Introduction

The AppConfig community streamlines the adoption and deployment of mobile enterprise apps by providing developers a standard approach to app configuration and management, building upon the extensive app security and configuration frameworks available in iOS. Working together, the members of the AppConfig Community are making it simpler for developers to implement a consistent set of controls so that enterprise IT administrators can easily configure and manage apps from any participating EMM platform.

iOS Capabilities Summary

Capability | Summary of the AppConfig Community best practices
App Configuration | Develop iOS 7+ Managed Configuration into the application.
App Tunnel | Leverage the “Per-app VPN” capability available in most commercial VPN solutions and in iOS 9+. No development required.
Single Sign-On | Implement a standard single sign-on protocol, such as SAML, and invoke the identity provider login page in a web view.
App Security – Passcode / TouchID | Use iOS 7+ “Managed Configuration” to set the pincode or TouchID settings on the application.
App Security – Managed Open-In | Set the “managed open in” control provided by the EMM provider to restrict the native open-in capability. No development required. Applications that have additional document sharing or syncing capabilities should use iOS 7+ “Managed Configuration” to set the document sharing and syncing policy on the application.
App Security – Prevent App Backup | Set the “prevent app backup” security control provided by the EMM provider to prevent app data backup in iTunes. No development required.
App Security – Disable Screen Capture | Set the “prevent screen capture” security control provided by the EMM provider (iOS 9+) to restrict the native screenshot capability. No development required.
App Security – Enforce App Encryption | Set the device passcode security control provided by the EMM provider to enforce the native iOS data protection encryption. No development required.
App Security – Remotely Wipe App | Distribute the app to the device as a managed application using the EMM tool so that the app can be remotely wiped from the device. No development required.
App Security – Disable Copy-Paste | Use iOS 7+ “Managed Configuration” to set the copy/paste policy on the application.

App Configuration

Use Case

Many enterprise applications require users to enter a URL, port, email address, and various other settings as part of a one-time setup of an application. These manual configurations can impact the adoption and success of an organization’s mobile app initiatives, increase the burden on a help desk fielding calls from users, and add the burden of maintaining documentation that must be updated frequently as new updates to the application are made available.

By leveraging the native APIs recommended by the AppConfig Community, these configurations can be automatically set remotely by the EMM server. This simplifies the setup process for end users, and alleviates the help desk and documentation burden. An app developer can define a set of configuration keys it accepts from an EMM server. An IT administrator can simply set the keys and values in the EMM provider’s management console and they will be pushed to the app.

Apps commonly implement the following types of configurations:
  • Backend service configuration: server URL, port, use SSL, group/tenant code
  • User configuration: username, email, domain
Standard configuration keys for enterprise apps are included in Appendix I of this document.

How it Works
Requirements
  • iOS 7+ device enrolled with Apple’s mobile device management protocol
  • App is developed with iOS “Managed Configuration” capabilities built in
  • Distribute app via an EMM vendor that supports “Managed Configuration”
Process Flow
  • App developer adds “Managed Configuration” capability into the app
  • App developer creates XML definition file (See Appendix) documenting the configurations that the app supports
  • App developer makes the app available to the organization. The application can be a public app in the iTunes store, or may be an internally developed app signed for enterprise distribution.
  • Configurations are specified in the EMM admin console (contact your EMM vendor for documentation)
  • App is distributed to devices, along with the configurations specified, via the EMM.
Developer Requirements

Since the release of iOS 7, MDMs have the ability to write to the NSUserDefaults of a managed application. An enterprise developer’s responsibility is now to build their applications to read these values and implement logic to handle the values received. To do this, additional code is needed to read the NSUserDefaults dictionary.

The following 3 steps outline instructions for a developer to implement this capability.

Step 1:

Implement code to read the NSUserDefaults com.apple.configuration.managed dictionary
Apple Developer References:
https://developer.apple.com/library/ios/samplecode/sc2279/Introduction/Intro.htm
Snapshot of sample code for convenience:

  // Read one value from the managed configuration dictionary the EMM pushed via MDM; the dictionary, and so keyValue, is nil when the app is not managed.
  NSString *keyValue = [[[NSUserDefaults standardUserDefaults] dictionaryForKey:@"com.apple.configuration.managed"] objectForKey:@"keyName"];
Step 2:

Create an XML definition file to document the configurations your app supports
This XML file defines a standard schema for documenting the accepted configuration keys and values that your app supports. Many EMM vendors can automatically parse these files in the EMM admin console.
Developer reference: Visit Appendix
Contact your EMM vendor of choice for additional assistance

Step 3:

Make your app available
Follow the instructions on the AppConfig website to submit your app to be verified and listed online.
The application can be a public app in the iTunes store, or may be an internally developed app signed for enterprise distribution.

Note: The app must be distributed as a “managed” application via the EMM provider per the Apple MDM protocol. The EMM provider has direct access via Apple’s MDM protocol to send configurations to the NSUserDefaults managed configuration dictionary.
Note: Sensitive information such as passwords or certificates should not be sent to the device using this approach.

  • Apple iOS provides built-in validation of the EMM system writing to the managed configurations, but it does not encrypt these configuration values. Apple iOS only allows a device to be associated with a single EMM server, and only this EMM server can write to the managed configurations section of the application.
  • The EMM system is responsible for detecting and taking remediation action on a device that has been compromised or jailbroken that may expose the managed configurations.
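The Step 1 read, carried a little further in an added Swift example that is not code from the AppConfig Community or from Apple’s sample: it reads the com.apple.configuration.managed dictionary, validates the backend keys before the app trusts them (a mistyped value in the EMM console should fail visibly), and re-reads when the EMM pushes new values. The key names serverURL, serverPort, useSSL and username are this example’s own choices, not the standard key list from the Appendix.

```swift
import Foundation

/// Settings derived from the managed configuration dictionary after validation.
/// Key names follow the page's backend/user categories but are this example's own.
struct BackendConfig {
    let serverURL: URL
    let port: Int
    let useSSL: Bool
    let username: String?
}

/// notManaged: the dictionary is absent, i.e. the EMM has not pushed a configuration.
enum ManagedConfigError: Error { case notManaged, missingKey(String), invalidValue(String) }

final class ManagedConfigReader {
    static let managedDictionaryKey = "com.apple.configuration.managed"
    private let defaults: UserDefaults
    init(defaults: UserDefaults = .standard) { self.defaults = defaults }
    /// Reads the dictionary the EMM wrote through the MDM protocol and validates it:
    /// a mistyped console value should fail loudly rather than silently misroute traffic.
    func load() throws -> BackendConfig {
        guard let dict = defaults.dictionary(forKey: ManagedConfigReader.managedDictionaryKey) else {
            throw ManagedConfigError.notManaged
        }
        guard let urlString = dict["serverURL"] as? String,
              let url = URL(string: urlString), let host = url.host, !host.isEmpty else {
            throw ManagedConfigError.missingKey("serverURL")
        }
        let useSSL = dict["useSSL"] as? Bool ?? true
        if useSSL && url.scheme?.lowercased() != "https" {
            throw ManagedConfigError.invalidValue("serverURL must be https when useSSL is true")
        }
        let port = dict["serverPort"] as? Int ?? (useSSL ? 443 : 80)
        guard (1...65535).contains(port) else {
            throw ManagedConfigError.invalidValue("serverPort")
        }
        return BackendConfig(serverURL: url, port: port, useSSL: useSSL,
                             username: dict["username"] as? String)
    }

    /// The EMM can push new values while the app runs; keep the returned token alive to keep observing.
    func observeChanges(_ handler: @escaping (Result<BackendConfig, Error>) -> Void) -> NSObjectProtocol {
        NotificationCenter.default.addObserver(forName: UserDefaults.didChangeNotification,
                                               object: nil, queue: .main) { [weak self] _ in
            guard let self = self else { return }
            handler(Result { try self.load() })
        }
    }
}
```

Because the managed dictionary is not encrypted on the way to the app, nothing here expects a password or certificate in it; credentials stay with the identity provider flow described under Single Sign-On.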

EMM Setup
Please contact your EMM vendor for documentation specific to their system.

App Tunnel

Use Case

An application may require access to web services residing behind a corporate firewall, which requires a secure app tunnel connection between the app on the device and the backend services. A common use case for cloud-based public apps is the ability to federate authentication to an organization’s identity provider (IDP) via SAML or a similar standard. Since some organizations deploy the SAML identity provider (IDP) on-premise in a way that is not publicly accessible, a secure app tunnel is required to authenticate and log in to the app.

Mobile operating systems have addressed this use case with a capability commonly referred to as “Per-App VPN”. Several common commercial VPN providers support Per-App VPN, and many EMM vendors offer their own Per-App VPN capability as well. Whichever Per-App VPN vendor you prefer, the EMM provider will typically be able to automatically distribute and enable the Per-App VPN on devices.

How it Works

Requirements:

  • iOS 9+ device enrolled with Apple’s mobile device management protocol (this capability is available on iOS 7+ devices, but Apple made several improvements in iOS 9)
  • VPN infrastructure deployed that supports the per-app VPN capability
  • No code changes are needed in the app to support this capability

Process Flow:

  1. Organization deploys any needed VPN infrastructure (contact your VPN provider for details)
  2. EMM vendor distributes the VPN app along with the per-App VPN configuration profile
  3. The end user opens an app that requires a backend connection, and the VPN will automatically turn on.
Developer Requirements

No code change is needed to your enterprise application to take advantage of this capability. The iOS operating system will automatically tunnel any TCP or UDP network calls based on the configuration profile sent from EMM.

Contact your EMM and VPN vendors of choice for specific details on setup and compatibility.

Single Sign-On

Use Case

Organizations want to allow users to log into an application using their existing work credentials, as well as customize the security around the login experience to require various factors of authentication. Once a user has logged into one application successfully, that login process should automatically translate to other applications so users do not have to enter their credentials multiple times.

Many organizations use federated authentication to an identity provider (IDP) to accomplish this. The IDP typically supports a standard (such as SAML) that is implemented by many app developers. The single sign-on capability documented by the AppConfig community specifies the best practice for how an app developer should invoke the IDP from the app in order to facilitate a single sign-on experience.

How it Works

Requirements:

  • iOS 7+ device enrolled with Apple’s mobile device management protocol.
  • App’s backend service must support identity federation to an organization’s identity provider (IDP) via a standard such as SAML.
  • App developer must invoke the identity provider’s login page via an in-app web view

Process Flow:

  1. Organization deploys any needed identity provider (IDP) infrastructure
  2. App developer builds support for the SAML (or equivalent) identity federation standard into the mobile app and the mobile app’s backend service
  3. The app is distributed to the device via the EMM
  4. When the app is launched, the user will see the identity provider’s login screen in a web view window
  5. The user may optionally have to authenticate to this page (your EMM vendor and Identity vendor may support automatically authenticating to this page without the user needing to enter his/her credentials manually, contact your EMM vendor or Identity vendor for details)
  6. Once the user is authenticated, any future apps that leverage the same identity provider will be able to detect the existing authenticated session and will not need to prompt the user to login again.
Developer Requirements

The following steps outline instructions for a developer to implement this capability.

Step 1: Support SAML or equivalent standard protocol within your app’s backend service

Sample code and documentation for this step is outside the scope of the AppConfig Community. Contact your identity provider (IDP) of choice for recommendations on how to accomplish this step.

Step 2: Invoke a web view window to display the IDP authentication page

Security Policies

Use Case

An organization requires granular security and data loss protection within enterprise applications to prevent sensitive data and documents from leaking outside company control. An app may also contain a capability that an enterprise wants to disable for security reasons, such as the ability to synchronize data with a public cloud file storage service. Some security capabilities are natively provided by the operating system and the EMM vendor without any code changes to the app; other capabilities require the app to implement a configuration that enables the security control. A summary of some of these capabilities is listed below, and an app developer can choose to implement a custom security policy as well.

Developer Requirements
App Security – Passcode / TouchID: Use iOS 7+ “Managed Configuration” to set the pincode or TouchID settings on the application.
App Security – Managed Open-In: Set the “managed open in” control provided by the EMM provider to restrict the native open-in capability. No development required.

EMM providers have the ability to deliver a configuration profile with a restrictions payload specifying “Allow Open From Managed To Unmanaged” and “Allow Open From Unmanaged To Managed.”

Applications that have additional document sharing or syncing capabilities should use iOS 7+ “Managed Configuration” to set the document sharing and syncing policy on the application.

App Security – Prevent App Backup: Set the “prevent app backup” security control provided by the EMM provider to prevent app data backup in iTunes. No development required.

Full Device:
App developers can prevent the backup of app data to cloud or computer storage like iCloud or iTunes. This is accomplished at a full device level through an MDM restriction profile for iOS.

Per-App:
A developer can enforce backup prevention on a per-app basis by using file save and keychain item attributes that do not permit the resource to be backed up, such as NSURLIsExcludedFromBackupKey and kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly. Reference the file save and keychain item attribute documentation for additional implementation details.
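The two per-app attributes above, shown in an added Swift example that is not part of the AppConfig document: a file is excluded from backup through URLResourceValues (the Swift form of NSURLIsExcludedFromBackupKey), and a secret is stored in the Keychain under kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, so it is never restored onto a different device. The type name BackupHardening and the service/account parameters are this example’s own.

```swift
import Foundation
import Security

/// Per-app backup hardening (added example; not from the AppConfig page).
enum BackupHardening {
    /// Marks a file so iTunes/iCloud backups skip it. This is the Swift spelling of
    /// NSURLIsExcludedFromBackupKey; it must be reapplied if the file is deleted and recreated.
    static func excludeFromBackup(_ fileURL: URL) throws {
        var url = fileURL
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(values)
    }

    /// Stores a secret under kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: the item
    /// cannot be restored from a backup onto any other device.
    static func storeDeviceBoundSecret(_ secret: Data, service: String, account: String) -> OSStatus {
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        _ = SecItemDelete(lookup as CFDictionary)   // replace any earlier copy of the item
        var add = lookup
        add[kSecValueData as String] = secret
        add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Reads the secret back; returns nil when absent or on any Keychain error.
    static func loadDeviceBoundSecret(service: String, account: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return item as? Data
    }
}
```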

App Security – Disable Screen Capture: Set the “prevent screen capture” security control provided by the EMM provider (iOS 9+) to restrict the native screenshot capability. No development required.
App Security – Enforce App Encryption: Set the device passcode security control provided by the EMM provider to enforce the native iOS data protection encryption. No development required. To learn more about iOS encryption and security, reference the iOS Security Guide.
App Security – Remotely Wipe App: Distribute the app to the device as a managed application using the EMM tool so that the app can be remotely wiped from the device. No development required.
App Security – Disable Copy-Paste: Use iOS 7+ “Managed Configuration” to set the copy/paste policy on the application.

Appendix – Developer Tools