP file extractor
• A file download manager
If other secure apps require these features, File Manager must be installed.
Do one of the following:
• If you make secure apps container setup on-demand, inform device users to always install the File
  Manager if they install any other secure app.
• Make the File Manager app mandatory, thereby not using on-demand container setup.
Email client interaction
The Exchange setting in the Ivanti EPMM Admin Portal allows you to list a priority order for Android email
apps. This order indicates the preferred app for Ivanti Mobile@Work to set up as the device’s email client. If
you do not specify a list, Ivanti Mobile@Work looks for the following unsecured apps in this order: Ivanti
Email+, TouchDown for SmartPhones, the email app native to the device.
IMPORTANT: Always specify an Exchange setting email app priority list if you are using on-
demand AppConnect container setup. If the list is empty, Ivanti Mobile@Work will set up an
unsecured email app such as the native email app.
To ensure the use of a secure email app, do one of the following:
• Make all secure apps optional, and put only secure email apps in the priority list.
  In this case, the device user cannot use email until he installs a secure email app, but you ensure the
  device user does not use an unsecured email app.
• Make a secure email app mandatory, and put it in the Exchange setting list.
  In this case, the device user is prompted to set up the AppConnect container, and the secure email
  app is installed and set up. However, using this method means the device users do not benefit from
  on-demand secure apps container setup.
For MAM-only Android devices, this priority list is not applicable because the Exchange setting is
not supported. For MAM-only Android devices, use the AppConnect-enabled Ivanti Email+ for
Android.
Secure Apps Manager or secure app upgrade interaction
Consider the scenario when:
• You add a newer version of the Secure Apps Manager or a secure app to the App Catalog.
• You designate the newer version as optional.
If the older Secure Apps Manager or secure app is already installed on a device, the device user is prompted
to install the upgraded app, even though it is designated optional. This behavior ensures that the user
installs the upgraded version.
Configuring on-demand secure apps container setup
To configure on-demand secure apps container setup:
• Designate all secure apps as optional.
• Designate the Secure Apps Manager as optional.
IMPORTANT: If you set the Secure Apps Manager and secure apps as optional, set all versions of
Secure Apps Manager and secure apps in the App Catalog to optional.
Designating the Secure Apps Manager or secure app as optional during upload
You can designate the Secure Apps Manager or secure app as optional when you upload it to the App
Catalog in the Ivanti EPMM Admin Portal.
For example, for the Secure Apps Manager:
1. Go to Apps > App Catalog.
2. Click Add + to open the app wizard.
3. Click In-house.
4. Click Browse to select and upload the Secure Apps Manager.
5. Continue through the app wizard, filling out fields as needed, until you reach the Silent install for
Mandatory Apps field. To make the Secure Apps Manager optional, make sure the check box is
cleared.
6. Fill out the remaining fields as needed.
7. Click Finish.
Designating the Secure Apps Manager or secure app as optional after upload
You can change an app to optional in the Ivanti EPMM Admin Portal at any time.
For example, for the Secure Apps Manager:
1. Go to Apps > App Catalog.
2. Under Platform, select Android.
3. Find the Secure Apps Manager and click the app.
4. Click Edit.
5. Find the Silent Install for Mandatory Apps field and clear the check box to make the Secure Apps
Manager optional.
6. Click Save.
Device user view of on-demand secure apps container setup
When you configure on-demand secure apps container setup, Ivanti Mobile@Work does not prompt the
user to set up the AppConnect container until the user requests to download a secure app. On-demand
setup occurs if both of the following are true:
• The Secure Apps Manager is optional.
• All the secure apps assigned to the device are optional.
Designating the Secure Apps Manager as optional impacts what displays in the Secure Apps menu item in
Ivanti Mobile@Work. The Secure Apps menu item shows the Secure Apps Manager only if it is mandatory. It
shows a secure app only if it is mandatory. If the Secure Apps Manager is optional, and all the secure apps
are optional, the Secure Apps menu item does not appear.
The following steps illustrate the process that the device user experiences when he requests a secure app for
the first time.
1. In Ivanti Mobile@Work, the device user taps Apps@Work.
Apps@Work displays the available apps.
2. The device user taps a secure app, such as File Manager.
3. The user taps Install. Ivanti Mobile@Work informs the device user that Secure Apps must be
configured.
4. The device user taps Continue.
The remaining steps are similar to what the user experiences at registration when the Secure
Apps Manager is mandatory.
5. The device user taps Continue.
• The Secure Apps Manager is included for installation along with the secure app that the
  device user requested.
6. The device user taps Begin, and follows the instructions to install the Secure Apps Manager and the
requested app.
After the apps are installed, the device user is prompted to set up the secure apps passcode.
After the user sets up the secure apps passcode, the AppConnect container is set up. The Secure Apps
Manager and the selected secure app are installed and ready to use.
Specify latest version required for a secure app
You can specify that the latest version of a secure app is required. When you upload a new version of a
secure app to the App Catalog in the Ivanti EPMM Admin Portal, you can specify this requirement. You can
also later edit the app to specify this requirement. This requirement means that the device user can no
longer run the older version of the app. When the device user attempts to run the older version, he is
prompted to install the newer version.
This feature is available only for secure apps, not for unsecured apps.
By requiring that device users upgrade to the latest version of a secure app:
• You can ensure that all users have the latest features, fixes, and security upgrades.
• You can ensure all users are using the same set of secure apps. This consistent deployment across all
  devices simplifies your environment and support needs.
A special case involves the Secure Apps Manager. You can specify that the latest version of the Secure Apps
Manager is required. In this case, the device user cannot run any secure app until he upgrades the Secure
Apps Manager. Normally, you do not select this option for the Secure Apps Manager unless it contains
security fixes that you require.
Do not specify that the latest version of the Secure Apps Manager is required for the typical Secure
Apps Manager upgrade scenario. If a device user installs a secure app that requires the latest
version of the Secure Apps Manager, the latest Secure Apps Manager is automatically installed.
Requiring the latest version of a secure app
First, specify that a secure app’s latest version is required when you upload it to the App Catalog in the Ivanti
EPMM Admin Portal:
1. Go to Apps > App Catalog.
2. For Platform, select Android.
3. Click Add +.
4. Select In-house.
5. Click Browse to select and upload a secure app.
6. Fill out fields as needed until you find Require the user to install the latest version of the app in
order to run it. Select Yes.
7. Fill out the remaining fields as needed.
8. Click Finish.
Next, do the same for each older version of the same app in the App Catalog. Set the field Require the user
to install the latest version of the app in order to run it to Yes. (If you select Yes, select Yes for every
version of the app.) Click Finish.
You can also edit an app at a later time to select the option Require the user to install the latest
version of the app in order to run it.
Device user experience when latest version of an app is required
The device user experiences the following:
• If you require the latest version of the Secure Apps Manager, and the device user has an older
  version, he cannot run any secure app until he updates the Secure Apps Manager.
• The device user cannot run an app if you have required the latest version of the app and the device
  user has an older version.
When the user attempts to launch the older version of an app, he is automatically taken to Ivanti
Mobile@Work. A toast message appears briefly over the Ivanti Mobile@Work Secure Apps screen. The toast
message says “Please update this Secure App and wait for sync to complete”. The device user follows the
instructions to install the app.
Similarly, if the device user launches Ivanti Mobile@Work when a newer version of an app must be installed,
Ivanti Mobile@Work prompts the user to configure secure apps:
The device user taps Begin, and follows the instructions to install the updated version of the app.
Now when the device user launches the secure app, he is launching the latest version.
Related topics
"App management action workflows" on page 40
Secure apps installation order
You can specify the installation order for AppConnect apps (also called secure apps).
Specifying the installation order is not typically necessary. It is necessary only for a secure app that has a
particular dependency on another secure app, which is not a common situation. Installing such apps in the
wrong order can result in the apps not working properly. The app developers or app vendor will indicate
whether such a dependency exists.
When such a dependency does exist, you configure an installation order only for the interdependent secure
apps, not for all secure apps. Secure apps that are not part of the installation order are installed in
alphabetical order by app name after the configured interdependent apps.
By specifying the installation order for secure apps, you ensure that apps that depend on each other can
work properly.
Secure app installation order with optional secure apps
You can designate an Android secure app as optional. If you list an optional secure app in the installation
order configuration, it is not installed unless the device user specifically chooses to install it.
Therefore, typically, if you list a secure app in the installation order configuration, designate it as a
mandatory app. The reason the app is in the installation order configuration is because other apps depend
on it to work properly, or it depends on other apps. If other apps depend on it, but it is optional and not
installed, the device user will experience functionality issues with the apps that depend on it.
Specifying the installation order for secure apps
You specify the installation order for secure apps using the AppConnect app configuration of the
Secure Apps Manager in Ivanti EPMM. You create a special key-value pair that lists the secure apps’ package
IDs in the required installation order.
Note the following:
• You only specify the order for secure apps that have dependencies on each other.
• No action is required for other secure apps. The other secure apps are installed last, in alphabetical
  order by application name.
• The Secure Apps Manager is always installed first.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Select the AppConnect app configuration (Setting Type is APPCONFIG) for the Secure Apps
Manager.
3. Click the Edit icon.
4. Click Add+.
5. For the Key, enter AC_APP_INSTALL_ORDER.
6. For the Value, enter a list of app package IDs, separated by semi-colons, in the required installation
order. For example:
forgepond.com.acmesecureapps.financetracker;forgepond.com.acmesecureapps.saleslogger
The financetracker app will be installed first, followed by saleslogger.
After the listed apps are installed, all other secure apps will be installed in alphabetical order by
application name, as it appears in the Ivanti EPMM App Catalog in the App Name column. For
example:
• Divide PIM
• File Manager
• ThinkFree Office Viewer
7. Click Save.
Uninstall order when you specify installation order of secure apps
If you change the labels for the device or apps so that the apps no longer apply to the device, the apps are
uninstalled in the following order:
1. Apps that are not part of the AC_APP_INSTALL_ORDER configuration are uninstalled, in reverse
alphabetical order.
2. Apps that are part of the AC_APP_INSTALL_ORDER configuration are uninstalled, in the reverse of the
order in which they are listed.
Upgrading apps when you specify the installation order of secure apps
If you add new versions of secure apps to the App Catalog, the apps are upgraded on the device in the
following order:
1. New versions of apps that are part of the AC_APP_INSTALL_ORDER configuration are upgraded in the
order they are listed.
2. New versions of apps that are not part of the AC_APP_INSTALL_ORDER configuration are upgraded in
alphabetical order.
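The install, uninstall and upgrade rules above can be checked before you save the key-value pair. The following is an added example, not Ivanti code: SecureApp, the function names, the app names and package IDs other than the two forgepond IDs, and the case-insensitive name comparison are all assumptions made for illustration.

```python
"""Model of the ordering rules documented for AC_APP_INSTALL_ORDER (illustration only)."""
from dataclasses import dataclass

INSTALL_ORDER_KEY = "AC_APP_INSTALL_ORDER"
SECURE_APPS_MANAGER = "Secure Apps Manager"


@dataclass(frozen=True)
class SecureApp:
    name: str             # as shown in the App Name column of the App Catalog
    package_id: str
    mandatory: bool = True


def parse_install_order(value):
    """Split the semicolon-separated value into package IDs and reject duplicates."""
    ids = [part.strip() for part in value.split(";") if part.strip()]
    dupes = sorted({p for p in ids if ids.count(p) > 1})
    if dupes:
        raise ValueError(f"duplicate package IDs in {INSTALL_ORDER_KEY}: {dupes}")
    return ids


def split_apps(apps, ordered_ids):
    """Return (apps listed in the key, in key order; all other apps, by name)."""
    by_id = {a.package_id: a for a in apps}
    listed = [by_id[p] for p in ordered_ids if p in by_id]
    # Assumption: "alphabetical order" is compared case-insensitively.
    others = sorted((a for a in apps if a.package_id not in ordered_ids),
                    key=lambda a: a.name.casefold())
    return listed, others


def install_order(apps, value, user_selected=frozenset()):
    """Secure Apps Manager first, then listed apps, then the rest by name.
    Optional apps are skipped unless the device user chose to install them."""
    listed, others = split_apps(apps, parse_install_order(value))
    wanted = [a for a in listed + others
              if a.mandatory or a.package_id in user_selected]
    return [SECURE_APPS_MANAGER] + [a.name for a in wanted]


def uninstall_order(apps, value):
    """Unlisted apps in reverse alphabetical order, then listed apps reversed."""
    listed, others = split_apps(apps, parse_install_order(value))
    return [a.name for a in reversed(others)] + [a.name for a in reversed(listed)]


def upgrade_order(apps, value):
    """Listed apps in key order, then unlisted apps alphabetically."""
    listed, others = split_apps(apps, parse_install_order(value))
    return [a.name for a in listed + others]


def lint(apps, value):
    """Flag entries that defeat the purpose of the key: unknown or optional apps."""
    by_id = {a.package_id: a for a in apps}
    findings = []
    for pid in parse_install_order(value):
        app = by_id.get(pid)
        if app is None:
            findings.append(f"{pid}: not in the App Catalog")
        elif not app.mandatory:
            findings.append(f"{pid}: listed in {INSTALL_ORDER_KEY} but optional")
    return findings


# Constructed sample catalog. Only the two forgepond package IDs and the three
# unlisted app names come from the guide; everything else is a placeholder.
CATALOG = [
    SecureApp("ThinkFree Office Viewer", "example.thinkfree"),
    SecureApp("Sales Logger", "forgepond.com.acmesecureapps.saleslogger"),
    SecureApp("Divide PIM", "example.dividepim"),
    SecureApp("Finance Tracker", "forgepond.com.acmesecureapps.financetracker"),
    SecureApp("File Manager", "example.filemanager"),
]
VALUE = ("forgepond.com.acmesecureapps.financetracker;"
         "forgepond.com.acmesecureapps.saleslogger")

if __name__ == "__main__":
    print("install:  ", install_order(CATALOG, VALUE))
    print("uninstall:", uninstall_order(CATALOG, VALUE))
    print("upgrade:  ", upgrade_order(CATALOG, VALUE))
    print("lint:     ", lint(CATALOG, VALUE))
```
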
Related topics
"App management action workflows" on page 40
Android app versions and device counts
To see all the versions of an app that are installed throughout all your users’ devices, go to the Apps >
Installed Apps page and select the Details View. The App Version column displays the version number,
and the Devices Installed column shows the number of devices associated to that version of the app.
On the Apps > App Catalog page, the Devices Installed column displays the number of devices
associated with the latest version of the app. To see collective information on all installed versions of an app,
go to the Apps > Installed Apps page.
Troubleshooting Android apps
Issue: A newly-added app does not display in Apps@Work on the device.
Troubleshooting:
1. Confirm that you have applied the app to a label to which the device has been added.
2. Confirm that the device meets the minimum OS requirement you specified for the app when you
added the app.
3. If the Ivanti Mobile@Work app is running, select Force Device Check-in from the Settings menu (or
Connect Now from the main menu in older versions).
Issue: A newly-added app does not display in the in-house apps list on the device.
Troubleshooting:
1. Confirm that you have applied the app to a label to which the device has been added.
2. Confirm that the device meets the minimum OS requirement you specified for the app when you
added the app.
3. Confirm that the device has been configured to accept apps from outside the Google Play Store. (On
the device, select Settings > Applications > Unknown sources).
4. If the Ivanti Mobile@Work app is running, select Force Device Check-in from the Settings menu (or
Connect Now from the main menu in older versions).
Managing mobile apps for Android Enterprise
You can deploy public and private Android Enterprise apps to devices.
• "About apps for Android Enterprise" below
• "Features specific to Android Enterprise apps" on the next page
• "App configuration for Android Enterprise apps" on page 216
• "Public and private Android Enterprise app deployment" on page 222
• "Setting up Chrome with Android Enterprise" on page 242
Related topics
• "App management action workflows" on page 40
About apps for Android Enterprise
Android Enterprise apps are either public apps or private apps:
• Public apps are apps that are available to the general public in the Google Play Store.
• Private apps are apps developed for your organization in-house or by 3rd party developers that you
  distribute privately through Google Play. Only members of your domain have visibility into your
  private apps. Your private enterprise apps are available through the Google Play Store to registered
  users.
Besides making apps available in Google Play, you can make public and private (in-house) apps available for
download to Android Enterprise devices in the App Catalog on Ivanti EPMM. They can be installed on user
devices and supported for Work Managed Device and Managed Device with Profile modes. You do this by
selecting the Install this app for Android enterprise check box in the app details.
You can select the Install this app for Android enterprise check box only if you are a global
administrator, that is, an administrator assigned to the global space.
Ivanti EPMM supports various features that are specific to Android Enterprise apps. You specify your choices
for these features when you add an Android Enterprise app to the App Catalog. Otherwise, working with the
Android Enterprise apps in the App Catalog is the same as for any other platform:
• Mark an app as Featured is available.
• Assign an app to one or more Categories is available.
• You must apply an app to a label to make it available to users.
You can change the Install this app for Android enterprise setting for each app in the app’s details, on
the App Catalog page, at any time.
An app designated as available to Android Enterprise devices can also be available to all Android
devices. The app will install appropriately on Work profiles or non-Android Enterprise devices.
Features specific to Android Enterprise apps
Ivanti EPMM supports the following features for Android Enterprise apps, on all Android Enterprise modes.
You set these features when you add the app to the Ivanti EPMM App Catalog, or later edit it.
• Install this app for Android enterprise: Selecting this check box is required for all Android
  Enterprise apps. For In-house apps, further options for configuring Android Enterprise display.
• Silent Install for work managed devices: (Applicable only to in-house apps) When you select this
  feature, the Android Enterprise app is silently installed on devices with a work profile. This is selected
  by default.
• Auto Update for this App: (Applicable only to public and private apps) When you select this feature,
  the app is automatically updated on users’ devices whenever a new version of the app is available on
  Google Play.
  If you select auto update, but the app fails to update on a user’s device (for example, if the device has
  an incompatible Android version), then the app may attempt to update repeatedly. The workaround
  is to deselect Auto Update this App for that app.
  If you do not select auto update, the Android Enterprise app will still be updated if the app is updated on
  the personal side of the device.
• Silent install for Mandatory Apps: (Applicable only to public and private apps) Select this check
  box to silently install the app upon device check-in. If it is deselected, the device user must
  install the app manually.
• Block Widget on Home Screen: If selected, the app cannot place widgets on the home screen on
  work profile devices. For example, calendar apps are not permitted to place calendar widgets on the
  home screen.
• Block Uninstall: Select this feature to prevent the device user from uninstalling the app.
• Quarantine app when device is quarantined: Selected by default, this enables configured
  compliance actions to hide the app if a policy violation results in a quarantined device. This is a
  required selection for Work Profile mode, Work Managed Device mode and Managed Device with
  Work Profile mode.
  A second step is required to enable this feature: configure a corresponding compliance action and
  security policy with that compliance action selected. Once the device is no longer quarantined, the
  app can be used again. If this option is deselected, the app is available for usage, even when the
  device is quarantined.
• Configure third-party app runtime permissions: Select this check box to modify runtime
  permissions for other apps.
  ◦ Applicable to public / private apps on Work Managed Device mode on Android 8.0 or newer
    versions.
  ◦ Applicable to in-house apps and public / private apps on Managed Device with Work Profile
    (COPE) on Android device versions 8-10.
  ◦ Applicable to only public / private apps on all managed Work Profiles, including Work Profiles on
    Company Owned Devices, on Android 11.0 or newer versions.
• Hide and suspend third-party apps: Select this check box to allow this app to hide / unhide,
  suspend, and remove suspension for other apps.
  ◦ Applicable to in-house and public / private apps for managed devices and Managed Devices with
    Work Profile (COPE) starting from Android 8.
  ◦ Applicable to public / private apps on managed profiles.
  ◦ Applicable to public / private apps on Work profiles Company Owned Devices starting from
    Android 11.
• Manage certificates: Select this check box to allow this app to have access to certificate APIs on the
  device.
  ◦ Applicable to in-house and public / private apps for managed devices and Managed Devices with
    Work Profile (COPE) starting from Android 8.
  ◦ Applicable to public / private apps on managed profiles.
  ◦ Applicable to public / private apps on Work Profile on Company Owned Device modes starting
    from Android 11.
Note the following:
• Run-time permission settings are supported only on Android 6.0 or newer versions.
• If an app version has new permissions that you have not yet accepted on behalf of users, an icon
  appears in the New Permissions column on the App Catalog page. Until you accept new app
  permissions on behalf of users, new app installs for newly registered devices and app updates for
  currently registered devices will not proceed.
• To assign an app as a device owner silent in-house app, you must select both the Install this app for
  Android enterprise and Silent install for Mandatory Apps check boxes. (The Ivanti Mobile@Work
  client does not consider "Mandatory" and "Silent install" options as selections for the device owner
  silent in-house app.)
• App configuration for Android Enterprise apps allows you to provide configurable options to apps.
  Details are in "App configuration for Android Enterprise apps" below.
Related topics
• “Enabling run-time permissions for Android Enterprise apps” in Ivanti EPMM Device Management
  Guide for Android and Android Enterprise devices.
• "App configuration for Android Enterprise apps" below
App configuration for Android Enterprise apps
App configurations (also referred to as app restrictions) are key-value pair settings that are provided by the
app developer. When you select the Install this app for Android enterprise check box when adding a
public app, the Configuration Choices section appears in the app wizard. Refer to the app’s documentation
and help hints for information on its configuration settings. These settings allow you to configure the app,
without involving the device user.
Ivanti EPMM supports multiple bundle definitions in a bundle array for apps that have the capability to use
this feature. For example, a VPN app may support multiple VPN configurations: click the Add New
Configuration button, enter the Profile Name and Server for a specific VPN, and optionally specify
your web log on credentials.
When using Ivanti Mobile@Work 9.6 or newer versions, Ivanti EPMM delivers app configurations using
Google Play. Therefore, the app and its app configurations are installed at the same time on the device,
avoiding the potential issue of device users launching the app before the app configurations are received.
Creating multiple app configurations
Ivanti EPMM allows you to create multiple app configurations per app:
• The default app configuration for the app is applied to devices with the same label that you applied
  to the app.
• Any additional app configuration that you can create is applied to devices with the labels you specify.
Using multiple app configurations is useful when sets of users of the app require different configuration
values. For example, consider a Human Resources app that users throughout the United States use.
However, you want the app to connect to a different server depending on a user’s region:
• Users in the Eastern region must connect to a server in the east.
• Users in the Western region must connect to a server in the west.
• Users in the Northern and Southern regions connect to a server in St. Louis.
Therefore, do the following:
• Label the app with the Human Resources label.
• Create an app configuration that specifies the server in the east, and label the app configuration with
  the Eastern Region label.
• Create an app configuration that specifies the server in the west, and label the app configuration with
  the Western Region label.
• In the default configuration, specify the server in St. Louis. Users who do not have the Eastern Region
  label or the Western Region label will use this server.
App Configuration Choices for Android public apps
Administrators can customize multiple app configurations, apply them to different labels, and determine the
configuration priorities based on the target device users' app usage needs. This is done by setting the
runtime permissions for Android devices within a selected app.
Procedure
1. After adding a new app in the App Catalog, Edit the app.
2. In the Configuration Choices section, click the Add+ button.
The New App Configuration dialog box opens.
3. Enter a Configuration Choice Name.
4. Expand the Runtime Permissions section. These Runtime permissions are available for apps targeting
API 23+ and running Android 6.0+.
5. Make your Runtime Permission selections. The default setting is Not Sent, but you can change it to
Use Default, Always Deny and Always Accept.
6. In the Apply Labels to this App Config section, search for or select your label(s) for this configuration.
7. When finished, click the Add button.
The new configuration displays in the Configuration Choices table.
• If you want to make further changes, clicking on the configuration link will open the App
  Configuration dialog box.
• Clicking the Copy icon of the configuration will make a duplicate of the selected configuration
  with the prefix "Copy of" before the original configuration name.
8. In the Edit app page, click Save.
Updates to managed app configuration schemas
If Ivanti EPMM detects a new managed app configuration schema update, Administrators will see a
notification under the Configuration Choices header in an edited app.
Procedure
1. Where it states "New configuration / Runtime Permission is now available," click the Update button.
WARNING: You could potentially lose existing configuration attribute values when you save
the new downloaded configuration. If you need to duplicate the existing schema and use the
duplicated managed app configuration to first validate the changes, click Cancel.
2. Click Download.
3. Ivanti EPMM checks if there is a change in your new managed app configuration schema and informs
you that some of your existing configurations have been translated to the new schema. Ivanti EPMM
will also inform you if there were no changes detected between the existing schema and the latest
downloaded version. Click OK.
Set managed app config settings that are required to be sent to the device
Administrators can choose the behavior for constructing managed app configurations. By default, Ivanti
EPMM pushes only settings that have valid values defined to the device or app. A new option allows
administrators to push all settings, irrespective of the value. This allows for apps with different behaviors to
be compatible with Ivanti EPMM. It is recommended to only change this setting if defaults are causing issues
with app performance. This applies to Ivanti EPMM upgrades and new installations. Applicable to Android
Enterprise and Work Managed Device Non-GMS (AOSP) mode in-house and public apps.
Before you begin
Have your managed app configurations created.
Procedure
1. In the Configuration Choices section, select the link of the configuration you want to modify. The Edit
Configuration dialog box opens.
2. In Push to device settings, choose an option:
• Only push settings with values defined - (default) Selecting this option will enable configurations
  that have a value to be pushed to the device. This means in the Configuration Choices section below,
  any defined properties, check boxes selected, etc. will be sent to the device. Values are always sent
  irrespective of whether this check box is selected or not.
• Push All Settings - Selecting this option will enable all configurations to be pushed to the device,
  including the ones that do not have a value.
  Due to specific app's behavior, if the administrator selects Push All Settings, the app may or may
  not crash. In this case, the administrator will need to select Only push settings with values
  defined.
3. Save your changes.
Priorities of app configurations
Each app configuration you create has a priority. The highest priority has the value 1 and appears at the top
of the list of configuration choices. The default configuration always has the lowest priority and appears at
the bottom of the list. Ivanti EPMM assigns a device the app configuration with the highest priority that has
a label that matches a label on the device.
You can change the priorities of app configurations by dragging and dropping them in the table of
configuration choices for the app.
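The priority rule means that a device carrying several matching labels receives only the top-most matching configuration, and that a lower configuration whose labels are all covered by higher ones is never delivered. The sketch below is an added example, not Ivanti code: AppConfig, resolve_config, shadowed_configs and the server names are hypothetical, and it assumes a device must also carry the app's label to receive any configuration.

```python
"""Model of app configuration priority, using the Human Resources example (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppConfig:
    name: str
    labels: frozenset   # labels the configuration is applied to
    server: str         # the single setting used in this illustration


def resolve_config(device_labels, app_labels, choices, default):
    """Return the configuration a device receives.

    choices is ordered as in the Configuration Choices table: priority 1 first.
    The default configuration has the lowest priority and is the fallback.
    """
    device_labels = frozenset(device_labels)
    if not device_labels & frozenset(app_labels):
        return None                      # the app is not applied to this device
    for cfg in choices:
        if cfg.labels & device_labels:   # first (highest-priority) label match wins
            return cfg
    return default


def shadowed_configs(choices):
    """Names of configurations that can never be selected because every one of
    their labels already appears on a higher-priority configuration."""
    seen = set()
    shadowed = []
    for cfg in choices:
        if cfg.labels and cfg.labels <= seen:
            shadowed.append(cfg.name)
        seen |= cfg.labels
    return shadowed


# Constructed sample data; the server names are placeholders.
APP_LABELS = frozenset({"Human Resources"})
EAST = AppConfig("East", frozenset({"Eastern Region"}), "hr-east.example.com")
WEST = AppConfig("West", frozenset({"Western Region"}), "hr-west.example.com")
DEFAULT = AppConfig("Default", APP_LABELS, "hr-stlouis.example.com")
CHOICES = [EAST, WEST]                   # East has priority 1, West priority 2

if __name__ == "__main__":
    for labels in ({"Human Resources", "Western Region"},
                   {"Human Resources", "Eastern Region", "Western Region"},
                   {"Human Resources"},
                   {"Eastern Region"}):
        cfg = resolve_config(labels, APP_LABELS, CHOICES, DEFAULT)
        print(sorted(labels), "->", cfg.server if cfg else "app not applied")
```
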
Substitution variables for configuring Android Enterprise apps
Substitution variables can be used for configuring values from LDAP or the Ivanti EPMM devices database,
such as $EMAIL$ for the email address. You can prevent deleted default field values from repopulating when
editing app configurations by entering the substitution variable $NULL$ for those values.
You may use the following variables when configuring any Android Enterprise app:
$USERID$
$EMAIL$
$PASSWORD$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UUID_NO_DASHES$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_ID$
$DEVICE_MAC$
$DEVICE_CLIENT_ID$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$MI_APPSTORE_URL$
$REALM$
$TIMESTAMP_MS$
$NULL$
$GOOGLE_AUTOGEN_PASSWORD$
Enable Google Apps Integration for the substitution to work properly.
Substitution variable for certificate aliases in Android Enterprise apps
Some Android Enterprise apps, including Gmail, Tunnel for Android Enterprise, and Pulse Secure, use
certificates generated based on a certificate enrollment setting. These apps accept certificate aliases in the
app configuration. The substitution variable to provide a certificate alias is:
$CERT_ALIAS:<certificate enrollment setting name>$ where
<certificate enrollment setting name> is the name you gave to the certificate enrollment setting.
To use a certificate with apps, in the Ivanti EPMM Admin Portal:
1. Go to Policies & Configs > Configurations.
2. Locate your certificate enrollment setting. Note its name. You will need the name for the alias
variable.
Note: The certificate enrollment setting must be created before continuing with these steps.
3. Ensure the certificate enrollment setting is assigned to a label that is also used for distributing the
apps that require the certificate.
4. Go to Apps > App Catalog.
5. Edit the app by clicking the app name, then clicking Edit.
6. Ensure that the Android Enterprise check box Install this app for Android enterprise is selected.
7. In the Configurations section, type in the certificate alias in the field that requires it:
$CERT_ALIAS:<certificate enrollment setting name>$
8. Click Finish to save your changes.
Certificate aliases are not supported for user-provided certificate enrollment settings. For more information
about Certificate Enrollment Settings, see “Certificate Enrollment Settings” in Ivanti EPMM Device
Management Guide for Android and Android Enterprise devices.
For identity certs applied to Android devices, Ivanti Mobile@Work will require a passcode for the device or
work profile, if the user has not already created one.
On Android 6.0 devices or higher, and with Ivanti Mobile@Work 9.6, identity certs will be automatically
assigned for apps. Users will not be prompted to select a certificate.
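A mistyped substitution variable or a certificate alias that points at the wrong certificate enrollment setting is easy to miss in the app wizard. The following added example (not Ivanti code) checks a set of app configuration values against the variable list and the certificate alias rules in this section; the dictionary shapes, function names and sample values are hypothetical and do not represent an Ivanti EPMM export format or API.

```python
"""Lint app configuration values against the documented substitution variables (illustration only)."""
import re

# Variable names as listed in this guide, without the surrounding dollar signs.
DOCUMENTED_VARIABLES = frozenset("""
USERID EMAIL PASSWORD FIRST_NAME LAST_NAME DISPLAY_NAME USER_DN USER_UPN
USER_LOCALE DEVICE_UUID DEVICE_UUID_NO_DASHES DEVICE_IMSI DEVICE_IMEI DEVICE_SN
DEVICE_ID DEVICE_MAC DEVICE_CLIENT_ID USER_CUSTOM1 USER_CUSTOM2 USER_CUSTOM3
USER_CUSTOM4 MI_APPSTORE_URL REALM TIMESTAMP_MS NULL GOOGLE_AUTOGEN_PASSWORD
""".split())

# $NAME$ or $NAME:argument$; the argument form is documented only for CERT_ALIAS.
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)(?::([^$]*))?\$")


def check_cert_alias(name, app_labels, cert_settings):
    """Apply the certificate alias rules; return a problem string or None."""
    if not name:
        return "CERT_ALIAS has no certificate enrollment setting name"
    setting = cert_settings.get(name)
    if setting is None:
        return "no certificate enrollment setting with this name"
    if setting["user_provided"]:
        return "certificate aliases are not supported for user-provided settings"
    if not set(setting["labels"]) & set(app_labels):
        return "certificate enrollment setting shares no label with the app"
    return None


def lint_app_config(config, app_labels, cert_settings):
    """Return (key, token, problem) for every questionable token in the values."""
    findings = []
    for key, value in config.items():
        for match in TOKEN.finditer(str(value)):
            variable, argument = match.group(1), match.group(2)
            if variable == "CERT_ALIAS":
                problem = check_cert_alias(argument, app_labels, cert_settings)
            elif variable not in DOCUMENTED_VARIABLES or argument is not None:
                problem = "not a documented substitution variable"
            else:
                problem = None
            if problem:
                findings.append((key, match.group(0), problem))
    return findings


# Constructed sample data: setting names, labels and keys are placeholders.
CERT_SETTINGS = {
    "Corp SCEP": {"labels": {"Android Enterprise"}, "user_provided": False},
    "BYO Cert": {"labels": {"Android Enterprise"}, "user_provided": True},
    "VPN SCEP": {"labels": {"Contractors"}, "user_provided": False},
}
APP_LABELS = {"Android Enterprise"}
SAMPLE_CONFIG = {
    "email_address": "$EMAIL$",
    "display": "$FIRST_NAME$ $LAST_NAME$",
    "client_cert": "$CERT_ALIAS:Corp SCEP$",
    "vpn_cert": "$CERT_ALIAS:VPN SCEP$",       # setting has no label in common
    "byo_cert": "$CERT_ALIAS:BYO Cert$",       # user-provided setting
    "old_cert": "$CERT_ALIAS:Retired SCEP$",   # setting does not exist
    "username": "$USER_ID$",                   # typo for $USERID$
    "signature": "",
}

if __name__ == "__main__":
    for key, token, problem in lint_app_config(SAMPLE_CONFIG, APP_LABELS, CERT_SETTINGS):
        print(f"{key}: {token}: {problem}")
```
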
Public and private Android Enterprise app deployment
Ivanti EPMM provides administrators with the following options for deploying apps to Android Enterprise
device users.
• Public apps: These apps are developed outside of your organization and are available to Android
  Enterprise device users from the public Google Play store. They are hosted by Google, but
  administrators can manage public apps using Ivanti EPMM.
• Private apps: These apps are available only to your organization. Private apps are hosted by Google
  and available from the Google Play Apps Catalog. They are hosted by Google, but administrators can
  manage private apps using Ivanti EPMM.
  These apps are available to only users of your domain and can be available in a non-English language
  that is supported by Ivanti, Inc. The following private apps are described below.
  ◦ Private in-house apps: These apps are developed in-house, available only to your organization
    and can be available in a non-English language that is supported by Ivanti, Inc. Private in-house
    apps are more secure because they are hosted by Ivanti EPMM (not Google), but are available
    from the Google Play Apps Catalog. The apps generate an APK definition file you upload to the
    Google Play Developer Console to use for installing the apps. These apps are not available through
    Apps@Work; see "Distributing your enterprise apps in the Google Play App catalog or in
    Apps@Work" on page 240 for details.
When the API connection in Ivanti EPMM's Access Control List is enabled, device attempts to
download private self-hosted apps from an IP address range that is not listed in that Access Control
List will be rejected. This is expected behavior. In order for devices to download private self-hosted
apps, devices must have an IP address that is on Ivanti EPMM's Access Control List.
To deploy apps see:
• "Deploying public Android Enterprise apps" on the next page
• "Deploying private Android Enterprise apps" on page 228
• "Distributing your enterprise apps in the Google Play App catalog or in Apps@Work" on page 240
Related topics
"App management action workflows" on page 40
Deploying public Android Enterprise apps
A public app is available in the public Google Play store. You can add public apps to the App Catalog using
the app wizard that helps you through all the options and configurations. You can also add public apps
using the Google Play iFrame. See "Adding an Android Enterprise public app using the app wizard" below.
Adding an Android Enterprise public app using the app wizard
Before you begin
Enable Android Enterprise in Ivanti EPMM. See "Enabling Android Enterprise" in the Ivanti EPMM Device
Management Guide for Android and Android Enterprise devices.
When adding the app, the app wizard guides you through all options and configurations of public and
private apps on Android Enterprise. In-house and self-hosted apps are applicable to Android Enterprise, but
are not configured using the app wizard.
Once Android Enterprise is installed, the Quick Import option for Google Play is disabled.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Services > Google.
2. Use the browse button to navigate to the JSON file you downloaded as part of the Android Enterprise
enrollment and then select Connect.
3. A confirmation displays stating that you have been enrolled in Google Services.
4. Go to Apps > App Catalog.
5. Click Add+.
6. Click Google Play. The Google Play store opens below displaying only Android Enterprise apps.
7. The pop-out sidebar displays three options:
• Search Play store – search for a specific app in the Google Play store. Only public apps and enterprise domain / packagename apps can be searched for. Once a private app has been uploaded, you can search for the private app.
• Private apps – allows you to import private Android apps into Google Play for Android device users to download and use.
• Web app – allows you to create a web app.
This flow is generated by Google Play and may change in the future as Google adds new features.
8. In the Search field, enter the app name and then select Search. Google Play Store displays app icons
with their names in the search results.
9. Select an app’s icon.
10. You will need to approve the app to be part of the Android Enterprise app collection for device users’
consumption. Select the Approve button. The app’s Approval Settings and Notifications dialog box
opens to the Approval Settings tab.
11. Every app requires permissions to access specific aspects of an Android phone, for example, Contacts.
As an administrator, you will need to review these permissions because you will be accepting or
revoking them on behalf of your organization. Select one of the options:
• Keep approved when app requests new permissions – permissions can change due to app updates. If this option is selected, it means the device user may not know about the access permission changes.
• Revoke app approval when this app requests new permissions – If this option is selected, when a new update has changed its access permissions, the device user will be notified of the access permissions when the app is updated. The device user must accept the new permissions; otherwise, the app will be disabled for that user.
12. Select the Notifications tab.
13. Enter the email address and then select Add to have specific people be notified that an app has been
updated. Repeat for multiple email addresses.
14. After you select Done, a confirmation email is sent to the listed person(s). The button in the
confirmation email needs to be clicked to activate the email subscription. Successful subscribers are
listed in the Notification tab of the app.
If you selected the "Keep approved when app requests new permissions" option and no
email is entered into the Notification tab, all updates are silent.
15. The app information displays with a check mark next to "Approved". If you want to review the access
permissions or notifications, select the Approval Preferences button.
16. Choose Select.
17. Select Next. Now that you have set the access permissions to the app, you can finish configuring the
app. Configurations are determined by the app developer and are key-value pairs unique to each
app.
You may need to refer to the app's documentation for how to proceed with these configurations. For
example, Ivanti EPMM supports the Knox Service Plugin app. In order to enter the configurations for
this app, you will need to access the Knox Developer documentation for Knox Service Plugin at
https://docs.samsungknox.com/dev/knox-service-plugin/index.htm?Highlight=KSP. A login may be
required to access app documentation.
18. Use the following guidelines to complete the page.
Item | Description
Application Name | Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Description | The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.
Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. Click Add New Category to define new categories. Enter a category Name (up to 64 characters). Enter a Description (up to 255 characters). In the Category Icon section, click the Replace Icon button. Browse and select an icon that will represent this Category. Click Save.
19. Click Next.
20. Use the following guidelines to complete the page.
Item | Description
Use Global App Config Policy | Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.
Feature this App in the Apps@Work catalog | If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.
Featured Banner | Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on device users' devices. The latest five apps will be picked to be part of Apps@Work Home page.
Per App VPN by Label Only | Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default. Per app VPN is not supported for MAM-only Android devices. Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
License Required | The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order: If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority. To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list. See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN. Per app VPN is not supported for MAM-only Android devices.
Install this app for Android enterprise | You must be a Global Space administrator to use this setting. Select to make public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.
21. Select Finish.
22. In the App Catalog, select the newly-added app.
23. Select Actions > Apply to Label.
24. Select the appropriate labels to make the app available to device users.
You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.
All apps that are available to be installed for Android Enterprise have the “suitcase” badge on their icon.
These apps can also be installed on non-Android Enterprise devices. For more information about labels for
Android Enterprise, see "Distributing alternate Release Tracks for Android Enterprise apps" on page 241.
Note the following:
• You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.
• Depending on the configuration of the customer's firewall, the metadata and reviews for an app selected for installation from Google Play may not be displayed.
Related topics
• "Features specific to Android Enterprise apps" on page 214
• "App configuration for Android Enterprise apps" on page 216
• "Setting up Chrome with Android Enterprise" on page 242
• “Setting up Gmail with Android Enterprise” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices
Deploying private Android Enterprise apps
The high-level steps to deploy a private Android Enterprise app are:
• "Publishing your private app on Google Play to your organization only" below
• "Adding your Android Enterprise private app using the app wizard" on the next page
• "Deploying a self-hosted app" on page 237
• "Adding new versions of an existing Android Enterprise app" on page 239
Publishing your private app on Google Play to your organization only
Before you begin
These steps are performed on Google’s websites.
1. If you are doing icon customization and plan on sharing the private app with other UEMs, your
Google Enterprise account must be registered as a Google developer.
If you are using the iFrame option via Ivanti Neurons for MDM / Ivanti EPMM, you can import
private apps without registering the Enterprise account as a developer.
2. Follow Google’s instructions to publish the app on Google Play.
3. To make the app available privately to other UEMs or organizations, please refer to this KB article:
How to share private Android Enterprise Apps with other UEMs.
Adding your Android Enterprise private app using the app wizard
This procedure covers how to add a private Android Enterprise app to the Ivanti EPMM App Catalog. In-
house apps are supported with Android Enterprise but you cannot configure them using the app wizard.
If you are adding a new version of an existing app, see "Adding new versions of an existing Android
Enterprise app" on page 239.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Add+.
3. Click Google Play. The app icons for the private apps you published to Google Play display.
If you need to update the email address associated with the app, click Update.
Select the desired app and then click Next.
4. The Choose page displays the private app's title and APK file name.
5. Click Select and then click Next.
6. The Describe page displays. Use the following guidelines to complete the page.
Item | Description
Application Name | Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Description | The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.
Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. a. Click Add New Category to define new categories. b. Enter a category Name (up to 64 characters). c. Enter a Description (up to 255 characters). d. In the Category Icon section, click the Replace Icon button. e. Browse and select an icon that will represent this Category. f. Click Save.
7. Click Next.
8. The App Configuration page displays. Use the following guidelines to complete the page.
Item | Description
Use Global App Config Policy | Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.
Feature this App in the Apps@Work catalog | If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.
Featured Banner | Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked to be part of Apps@Work Home page.
Per App VPN by Label Only | Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default. Per app VPN is not supported for MAM-only Android devices. Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
License Required | The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order: If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority. To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list. See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN. Per app VPN is not supported for MAM-only Android devices.
Install this app for Android enterprise | Selecting this option makes public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.
9. Click Finish.
10. Select the app in the App Catalog.
11. Click Actions > Apply to Label, and select the appropriate labels to make this app available to
device users.
You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.
Manually provide an app's package name
You can manually provide the package name of an Android app along with the app details.
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Add+.
3. Click Google Play. The app icons for the private apps you published to Google Play display.
4. Scroll down to the bottom of the page and select the check box for Skip this step and manually
provide Bundle ID and all app details.
5. Click Next. The Describe page displays.
Item | Description
Package Name | You must provide the app’s package name. Ivanti EPMM can upload an Android Google Play Store app that has the same package name as a public app, such as com.mobileiron.phoneatwork, that is already loaded on Ivanti EPMM. This feature is always on and does not require any configuration in the user interface.
Application Name | Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.
Min OS Version | The minimum OS version as retrieved from Google Play displays. Devices that don’t have the minimum OS version installed will not be able to install the app.
Description | The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.
Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. a. Click Add New Category to define new categories. b. Enter a category Name (up to 64 characters). c. Enter a Description (up to 255 characters). d. In the Category Icon section, click the Replace Icon button. e. Browse and select an icon that will represent this Category. f. Click Save.
6. Click Next. The App Store page displays.
Item | Description
Use Global App Config Policy | Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.
Feature this App in the Apps@Work catalog | If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.
Featured Banner | Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked to be part of Apps@Work Home page.
App Icon | Icon and Screenshots appear when editing an app entry. The icon retrieved from Google Play displays. To replace the icon, click the Replace Icon button. Select the icon to represent this app. The file must be no larger than 1024 x 1024 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. Icon height and width must be equal.
Screenshots | Icon and Screenshots appear when editing an app entry. The screenshots retrieved from Google Play are displayed. Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing. To delete a screenshot, click Remove under the screenshot.
7. Click Next. The App Configuration page displays.
Item | Description
Per App VPN by Label Only | Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default. Per app VPN is not supported for MAM-only Android devices. Ivanti does not recommend using Per App VPN with apps that utilize device spaces.
License Required | The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order: If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority. To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings. To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list. See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN. Per app VPN is not supported for MAM-only Android devices.
Install this app for Android enterprise | Selecting this option makes public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.
8. Click Finish.
9. Select the app in the App Catalog.
10. Click Actions > Apply to Label, and select the appropriate labels to make this app available to
device users.
You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.
Related topics
• "Features specific to Android Enterprise apps" on page 214
• "App configuration for Android Enterprise apps" on page 216
Deploying a self-hosted app
Self-hosted apps allow administrators to publish in-house app entries in the Google Play Apps Catalog
without uploading binaries to Google. For security reasons, self-hosted apps are hosted by Ivanti EPMM and
not Google; however, they are still available in the Google Play Apps Catalog. Self-hosted apps require the
definition of the APK location to be uploaded to Google Play. Revisions are required to be published to Google
Play, which points only to the latest version of Ivanti EPMM.
Silent install of the APK is supported only on work-managed devices. You can manually install self-hosted
apps from Google Play. You can use this feature to block or allow users to show in-house app widgets on
the home screen inside the Work Profile. By enabling the "Block Widget on Home Screen" and "Block
Uninstall" options, you can also block or allow users from uninstalling the app. This feature applies to
managed devices only.
These apps are not available for Android Enterprise device users to install from Apps@Work.
Procedure
If you are adding a new version of an existing app, see "Adding new versions of an existing Android
Enterprise app" on page 239.
1. In the Ivanti EPMM Admin Portal, select Apps > App Catalog.
2. To upload a new APK that becomes an in-house / self-hosting app:
a. Select Add+ > In-House > Browse.
b. Locate and select the app, then select Next.
c. Skip to the next step.
If you want to redefine an existing app:
a. Select the app and then select Edit.
b. Continue with the next step.
3. Scroll down to the ANDROID ENTERPRISE (ALL MODES) section.
4. Select the Install this app for Android enterprise check box.
5. Click the Download APK Definition file link. The APK definition file downloads automatically.
6. Open a new browser window and log into the Google Play Developer Console site.
7. Follow Google's steps on publishing.
• Under Distribution > Managed Google Play, make sure you have the "Privately target this app to a list of organizations" check box selected. Select Choose Organizations.
• When uploading the APK file, be sure to select the "I am uploading a configuration for an APK hosted outside of Google Play" check box.
• Go to Services > API > Licensing & in-app billing section and copy the license key.
8. Return to the Ivanti EPMM App Catalog browser window and paste the key in the App License box
provided.
Every version of that app uses the same License Key.
9. Select one or more of the following check boxes:
• Silent install for work managed devices
• Block Widget on Home Screen
• Block Uninstall
10. Click Save.
11. Select the app in the App Catalog.
12. Click Actions > Apply to Label.
13. Select the appropriate labels to make this app available to device users.
Adding new versions of an existing Android Enterprise app
When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the
app's old version information or to adopt the information from the app's new version. This feature is
applicable to Android Enterprise in-house / private / self-hosted apps.
Procedure
1. In the App Catalog, select the Add+ button.
The Add App Wizard opens.
2. Select In-House.
3. Select Browse and navigate to the in-house Android or Android Enterprise app you want to upload.
4. Select Next.
The "An earlier version of this App exists" page opens.
5. Select an option:
• Another version of this App was previously uploaded. Reuse its description, icon and screenshot. If the Description, Icon or Screenshot fields of the new app are empty, then the system will populate those fields with information from the previous app version (default).
• Upload a new description, icon or screen shot. Information related to the Description, Icon or Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied from the previous app version.
6. Select Next and finish configuring the new version of your app (see "Adding your Android Enterprise
private app using the app wizard" on page 229).
Once finished, the new version displays in the App Catalog.
Distributing your enterprise apps in the Google Play App catalog or in Apps@Work
By default, Android Enterprise apps are distributed from a managed Google Play. However, you can opt to
distribute the apps from Apps@Work.
Use these steps to set up your distribution choice for your enterprise apps:
• If you selected Google Play, in Google Play App Catalog section:
Select Yes to use a layout based on the characteristics of apps in this instance of Ivanti EPMM. The
apps are presented in Google Play using the categories and featured apps as you defined for each
app in the App Catalog. Apps added recently to the App Catalog are presented in a “What’s New” list.
Select No (the default) to use a basic layout in Google Play. In this layout, the apps are presented in
alphabetical order in a single list.
Note the following:
◦ If more than one Ivanti EPMM instance is publishing with Google Play, you will be sending redundant (possibly conflicting) layouts to Google. This does NOT affect the distribution of apps, only the layout visible in Google Play.
◦ The Google Play layout definition is based on the Android Enterprise apps available on the Ivanti EPMM that you marked as primary on help.mobileiron.com when setting up your Android Enterprise enrollment. If you have multiple Ivanti EPMMs that use the same enterprise account, the devices registered to users in each Ivanti EPMM receive the same layout. This layout can be consistent only if one Ivanti EPMM is set to publish the layout. If multiple Ivanti EPMMs are marked as the primary Ivanti EPMM, then they will attempt to publish the layout and cause the layout to become unstable.
1. Make sure your device is set up for Android Enterprise. See “Enabling Android Enterprise for your
enterprise” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
2. In the Ivanti EPMM Admin Portal, in Services > Google, in Enterprise Apps Distribution, choose
either Google Play or Apps@Work.
3. If you change the setting, click Apply.
Updates to the Google Play App catalog may take several minutes to take effect.
Related topics
• "Deploying public Android Enterprise apps" on page 223
• "Deploying private Android Enterprise apps" on page 228
Distributing alternate Release Tracks for Android Enterprise apps
For Android Enterprise 10.4.0.0 or newer versions, this feature works for private and public Android apps,
and Android Enterprise apps. Any public app whose developer has allowed Android Enterprise access to
its tracks will work. You can deploy numerous versions of private apps to allow rapid and flexible
deployment of different builds of the same app to different groups.
In Ivanti EPMM versions below 10.4.0.0, there were three static options (Alpha, Beta, Production) that you
could select from in the list of releases (Track ID) defined by the developer who uploaded the application to
Google Play. Upon upgrade to Ivanti EPMM 10.4.0.0, Ivanti EPMM supports as many tracks as the app
developer published and assigned to the enterprise. This list is dynamically retrieved from Google Play and
displays in the release column of the Add to Label dialog box. Ivanti EPMM uses the Track IDs to specify
which track to use, but for administrators, Ivanti EPMM displays the track aliases. As the list can include new and
different Track aliases, during the upgrade to 10.4.0.0, Ivanti EPMM will try to match existing Track IDs, but if
there is no Track ID match, Ivanti EPMM will assign the track to Production.
If a device is assigned to multiple Track IDs, all Track IDs will be sent to the device and Google will choose
the highest available track to use. Since the tracks are set by label, it's possible for a device to belong to
multiple labels getting multiple Track IDs for the same app.
Before you begin
• Select Android Enterprise apps to be used in the Ivanti EPMM Admin Portal.
• Identify one or more private apps administrators want to deploy to users within their organization.
• Set up separate labels to include alpha users and beta users.
• Verify that your in-house app developers have whitelisted the alpha and beta apps for distribution to your enterprise using the Google enterprise ID for Ivanti EPMM as the target organization.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Select one of the Android Enterprise-enabled apps you want to add to an alpha or beta label.
3. Click Actions > Apply to label.
4. Select one or more labels.
5. Go to the Release column and click inside the cell to enable the drop down option.
6. Select Alpha, Beta, Production (default) or an alternate option as per Google's dynamically-updated
list.
Ivanti EPMM only displays the track aliases for the tracks that are possible for the app for
that enterprise. It does not have to be Alpha or Beta.
7. Click Apply.
At the next sync, the specified track is downloaded to the designated devices. If multiple labels
applied to a device introduce conflicts, label priority applies the highest version in the following
order: Alpha, Beta, then Production.
Related topics
• "Deploying public Android Enterprise apps" on page 223
• "Deploying private Android Enterprise apps" on page 228
Setting up Chrome with Android Enterprise
You can deploy Google Chrome to Android Enterprise devices if you have set up Ivanti EPMM for Android
Enterprise.
Add Chrome to the App Catalog on Ivanti EPMM as you would any Android Enterprise app. That is, in the
Ivanti EPMM Admin Portal, in Apps > App Catalog, add Gmail from Google Play. When adding it, be sure to
select Install this app for Android enterprise.
When you add the Chrome app, its app configurations are displayed in the Configuration Choices section.
Google documents these settings at https://www.chromium.org/administrators/policy-list-3.
The value of the ManagedBookmarks configuration must be in JSON format. For example:
[{"toplevel_name": "Ivanti bookmarks"}, {"url": "http://ivanti.com", "name": "Ivanti"},
{"url": "youtube.com", "name": "Youtube"}, {"name": "Chrome links",
"children": [{"url": "chromium.org", "name": "Chromium"},
{"url": "dev.chromium.org", "name": "Chromium Developers"}]}]
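A pre-flight check for a ManagedBookmarks value before it is pasted into the app configuration, as an added example that is not part of the Ivanti guide or of Chrome. The function names and the structural rules (inferred from the shape of the example above) are assumptions, as is the choice to report cleartext or scheme-less URLs as warnings.

```python
import json
from urllib.parse import urlsplit

# Typographic quotes that word processors and PDF exports substitute for ASCII quotes.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# The example from this guide, typed with ASCII quotes (constructed sample input).
PAGE_EXAMPLE = """
[{"toplevel_name": "Ivanti bookmarks"}, {"url": "http://ivanti.com", "name": "Ivanti"},
 {"url": "youtube.com", "name": "Youtube"}, {"name": "Chrome links",
  "children": [{"url": "chromium.org", "name": "Chromium"},
               {"url": "dev.chromium.org", "name": "Chromium Developers"}]}]
"""


def check_managed_bookmarks(raw):
    """Return (errors, warnings) for a ManagedBookmarks configuration value."""
    errors, warnings = [], []
    # Curly quotes make the value unparseable; report them before the JSON error.
    found = sorted({ch for ch in raw if ch in SMART_QUOTES})
    if found:
        errors.append("typographic quotes present: " + " ".join(found))
        return errors, warnings
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        errors.append(f"not valid JSON: {exc.msg} at position {exc.pos}")
        return errors, warnings
    if not isinstance(data, list):
        errors.append("top level must be a JSON array")
        return errors, warnings
    _check_entries(data, "$", True, errors, warnings)
    return errors, warnings


def _check_entries(entries, path, top, errors, warnings):
    # Assumed rules: an entry is a toplevel_name marker, a bookmark (name + url)
    # or a folder (name + children), matching the example in the guide.
    for i, entry in enumerate(entries):
        where = f"{path}[{i}]"
        if not isinstance(entry, dict):
            errors.append(f"{where}: entry must be a JSON object")
            continue
        if "toplevel_name" in entry:
            if not top:
                errors.append(f"{where}: toplevel_name is only valid at the top level")
            elif not isinstance(entry["toplevel_name"], str):
                errors.append(f"{where}: toplevel_name must be a string")
            continue
        if not isinstance(entry.get("name"), str) or not entry["name"]:
            errors.append(f"{where}: missing or empty name")
        if ("url" in entry) == ("children" in entry):
            errors.append(f"{where}: needs exactly one of url or children")
            continue
        if "children" in entry:
            if isinstance(entry["children"], list):
                _check_entries(entry["children"], where + ".children",
                               False, errors, warnings)
            else:
                errors.append(f"{where}: children must be a JSON array")
        else:
            _check_url(entry["url"], where, errors, warnings)


def _check_url(url, where, errors, warnings):
    if not isinstance(url, str) or not url.strip():
        errors.append(f"{where}: url must be a non-empty string")
        return
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        warnings.append(f"{where}: url '{url}' has no explicit scheme")
    elif scheme == "http":
        warnings.append(f"{where}: url '{url}' is cleartext http")
    elif scheme != "https":
        warnings.append(f"{where}: url '{url}' uses scheme '{scheme}'")


if __name__ == "__main__":
    errs, warns = check_managed_bookmarks(PAGE_EXAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run against the guide's own example, the check passes structurally but flags the `http://ivanti.com` entry and the three entries that carry no scheme.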
Managing apps on Windows devices
This chapter provides topics on how to manage apps on Windows devices, including:
• "Setting up certificate authentication" below
• "Distributing apps for Windows 10 Desktop devices" on page 248
• "Distributing apps for Windows 8.1 Phone devices" on page 251
• "App inventory on Windows 10 desktop devices" on page 252
• "Application scheduling" on page 255
• "Restricting applications on Windows devices" on page 256
• "Working with apps" on page 262
• "Adding in-house apps to the App Catalog" on page 264
• "Adding third-party apps to the App Catalog" on page 266
• "Deploying apps" on page 268
• "Editing in-house app information" on page 268
• "Application dependency deployment" on page 271
• "Editing third-party app information" on page 272
• "Updating apps in the App Catalog" on page 272
• "Deleting apps from Ivanti EPMM" on page 273
Ivanti EPMM does not support Windows MAM-only devices.
Setting up certificate authentication
This section provides the required steps to set up a new dedicated local certification authority (local CA),
provision its public certificate to Windows 10 devices (making it trusted), and configure certificate
enrollment for Windows 10 devices. If Apps@Work finds a suitable device certificate to use for
authentication, Apps@Work uses it instead of asking the user for a password.
Implement the work flow in the following order:
1. "Add a new local certification authority" below
2. "Create a label for all Windows 10 devices" on the next page
3. "Provision the CA certificate to all Windows 10 devices" on page 246
4. "Create a label for Windows 10 Desktop devices" on page 246
5. "Distribute device certificates to Windows 10 Desktop devices" on page 247
6. "Enable use of device certificates for Apps@Work authentication" on page 248
This cert is only used for Apps@Work and not for VPN, email, or any other profile. When the cert is
used for Apps@Work, it is converted to a cert that can only be used with the app.
Add a new local certification authority
This section supports a local CA. Other certification authorities such as Entrust, Microsoft NDES or
Symantec Managed PKI are not supported.
To add a new local certification authority:
1. In the Ivanti EPMM Admin Portal, go to Services > Local CA.
2. Select Add > Generate Self-Signed Cert.
3. Enter the following configuration:
• Local CA Name: Contoso CA (we are using Contoso as an example in this
documentation; replace Contoso with your company name)
• Key Type: RSA
• Key Length: 2048
• CSR Signature Algorithm: SHA256
• Key Lifetime (in days): 3650
• Issuer Name: CN=Contoso CA
4. Click Generate.
5. Enter the following configuration:
• Hash Algorithm: SHA256
• Minimum Key Size Allowed: 2048
• Key Lifetime (days): 365
6. Keep other default values and click Save.
7. Click the View Certificate link.
8. Copy the base64-encoded public certificate (including the text -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE----- delimiters).
9. Paste it to your text editor and save it to a file named Contoso.cer.
You will use it in "Provision the CA certificate to all Windows 10 devices" on the next page.
10. Click Close.
Create a label for all Windows 10 devices
If you already have a label for all Windows 10 devices, skip this section.
To create a label for all Windows 10 devices:
1. In the Ivanti EPMM Admin Portal, go to Devices & Users > Labels.
2. Click Add Label.
3. Select or enter the following values:
• Label name: Windows 10
• Common fields: Platform Name
• Operator: Equals
• Value: Windows 10
4. Verify that the expression is valid (with a green check mark).
It should look like this: "common.platform_name" = "Windows 10"
5. Click Save.
Provision the CA certificate to all Windows 10 devices
After creating a new self-signed (untrusted) CA in "Add a new local certification authority" on page 244, you
will provision its public certificate to all Windows 10 devices to make it trusted in this step. Without it the
devices will not use the provisioned device certificates.
To provision the CA certificate to all Windows 10 devices:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > Certificate.
3. Enter name Contoso CA.
4. Click Browse next to File Name.
5. Click Save > OK.
6. Select the newly created CERTIFICATE setting and apply it to the Windows 10 label you created
earlier.
7. Click OK to confirm provisioning was successful.
Create a label for Windows 10 Desktop devices
If you already have a label for all Windows 10 Desktop devices, skip this section.
To create a label for Windows 10 Desktop devices:
1. In the Ivanti EPMM Admin Portal, go to Devices & Users > Labels.
2. Click Add Label.
3. Select or enter the following values:
• Label name: Windows 10 Desktop
• Common fields: Platform Name
• Operator: Equals
• Value: Windows 10
• Phone: False
4. Verify that the expression is valid (with a green check mark).
It should look like this: "common.platform_name" starts with "Windows 10" AND
"windows_phone.wp_phone" = false
5. Click Save.
Distribute device certificates to Windows 10 Desktop devices
Now that the new certification authority is trusted, you can distribute device certificates to Windows 10
Desktop devices. Apps@Work for Windows 10 expects that the certificate subject is the device UUID. The
device UUID value is also provisioned by MDM to Apps@Work to find the certificate.
To distribute device certificates to Windows 10 Desktop devices:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > Certificate Enrollment > Local.
3. Enter or select the following values for configuration:
• Name: Contoso Windows Certificate Authentication
• Radio Button: Device Certificate
• Local CAs: Contoso CA
• Subject: CN=$DEVICE_UUID$
• Key Usage: Signing and Encryption (check both)
• Key Length: 2048
• CSR Signature Algorithm: SHA256
4. Click Issue Test Certificate.
5. Verify that the values in the test certificate are correct.
6. Click OK > Save.
7. Select the newly created SCEP setting and apply it to the Windows 10 Desktop label.
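The checks below are an added example, not Ivanti tooling: they test a PEM certificate file against the values used in this workflow (both delimiter lines present, RSA 2048, SHA256, the expected subject) and confirm that a device certificate chains to the local CA. It assumes the OpenSSL command line is installed; the throwaway CA and device certificate, the UUID, the function names and every file name except Contoso.cer are constructed for the example.

```shell
#!/bin/sh
# Added example, not Ivanti code. Keys, UUID and file names are constructed.

MIN_RSA_BITS=2048                        # Key Length / Minimum Key Size Allowed
EXPECTED_SIG="sha256WithRSAEncryption"   # assumption: OpenSSL's name for SHA256 on an RSA key
SAMPLE_UUID="00000000-0000-4000-8000-000000000001"   # constructed device UUID

# check_cert FILE EXPECTED_SUBJECT
# Succeeds only if FILE is a complete PEM certificate whose subject, RSA key
# size and signature algorithm match the values entered in the portal.
check_cert() {
    file=$1
    want=$2
    # A copy and paste that drops a delimiter line leaves an unusable file.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file" ||
       ! grep -q -- '-----END CERTIFICATE-----' "$file"; then
        echo "FAIL $file: PEM delimiter missing"; return 1
    fi
    text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) ||
        { echo "FAIL $file: not a parseable certificate"; return 1; }
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    [ "$subject" = "$want" ] ||
        { echo "FAIL $file: subject is '$subject', expected '$want'"; return 1; }
    [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] ||
        { echo "FAIL $file: RSA key is ${bits:-0} bits"; return 1; }
    [ "$sig" = "$EXPECTED_SIG" ] ||
        { echo "FAIL $file: signature algorithm is $sig"; return 1; }
    echo "OK   $file: $subject, $bits-bit RSA, $sig"
}

# issued_by CA_FILE CERT_FILE
# Succeeds if OpenSSL can build a valid chain for CERT_FILE using CA_FILE.
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_constructed_certs DIR
# Builds a throwaway "Contoso CA" and one device certificate in DIR so the
# checks run offline. These stand in for the portal-issued certificates.
make_constructed_certs() {
    out=$1
    cat > "$out/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Contoso CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/Contoso.cer" \
        2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SAMPLE_UUID" \
        -config "$out/ca.cnf" -keyout "$out/device.key" -out "$out/device.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$out/device.csr" -CA "$out/Contoso.cer" \
        -CAkey "$out/ca.key" -CAcreateserial -sha256 -days 365 \
        -out "$out/device.pem" 2>/dev/null || return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_constructed_certs "$dir" ||
        { echo "openssl could not build the sample certificates"; return 1; }
    check_cert "$dir/Contoso.cer" "CN=Contoso CA" || true
    check_cert "$dir/device.pem" "CN=$SAMPLE_UUID" || true
    issued_by "$dir/Contoso.cer" "$dir/device.pem" &&
        echo "OK   device.pem was issued by Contoso.cer"
    # Failure case: the pasted file lost its END CERTIFICATE line.
    sed '$d' "$dir/Contoso.cer" > "$dir/truncated.cer"
    check_cert "$dir/truncated.cer" "CN=Contoso CA" || true
    rm -rf "$dir"
}

demo || true
```

To run the same checks on real data, point check_cert and issued_by at your saved Contoso.cer and at a device certificate you have as a PEM file.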
Enable use of device certificates for Apps@Work authentication
The last step is to enable use of certificates for authentication. Under the hood we are changing Apache
configuration by adding the local CA created in the first paragraph to the list of accepted authorities.
To enable use of device certificates for Apps@Work authentication:
1. In the Ivanti EPMM Admin Portal, go to Settings > System Settings > Windows > Certificate
Authentication.
2. Check Enable client certificate authentication.
3. Select Contoso Windows Certificate Authentication certificate enrollment configuration.
4. Click Save.
Distributing apps for Windows 10 Desktop devices
Before you distribute in-house or third-party apps for Windows 10 Desktop devices, ensure that:
• Apps are signed with a publicly trusted certificate issued by a CA.
• The devices are sideload enabled.
Certificates
We strongly recommend that in-house or third-party apps for Windows devices (8.1) are signed with a
publicly trusted certificate issued by a Certificate Authority (CA). The CA’s root certificate must be supported
by the Windows OS. Signing with a publicly trusted certificate eliminates any additional steps by the device
user.
We do not recommend signing apps with a self-signed certificate, as this will require the device user to
perform additional steps before you can distribute the apps.
Sideloading keys
This feature is supported for Windows Phone 8.1 only.
Typically, apps for Windows devices are signed and available only through the Windows Store. However,
in-house and third-party apps can be made available through a process called sideloading. Each Windows
device must be sideload-enabled. You sideload-enable a device with sideload activation keys that you get
directly from Microsoft.
For information about sideloading product activation keys, see
https://licensingapps.microsoft.com/product-activation-results?Category=Applications
For information about sideload enabling devices see
http://technet.microsoft.com/en-us/library/hh852635.aspx
The previous URLs are not controlled by Ivanti and cannot be guaranteed to work or point to the correct
page. They are provided here as a guide.
Pushing sideload activation keys
You can now push sideload activation keys to Windows devices (8.1) from Ivanti EPMM Version 7.1. Sideload
activation keys are required to sideload-enable a Windows device (8.1). This in turn allows you to sideload
apps to the device.
Before you Begin
You must get the sideload activation key directly from Microsoft.
Configuration tasks
1. Adding the sideloading activation keys to Ivanti EPMM.
2. Applying the sideloading activation keys configuration to a label.
Adding the sideloading activation key to Ivanti EPMM
To add the sideloading activation keys to Ivanti EPMM:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > Windows > Sideloading Key.
3. Use the following guidelines to fill the form:
Field            Description
Name             Enter a name for the configuration.
Description      Enter a description.
Sideloading key  Enter or copy and paste the sideloading key you received from Microsoft.
4. Click Save.
Applying the sideloading key configuration to a label
To apply the sideloading key configuration to a label:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Select the sideloading key configuration.
3. Click Actions > Apply to Label.
4. In the Apply to Label dialog box, select the label.
5. Click Apply. The sideloading key is pushed to the devices in the label when the device checks in with
Ivanti EPMM.
Pushing the AET to Windows 8.1 Phone devices
If you are uploading third-party apps for distribution through Ivanti EPMM, you must also upload the AET
(.aetx file) associated with the Symantec Enterprise Certificate used to sign the app. See "Pushing the AET to
Windows 8.1 Phone devices" above.
Follow these steps to push the token to Windows 8.1 Phone devices:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > Windows > Enrollment Token (AET) (Windows Phone Only) to open the New
Application Enrollment Token dialog box.
3. Enter a Name and Description for the AET.
4. Click Browse to locate and select the AET file.
This is a .aetx file.
5. Click Save.
6. In the Configurations page, select the AET.
7. Click Actions > Apply to Label and select the appropriate label.
The AET is pushed to the devices to which the label is applied.
Distributing apps for Windows 8.1 Phone devices
This section describes the certificates and tokens required for distributing in-house apps for Windows
Phone (8.1) devices only.
After registration, the Windows Phone device is in Verified state. The device state changes to Active
after the device checks in with Ivanti EPMM for the first time. This may take approximately ten
seconds and up to one minute after registration. If the device user logs into the Apps@Work app
before the device changes to Active state, the user will not be able to sign into Apps@Work
because Ivanti EPMM is not yet associated with the device.
Certificates and tokens for in-house apps for Windows Phone devices
Before distributing in-house apps for Windows Phone devices, you must do the following:
1. Review the certificates and tokens required for in-house apps for devices at:
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943.aspx
2. Create a Windows Phone Dev Center account at
http://msdn.microsoft.com/en-us/library/windowsphone/help/jj206719.aspx
The next step requires the Publisher ID for your company that is provided when you created the Dev
Center account.
3. Get an enterprise mobile code signing certificate from Symantec at
https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do
Export the certificate in PFX format and be sure to export the private key with the certificate.
You will sign your in-house app with the Symantec Enterprise Certificate. This is required for WP8
devices.
4. Generate the application enrollment token (AET) using the AETGenerator tool provided by the
Windows Phone SDK 8.0.
For more information see
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj735576.aspx
You upload the Application Enrollment Token (AET), which is an *.aetx file, to Ivanti EPMM. See "Pushing the
AET to Windows 8.1 Phone devices" on page 250.
App file specifications for Windows Phone devices
The following file specifications apply to in-house apps for Windows Phone devices (WP8.1).
TABLE 1. APP FILE SPECIFICATIONS FOR WINDOWS DEVICES
Item          Format                 Size                              Number
App           XAP, APPX, APPXBUNDLE  100 MB maximum
Icon          PNG                    99x99 pixels maximum              One per app.
Screen shots  PNG                    480x800 pixels OR 480x854 pixels  Up to four per app.
App inventory on Windows 10 desktop devices
The inventory interval settings define how often Ivanti EPMM checks the app inventory on secured Windows
10 devices.
By default, you will not see the full apps inventory list in the devices details page (Devices & Users
> Devices > Apps tab). To see the full list, edit the Default Privacy Policy settings in Policy &
Configs > Policies > Add New > Privacy > Apps by changing App Catalog apps to All apps.
Impact of App inventory options
App inventory, for each device, can be 20-40 MB, which can affect performance depending on how this
feature is configured. When intervals do not match up with device check-in settings, the timing for checking
the app inventory is deferred to the next scheduled device check-in time period to avoid excess syncs.
For example, assume the Device Checkin setting is set to the default of 4 hours and the Inventory
Interval settings are all set to 6 hours. The second app inventory sync will take place when the device
next checks in (in 8 hours).
If an administrator initiates a Force Device Check-in, an inventory request is synced, reporting the
installed apps in Ivanti EPMM, independent of the Inventory Interval schedule. Every FDC resets the
timer for the next inventory request.
App inventory intervals
This feature is disabled, by default. When enabled, the default time interval is 12 hours (all intervals are in
hours). Use this feature to configure inventory interval settings for the following applications:
• App Store
• Non Store
• System
• Win32
How to configure inventory intervals for apps
To configure inventory intervals for apps on Windows 10 devices:
1. In the Ivanti EPMM Admin Portal, go to Settings > Preferences.
2. Scroll down to the Windows 10 Inventory Configuration Settings section.
3. Enter a number (in hours) for one or more types of apps for which you want to take inventory.
The options are:
App Store Inventory Interval
Non App Store Inventory Interval
System Inventory Interval
Win32 Inventory Interval
A Non Store app is any app that is not a system app or downloaded from the App Store (such
as an in-house app).
4. Click Save.
How to turn on or off inventory intervals for apps
To turn on inventory intervals for apps on Windows 10 devices:
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policy.
2. Select Default Privacy Policy and in the Policy Details pane, click Edit.
3. The Modify Privacy Policy dialog box opens.
4. Scroll to the Windows 10 Inventory group.
5. Click Enabled to check app inventory on the devices or Disabled to turn off the inventory sync.
6. Click Save.
The default policy disables all app types.
How to view the app inventory
To view app inventory on Windows 10 devices:
1. In the Ivanti EPMM Admin Portal, go to Apps > Installed Apps.
2. Select Windows in the left pane and then click Search to see a list of installed apps based on the
configurations you set for secure Windows 10 devices.
3. If you have configured an inventory interval and turned on the feature, you will see a list of apps in
the window.
App inventory is pulled from the device the first time the device is enrolled.
Application scheduling
Windows 10 Desktop applications can be large, adding extra and extended load on networks and servers
during key use times for the enterprise. This feature allows you to schedule a time to install applications,
especially large applications, on devices during a time you choose. You can schedule the following types of
applications:
• UWP
• MSI Wrapped Win32
• Win32
• Store
• Appx/appx bundle/AET token
• .EXE
Note the following:
• BSP apps sync to Ivanti EPMM only after 5-6 hours. Then it follows a manual sync or follows the
configured BSP Sync Interval.
• If a new application is purchased on BSP portal, it is synced on to Ivanti EPMM only after 24 hours. You
can update the installation schedule for these BSP applications.
• Devices should be AAD enrolled for BSP applications and Store applications.
• The following procedure describes how to schedule application deployment when adding an
application to the App Catalog. If you want to schedule deployment for an application already in the
App Catalog, open the application, click Edit, then go directly to "Uncheck the Feature this App in the
Apps@Work catalog option." on the next page
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > App Catalog > Add+ > In-House.
2. Browse for and upload one of the following types of applications:
• UWP
• MSI Wrapped Win32
• Win32
• Store
• Appx/appx bundle/AET token
• .EXE
3. Complete the wizard to add the application to the App Catalog.
4. Uncheck the Feature this App in the Apps@Work catalog option.
5. Check Silent Upgrade/Install and Schedule Installation.
6. Select a Start Time and an End Time.
All times are local to where the device is located.
7. Click Save.
Restricting applications on Windows devices
Ivanti EPMM allows administrators to restrict specified applications on Windows devices using one of the
following two approaches:
• Exclude (blacklist) - specifying applications to block, allowing all other applications on devices.
• Include (whitelist) - specifying applications and system to allow on devices, blocking all other
applications not on the list.
The following topics describe how to restrict applications on Windows devices:
• "Restricting applications on Windows 10 Desktop devices" on the next page
• "Restricting applications on Windows 10 Mobile devices" on page 260
• "Restricting applications on Windows Phone 8.1 devices" on page 261
The figure below is an example of setting up a Whitelist App Control rule for Windows 10 Desktop, Windows
10 Mobile, and Windows Phone 8.1 devices.
FIGURE 1. SETTING UP A WHITELIST FOR WINDOWS DEVICES
Restricting applications on Windows 10 Desktop devices
The following procedures create a rule (called Whitelist) that allows device users to use only the specified
applications, and no other applications. To include or exclude apps to security policies for Windows 10
Desktop devices, you can select:
• Publisher/PFN Equals to use the dynamic lookup feature
PFN is the Product Family Name of the application.
• EXE/Win32 Equals to use the application name
This section provides information on:
• "Using the dynamic lookup tool to restrict applications on devices" on the next page
• "Using the application name to restrict applications on devices" on page 259
• "Blocking applications from Windows 10 Desktop devices" on page 259
Using the dynamic lookup tool to restrict applications on devices
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > App Control > Add.
2. Enter Whitelist in the Name field as the name of the rule.
3. Select Allowed for the Type option.
Select Disallowed to block an application (blacklist).
4. Select Publisher/PFN Equals from the App drop-down.
PFN is the Product Family Name of the application.
5. Leave the App Identifier/Name field blank.
6. Select Windows from the Device Platform drop-down.
7. Click the Windows icon to open the Windows Store Search window.
The Windows icon is next to the red minus (-) icon to the right of the Rule Entries list.
8. Click the Windows 10 option at the top of the search window.
• The Windows 10 option searches applications from the Windows 10 store, which supports both
Windows 10 Phone and Windows 10 Desktop devices.
• The Windows Phone option searches applications from the Windows Phone 8.1 store.
9. Enter an application name and click Search.
10. Locate the application and click the Select button to automatically insert the PFN into the App
Identifier/Name field in the Add App Control Rule window.
11. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
12. Click Save.
Using the application name to restrict applications on devices
Procedure
1. In the Ivanti EPMM Admin Portal, select Apps > App Control > Add.
2. Enter Whitelist in the Name field as the name of the rule.
3. Select Allowed for the Type option.
Select Disallowed to block an application (blacklist).
4. Select EXE/Win32 Equals from the App drop-down.
5. Enter the name of the application (Notepad+, for instance) in the App Identifier/Name field.
6. Select Windows from the Device Platform drop-down.
7. (Optional) Click the green plus (+) icon to add more applications to the rule, as necessary.
8. Click Save.
Blocking applications from Windows 10 Desktop devices
When you block an application after it is already in use and installed from the Microsoft Store, the
application will continue to run until users close it. When users open a blocked application, Windows
displays a message on the device informing users that the application has been blocked by their system
administrator. Ivanti EPMM sends instructions to the OS to block the specified application(s).
When users try to install a blocked application from the Microsoft Store, they see a message that the
application has been blocked due to company policy.
Procedure
To apply an App Control rule to a security policy:
1. Go to Policies & Configs > Policies.
2. Select Default Security Policy and in the Policy Details pane, click Edit.
3. In the Modify Security Policy dialog box, scroll to the For Windows Devices section in the Access
Control group.
4. Select the check box next to Application Restrictions and select Blacklist from the drop-down.
5. Click Save.
Restricting applications on Windows 10 Mobile devices
Procedure
1. Go to Apps > App Control.
2. Click Add. The Add App Control Rule dialog box opens.
3. In the Name field, enter Whitelist as the name of the rule.
4. In the Type field, select Allowed. Select Disallowed to create a Blacklist and block an application.
5. In the App drop-down, select MS Store GUID Equals.
6. Leave the App Identifier/Name field blank.
7. In the Device Platform drop-down, select Windows.
8. Click the Windows icon to open the Windows Store Search dialog box. (The Windows icon is next to
the red minus (-) icon to the right of the Rule Entries list.)
9. Click the Windows 10 option.
• The Windows Phone option searches applications from the Windows Phone 8.1 store.
• The Windows 10 option searches applications from the Windows 10 store, which supports both
Windows 10 Phone and Windows 10 Desktop devices.
10. Enter an application name (Notepad+, for example) and click Search.
11. Locate the application and click the Select button to automatically insert the GUID into the App
Identifier/Name field in the Add App Control Rule dialog box.
12. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
13. Click Save.
Restricting applications on Windows Phone 8.1 devices
Procedure
1. Go to Apps > App Control.
2. Click Add. The Add App Control Rule dialog box opens.
3. In the Name field, enter Whitelist as the name of the rule.
4. In the Type field, select Allowed. Select Disallowed to create a Blacklist and block an application.
5. In the App drop-down, select MS Store GUID Equals.
6. Leave the App Identifier/Name field blank.
7. Select Windows Phone from the Device Platform drop-down.
8. Click the Windows icon to open the Windows Store Search dialog box. (The Windows icon is next to
the red minus (-) icon to the right of the Rule Entries list.)
9. Click the Windows Phone option.
10. Enter an application name and click Search.
11. Locate the application and click the Select button to automatically insert the PFN into the App
Identifier/Name field in the Add App Control Rule dialog box.
12. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
13. Click Save.
Upgrading from Windows Phone 8.1 devices to Windows 10 Mobile devices
When using the newer API, not all applications will appear in the store. The applications called
Settings Apps and Inbox, or those applications that are default applications on the device, will not
display in the store. To look up those applications, visit
https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp#inboxappsandcomponents .
The link includes the tool Microsoft provides for golden device reviewing. Not all of the GUIDs in the
Microsoft store point to the actual application on the device. Ivanti, Inc and Microsoft recommend
you create a golden device and use that tool to review the actual GUIDs needed.
For customers who are upgrading from Windows 8.1 to Windows 10, it is important to add both the
Windows 10 and Windows 8.1 rules before upgrading. Failing to do so could cause the device to
become unresponsive.
IMPORTANT: Take the following precautions, if you upgrade from Windows Phone 8.1 devices to Windows
10 Mobile devices and you use an application restriction rule on your Windows Phone 8.1 devices:
1. Prior to upgrading, remove your 8.1 based restriction rule.
2. After upgrading, apply an application restriction rule to the device using the new Windows 10 Mobile
Rules.
3. After upgrading, manually create rules for all applications that used PFN to use GUIDs.
If you want to whitelist the Apps@Work application, you can find its GUID under the App Catalog
detail page.
Working with apps
Ivanti EPMM allows you to distribute and track in-house and third-party apps to your managed devices. You
can add the apps for Windows Phone devices (WP8.1) from the following sources:
• Ivanti EPMM (in-house apps)
• Windows Store (third-party apps)
You can distribute and track in-house and third-party apps to your managed devices. These apps are listed
on your managed Windows Phone devices running Apps@Work in the following screens:
• Company apps (in-house apps)
• Recommended (third-party apps)
• Featured apps (in-house and third-party apps)
The App Catalog
The App Catalog is a centralized location for the apps you want to manage for your users. By importing
apps into the App Catalog, you can make the apps available for users to download to their devices.
You can provide device users with links to recommended Windows apps on the Microsoft Store, or links to
internally developed apps they can download from Ivanti EPMM using Apps@Work on their device.
Use the App Catalog to:
• Add, configure, and remove managed apps
• Install and uninstall managed apps to devices using labels
• Group apps into categories to be displayed in Apps@Work on the device
The App Catalog also allows you to view app details at a glance, such as the app name, size, and version
number, the labels to which the app is applied, the origins of the app (public or in-house), and the number
of devices to which the app is installed.
Company apps
In-house apps are installed from Ivanti EPMM and have been developed and distributed by your company.
They are called In-house apps in the Ivanti EPMM Admin Portal and Company apps on your managed
Windows Phone devices running Apps@Work. Upload these apps to the App Catalog from Ivanti EPMM
Admin Portal > Apps > App Catalog > In-house.
In-house apps are removed from the device when the device is un-enrolled from device management.
Recommended apps are not removed.
Recommended apps
Third-party apps are installed from the Microsoft Store for Windows and Windows Phone devices and are
served from public sources. They are imported to the App Catalog from the Windows Store. Import these
apps to the App Catalog from Ivanti EPMM Admin Portal > Apps > App Catalog > Windows.
The Ivanti EPMM administrator adds selected third-party apps to the App Catalog, which are made available
to devices based on the labels applied. An app is downloaded by device users when they select the
Apps@Work app on their devices.
Recommended apps are not removed from the device when the device is un-enrolled from device
management.
If you are uploading third-party apps for distribution through Ivanti EPMM, you must also upload the AET
(.aetx file) associated with the Symantec Enterprise Certificate used to sign the app. See "Pushing the AET to
Windows 8.1 Phone devices" on page 250.
Featured apps
When adding apps to the App Catalog, you can designate an in-house or third-party app as a featured app.
These apps are listed on the Apps@Work featured apps screen on managed devices.
Adding in-house apps to the App Catalog
Use the following steps to add apps to the App Catalog with the app wizard.
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click the Add+ button.
3. Click In-House then click Browse to navigate to and select the app.
This is a .xap, a .appx or .appx bundle for WP8.1 devices.
4. Click Next.
5. Enter information into the Description section, if necessary, using the following guidelines:
• Application Name: The name of the app as defined by the developer displays in Apps@Work on
  the device and in the Apps@Work catalog.
• Display Version: The version of the app. This field is not editable.
• Developer: The author of the app as defined by the developer. This field is not editable.
• Category: Select one or more categories if you would like this app to be displayed in a specific
  group of apps on the device. Select the category from the drop-down list. The app appears under
  the selected category on the device. To add a new category, click the Add New Category link.
• Description: Enter a description for the app.
6. Enter information into the Apps@Work Catalog section and use the following guidelines:
• Feature this App in the Apps@Work catalog: Select if you want to highlight this app in the
  Featured apps list.
• Allow app downloads over insecure networks: Select this if you are providing an Override URL
  (next field) that uses the HTTP URL scheme instead of HTTPS. Override URLs are intended for use
  behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make
  sure you understand the risks of using an insecure connection.
• Override URL: If you are using an alternate source for downloading in-house apps, enter that URL
  here. The URL must point to the in-house app in its alternate location. Override URLs are intended
  for use behind a firewall, using a trusted and secure internal network. Manual synchronization is
  required with the alternate HTTP server on which apps are stored.
  See "Override for in-house app URLs" on page 44 for the requirements for this configuration
  before using it.
• Application Enrollment Token (AET): The app enrollment token for Apps@Work enables
  companies to publish and distribute apps directly to Windows Phone devices (WP8.1),
  bypassing the Windows Store. Companies can install in-house apps after they enroll their phones
  for app distribution from their company; users who are enrolled for app distribution can then
  install the company apps.
• Silent Upgrade/Install: Clearing this check box requires the device user to manually install the
  app. Select this check box to install the app silently. The app is installed when the device checks in
  with Ivanti EPMM. User action is not required.
• Schedule Installation: Click the check box to schedule the installation of the application, then
  select a Start Time and End Time. This is especially useful for installing large applications during
  times that the network is not busy.
  Do not select Feature this App in the Apps@Work catalog if you want to set up a schedule to
  install an application.
7. Enter information into the Apps@Work Catalog section to update the information, if necessary,
using the following guidelines:
• App Icon: Click Browse... to navigate and select a new graphic. Click OK to add the graphic. You
  can upload one icon per app.
• Screenshots: Click Browse... to navigate and select a new screenshot. Click OK to add the
  screenshot. You can upload up to four screenshots per app.
8. Click Finish.
Related topics:
• "App management action workflows" on page 40
• "Apps@Work in Ivanti Mobile@Work for Android" on page 195
Adding third-party apps to the App Catalog
Ivanti EPMM allows you to add apps to the App Catalog for Windows and Windows Phone devices using the
following two methods:
• Add+: Opens the app wizard. Use this wizard to add one app at a time. When you
  complete the wizard, the app is added to the App Catalog.
• Quick Import: Opens the Windows Store Search window. Use this method to search for and
  import one or more apps while the window is open.
Adding third-party apps using the app wizard
Use the following steps to add apps to the App Catalog with the app wizard:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Add+ > Windows.
3. Enter a name or application type in the Application Name search box.
4. Select the App Store locale and language.
5. Enter the number of entries you want to retrieve in the Limit field.
To improve search performance, the default is set to 20. You can enter a number between 20 and 50.
6. Click the name of the app in the Name column.
For detailed information about the app, click the icon to open a link to the third-party web page.
7. Click Next to view and modify the app description as it will appear on the device and in the App
Catalog.
8. Click Finish to complete the app wizard and add the app to the App Catalog.
Adding third-party apps using Quick Import
Use the following steps to import apps using the Quick Import button:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Quick Import > Windows > Windows Phone or Windows.
3. Enter a name or application type in the Application Name search box.
4. Select the App Store locale and language.
5. Enter the number of entries you want to retrieve in the Limit field.
To improve search performance, the default is set to 20. You can enter a number between 20 and 50.
6. Click Search to see the apps that match your criteria.
7. On the line of the app you want to import, click the Import link to import the app information into the
App Catalog page.
8. Click OK at the Successfully Added window.
9. Close the Windows Store Search window when you have finished adding apps.
Deploying apps
Follow these steps to silently push the apps to a device using one or more labels.
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. From the Filters pane on the left, select Platform > Windows or Windows Phone.
3. Select one or more apps.
4. Click Actions > Apply To Label and select one or more labels to apply.
5. Click Apply.
6. Apps are made available to the devices with the label. Depending on how the label was
configured, the app is either silently installed (no action required by the device user) or it is
available but requires that the user install it.
Only the latest version of the app displays in the Apps@Work app on the device. When you remove
the label, the app is no longer available to devices associated with that label. The app is not deleted
from Ivanti EPMM or from the devices on which it is already installed.
Related topics: "App management action workflows" on page 40
Editing in-house app information
Use the following steps to edit in-house app information, icons, and screenshots:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. From the Filters pane on the left, select Platform > Windows or Windows Phone.
3. Click the app name link in the Application Name column to display the app information.
4. Click the Edit button to edit the following information:
| Item | Description |
|---|---|
| Description | |
| App Name | The edited name appears in the App Catalog and Apps@Work, however, when you install the app on the device, the original name will be displayed on the device. |
| Display Version | The version of the app. This field is not editable. |
| Developer | The author of the app as defined by the developer. This field is not editable. |
| Category | Select one or more categories to display this app in a category tab in Apps@Work or add a new category. a. Click Add New Category to define new categories. b. Enter a category Name (up to 64 characters). c. Enter a Description (up to 255 characters). d. In the Category Icon section, click the Replace Icon button. e. Browse and select an icon that will represent this Category. f. Click Save. |
| Description | Edit the app description. |
| Apps@Work Catalog | |
| Feature this App in the Apps@Work catalog | By default, the check box is selected to list the app in the Featured apps list in Apps@Work. This feature does not apply to AppConnect apps. |
| Allow app downloads over insecure networks | Select this if you are providing an Override URL (next field) that uses the HTTP URL scheme instead of HTTPS. Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Before you use an HTTP URL, make sure you understand the risks of using an insecure connection. |
| Override URL | If you are using an alternate source for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. Override URLs are intended for use behind a firewall, using a trusted and secure internal network. Manual synchronization is required with the alternate HTTP server on which apps are stored. See "Override for in-house app URLs" on page 44 for the requirements for this configuration before using it. |
| Application Enrollment Token (AET) | The app enrollment token for Apps@Work enables companies to publish and distribute apps directly to Windows Phone devices (WP8.1), bypassing the Windows Store. Companies can install in-house apps after they enroll their phones for app distribution from their company; users who are enrolled for app distribution can then install the company apps. |
| Silent Upgrade / Install | • Clearing the check box means the device user will need to manually install the app. When the check box is cleared, the Schedule Installation field disappears. • Selecting the check box will install the app silently. The app is installed when the device checks in with Ivanti EPMM. User action is not required. For more information, see "Silent install and uninstall of mandatory apps" on page 189. Silent install is not supported for MAM-only Android devices. |
| Schedule Installation | Selecting the check box means the application will be installed within the specified time interval. All timings are device local time. |
| Screenshots | |
| App Icon | Click Browse to navigate and select a new graphic. Click OK to replace the existing graphic. |
| Screenshots | Click Browse to navigate and select a new screenshot. Click OK to replace the existing screenshot. |
5. Click Save.
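Added example (not part of the Ivanti guide or product): a Python check that reviews an inventory of in-house apps for the two settings described above, Override URL and Allow app downloads over insecure networks, and reports the entries an administrator should review. The inventory records, their field names, and the internal address ranges are assumptions made for illustration; they are not an Ivanti EPMM export format.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample inventory. Field names are hypothetical, not an EPMM export format.
CATALOG = [
    {"app": "Expenses", "override_url": "https://apps.corp.example/expenses.appx", "allow_insecure": False},
    {"app": "Timesheet", "override_url": "http://10.20.0.15/apps/timesheet.appx", "allow_insecure": True},
    {"app": "Badge", "override_url": "http://203.0.113.7/badge.xap", "allow_insecure": True},
    {"app": "Inventory", "override_url": "http://files.corp.example/inventory.appx", "allow_insecure": False},
    {"app": "Notes", "override_url": "", "allow_insecure": True},
]

# Ranges treated as "internal" (RFC 1918 and IPv6 unique local). Assumption: adjust to your network.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def audit_entry(entry):
    """Return a list of findings for one record; an empty list means nothing to review."""
    url = (entry.get("override_url") or "").strip()
    allow_insecure = bool(entry.get("allow_insecure"))

    if not url:
        # The insecure-download option only makes sense together with an HTTP Override URL.
        return ["insecure downloads allowed but no Override URL is set"] if allow_insecure else []

    try:
        parts = urlsplit(url)
    except ValueError:
        return ["Override URL cannot be parsed"]
    scheme, host = parts.scheme.lower(), parts.hostname
    if scheme not in ("http", "https") or not host:
        return ["Override URL is not an http(s) URL with a host"]

    if scheme == "https":
        if allow_insecure:
            return ["insecure downloads allowed although the Override URL uses HTTPS"]
        return []

    # Plain HTTP: the package is not protected in transit, so the source must be internal.
    findings = ["app package is downloaded over plain HTTP"]
    if not allow_insecure:
        findings.append("HTTP Override URL but insecure downloads are not allowed")
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        # A hostname cannot be judged offline; leave it for manual confirmation.
        findings.append(f"confirm that {host} resolves only inside the internal network")
    else:
        if not any(address in net for net in INTERNAL_NETS):
            findings.append(f"HTTP source {address} is outside the internal address ranges")
    return findings


def audit_catalog(catalog):
    """Map app name to findings, listing only the apps that need review."""
    report = {}
    for entry in catalog:
        findings = audit_entry(entry)
        if findings:
            report[entry["app"]] = findings
    return report


if __name__ == "__main__":
    for app, findings in audit_catalog(CATALOG).items():
        for finding in findings:
            print(f"{app}: {finding}")
```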
Application dependency deployment
Many Windows applications need extra programs or libraries in order to run effectively. These are
commonly known as dependencies. When a Windows application comes from the Microsoft store, these
dependencies are packaged with the device. However, in-house applications need to include dependencies at
the time the application is downloaded.
As app developers do not supply dependency libraries with their apps, when developers use In-House
deployment Ivanti EPMM adds the dependencies on the devices, if necessary, before administrators install
the apps on the devices. Ivanti EPMM identifies the dependencies by name, uploads the files, and deploys the
dependencies on the device before administrators push the apps to the device.
Deploying app dependencies
When you upload an in-house app, Ivanti EPMM scans the app to identify dependencies. If Ivanti EPMM
finds any, it lists them in the third step of the Add App Wizard. For any dependency needed by an
application, administrators can choose to upload a dependency file. However, some apps might not install
unless the dependency file is uploaded.
Although an application needs a dependency file, Ivanti EPMM does not require that you upload
any of the files to deploy an app.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Add+ > In-House to open the Add App Wizard.
3. Click Browse to locate and select your in-house app.
4. Select the main binary file for the app and click Next.
5. Provide a description of the app and click Next.
Ivanti EPMM scans the app for dependency files and lists them in the Application Dependencies
table.
6. Review the app information and verify that you selected the correct app.
7. Click Upload File next to a dependency file name.
8. Click Browse to locate and select a local copy of the file.
9. Click Upload the Dependency File.
The administrator can choose not to associate a dependency for the app installation by clicking No
for the IS ASSOCIATED column.
10. Click Add Additional Dependency to upload additional dependencies that the application
requires for installation but that are not part of the application's manifest file
(optional).
11. Repeat, as necessary, to upload any other dependency files.
12. Click Finish to complete the app upload process.
13. Apply the app to a label to deploy the app to devices.
a. Select the app.
b. Click Actions > Apply to Labels.
c. Select one or more labels.
d. Click Apply.
The next time the devices associated with the selected label(s) sync with Ivanti EPMM, the app is deployed
on the device along with the dependent files.
Editing third-party app information
Use the following steps to edit third-party app information:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. From the Filters pane on the left, select Platform > Windows or Windows Phone.
3. Click the name of the app in the Name column.
4. Click Edit and make the necessary changes in fields that are editable.
5. Information varies depending on the app you edit.
6. Click Save.
Updating apps in the App Catalog
Use the following steps to update apps using the Quick Import button:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. Click Quick Import > Windows > Windows Phone or Windows.
3. Enter the name of the app you want to update in the Application Name search box.
4. Click Search.
Scroll to locate the app, if necessary.
5. Click the Update link next to the version number.
6. Click OK at the Successfully Updated window.
7. Close the Windows Store Search window when you have finished updating the app.
Deleting apps from Ivanti EPMM
Follow these steps to delete one or more apps:
1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
2. From the Filters pane on the left, select Platform > Windows or Windows Phone.
3. Select one or more apps to delete.
4. Select Action > Delete.
5. Click Yes in the confirmation box.
This action deletes the app from Ivanti EPMM, but does not delete it from the device.
Managing apps on MAM-only devices
Ivanti EPMM allows you to specify iOS and Android devices as MAM-only. Ivanti EPMM provides Mobile
App Management (MAM) to such devices, but does not provide them with Mobile Device Management
(MDM).
• "MAM-only device overview" below
• "MAM-only iOS devices" below
• "MAM-only Android devices" on page 281
• "Configuring MAM-only iOS devices" on page 282
• "Configuring MAM-only Android devices" on page 288
MAM-only device overview
Ivanti EPMM provides both Mobile Device Management (MDM) and Mobile App Management (MAM).
However, sometimes you have situations in which you want to manage apps without device management.
Some examples are:
• You have contractors who need your relevant apps, but their devices are managed by another MDM
  system.
• You have employees who need your relevant apps on their personal devices, but your privacy or
  legal requirements do not allow device management.
Ivanti EPMM supports MAM-only devices for iOS and Android. With MAM-only devices, Apps@Work on
the device presents registered device users with the apps in the App Catalog. However, features that
require device management are not supported.
Related topics
• "MAM-only iOS devices" below
• "MAM-only Android devices" on page 281
MAM-only iOS devices
Ivanti EPMM can support only one of the following types of registered iOS devices:
• Devices that support both MAM and MDM
• Devices that support only MAM (MAM-only devices)
Ivanti EPMM cannot simultaneously support MAM-only devices and devices that support both MDM and
MAM. You configure your choice by enabling or disabling iOS MDM support in the Ivanti EPMM Admin
Portal. You make this choice before any iOS devices register with Ivanti EPMM. Note that your choice has no
impact on Ivanti EPMM capabilities for other device platforms, such as Android or Windows.
Whether or not you disable iOS MDM on Ivanti EPMM, you use the App Catalog on Ivanti EPMM and
Apps@Work on the device to make apps available to devices. Apps@Work is presented on the device either
in a web clip or in Safari.
However, in the MAM-only case, Ivanti EPMM does not send iOS devices the MDM configurations and
certificates required for MDM activity on a device. These MDM configurations and certificates, as listed in
the Ivanti EPMM Admin Portal in Policies & Configs > Configurations, are:
• The System - iOS enrollment CA certificate
• The System - iOS enrollment SCEP certificate
• The System - iOS MDM configuration
Without these MDM configurations and certificates, Ivanti EPMM does not support any MDM features,
including MDM features relating to apps, such as:
• Per-app VPN settings
• Managed app settings
• Managed app configuration settings
• Requiring data protection
• Displaying the apps that are installed on devices
Required Ivanti Mobile@Work version for MAM-only iOS devices
MAM-only iOS device support requires Ivanti Mobile@Work 9.7 or newer versions.
Supported features on MAM-only iOS devices
When iOS MDM is disabled, only the following features are supported on iOS devices:
• In-app registration using Ivanti Mobile@Work for iOS.
  No other registration methods are supported for MAM-only iOS devices.
• Pushing apps to the devices using the Apps@Work web clip.
• All types of apps are supported:
  ◦ AppConnect apps (in-house or from the Apple App Store)
  ◦ Non-AppConnect apps (in-house or from the Apple App Store)
  ◦ Web applications
  The following app settings in the App Catalog are not supported for MAM-only iOS apps: per app
  VPN settings, managed app settings, managed app configuration settings, and requiring data
  protection.
• AppTunnel with HTTP/S tunneling
• AppConnect-related policies and configurations:
  ◦ AppConnect global policy
  ◦ AppConnect container policies
  ◦ AppConnect app configurations
  ◦ Ivanti Web@Work settings
  ◦ Ivanti Docs@Work settings
• Standalone Sentry with ActiveSync support, using AppConnect-enabled Ivanti Email+ for iOS
• The following subset of actions from the Ivanti EPMM Admin Portal (Devices & Users > Devices >
  Actions):
  ◦ Force Device Check-in
  ◦ Send Message
  ◦ Apply to Label
  ◦ Remove from Label
  ◦ Retire
  ◦ Block AppTunnel
  ◦ Allow AppTunnel
• Compliance actions for only the following security violations on the security policy:
  ◦ When a device has been out of contact with Ivanti EPMM too long
  ◦ When the iOS version is less than a specified version
  ◦ When the device is compromised (jailbroken)
  ◦ When particular device models are not allowed
No other iOS features are supported. For example:
• Ivanti EPMM does not support applying any configurations or policies (in the Ivanti EPMM Admin
  Portal Policies & Configs) that are not related to AppConnect. For example, do not apply iOS
  restrictions or Wi-Fi settings.
• The self-service user portal and My Devices in Ivanti Email+ are not available.
• Ivanti EPMM Admin Portal MDM-related actions cannot be applied to iOS devices. These actions
  include wipe, lock, unlock, and locate. The Ivanti EPMM Admin Portal displays an error message when
  you attempt to take these actions.
• iOS native email is not supported, because it requires the Exchange setting, which requires MDM.
• Multi-user sign-in is not supported.
• Tunnel (AppTunnel with TCP tunneling) is not supported.
• Ivanti EPMM does not display the apps installed on MAM-only iOS devices.
• Changes you make on Ivanti EPMM do not result in uninstalling an app from a MAM-only iOS
  device. For example, the app is not uninstalled if you remove an app from the App Catalog, or
  remove its label, or retire the device.
• The Apps@Work container app is not supported.
Device check-in on MAM-only iOS devices
The sync interval on the sync policy has no impact on MAM-only iOS devices. Therefore, automated device
check-ins occur only when the AppConnect app check-in interval expires. You configure this value on the
AppConnect global policy. When the AppConnect app check-in interval expires, Ivanti Email+ checks in with
Ivanti EPMM, and receives updates to policies and configurations.
Device check-ins also occur when:
• An AppConnect app launches for the first time.
• A device user taps Check for Updates in Ivanti Mobile@Work for iOS.
• A device user brings Ivanti Mobile@Work to the foreground.
• You do a Force Device Check-in from the Ivanti EPMM Admin Portal (Devices & Users > Devices >
  Actions).
  This action does not update the AppConnect-related policies on the device.
Trusted certificates and MAM-only iOS devices
When you set up Ivanti EPMM, you provide a client TLS certificate. This certificate secures communication
between the mobile device and Ivanti EPMM. Often the client TLS certificate is the same certificate as the
Portal certificate, which secures communication between a web browser and Ivanti EPMM.
If the client TLS certificate or the Portal certificate is not trusted by iOS, the device user on a MAM-only iOS
device, unlike on an MDM iOS device, must manually accept the certificates. To do this, after
completing the Ivanti Mobile@Work registration process, the device user must open the device’s Settings,
navigate to Settings > General > About > Certificate Trust Settings, and trust the certificates.
Therefore, if you want to streamline the device user experience, use only certificates trusted by iOS for the
client TLS certificate and the Portal certificate.
For lists of available trusted root certificates in iOS, see Apple documentation at https://support.apple.com.
Related topics
• “Types of certificates” in the Ivanti EPMM Device Management Guide for iOS and macOS devices
• “Certificate Mgmt” in the Ivanti EPMM System Manager Guide
Configurations and certificates for MAM-only iOS devices
When you use MAM-only iOS devices, Ivanti EPMM supports delivering only certain types of configurations
and certificates to the device. These configurations belong to two categories:
• "AppConnect-related configurations and policies on MAM-only iOS devices" on the next page
• "Other certificates and configurations that are supported with MAM-only iOS devices" on the next
  page
You can use the "Ivanti EPMM option to not install profiles on iOS devices" below to not deliver this
category of certificates and configurations to devices.
AppConnect-related configurations and policies on MAM-only iOS devices
The AppConnect-related configurations and policies on MAM-only iOS devices are:
• The AppConnect global policy
• The AppConnect container policy
• The AppConnect app configuration
• The Ivanti Docs@Work setting
• The Ivanti Web@Work setting
Other certificates and configurations that are supported with MAM-only iOS
devices
The other certificates and configurations supported with MAM-only devices, as listed in the Ivanti EPMM
Admin Portal in Policies & Configs > Configurations, are:
• The System - iOS Enterprise AppStore web clip
• The System - iOS Enterprise AppStore SCEP certificate
• The System - TLS Trust Certificate Chain for Mobile Devices certificate
Note the following regarding configurations and certificates when using MAM-only iOS devices:
• Ivanti EPMM does not receive status from the device about whether these non-AppConnect related
  certificates and configurations have been applied. Therefore, the status of these configurations in the
  device details display remains as Sent.
• When you retire a device, the certificates and configurations are not removed. A device user can
  manually remove them.
Ivanti EPMM option to not install profiles on iOS devices
With a setting on the Ivanti EPMM, you can instruct Ivanti EPMM to not install profiles on iOS devices. When
you enable this setting, Ivanti EPMM does not send the non-AppConnect related certificates and
configurations to MAM-only iOS devices.
Installing these profiles allows device users to use the Apps@Work web clip, which means they can easily
view and install apps without entering any further credentials. Your requirements for user convenience
versus user concerns determine your choice for this setting.
The setting is the Enable Configuration Profiles field on the privacy policy that Ivanti EPMM applies to the
device. The field is selected by default. Because clearing this field means that Ivanti EPMM does not push the
Apps@Work web clip and certificate to the device, the device user needs another way to access
Apps@Work. Therefore, when you clear this field, Ivanti Mobile@Work for iOS displays an Apps@Work
button on its home screen. When the device user taps that button, Apps@Work opens in Safari. The device
user logs into Apps@Work with a user name and password.
Also, when you clear Enable Configuration Profiles:
• The Portal HTTPS certificate you configure on the Ivanti System Manager must be trusted by iOS if
  you want the device user to download in-house apps from Apps@Work. For lists of available trusted
  root certificates in iOS, see Apple documentation at https://support.apple.com.
• The setting has no impact on versions of Ivanti Mobile@Work prior to 10.0. That is, the
  non-AppConnect related certificates and configurations will be installed on the device.
In-house apps and provisioning profiles for MAM-only iOS devices
In-house iOS apps require a provisioning profile. However, if you replace the provisioning profile, when
Ivanti EPMM delivers the updated provisioning profile to the impacted iOS devices, it also resends all the
non-AppConnect-related policies and configurations to the devices. Ivanti Mobile@Work will prompt the
device user to re-install each certificate and configuration.
The device user experience on MAM-only iOS devices
The device user experience on MAM-only iOS devices is the same as on devices that also support MDM,
with these exceptions:
• Device users must register with Ivanti EPMM using the Ivanti Mobile@Work for iOS app. (No other
  registration methods are available for MAM-only iOS devices). The registration process in Ivanti
  Mobile@Work is shorter than on devices that support MDM because the MDM configurations and
  certificates are not installed.
• The privacy policy that Ivanti Mobile@Work presents to the device user is shorter on MAM-only
  devices. It tells the user only that it will not access personal content. Other statements in the policy in
  MDM devices, such as statements about providing some device details to the user’s company, are
  not applicable on a MAM-only device.
• When a device user uses Apps@Work to install an app from the Apple App Store, the behavior is
  different on MAM-only devices than on devices with MDM.
  ◦ On MAM-only devices: Tapping Install for an app in Apps@Work opens Safari to the app’s entry
    in the Apple App Store. From there, the device user downloads and opens the app. The app is
    installed just as if the device user had gone directly to the Apple App Store.
  ◦ On MDM devices: Tapping Install for an app presents a message that Ivanti EPMM will install the
    app from the Apple App Store and manage the app. The device user enters an Apple ID, and the
    app is installed. If the device user had gone directly to the Apple App Store to install the app, the
    app would not be managed.
MAM-only Android devices
You can specify that Ivanti EPMM provides MAM-only features to some registered Android devices, but
both MAM and MDM features to other Android devices.
Your choice has no impact on the Ivanti EPMM capabilities for other device platforms, such as
Android Enterprise devices, iOS devices, and Windows devices.
To make an Android device MAM-only, you configure an Android quick setup policy in which you disable
device administration. When you apply this policy to Android devices, Ivanti EPMM supports app installation
using Apps@Work and most policies and configurations. However, Ivanti EPMM cannot perform any
features that require the device administrator on the device. Specifically, Ivanti EPMM cannot do the
following on the MAM-only Android devices:
• Cannot enforce device password requirements from the security policy.
• Cannot enforce device encryption requirements from the security policy.
  EXCEPTION: Ivanti EPMM can enforce device log encryption from the security policy.
• Cannot enforce Android-related lockdown policies from the lockdown policy.
• Cannot apply Samsung-specific features, which include:
  ◦ Samsung Knox features, including per app VPN
  ◦ Samsung native email
  ◦ Samsung-related policies: Samsung kiosk policy, Samsung general policy, Android firmware policy
  ◦ Samsung-related configurations: Samsung APN, Samsung browser, Samsung kiosk, and Samsung
    Knox container
  ◦ Samsung-related VPN configurations: OpenVPN, Samsung Knox IPsec, and Tunnel (Samsung
    Knox Workspace)
  ◦ Silent installation of apps
• Cannot apply silent installation of apps on Zebra devices
• Does not support silent installation of certificates
• The device user is always prompted to accept a certificate.
• Cannot enforce blocking smart lock or blocking fingerprint from the security policy.
• Cannot enforce common criteria mode from the security policy.
• Cannot enforce compliance actions for the following security violations on the security policy:
  ◦ When data encryption is disabled
  ◦ When the device administrator is deactivated
  ◦ When Samsung Knox device attestation fails
• Cannot wipe the MAM-only device.
Note the following:
• Ivanti Mobile@Work on the device also cannot wipe the device, even if the AppConnect global
  policy or the security policy specify wipe as a device-initiated compliance (local compliance) action.
• When using Android Custom ROM menus, if you choose wipe as a compliance action, the device is
  not wiped if the security violation occurs. Instead, the device is retired.
Related topics
• "MAM-only device overview" on page 274
• "Configuring MAM-only Android devices" on page 288
Configuring MAM-only iOS devices
Configuring MAM-only iOS devices requires the following steps:
1. "Disabling the MDM profile" below
2. "Configuring the security policy for MAM-only iOS devices" below
3. "Configuring the privacy policy for MAM-only iOS devices" on page 285
4. "Configuring the sync policy for MAM-only iOS devices" on page 286
5. "Configuring the lockdown policy for MAM-only iOS devices" on page 286
6. "Configuring the Apps@Work web clip for MAM-only iOS devices" on page 287
7. "Populating the iOS App Catalog for MAM-only iOS devices" on page 287
8. "Publishing iOS apps to Apps@Work on MAM-only iOS devices" on page 287
9. "Configuring AppConnect and AppTunnel for MAM-only iOS devices" on page 287
IMPORTANT - Before configuring Ivanti EPMM for MAM-only iOS devices, make sure no iOS
devices are registered.
Disabling the MDM profile
Disabling the MDM profile for all iOS devices is necessary for configuring Ivanti EPMM to support only
MAM-only iOS devices.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Settings > System Settings > iOS > MDM.
2. Make sure Enable MDM profile is not selected.
3. Click Save.
Configuring the security policy for MAM-only iOS devices
Only a few fields on the security policy apply to MAM-only iOS devices. This procedure explains how to
configure the default security policy. However, the same considerations apply to any security policy that you
label for iOS devices or a subset of iOS devices.
If you are applying the default security policy or a custom security policy to both MAM-only iOS
devices and to non-iOS devices, set the appropriate fields for non-iOS devices according to your
requirements.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select the default security policy.
3. Click Edit. The Modify Security Policy dialog box opens.
4. The Password section does not apply to MAM-only iOS devices.
5. The Data Encryption section does not apply to MAM-only iOS devices.
6. The Android, Android enterprise, Windows 8.1, and Windows 10 sections do not apply to
MAM-only iOS devices.
7. In the Access Control section, in For All Platforms, select the compliance action, if any, that you
require for the security violation when a device has not connected to Ivanti EPMM in X days. This
security violation is the only one in this section supported for MAM-only iOS devices.
8. In the Access Control section, in For iOS devices, select the compliance action, if any, that you
require for these security violations, which are the only ones in this section supported for MAM-only
iOS devices:
   • when iOS version is less than
   • when a compromised iOS device is detected
   • for the following disallowed devices
9. Click Save > OK.
Related topics
• "MAM-only iOS devices" on page 274
• “Security policies” in Getting Started with Ivanti EPMM
Configuring the privacy policy for MAM-only iOS devices
Only a few fields on the privacy policy apply to MAM-only iOS devices. This procedure explains how to
configure the default privacy policy. However, the same considerations apply to any privacy policy that you
label for iOS devices or a subset of iOS devices.
If you are applying the privacy policy or a custom privacy policy to both MAM-only iOS devices and
to non-iOS devices, set the appropriate fields for non-iOS devices according to your requirements.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select the default privacy policy.
3. Click Edit. The Modify Privacy Policy dialog box opens.
4. Set Apps to the appropriate value for non-iOS devices that this privacy policy applies to.
This field has no impact on MAM-only iOS devices. It applies to iOS devices only if they are MDM
enabled.
5. Set SMS Log and Call Log to the appropriate value for Android devices that this privacy policy
applies to.
These fields apply only to Android devices.
6. Set iOS Location-Based Wakeups to Disabled.
Set this field to Disabled because you should not track the location of MAM-only devices.
7. Set Location to None.
Set this field to None because you should not track the location of MAM-only devices.
8. Set Collect Roaming Status to the appropriate value for Android devices that this privacy policy
applies to.
This field applies only to Android devices.
9. Clear Enable Configuration Profiles if you do not want Ivanti EPMM to send
non-AppConnect-related configurations and certificates to MAM-only iOS devices, including the
Apps@Work web clip and certificate.
Clearing this setting impacts only Ivanti Mobile@Work 10.0 or newer versions. Prior versions of Ivanti
Mobile@Work receive the configurations and certificates regardless of this setting.
10. Set iOS Installed App Inventory to All Apps.
However, this field has no impact on MAM-only iOS devices. It applies to iOS devices only if they are
MDM enabled.
11. The Windows 10 Inventory and Android Warning Banner on the Device Reboot sections do not
apply to MAM-only iOS devices.
12. Click Save > OK.
Related topics
• "Ivanti EPMM option to not install profiles on iOS devices" on page 279
• “Privacy policies” in Getting Started with Ivanti EPMM
Configuring the sync policy for MAM-only iOS devices
No sync policy fields apply to MAM-only iOS devices. If your Ivanti EPMM deployment includes only
MAM-only iOS devices, you can skip this step. However, if your deployment includes other device
platforms, configure the sync policy to meet your requirements for the other platforms.
Related topics
• “Sync policies” in Getting Started with Ivanti EPMM
Configuring the lockdown policy for MAM-only iOS devices
The lockdown policy does not apply to iOS devices. If your Ivanti EPMM deployment includes only
MAM-only iOS devices, you can ignore the lockdown policy. However, if your deployment includes
other device platforms, configure the lockdown policy to meet your requirements.
Related topics
• “Lockdown policies” in Getting Started with Ivanti EPMM
Configuring the Apps@Work web clip for MAM-only iOS devices
Configuring the Apps@Work web clip is necessary to support MAM-only iOS devices. For configuration
information, see "Setting up Apps@Work for iOS and macOS" on page 78.
The AppConnect container app is not supported on MAM-only iOS devices.
Populating the iOS App Catalog for MAM-only iOS devices
Populating the App Catalog on Ivanti EPMM with iOS apps is necessary to support MAM-only iOS devices.
This task is the same as when iOS devices support MDM. However, the following features, available when
adding or editing an app in the App Catalog, are not supported:
• Per App VPN settings
• Managed app settings
• Managed app configuration settings
• Requiring data protection
For configuration information, see "Populating the iOS and macOS App Catalogs" on page 80.
Publishing iOS apps to Apps@Work on MAM-only iOS devices
Making iOS apps available to device users in Apps@Work on MAM-only iOS devices is the same as it is with
iOS devices that support MDM.
For configuration information, see "Publishing iOS and macOS apps to Apps@Work" on page 106.
Configuring AppConnect and AppTunnel for MAM-only iOS devices
Configuring AppConnect for MAM-only iOS devices is the same as configuring AppConnect for iOS.
Configuring AppTunnel with HTTP/S tunneling is also the same. For information on configuring AppConnect
for iOS, see “Configuration overview” in the AppConnect Guide for EPMM.
When configuring AppConnect for MAM-only iOS devices, consider the following:
• The app check-in interval on the AppConnect global policy determines when AppConnect apps
  receive updates of their AppConnect global policy, their AppConnect app configuration, and their
  AppConnect container policy. Because the sync interval on the sync policy has no impact on
  MAM-only iOS devices, the app check-in interval determines when Ivanti Mobile@Work does a
  device check-in with Ivanti EPMM.
• If you configure Touch ID to access AppConnect apps, use Touch ID with fallback to AppConnect
  passcode. Touch ID with fallback to device code is not meaningful for MAM-only iOS devices,
  because you cannot enforce a strong device passcode on the security policy.
Configuring MAM-only Android devices
Configuring MAM-only Android devices requires the following steps:
• "Disabling the device administrator on Android devices" below
• "Configuring the security policy for MAM-only Android devices" on the next page
• "Configuring the privacy policy for MAM-only Android devices" on page 290
• "Configuring the sync policy for MAM-only Android devices" on page 290
• "Configuring the lockdown policy for MAM-only Android devices" on page 291
• "Making apps available to MAM-only Android devices" on page 291
• "Using Apps@Work on MAM-only Android devices" on page 291
• "Configuring AppConnect and AppTunnel for MAM-only Android devices" on page 292
Disabling the device administrator on Android devices
Disabling the device administrator on Android devices is necessary for configuring Ivanti EPMM to support
MAM-only Android devices. This setting is on the Android quick setup policy.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select Add New > Android > Android Quick Setup.
3. In the Name field, enter a descriptive name for the policy.
4. De-select Device Administrator.
5. Click Save > OK.
Related topics
• “Working with Android Quick Setup policies” in the Ivanti EPMM Device Management Guide for
  Android and Android Enterprise devices.
Configuring the security policy for MAM-only Android devices
Only some settings on the security policy apply to MAM-only Android devices. This procedure explains how
to configure the default security policy. However, the same considerations apply to any security policy that
you label for Android devices or a subset of Android devices.
If you are applying the default security policy or a custom security policy to both MAM-only
Android devices and to non-Android devices, including Android Enterprise devices, set the
appropriate fields for non-Android devices according to your requirements.
Procedure
1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Policies.
2. Select the default security policy.
3. Click Edit. The Modify Security Policy dialog box opens.
4. The Password section does not apply to MAM-only Android devices.
5. In the Data Encryption section, set Device Log Encryption to On if you want to encrypt the log files
you email with the Send Log option in Ivanti Mobile@Work for Android.
All other settings in the Data Encryption section do not apply to MAM-only Android
devices.
6. In the Android section, set Require strict TLS for Apps@Work if you require strict TLS between
Apps@Work and other services.
All other settings in the Android section do not apply to MAM-only Android devices.
7. The Android enterprise, Windows 8.1, and Windows 10 sections do not apply to MAM-only
Android devices.
8. In the Access Control section, in For All Platforms, select the compliance action, if any, that you
require for each security violation.
9. In the Access Control section, in For Android devices, select the compliance action, if any, that you
require for these security violations, which are the only ones in this section supported for MAM-only
Android devices:
   • when Android version is less than
   • when a compromised Android device is detected
10. Click Save > OK.
When selecting a compliance action, keep in mind that wipe is not supported for MAM-only
Android devices.
Related topics
• "MAM-only Android devices" on page 281
• “Security policies” in Getting Started with Ivanti EPMM
• “Device Log Encryption” in the Ivanti EPMM Device Management Guide for Android and Android
  Enterprise devices.
Configuring the privacy policy for MAM-only Android devices
All Android-related settings on the privacy policy apply to MAM-only Android devices. For information on
configuring the privacy policy, see “Privacy policies” in Getting Started with Ivanti EPMM.
Related topics
• "MAM-only Android devices" on page 281
Configuring the sync policy for MAM-only Android devices
All Android-related settings on the sync policy apply to MAM-only Android devices. For information on
configuring the sync policy, see “Sync policies” in Getting Started with Ivanti EPMM.
Related topics
• "MAM-only Android devices" on page 281
Configuring the lockdown policy for MAM-only Android devices
The lockdown policy does not apply to MAM-only Android devices. If your Ivanti EPMM deployment
includes only MAM-only Android devices, you can ignore the lockdown policy. However, if your deployment
includes other device platforms, including Android Enterprise, configure the lockdown policy to meet your
requirements.
Related topics
• “Lockdown policies” in Getting Started with Ivanti EPMM
• "MAM-only Android devices" on page 281
Making apps available to MAM-only Android devices
The procedure for making apps available to MAM-only Android devices is the same as when Android
devices support MDM. However, the following features, available when adding or editing an app in the App
Catalog, are not supported:
• Per App VPN settings
• Silent installation
For configuration information, see "Adding Google Play apps for Android" on page 164.
Using Apps@Work on MAM-only Android devices
Using Apps@Work on MAM-only Android devices is the same as it is with Android devices that support
MDM.
For information, see "Android app versions and device counts" on page 211.
Configuring AppConnect and AppTunnel for MAM-only Android devices
Configuring AppConnect for MAM-only Android devices is the same as configuring AppConnect for
Android. Configuring AppTunnel with HTTP/S tunneling or TCP tunneling is also the same. For information
on configuring AppConnect and AppTunnel for Android, see “Configuration overview” in the AppConnect
Guide for EPMM.