
Apperian lets you apply security and usage policies to native iOS and Android apps in your Apperian account. Applying policies—also referred to as "wrapping an app"—enables you to add multiple layers of protection to any app that needs more security. For example, the Encrypted DAR policy uses FIPS 140-2 certified encryption to encrypt the data stored by an app. Policies can also enhance and support a mobile user's app experience. 

You can apply policies to an app that is not yet wrapped, or you can change the policies applied to an app that was previously wrapped. For instructions, see the procedure below. If you want to remove all policies from an app, see Remove Policies from an App.

Notes:
  • The Apple On-Demand VPN and Pulse Secure VPN policies are not available by default. If you are interested in applying either of these to any of your iOS applications, contact Customer Support.
     
  • A user who is deleted or disabled in Apperian will be blocked from running apps wrapped with any of the Apperian policies that are part of the base Apperian platform (see the list to the right).
     
  • You can deliver a web app as a native iOS or Android app by creating a hybrid app. Because a hybrid app is delivered as a native app, you can apply policies to it. For more information on hybrid apps, see Hybrid Apps (Delivering a Web App as a Native App).

  • If you or another administrator changes the policy defaults on the Policies page, it has no effect on policies you have already applied to an app. For instructions on modifying the policy defaults, see Set Application Policy Defaults.
     
  • If you update the version of an app that is wrapped (that is, if you upload a new binary file for the app), you need to reapply the application policies and re-sign the app if you want the policies to continue working with the new version. For instructions on updating an app, see Edit or Update an Application.
     
  • Note that applying policies to an app increases the size of the app.

Best Practice

Apperian recommends that you reapply policies to any applications that have not been wrapped in six months or longer. This will ensure that your applications take advantage of any recent enhancements, fixes, and optimizations to the policy wrapper. After you reapply policies to an application, you need to re-sign it and redistribute it to your users. For instructions, see Reapply Policies to an App.



Warning

If you use the signing package to sign an app that is wrapped with policies, and then upload that newly signed version to Apperian, you should not re-apply policies to the app. If you do, the app will no longer function properly. If you need to modify an app's policies or apply new policies, you need to first upload the original version of the app.

 

To apply policies to an app
  1. On the Apperian Portal navigation bar, click Applications. Status tags indicate the status of app policies for the app.  

  2. Click the Policies link by the app to display the Policies page for the application.

    A message above the list of policies indicates the current status of policies for the app. The first time you display the Policies page for an app, it displays the default policy settings defined for your organization on the Policies settings page. After you apply policies to the app, the tab displays the applied policy settings. If you upload a new version of the app, you need to reapply policies to the app if you want them to continue working; in this case, the Policies page displays the previously applied policy settings so that you can easily re-apply them.

    In the following example, there are no policies applied to the app. 

     

     

  3. (Optional) If you want to apply policies to apps that you may distribute to users who are not registered with Apperian and do not need the App Catalog on their device, select the Enable policies that don't require user registration option at the bottom of the page. This option displays only if your organization is enabled for No-Registration Policies. For instructions on enabling no-registration policies, see Enable No-Registration Policies.

    If the Enable policies that don't require user registration option is selected, the list of policies will include only those policies that work with unregistered users. For more information on using policies with unregistered users, see Using Policies with Unregistered Users. Note that if you apply the Self Updating App policy to an application, you must also mark the application for Direct Install in order for an unregistered user to install the update. For instructions on enabling a document for Direct Install, see Enable Direct Install.
      


     

  4. Select and modify policy options. Note the behavior described in the following table. For a description of each app policy, including an overview of the mobile user's experience, see Application Policies.

    If you select... | Then...
    App Expiration

    After you select App Expiration:

    1. (Optional) In the Message for user field, you can modify the message that will display when a user attempts to launch an app outside of the application access period. If you modify the message and want the default user message to be displayed again, click the Revert to Default Message link under the Message for user field.

      Info

      Only the default user message is internationalized. If you change the default message, note that it will display only in the language that you entered it, regardless of the language setting on the user's device.


    2. In the Start date field, click and select the date on which you want the app to start working. If you want the app to start working immediately, enter the current date.
       
    3. In the End date field, click and select the last date on which you want the app to work. Note that you cannot select the End date until you have selected a Start date.

      A user will be able to use the app from 12:00:01 AM UTC on the start date until 11:59:59 PM UTC on the end date. If you want users to be able to use the app for a single day only, set both the start and end dates to the same date.

    Open Web Page
    After you select Open Web Page:
    1. Select the number of times the user needs to open the application before a browser window will automatically open to a specified URL.
       
    2. Enter the URL for the web page that will open. Enter the URL in this form: Scheme://Domain/Path. The Scheme can be http or https.

    For example, the following settings specify that the https://www.example.com/appsurvey.html page will display after a user opens the app 10 times.

    Apple On-Demand VPN  

    You cannot enable both this policy and the Pulse Secure VPN policy or Secure Microtunnel policy for the same app.

    Info

    This policy is not available for an EASE organization by default. If it does not appear when you are applying policies to an iOS app and you are interested in using it, contact Apperian Customer Support at support@apperian.com.


    Modify the default profile or enter a new profile to define the VPN configuration that will be added to the device when a user launches an app wrapped with this policy. For details, see Apple On-Demand VPN Configuration Profile Settings.

     

    Pulse Secure VPN

    You cannot enable both this policy and the Apple On-Demand VPN or Secure Microtunnel policy for the same app.

    In the Connection URL field, modify or enter the URL for your Pulse Connect Secure VPN gateway.

    App Password 

     

    If you select App Password:

    1. Select the minimum number of characters required for the password. (Valid Values: 6-16)

    2. Select password complexity requirements. Password complexity requirements are shown in the image below. (Valid Values: 0-10)
       
    Info

    If you make changes to the password requirements of the policy, those changes will not affect users who have already installed an app with this policy applied unless they update the app and attempt to change their password.


    Secure Microtunnel

    You cannot enable this policy until you have created one or more VPN connections. For instructions, see Create a VPN Connection.

    After you select Secure Microtunnel, select a VPN connection from the VPN Profile list. This list corresponds to the list of VPN Connections created on the Policies page. When you select a connection in the list, it displays the specifications for the VPN so that you can confirm it is the correct one.

    Local App Authentication

    If you select Local App Authentication, modify the default passphrase settings as desired and optionally enable Allow fingerprint authentication. See Local App Authentication Policy Passphrase Options for details.

    Client Certificates

    If you select Client Certificates, modify the URL Matching Rules as desired:

    1. Under White List Exceptions, add or modify the exception rules. The client certificate will not be presented to any sites that match the exception rules.
    2. Under White List, add or modify the white list rules. The client certificate will be presented to a site that matches a white list rule, unless that site also matches a white list exception rule. 
    Info

    When adding or modifying rules, follow these guidelines:

      • In the Host Pattern field, specify a matching pattern for the host name. The pattern must start with http:// or https:// and can include a wildcard (*) anyplace else in the pattern. 

        Example: http://*.example.com matches http://www.example.com/ and http://email.example.com/

      • In the Port field, specify a port number. Use a wildcard (*) anyplace in the port number, or use * alone to specify any port on the host. If empty, Port defaults to port 443 (HTTPS).

    Server Certificates
    If you select Server Certificates, select all the server certificates from the list that the application may need to trust the site(s) it needs to access. You cannot upload additional certificates from this page. If you need additional certificates that are not listed, you must first upload them on the Policies page. For instructions, see Define Policy Presets. In this example, only one server certificate is selected.

    As you select and clear check boxes, a message indicates whether the changes are effective immediately or require users to update the app. If the changes require an app update, Apperian displays a Pending Signing status after you click Apply; you need to re-sign the wrapped app before you can enable it for your App Catalog users.

  5. Click Apply. Note that if you clear the check box for all policies, the Apply button remains disabled (grayed out); to remove all policies, use the Remove button.

    See the following table to identify the steps you should take next based on the status message. 

    Status message: In Progress
    Description: This message displays until the policies are applied or an error occurs. The size of the app may impact how long the process takes.
    Next steps: Wait until the status changes to one of the other messages listed in this table.

    Status message: Error Applying Policies
    Description: An error occurred while policies were being applied. There may have been a problem accessing the MAP server.
    Next steps: Wait a few minutes and click Apply again. If you continue to receive an error, click the Roll Back button to the right of the status message to roll back to the previous version of the app that either did not have any policies applied or had been wrapped successfully. If you do not want to roll back to a previously wrapped version of the app, click Remove to remove all policies from the app.

    Info

    After you click Roll Back or Remove, note that the app will still be disabled. You must enable it if you want users to access it in the App Catalog. For instructions, see the steps for the Policies Applied status message below.

    Status message: Pending Signing
    Description: Policies were successfully applied to the app and the wrapped version of the app must be signed and uploaded to Apperian.

    When signing is pending, Apperian automatically disables the app so that users cannot access it in the App Catalog. You can re-enable it once the app is signed.

    Next steps: Sign the wrapped app. For more information, see About Signing.

    Status message: Policies Applied
    Description: Policies were successfully applied to the app.
    Next steps: Look at the Enabled/Disabled status of the app listed at the top of the page.

    If you signed the app after wrapping and did not enable it during the signing process, follow these steps to enable the app and notify users about the update:

    1. On the Admin Portal navigation bar, click Applications.
    2. Click the Edit link next to the application.
    3. Expand the Application field.
    4. Select the Enabled check box.
    5. (for iOS apps only) Under Notify Users, select Send push notification to App Catalog. If you are updating an app signed for Ad Hoc distribution, there are different options for sending the push notification. For more information, see Update an Application.
    6. Complete the Application Update Settings to select the date by which users must install the new version of the app:
       
      • Click Set to today to force users to update the application today. Users will not be allowed to log in to the App Catalog until they install the update.
         
      • Click Set to never to allow the user to decide when to update.
         
        or
         
      • Select a specific date in the calendar field.
         
    7. Click OK.
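
The Client Certificates URL matching rules from step 4, worked through as an added example (this is not Apperian's code). It assumes that `*` matches any run of characters and that a URL with no explicit port uses its scheme's default port; the function names and the sample rules are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _glob(pattern):
    # Assumption: "*" matches any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)

def rule_matches(rule, url):
    """rule is (host_pattern, port_pattern); an empty port means 443, per the page."""
    host_pattern, port_pattern = rule
    if not host_pattern.lower().startswith(("http://", "https://")):
        raise ValueError(f"host pattern must start with http:// or https://: {host_pattern!r}")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    port = parts.port or DEFAULT_PORTS[scheme]
    origin = f"{scheme}://{parts.hostname}"  # urlsplit lowercases the hostname
    return bool(_glob(host_pattern).fullmatch(origin)
                and _glob(port_pattern or "443").fullmatch(str(port)))

def presents_certificate(url, white_list, exceptions):
    """Exception rules win: a matching exception suppresses the certificate."""
    if any(rule_matches(r, url) for r in exceptions):
        return False
    return any(rule_matches(r, url) for r in white_list)

def unanchored_wildcard(host_pattern):
    """True when a "*" sits directly next to a character other than ".",
    e.g. https://*example.com, which would also match notexample.com."""
    host = host_pattern.split("://", 1)[-1]
    return bool(re.search(r"\*[^.*]|[^.*]\*", host))

# Constructed sample rules (not taken from any real deployment).
WHITE_LIST = [("https://*.example.com", ""), ("http://*.example.com", "*")]
EXCEPTIONS = [("https://public.example.com", "")]

if __name__ == "__main__":
    for url in ("https://email.example.com/inbox",
                "https://public.example.com/",
                "https://email.example.com:8443/",
                "http://www.example.com:8080/",
                "https://www.example.org/"):
        print(url, "->", presents_certificate(url, WHITE_LIST, EXCEPTIONS))
```

Running `unanchored_wildcard` over each Host Pattern before saving a rule set is a quick way to catch white list entries that would present the client certificate to hosts outside the intended domain.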



Apple On-Demand VPN Configuration Profile Settings

Fill in the form to define a VPN configuration profile.

Field | Description
Profile Name | Enter a name for the VPN configuration profile. This name will display on the Settings->General->VPN page of the device when the VPN configuration is added.
Profile Description | Enter a brief description of the VPN profile.
VPN Server | Enter the address of the VPN server. The address can be a numeric IP address or a fully-qualified host name.
Pre-shared Key | Enter the IPsec PSK (shared secret) to be used by IKE during the authentication phase.
Key Id/VPN Group | Enter the IPsec identifier or VPN group name.
IKE Version | Select the IKE (Internet Key Exchange) version: 1 or 2. IKE version 1 or 2 is the protocol used to set up a security association in the IPsec protocol suite.

Local App Authentication Policy Options

For the Local App Authentication policy, set the following options to define the criteria of the user-set passphrase.

Option | Required/Optional | Description

Passphrase Settings

Minimum Length (Required)

Specify the minimum number of characters required for the passphrase.

Valid values: 6 to 16

Re-authentication (Optional)

If you want the app session to time out after a period of inactivity, select this option and select a number of minutes of inactivity. If the app is inactive for a period of time greater than this setting, the app times out and the user is prompted to re-enter the passphrase to re-open the app.

Valid values: 1, 2, 3, 4, 5 - 60 (in increments of 5)

Complexity (Optional)

Select any of the following passphrase requirements:

  • At least one alpha character
  • At least one number
  • At least one special character

Maximum Age Rule (Optional)

Specify the interval at which the user must change the passphrase.

Valid values: once a day, every other day, once a week, once a month, every other month, every six months, once a year.

Optionally, set a reminder for a number of days before expiration.

Valid values: 0 to 7

History (Optional)

Specify the number of previously-used passphrases that the system will remember. A user cannot repeat a passphrase stored in this passphrase history.

Valid values: 3 to 10

Fingerprint Authentication Settings

Allow fingerprint authentication (Optional)

Select this option to allow a user to authenticate with a fingerprint. The first time the user launches the app, the user will need to set a passphrase, but on subsequent launches he/she will be able to authenticate with a fingerprint. If the user cancels the fingerprint authentication dialog, then the user will be prompted to enter the passphrase.

Authentication using a fingerprint is supported only on devices that allow for fingerprint scanning.