Apperian evaluates most application's policies whenever the user opens the app, brings it to the foreground, or returns to it from a locked screen. (With some policies, Apperian does not count multiple launches within a minute. These exceptions are described in the policy descriptions in Application Policies.) When evaluating policies, Apperian blurs the app screen and displays a spinner. To the user, this looks like part of the process of starting the app, and it is typically quite fast—sometimes the user will not even notice the spinner. Depending on the types of policies you have applied, you may wish to evaluate policies less frequently to improve the user's experience with the application. For instructions, see Set the Policy Evaluation Frequency.
When evaluating some application policies, Apperian will attempt to communicate with the server to fetch the latest settings. If you have an application that is wrapped with policies and connects to the network through a VPN, you should ensure that your VPN gateway can access the Apperian server. To obtain the IP address(es) you need to whitelist for your gateway, contact Customer Support.
To adapt to changing business needs or to take advantage of new application policies, you can modify the policies applied to an application—even after the app is already deployed to users. Most policy changes take effect immediately, but some require you to re-wrap the app and deploy an update to users. This depends on whether the policy you are adding or changing is a dynamic or static policy:
- Dynamic policies are updated on the Apperian server. Once you have applied policies to the app, you can add and modify those dynamic policies “on the fly”—without having to rewrap, re-sign, or deploy an update.
- Static application policies are embedded in the application wrapper. If you add or change a static policy, you must rewrap the app. Whenever an app is rewrapped, you need to re-sign it and then deploy the update.
When you apply policies, you do not need to think about whether a policy is static or dynamic; the Admin Portal guides you through the process and prompts you to sign and deploy an update if needed.
As a best practice, Apperian recommends that you reapply policies to any applications that have not been wrapped in six months or longer. This will ensure that your applications take advantage of any recent enhancements, fixes, and optimizations to the policy wrapper. After you reapply policies to an application, you need to re-sign it and redistribute it to your users. For instructions, see Rewrap an Application.
Apperian supports a universal app distribution model that allows you to securely deploy and manage mobile apps through a variety of distribution methods. With some of these distribution methods, such as the App Catalog, Apperian will know the identity of the app user; that is, the user will be a registered, authenticated user with Apperian. With other methods, such as sending a Direct Install URL, mobile device users can download and install apps even if they are not registered and do not have the App Catalog installed.
If you want to apply policies to an app that you will distribute to unregistered users, you should enable the "No-Registration Policies" setting for your organization. When the "No-Registration Policies" setting is enabled, you will see an option on the Policies tab that, when selected, allows you to apply only those policies that work with unregistered users.
The following policies are currently supported with unregistered users:
- App Usage
- Collect Crash Reports
- Self Updating App
- App Expiration
- Secure Microtunnel
- Local App Authentication
- Encrypted Data at Rest
- Data Sharing
- Client Certificates
- Server Certificates
Some policies will never be supported with unregistered users because they do not make sense in that context. For example, the purpose of the Enterprise SSO policy is to secure an app at launch time by prompting the user to authenticate using the same authentication method used when logging in to the App Catalog; therefore, it doesn't make sense to apply the Enterprise SSO policy to an unregistered user.
If you apply the Self Updating App policy to an application, you must also mark the application for Direct Install in order for an unregistered user to install the update. If the app is not marked for Direct Install, the user will still be prompted when an update is available, but an error will display if the user taps Yes to install it.
For instructions on enabling a document for Direct Install, see Enable Direct Install.
For instructions on enabling no-registration policies for your organization, see Enable No-Registration Policies.
List of Policies
Click on a policy in the table below for more information, including a description of the mobile user's experience when the policy is enabled.
Tracks usage of an app.
When an iOS application crashes, a crash report is stored on the device. The report describes the conditions under which the application terminated, and is useful for debugging issues in the application. Any time an app wrapped with this policy crashes, Apperian collects the crash report from the device and lists it on the Crash Reports tab of the app’s details page. From that list, you can view reports and export reports to send to developers for further analysis.
Authenticating the user is the purpose of the app.
Allows an app to "self-update" at launch time by checking for a new version and prompting the user to install when one is available.
Ensures that an application can be used on a device only when its content is secured using Apple's iOS Data Protection. iOS Data Protection is a built-in capability that encrypts data stored on an iOS device whenever the device is locked.
Blocks users from running apps on jailbroken (iOS) or rooted (Android) devices.
Establishes a pre-configured Pulse Secure® VPN connection and prompts for VPN credentials when the user opens the application. Use this policy to provide apps with access to resources in your secure corporate network. To use this policy, you need access to a Pulse Connect Secure VPN gateway and will need to provide a URL for connecting to that gateway.
Applications with this policy applied can run only on devices running iOS 8 or higher.
(iOS apps only)
The following policies use Blue Cedar Networks Mobile App Protection (MAP); the ability to apply these policies is disabled by default. If you are interested in applying MAP policies, contact your Apperian Account Manager.
All MAP policies are static.
Establishes a secure VPN connection between the application and your enterprise network's Atlas Gateway. You must have the Blue Cedar Networks Atlas Platform to use this platform.
While policies are supported with native iOS and Android apps only, the hybrid apps feature provides a way to also apply policies to web apps. A hybrid app delivers a web app as part of a native iOS or Android app. Therefore, like any other iOS or Android app, you can apply policies to it. For more information, see Hybrid Applications (Delivering a Web App as a Native App).
Application Policies Workflow
The following table describes the typical workflow for implementing app policies within an Apperian implementation.
Define app policies defaults for your Apperian organization. Policy defaults represent your company's standard set of security and usage policies. You and other administrators can alter these settings, as necessary, when applying policies to a specific app.
Optionally, you can configure the frequency at which an application's policies will be evaluated. The default is Always, which evaluates policies whenever the user launches the app, brings it to the foreground, or returns to it from a locked screen.
If you plan to apply the Secure Microtunnel policy to any apps, during this step you will need to create one or more VPN connections.
Apply policies to a specific app. You apply most policies from the Policies tab on the app's Details page.
Depending on which policies you applied, you may need to update the app in the Admin Portal to deploy the new version to your users. Apperian provides a system message indicating whether an update is required.
When an update is required, you need to sign the updated app. For more information, see About Signing.
Use the Policies page of the Admin Portal to perform the following tasks:
- Modify the default settings that display on the Policies tab for an app.
- Create the VPN connections used with the Secure Microtunnel policy.
- List which apps are currently wrapped with each policy