Application policies are business logic rules that you can apply to individual iOS and Android apps in your EASE organization. Applying policies—also referred to as wrapping an app—is done post-development, without requiring any code changes or SDKs. Policies provide added layers of security, management, and measurement capabilities to support corporate requirements and enhance your users' mobile experience. For example, the Jailbreak Protection policy protects enterprise data by blocking users from running apps on jailbroken devices and the App Usage policy tracks an app's usage. 

When you wrap an app with policies, your choices are flexible; you can apply one policy or multiple policies.

See the List of Policies below for a description of all available policies.

 

How Policies Work

When you first apply policies to an app, EASE creates an application wrapper that defines its policies. Through the EASE Portal, you can sign the wrapped app and deploy it to your users. 

Because the application wrapper is provided as a layer around the app, it does not alter the functionality or performance of the app, nor does it compromise the user experience in any way.  On the device, EASE evaluates policies whenever the user opens the app. During that evaluation, action is taken as necessary. For example, if an app is wrapped with the Self Updating App policy, EASE checks if there is a new version of the app available and prompts the user to install it if there is. 

 

EASE evaluates most application policies whenever the user opens the app, brings it to the foreground, or returns to it from a locked screen. (With some policies, EASE does not count multiple launches within a minute. These exceptions are described in the policy descriptions in Application Policies.) When evaluating policies, EASE blurs the app screen and displays a spinner. To the user, this looks like part of the process of starting the app, and it is typically quite fast; sometimes the user will not even notice the spinner. Depending on the types of policies you have applied, you may wish to evaluate policies less frequently to improve the user's experience with the application. For instructions, see Set the Policy Evaluation Frequency.

When evaluating some application policies, EASE will attempt to communicate with the EASE server to fetch the latest settings. If you have an application that is wrapped with policies and connects to the network through a VPN, you should ensure that your VPN gateway can access the EASE server. To obtain the IP address(es) you need to whitelist for your gateway, contact support@apperian.com.

To adapt to changing business needs or to take advantage of new application policies, you can modify the policies applied to an application—even after the app is already deployed to users. Most policy changes take effect immediately, but some require you to re-wrap the app and deploy an update to users. This depends on whether the policy you are adding or changing is a dynamic or static policy:

  • Dynamic policies are updated on the EASE server. Once you have applied policies to the app, you can add and modify those dynamic policies “on the fly”—without having to rewrap, re-sign, or deploy an update. 
      
  • Static application policies are embedded in the application wrapper. If you add or change a static policy, EASE needs to rewrap the app. Whenever an app is rewrapped, you need to re-sign it and then deploy the update. 

When you apply policies, you do not need to think about whether a policy is static or dynamic; EASE guides you through the process and prompts you to sign and deploy an update if needed.

Best Practice

As a best practice, Apperian recommends that you reapply policies to any applications that have not been wrapped in six months or longer. This will ensure that your applications take advantage of any recent enhancements, fixes, and optimizations to the policy wrapper.  After you reapply policies to an application, you need to re-sign it and redistribute it to your users. For instructions, see Rewrap an Application.

Using Policies with Unregistered Users

EASE supports a universal app distribution model that allows you to securely deploy and manage mobile apps through a variety of distribution methods. With some of these distribution methods, such as the App Catalog, EASE will know the identity of the app user; that is, the user will be a registered, authenticated user with EASE. With other methods, such as sending a Direct Install URL, mobile device users can download and install apps even if they are not registered with EASE and do not have the App Catalog installed.

If you want to apply policies to an app that you will distribute to unregistered users, you should enable the "No-Registration Policies" setting for your organization. When the "No-Registration Policies" setting is enabled, you will see an option on the Policies tab that, when selected, allows you to apply only those policies that work with unregistered users. 

The following policies are currently supported with unregistered users:

  • App Usage
  • Collect Crash Reports
  • Self Updating App
  • App Expiration
  • Secure Microtunnel
  • Local App Authentication
  • Encrypted Data at Rest
  • Data Sharing
  • Client Certificates
  • Server Certificates

Some policies will never be supported with unregistered users because they do not make sense in that context. For example, the purpose of the Enterprise SSO policy is to secure an app at launch time by prompting the user to authenticate using the same authentication method used when logging in to the App Catalog; therefore, it doesn't make sense to apply the Enterprise SSO policy to an unregistered user.

If you apply the Self Updating App policy to an application, you must also mark the application for Direct Install in order for an unregistered user to install the update. If the app is not marked for Direct Install, the user will still be prompted when an update is available, but an error will display if the user taps Yes to install it.

For instructions on enabling a document for Direct Install, see Enable Direct Install.

For instructions on enabling no-registration policies for your organization, see Enable No-Registration Policies.
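
The static/dynamic rules from "How Policies Work" and the unregistered-user rules in this section, combined into an offline pre-flight check for a planned policy change. This is an added example, not Apperian code: `plan_change` and its parameters are hypothetical names, the policy sets are transcribed from the List of Policies on this page, and nothing here calls EASE.

```python
# Added example: an offline model of this page's rules; it does not call EASE.
# Policy names and classes are transcribed from the page's List of Policies.
# Application Update Compliance is omitted: it is not part of the wrapper.
STATIC = {
    "Pulse Secure VPN", "App Password", "Secure Microtunnel",
    "Local App Authentication", "Encrypted Data at Rest", "Data Sharing",
    "Client Certificates", "Server Certificates",
}
DYNAMIC = {
    "App Usage", "Collect Crash Reports", "Enterprise SSO",
    "Self Updating App", "Data Wipe", "Runtime Integrity Check",
    "Require MDM Enrollment", "Data Protection Enforcement",
    "Jailbreak/Root Protection", "App Expiration", "Open Web Page",
    "Apple On-Demand VPN", "Check Location Services",
}
UNREGISTERED_OK = {
    "App Usage", "Collect Crash Reports", "Self Updating App",
    "App Expiration", "Secure Microtunnel", "Local App Authentication",
    "Encrypted Data at Rest", "Data Sharing", "Client Certificates",
    "Server Certificates",
}


def plan_change(already_wrapped, changed, unregistered=False,
                direct_install=False):
    """Hypothetical helper: follow-up work for adding or changing `changed`."""
    changed = set(changed)
    unknown = sorted(changed - STATIC - DYNAMIC)
    if unknown:
        raise ValueError(f"not in the List of Policies: {unknown}")
    static = sorted(changed & STATIC)
    # The first wrap creates the wrapper, so it is always signed and deployed.
    # After that, only a static policy change forces rewrap, re-sign, deploy.
    rewrap = (not already_wrapped) or bool(static)
    problems = []
    if unregistered:
        problems += [f"{p}: not supported with unregistered users"
                     for p in sorted(changed - UNREGISTERED_OK)]
        # Without Direct Install the update prompt appears but install fails.
        if "Self Updating App" in changed and not direct_install:
            problems.append("Self Updating App: mark the app for Direct Install")
    return {"rewrap_sign_deploy": rewrap, "static": static,
            "problems": problems}
```
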

List of Policies

Click on a policy in the table below for more information, including a description of the mobile user's experience when the policy is enabled. 

| Policy | Description | Dynamic/Static | Works with Unregistered Users |
|---|---|---|---|
| App Usage | Tracks usage of an app. | Dynamic | Yes |
| Collect Crash Reports | When an iOS application crashes, a crash report is stored on the device. The report describes the conditions under which the application terminated, and is useful for debugging issues in the application. Any time an app wrapped with this policy crashes, EASE collects the crash report from the device and lists it on the Crash Reports tab of the app’s details page. From that list, you can view reports and export reports to send to developers for further analysis. | Dynamic | Yes |
| Enterprise SSO | Restricts access to the application using the same authentication method configured for EASE (either EASE built-in authentication or Single Sign-On). This policy is useful when, for example, an employee's device falls into the wrong hands; the unauthorized individual will not have credentials to log in to EASE and will therefore be blocked from using the app. | Dynamic | N/A. Authenticating the user is the purpose of the app. |
| Self Updating App | Allows an app to "self-update" at launch time by checking for a new version and prompting the user to install when one is available. | Dynamic | Yes |
| Data Wipe | Enables an EASE Administrator to delete all user data from an application on a selected device. | Dynamic | No |
| Runtime Integrity Check | Calculates the checksum of the app at runtime and compares it with the checksum stored in the EASE database for that same version of the app. If the checksums do not match, the app will not open. This policy ensures that a user cannot run an app that was downloaded or installed incorrectly, or compromised in some way after it was installed. | Dynamic | No |
| Require MDM Enrollment | Checks if a device is enrolled in Mobile Device Management (MDM), and blocks the user from opening and using the app if it is not. | Dynamic | No |
| Data Protection Enforcement (iOS apps only) | Ensures that an application can be used on a device only when its content is secured using Apple's iOS Data Protection. iOS Data Protection is a built-in capability that encrypts data stored on an iOS device whenever the device is locked. | Dynamic | No |
| Jailbreak/Root Protection | Blocks users from running apps on jailbroken (iOS) or rooted (Android) devices. | Dynamic | No |
| App Expiration | Blocks users from running the application outside of a defined access period (start and end date). | Dynamic | Yes |
| Open Web Page | Opens a browser window to a specified web page after the user opens the app a predefined number of times. Use this policy, for example, to administer a survey to collect feedback about an app after a user has opened the app 10 times. | Dynamic | No |
| Apple On-Demand VPN (iOS apps only) | Establishes a pre-configured VPN connection and prompts for VPN credentials whenever the user opens the application. Use this policy to help prevent malicious apps from accessing your corporate network, and to ensure apps are used on a secure network only. To work, the device must be running iOS 8 or higher. Apps using this policy must be signed with a mobile provisioning profile that has the Personal VPN entitlement enabled. | Dynamic | No |
| Pulse Secure VPN (iOS apps only) | Establishes a pre-configured Pulse Secure® VPN connection and prompts for VPN credentials when the user opens the application. Use this policy to provide apps with access to resources in your secure corporate network. To use this policy, you need access to a Pulse Connect Secure VPN gateway and will need to provide a URL for connecting to that gateway. Applications with this policy applied can run only on devices running iOS 8 or higher. | Static | No |
| App Password (iOS apps only) | Protects the application by requiring the user to enter a user-set password before granting access to the app. To work, the device must be running iOS 8 or higher. | Static | No |
| Check Location Services (iOS apps only) | Checks that Location Services are activated for the device and that Location Access is allowed for the app. | Dynamic | No |

If a user installs an app that is wrapped with any of the above policies, and that user is later disabled or deleted, EASE will block the user from running the app. 

| Policy | Description | Dynamic/Static | Works with Unregistered Users |
|---|---|---|---|
| Application Update Compliance | Allows you to define a grace period for applying a mandatory update. EASE considers a user's device to be noncompliant if a mandatory update is not installed within the grace period. EASE automatically disables all noncompliant devices, which means users cannot log in to the App Catalog or open any apps that are wrapped with the Enterprise SSO policy on those devices. If a user has the App Catalog on multiple devices and all the devices are noncompliant, EASE automatically disables the user in addition to disabling the devices. Disabled users have to contact the administrator to be re-enabled. Note that you apply the Application Update Compliance policy when you edit an app to upload a new version of the binary file. | This policy is not applied as part of the policy wrapper. | N/A |

The following policies use Blue Cedar Networks Mobile App Protection (MAP); the ability to apply these policies is disabled by default. If you are interested in applying MAP policies, contact your Apperian Account Manager at sales@apperian.com.

All MAP policies are static.

| Policy | Description | Dynamic/Static | Works with Unregistered Users |
|---|---|---|---|
| Secure Microtunnel | Establishes a secure VPN connection between the application and your enterprise network's Atlas Gateway. You must have the Blue Cedar Networks Atlas Platform to use this policy. | Static | Yes |
| Local App Authentication | Protects apps by requiring the user to authenticate before opening the app. The user can authenticate with a user-set passphrase or a fingerprint (if fingerprint authentication is enabled for the policy and supported on the device). | Static | Yes |
| Encrypted Data at Rest | Protects each piece of application data before saving it on the mobile device. When the app needs an encrypted piece of data, the policy decrypts it on the fly. | Static | Yes |
| Data Sharing | Prevents data leakage by prohibiting the user from copying and pasting data between an app protected with this policy and other apps that are not protected with this policy. | Static | Yes |
| Client Certificates | Obtains a client certificate from your Atlas Gateway server and stores it on the user's device. The application can then present this certificate to sites it needs to access, thereby allowing the user to skip additional logins and have a smoother mobile experience. You must have the Blue Cedar Networks Atlas Platform to use this policy. | Static | Yes |
| Server Certificates | Lets you upload one or more trusted SSL (X.509) certificates that the app can then use when establishing an SSL connection with the servers it needs to access. Similar to how browsers have a pre-installed list of trusted SSL certificates, this policy lets you pre-install a list of certificates on a per-app basis. | Static | Yes |

While policies are supported with native iOS and Android apps only, the hybrid apps feature provides a way to also apply policies to web apps. A hybrid app delivers a web app as part of a native iOS or Android app. Therefore, like any other iOS or Android app, you can apply policies to it. For more information, see Hybrid Applications (Delivering a Web App as a Native App).

Application Policies Workflow

The following table describes the typical workflow for implementing app policies within an EASE implementation.

| Step | Description | For instructions, see... |
|---|---|---|
| 1 | Define app policy defaults for your EASE organization. Policy defaults represent your company's standard set of security and usage policies. You and other EASE administrators can alter these settings, as necessary, when applying policies to a specific app. Optionally, you can configure the frequency at which an application's policies will be evaluated. The default is Always, which evaluates policies whenever the user launches the app, brings it to the foreground, or returns to it from a locked screen. If you plan to apply the Secure Microtunnel policy to any apps, during this step you will need to create one or more VPN connections. | Set Application Policy Defaults; Set the Policy Evaluation Frequency; Create a VPN Connection |
| 2 | Apply policies to a specific app. You apply most policies from the Policies tab on the app's Details page. You apply the Application Update Compliance policy on the Edit an Application page when you upload a new version of the application's binary file. | Apply Policies to an Application; Edit or Update an Application |
| 3 | Depending on which policies you applied, you may need to update the app in EASE to deploy the new version to your users. EASE provides a system message indicating whether an update is required. When an update is required, you need to sign the updated app. For more information, see About Signing. | Sign an App (EASE); Sign an App (Signing Package) |

Policies Page

Use the Policies page of the EASE Portal to perform the following tasks:

  • Modify the default settings that display on the Policies tab for an app.
  • Create the VPN connections used with the Secure Microtunnel policy.
  • List which apps are currently wrapped with each policy.

For instructions, see Set Application Policy Defaults and Create a VPN Connection.