Security model choices for your enterprise app
Your security and development model depends on the type of apps that your organization uses.
Use these guidelines to help you decide what type of app security to use for your enterprise app.
No app wrapping or app SDK, just apps managed by MDM
If the app you want to deploy contains no confidential data and you are not concerned about data leaks from the app, you do not need to wrap the app or build it with the app SDK. You can push the app to the device from MaaS360®. MaaS360 provides the following security mechanisms for apps that are managed by MDM:
- Installs the app from the App Catalog
- Uninstalls the app remotely
- Uninstalls the app automatically if the device is out of compliance (for example, if the device is jailbroken or rooted, not adhering to passcode or other policies)
- Prevents backups of apps or enforces encrypted backups of app data
- Enforces managed status of apps on iOS and restricts data exports from your app to other managed apps only (apps pushed and managed with MDM)
If your app is managed with these controls, you do not need app wrapping or the app SDK for your apps.
App wrapping
Use app wrapping if one of the following scenarios applies to your environment:
- Your app contains confidential data, and you need to protect this data from data leak on the app.
- You must enforce encryption of your app data locally on the device.
- Your app must contact an internal resource on your corporate network that is not available on the internet. (The app in the MaaS360 wrapper and the Mobile Enterprise Gateway (MEG) can communicate with your internal server.)
- You want to use MaaS360 to configure your app by passing app configuration parameters such as user name, server URL, and email address.
- You must restrict usage of the app if the device is not in compliance with your corporate policies, and removing the app (the only remedy available for apps managed by MDM alone) is not an option.
- You must enforce the same container password or PIN to unlock all wrapped apps.
App SDK
The app SDK includes the same set of features as app wrapping, plus some additional features. Use the app SDK if one of the following scenarios applies to your environment:
- You want to extract information such as user name, domain, and user email from the MaaS360 app.
- You want to implement callbacks for security events (for example, device compliance events) and customize how you handle your app data.
- You want to send email from your app from MaaS360 Secure Mail.
- You want to open a link from your app in the MaaS360 Secure Browser.
- You want to open a document from your app in the MaaS360 Secure Editor.
Security features comparison tables
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
Get user and device information | Allows the SDK to obtain information about the device and user that includes Device UDID, MaaS360 Device ID, User name, Access Groups, Email Address, Compliance Status, and Out of Compliance reasons (if applicable). | Provides unique identification details about the user and the device. | Yes | Yes | Yes | Yes | N/A | N/A |
Single sign-on and access control across apps | Allows the user to use a single PIN to access any app that is built by the same developer. | Users sign on with a simple container PIN and stay signed in until the login time lapses. | Yes | Yes | Yes | Yes | Yes | Yes |
User custom attribute support | Allows custom user-level attributes to be defined and propagated to the app. | Enterprises define custom attributes for users that are used across apps. | Yes (Note A) | Yes (Note A) | Yes | Yes | | |
Shared device support | Allows the user to access the app only when the user is signed in, and prevents the user from accessing the app when the user is signed out. | Makes sure that data is secure when multiple users share a single device. | Yes (Note B) | Yes (Note B) | Yes | Yes | Yes | |
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
Compliance enforcement | Sets up policies for user and device compliance and enforces restrictions on apps for non-compliant devices. | Detects user and device compliance events and automatically enforces restrictions on apps, such as blocking user access to an app. | Yes | Yes | Yes | Yes (Note C) | Yes (Note D) | Yes |
Location and time-based policies | Defines location and time boundaries for using an app. | Allows or blocks users from accessing an app based on time and location. | Yes | Yes | Yes | | | |
Restrict access on jailbreak | Detects jail-broken devices and restricts user access to an app. The app SDK either enforces this restriction automatically or provides delegate callbacks for these events that the app implements. | Detects jailbreaks and immediately restricts the user from accessing an app. | Yes | Yes | Yes | Yes (Note C) | Yes | Yes |
Restrict access after long periods of inactivity | The app SDK either enforces this restriction automatically or provides delegate callbacks for these events that the app implements. | Enforces authentication to an app after a specified login period expires. | Yes | Yes | Yes | Yes | Yes | Yes |
Restrict access on selective wipe | The app SDK either enforces this restriction automatically or provides delegate callbacks for these events that the app implements. | Sends an alert when the admin starts a selective wipe to protect or delete corporate data within the app. | Yes | Yes | Yes | Yes (Note C) | Yes | Yes |
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
Data at rest encryption | Encrypts the app data at rest. | Encrypts the metadata for the app, the app database, and all the files that are in use by the app. | Yes | Yes (Note E) | Yes | Yes (Note F) | Yes | Yes |
Advanced encryption handling | Encrypts an app that uses a container PIN. | Provides simpler key handling for encryption. | Yes | Yes | Yes | Yes | Yes | |
Encrypted inter-app data transfer with MaaS360 | Encrypts and transfers data between MaaS360 and the app securely without the possibility of man-in-the-middle attacks. | Encrypts data while in transit between MaaS360 and the apps on the device. | Yes | Yes | Yes | Yes | Yes | |
Restrict cut, copy, or paste | Allows cut, copy, or paste only within the set of containerized apps. | Restricts the user from copying or pasting documents from within the container to a personal app. | Yes | Yes | Yes | Yes (Note G) | Yes | Yes |
Restrict screenshot | Restricts the user from taking a screen capture of the device. | Protects sensitive data from leaking through screen captures. | N/A (Note H) | N/A | Yes | Yes (Note J) | N/A (Note H) | Yes |
Restrict import from camera or gallery | Restricts the user from using the camera or importing images from the Gallery into the app. | Isolates work apps from personal images and data. | Yes | Yes | Yes | | | |
Restrict import from SD card | Restricts the user from importing content from the SD card into the app. | Isolates work apps from extraneous content that is stored on the SD card. | N/A | N/A | Yes | | | |
Restrict file import | Restricts the importing of files from other apps into the containerized app. | Prevents users from importing non-work related documents into the containerized app. | Yes | Yes | Yes | | | |
Filter notifications if container is locked | Prohibits notification messages from the app when the container is locked, preventing data leakage. | Blocks sensitive notification messages from displaying on the screen if the container is locked. These notifications are displayed when the user unlocks the container. | Yes | Yes | Yes | | | |
Allow file import from set of allowed apps | Allows the importing of files from a select list of allowed apps, as defined in the policy. | Allows users to import documents from a select list of trusted apps into the containerized app. | Yes | Yes | | | | |
Restrict file export | Restricts the exporting of files to allowed apps only. (The SDK provides a separate interaction controller to handle this action.) | Prevents the leakage of files and allows files to be opened only in a set of allowed, containerized applications. Users cannot export files to other apps. | Yes | Yes | Yes | Yes (Note J) | Yes | Yes |
Restrict printing | Restricts the printing of files, if enabled. | Prevents leakage of data through printing. Users cannot print from the wrapped app. | Yes | Yes | Yes | Yes | Yes | Yes |
Certificate pinning | Validates that the trusted CA public certificates match the certificates that are pinned by the app. | Protects apps from fraudulent certificates. | Yes | Yes | Yes | | | |
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
Per-app VPN | Establishes the gateway access for the app to access resources behind the corporate firewall. | Provides app-level intranet access without a device-level VPN. Encrypts data in motion. Reduces VPN traffic since only corporate apps fetch data through the gateway, while all personal apps directly access the internet. | Yes | Yes | Yes | Yes | Yes | Yes |
Regional gateway support for per-app VPN | Uses a regional MaaS360 gateway for the per-app VPN based on the geographic location of the user. | Allows users to access data faster due to reduced network latency. | Yes | Yes | Yes | Yes | Yes | Yes |
Corporate Network Detect | Uses direct access and skips the per-app VPN in the corporate network. | Allows users to access data faster through direct access to corporate resources while in the corporate network. | Yes | Yes | Yes | Yes | | |
Identity Certificate for direct gateway | Allows Identity Certificate validation by a load balancer during SSL negotiations. | Validates an identity certificate from the device by using a direct gateway setup with a load balancer. | Yes | Yes | Yes | | | |
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
App configuration | A configuration file with required inputs is passed from MaaS360 and delivered securely to the app. | Provides a better user experience because the app is preconfigured. | Yes | Yes | Yes | Yes | N/A | N/A |
App authenticity | Validates the app signature before an app accesses the MaaS360 container. | Makes sure that tampered or malicious apps do not gain access to the container. | Yes | Yes | Yes | | | |
Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
---|---|---|---|---|---|---|---|---|
Send MaaS360 email | Provides an interaction controller that is used to send email through MaaS360 Secure Mail with or without attachments. | Allows users to send email from your app with MaaS360 Secure Mail. | Yes | Yes | Yes | Yes | N/A | N/A |
Open document directly in Secure Viewer | Provides the option for developers to open documents directly in the Secure Viewer, since Android does not provide a viewer. | Enables developers to easily provide document views within apps that use the MaaS360 SDK. | N/A | N/A | Yes | Yes | N/A | Yes |
Save documents in MaaS360 app | Provides an interaction controller for the app to allow users to save the document securely in the MaaS360 app. | Users can save documents from any app into the My Docs section of the container. | Yes | Yes | Yes | Yes | N/A | N/A |
Open links in MaaS360 Secure Browser | Allows users to open links from apps in the MaaS360 Secure Browser. | Users are directed to the MaaS360 Secure Browser to open URLs present in apps, including intranet sites, without a device-level VPN. | Yes | Yes | Yes | Yes | | |
Browse in MaaS360 Docs | Provides an interaction controller for the app to allow users to browse documents securely from MaaS360 Docs. | Users can securely browse documents in MaaS360 Docs from any app. | Yes | Yes | Yes | | | |
Edit documents in MaaS360 Secure Editor | Provides an interaction controller for the app to allow users to edit the document securely in the MaaS360 Secure Editor. The SDK handles the transfer of the document to the editor and the return of the document from the editor when the edit is complete. | Allows users to edit a document directly inside the container by using the MaaS360 Secure Editor. | Yes | Yes | Yes | Yes | Yes | |
Note | Description |
---|---|
A | Can be used with app configuration |
B | Requires app reconfiguration |
C | Selective Wipe action by MaaS360 app only. No delegate callbacks. |
D | Only for selective wipe events |
E | Provided by iOS. JSON database encrypted by Worklight. |
F | Files and text encrypted by MaaS360. JSON database encrypted by Worklight. |
G | By extending the MaaS360WLDroidGap class |
H | Available by using MDM |
J | By extending the MaaS360WLDroidGap class |
N/A | Not possible, or not made available by the OS |
** | Wrapping support for iOS Cordova-based apps is at parity with SDK-integrated apps, while wrapping is not currently supported for Android Cordova-based apps. |