
Apperian lets you apply security and usage policies to native iOS and Android apps in your Apperian account. Applying policies (also referred to as "wrapping an app") enables you to add multiple layers of protection to any app that needs more security. For example, the Encrypted DAR policy uses FIPS 140-2 certified encryption to encrypt the data stored by an app. Policies can also enhance and support a mobile user's app experience. For more information, see About Policies.

You can apply policies to an app that has never had policies applied, or you can change the policies already applied to an app that was previously wrapped. For instructions, see the procedure below. If you want to remove all policies from an app, see Remove Policies from an App.

For a description of each policy, including an overview of the mobile user's experience, see Available Policies.

For information about applying policies to an app using Apperian's API, see Policies API Guide.

  • The Apple On-Demand VPN and Pulse Secure VPN policies are not available by default. If you are interested in applying either of these to any of your iOS applications, contact Customer Support.
  • A user who is deleted or disabled in Apperian will be blocked from running apps that use any of the Apperian policies that are part of the base Apperian platform (see the list to the right).
  • You can deliver a web app as a native iOS or Android app by creating a hybrid app. Because a hybrid app is delivered as a native app, you can apply policies to it. For more information on hybrid apps, see Hybrid Apps (Delivering a Web App as a Native App).
  • If you or another administrator changes the policy defaults on the Policies page, it has no effect on policies you have already applied to an app. For instructions on modifying the policy defaults, see Set Application Policy Defaults.
  • If you update the version of an app that is wrapped (that is, if you upload a new binary file for the app), you need to reapply the application policies and re-sign the app if you want the policies to continue working with the new version. For instructions on updating an app, see Edit or Update an Application.
  • Applying policies to an app increases the size of the app.

Best Practice

As a best practice, Apperian recommends that you reapply policies to any apps that have not had policies reapplied in six months or longer. This will ensure that your apps take advantage of any recent enhancements, fixes, and optimizations to the policy


After you reapply policies to an application, you need to re-sign it and redistribute it to your users. For instructions, see Reapply Policies to an App.


If you use the signing package to sign an app that already has policies applied, and then upload that newly signed version to Apperian, you should not reapply policies to the app. If you do, the app will no longer function properly. If you need to modify an app's policies or apply new policies, you need to first upload the original version of the app.





To apply policies to an app
  • On the Apperian Portal navigation bar, click Applications. Status tags indicate the status of app policies for the app.

  • Click the Policies link by the app to display the Policies page for the application.
    A message above the list of policies indicates the current status of policies for the app. The first time you display the Policies page for an app, it displays the default policy settings defined for your organization on the Policies settings page. After you apply policies to the app, the tab displays the applied policy settings. If you upload a new version of the app, you need to reapply policies to the app if you want them to continue working; in this case, the Policies page displays the previously applied policy settings so that you can easily reapply them. In the following example, there are no policies applied to the app.


    The Policies Tab

    You will apply policies to individual apps on the app's Policies tab. The Policies tab includes the following sections:

    No-Registration Mode

    This section appears at the top of the page if No-Registration Policies are enabled for your organization. Using No-Registration policies is optional, and only matters if you want to apply policies to apps that you may distribute to users who are not registered with Apperian and do not need the App Catalog on their device. To do so, click On in the No-Registration Policies section at the top of the page. For instructions on enabling no-registration policies, see Enable No-Registration Policies.

    When this option is On, the list of policies includes only those policies that work with unregistered users. For more information on using policies with unregistered users, see Using Policies with Unregistered Users.

    Note that if you apply the Self Updating App policy to an application, you must also mark the application for Direct Install in order for an unregistered user to install the update. For instructions on enabling a document for Direct Install, see Enable Direct Install.


    Select and modify policy options. Note the behavior described in the following table. For a description of each app policy, including an overview of the mobile user's experience, see Application Policies.

    If you select... | Then...

    App Expiration

    After you select App Expiration:

    (Optional) In the Message for user field, you can modify the message that will display when a user attempts to launch an app outside of the application access period. If you modify the message and want the default user message to be displayed again, click the Revert to Default Message link under the Message for user field.


    Only the default user message is internationalized. If you change the default message, note that it will display only in the language that you entered it, regardless of the language setting on the user's device.

  • In the Start date field, click and select the date on which you want the app to start working. If you want the app to start working immediately, enter the current date.
  • In the End date field, click and select the last date on which you want the app to work. Note that you cannot select the End date until you have selected a Start date.
    A user will be able to use the app from 12:00:01 AM UTC on the start date until 11:59:59 PM UTC on the end date. If you want users to be able to use the app for a single day only, set both the start and end dates to the same date.


    Open Web Page
    After you select Open Web Page:
    1. Select the number of times the user needs to open the application before a browser window will automatically open to a specified URL.
    2. Enter the URL for the web page that will open. Enter the URL in this form: Scheme://Domain/Path. The Scheme can be http or https.

    For example, the following settings specify that the page will display after a user opens the app 10 times.


    Apple On-Demand VPN  

    You cannot enable both this policy and the Pulse Secure VPN policy or Secure Microtunnel policy for the same app.


    This policy is not available by default. If it does not appear when you are applying policies to an iOS app and you are interested in using it, contact Customer Support.

    Modify the default profile or enter a new profile to define the VPN configuration that will be added to the device when a user launches an app wrapped with this policy. For details, see Apple On-Demand VPN Configuration Profile Settings.


    Pulse Secure VPN

    You cannot enable both this policy and the Apple On-Demand VPN or Secure Microtunnel policy for the same app.

    In the Connection URL field, modify or enter the URL for your Pulse Connect Secure VPN gateway.


    App Password 


    If you select App Password:

  • Select the minimum number of characters required for the password. (Valid Values: 6-16)
  • Select password complexity requirements. Password complexity requirements are shown in the image below. (Valid Values: 0-10)

    If you make changes to the password requirements of the policy, those changes will not affect users who have already installed an app with this policy applied unless they update the app and attempt to change their password.

    Secure Microtunnel
    You cannot enable this policy until you have created one or more VPN connections. For instructions, see Create a VPN Connection.

    After you select Secure Microtunnel, select a VPN connection from the VPN Profile list. This list corresponds to the list of VPN Connections created on the Policies page. When you select a connection in the list, it displays the specifications for the VPN so that you can confirm it is the correct one.

    Local App Authentication

    If you select Local App Authentication, modify the default passphrase settings as desired and optionally enable Allow fingerprint authentication. See Local App Authentication Policy Passphrase Options for details.


    Client Certificates

    If you select Client Certificates, modify the URL Matching Rules as desired:

    1. Under White List Exceptions, add or modify the exception rules. The client certificate will not be presented to any sites that match the exception rules.
    2. Under White List, add or modify the white list rules. The client certificate will be presented to a site that matches a white list rule, unless that site also matches a white list exception rule. 

    When adding or modifying rules, follow these guidelines:

  • In the Host Pattern field, specify a matching pattern for the host name. The pattern must start with http:// or https:// and can include a wildcard (*) anyplace else in the pattern.
    Example: http://* matches and
  • In the Port field, specify a port number. Use a wildcard (*) anyplace in the port number, or use * alone to specify any port on the host. If empty, Port defaults to port 443 (HTTPS).
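
One way to dry-run a set of URL Matching Rules before applying the Client Certificates policy, as an added example (not Apperian's code). It assumes `*` matches any run of characters, that patterns are compared against `scheme://host`, and that a URL without an explicit port uses its scheme's default; all rules and host names are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SCHEME_PORTS = {"http": 80, "https": 443}


def _glob(pattern):
    # '*' is the only wildcard the page describes; all other characters are literal.
    return re.compile(".*".join(map(re.escape, pattern.split("*"))), re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    host_pattern: str  # e.g. "https://*.corp.example"
    port: str = ""     # digits and/or '*'; empty means 443, as the page states

    def __post_init__(self):
        if not self.host_pattern.lower().startswith(("http://", "https://")):
            raise ValueError("Host Pattern must start with http:// or https://")
        if not re.fullmatch(r"[0-9*]*", self.port):
            raise ValueError("Port may contain only digits and '*'")

    def matches(self, url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or SCHEME_PORTS.get(scheme)  # assumption: scheme default
        if parts.hostname is None or port is None:
            return False
        origin = f"{scheme}://{parts.hostname}"
        return bool(_glob(self.host_pattern).fullmatch(origin)
                    and _glob(self.port or "443").fullmatch(str(port)))


def presents_certificate(url, white_list, exceptions):
    """True when a white list rule matches and no exception rule does."""
    if any(rule.matches(url) for rule in exceptions):
        return False
    return any(rule.matches(url) for rule in white_list)


# Constructed rules and URLs; every host name here is hypothetical.
WHITE_LIST = [
    Rule("https://*.corp.example"),
    Rule("http://build.corp.example", "8080"),
    Rule("http://wiki.corp.example"),  # empty Port resolves to 443, not 80
]
EXCEPTIONS = [Rule("https://public.corp.example", "*")]
SAMPLE_URLS = [
    "https://portal.corp.example/login",
    "https://public.corp.example/news",
    "https://portal.corp.example:8443/",
    "http://build.corp.example:8080/job/1",
    "http://wiki.corp.example/",
    "https://portal.corp.example.other.test/",
]


def evaluate(urls=SAMPLE_URLS):
    return {url: presents_certificate(url, WHITE_LIST, EXCEPTIONS) for url in urls}


if __name__ == "__main__":
    for url, decision in evaluate().items():
        print(f"{'present' if decision else 'withhold':8} {url}")
```

Under these assumptions the wiki rule never matches plain http on port 80, because its empty Port field resolves to 443; set the Port explicitly in such rules.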

    Server Certificates
    If you select Server Certificates, select from the list all the server certificates that the application may need in order to trust the site(s) it needs to access. You cannot upload additional certificates from this page. If you need additional certificates that are not listed, you must first upload them on the Policies page. For instructions, see Define Policy Presets. In this example, only one server certificate is selected.

    As you select and clear check boxes, a message indicates whether the changes are effective immediately or require users to update the app. If the changes require an app update, Apperian displays a Pending Signing status after you click Apply; you need to re-sign the wrapped app before you can enable it for your App Catalog users.

    Click Apply.


    Policy Status

    This section appears at the top of the page and includes the app's policy status and the Apply Policies and Remove Policies buttons. Available status messages are listed at the end of this topic.

    Policies Enabled by Default

    This section only appears if an administrator has selected On for any policies on the Policies page. The policies here are selected by default, but you can clear the selection if you don't want to apply those policies to a specific app. This section disappears when policies are applied to the app.

    Policies Available

    This section lists the policies that can be applied to the app. Some policies can only be applied to iOS apps, so they won't appear in the list for Android apps. Use this section to select the policies you want to apply.

    Some policies have additional options that should be configured for the policy to work properly. If a policy includes additional options, they appear when you select the policy. If an administrator has configured presets on the Policies page, some of the options may already be preconfigured. You can change the preconfigured options if you want, or leave them as is.


    If you or another administrator changes the policy presets on the Policies page, it has no effect on policies you have already applied to an app. For instructions on modifying the policy presets, see Define Policy Presets. 

    Policies Applied

    This section lists all policies that are currently applied to the app.

    You can select and clear policies in this section, and modify their options. If you clear the checkbox for a policy in this section, it will be removed from the app the next time you click Apply Policies (the policy will appear back in the Policies Available section). Similarly, if you change a policy's options in this section, they will be updated the next time you click Apply Policies.

    Apply Policies

    To apply policies to an app
    1. On the Admin Portal navigation bar, click Applications. Status tags on the page indicate the status of policies for the app. 

    2. Click the Policies link by the app to open the Policies tab for the app.

    3. Select policies and modify their options as necessary. Depending on whether presets have been configured on the Policies page, some policy options may already be preconfigured. 

    4. As you select policies you may see a message that indicates whether the changes are effective immediately or require re-signing the app.

    5. Click Apply Policies at the top of the page. If you clear the check box for all policies, the Apply Policies button remains disabled. To remove all policies, click Remove Policies.


    If you update the version of an app that has policies applied (that is, if you upload a new binary file for the app), you need to reapply the application policies and re-sign the app if you want the policies to continue working with the new version. For instructions on updating an app, see Edit or Update an Application.  

    Next Steps

    The following table identifies the steps you should take based on the status message.


    Status Message: There are no policies currently applied to this app.

    Status Message: Applying policies. Please wait
    Description: This message displays until the policies are applied or an error occurs. The size of the app may impact how long the process takes.
    Next Steps: Wait until the status changes to one of the other messages listed in this table.

    Status Message: Error Applying Policies
    Description: An error occurred while policies were being applied. There may have been a problem accessing the MAP server.
    Next Steps: Wait a few minutes and click Apply Policies again. If you continue to receive an error, click the Roll Back button to the right of the status message to roll back to the previous version of the app that either did not have any policies applied or had been wrapped successfully. If you do not want to roll back to a previously wrapped version of the app, click Remove Policies to remove all policies from the app.
    After you click Roll Back or Remove Policies, note that the app will still be disabled. You must enable it if you want users to access it in the App Catalog. For instructions, see the steps for the "policies were successfully applied" status message below.

    Status Message: Policies were successfully applied. You must re-sign the app and deploy the updated app to your users for the changes to take effect.
    Description: Policies were successfully applied to the app and the new version of the app must be signed and uploaded to Apperian. When signing is pending, Apperian automatically disables the app so that users cannot access it in the App Catalog. You can re-enable it once the app is signed.
    Next Steps: Sign the app. For more information, see About Signing.

    Status Message: Policies were successfully applied.
    Description: Policies were successfully applied to the app.
    Next Steps: Look at the Enabled/Disabled status of the app listed at the top of the page. If you signed the app after applying policies and did not enable it during the signing process, follow these steps to enable the app and notify users about the update:

    1. On the Admin Portal navigation bar, click Applications.
    2. Click the Edit link next to the application.
    3. Expand the Application field.
    4. Select the Enabled check box.
    5. (For iOS apps only) Under Notify Users, select Send push notification to App Catalog. If you are updating an app signed for Ad Hoc distribution, there are different options for sending the push notification. For more information, see Update an Application.
    6. Complete the Application Update Settings to select the date by which users must install the new version of the app:

      • Click Set to today to force users to update the application today. Users will not be allowed to log in to the App Catalog until they install the update.
      • Click Set to never to allow the user to decide when to update.
      • Or select a specific date in the calendar field.

    7. Click OK.


    Apple On-Demand VPN Configuration Profile Settings

    Fill in the form to define a VPN configuration profile.


    Profile Name: Enter a name for the VPN configuration profile. This name will display on the Settings->General->VPN page of the device when the VPN configuration is added.

    Profile Description: Enter a brief description of the VPN profile.

    VPN Server: Enter the address of the VPN server. The address can be a numeric IP address or a fully-qualified host name.

    Pre-shared Key: Enter the IPsec PSK (shared secret) to be used by IKE during the authentication phase.

    Key Id/VPN Group: Enter the IPsec identifier or VPN group name.

    IKE Version: Select the IKE (Internet Key Exchange) version: 1 or 2. IKE version 1 or 2 is the protocol used to set up a security association in the IPsec protocol suite.

    Local App Authentication Policy Options

    For the Local App Authentication policy, set the following options to define the criteria of the user-set passphrase.

    Passphrase Settings

    Minimum Length
    Specify the minimum number of characters required for the passphrase.
    Valid values: 6 to 16

    Optional: If you want the app session to time out after a period of inactivity, select this option and select a number of minutes of inactivity. If the app is inactive for a period of time greater than this setting, the app times out and the user is prompted to re-enter the passphrase to re-open the app.
    Valid values: 1, 2, 3, 4, 5 - 60 (in increments of 5)

    Complexity (Optional)
    Select any of the following passphrase requirements:

    • At least one alpha character
    • At least one number
    • At least one special character

    Maximum Age Rule (Optional)
    Specify the interval at which the user must change the passphrase.
    Valid values: once a day, every other day, once a week, once a month, every other month, every six months, once a year.
    Optionally, set a reminder for a number of days before expiration.
    Valid values: 0 to 7

    Specify the number of previously-used passphrases that the system will remember. A user cannot repeat a passphrase stored in this passphrase history.
    Valid values: 3 to 10

    Fingerprint Authentication Settings

    Allow fingerprint authentication (Optional)

    Select this option to allow a user to authenticate with a fingerprint. The first time the user launches the app, the user will need to set a passphrase, but on subsequent launches he/she will be able to authenticate with a fingerprint. If the user cancels the fingerprint authentication dialog, then the user will be prompted to enter the passphrase.

    Authentication using a fingerprint is supported only on devices that allow for fingerprint scanning.
