EASE evaluates most application policies whenever the user opens the app, brings it to the foreground, or returns to it from a locked screen. (With some policies, EASE does not count multiple launches within a minute. These exceptions are described in the policy descriptions in Application Policies.) When evaluating policies, EASE blurs the app screen and displays a spinner. To the user, this looks like part of the process of starting the app, and it is typically quite fast; sometimes the user will not even notice the spinner. Depending on the types of policies you have applied, you may wish to evaluate policies less frequently to improve the user's experience with the application. For instructions, see Set the Policy Evaluation Frequency.
When evaluating some application policies, EASE will attempt to communicate with the EASE server to fetch the latest settings. If you have an application that is wrapped with policies and connects to the network through a VPN, you should ensure that your VPN gateway can access the EASE server. To obtain the IP address(es) you need to whitelist for your gateway, contact email@example.com.
To adapt to changing business needs or to take advantage of new application policies, you can modify the policies applied to an application—even after the app is already deployed to users. Most policy changes take effect immediately, but some require you to re-wrap the app and deploy an update to users. This depends on whether the policy you are adding or changing is a dynamic or static policy:
- Dynamic policies are updated on the EASE server. Once you have applied policies to the app, you can add and modify those dynamic policies “on the fly”—without having to rewrap, re-sign, or deploy an update.
- Static application policies are embedded in the application wrapper. If you add or change a static policy, EASE needs to rewrap the app. Whenever an app is rewrapped, you need to re-sign it and then deploy the update.
As a best practice, Apperian recommends that you reapply policies to any applications that have not been wrapped in six months or longer. This will ensure that your applications take advantage of any recent enhancements, fixes, and optimizations to the policy wrapper. After you reapply policies to an application, you need to re-sign it and redistribute it to your users. For instructions, see Rewrap an Application.
Using Policies with Unregistered Users
EASE supports a universal app distribution model that allows you to securely deploy and manage mobile apps through a variety of distribution methods. With some of these distribution methods, such as the App Catalog, EASE will know the identity of the app user; that is, the user will be a registered, authenticated user with EASE. With other methods, such as sending a Direct Install URL, mobile device users can download and install apps even if they are not registered with EASE and do not have the App Catalog installed.
If you want to apply policies to an app that you will distribute to unregistered users, you should enable the "No-Registration Policies" setting for your organization. When the "No-Registration Policies" setting is enabled, you will see an option on the Policies tab that, when selected, allows you to apply only those policies that work with unregistered users.
The following policies are currently supported with unregistered users:
- App Usage
- Collect Crash Reports
- Self Updating App
- App Expiration
- Secure Microtunnel
- Local App Authentication
- Encrypted Data at Rest
- Data Sharing
- Client Certificates
- Server Certificates
Some policies will never be supported with unregistered users because they do not make sense in that context. For example, the purpose of the Enterprise SSO policy is to secure an app at launch time by prompting the user to authenticate using the same authentication method used when logging in to the App Catalog; therefore, it doesn't make sense to apply the Enterprise SSO policy to an unregistered user.
If you apply the Self Updating App policy to an application, you must also mark the application for Direct Install in order for an unregistered user to install the update. If the app is not marked for Direct Install, the user will still be prompted when an update is available, but an error will display if the user taps Yes to install it.
For instructions on enabling a document for Direct Install, see Enable Direct Install.
For instructions on enabling no-registration policies for your organization, see Enable No-Registration Policies.
List of Policies
Click on a policy in the table below for more information, including a description of the mobile user's experience when the policy is enabled.
|Policy||Description||Dynamic/Static||Works with Unregistered Users|
|App Usage||Tracks usage of an app.|| ||Yes|
|Collect Crash Reports||When an iOS application crashes, a crash report is stored on the device. The report describes the conditions under which the application terminated, and is useful for debugging issues in the application. Any time an app wrapped with this policy crashes, EASE collects the crash report from the device and lists it on the Crash Reports tab of the app’s details page. From that list, you can view reports and export reports to send to developers for further analysis.|| ||Yes|
|Enterprise SSO||Restricts access to the application using the same authentication method configured for EASE (either EASE built-in authentication or Single Sign-On). This policy is useful when, for example, an employee's device falls into the wrong hands; the unauthorized individual will not have credentials to log in to EASE and will therefore be blocked from using the app.||Dynamic||Authenticating the user is the purpose of the app.|
|Self Updating App||Allows an app to "self-update" at launch time by checking for a new version and prompting the user to install when one is available.|| ||Yes|
|Data Wipe||Enables an EASE Administrator to delete all user data from an application on a selected device.||Dynamic||No|
|Runtime Integrity Check||Calculates the checksum of the app at runtime and compares it with the checksum stored in the EASE database for that same version of the app. If the checksums do not match, the app will not open. This policy ensures that a user cannot run an app that was downloaded or installed incorrectly, or compromised in some way after it was installed.||Dynamic||No|
|Require MDM Enrollment||Checks if a device is enrolled in Mobile Device Management (MDM), and blocks the user from opening and using the app if it is not.|| || |
|Data Protection Enforcement (iOS apps only)||Ensures that an application can be used on a device only when its content is secured using Apple's iOS Data Protection. iOS Data Protection is a built-in capability that encrypts data stored on an iOS device whenever the device is locked.|| || |
| ||Blocks users from running apps on jailbroken (iOS) or rooted (Android) devices.|| || |
|App Expiration||Blocks users from running the application outside of a defined access period (start and end date).||Dynamic||Yes|
|Open Web Page||Opens a browser window to a specified web page after the user opens the app a predefined number of times. Use this policy, for example, to administer a survey to collect feedback about an app after a user has opened the app 10 times.||Dynamic||No|
|Apple On-Demand VPN (iOS apps only)||Establishes a pre-configured VPN connection and prompts for VPN credentials whenever the user opens the application. Use this policy to help prevent malicious apps from accessing your corporate network, and to ensure apps are used on a secure network only. To work, the device must be running iOS 8 or higher. Apps using this policy must be signed with a mobile provisioning profile that has the Personal VPN entitlement enabled.||Dynamic||No|
|Pulse Secure VPN (iOS apps only)||Establishes a pre-configured Pulse Secure® VPN connection and prompts for VPN credentials when the user opens the application. Use this policy to provide apps with access to resources in your secure corporate network. To use this policy, you need access to a Pulse Connect Secure VPN gateway and will need to provide a URL for connecting to that gateway. Applications with this policy applied can run only on devices running iOS 8 or higher.|| || |
|App Password (iOS apps only)||Protects the application by requiring the user to enter a user-set password before granting access to the app. To work, the device must be running iOS 8 or higher.||Static||No|
|Check Location Services (iOS apps only)||Checks that Location Services are activated for the device and that Location Access is allowed for the app.||Dynamic||No|
|Application Update Compliance||Allows you to define a grace period for applying a mandatory update. EASE considers a user's device to be noncompliant if a mandatory update is not installed within the grace period. EASE automatically disables all noncompliant devices, which means users cannot log in to the App Catalog or open any apps that are wrapped with the Enterprise SSO policy on those devices. If a user has the App Catalog on multiple devices and all the devices are noncompliant, EASE automatically disables the user in addition to disabling the devices. Disabled users have to contact the administrator to be re-enabled. Note that you apply the Application Update Compliance policy when you edit an app to upload a new version of the binary file.||This policy is not applied as part of the policy wrapper.||N/A|
|Secure Microtunnel||Establishes a secure VPN connection between the application and your enterprise network's Atlas Gateway. You must have the Blue Cedar Networks Atlas Platform to use this policy.|| ||Yes|
|Local App Authentication||Protects apps by requiring the user to authenticate before opening the app. The user can authenticate with a user-set passphrase or a fingerprint (if fingerprint authentication is enabled for the policy and supported on the device).||Static||Yes|
|Encrypted Data at Rest||Protects each piece of application data before saving it on the mobile device. When the app needs an encrypted piece of data, the policy decrypts it on the fly.||Static||Yes|
|Data Sharing||Prevents data leakage by prohibiting the user from copying and pasting data between an app protected with this policy and other apps that are not protected with this policy.||Static||Yes|
|Client Certificates||Obtains a client certificate from your Atlas Gateway server and stores it on the user's device. The application can then present this certificate to sites it needs to access, thereby allowing the user to skip additional logins and have a smoother mobile experience. You must have the Blue Cedar Networks Atlas Platform to use this policy.||Static||Yes|
|Server Certificates||Lets you upload one or more trusted SSL (X.509) certificates that the app can then use when establishing an SSL connection with the servers it needs to access. Similar to how browsers have a pre-installed list of trusted SSL certificates, this policy lets you pre-install a list of certificates on a per-app basis.||Static||Yes|
While policies are supported with native iOS and Android apps only, the hybrid apps feature provides a way to also apply policies to web apps. A hybrid app delivers a web app as part of a native iOS or Android app. Therefore, like any other iOS or Android app, you can apply policies to it. For more information, see Hybrid Applications (Delivering a Web App as a Native App).
Application Policies Workflow
The following table describes the typical workflow for implementing app policies within an EASE implementation.
|Step||For instructions, see...|
Define app policy defaults for your EASE organization. Policy defaults represent your company's standard set of security and usage policies. You and other EASE administrators can alter these settings, as necessary, when applying policies to a specific app.
Optionally, you can configure the frequency at which an application's policies will be evaluated. The default is Always, which evaluates policies whenever the user launches the app, brings it to the foreground, or returns to it from a locked screen.
If you plan to apply the Secure Microtunnel policy to any apps, during this step you will need to create one or more VPN connections.
Apply policies to a specific app. You apply most policies from the Policies tab on the app's Details page. You apply the Application Update Compliance policy on the Edit an Application page when you upload a new version of the application's binary file.
Depending on which policies you applied, you may need to update the app in EASE to deploy the new version to your users. EASE provides a system message indicating whether an update is required.
When an update is required, you need to sign the updated app. EASE provides two methods for signing the wrapped app:
When you use the signing server, you are given options to automatically enable the app and notify users about the update after signing is complete.
When you use the signing script, you will need to edit the app to upload the new version, enable it, and notify users of the update.
Use the Policies page of the EASE Portal to perform the following tasks:
- Modify the default settings that display on the Policies tab for an app.
- Create the VPN connections used with the Secure Microtunnel policy.
- List which apps are currently wrapped with each policy.