Assume Management

Apple iOS enables Workspace ONE UEM to assume management of user-installed applications without requiring the deletion of the previously installed application from the device. In this section, we are going to install a public app from the App Store and then assume management of it. This lets us apply all mobile application management policies to this user-installed app, including removal upon un-enrollment. We will validate this in the next article.

Consider the scenario where your employee has installed the app from the App Store directly (very common in BYOD - Bring Your Own Device). In that case the app is unmanaged, since it was not pushed down via Workspace ONE UEM. As a result, the app cannot have MAM (Mobile Application Management) enhancements like per-app VPN (to connect to a backend resource), App Config (to auto-configure the app over-the-air), or Data Loss Prevention (removal of the app in case the device is stolen or compromised).

In this section, we will see how to convert such apps into managed apps so that they can leverage the above Workspace ONE UEM Mobile Application Management (MAM) enhancements and much more.

1. Install an unmanaged app from App Store

Begin by downloading and installing an unmanaged app from the App Store on your device. You will assume management of this app in an upcoming step.

1.1. Launch App Store

Tap on App Store to launch.

1.2. Search Salesforce

  1. Enter Salesforce in the search box.
  2. Tap on GET to initiate the install.

1.3. Install Salesforce

Tap on Install.

1.4. Open Salesforce

Once the download is completed, tap OPEN to launch the app.

1.5. Accept Salesforce EULA

Tap I Accept to accept Salesforce EULA.

1.6. Accept the notification prompt for Salesforce

Tap OK to accept the notification prompt for Salesforce.

1.7. Validate Connection options

Tap on the gear icon to validate the available connections. Notice that you are seeing just the default connections, Production and Sandbox.

2. Add the same application as a public app from the Workspace ONE UEM Console

Now that you have downloaded an unmanaged app, we will publish the same app from the Workspace ONE UEM Console as part of the process of assuming management.

2.1. Add Salesforce as a public app

In the Workspace ONE UEM Console:

  1. Click Add.
  2. Click Public Application.

2.2. Search for Salesforce

  1. Select Apple iOS for the Platform.
  2. Select Search App Store for the Source.
  3. Enter SalesForce for the Name.
  4. Click Next.

2.3. Select the Salesforce Result

Click Select on the Salesforce result.

2.4. Save & Assign

Click Save & Assign.

2.5. Add Assignment

Click on Add Assignment.

2.6. Select Group and Delivery Method

  1. Select All Devices ([email protected]) for the Assignment Groups.
  2. Select Auto for the App Delivery Method.

NOTE: Automatic App Delivery ensures that the app is installed on the device automatically, without relying on end users to download it from the catalog. Use this setting for the apps that you want to make mandatory for your end users.

2.7. Enable Flags

  1. Scroll down to the Policies section.
  2. Select Enabled for Remove on Unenroll.
  3. Select Enabled for Make App MDM Managed if User Installed.
  4. Select Enabled for Application Configuration.

NOTE: Make App MDM Managed if User Installed is the policy to enable if you wish to manage apps that have already been installed by the user. This is useful to ensure that the apps you are pushing down with AppConfig (Application Configuration) settings are not being overridden by user-installed apps, which will not be able to access the AppConfig settings.

2.8. Add App Config

NOTE - Now we will configure the Salesforce app to have a connection to a custom domain using App Config. We will validate this new connection on the device at a later step.

  1. Scroll down until you see the Application Configuration section.
  2. Enter AppServiceHosts for the Configuration Key.
  3. Enter vmtestdrive.my.salesforce.com for the Configuration Value.
  4. Click Add.

2.9. Save & Publish

Click Save & Publish.

2.10. Publish the app

Click Publish.
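The policies from steps 2.7 and 2.8 can be checked at the protocol level. The following is an added example, not part of the original tutorial or of Workspace ONE UEM: it audits an Apple MDM InstallApplication command plist for the keys the Apple MDM protocol defines for these behaviours (ChangeManagementState, ManagementFlags, Configuration). The sample command, the bundle identifier and the mapping from the console settings to these keys are assumptions; only the AppServiceHosts pair comes from this page.

```python
import plistlib

# Constructed sample of an Apple MDM InstallApplication command. The bundle
# identifier is a placeholder; only the AppServiceHosts pair is from the tutorial.
SAMPLE_COMMAND = plistlib.dumps({
    "CommandUUID": "00000000-0000-0000-0000-000000000001",  # constructed
    "Command": {
        "RequestType": "InstallApplication",
        "Identifier": "com.example.salesforce",   # placeholder bundle ID
        "ManagementFlags": 1,                     # bit 0x1: remove app when MDM profile is removed
        "ChangeManagementState": "Managed",       # take over a user-installed copy
        "Configuration": {"AppServiceHosts": "vmtestdrive.my.salesforce.com"},
    },
})

REMOVE_ON_UNENROLL = 0x1  # ManagementFlags bit defined by the Apple MDM protocol


def audit_install_command(raw, required_config):
    """Return a list of findings; an empty list means the command matches policy."""
    cmd = plistlib.loads(raw).get("Command", {})
    if cmd.get("RequestType") != "InstallApplication":
        return ["not an InstallApplication command"]
    findings = []
    if cmd.get("ChangeManagementState") != "Managed":
        findings.append("user-installed copies will stay unmanaged")
    if not cmd.get("ManagementFlags", 0) & REMOVE_ON_UNENROLL:
        findings.append("app and its data survive unenrollment")
    config = cmd.get("Configuration") or {}
    for key, expected in required_config.items():
        if config.get(key) != expected:
            findings.append(f"App Config key {key!r} is {config.get(key)!r}, expected {expected!r}")
    return findings


def weaken(raw):
    """Constructed counter-example: the same command with the three policies off."""
    doc = plistlib.loads(raw)
    doc["Command"]["ManagementFlags"] = 0
    del doc["Command"]["ChangeManagementState"]
    del doc["Command"]["Configuration"]
    return plistlib.dumps(doc)


if __name__ == "__main__":
    policy = {"AppServiceHosts": "vmtestdrive.my.salesforce.com"}
    print(audit_install_command(SAMPLE_COMMAND, policy))
    for finding in audit_install_command(weaken(SAMPLE_COMMAND), policy):
        print("FINDING:", finding)
```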

3. Salesforce as managed app

We will now see how the Salesforce app becomes managed by AirWatch on our device.

3.1. Close Salesforce app

Double-press the Home button to launch the app switcher. Swipe up on the Salesforce app to close it.

3.2. Relaunch Salesforce app

Tap on the icon to relaunch the Salesforce app.

3.3. Accept App Management Change prompt

Review the App Management Change prompt confirming the EMM is managing this app now. Tap Close to continue.

3.4. Review the Connection List

  1. Click on the Gear Icon to view the connections that are available.
  2. Validate that you are seeing the new connection vmtestdrive.my.salesforce.com, which we added via App Config.

NOTE - Since we assumed management of the Salesforce app, we could update the app over-the-air with Application Configuration. This app will also be removed automatically when we un-enroll the device, preventing any data loss from a user-installed app.

NOTE - You are not expected to be able to authenticate to the vmtestdrive.my.salesforce.com endpoint; this is simply to demonstrate the Application Configuration values applying to the device!

4. Conclusion

This is how easy it is to manage a user-installed app via Workspace ONE UEM. This feature is very powerful in a BYOD scenario to enhance functionality and ensure proper security of user-installed apps.
