MAM Guide v7 0

Download as pdf or txt
Download as pdf or txt
You are on page 1of 56

Mobile Application Management (MAM)

Guide
Enable access to public and enterprise apps with AirWatch v7.0

2014 AirWatch, LLC All Rights Reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Table of Contents
Introduction to the Mobile Application Management (MAM) Guide

Application Management Requirements

Supported Browsers

Supported Devices

In This Guide

Before You Begin

Creating Application Categories

Creating Custom Notifications for Applications

Creating Smart Groups

Configuring AirWatch Application Reputation

Integrating with Other Systems

11

Available Features for Public, Purchased and Internal Applications

12

Deploying Public Applications

14

Searching for the Application

14

Configuring Settings

15

Deploying Purchased Applications

19

License Codes or Redemption Codes

19

Deploying VPP Applications Process

19

Deploying VPPApplications, Redemption Codes

19

Deploying VPPApplications, License Codes

21

Notifying End-Users

23

Managing and Tracking VPP Application Orders

23

Deploying Internal Applications

25

Uploading Internal Applications

25

Configuring Settings

25

Using the Application Workflow

29

Managing Applications

32

Sorting and Viewing Application Information

32

Using the Application Actions Menu

32

Enforcing Application Security and Compliance

38

Creating Application Groups

38

Building an Application Compliance Policy

40

Enforcing Application Control for Android Devices

41

Enabling Restricted Mode for Public iOS Applications

41

Using Tracking Application

42
Mobile Application Management (MAM) Guide | v.2014.01 | January 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 2

Deploying an Enterprise Application Catalog

43

Deploying the Enterprise App Catalog

43

Adding Featured Applications

44

Enabling the App Catalog without MDM

45

Using the App Catalog

46

Advanced Application Management

48

Overview

48

Using the SDK and App Wrapping

48

Configuring Settings and Policies

49

Appendix SDK Profiles, Policies and Settings Compatibility

53

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 3

Introduction to the Mobile Application Management (MAM) Guide

Introduction to the Mobile Application Management


(MAM) Guide
With an increasing mobile workforce, the power and impact of mobile applications are extending to far more than just
the consumer. Businesses are rapidly adopting mobile applications to create business intelligence, deploy mobile points
of sale, configure sales kiosks and provide work-related applications to boost productivity and increase efficiency.
However, organizations still face many challenges when trying to secure and manage applications, such as:
l

Managing different applications across different locations.

Deploying on-the-fly updates that are applied asynchronously and without testing.

Blacklisting unapproved and malicious applications that should not be on devices.

Ensuring all required business applications are on devices.

Keeping all business applications up-to-date across all devices.

Purchasing and allocating purchased applications.

Enforcing data-loss prevention to keep your mobile application investments protected and secure.

Distribute, secure and track mobile applications across your mobile fleet with the AirWatchs Mobile Application
Management capabilities directly from the AirWatch Admin Console.

Distribute Applications
l

Install, update and remove managed applications


remotely.
Install required applications automatically during
enrollment.

Secure Applications
l

Restrict application usage by creating blacklists, whitelists


and application compliance policies.

Restrict access to pre-installed applications on a device.

Disable iTunes, Google or other public application stores.

Allow users to install applications on-demand from


the Enterprise App Catalog.

Configure application access based on assignment


rules.

Prevent data backup and automatically remove


applications on un-enrollment from AirWatch Agent.
Scan applications to identify security risks.

Track Applications
l

Track and view installed, approved and blacklisted


applications at the device and user level.
Receive alerts when an end-user has installed an
unapproved application.
Generate application inventory, version history
and compliance reports.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 4

Application Management Requirements

Application Management Requirements


Supported Browsers
The AirWatch Admin Console supports the following web browsers:
l

Internet Explorer 8+

Google Chrome 11+

Firefox 3.x+

Safari 5.x

Comprehensive platform testing has been performed to ensure functionality while using these web browsers. The
AirWatch Admin Console may still function in non-certified browsers with minor performance issues.

Supported Devices
AirWatch supports the following devices and operating systems:
Symbian
Android v2.3+

iOS v3.0+

Windows
Phone

Windows
Phone 8

Windows
8/RT

3rd Edition FP2


5th Edition
Anna
Belle

Deploy Public
Applications

Deploy Internal
Applications

Deploy
Purchased
Applications

Enforce
Application
Compliance

Use the
AirWatch SDK

Use AirWatch
App Wrapping

Reputation
Analysis

*AirWatch supports only unmanaged public applications for Windows 8/RT. The AirWatch Admin Console cannot push
unmanaged applications to devices and it directs end-users to the Windows Store, using the App Catalog, to download
these applications. AirWatch cannot remove unmanaged applications from devices.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 5

Application Management Requirements

In This Guide
This document discusses the process of deploying applications to your end-users using the AirWatch Admin Console
from beginning to end. It is divided into the following sections where you will learn about the following processes:
l

Before You Begin Recommended Considerations Details actions and considerations to evaluate prior to
beginning your application management deployment. These actions are not prerequisites, but they can help the
process of uploading and deploying applications smoothly.
For example, register for Apple's Volume Purchasing Program (VPP), create application categories, configure Smart
Groups, and set the AirWatch Application Reputation service.

Deploying Public Applications Recommend public applications to your end-users for work and related use.
Deploying Purchased Applications Manage your purchased applications for Apple VPP to disseminate them to
end-users from the AirWatch Admin Console.
Deploying Internal Applications Upload your own enterprise applications to the AirWatch Admin Console and
provide them to your end-users.
Managing Applications Manage all your applications with actions for feedback, notifications, feedback, version
control, retirement and other management functions.
Enforcing Application Security and Compliance Configure compliance policies for your applications to require
access to mandatory applications and to restrict the use of unauthorized applications.
Deploying an Enterprise App Catalog Deploy an Enterprise App Catalog so your end-users can easily access all of
your deployed applications.
Advanced Application Management Use advanced application management settings to tailor AirWatch
applications for your mobile environment using the AirWatch SDK, injects AirWatch functionality into your
applications without changing code with AirWatch App Wrapping or fine tune all your managed applications with
SDK profiles.
Appendix SDK Profiles, Policies and Settings Compatibility See which advanced application management
settings apply to the various types of applications AirWatch supports.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 6

Before You Begin

Before You Begin


This topic explains some of the application settings you can configure prior to uploading applications. Note that you can
configure these settings at any time and change them as necessary, but doing so before you begin may help you to start
thinking about how you intend to manage your application deployments. For example, how will your applications be
categorized if using an Enterprise App Catalog?How will you configure your smart groups, which are the sets of users
that receive applications?Will you use the AirWatch Application Reputation service for your applications?These topics
and more are covered in detail below.

Creating Application Categories


You can define your own application categories to filter applications by type or function. You can create, view, edit, delete
and assign one or more categories for both public and internal applications in a selected Organization Group. The App
Catalog also displays these categories, allowing end-users to browse and filter.
1. Navigate to Apps & Books Applications Settings App Categories.
2. Select Add Category.
3. Provide the Category Name and Category Description and save the settings.
Note: While adding a new internal or public application, the system automatically looks into all the existing seeded
system categories and selects the one that matches the application as received from the app store. You can also
assign or un-assign one or more categories while creating the applications.

Creating Custom Notifications for Applications


AirWatch enables you to notify end-users about new and updated applications through custom or template messages.
You can send messages using email, SMS or push notification. A message template can be customized to include
application name, description, image and version information. You can edit the message templates to have a lookup
value for the URL of an application page in the Application Catalog.
To create an application notification message:
1. Navigate to Groups & Settings All Settings Devices & Users General Message Templates.
2. Select Add and complete the required information:

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 7

Before You Begin

Name Enter the name of the new template.


Description Enter a description of the message that will be used internally by AirWatch to describe this
template.
Category Enter the message template category. For VPPApplication Messages, select Application and
Application Notification as the Type.
Select Language Enter a parameter to limit the message delivery to only devices that belong to end-users who
understand the specified languages.
Default Select whether the AirWatch Admin Console uses this message template by default for the Category
Application and the Type Purchased Application.
Message Type Select the message configuration types (email, SMS or push) that will be used for this template.
Message Bodies Enter the message to be displayed on end-user devices for each message type. Use the
{ApplicationName} look-up value to automatically populate the application name in each message.

3. Select Save.

Creating Smart Groups


Smart Groups are customizable groups you define that determine which end-users receive an application. With Smart
Groups you can deploy an application to additional Organization Groups, or refine parameters to deploy only to specific
platforms, devices, users or other settings. While you can create Smart Groups when you are adding and deploying
applications, you can also create them up front so they are available for use later.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 8

Before You Begin

Creating a Smart Group


Before you can assign a Smart Group to an application you must first create it. Configure the Smart Group at the
applicable Organization Group level.
1. Navigate to Apps & Books Applications Settings Smart Groups and then select Add Smart Group.
2. Enter a Name for the Smart Group.
3. Configure the Smart Group using Select Criteria or using Select Specific Devices and Users.
Note: Switching between Criteria and Specific Devices and Users erases entries.
l

In the Criteria section, select the users and devices or select parameters to add in the Smart Group. Parameters
includeOrganization Group, User Group, Ownership, Platform, Model and Operating System.
You can add and exclude devices and users in the Additions and Exclusions sections.

In the Specific Devices and Users section, search for the device or user. You must add one device or user or you
cannot save the Smart Group.

4. ClickSave when finished.

Assigning a Smart Group to a New Application


When uploading a new internal, purchased or public application, you select the Smart Group on the Assignment tab,
where you can also view the current device assignments for a particular Smart Group. A detailed description of the
Assignment tab and other tabs used to configure applications is described in the Deploying Public Applications ,
Deploying Purchased Applications and Deploying Internal Applications sections.

Assigning a Smart Group to an Existing Application


Once you upload an application you can reassign or add devices to the assignment directly from the Applications List
View.
1. Navigate to Apps & Books Applications List View and select either Internal or Public.
2. Locate the application and use the Edit Assignment option from the Actions menu.
3. Select a Smart Group or create a new one. You can select more than one.
4. ClickSave &Publish when you are finished.

Configuring AirWatch Application Reputation


The AirWatch App Reputation Cloud Service and its Reputation Analysis Engine scan mobile Android applications for
security risks and identifies them in scan results. AirWatch offers this feature through the AirWatch MAM space so that
you can control the influx of insecure applications to your mobile environment. The Reputation Analysis engine uses
proprietary technologies to search applications for unwanted behaviors such as:
l

Making insecure network connections

Accessing privacy settings


Mobile Application Management (MAM) Guide | v.2014.01 | January 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 9

Before You Begin

Deploying malicious code

How App Reputation Works


1. You can enable a scan on an application recently uploaded into the AirWatch environment, or run the feature on an
previously deployed application.
2. The AirWatch Admin Console sends the application data to the AirWatch App Reputation Cloud Service.
3. The Reputation Analysis Engine scans the application, identifies risks and compiles scan results.
4. The AirWatch App Reputation cloud service sends results to the AirWatch Admin Console.
5. The AirWatch Admin Console displays the scan results as part of the application's AirWatch record. View the results
on the internal or public application page by selecting the application and viewing the Reputation tab.

Enabling App Reputation Analysis


Enable the App Reputation Cloud service at any time. You can analyze new applications when you upload them and you
can analyze applications previously deployed in your environment.
1. Navigate to Groups & Settings All Settings Apps Catalog App Reputation.
2. Select Enable App Reputation Analysis to use the Reputation Analysis engine and the AirWatch App Reputation
Cloud service.

Scanning an Application
You can run a scan when adding a new internal or public application or on an existing one.
Scan a new application
Run a scan on the Reputation tab when adding new public or internal applications. This process is outlined in Managing
Public Applications and Managing Internal Applications.
Scan an existing application
Use the Run Reputation Analysis action from the Applications List View page to scan public and internal applications
already in the AirWatch Admin Console. This process is outlined in Managing Risk with Reputation Analysis.

Viewing Scan Results


View scan results in the AirWatch Admin Console and use the Console as a central repository of scan results for your
most commonly used applications. The scan results qualify risks as high, medium and low and are divided into three
types: Design and Programming, Privacy and Risky Behavior. View the number of risks in each level.
l

Design and Programming Examples include insecure network communications.

Privacy Examples include reading calendars and accessing locations.

Risky Behavior Examples include inter-application communication and installing packages.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 10

Before You Begin

Integrating with Other Systems


Enable your AirWatch application solution to integrate with the Android Market and apple's Volume Purchase Program
(VPP). You can streamline deployment by integrating and registering r these systems before deploying applications to
devices.

Google Play (Android Market) Integration


To search for and deploy public Android application, you must first configure a connection between the AirWatch MDM
and the Google Play Store. Enabling this feature is necessary for on-premise customers only.
Use the following steps to add a Google Account:
1. Navigate to Groups & Settings All Settings Device &Users Android Google Play Integration.

2. Complete the form for a Phone or Tablet with the following information:
l

Username Google Account username.

Password Google Account password.

Android Device ID Enter in a valid Android Device ID.


o

The Device IDfrom a phone or a tablet is used accordingly to provide the system with access to all apps in
the Google Play Store.

Click Test Connection after filling out the form to see if the system can connect to the Google Play Store
using the supplied credentials.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 11

Before You Begin

Note: To find the Device ID of your Android device, download the Device ID application from the Google
Play Store.

Enrolling in the Apple VPP


To register for the Apple VPP, navigate to http://www.apple.com/business/vpp for businesses or
http://www.apple.com/itunes/education for educational institutions. You will need to provide the following
information:
l

Basic contact information, such as your business phone number and email address, to verify your business.

A Dun &Bradstreet (D-U-N-S)number for your company.

Acorporate credit card or PCard to purchase applications.

Note: Once your enrollment information has been verified, you will create a new Apple IDspecifically for the VPP. This
Apple IDshould not be used for other Apple services, such as the iTunes Store.

Purchasing Applications with VPP


1. Navigate to https://vpp.itunes.apple.com/us/store.
2. Log in with the VPPApple ID created during the enrollment process.
3. Search for applications by entering the name or copying and pasting a link from the App Store in the search field.
Enter the quantity you want to purchase. Complete the application purchases with a corporate credit card.
4. Check your email for an order processing confirmation from Apple. When you receive this email, you can log in to the
VPPwebsite and download a spreadsheet of redemption codes for the applications you purchased. This spreadsheet
contains details such as the redemption code, redemption status and most importantly, a redemption URL to give to
end-users that automatically validates the code and installs the program through the App Store.

Available Features for Public, Purchased and Internal Applications


Public, purchased and internal applications are compatible with different AirWatch features. The following table lists the
AirWatch feature and the platforms and application type for which it supports the functionality.
Feature

Supported
Platform

Public

Purchased

Internal

Asset Tracking

All supported
platforms

Ratings Management

All supported
platforms

AirWatch App Reputation Cloud Service

Android

Google Play Integration

Android

Silent Activity

Android

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 12

Before You Begin

Feature

Supported
Platform

Public

Purchased

Internal

Application Compliance

Android, iOS

Apple Volume Purchase Program, VPP

iOS

Feedback Management

iOS

Application Configurations

iOS

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 13

Deploying Public Applications

Deploying Public Applications


Many of the applications available within public app stores can be used to enhance the business interactions that take
place on your managed devices. Deploy and manage some of these applications from the AirWatch Admin Console for
the specific groups and users within your organization.

Searching for the Application


Search for public applications in an application store when adding them to the AirWatch Admin Console. Retrieving the
application from a store ensures you pull the latest version and also ensures the AirWatch Admin Console properly
manages the public application for your mobile deployment.
1. Navigate to Apps & Books Applications List View Public.
2. Click Add Application.
3. Provide the Organization Group in the Managed By field along with the Platform and the Name of the publicly
available application you wish to search for.
4. Select Search App Store to automatically search for the application in Apple App Store, Google Play Store (Android
Market) or Microsoft Windows Phone Store.
Note: In order to search the Google Play Store, a Google Account must first be integrated with the AirWatch
MDM environment. See Google Play Integration.
5. Click Next and Select the desired application from App Store result page.

Adding Using an App Store Search


Use the AirWatch search feature to add public applications rather than add them manually. Addition by searching lets
you use management functions whereas manual addition does not. With addition by searching you can perform the
following management functions for your public applications:
l

Push the application to devices using the AirWatch Admin Console.

Publish the application to devices on-demand or automatically.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 14

Deploying Public Applications

Install the application using the AirWatch Agent without users having to retrieve the application from the App
Catalog manually.

Configuring Settings
After selecting an application, complete the Add Application page to configure assignment and deployment options.
Most of the application information automatically populates for Apple iOS, Android, Windows Phone 8 and Windows
8/RT devices. Fill in the remaining fields in all four tabs.

Configuring Info
1. Provide the Comments for the application to appear in the Additional Comments tab in the App Catalog.
2. Select as Reimbursable, Not Reimbursable or Undefined to designate whether or not your organization reimburses
end-users for the application, if purchased. A small icon in the AirWatch App Catalog indicates if an application is
reimbursable.
3. Provide a Rating of 1-5 stars for the application.
4. Provide a Category type in the Categories field to help identify how the application can help users. For more
information see Categories.
5. Provide the Default Scheme (iOS only) to indicate the URL scheme for iOS applications.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 15

Deploying Public Applications

Other iOS applications and web applications can integrate with this application using this scheme. The application
also uses this scheme to receive messaged from other applications and to initiate specific request. The AirWatch
Workspace uses this scheme to launch the application in the Workspace.

Configuring Assignment
1. Select Assigned Smart Groups to deploy the application using Smart Groups or the legacy assignment. Additionally,
create a new Smart Group by selecting Create New Smart Group. For more information about Smart Groups, see
Assigning by Smart Groups.
2. Enable Restrict to Devices Supporting Silent Activity (Android only) to assign this application to those Android
devices that support the Android silent uninstallation feature. The end-user does not have to confirm an
uninstallation when you enable silent activity for a device. This feature makes it easier to uninstall many applications
simultaneously.
Only Android devices in the Smart Group that support silent uninstallation get this application.
3. Select View Device Assignment to see the list of devices available under assigned Smart Groups.
Using Legacy Assignments
You do encounter some instances where you cannot use Smart Groups for your public applications and you must use
your legacy assignment settings. This feature ensures that your public applications do not loose their override settings.
For example, a public application has legacy assignments that are configured at a child Organization Group (OG) and are
set to override the parent OG settings. You cannot assign these applications to Smart Groups unless you change these
override settings at the child level. To change the override settings, click the Edit Legacy Assignment link and change
Override to Inherit.
Important: Before you change override settings, ensure other groups are not affected by these configuration
changes.

Configuring Deployment
Note: AirWatch supports only unmanaged public applications for Windows 8/RT. The AirWatch Admin Console
cannot push unmanaged applications to devices and it directs end-users to the Windows Store, using the App
Catalog, to download these applications. AirWatch cannot remove unmanaged applications from devices.
1. Select Push Mode to determine if the application is installed automatically (auto) or manually (on demand) by the
user when needed.
l

Automatically deploying an application immediately prompts users to install the application on their devices.
Auto is the best choice for applications critical to your organization and its mobile users.
Manually deploying an application allows access and downloads this application, if selected, from an enterprise
application catalog. On Demand is the best choice for applications that are not critical to the organization.
Allowing users to download these applications when they want helps conserve bandwidth and limits
unnecessary traffic.

2. Enable Remove On Unenroll (iOS only) to determine whether the application gets removed when a device is

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 16

Deploying Public Applications

unenrolled.
3. Enable Prevent Application Backup (iOS only) to disallow backing up the application to iCloud. This option stops
end-users from saving different versions of a public application in the iCloud. It helps to keep your organization's
collection of public iOS applications clean and properly versioned.
Note: Although this helps with keeping application versions clean, it can also hinder saving important updates
and data. Ensure you manage these applications so that you do not loose vital data or features.
4. Enable Use VPN (iOS 7+ only) to configure a VPNat the application level. This configures end-users to access the
application using a VPN, which helps ensure application access and use is trusted and secure.
Enable Send Application Configuration(iOS 7+ only) to send application configurations to iOS devices. This feature
allows you to automatically configure managed applications. Users do not have to manually configure these specified
values in the application.
Enter the configuration values as unique keys into the appropriate fields. Supported entries for key/value pairs are
String, Number, Boolean and Date. You can also use Lookup Values when entering the application configurations.
Note: If you make any changes to application configurations, you must re-publish the application to apply the
changes.
5. Example: ABC map application needs to have the DNS server configured in its settings for it to work. You can set
these configurations and send them down to the application so that end-users do not have to enter the DNS server
details in the application.
6. Set if the application was created using the SDK and needs a profile to integrate with AirWatch.
Select the shared or custom SDK profile from the SDK Profile drop-down menu.
Select the certificate profile from the Application Profile drop-down menu so that the application and AirWatch
communicate securely.
7. Click Add Exceptions to quickly deploy public applications to those unusual use cases that can develop within an
organization.
l

Add Criteria for ownership and user groups towhich to apply the specific exceptions.
Enable an Override Value to create specific exceptions to the options located under the Deployment view.
Override Value options vary depending on the platform.

Configuring Terms of Use


To select Terms of Use you must first create them if you have not already. Find the Terms of Use configuration options in
Groups &Settings All Settings System Terms of Use.
Select a Required Terms of Use for the application, if desired.
Terms of Use let the organization specifically state how to use the application. This option makes the organization's
expectations clear to end-users. When the application pushes to devices, users view a Terms of Use page that they must
accept in order to use the application. If users do not accept, they cannot access the application.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 17

Deploying Public Applications

Configuring Reputation (Android only)


Enable Run Reputation Analysis to send the application to the AirWatch App Reputation Cloud Service. The Reputation
Analysis Engine scans applications for security risks and identifies them in scan results. View results on this tab, the
Reputation tab.
Use the Notify Developer option to send a message to developers to notify them of potential risks with their
applications. Send the message using email notifications and the applicable template. The system attaches the detailed
Reputation Analysis report to the email.
Note: Consider analyzing the application before assigning it to a Smart Group. If you approve of the scan results, then
assign it to Smart Groups and push it to devices in the group.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 18

Deploying Purchased Applications

Deploying Purchased Applications


If you want to distribute a public or B2B application to hundreds or thousands of iOS devices or users, you may consider
using the Apple Volume Purchase Program (VPP). The Apple VPP enables organizations to purchase publicly available
applications or specifically developed third-party applications in bulk for distribution. Any paid application from the App
Store is available for volume purchase at the existing App Store price. Custom B2B applications can be free or purchased
at a price set by the developer.
Note: The Apple VPP is currently only available in Australia, Canada, France, Germany, Italy, Japan, New Zealand,
Spain, the United Kingdom and the United States. In addition, AirWatch also deploys iBooks purchased through the
Apple VPP. For more information on deploying iBooks with the Apple VPP, see the AirWatch iBooks Deployment
Guide.

License Codes or Redemption Codes


AirWatch has methods to let you centrally control the management and distribution of VPP applications. Use the order
based method which includes VPP redemption codes or use the licensed based method which includes VPP license
codes.
The orders based method that uses redemption codes does not support the revoking of the license of an iOS device.
Once the redemption code is redeemed, you cannot recycle it. If you use VPP applications, then you are familiar with
redemption codes and you can continue to use them to purchase applications for iOS 7+, if desired. With the release of
iOS 7+, Apple offers a new method for purchasing VPP applications.
The licensed based method that uses license codes does allow you to revoke a license and recycle it. This is new for iOS 7+
but you cannot use it for Apple operating systems older than iOS 7+.

Deploying VPP Applications Process


Perform a three-part process to deploy applications in bulk through the Apple VPP:
1. VPP Enrollment You must enroll in the program and verify with Apple that you are a valid organization. See
Enrolling in the Apple VPP for information.
2. Application Purchasing You then purchase applications in bulk through the VPP website. See Purchasing
Applications with VPP for information.
3. Application Deployment You then distribute the applications throughout your device fleet using redemptions
codes or licenses.

Deploying VPPApplications, Redemption Codes


AirWatch enhances management and distribution of applications purchased through the VPP to your iOSdevices. Use
the following instructions to set up the distribution process.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 19

Deploying Purchased Applications

Upload the Apple VPPRedemption Code Spreadsheet to AirWatch


The first step to manage and deploy VPP application orders through AirWatch is to upload the Apple VPP Redemption
Code Spreadsheet to the AirWatch Admin Console:
1. Navigate to Apps & Books Applications Orders.
2. Select Add and then select Purchased Public App or Purchased Custom App.
3. Click Choose File to upload the CSV or XLS file that you downloaded from the Apple Portal. This action creates the
application order.
4. Click Save to continue to the Product Selection Form.
5. Locate the appropriate product and click Select to finish uploading the spreadsheet. If the Apple VPP Redemption
Code Spreadsheet contains licenses for multiple applications, several products can be listed on this form. You can
select only one per order.

Assigning and Publishing Redemption Codes


After you upload the Apple VPP Redemption Code Spreadsheet you can allocate the redemption codes for individual
application purchases for your device fleet.
You must enable the AirWatch Admin Console to assign redemption codes to users and devices. Select the applicable
Organization Groups and Smart Groups to which to assign redemption codes.
1. Navigate to Apps & Books Applications Orders.
2. Locate the specific order to enable and allocate redemption codes.
3. Select Edit Assignment

from the Actions menu and then select the Assignment tab.

4. Enter the number of redemption codes that you want to place on hold in the Redemption Codes On Hold field. Use
this field to save the redemption codes for later use.
5. Select Add Assignment By to assign redemption codes to Organization Groups or Smart Groups:
l

Organization Group Allocate redemption codes to an Organization Group and either select All Users to include
all users in that Organization Group or select Selected Users to display a list of users in the Organization Group.
Use the Add and Remove buttons to choose the specific users to receive the application.
Smart Group - Allocate redemption codes to a Smart Group. You can create a new Smart Group, if necessary.
Note: You can apply redemption codes to Organization Groups and to Smart Groups simultaneously.
However, you can only specify the users for Organization Groups of the Customer type. You cannot specify
users for Smart Groups. However, you can edit the Smart Group so that it contains the necessary users.

Verify the information in the following columns for each Organization Group or Smart Group row:
o

Users View the number of users for the order.

Allocated Enter the number of licenses to allocate to the selected users. This entry should not exceed the

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 20

Deploying Purchased Applications

total number in the order.


o

Redeemed View the number of licenses that have already been redeemed, if any.

6. Select the Assignment Type in the Deployment section. Set it as Auto to push the purchased application to the end
user device automatically or select On-Demand to let the end user install the application on the device. Complete the
following options.
Note: When Assignment Type is Auto, only eligible iOS 5+ devices receive the application automatically.
l

Remove On Unenroll Wipes the application from the device when the device is unrolled from AirWatch Admin
Console.
Note: Removing an application when a device is unenrolled does not recover the redeemed license. When
installed, the application is associated to the user's App Store account.

Prevent Application Backup Prevents backup of application data when an end-user does either a local backup
with iTunes or backs up to iCloud.
Use VPN Configures a VPNat the application level.

7. Select Save when you finish allocating licenses.


8. Navigate to Apps & Books Applications List View Purchased.
9. Select Publish (

) from the actions menu for the purchased application.

Deploying VPPApplications, License Codes


Use the licensed based method to distribute your VPP applications to iOS 7+ devices. The license code model uses
authentication tokens (also called STokens) to retrieve your VPP applications and distribute them to iOS 7+ devices using
the AirWatch Admin Console.
Note: You cannot deploy license codes to iOS 6 and older.

Uploading Authentication Tokens


Upload the authentication token so that the AirWatch Admin Console can use it to access the Apple web services. Apple
uses web services to manage VPP license codes.
Note: Upload the token at the applicable Organization Group. This token automatically configures with an Inherit
setting. This setting configures the token to apply to all child levels below the configured Organization Group. Due to
the Inherit setting, the AirWatch Admin Console invites all enrolled iOS 7+ devices at this level and below to join the
Apple's License Program for VPP applications.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 21

Deploying Purchased Applications

You can apply an authentication token to only one Organization Group instance. You cannot apply the same
authentication token to another group.

1. Navigate to Groups & Settings All Settings Apps Catalog License Based VPP.
2. Enter a description for the token for your VPP license codes in the Description field.
3. Select Upload to navigate to the SToken on your network.
4. Enable Automatically Send Invite to send invitations to users immediately after you save the token.
You do not have to enable this immediately. You can leave it disabled and still upload your token and then return
when you are ready to send invitations by selecting the (Re)Invite Users option.
5. Save the token and confirm the addition of the token.
The AirWatch Admin Console sends an invitation to join Apple's License Program for VPP applications to all iOS 7+
devices enrolled at the configured Organization Group level and below.
6. Select ReInvite Users to resend invites to iOS 7+ users who did not accept the initial invitation.
7. Select Delete SToken to remove the token from the AirWatch Admin Console.

Syncing Licenses
Add new purchased applications for the VPP account and update licenses for applications already added to the AirWatch
Admin Console under the same VPP account. This procedure makes the VPPapplications available to your iOS 7+
devices. Previous functionality still remains on the Purchased page so you can still access VPPapplications bought using
the order based method from this page.
1. Navigate to Apps & Books Applications List View Purchased.
2. Select Sync Licenses. This adds VPP applications bought using license codes and those applications that were
originally bought using the redemption codes but were re-bought under the license based method.

Assigning and Publishing License Codes


Assign license codes using Smart Groups. You cannot assign license codes to Organization Groups.
1. Navigate to Apps & Books Applications List View Purchased.
2. Locate the specific order to enable and allocate license codes.
3. Select Edit Assignment

from the Actions menu and then choose the Assignment tab.

4. Enter the number of license codes that you want to place on hold. Use this field to save the license codes for later
use.
5. Select Add to assign license codes to Smart Groups. You can create a new Smart Group, if necessary.
l

Users View the number of users for the order.

Allocated Enter the number of licenses to allocate to the selected users.

Redeemed View the number of licenses that have already been redeemed, if any.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 22

Deploying Purchased Applications

6. Deployment Select the Assignment Type as Auto to push the purchased application to the end user device
automatically or select On-Demand to let the end user install the application on the device. Complete the following
options.
Note: When Assignment Type is Auto, only eligible iOS 5+ devices receive the application automatically.
l

Select the Remove On Unenroll check box to wipe the application from the device when the device is unrolled
from Admin Console.
Select Prevent Application Backup to prevent backup of application data when an end-user does either a local
backup with iTunes or backs up to iCloud.
Select Use VPN to allow deployment over virtual private networks.

7. Select Save when you finish allocating licenses.


8. Select Publish option from the Actions menu

Revoking License Codes


You can revoke license codes using two methods:
1. Unassign the application from the user or the device. If the assigned license is not used by any other device, the
AirWatch Admin Console revokes it so that it is available for reuse by other devices.
2. Revoke the license manually off the device. This method is available only for those licenses that are redeemed from
an external system and you want to use them within AirWatch.

Notifying End-Users
After you allocate VPP application licenses, you can notify end-users that the application is available to download. By
default, AirWatch is configured to send an email to end-users. However, you can create custom Purchased Application
Messages or enable SMS and push-based Purchased Application Messages.
1. Create a Message Template. For instructions on how to do this, see Creating Custom Notifications for Applications.
2. Navigate to Apps & Books Applications List View Purchased. Locate the specific application about which you
want to notify end-users.
3. Use the Actions menu

and select Notify Devices.

4. Select the Message Type, Email, SMS or Push.


5. Use your custom message template from the Message Template menu and then select Send. You can use the
Application Notification Template if you do not want to create a custom template.

Managing and Tracking VPP Application Orders


Once you allocate VPP Application Orders to the device fleet and notify end-users, the VPP Application Deployment is in
effect. During this period, you can use the Available Views pages in the AirWatch Admin Console to manage and monitor
Mobile Application Management (MAM) Guide | v.2014.01 | January 2014
Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 23

Deploying Purchased Applications

the status of their application deployment.


Navigate to Apps & Books Orders List View. From the List View page you can:
l

View the order status.

View the order redemption status.

Edit an assignment.

Delete an order

Navigate to Apps & Books Orders Products. From the Products view you can:
l

View the status of the installation.

Edit an assignment.

Publish an application.

Delete an application.

Navigate to Apps & Books Orders Redemption Codes. From the Redemption Codes view of the AirWatch Admin
Console you can access the following order based method information:
l

View the availability status of the code.

View each redemption code and the order number.

View the date the redemption code was redeemed.

View to whom the code is assigned.

Delete a redemption code.

Tracking VPP Applications


Once the VPP applications are deployed on to the devices, you can track its status using AirWatch Admin Console:
l

Identify and send a message to users who have installed or not yet installed the application from the AirWatch Hub.

Track individual codes from the Redemption Codes page.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 24

Deploying Internal Applications

Deploying Internal Applications


Internal applications are those applications developed by your organization that you may not necessarily want to be in a
public app store. Since internal applications are company-specific applications, you can obtain the application file from
your developers and upload it to the AirWatch Admin Console. Once the internal application is uploaded, you can
manage the application's settings and deployment over-the-air from the AirWatch Admin Console alongside publiclyavailable applications or applications purchased in bulk. Install, remove and update the application wirelessly and with
minimal end-user interaction. Additionally, take advantage of available AirWatch SDK and App Wrapping features to
maximize your internal application's potential.
Note: Depending on which platform you build your internal applications, consider going to that platform's site and
reviewing their best practices for developing and packaging applications.

Uploading Internal Applications


Use the AirWatch Admin Console as your central tool for deploying, managing and surveying internal applications
developed by and for your team.
1. Navigate to Apps & Books Applications List View Internal and then select Add Application.
2. Managed by information automatically populates. You can upload an Application File in the following formats;
l

.ipa for iOS

.apk for Android

.sis and .sisx for Symbian

.xap for WP8

.appx for Windows 8/RT

You can also provide an external application repository link hosting the application file. For iOS applications, you may
have to provide a Provisioning Profile, which can be obtained from your developers.
If you opt to use an external application repository link, then you can set the credentials used to authenticate with
the repository by navigating to Groups &Settings All Settings Apps Catalog External App Repository and
entering the credentials. Your AirWatch environment must be integrated with the Mobile Access Gateway (MAG).
Note: Files for Windows 8/RT must work for all three processors, ARM, x64 and x86.
3. Select Continue and configure options for the internal application.

Configuring Settings
From the Add or Edit Application page, configure assignment and deployment options for the internal application.
Most of the application information automatically populates for Apple iOS, Android, Windows Phone 8 and Windows
8/RT devices. Fill in the remaining fields in all the tabs.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 25

Deploying Internal Applications

Configuring Info
1. Enter version information to help organize versions so the mobile fleet uses the applicable one to perform tasks.
2. Enable if the application is a beta version using the Is Beta option.
3. Add comments to the Change Log field to keep notes on changes between versions.
4. Provide a Category type in the Categories field to help identify how the application can help users. For more
information see Categories.
5. Provide the Default Scheme (iOS only) to indicate the URL scheme for iOS applications.
Other iOS applications and web applications can integrate with this application using this scheme. The application
also uses this scheme to receive messaged from other applications and to initiate specific request. The AirWatch
Workspace uses this scheme to launch the application in the Workspace.

Configuring the Description


Enter descriptive information in this tab to use as an application record. Enter specifics about the application and the
developer who created it. You can use the Send Logs to Developer Email option so that developers can use the logs for
troubleshooting and forensics to improve their applications.
Enter cost information for the application to help report metrics concerning your internal application development
systems to the organization.

Uploading Images
Upload images of the application that end-users view in the App Catalog before installing the application to their device.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 26

Deploying Internal Applications

Configuring Terms of Use


To select Terms of Use you must first create them if you have not already. Find the Terms of Use configuration options in
Groups &Settings All Settings System Terms of Use. Select a Required Terms of Use for the application, if
desired.

Uploading Files
Automatically populates Application file/Provisioning profile information required for messaging functionality and
access control. You need to enable/disable other options accordingly. For example, if the application supports Apple
Push Notifications Services (APNs), you must upload either the Development or Production APNs Certificate.
A provisioning profile for iOS authorizes developers and devices to create and run applications built for iOS devices. For
an internal iOS application to work in AirWatch, every device that runs the application must also have the provisioning
profile installed on it. When using provisioning profiles, ensure you upload the profile that was generated for the
application you are uploading and that the profile is not expired.
Note: You can use the default developer certificate for Windows 8/RT applications or you can override this option and
upload a custom developer certificate.

Configuring Wrapping
Enable App Wrapping to associate extra security and management features to an existing application and then to redeploy it to an application store.
You must assign an App Wrapping profile in the App Wrapping Profile option to the application in order for your
application to use the extra features. For more information about the AirWatch App Wrapping feature, see the
AirWatchAppWrapping Guide.
Note: For iOS applications, you also need to upload a Provisioning Profile and a Code Signing Certificate. Get both of
these from Apple.

Configuring Assignment
1. Assign the application to a group of devices by selecting an existing Smart Group or by creating a new Smart Group.
Add multiple Smart Groups at a time to tailor the application's deployment.
2. Enable Restrict to Devices Supporting Silent Activity (Android only) to assign this application to those Android
devices that support the Android silent uninstallation feature. The end-user does not have to confirm an
uninstallation when you enable silent activity for a device. This feature makes it easier to uninstall many applications
simultaneously.
Only Android devices in the Smart Group that support silent uninstallation get this application.
3. Select View Device Assignment to see the list of devices available under assigned Smart Groups.

Configuring Deployment
Configure the deployment details of the application in terms of how the application is made available, during which times
and if the application will be removed if the device is unenrolled. If the application uses the AirWatch SDK then enable this

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 27

Deploying Internal Applications

option and provide the SDK Profile and Application Profile. You can also create exceptions based on User Groups and
Device Ownership types.
1. Select Push Mode to determine if the application is installed automatically (auto) or manually (on demand) by the
user when needed.
l

Automatically deploying an application immediately prompts users to install the application on their devices.
Auto is the best choice for applications critical to your organization and its mobile users.
Manually deploying an application allows access and downloads this application, if selected, from an enterprise
application catalog. On Demand is the best choice for applications that are not critical to the organization.
Allowing users to download these applications when they want helps conserve bandwidth and limits
unnecessary traffic.

2. Enter a date and time for the Effective Date option to configure when the App Catalog makes this application
accessible.
3. Enter a date and time in the Expiration Date option to configure when the App Catalog removes the availability of
this application.
4. Set if the application was created using the AirWatch SDK and needs a profile to integrate with AirWatch.
Select the shared or custom SDK profile from the SDK Profile drop-down menu.
Select the certificate profile from the Application Profile drop-down menu so that the application and AirWatch
communicate securely.
5. Enable Remove On Unenroll (iOS only) to determine whether the application gets removed when a device is
unenrolled.
6. Enable Prevent Application Backup (iOS only) to disallow backing up the application to iCloud. This option stops
end-users from saving different versions of a public application in the iCloud. It helps to keep your organization's
collection of public iOS applications clean and properly versioned.
7. Enable Use VPN (iOS 7+ only) to configure a VPNat the application level. This configures end-users to access the
application using a VPN, which helps ensure application access and use is trusted and secure.
8. Enable Send Application Configuration(iOS 7+ only) to send application configurations to iOS devices. This feature
allows you to automatically configure managed applications. Users do not have to manually configure these specified
values in the application.
Enter the configuration values as unique keys into the appropriate fields. Supported entries for key/value pairs are
String, Number, Boolean and Date. You can also use Lookup Values when entering the application configurations.
Note: If you make any changes to application configurations, you must re-publish the application to apply the
changes.
9. Click Add Exceptions to quickly deploy public applications to those unusual use cases that can develop within an
organization.
l

Add Criteria for ownership and user groups to which to apply the specific exceptions.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 28

Deploying Internal Applications

Enable an Override Value to create specific exceptions to the options located under the Deployment view.
Override Value options vary depending on the platform.

Configuring Reputation (Android only)


Enable Run Reputation Analysis to send the application to the AirWatch App Reputation Cloud Service. The Reputation
Analysis Engine scans applications for security risks and identifies them in scan results. View results on this tab, the
Reputation tab.
Use the Notify Developer option to send a message to developers to notify them of potential risks with their
applications. Send the message using email notifications and the applicable template. The system attaches the detailed
Reputation Analysis report to the email.

Using the Application Workflow


Application workflow simplifies the internal application deployment process for organizations developing their own
applications. It allows organizations to delegate key steps in the process to administrators who are responsible for
individual stages. Some of the key benefits of this feature include:
l

Clear separation of responsibility.

Automated notifications for completed steps.

Implementing Application Workflow


To bring the application workflow into effect, four different administrator user accounts have to be created. Each of the
created user accounts must have different administrator workflow permissions assigned under a specific Organization
Group.

Roles involved in Application Lifecycle Workflow


There are four major administrator roles participating in the application lifecycle at various stages. The responsibilities of
each of the roles are listed below.
Admin Role

Description of Responsibility

Developer

Is responsible for developing internal applications and revising them based on the analysis of
performance and feedback provided by reviewer, publisher or sponsor. Once the application is ready
to go out to end-users, an administrator uploads the application to the AirWatch Admin Console.

Reviewer

Is responsible for reviewing a new application created by developer, and assigning it an appropriate
description, screen shots, and Terms of Use. Reviewer also looks at the change log provided by the
developer for the application to determine if the application is eligible for promoting to assignment or
needs rework. From the Edit Application area of the Application page, the Reviewer can review the
application's description and change log, reject the application back to the developer and submit the
application for assignment. Submitting the application pushes the status to To Be Assigned status.

Assigner

Is responsible for assigning the application to Smart Groups and promoting it to a full rollout based on
whether the application meets the required criteria. The assigner makes recommendations to the
publisher accordingly. From the Edit Application area of the Application page, the Assigner can
review application settings and descriptions, configure Smart Group and device assignment settings

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 29

Deploying Internal Applications

Admin Role

Description of Responsibility

and submit the application for publishing. Submitting the application pushes the status to Ready for
Publishing status.
Publisher

Is responsible for reviewing the assignment criteria for application configured by the assigner and
determines whether the right set of devices is receiving the application. The publisher can also
republish the application to devices that were assigned but have not installed the application. From
the Publish area of the Application page, the Publisher can review application settings and
descriptions, review or alter assignment configuration and publish the application to all assigned
users.

Enabling Application Workflow


Use the following steps to configure an application workflow in the AirWatch Admin Console:
1. Navigate to Groups & Settings All Settings Apps Catalog Application Workflow.

2. Select the Enable Work Flow for Applications check box.


Note the separate sections for each of the workflow actions to:

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 30

Deploying Internal Applications

Add Application

Review Application

Assign Application

Publish Application

3. Select the Role to define the admin role to perform the workflow action.
4. Select a message template to notify users within the role when an application becomes available for performing the
workflow action.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 31

Managing Applications

Managing Applications
From the Applications List View page, you can view all the applications that you manage in the AirWatch Admin Console
and push applications to devices over-the-air. This page provides you with a detailed list of all the internal, public, and
purchased applications for the specified Organization Groups or Child Organization Groups.

Sorting and Viewing Application Information


There are three separate pages for managing your public, internal and purchased applications. Navigating to Apps
&Books Applications List View displays the three tabs, which you can select to view a list of those types of
applications. You can use a number of filters to sort and view information for your public, internal and purchased
applications. Once you have found an application you would like to manage, you can perform actions using the actions
menu.

Sorting and Viewing Public and Internal Applications


The following columns/filters are available to sort public and internal applications:
l

Platform Filter based on platform type.

Status Filter based on whether an application is active or inactive.

Reputation Analysis Filter based on the status of a reputation analysis scan.

Categories Filter based on the application categories you have created.

Sorting and Viewing Purchased Applications


The following columns/filters are available to sort purchased applications:
l

Platform Filter based on platform type.

Status Filter based on whether an application is active or inactive.

App Type Filter based on whether a purchased app is a public or custom B2Bapp.

Using the Application Actions Menu


Each application is listed in a row, and each row has an actions menu on the right side that you can use to perform
various actions. These can differ based on whether you are viewing public, internal, or purchased apps.
Manage Devices (Jump to) Offers options for installing, removing, or notifying users about a public or internal
application.
Manage Feedback (Jump to) Displays, requests and clears application feedback from iOS devices for public and
internal applications
Deactivate Removes a public or internal application and all versions of it from all managed devices.
User Ratings (Jump to) Shows the application rating and feedback.
View Events Shows device and console events for applications and allows you to export these events as a .csv

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 32

Managing Applications

file.
Delete (Jump to) Removes the application from devices and from the AirWatch Admin Console.
View Provides detailed information about a public or internal application.
Edit Assignment (Jump to)Edits settings of an application to exclude or include specific devices via Smart
Groups. For purchased applications, this action's icon is
which lets you allocate available redemption codes.
See Assigning and Publishing Redemption Codes for more information.
Add Version (Jump to) Updates your internal application with a new version.
Retire Removes an internal application from all managed devices. If an older version of the application exists in
the AirWatch solution, then this older version is pushed to devices.
View Analytics Exports the analytics for internal applications that use the AirWatch Software Developers Kit
(SDK).
View Logs (Jump to) Downloads or deletes log files for an internal SDK application.
View Other Versions Shows previous versions of an internal application that were added to the AirWatch Admin
Console.
Run Reputation Analysis (Jump to) Requests the AirWatch App Reputation cloud service to run a Reputation
Analysis scan on an application.
Notify Devices Sends a notification to devices with information about a purchased application. For more
information, see Creating Custom Notifications for Applications.

Managing Devices
Use the Manage Devices option to control devices assigned to public and internal applications, either assigned
individually or as members of a Smart Group. From this screen, you can install, remove and notify end-users about
applications.
1. Navigate to Apps &Books Applications List View and select either the Public or Internal tab. Select the Manage
Devices icon ( )from the actions menu for the application row you want to manage devices for.
Alternatively, you can select one of the links (represented as #/#/#) for the row in the Not Installed / Installed /
Assigned column (

).

The Manage Devices page displays. From here, you can perform three actions:
Install Installs the application to devices.
Remove Removes the application from devices.
Notify Notifies devices about the application. Settings include email, SMS, push and message template options for
sending messages to devices.
2. Perform these actions using one of these two methods:
l

Select the check boxes for the devices you want to manage and then select either Install On Selected, Remove
From Selected or Notify Selected.
Note: If the list is long and continues to another page, ensure to perform the action for the current page.
Settings are not saved when you move to another page.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 33

Managing Applications

Select Install On Listed , Remove From Listed or Notify Listed to perform the action for every device listed. You
can filter the list of devices using the Status drop-down menu. Enabled check boxes have no affect with this
method.

Managing Feedback for iOS 7+


Use the Manage Feedback option from the Actions menu to request, clear and view feedback for public or internal iOS
applications. Feedback for iOS 7+ applications is stored on the device. The AirWatch Admin Console retrieves the
feedback from the device and displays and stores it in the AirWatch Admin Console. This action offers a central location
for you to view and manage the feedback.
In order to use Manage Feedback for iOS 7+ devices, the AirWatch Admin Console requires two criteria:
1. You must assign at least one iOS 7+ device to the application.
2. An iOS 7+ device must transmit to the AirWatch Admin Console that it contains feedback and data.
When these two criteria are met, you can see and use the Manage Feedback option in the AirWatch Admin Console.
From the Manage Feedback page, use the check boxes to select devices and apply the following functions:
l

Request Feedback Initiates a command to the device to retrieve the feedback from its location in the application on
the device.
Clear Feedback Initiates a command to clear data in the directory where the feedback is stored in the application
on the device.
View Feedback Displays the View Feedback page. Use the View Feedback page to download and delete feedback.
Download the file as a .zip file. Deleting the feedback from this page, deletes it from the AirWatch Admin Console.

Managing Ratings
AirWatch lets you view feedback in the form of user ratings and comments for individual applications from users on the
internal, public and purchased applications published to their devices. This also allows you to make future decisions
related to the specific application. For example, redeploying the application with better capabilities, rolling out the
application to more users, or scrapping specific features because the users did not find any value in them.
Viewing User Ratings and Comments
1. Navigate to Apps & Books Applications List View Public, Internal or Purchased.
2. To access the rating comments, select User Ratings from the Actions menu. The number of ratings (star icons)
indicates the average/effective rating. The User Rating indicates the number of users who provided the ratings for
the application and is used to calculate the effective rating.
l

Average Rating The average of the total number of user ratings.

User Group Filters the comments based on a specific User Group.

Individual Entries Entries include the individual rating, any comments, when the rating was created and the
user who created the entry.
Note: You can edit Ratings for Public applications. To edit, select Edit from the Action menu on the Public
application page and enter the number of stars (none through five) in the Rating field.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 34

Managing Applications

Deleting User Comments


On the User Ratings page, select a rating entry, then select Delete Rating. Once deleted from the AirWatch Admin
Console, the change gets reflected in the App Catalog.

Managing Deletions
Deleting applications can take two steps depending on if the application is assigned to devices and the type of application
it is.
Deleting Public and Internal Applications
1. Select the application you want to delete.
2. Click the Delete option from the Actions Menu to uninstall the application from devices to which you assigned it. The
application is still part of your application repository in the AirWatch Admin Console.
Note: If the application is not assigned to devices, then clicking the Delete option one time removes the
application from the AirWatch Admin Console. You do not have to use Delete twice.
3. Select the application and click the Delete option from the Actions Menus again. This action completely removes the
application from AirWatch Admin Console.
Deleting Purchased Applications
1. Select the application you want to delete.
2. Click the Delete option from the Actions Menu. This action removes the purchased application off of devices to which
it has been assigned and it removes it from the AirWatch Admin Console.
Note: Unlike Public and Internal applications, clicking Delete once removes the application from devices and the
AirWatch Admin Console.
Deleting, Deactivating and Retiring
The options to deactivate, delete and retire might seem similar but they have different capabilities that help you to
manage your applications in certain situations.
Deactivate Deactivating an application removes the application and all versions of the application from devices it is
assigned to but it does not delete it from your application repository in the AirWatch Admin Console.
l

When to use Your organization does not want end-users accessing an application during a certain time but
otherwise, the application is useful. You can deactivate the application and all versions during the specific time and
easily reactivate it when appropriate.

Delete Deleting an application erases the application from devices and from the AirWatch Admin Console.
l

When to use Your organization no longer wants an application in its repository and it does not want end-users
accessing it for work purposes. Delete the application from devices and from the AirWatch Admin Console.

Retire Retiring an application removes the application from the devices it is assigned to; however, if there is an earlier
version of the application, then that earlier version is pushed to devices.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 35

Managing Applications

When to use A new version of an application has several bugs and is causing end-users productivity. The previous
version worked fine for your organization. You can retire the current version of the application and the AirWatch
Admin Console pushes the previous version to devices.

Managing Application Versions


Update the application version of your internal applications to incorporate new features and fix bugs. Use the AirWatch
Admin Console to:
l

Deploy multiple versions of the same application.

Assign different versions to different device groups.

Push beta versions for testing purposes.

Allow devices to roll back to a previous version.

Ensure employees are compliant with the latest version.

You can leverage the application management tools in AirWatch to manage different versions of the same Internal
application. This feature is especially useful for application testing as you may wish to upload a beta version of an
application update to deploy to specific users for testing purposes while still deploying the current version of the
application to all other users. Once the testing is complete, you can replace the existing version of all devices with the
newest version of the application.
To add a version of an internal application:
1. Select Add Version for the application from Actions menu.
2. Upload the updated application file.
3. Retire the older version if you want to at this time using the Actions menu.
Note: If you do not want to immediately retire the previous version of the application you have the option to do
so at a later time.
4. Review version information and specify application settings, if they differ.
5. Click Save to save the application.

Managing SDK Application Logs


Use the View Logs feature to quickly access available log files pertaining to your internal SDK applications. Log types
include all logs, crash logs and application logs. From this feature, you can download logs or delete them.
l

Download/ Delete Selected Downloads or deletes the logs selected using individual check boxes or the main check
box .
Note: If the list is long and continues to another page, perform the action for the current page. Settings are not
saved when you move to another page.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 36

Managing Applications

Download/ Delete Listed Downloads or deletes the logs in the list. You can filter the list using the Log Type and
Level drop-down menus. Enabled check boxes have no affect on this function.

Managing Risk with Reputation Analysis


Use the Run Reputation Analysis option to request the AirWatch App Reputation cloud service to run a Reputation
Analysis scan. It scans applications on Android devices to identify security risks. You can scan one application or multiple
applications using this feature. This feature is useful for scanning those applications already deployed before the App
Scanning feature was implemented in the AirWatch solution.
See Configuring AirWatch Application Reputation for more information about this feature.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 37

Enforcing Application Security and Compliance

Enforcing Application Security and Compliance


Using the AirWatch Admin Console you can ensure users have access to the appropriate applications based on their
organizational roles. For example, you can restrict access to a specific set of applications by creating a blacklist, or you
can designate a whitelist of approved applications that will serve as the only applications users can access. You can also
create compliance policies that will detect when users install forbidden applications and perform escalating actions the
longer they remain out of compliance. To begin, you will first group your applications into Application Groups, which will
give you the ability to manage the various applications in your enterprise App Catalog.

Creating Application Groups


The AirWatch Admin Console provides the ability to group applications into blacklisted, whitelisted, and required
applications. These groups are called Application Groups and each application group is tied to an Organization Group.
Use Application Groups to give access to desired users and to restrict access to unnecessary users.
Examples of Application Groups include the following suggestions:
l

Blacklisted applications such as common games and other bandwidth intensive applications.

Whitelisted applications such as the AirWatch Agent and Enterprise applications.

Required applications such as the AirWatch Agent, Secure Browser and Secure Content Locker.

Configuring an Application Group


1. Navigate to Apps & Books Applications Settings App Groups.
2. Select Add Group.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 38

Enforcing Application Security and Compliance

List tab:
o

Select Type as Whitelist, Blacklist, Required or MDM Application. On selecting the Type, the Name field gets
automatically populated.
Note: Select MDM Application for custom MDM applications.

Select Platform as either Apple or Android.

Enter the Application Name and the Application ID. The Application ID automatically completes when you use
the search function to search for the app from an app store.

Select Add Application to add multiple applications and then click Next to navigate to the Assignment tab.

Assignment tab:
o

Enter a Description for the Application Group.

Define the Device Ownership as Corporate-Dedicated, Corporate-Shared, Employee Owned or Undefined.

Assign the device Model and the Operating System.

Select the Organization Group and User Group for the Application Group to be assigned to and then click Finish
to complete the process.

Adding Custom MDM Applications to Application Groups


You can add custom MDM applications that track device location, device information and jailbreak status. Apply these
custom MDM applications to desired Application Groups for information gathering, troubleshooting and asset tracking.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 39

Enforcing Application Security and Compliance

Note: AirWatch does not remove custom MDM applications when the Compliance Engine detects a non-compliance
status on the device.
To enable this feature, perform the following steps at the applicable Organization Group:
1. Navigate to Groups & Settings All Settings Devices & Users General Enrollment.
2. Select Customization.
3. Enable Use Custom MDM Applications.

Building an Application Compliance Policy


Once the Application Groups are defined and are in place, you can use these groups to initiate protective actions
through the AirWatch Compliance Engine.
For example, if you detect a user with game-type application, which is one of the blacklisted application in a Blacklisted
Application Group list, the Compliance Engine can be used to:
l

Send a push notification to the user prompting them to remove the application.

Remove certain features such as Wi-Fi, VPN or Email profiles from a device.

Remove specific managed applications and profiles.

Send a final email notification to the user copying IT Security and HR.

Follow the steps below to build an application compliance policy to perform an action on the device:
1. Navigate to Devices Compliance Policies List View. Select Add.

2. Select Application List on the Rules tab. For the Contains drop-down, select whether this rule will be for detecting a
whitelisted or blacklisted application, or the absence of a required application or app version. Define the other
conditions to complete the rule:
l

Actions Set escalating actions to perform if a user is not in compliance with an application-based rule. For
example, you could send a message to users with blacklisted applications informing them to uninstall the
application or else risk losing access to corporate applications.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 40

Enforcing Application Security and Compliance

Assignment Set the assignment criteria for this rule. For example, you can specify particular platforms and
models, or you can apply the rule to certain Organization Groups.
Summary Name the rule and give it a brief description.

3. Select Finish and Activate to enforce the newly created rule.


More information about compliance policies can be found in the Mobile Device Management Guide.

Enforcing Application Control for Android Devices


To allow or prevent installation of applications on Android devices, you can enable Application Control to whitelist and
blacklist specific applications. While the Compliance Engine sends alerts and takes administrative actions when a user
installs or uninstalls certain applications, Application Control prevents users from even attempting to make those
changes. For example, prevent a certain game application from ever installing on a device, or force the AirWatch Agent to
remain on a device.
Note:Application Control is available only for Samsung SAFE and select LGvendor specific devices.
To establish Application Control:
1. Navigate to Device Profiles List View Add Android Device.
2. Configure the Application Control payload by enabling or disabling the required control to perform on the devices.

Enabling Restricted Mode for Public iOS Applications


You can also restrict end-user from installing public applications from iTunes by enabling Restricted Mode for iOS
devices.Once a device is enrolled into AirWatch, Restricted Mode end-users are able to manage public applications

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 41

Enforcing Application Security and Compliance

deployed down to them, but are unable to download any other applications from iTunes. For example, end-users are
able to install and uninstall business-related applications made available in the App Catalog, but won't be able to install
games, social media applications or previous versions of applications from the AppStore.
To enable Restricted Mode for iOS Applications:
1. Navigate to Groups & Settings All Settings Apps Catalog App Restrictions.
2. Enable Restricted Mode for Public iOS Applications.
Note: This option restricts the device by allowing you to install only the assigned applications from the iTunes App
Store. Enabling the above setting automatically sends a restricted profile to the iOS devices. The presence of this
restricted profile does not require configuring any additional restriction profiles to block the App Store.

Using Tracking Application


Tracking applications helps you to monitor all applications for compliance, installation status and ratings. There are many
ways to track the applications on devices using AirWatch Admin Console:
l

The AirWatch Hub Use the Compliance and Apps sections for tracking. The Hub is found at the top of the Main
Menu.
o

Compliance section The Compliance section provides a condensed summary on devices with blacklisted apps
and devices without required apps.

Apps section The Apps section provides a condensed summary of devices without the latest application
version. It also provides a list of most generally installed applications. In addition, the App view also provides
information on compliant applications, top installed/least installed, top rated/bottom rated and their
installation percentage, health (the most crashed and those with the most errors), and size.

Devices Details View Shows the list of installed applications along with the status, name, type, version, identifier
and size. To find the Devices Details View, select Devices from the Main Menu, choose the List View, click on the
device for which you want the details and finally select the Apps tab for that device.
Reports And Analytics The All Reports tab provides you with actionable, result-driven statistics.The Application
Compliance report provides a way for tracking the devices that do not have the latest version of applications. To find
Reports and Analytics, navigate to Hub Reports And Analytics Reports List View All Reports.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 42

Deploying an Enterprise Application Catalog

Deploying an Enterprise Application Catalog


After you configure your public applications, internal applications and purchased applications in the AirWatch Admin
Console, you can deploy an Enterprise App Catalog to your end-users, which will let them access those applications.
While the AirWatch Admin Console allows you to manage applications over-the-air in a centralized location, the
AppCatalog serves as a one-stop shop for your end-users to access applications based on the settings you established in
the AirWatch Admin Console.
The AirWatch App Catalog is where users can do the following tasks:
l

View and install recommended public, internal, purchased or web applications.

Browse and filter applications by type and category.

Receive notifications on application updates for both managed and unmanaged applications.

Install application updates for managed applications.

Add ratings and comments for public, internal or purchased applications.

View overall rating for the applications based on ratings provided by other users and view specific comments
provided by other users.
View application status whether an application is Not Installed, Installed, Needs Update or is Blocked.

Deploying the Enterprise App Catalog


The first step to deploying applications through AirWatch is publishing the Enterprise App Catalog. You can do this in one
of two ways. You can automatically push the App Catalog to devices upon enrollment, or you can create and deploy a
device profile with a web clip or bookmark payload. The advantages of pushing the App Catalog automatically are ease of
set up and maintenance. Advantages for manually pushing a device profile are control over updating and having different
app catalogs for different platforms. However, you must maintain these different device profiles and you have to
remember to republish or push the profile when you have updates.

Automatically Push the App Catalog


1. Set the active Organization Group to receive the App Catalog, navigate to Groups & Settings All Settings Apps
Catalog General.
2. Configure the following settings on the General tab:
l

Require Encrypted Uid Requires the encryption of communications with the App Catalog through the URL
when using a devices profile to configure and push your App Catalog. If devices do not use an encrypted URL link
to access your App Catalog when this is enabled, then devices cannot access your App Catalog.
Note: This option only affects App Catalogs that you push using a separate devices profile. If you are pushing
your App Catalog automatically using the Publish App Catalog option on the Publishing tab, then the App
Catalog UID is always encrypted and you do not need to set this option.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 43

Deploying an Enterprise Application Catalog

Require Authentication for App Catalog Requires users to log in with their username and password before
they can access the App Catalog.

Keep User Signed In Keeps users signed in and does not require them to log in each time.

Reauthenticate After (Days) Requires users to authenticate (log in) after a set number of days.

Default Tab Sets the default tab that displays when the App Catalog launches.

3. Configure the following settings on the Publishing tab:


l

Publish App Catalog Publishes the App Catalog for iOS, Android and Windows 8/RT devices in the currently
selected Organization Group.
Note: This option automatically pushes the App Catalog to devices upon enrollment.

App Catalog Title Enter a name for your App Catalog.


Platform Select the supported platforms for your App Catalog. Supported platforms include Android, Apple
iOS and Windows 8/RT.
Icon Upload an icon for your App Catalog.
Full Screen (iOS only) Enable always having the App Catalog web clip open in full screen mode. Use this setting
for iOS systems that, by default, do not open web clips in full screen mode.

Manually Push the App Catalog with a Device Profile


You can deploy the App Catalog using this method for iOS, Android and Windows 8/RT devices.
1. Navigate to Devices Profiles List View and select Add. Select either Android or iOSas the platform.
2. Enter General information as necessary.
3. Select the Web Clips (iOS and Windows 8/RT)or Bookmarks (Android)payload.
4. Enter one of the following App Catalog URLs:
Unencrypted https://<Environment>/Catalog/AppCatalog?uid={DeviceUid}
Encrypted https://<Environment>/Catalog/AppCatalog?uid={SecureDeviceUdid}

Adding Featured Applications


Once you've uploaded and configured all of your applications for the App Catalog, you often need a way to set a few
select applications apart from all other applications. Use AirWatch's Featured Applications option to highlight specific
applications within the App Catalog for your end-users.
The App Catalog hosts Featured Applications on their own page and also lists them in the main list of applications. You
can add internal or public applications as Featured Applications.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 44

Deploying an Enterprise Application Catalog

1. Navigate to Apps & Books Applications Settings Featured Apps.


2. Select Add Application depending on platform type, either Apple or Android. Choose whether the application is an
Internal or Public application and select the application from the list of applications in the AirWatch Admin Console.
3. Select Add Category depending on platform type, either Apple or Android. Choose the types of categories to make
available in the App Catalog on a device.
4. Optionally, set an application type to highlight the most popular applications in the Most Downloaded Applications
section.

Enabling the App Catalog without MDM


AirWatch provides a solution for deploying the App Catalog without requiring users to enroll in full MDM using the
AirWatch Agent. This prevents users from enrolling into MDM, but they can still have access to applications assigned to
an App-Catalog-Only-Organization-Group through the App Catalog.
1. Create an Organization Group (OG) for devices that will be receiving only the App Catalog (for example,
AppCatalogOnly). The parent of this OG must be a Global or Customer OG type.
2. Navigate to Groups & Settings All Settings Apps Catalog App Catalog without MDM.
3. Enable the App Catalog without MDM to prevent users that enroll into the selected App Catalog Only Organization
Group from enrolling into MDM. Users that this setting should apply to should be created in this Organization Group
or in a parent above it.
4. Enable the Allow New User Registration check box to allow new users to register for access to the App Catalog.
5. Select the Enable Email Domain Validation option to use specified email domains to validate users when they
register for access to the App Catalog without MDM. You set specific email domains when configuring enrollment
settings in Groups & Settings All Settings Devices & Users General Enrollment Authentication Add
Email Domain.
6. Enter a title for the App Catalog Web Clip or Bookmark.
7. Upload an image for the App Catalog.
8. Select Save.
End-users can now proceed with enrollment and select or enter the Group IDof the AppCatalog Only OG you set up.
After completing enrollment, the App Catalog profile prompts for install. When finished, it displays on the launch screen.
Unmanaged devices enrolled using this method still create a device record in the AirWatch Admin Console for audit
purposes. The status of these devices will be App Catalog Only. You will not be able to track the download status of
applications on this device, but you can see a list of all assigned applications. If a user removes the unmanaged profile,
the applications will remain and the Web Clip/Bookmark will be removed.
Note: In order for public and internal applications created using the AirWatch SDK to communicate and work with the
AirWatch solution in a deployment that uses the App Catalog without MDM, the device user must activate the
application within the App Catalog.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 45

Deploying an Enterprise Application Catalog

To activate the public or internal application, access the SDK-created application in the App Catalog. Before the
application opens, it prompts you to activate it. By clicking the activation button, the application opens on the device
and begins communication with AirWatch.

Using the App Catalog


Once deployed, the AirWatch App Catalog is accessible through the AirWatch Agent on a device. Additionally available for
iOS devices, you can make the AppCatalog accessible as a web clip directly from the device home screen.

Default and Other Tabs


The App Catalog opens to the page you configured as the Default Tab. Choose the default tab that best meets the needs
of end-users.
l

Featured Displays applications and categories you set as featured. This tab, with the help of your application
categories, gives special applications up front real estate and helps draw your mobile fleet's attention to these
applications.
Public Displays the public applications available for download to the device. Users can also update their public
applications from this tab. Prices display on this tab for those public applications that are not free.
Purchased Displays the purchased applications your organization buys through the Apple VPP. Users can
download these applications and they can also update their existing versions. If you do not use the Apple VPP, then
this tab does not display.
Web Displays those applications you pushed to devices using a device profile, either a Bookmark (Android) payload
or a Web Clip (iOS) payload.
o

Bookmarks Enable the Show in App Catalog / Workspace check box in an Android Bookmarks device profile.

Web Clips Enable the Show in App Catalog / Workspace check box in an iOS Web Clips device profile.

Internal Displays internal applications your organization created for use. Applications you created using the
AirWatch SDK or that you have wrapped with the AirWatch App Wrapping feature can display on this tab.

Application Detail Tabs


When a user opens an application in the App Catalog, they can view descriptive and ratings information.
l

Description Displays a brief explanation concerning the application and can link the user to more information
about the application. It displays new versioning details, contains screenshots and can lists prices, if applicable. All
this information you can configure in the AirWatch Admin Console when you upload and push applications.
Ratings Displays reviews for the application from other users and lets users write and add their own views about
the application. You can manage ratings in the AirWatch Admin Console for all three types of applications, public,
purchased and internal.

Available Actions
Use the action icons in the App Catalog to view the following information:

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 46

Deploying an Enterprise Application Catalog

Takes you to the homepage to view the default tab and other available application tabs.
Displays the blacklisted applications detected on the device.
Displays available updates for installed applications.
Displays featured and available categories and lets you filter applications to display applications in a specific
category.
Other actions you can perform from the App Catalog include installing and uninstalling applications from devices using
the applicable buttons. You can also search for applications in the App Catalog using the Search field.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 47

Advanced Application Management

Advanced Application Management


Overview
Advanced application management includes the AirWatch Software Development Kit (SDK) and the App Wrapping
feature. The SDK allows developers to create their own applications while adding AirWatch features into the code. App
Wrapping does not require coding in order to add AirWatch functionality, rather you wrap your application within an
AirWatch skin so that you can leverage the features without having to change or add code. Both features let you add
custom control to your applications while maintaining compatibility with the AirWatch solution. You also have the option
of adding the SDK features to other AirWatch applications using the configurations in the Settings and Policies section.

Using the SDK and App Wrapping


The AirWatch SDK and the App Wrapping feature have the following uses and controls:
SDK
l

Use to dramatically enhance applications:

App Wrapping
l

No development or code change required.

Use to secure applications:

User Authentication

Compromised Status

User authentication

Certificates

Compromised status

Geofencing

App Restrictions

Branding

Analytics

Logging

Reporting

Custom Settings

Ideal for organizations requiring immediate


security for fully developed applications.

Flexibility to use SDKdifferently per application.


Ideal for large corporations or businesses with a mobile
applications team.
Requires development and code change.

For more information on these advanced security and configuration features, see:
l

AirWatch SDKGuides

AirWatch Application Wrapping Guide

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 48

Advanced Application Management

Configuring Settings and Policies


Settings and Policies control how users access and interact with AirWatch applications and how these applications
behave and look on devices. Settings in the first two sections apply to all AirWatch applications and App Wrapped
corporate applications so that you only need to configure options once.
This section also includes the ability to customize behaviors for SDK and App Wrapped applications. You can also edit
older SDK and App Wrapping profiles from these sections.
The Single Sign On (SSO) feature includes options to use one identity to access all AirWatch applications like the AirWatch
Browser, all SDK applications and App Wrapped applications.
Note: You must have the AirWatch Workspace application installed in your mobile deployment for SSO configurations
to work.

Shared or Custom SDK Profile Configurations


You can apply AirWatch SDK functionality not only to your custom iOS and Android applications but also to other
AirWatch applications. You can choose to apply SDK profile settings and policies at an Organization Group (OG) level so
they are shared across applications located in the OG. You can also customize SDK profiles for SDK, App Wrapped, and
other AirWatch Applications. Options are mirrored in each area to offer the choice and flexibility to apply settings to
service your mobile environment.
Shared SDK Profile Configurations
The first two sections of the Groups & Settings All Settings Apps Settings and Policies page, Security Policies and
Settings, are options that you can share with all the AirWatch applications in that OG (like the AirWatch Browser and the
AirWatch Secure Content Locker), SDK applications and App Wrapped applications. Shared options offer ease of use and
a single point of configuration.
The shared default policy is titled iOS Default Settings @ [Organization Group] or Android Default Settings @
[Organization Group] in the AirWatch Admin Console. However, you can still use and apply your legacy policies to
configurations. You do not have to use the shared configurations.
View the Appendix for information on which shared SDK profiles apply to specific AirWatch applications.
Custom SDK Profiles
The last section, Profiles, includes settings that you can apply to SDK applications, App Wrapped applications and other
AirWatch applications. You would also use the Profiles section to edit SDK and App Wrapping profiles created before the
AirWatch v6.5 release. Profiles offer granular control for specific applications and the ability to override shared
configurations. However, they also require separate input and maintenance.
Applying the SDK Profile
You must apply the applicable shared profile or custom profile to the application.
l

Shared SDK Profile


o

For Android applications, select the Android Default Settings @ [Organization Group].

For iOS applications, select the iOS Default Settings @ [Organization Group].

Custom SDK Profile For Android and iOS applications, select the applicable legacy or custom profile.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 49

Advanced Application Management

Configuring Security Policies


Configure Security Policies to set options for accessing and using AirWatch applications.
1. Navigate to Groups & Settings All Settings Apps Settings and Policies Security Policies.
2. Select Passcode Mode and set the passcode as Numeric, Alphanumeric or Disabled.
Passcode Mode sets a passcode requirement for AirWatch or wrapped applications that have the shared SDK profile
applied to them. Enter these passcode options:
a. Passcode Timeout Sets the allowable time the passcode accesses applications before it ceases access due to
inactivity. If SSO is enabled and the passcode times out, the SSO identity logs out of all AirWatch and configured
corporate applications and resources.
b. Allow Simple Value Sets the passcode to allow simple strings.
c. Minimum Passcode Length Sets the minimum number of characters for the passcode.
d. Minimum Number Complex Characters (Alphanumeric) Sets the minimum number of complex characters for
the passcode.
e. Maximum Passcode Age (days) Sets the time frame for using the passcode.
f. Passcode History Sets the number of passcodes the AirWatch Admin Console stores so that users cannot reuse passcodes for a specified time frame.
g. Maximum Number Of Failed Attempts Sets the maximum times a user can login with the passcode before
having an action taken in response to the failed attempts.
3. Enable Single Sign On (SSO) to apply a single identity, encrypted on the device, to access all AirWatch applications.
SSO does not leverage the Passcode Mode settings, but rather incorporates a personalized PINthat each user
creates and uses to access all AirWatch Workspace applications and AirWatch applications that have the shared SDK
profile applied to them.
Note: You must have the AirWatch Workspace application installed in your mobile deployment for SSO
configurations to work.

Note: For information about Single Sign On for iOS 7 using Kerberos authentication, refer to the AirWatch iOS
Platform Guide.
4. Enable Integrated Authentication to allow access to corporate resources, such as content repositories, through the
AirWatch Workspace using corporate credentials. These credentials are not the same as the AirWatch SSO
credentials.
Enter systems in the Allowed Sites field if you want to restrict AirWatch Workspace access to a specific set of sites.
This feature ensures that AirWatch does not expose credentials to non-trusted resources.
Note: Integrated Authentication works only in the AirWatch Browser at this time.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 50

Advanced Application Management

5. Select Offline Access to allow access using the SSO identity to applications when the device is offline. Choose an
acceptable timeframe for offline access before the device re-authenticates to the network and applications. Devices
should return online periodically so the system can check device compliance and security status.
6. Enable Compromised Protection so that the AirWatch Admin Console blocks access if the device is compromised.
7. Enable App Tunnel to allow an application to travel through a VPN or reverse proxy to access internal resources,
such as a SharePoint or intranet site. Select the App Tunnel Mode.
Enter domains in the App Tunnel Domains field.
Note: Enter domains to route through the App Tunnel. All traffic not listed here, goes directly to the Internet. If
nothing is listed here, all traffic directs through the App Tunnel.
8. Enable Geofencing to restrict access to applications depending distances set in Geofencing settings in the AirWatch
Admin Console. Set Geofencing in Device Profiles Settings Geofencing.
9. Enable Data Loss Prevention to protect sensitive data in applications. This setting controls copying and pasting,
printing, taking pictures and screen captures, using Bluetooth and adding watermarks to documents in the Secure
Content Locker (SCL).
When you enable the use of a watermark, enter the text in the Overlay Text field that displays after you select to
Enable Watermark.
Note: The SCL has a preconfigured way of applying the watermark and you cannot change the appearance of the
watermark from the AirWatch Admin Console at this time.
Limit Documents to Open Only in Approved Apps Controls the applications used to open resources on devices.
Enter the allowed applications in the Allowed Applications List field.
10. Enable Network Access to allow applications to access the mobile network. Control the type of network, cellular or
Wi-Fi, and control the Service Set Identifiers (SSIDs) in the Allowed SSIDs field.

Configuring Settings
Configure Settings to set options for behaviors and customization of AirWatch applications.
1. Navigate to Groups & Settings All Settings Apps Settings and Policies Settings.
2. Enable Branding to apply branding configurations in the AirWatch Admin Console to applications.
3. Enable Logging to record log files concerning application processes and set the Logging Level. Logging level severity
from least to wors are ordered as Debug, Information, Warning and Error. Also choose to enable Send Logs Over
WiFi Only to help control traffic when devices connect to WiFi networks.
The AirWatch Admin Console reports the messages that match the configured logging level plus any logs with a
higher critical status. For example, if you set the logging level to Warning, messages with a Warning and Error level
display in the AirWatch Admin Console.
4. Enable Analytics to capture application data for use in business intelligence systems and data marts.
5. Enable Custom Settings to add XML code for custom processes and apply them to applications.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 51

Advanced Application Management

Configuring Profiles
Use these options to create and apply custom controls to SDK and App Wrapped applications. Most of the settings in the
Profiles section mirror the options in Security Policies and Settings. These settings are also explained in the applicable
SDK and App Wrapping Guides.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 52

Appendix SDK Profiles, Policies and Settings Compatibility

Appendix SDK Profiles, Policies and Settings


Compatibility
The AirWatch v6.5 release introduces the ability to apply AirWatch SDK functionality not only to your custom iOS and
Android applications but also to other AirWatch applications and wrapped apps.
Use the Shared SDK Configurations to apply an AirWatch SDK feature to an application by setting the applicable shared
configurations in Policies and Settings and then applying the parameter. The shared SDK parameters are entitled:
l

iOS Default Settings @ [Organization Group]

Android Default Settings @ [Organization Group]

Note: You can continue to use legacy profiles to control the behaviors of your AirWatch applications. You are not
restricted to using shared SDK and custom SDK profiles at this time.
View the available shared SDK configurations with secondary options in the table and see if they are applicable to the
platform-specific AirWatch application.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 53

Appendix SDK Profiles, Policies and Settings Compatibility

SDK Profiles, Policies and Settings Compatibility Matrix


SDK

Settings and Policies


Option

App Wrapping

UI Label

Workspace

AirWatch
Browser

Secure Content Locker

iOS

Android

iOS

Android

iOS

Android

iOS

Android

iOS

Android

Enable

Toolbar Color

Toolbar Text Color

Primary Color

Primary Text Color

Secondary Color

Secondary Text Color

Background Image
(iPhone)

Background Image
(iPhone High Res)

Background Image
(iPad)

Background Image
(iPad High Res)

Background Image
(iPhone 5 High Res)

Background Small

Background Medium

Background Large

Background XLarge

Company Logo Phone

Company Logo Phone


High Res

Company Logo Tablet

Company Logo Tablet


High Res

Organization Name

Enable

Logging Level

Send Logs Over Wi-Fi

Enable

Authentication: Single
Enable
Sign-On

Branding

Logging

Analytics

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 54

Appendix SDK Profiles, Policies and Settings Compatibility

SDK

Settings and Policies


Option
Authentication:
Integrated
Authentication

Authentication:
Passcode

Compromised
Protection

Offline Access

App Tunnel

App Wrapping

UI Label

Workspace

AirWatch
Browser

Secure Content Locker

iOS

Android

iOS

Android

iOS

Android

iOS

Android

iOS

Android

Enable

Allowed sites

Passcode Mode

Allow Simple Value

Minimum Passcode
Length

Minimum Number
Complex
Characters

Maximum
Passcode Age

Passcode History

Maximum Failed
Attempts

Passcode Timeout

Replaces
Replaces
application application
settings
settings

Enable

Enable

Maximum Period
Allowed Offline

Enable

App Tunnel Mode

App Tunnel
Domains

Enable

Replaces
Replaces
application application
settings
settings

Replaces
Replaces
application application
settings
settings

Replaces
Replaces
application application
settings
settings

Data Loss
Prevention

Copy and Paste

Printing

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 55

Appendix SDK Profiles, Policies and Settings Compatibility

SDK

Settings and Policies


Option

AirWatch
Browser

Secure Content Locker

Android

iOS

Android

iOS

Android

iOS

Android

iOS

Android

Open Documents
in Approved
Applications

Allowed
Applications

Enable

Cellular Connection

Wi-Fi Connection

Allowed SSIDs

Enable

Areas

Enable

Custom Settings
XML entries

Geofencing

Custom Settings

Workspace

iOS

Watermark

Network Access
Control

App Wrapping

UI Label

* This option is supported but is not configured using Settings and Policies.

Mobile Application Management (MAM) Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.

Page 56

You might also like