31 Integrating MAF Applications with EMM Solutions

This chapter describes the AppConfig Community, which provides tools and best practices to manage mobile applications, the MAF approach to enterprise mobile applications, and the management of MAF applications with AirWatch's EMM solution.

31.1 Introduction to the AppConfig Community

The AppConfig Community provides tools and best practices to secure, configure, deploy, and manage mobile enterprise applications.

The AppConfig Community was formed, and is maintained, by Enterprise Mobile Management (EMM) organizations: VMware AirWatch, MobileIron, IBM MaaS360, and JAMF Software. The community works to streamline the development and deployment of mobile enterprise applications.

The tools and best practices of the community are defined by the following:

  • Use of native frameworks that are made available through operating systems (OS)

  • Absence of EMM-specific integrations

The AppConfig approach to developing enterprise mobile applications provides a standard approach to application configuration and management because it builds upon the application security and configuration frameworks within the native OS functionality of the iOS and Android platforms. The AppConfig approach has been defined by App Configuration for Enterprise (ACE). See About the MAF Approach to Enterprise Mobile Applications.

MAF applications support ACE capabilities such as app tunnelling, application configuration, and implementations of security policies and access control. MAF supports application integration with the EMM solution from AirWatch and compatible solutions from other vendors.

More information about the AppConfig Community is available at: http://appconfig.org/.

31.2 About the MAF Approach to Enterprise Mobile Applications

MAF adopts the AppConfig approach to enterprise mobile applications because it helps application developers build EMM vendor-neutral applications that require neither a proprietary Software Development Kit (SDK) nor application wrapping tools.

MAF supports application integration with third-party EMM solutions. The integration focuses on using the capabilities of the mobile operating systems to configure and secure MAF applications. MAF aims to provide the capabilities that have been defined by ACE. ACE is an initiative that defines standards for enterprise application management. ACE provides an application development framework that defines common standards for mobile application management so that an application can be managed by any vendor. More information about ACE is available at: http://www.appconfigforenterprise.org/.

MAF applications support the following ACE capabilities:

  • App tunnel: An application may need to access services behind a firewall. Device-level IPsec VPNs come with concerns pertaining to connectivity and security. To address these concerns, mobile operating systems provide a per-app VPN capability so that individual applications can tunnel their way into networks. An application tunnel is a Secure Sockets Layer (SSL) connection from an application through a gateway to backend resources. As the tunnel is provided on a per-app basis, no rogue application can worm its way into the network.

  • Application configuration: Users enter URLs, port numbers, email addresses, tenant IDs, skin configurations and other settings when they set up applications. An EMM server can automatically and remotely set these configurations using the native APIs recommended by the AppConfig Community. Administrators use web consoles to enter configurations, which are then pushed to applications. Developers define a set of configuration keys within their applications. EMM administrators set the same keys and values in the management console of the EMM provider, and they are pushed to the application. See Configuring Properties in MAF Applications for Use by EMM Solutions.

  • Single Sign-On: Users may need to sign on to multiple systems, each of which may involve different user names and authentication techniques. A single sign-on (SSO) solution lets users authenticate themselves just once to access information on any of several systems. With SSO, the user is authenticated once and the authenticated identity is securely carried across the network to access resources. The application developer implements the Security Assertion Markup Language (SAML) standard to federate authentication to an Identity Provider (IDP). This SAML IDP is configured to use either Kerberos authentication or certificate authentication. The EMM solution distributes the appropriate Kerberos credentials and/or certificates based on the standard built-in operating system API calls available to the EMM providers.

  • Security policies and access control: Access control ensures that applications run only on approved devices. The capability enforces security policies at the application level. An organization requires security and data loss protection within enterprise applications to prevent sensitive data from moving outside company control.

    • Encryption: EMM vendors provide data protection for enterprise applications by enforcing a passcode policy on the device. Administrators can enable device level encryption by setting a passcode policy on the device.

    • Managed Open In: This is a mobile application management feature that restricts the flow of corporate data on iOS devices to only those applications that are under IT control.

    Enterprises may also want to disable application capabilities for security reasons.

    Common implementations of custom security policies include:

    • Disable copy and paste: the ability to disable the copy and paste capability from within the application

    • Default email settings: the ability to specify the default email application to be used to send email messages from within the application

    • Disable use of camera: the ability to disable the use of the camera

    • Disable capture of screenshots: the ability to disable the capture of screenshots

31.3 Access Control for MAF Applications with EMM Solutions

MAF uses the SSO certificate, application tunnel, and application configuration methods to enforce access control for MAF applications on devices that are managed by a compatible EMM solution.

Access control prevents users from logging into applications which are downloaded directly from iTunes and Google Play stores. Access control may be enforced in three ways:

  • Using SSO certificate: SSO authentication can use certificates. Access is controlled by provisioning a certificate for single sign-on, which is only made available to compliant applications on managed devices. A user who tries to download an application from the iTunes store or the Google Play store as a personal application on an unmanaged device will be unable to authenticate and log into the application.

  • Using Application Tunnel: Access control can be enforced using the Application Tunnel capability. An enterprise can configure the authentication page of an application so that it only accepts connections from users who come through the secure Application Tunnel, based on IP address. The Application Tunnel capability is only available for compliant applications on managed devices. A user who tries to download the applications from the iTunes store or the Google Play store as a personal application on an unmanaged device will not be able to authenticate and log into the application.

  • Using application configuration: Application configurations defined within MAF applications can be used to allow or deny access to an application. The application reads the value it received in the configuration key and grants access only if it is set to true.

31.4 How to Manage MAF Application Configurations with EMM Solutions

Integration with EMM solutions from AirWatch and other vendors that provide compatible solutions gives MAF applications the capability to set application-level configurations remotely on the EMM server, which can then be accessed by the MAF applications.

Application configurations can simplify the setup process for users. Developers define a set of configuration keys within their applications. An organization administrator sets the keys and values in the EMM administrative web console, from where they are sent to MAF applications.

MAF applications implement backend service configurations such as URL, port, use SSL, group or tenant code, and user configurations such as user name, email, and domain.

Custom security policies can be enforced using application configurations. Commonly implemented custom security policies include:

  • Disable Public Cloud Sync: the ability to disable the syncing of application data with public clouds such as Dropbox

  • Disable Copy and Paste: the ability to disable the copy and paste capability from within the application

31.5 Managing MAF Applications with the AirWatch EMM Solution

Integration with the AirWatch EMM solution helps MAF applications implement data leak protection by means of security policies.

AirWatch provides an EMM solution to secure and manage applications. AirWatch has three development approaches to provide core application feature sets: the SDK, app wrapping, and the approach that follows the AppConfig Community. When integrated with AirWatch, MAF follows the AppConfig approach. MAF does not support the AirWatch SDK or AirWatch app wrapping. MAF only supports the AirWatch ability to leverage native standards to manage applications.

MAF applications can be managed by means of the AirWatch Administrative Console. The console allows EMM administrators to create iOS configuration profiles and Android for Work configuration profiles, and apply them to managed devices that are enrolled in the AirWatch Administrative Console. When users enroll their devices through the AirWatch Agent App, all the configuration profiles assigned to their device are downloaded and applied. A configuration profile contains the restrictions that allow EMM administrators to enable or disable specific functionality, such as the camera or Managed Open In, within the application. The configuration profiles also contain per-app configuration information that allows secure tunnelling between MAF applications and the backend services they use, which are hosted behind the firewall.

MAF uses AirWatch's EMM technologies to secure its applications, and uses ACE to integrate MAF applications with AirWatch. Devices may be enrolled in AirWatch, applications may be installed from the AirWatch App Catalog, or internal or public applications may be uploaded to the AirWatch Administrative Console. Integration with AirWatch helps MAF implement data leak protection through the following security policies.

  • Encryption: MAF applications on iOS and on Android 5.0 and higher provide the ability to enable encryption. When encryption is enabled, MAF uses the native OS encryption to encrypt the content of the entire device, including applications.

  • Managed Open-In: The restriction on opening documents stored in managed applications in other, unmanaged applications like Dropbox or Box is available on iOS and on Android 5.0 and higher. On the iOS platform, when this restriction is enabled, it applies to all the applications on the device. When you set this restriction, you turn off the ability to share documents through email; in MAF, the Email Device Service is turned off. When you enable the Open In restriction on the Android platform, the restriction applies to each application and not to the whole device.

  • Camera: The capability to enable or disable the camera on the device is available on iOS and on Android 5.0 and higher. On the iOS platform, the camera restriction, when enabled, applies to all the applications on the device, not to each application individually. On the Android platform, the camera restriction is applied to each application and not to the device.

  • Email: An iOS profile has no restriction which directly controls the email access at the device or application level. Setting the Open In restriction turns off the ability to share documents by means of email. In MAF, the Open In restriction turns off the Email Device Service.

  • App Tunnelling with AirWatch Tunnel: MAF applications on iOS and on Android 5.0 and higher are provided the Per App VPN mode capability, an OS-level capability available to individual applications on a mobile device. AirWatch Tunnel is a server component that is installed and configured with the AirWatch Administrative Console. AirWatch Tunnel uses native operating system APIs to secure data in transit between MAF applications and the secure enterprise network. The secure tunnel isolates the application when it communicates with the network.

  • Secure browser integration: Users who want to access web content from MAF applications are redirected from the application to the AirWatch Secure Browser. Tapping on a GoLink within a MAF application launches the AirWatch Secure Browser client. The EMM administrator sets policies in the AirWatch console. When the secure browser client is launched, the policies are applied to the application, and depending on compliance with the set policies, content is either blocked or displayed.

  • Secure email integration: Users who want to compose a new email or perform tasks such as attaching a document are redirected from the MAF application to the AirWatch Secure Email client. AirWatch provides URL schemes to launch the secure email client. Tapping on a GoLink within a MAF application launches the AirWatch Secure Email client. The EMM administrator sets policies in the AirWatch console. When the secure email client is launched, the policies are applied to the application, and compliance with the policies decides whether the user is allowed to attach files or is blocked from doing so.

Information about the AirWatch EMM platform is available at https://www.vmware.com/products/enterprise-mobility-management.html and AirWatch documentation is available at https://resources.air-watch.com/category/Documentation.

31.6 Configuring Properties in MAF Applications for Use by EMM Solutions

Configure the properties in the maf-application.xml file of your application using the <adfmf:emmAppConfig> element. Administrators of EMM software configure values for these properties, and the EMM software sends those values to the application when it is deployed to users.

The following sample maf-application.xml file shows a number of properties that are defined.

<adfmf:emmAppConfig>
  <!-- Each property declares a key, its data type, and a description shown to the EMM administrator -->
  <adfmf:property name="serverURL" type="String" description="URL to connect the backend service"/>
  <adfmf:property name="port" type="Integer" description="Port number of the backend service"/>
  <adfmf:property name="enableEncryption" type="Boolean" description="Turn on app level encryption"/>
  <adfmf:property name="refreshDate" type="Date" description="Date on which application will be refreshed"/>
</adfmf:emmAppConfig>

An EMM administrator configures values for these properties in an EMM console. The EMM software then pushes the values to the devices on which your MAF application is installed. This feature is only supported for MAF applications that are deployed to the Android and iOS platforms. Make sure that the EMM software supports the data types that you specify in the <adfmf:emmAppConfig> element. In the example above, the specified properties have the following data types: String, Integer, Boolean, and Date.

See the documentation of the EMM vendor for information about how to configure the corresponding property values in the EMM console and the data types that the EMM software supports.

You can read the property values in the application lifecycle of your MAF application using the #{EMMConfigProperties} EL expression. For example, write an EL expression as follows to read the value of the serverURL property: #{EMMConfigProperties.serverURL}

You can also register your property change listener to listen to property changes by invoking the following:
EMMAppConfigScope.getInstance().addPropertyChangeListener(this);
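The following is an added example, not code from the MAF documentation, that ties the access-control-by-configuration method of section 31.3 to the property reading and change-listener calls of this section: the application treats an EMM-pushed Boolean key as a fail-closed gate, so an unmanaged install that never receives the key is denied. The key name accessAllowed is hypothetical, the package locations of EMMAppConfigScope and the MAF PropertyChangeListener/PropertyChangeEvent types are assumed, and AdfmfJavaUtilities.evaluateELExpression is assumed to return the raw Object value of the expression.

```java
import oracle.adfmf.framework.api.AdfmfJavaUtilities;  // evaluateELExpression (package assumed)
import oracle.adfmf.framework.EMMAppConfigScope;        // package assumed; getInstance() is from the page
import oracle.adfmf.java.beans.PropertyChangeEvent;     // MAF property-change types (package assumed)
import oracle.adfmf.java.beans.PropertyChangeListener;

/** Fail-closed access gate driven by configuration pushed from the EMM console. */
public class EmmAccessGate implements PropertyChangeListener {

    // Hypothetical Boolean key the EMM administrator sets alongside serverURL.
    private static final String ACCESS_KEY = "accessAllowed";
    private static final String SERVER_KEY = "serverURL";

    private volatile boolean accessGranted = false;   // deny until the EMM has spoken

    /** Call once from the application lifecycle (for example, at start). */
    public void start() {
        // Re-evaluate whenever the EMM pushes new values (call is from the page).
        EMMAppConfigScope.getInstance().addPropertyChangeListener(this);
        reevaluate();
    }

    @Override
    public void propertyChange(PropertyChangeEvent evt) {
        // Pushed values arrive asynchronously; never cache a stale decision.
        reevaluate();
    }

    public boolean isAccessGranted() {
        return accessGranted;
    }

    private void reevaluate() {
        Object allowed = AdfmfJavaUtilities.evaluateELExpression("#{EMMConfigProperties." + ACCESS_KEY + "}");
        Object server  = AdfmfJavaUtilities.evaluateELExpression("#{EMMConfigProperties." + SERVER_KEY + "}");
        accessGranted = decide(allowed, server);
    }

    /**
     * Pure decision logic: a missing key (unmanaged device), a non-Boolean value
     * (type mismatch in the EMM console) or a plaintext backend URL all deny access.
     */
    static boolean decide(Object allowed, Object serverUrl) {
        if (!(allowed instanceof Boolean) || !((Boolean) allowed)) {
            return false;
        }
        if (!(serverUrl instanceof String)) {
            return false;
        }
        return ((String) serverUrl).trim().toLowerCase().startsWith("https://");
    }
}
```

Keeping decide() free of framework calls lets the deny-by-default rules be unit tested without a device or an EMM server.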