
From the Policies page, you can modify the default settings that display on the Policies tab for an app (available when you display an app's Details page) before any changes are applied to that app. These defaults represent your organization's standard set of security policies. You and other EASE administrators can alter policy settings, as necessary, when applying policies to a specific app.

You can also modify the default settings for the Application Update Compliance policy that you can apply when you edit an application to upload a new version of the app binary.

For a description of each app policy, including an overview of the mobile user's experience, see Application Policies.

If you or another administrator changes the default settings at a later time, it has no effect on policies that have already been applied to an app.

 
To set the application policy defaults for your organization:

  1. On the EASE Portal navigation bar, click Policies.
      

  2. Click the right arrow by each policy to expand the list of options and then select the desired defaults. Note the behavior described in the following table. Defaults are set as soon as you select them; you do not need to apply your changes.

    The default options that you select will display on the Policies tab for an app only when the policy is enabled by default. For example, if you enter a minimum length and maximum age rule for the Local App Authentication policy, you will see those entries on the Policies tab only if you selected the Enabled by Default check box for the Local App Authentication policy on the Policies page.

    Defaults set on the Policies page will not display on the Policies tab for an app that already has policies applied to it.

    If you enable this policy by default... | Then...
    Open Web Page
    1. Select the number of times the user needs to open the application before a browser window will automatically open to a specified URL.
       
    2. Enter the URL for the web page that will open. Enter the URL in this form: Scheme://Domain/Path. The Scheme can be http or https.

    For example, the following settings specify that the https://www.example.com/appsurvey.html page will display after a user opens the app 10 times.

    When you apply this policy to an app, you can override one or both of these default settings.

    Apple On-Demand VPN (for iOS apps only)

    You cannot enable both this policy and the Pulse Secure VPN or Secure Microtunnel policy.

    If this policy is not listed, it means the feature is disabled for your organization. If you are interested in using this policy, contact Apperian Customer Support at support@apperian.com.

    Optionally define a default VPN configuration profile that will be added to the device when the user launches an app wrapped with this policy for the first time. For details, see Apple On-Demand VPN Configuration Profile Settings. You will be able to modify this default connection when you apply the policy to a specific app.

    Pulse Secure VPN (for iOS apps only)

    You cannot enable both this policy and the Apple On-Demand VPN or Secure Microtunnel policy for the same app.

    In the Connection URL field, modify or enter the URL for your Pulse Connect Secure VPN gateway.

    App Password (for iOS apps only)
    1. Select the minimum number of characters required for the password. (Valid Values: 6-16)

    2. Select password complexity requirements. Password complexity requirements are shown in the image below. (Valid Values: 0-10)

      When you apply this policy to an app, you can override these default settings.

    Application Update Compliance

    If this policy is not listed, it means the feature is disabled for your organization. If you are interested in using this policy, contact Apperian Customer Support.
    1. Choose the number of days for the update compliance grace period: 1, 2, 3, 7, 15, 30, 60, or 90. The default is 30 days.

      The grace period starts after the update becomes mandatory. For example, if an application must be updated by June 1, 2014 and you define a grace period of 30 days, the grace period will start on June 1, 2014 and end at 12:00 a.m. GMT on July 1, 2014. Every day at 12:00 a.m. GMT, EASE checks that all mandatory updates have been installed within the grace period. On devices where updates have not been installed within the grace period, EASE automatically revokes access to the App Catalog and any apps wrapped with the Enterprise SSO policy. If all devices for a user are noncompliant, EASE also disables the user.
       
    2. Select the number of days before the end of the grace period that EASE will start sending email notifications to warn users of pending mandatory updates: 1, 2, 3, 7, 15, 30, 60, or 90. The default is 30 days.
       
    3. Select the frequency that EASE will send email notifications: 1, 2, 3, 7, 10, or 15 days. The default is 7 days.

    When you edit an app to upload a new version, you can override these defaults to enable/disable the policy and change the grace period for a specific application update. You cannot override the email notification settings; they will apply to all updates for which you enable mandatory update enforcement.

    Secure Microtunnel

    You cannot enable both this policy and the Apple On-Demand VPN or Pulse Secure VPN policy.
    You cannot enable this policy until you have created one or more VPN connections. For instructions, see Create a VPN Connection. Add all the VPN connections you want administrators to be able to choose from when applying this policy to an application. The first VPN connection in the list will be selected by default when applying this policy on the Policies tab. Use the control buttons to move a connection up or down in the list.

    Local App Authentication

    Modify the default passphrase settings as desired. Optionally, enable/disable Allow fingerprint authentication. See Local App Authentication Policy Options for details.

    Client Certificates

    When this policy is applied to an application, it obtains a client certificate from your Atlas Gateway server and stores it on the user's device. Enter URL Matching Rules to define which sites are presented with client certificates and which are not. If you do not specify URL Matching Rules, a certificate will be presented to any site that the app attempts to access. White List Exceptions rules are processed before any White List rules.
    1. Under White List Exceptions, add one or more exception rules. The client certificate will not be presented to any sites that match the exception rules.
    2. Under White List, add one or more white list rules. The client certificate will be presented to a site that matches a white list rule, unless that site also matches a white list exception rule. 

    When adding rules, follow these guidelines:

      • In the Host Pattern field, specify a matching pattern for the host name. The pattern must start with http:// or https:// and can include a wildcard (*) anyplace else in the pattern. 

        Example: http://*.example.com matches http://www.example.com and http://email.example.com

      • In the Port field, specify a port number. Use a wildcard (*) anyplace in the port number, or use * alone to specify any port on the host. If empty, Port defaults to port 443 (HTTPS).

    Server Certificates

    Click the Upload New Certificate button to upload one or more X.509 certificates. Be sure to upload all the root certificates and any intermediate CA certificates your apps will need to trust the site(s) they access. When you apply this policy to a specific application, you can then choose from the list of uploaded certificates to select the certificates that app will need. Use the checkboxes to identify which certificates will be selected by default on the Policies tab when applying this policy.
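The Client Certificates URL Matching Rules described above, modeled as an added Python example (not Apperian's code): exception rules are checked first, an empty Port means 443, and an empty rule set matches every site. The `Rule` class, the function names, the sample rules and the wildcard semantics (`*` matching any run of characters) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORT = "443"  # page: an empty Port field defaults to port 443 (HTTPS)

def glob_to_regex(pattern):
    # Assumption: '*' matches any run of characters; all other text is literal.
    return re.compile(".*".join(map(re.escape, pattern.split("*"))) + r"\Z", re.I)

class Rule:
    """One URL Matching Rule: a Host Pattern plus an optional Port pattern."""
    def __init__(self, host_pattern, port=""):
        # page: the pattern must start with http:// or https://
        if not re.match(r"https?://", host_pattern, re.I):
            raise ValueError("Host Pattern must start with http:// or https://")
        port = port or DEFAULT_PORT
        if not re.fullmatch(r"[0-9*]+", port):
            raise ValueError("Port must contain only digits and '*'")
        self.host, self.port = glob_to_regex(host_pattern), glob_to_regex(port)

    def matches(self, url):
        u = urlsplit(url)
        # Assumption: a URL without an explicit port uses its scheme's default.
        port = u.port or (443 if u.scheme == "https" else 80)
        origin = f"{u.scheme}://{u.hostname}"
        return bool(self.host.match(origin) and self.port.match(str(port)))

def presents_certificate(url, white_list, exceptions):
    if not white_list and not exceptions:
        return True   # page: with no rules, the certificate goes to any site
    if any(rule.matches(url) for rule in exceptions):
        return False  # page: exception rules are processed before White List rules
    # Assumption: with only exception rules defined, every other site matches.
    return not white_list or any(rule.matches(url) for rule in white_list)

# Constructed sample rule set (not from the page).
WHITE_LIST = [Rule("https://*.example.com"), Rule("http://*.example.com", "8*")]
EXCEPTIONS = [Rule("https://public.example.com", "*")]

if __name__ == "__main__":
    for url in ("https://api.example.com/login",      # white list, port 443
                "https://public.example.com/",        # exception wins
                "https://api.example.com:8443/",      # port not covered
                "http://intranet.example.com:8080/",  # matches port pattern 8*
                "https://example.org/"):              # no rule matches
        print(url, presents_certificate(url, WHITE_LIST, EXCEPTIONS))
```

Under this model, an `http://` Host Pattern with the Port left empty does not match plain HTTP on port 80, because the empty Port resolves to 443. A host wildcard that is not anchored behind a dot (`https://*example.com`) also matches unrelated hosts that merely end in the same string, so keep the `*` before the dot.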


Apple On-Demand VPN Configuration Profile Settings

Fill in the form to define a default VPN configuration profile that will display on the Policies tab when you select the Apple On-Demand VPN policy. When applying the policy to a specific app, you can use the default configuration profile as is, or modify fields as necessary.

Field | Description

Profile Name

Enter a name for the VPN configuration profile. This name will display on the Settings->General->VPN page of the device when the VPN configuration is added.

Profile Description

Enter a brief description of the VPN profile.

VPN Server

Enter the address of the VPN server. The address can be a numeric IP address or a fully-qualified host name.

Pre-shared Key

Enter the IPsec PSK (shared secret) to be used by IKE during the authentication phase.

Key Id/VPN Group

Enter the IPsec identifier or VPN group name.

IKE Version

Select the IKE (Internet Key Exchange) version: 1 or 2. IKE is the protocol used to set up a security association in the IPsec protocol suite.

Local App Authentication Policy Options

For the Local App Authentication policy, set the following options to define the criteria of the user-set passphrase.

Option | Required/Optional | Description

Passphrase Settings

Minimum Length

Required

Specify the minimum number of characters required for the passphrase.

Valid values: 6 to 16

Re-authentication

 

Optional

If you want the app session to time out after a period of inactivity, select this option and select a number of minutes of inactivity. If the app is inactive for a period of time greater than this setting, the app times out and the user is prompted to re-enter the passphrase to re-open the app.  

Valid values: 1, 2, 3, 4, 5 - 60 (in increments of 5)

Complexity

Optional

Select any of the following passphrase requirements:

  • At least one alpha character
  • At least one number
  • At least one special character

Maximum Age Rule

Optional

Specify the interval at which the user must change the passphrase.

Valid values: once a day, every other day, once a week, once a month, every other month, every six months, once a year.

Optionally, set a reminder for a number of days before expiration.

Valid values: 0 to 7

History

Optional

Specify the number of previously-used passphrases that the system will remember. A user cannot repeat a passphrase stored in this passphrase history.

Valid values: 3 to 10

Fingerprint Authentication Settings

Allow fingerprint authentication

Optional

Select this option to allow a user to authenticate with a fingerprint. The first time the user launches the app, the user will need to set a passphrase, but on subsequent launches he/she will be able to authenticate with a fingerprint. If the user cancels the fingerprint authentication dialog, then the user will be prompted to enter the passphrase.

Authentication using a fingerprint is supported only on devices that allow for fingerprint scanning.
