Overview
Workplace's iOS and Android applications include security capabilities that give your organisation the option apply additional security checks as well as placing limits on copying or removing information from the apps. These restrictions can provide additonal guardrails that help keep sensitive company content isolated, especially when Workplace is accessed from a personal rather than a corporate device.
You can read more about Workplace's Mobile Security capabilties in general and the different modes of deployment in the Mobile Security deployment approaches.
Workplace and EMM
This section discusses the activation of Workplace Mobile Security restrictions using the application configuration capabilities of Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platforms. The documentation below applies only to either corporate or personal (BYOD) devices which are enrolled in these platforms. For further details on the enrollment requirements and provider specific information see integrating with your EMM Solution.
The Workplace-specific app configuration is described in the App Supported Configuration section, and the device-specific configuration is described in the OS Supported Configuration section.
Integrate with your EMM Solution
Corporate devices must be registered and enrolled in an EMM solution. For Android devices, this means that they must have a work profile.
Once the device is enrolled, you have to follow these steps to configure and deploy Workplace Apps:
In the apps section of the EMM solution, add Workplace and Workplace Chat as managed apps. Two applications per platform – iOS and Android – should be added.
Pick which users should have access to the Workplace applications.
In the app configuration section of the EMM solution, create a new Key Value (KV) pair configuration set following AppConfig guidelines.
See the section on OS Supported Configurations and App Supported Configurations for configuration values.
Assign the configuration policy created in the previous step to the Workplace apps and apply the policy to all the users of the Workplace apps.
For specific instructions, refer to the documentation of your own EMM:
VMWareSAP
MobileIron
IBM
SOTI
JAMF
Blackberry
Microsoft Intune
App Supported Configuration
The app supported configuration that can be set on Workplace via EMM adheres to the specifications defined by the AppConfig Community, which is a standards body formed by many of the leading EMM vendors and application providers. AppConfig members include VMWare, SAP, MobileIron, IBM, SOTI, JAMF and Blackberry. The Workplace apps are configurable by any of these solutions.
If your EMM solution is not a member of AppConfig, see the section on Support for non-AppConfig vendors.
Following the AppConfig standards, the Workplace apps support the ability to be pre-configured with Key Value Pairs (KVPs).
The KVPs (Key Value Pairs) that Workplace supports are listed below.
Key | Expected Value | Platform | Description |
|---|---|---|---|
emailAddress | {wp_account_email_address} | iOS, Android | Represents the Workplace username of the device’s assigned user. |
enableExternalBrowserSupport | YES | iOS, Android | Defines whether the links on the Workplace apps should be opened with a predefined browser app or with the default in-app browser. Requires externalBrowserURLScheme to be set. |
externalBrowserURLScheme | {external_browser_app_http-url_scheme} or {android_app_id} | iOS, Android | Defines which browser app should be used to open urls on the Workplace apps. Requires enableExternalBrowserSupport to be set to YES. |
enableAppLock | True/False | iOS, Android | Defines whether the user will be challenged to use fingerprint or face recognition when opening or returning to the Workplace applications. Enabling this feature ensures encryption (device-level) of Workplace contents. |
timeBeforeShowingAppLock | 0/1/15/60 | iOS, Android | Time (in minutes) after which the reauthentication challenge will be required. A value of 0 means a challenge ever time. |
disableCopyPaste | True/False | iOS, Android | Restricts people from directly pasting text copied within Workplace apps into other applications. |
disableDownload | True/False | iOS, Android | Restricts people from downloading files or images from Workplace apps. |
disableScreenshot | True/False | iOS, Android | Restricts people from taking screenshots and/or recording content in Workplace apps. |
isManagedConfiguration | True/False | iOS, Android | Define whether to prioritise MDM configurations over MAM settings that may apply to the user. If unset or set to False, applicable MAM settings will be enforced. |
Email Address
This configuration allows Workplace customers to pre-populate the Workplace account’s email that is going to be used in a given device.
If a customer knows that a corporate device belongs to a user, they can set this KV pair so the user doesn’t have to input their email address when login into the Workplace apps.
The field expects a string with the email of the user , i.e. john.doe@futureofwork.com.
Enable External Browser Support
By default, urls and links on Workplace apps are opened on an in-app browser. This configuration allows Workplace customers to define if the urls shared on Workplace should be opened with a different browser app, i.e. secure browser.
Managed/Secure browsers will frequently have different configuration and connection policies including per-app VPN, and that is why some customers may want to choose all Workplace linked traffic going to the corporate browser.
The field expects a string with YES in uppercase. It requires externalBrowserURLScheme KVP to be set.
External Browser URL Scheme
This configuration allows Workplace customers to define which browser app should be used to open any url or link shared on Workplace.
For iOS, the field expects a string with the http-url scheme used by the external browser app in lowercase.
For Android, the field expects a string with the application ID used by the external browser app in lowercase.
It requires enableExternalBrowserSupport KVP to be set.
Below we offer a list of http-url schemes and Android application IDs for some of the most used browser apps. Check with browser vendors for further indications.
Browser | iOS http-url scheme | Android application ID |
|---|---|---|
Apple Safari | safari-http | - |
Google Chrome | googlechrome | com.android.chrome |
Mozilla Firefox | firefox://open-url?url= | org.mozilla.firefox |
Opera | opera-http | com.opera.browser |
Microsoft Edge | microsoft-edge-http | com.microsoft.emmx |
Microsoft Intune Managed Browser | http-intunemam | com.microsoft.intune.mam.managedbrowser |
IBM MaaS360 Secure Mobile Browser | maas360browser | com.fiberlink.maas360.android.securebrowser |
VMWare Airwatch Workspace ONE | awb | com.airwatch.browser |
Citrix Secure Browser | ctxmobilebrowser | com.citrix.browser.droid |
Blackberry Access | access://open?url= | com.good.gdgma |
MobileIron Web@Work | mibrowser | - |
Require reauthentication
This configuration allows Workplace customers to prompt people opening or returning to the Workplace applications with a biometric challenge. Enabling this setting will ensure encryption (device-level) is enforced.
On Android, devices without face and fingerprint login will not be able to log in to Workplace.
On iOS, people without Touch ID or Face ID will need to enter the passcode for their device.
The field expects a boolean with True or False.
Time before requiring reauthentication
This configuration allows Workplace customers to set the time (in minutes) after which people will receive the biometric challenge to reauthenticate.
It requires enableAppLock KVP to be set.
The field expects an integer with 0, 1, 15 or 60. If not set or set to an unrecognized value, the time will default to 1. A value of 0 will force a challenge every time the app is opened or returned to.
Turn off copy/paste
This configuration allows Workplace customers to restrict people from directly pasting text copied within Workplace apps into other applications
The field expects a boolean with True or False.
Turn off screenshots and screen recordings
This configuration allows Workplace customers to restrict people from taking screenshots and/or recording content in Workplace apps.
On iOS, you can only prevent people from recording content.
The field expects a boolean with True or False.
Turn off downloads
This configuration allows Workplace customers to restrict people from downloading files or images from Workplace apps.
The field expects a boolean with True or False.
Managed Configurations
This configuration specifies that the MDM key values applied should be respected above any applicable MAM settings for that user. If unset or set to False, applicable MAM settings will be enforced.
The field expects a boolean with True or False.
OS Supported Configuration
In addition to providing many device security features, most EMM solutions provide application security capabilities that are natively supported by the mobile OS and that can be applied to Workplace. These include:
- Remote wipe of the app.
- Encryption of app data.
- Restrict file export to managed apps.
- Prevent backup of app data.
- Route all app traffic through VPN (Per-App VPN).
- Block jailbroken/rooted devices.
- Block screenshots (only Android).
- Restrict copy-paste to managed apps (only Android).
- Biometric/Pin Reauthentication (only Android).
In some cases, customers may require that Workplace access be restricted to managed devices only. In these situations, there are two approaches that can be taken:
- Certificate Based Authentication: Distribute a user certificate to the device through EMM and enable 2-factor authentication on the identity provider with the certificate as a required authentication factor.
- IP Based Restriction: Configure the Workplace apps to use VPN through EMM and enable a policy on the identity provider limiting access based upon source IP address.
Support for non-appconfig.org vendors
If your EMM solution is not a member of appconfig.org it may still support the use of app configurations, follow these steps:
.plist file as shown below and replace the string variable with the email variable from your EMM solution. <plist version="1.0">
<dict>
<key> emailAddress </key>
<string> {EMM_Email_Variable} </string>
</dict>
</plist> .plist file to the EMM solution and associate with the Workplace apps.