App Management in Modern Android Enterprise mode

IBM® MaaS360® improves the user interface and advanced app management capabilities for devices that are managed in Modern Android Enterprise mode. In the redesigned user interface, you can configure settings for both environments within a single app. MaaS360 automatically applies the appropriate settings to the distributed app based on the management mode of the device.

Modern Android Enterprise enables the administrator to set App Permissions directly from the App Distribution wizard. IBM MaaS360 supports various app types, including Google Play, Private Channel, Enterprise, and Web Apps.

You can also specify the Disable app and Dedicated Scopes options during App Distribution.

Important: The apps that support managed app configuration must be added to the App Catalog before you can add configuration settings for those apps.

Adding an app for Android

Add an Android public app to the App Catalog. Public apps are free apps that are generally available in the Google Play Store.

You can search for public apps directly from the Google Play Store and add them to the MaaS360 App Catalog.
Note: The apps that are added through this workflow can be deployed only to Android devices that are enrolled in Device Admin mode. To deploy apps to Android Enterprise devices, see Adding a public app for Android Enterprise.
  1. From the IBM MaaS360 Portal home page, select Apps > Catalog.
  2. Click Add, expand the Android section, and then select Google Play App or Private App for Android Enterprise.
    • Select the Google Play App to add a public app.
    • Select the Private App for Android Enterprise to add a private app.
  3. One of the following windows appears based on the selection.
    • If you select Google Play App, then the Add Google Play App window is displayed.

      Enter the name of the app to search for it, or select an app from the list under Featured Apps, and then click Select. When you start typing the name of the app, IBM MaaS360 automatically populates the entry with the corresponding public apps from the Google Play Store.

    • If you select Private App for Android Enterprise, then the Manage Private Google Play Apps window appears and the Managed Google Play iframe is displayed.
      1. Click Create (+ icon).
      2. Enter a title, upload an APK file, and click Create.
        Important: When you publish a private app for the first time, you must provide an email address to receive notifications about your app and developer account. You can update the contact email address later.
  4. Configure the following details in the Settings tab.
    Option: Description
    Remove app on: The app is automatically removed in the following scenarios.
    • MDM Control Removal: When MDM control of a device is terminated by the administrator or a user.
    • Selective Wipe: When a selective wipe is issued to the device.
    • Deletion from portal or stopping distribution: When the app is deleted from IBM MaaS360 Portal or distribution to a specific distribution list is stopped.
    • Sign out from Shared Device: When a user signs out of a shared device. When the user signs back into the device, the app is restored on the device.
    Security Policies: The following policies are enforced on the app:
    • Enforce Authentication: Based on authentication type, users are prompted to provide a corporate or local MDM password to access the app.
    • Enforce Compliance: The app cannot be accessed if the device is out of compliance. The Usage data access permission must be enabled on the device for the MaaS360 app to restrict access to the app when the device is out of compliance (OOC).
    Update Settings: If the Control app updates checkbox is selected, all apps receive app updates when they are available, but the updates are auto-installed on supervised devices only. Users are prompted to install updates manually on nonsupervised devices.
    Modern Android Enterprise
    Install Settings: The type of installation for an app on the device. Select one of the following options:
    • Available to install: The app is available to install.
    • Pre installed: The app is automatically installed and it can be removed by the user.
    • Force installed: The app is automatically installed regardless of a set maintenance window and it cannot be removed by the user.

    When the Disable app option is selected, the installed app is available on the device without functioning.

    Security Policies:
    • Enforce Always on VPN: A VPN connection is required to access the app.
  5. Configure the following details in the Permission tab.
    Option: Description
    Default Permission: The default permission policy for runtime permission requests.
    Select one of the following options.
    • Always prompt: Prompt the user to grant a permission.
    • Always Grant: Automatically grant a permission.
    • Always Deny: Automatically deny a permission.
    Override Permissions: To override the default permission, configure individual permissions with their respective actions.

    Select the permission from the Permission list.

    Select the respective action for the selected permission from the Action list.
    • Always prompt: Prompt the user to grant a permission.
    • Always Grant: Automatically grant a permission.
    • Always Deny: Automatically deny a permission.

    Click Add to add multiple permissions with actions. You can also remove individual permissions.

    Delegate scope: The scopes that are delegated to the app from Android Device Policy (ADP). These scopes are extra privileges for the app that they are applied to. Select the checkbox for each privilege that you require.
  6. Configure the following details in the Settings tab.
    Option: Description
    Distribute to: The devices that receive the app. Use the plus icon to add multiple distributions. MaaS360 can distribute an app to devices in the following ways.
    • None: The app is loaded in the App Catalog, but the app is not distributed to devices immediately.
    • Specific Device: The app is loaded in the App Catalog and deployed to a specific device.
    • Group: The app is deployed to a group of devices.
    • All Devices: All devices receive the app.
  7. Click Add.

    The app is successfully added to the App Catalog. The app might take up to 10 minutes to publish depending on the size of the app.
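
The Permission tab settings in step 5 resolve per permission: an Override Permissions entry takes precedence, and Default Permission applies to everything else. The following added example (not IBM code, and not a MaaS360 export or API format) models that resolution on constructed app records and lists the settings a least-privilege review would question. The dictionary keys, the package names, and the sets of sensitive permissions and high-impact scopes are assumptions.

```python
# Added example: constructed records, not a MaaS360 export or API format.
PROMPT, GRANT, DENY = "Always prompt", "Always Grant", "Always Deny"

# Assumption: runtime permissions this reviewer treats as sensitive.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}
# Assumption: delegated scopes (named as on the page) that warrant sign-off.
HIGH_IMPACT_SCOPES = {
    "Certificate installation and management",
    "Permission policy and permission grant state",
}

def effective_action(app, permission):
    """An Override Permissions entry wins; otherwise Default Permission applies."""
    return app.get("overrides", {}).get(permission, app["default_permission"])

def review(app):
    """Return least-privilege findings for one app's Permission tab settings."""
    findings = []
    if app["default_permission"] == GRANT:
        findings.append("default permission grants every runtime request")
    for perm in sorted(SENSITIVE):
        if effective_action(app, perm) == GRANT:
            findings.append(f"{perm} is granted without a user prompt")
    for scope in sorted(HIGH_IMPACT_SCOPES & set(app.get("delegated_scopes", []))):
        findings.append(f"delegated scope needs justification: {scope}")
    return findings

# Constructed sample apps (hypothetical package names).
SCANNER = {"name": "com.example.scanner", "default_permission": PROMPT,
           "overrides": {"android.permission.CAMERA": GRANT},
           "delegated_scopes": []}
CERT_HELPER = {"name": "com.example.certhelper", "default_permission": GRANT,
               "overrides": {"android.permission.ACCESS_FINE_LOCATION": DENY},
               "delegated_scopes": ["Certificate installation and management",
                                    "Enabling system apps"]}

if __name__ == "__main__":
    for app in (SCANNER, CERT_HELPER):
        print(app["name"])
        for finding in review(app):
            print("  -", finding)
```

The second record shows why the default matters more than any single override: one Always Deny entry removes one permission, while an Always Grant default still covers every other request.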

Creating an app configuration

Important: The apps that support managed app configuration must be added to the App Catalog before you can add configuration settings for those apps.
  1. From the IBM MaaS360 Portal home page, go to Apps > App Configurations. The App Configurations page is displayed.
  2. Click Add Configuration and configure the following.
    • App configuration name: Provide a name for your configuration.
    • Create from existing configuration: Use an existing configuration as a base for your new configuration instead of creating a new configuration.
    • Select the app you want to configure: Use the search icon to find an app that you want to add the configuration to. MaaS360 displays a list of apps from the App Catalog that match the search criteria.
    • Select managed config: View the app configurations that are configured for the selected app. The configurations from the selected app configuration are used as a base for the new configuration.
  3. Click Next. The configuration settings that are available for the app are displayed on the Configuration tab.
    The following configuration options are displayed based on the type of app.
    App type: Configuration options
    Google Play app: Supported app configurations are displayed
    Private app for Android Enterprise: Supported app configurations are displayed
    Notes:
    • You can use custom attributes such as username (%username%) or domain (%domain%) to configure the settings.
    • Bundle array configurations are supported on Android 6.0+ only.
    • The app configurations apply to the primary version of the iOS enterprise apps only. The additional versions of iOS enterprise apps do not support app configurations.
    • By default, the administrator selects the XML template as the first app configuration that is used for all app configurations that are created for an app. MaaS360 does not allow administrators to override XML templates later.
  4. Click Next.
  5. On the Distributions tab, choose the entities that you want to distribute the app configuration to:
    • Set as default configuration: The default configuration is automatically distributed to the device if another configuration is not specified for that device through a group-based or a device-based distribution.
    • Groups: Select the groups that receive the app configuration.
    • Specific devices: Select the individual devices that receive the app configuration.
    • Distribute application: The application is distributed to the selected groups and devices along with the app configuration.
  6. Click Publish. The configuration settings are deployed to the device. The app configuration is displayed at Apps > App Configurations. The app is added to the App Catalog and the corresponding app configurations are displayed in the App Configurations section on the App Summary page.

Editing an app in the Details view

Use the Details view to update app settings, review app properties, and track the history of the app.

  1. From the IBM MaaS360 Portal home page, select Apps > Catalog.
  2. Click View next to an app name to open the app in the Details view.
  3. Review the information about the app in the following sections. To change a section, click Edit, update the fields as required, and then save the changes.
    • App Summary
      Option: Description
      App ID: The unique ID that identifies the app on the device. When you add a version of an enterprise app, the App ID must be the same as the original app. If the App ID is different, the app is added as a new app.
      Type: The type of app. For more information, see App Catalog overview.
      Category: The app category that is defined by the app developer. Users can browse for apps by category in the user App Catalog.
      Supported on: The list of devices that are supported by the app.
      Distributions: The list of distribution targets for the app. Click the X icon to stop the distribution of the app to targets.

      Note: If an app is distributed to more than 10 targets, click the More link to view a complete list of distribution targets in the Manage Distributions page.

      Installs: The number of devices that received the app versus the number of devices that installed the app.
      App Bundles: The list of app bundles that the app is a member of. Click the X icon to remove the app from the bundle.
      Update Date (Uploaded By): The date and time the app was last updated.
      Available Tracks: The distribution tracks (alpha, beta, production) that are available for public and private channel Android Enterprise apps. For more information, see Distribution of alpha and beta tracks.
    • Install Settings
      Option: Description
      Install Automatically: The app is automatically downloaded on devices and users are prompted to install the app.
      Note: On Samsung for Enterprise (SAFE) devices, the app is downloaded and installed automatically.

      If an app is not marked for installation, users are prompted to download the app from the app store.

      Install mode: The type of installation for an app on the device. Select one of the following options:
      • Available to install: The app is available to install.
      • Pre installed: The app is automatically installed and can be removed by the user.
      • Force installed: The app is automatically installed regardless of a set maintenance window and can't be removed by the user.
      Disable app: When the Disable app option is selected, the installed app is available on the device without functioning.
      Control app updates: The following auto-update options are displayed:
      • Default: Updates the app over a Wi-Fi network when the device is charging or idle.
      • Postpone: Pauses automatic app updates for 90 days. The app is not automatically updated during these 90 days, starting from the day the developer publishes the new update. After the 90-day period is over, the newer version of the app is automatically installed on the device according to the default app update behavior.
        Note: The Postpone mode does not prevent users from manually updating apps. Users can manually update apps from the Google Play store during the postponement period.
      • High-priority: Updates the app when the app developer publishes a new version, without taking the default app update conditions into consideration. If the device is offline, the app is updated when the device is connected to the internet. Updates might occur during business hours and cause work disruptions.
    • Permission Settings (Modern Android Management)
      Option: Description
      Default Permission: The default permission policy for runtime permission requests.
      Select one of the following options:
      • Always prompt: Prompt the user to grant a permission.
      • Always Grant: Automatically grant a permission.
      • Always Deny: Automatically deny a permission.
      Override Permissions: To override the default permission, configure individual permissions with their respective actions.

      Select the permission from the Permission list.

      Select the respective action for the selected permission from the Action list.
      • Always prompt: Prompt the user to grant a permission.
      • Always Grant: Automatically grant a permission.
      • Always Deny: Automatically deny a permission.

      Click Add to add multiple permissions with actions. You can also remove individual permissions.

      Delegate scope  
    • Delegated Scope Settings (Modern Android Management)
      The scopes that are delegated to the app from Android Device Policy (ADP). These scopes are extra privileges for the app that they are applied to. Select the checkbox for each privilege that you require.
      • Certificate installation and management
      • Managed configurations management
      • Blocking uninstallation
      • Permission policy and permission grant state
      • Package access state
      • Enabling system apps
    • Security Policies
      Important: Policy changes are applied to devices that install the app after the policy change.
      Select the following options based on your requirement and click Save.
      Option: Description
      Remove on MDM Control Removal: The app is automatically removed from the device when MDM control of the device is terminated.
      Remove on Selective Wipe: The app is automatically removed from the device when a selective wipe is issued to the device.
      Enforce Compliance: If this setting is enabled, access to the app is restricted when the device violates a corporate policy.
      Enforce Authentication: If this setting is enabled, the device requires authentication to access the app. Based on the authentication type, users are prompted to provide a corporate or local MDM password.
      Remove on Stopping Distribution: The app is automatically removed from the device when distribution to a specific distribution list is stopped.
      Remove on Signout from Shared Device: The app is removed from a device when a user signs out of a shared device. When the user signs back into the device, the app is restored on the device.