Overview
Some customers might define privacy and security policies which require an extra layer of security for the devices – corporate or not – that their employees use for work purposes. This layer can imply actions like routing all the traffic of work apps through a VPN (Per-App VPN), restricting the available apps to a curated list defined by the customer or being able to wipe the device remotely.
In this kind of scenario, customers might make use of third party solutions that not only allow them to manage these devices, but also to supervise and control them. These solutions are commonly known as Enterprise Mobility Management (EMM) or Mobile Device Management (MDM).
Workplace, as an app for work, normally falls under the scope of the mentioned policies, and thus the EMM management.
Workplace and EMM
Workplace features two mobile apps that are available on both iOS and Android – Workplace and Workplace Chat. For those customers that use an EMM solution, there are two different sets of configurations available for Workplace apps.
One of them is the set of features that are provided by most of the EMM solutions and that are natively supported by the mobile operating systems, and thus applicable to any app installed on the mobile devices, including Workplace. To know more, see the section on OS Supported Configurations.
The second one is the set of features that are specifically supported by Workplace apps, which can receive certain configuration values that can be deployed with the application to enable concrete features for the users.
This app supported configuration adheres to the specifications defined by the AppConfig Community, which is a standards body formed by many of the leading EMM vendors and application providers. AppConfig members include VMWare, SAP, MobileIron, IBM, SOTI, JAMF and Blackberry. The Workplace apps are configurable by any of these solutions. To know more, see the section on App Supported Configurations.
If your EMM solution is not a member of AppConfig, see the section on Support for non-AppConfig vendors.
Integrate with your EMM Solution
Prerequisites
Corporate devices must be registered and enrolled in an EMM solution. For Android devices, this means that they must have a work profile.
Once the device is enrolled, you have to follow these steps to configure and deploy Workplace Apps:
In the apps section of the EMM solution, add Workplace and Workplace Chat as managed apps. Two applications per platform – iOS and Android – should be added.
Pick which users should have access to the Workplace applications.
In the app configuration section of the EMM solution, create a new Key Value (KV) pair configuration set following AppConfig guidelines.
See the section on OS Supported Configurations and App Supported Configurations for configuration values.
Assign the configuration policy created in the previous step to the Workplace apps and apply the policy to all the users of the Workplace apps.
For specific instructions, refer to the documentation of your own EMM:
VMWare
SAP
MobileIron
IBM
SOTI
JAMF
Blackberry
Microsoft Intune
App Supported Configurations
Workplace apps can be pre-configured with Key Value Pairs (KVPs).
The KVPs that Workplace supports are listed below.
Key | Expected Value | Platform | Description
---|---|---|---
emailAddress | {wp_account_email_address} | iOS, Android | Represents the Workplace username of the device’s assigned user.
enableExternalBrowserSupport | YES | iOS, Android | Defines whether links in the Workplace apps are opened with a predefined browser app or with the default in-app browser. Requires externalBrowserURLScheme to be set.
externalBrowserURLScheme | {external_browser_app_http-url_scheme} or {android_app_id} | iOS, Android | Defines which browser app is used to open URLs from the Workplace apps. Requires enableExternalBrowserSupport to be set to YES.
Email Address
This configuration allows Workplace customers to pre-populate the email of the Workplace account that is going to be used on a given device.
If a customer knows that a corporate device belongs to a user, they can set this KV pair so the user doesn’t have to input their email address when logging into the Workplace apps.
The field expects a string with the user's email, e.g. john.doe@futureofwork.com.
Enable External Browser Support
By default, URLs and links in the Workplace apps are opened in an in-app browser. This configuration allows Workplace customers to define whether URLs shared on Workplace should instead be opened with a different browser app, e.g. a secure browser.
Managed or secure browsers frequently carry different configuration and connection policies, including per-app VPN, which is why some customers prefer to send all traffic from Workplace links through the corporate browser.
The field expects the string YES in uppercase. It requires the externalBrowserURLScheme KVP to be set.
External Browser URL Scheme
This configuration allows Workplace customers to define which browser app should be used to open any URL or link shared on Workplace.
For iOS, the field expects a string with the http-url scheme used by the external browser app, in lowercase.
For Android, the field expects a string with the application ID used by the external browser app, in lowercase.
It requires the enableExternalBrowserSupport KVP to be set.
Below is a list of http-url schemes and Android application IDs for some of the most used browser apps. Check with the browser vendors for further details.
Browser | iOS http-url scheme | Android application ID
---|---|---
Apple Safari | safari-http | - |
Google Chrome | googlechrome | com.android.chrome |
Mozilla Firefox | firefox://open-url?url= | org.mozilla.firefox |
Opera | opera-http | com.opera.browser |
Microsoft Edge | microsoft-edge-http | com.microsoft.emmx |
Microsoft Intune Managed Browser | http-intunemam | com.microsoft.intune.mam.managedbrowser |
IBM MaaS360 Secure Mobile Browser | maas360browser | com.fiberlink.maas360.android.securebrowser |
VMWare Airwatch Workspace ONE | awb | com.airwatch.browser |
Citrix Secure Browser | ctxmobilebrowser | com.citrix.browser.droid |
Blackberry Access | access://open?url= | com.good.gdgma |
MobileIron Web@Work | mibrowser | - |
OS Supported Configurations
In addition to providing many device security features, most EMM solutions provide application security capabilities that are natively supported by the mobile OS and that can be applied to Workplace. These include:
- Remote wipe of the app.
- Encryption of app data.
- Restrict file export to managed apps.
- Prevent backup of app data.
- Route all app traffic through VPN (Per-App VPN).
- Block screenshots (Android only).
- Restrict copy-paste to managed apps (Android only).
- Biometric/PIN reauthentication (Android only).
- Block jailbroken/rooted devices.
In some cases, customers may require that Workplace access be restricted to managed devices only. In these situations, there are two approaches that can be taken:
- Certificate Based Authentication: Distribute a user certificate to the device through EMM and enable 2-factor authentication on the identity provider with the certificate as a required authentication factor.
- IP Based Restriction: Configure the Workplace apps to use VPN through EMM and enable a policy on the identity provider limiting access based upon source IP address.
Support for non-appconfig.org vendors
If your EMM solution is not a member of appconfig.org, it may still support the use of app configurations. Follow these steps:
1. Create a .plist file as shown below and replace the string variable with the email variable from your EMM solution.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>emailAddress</key>
    <string>{EMM_Email_Variable}</string>
</dict>
</plist>
```
2. Upload the .plist file to the EMM solution and associate it with the Workplace apps.
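As an added example covering both the key/value table in App Supported Configurations and the .plist step above, the following Python (not code from Workplace or any EMM vendor) checks a KV set against the rules this page states (YES in uppercase, scheme or application ID in lowercase, the two browser keys required together, a well-formed email or an EMM variable) and serializes it with the standard library's plistlib. The key names, the {EMM_Email_Variable} placeholder and the browser identifiers are taken from this page; treating any value of the form {...} as an EMM-substituted variable, and the regular expressions used for the format checks, are assumptions of this example.

```python
"""Validate a Workplace AppConfig key/value set and render it as a .plist.

Added example, not code from Workplace or any EMM vendor. Key names, expected
values and the browser identifiers are the ones documented on this page;
treating any "{...}" value as an EMM-substituted variable is an assumption of
this example, as are the regular expressions used for the format checks.
"""
import plistlib
import re

SUPPORTED_KEYS = {"emailAddress", "enableExternalBrowserSupport", "externalBrowserURLScheme"}

# Identifiers from the documented browser table. Anything else is only a warning,
# because the page says to check with the browser vendor for other apps.
KNOWN_IOS_SCHEMES = {
    "safari-http", "googlechrome", "firefox://open-url?url=", "opera-http",
    "microsoft-edge-http", "http-intunemam", "maas360browser", "awb",
    "ctxmobilebrowser", "access://open?url=", "mibrowser",
}
KNOWN_ANDROID_IDS = {
    "com.android.chrome", "org.mozilla.firefox", "com.opera.browser",
    "com.microsoft.emmx", "com.microsoft.intune.mam.managedbrowser",
    "com.fiberlink.maas360.android.securebrowser", "com.airwatch.browser",
    "com.citrix.browser.droid", "com.good.gdgma",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EMM_VARIABLE_RE = re.compile(r"^\{[A-Za-z0-9_.]+\}$")  # e.g. {EMM_Email_Variable} (assumed form)
ANDROID_APP_ID_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")


def validate(config, platform):
    """Check a KV set for one platform; returns {"errors": [...], "warnings": [...]}."""
    if platform not in ("ios", "android"):
        raise ValueError("platform must be 'ios' or 'android'")
    errors, warnings = [], []
    for key, value in config.items():
        if key not in SUPPORTED_KEYS:
            errors.append(f"{key}: unsupported key")
        elif not isinstance(value, str) or not value:
            errors.append(f"{key}: value must be a non-empty string")
    email = config.get("emailAddress")
    if isinstance(email, str) and email and not (
        EMAIL_RE.match(email) or EMM_VARIABLE_RE.match(email)
    ):
        errors.append("emailAddress: neither an email address nor an EMM variable")
    enable = config.get("enableExternalBrowserSupport")
    scheme = config.get("externalBrowserURLScheme")
    # The two browser keys only work as a pair, and the flag must be exactly "YES".
    if enable is not None and enable != "YES":
        errors.append("enableExternalBrowserSupport: expected exactly 'YES' (uppercase)")
    if enable == "YES" and not scheme:
        errors.append("enableExternalBrowserSupport=YES requires externalBrowserURLScheme")
    if scheme and enable != "YES":
        errors.append("externalBrowserURLScheme: set without enableExternalBrowserSupport=YES")
    if isinstance(scheme, str) and scheme:
        if scheme != scheme.lower():
            errors.append("externalBrowserURLScheme: must be lowercase")
        elif platform == "android":
            if not ANDROID_APP_ID_RE.match(scheme):
                errors.append("externalBrowserURLScheme: not a valid Android application ID")
            elif scheme not in KNOWN_ANDROID_IDS:
                warnings.append(f"externalBrowserURLScheme: {scheme} not in the documented list")
        elif scheme not in KNOWN_IOS_SCHEMES:
            warnings.append(f"externalBrowserURLScheme: {scheme} not in the documented list")
    return {"errors": errors, "warnings": warnings}


def to_ios_plist(config):
    """Serialize a valid iOS KV set as the XML .plist a non-AppConfig EMM takes."""
    errors = validate(config, "ios")["errors"]
    if errors:
        raise ValueError("; ".join(errors))
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: email filled in by the EMM, links sent to Intune's browser.
    sample = {
        "emailAddress": "{EMM_Email_Variable}",
        "enableExternalBrowserSupport": "YES",
        "externalBrowserURLScheme": "http-intunemam",
    }
    print(validate(sample, "ios"))
    print(to_ios_plist(sample).decode())
    # The same set is wrong for Android, where the value must be an application ID.
    print(validate(sample, "android"))
```

Run the script to see the iOS set pass, the generated .plist, and the same set rejected for Android; the split between errors (the set will not work) and warnings (an identifier not on this page's list) mirrors the page's advice to confirm other browsers with their vendor.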