Getting Managed Apps Working with a PIN for iOS

Scenario

Your organisation requires that the applications it uses are kept in a company-compliant and secure state. For example, it wants to restrict actions such as cut, copy and paste within a specific application, or to configure an application to open all web links inside a managed browser for which the company specifies its own policies.

Background

In the December 2014 release of Microsoft Intune, Microsoft added the capability to apply compliance and security policy to an application. An application can be restricted either by building it with the Microsoft Intune App Software Development Kit (SDK) or by wrapping it with the Microsoft Intune App Wrapping Tool for iOS.

This is currently available in the standalone release of Microsoft Intune.

Pre-Reqs

Managed apps require Workplace Join (WPJ) to take place. For Workplace Join to work correctly, you need a CNAME record specified.

We have highlighted the enterpriseregistration CNAME as we have seen a lot of people missing this option.

The device must also be workplace joined to be able to receive managed applications. We will cover this in Part 4; however, the above CNAME is critical for this to work.
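One way to check the enterpriseregistration CNAME for each of your UPN domains before you deploy anything. This is an added example, not part of the original post; it assumes the system dig tool is installed and that the record should point at enterpriseregistration.windows.net, the documented device registration endpoint, which the page itself does not show. The function names and the sample domains are made up for the example.

```python
import subprocess
import sys

# Assumption: the documented device registration target (not shown on the page).
EXPECTED_TARGET = "enterpriseregistration.windows.net"

# Constructed sample answers, used when no domain is given on the command line.
SAMPLE = {
    "enterpriseregistration.contoso.example": ["enterpriseregistration.windows.net."],
    "enterpriseregistration.fabrikam.example": [],
}


def dig_cname(name):
    """Return the CNAME targets for `name` using the system dig binary."""
    out = subprocess.run(
        ["dig", "+short", "CNAME", name],
        capture_output=True, text=True, timeout=10, check=False,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_wpj_cname(domain, lookup=dig_cname):
    """Classify the enterpriseregistration record for one UPN domain.

    Returns (status, detail) where status is "ok", "missing" or "wrong".
    """
    name = "enterpriseregistration." + domain.strip().rstrip(".").lower()
    # DNS names are case-insensitive and dig prints a trailing dot.
    targets = [t.rstrip(".").lower() for t in lookup(name)]
    if not targets:
        return "missing", name + " has no CNAME record"
    if EXPECTED_TARGET not in targets:
        return "wrong", name + " points to " + ", ".join(targets)
    return "ok", name + " -> " + EXPECTED_TARGET


if __name__ == "__main__":
    # Usage: python check_wpj.py contoso.com fabrikam.com
    domains = sys.argv[1:]
    lookup = dig_cname if domains else (lambda n: SAMPLE.get(n, []))
    for d in domains or ["contoso.example", "fabrikam.example"]:
        status, detail = check_wpj_cname(d, lookup)
        print(f"{status.upper():8} {detail}")
```

Run it against every domain suffix your users sign in with; any result other than OK means Workplace Join will fail for those users.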

Available Managed apps

The first set of applications to be made available are the Office applications. From the App Store, find and note the URL of the policy-managed app you want to deploy:

Microsoft Word for iPad – https://itunes.apple.com/gb/app/microsoft-word/id586447913?mt=8
Microsoft Excel for iPad – https://itunes.apple.com/gb/app/microsoft-excel/id586683407?mt=8
Microsoft PowerPoint for iPad – https://itunes.apple.com/gb/app/microsoft-powerpoint/id586449534?mt=8
Managed Browser – link TBA

Alternatively, you can create a wrapped app for iOS applications. Use the information in the topic "Prepare apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS" to create a wrapped app.

Part 1 : Publishing the Microsoft Office Managed Apps

In this example we will push a managed application as a required install to an iPad. To publish a managed application we must start the Microsoft Intune Software Publisher.

In the Microsoft Intune console, select Software on the left-hand side and then Managed Software. Then select Add Software and enter your credentials to open the Microsoft Intune Software Publisher.

On the Before you begin page, click Next.

On the Select the platform and specify the location of the software files page, click the drop-down, choose Managed iOS App from the App Store, and then paste the URL for one of your managed applications:

Microsoft Word for iPad – https://itunes.apple.com/gb/app/microsoft-word/id586447913?mt=8
Microsoft Excel for iPad – https://itunes.apple.com/gb/app/microsoft-excel/id586683407?mt=8
Microsoft PowerPoint for iPad – https://itunes.apple.com/gb/app/microsoft-powerpoint/id586449534?mt=8

In this example we have pasted the URL for the Microsoft Word application. Then click Next.

On the Describe the software page, enter details and icons for the software and then click Next.

On the Specify the requirements that must be met on the target mobile devices before installation can start page, we have left this as Any. At this point you can target your specific iOS device more narrowly. Then click Next.

Review the software that you are adding to Microsoft Intune and click Upload, and then click Close once the upload of data has completed successfully.

Part 2 : Creating the Management Policy

Currently we have configured and uploaded an application. However we have not created a management policy for the application, nor have we targeted who the application or management policy is going to be delivered to.

To configure a simple management policy, go to Policy on the left-hand side, select Configuration Policies and click Add.

In the Create a New Policy wizard, select Software, then Mobile Application Management Policy (iOS 7 and later), and select whether to use the recommended settings or create a custom policy. In this example we will use Create a Policy with the Recommended Settings and click Create Policy.

Once this is complete you will see your policy in the list of policies. If you want, you can edit it further or customise it by selecting your policy and clicking Edit.

You can see in the policy I have configured that I have a requirement for a simple PIN for access.

At this point the basic policy is now configured. See section 3 for Create a mobile application management policy for more detail.

Part 3 : Deploy the Application and the Policy

Now that we have the application uploaded and the policy configured we can now look to distribute this to our targeted group.

In the Microsoft Intune console, select Software on the left-hand side and then Managed Software. Then select our managed application, in this scenario Microsoft Word, and then select Manage Deployment.

Select the group of users or devices you want to target the application to. In this scenario we will target it to the User Group for Windows Intune Users. Once added, select Next.

On the Deployment Action page we have selected a required install. Then select Next.

The Mobile App Management page is where our Mobile Application Management Policy is bound to this managed deployment. Validate that the policy is selected and click Next.

On the VPN Profile page, click Finish.

At this point our managed deployment has been completed and the application and management policy will be targeted to the group.

 

Part 4 : Validate Managed App on iOS device

On your iOS device you can force a policy update or wait for the policy to be delivered to your device.

To force a policy update, open the Company Portal, select your device and tap the Sync button.

If your iOS device has not yet been workplace joined, its enrollment will need to be updated before a managed application can work.

If you open the Company Portal and are prompted to update the enrollment for this device, this is your iOS device being workplace joined.

Warning: If you do not have the CNAME pre-req in place, you will not be able to workplace join, you will be unable to use managed apps, and you will get an error.

Once this is completed you should be prompted for an app installation, with a warning that an icon will be landing on your home screen. You will then see the Microsoft Word application icon appear on your home screen.

The first time you launch the first managed application, in our case Microsoft Word, you will be prompted for your corporate credentials.

Once you supply your corporate credentials you will be prompted to set a numerical PIN (remember the option we selected for our managed application policy).

Once that is set you will be able to use Microsoft Word.

This policy will be in place each time you start Microsoft Word.

Remember that when there is a mobile application management policy conflict on the first deployment to the user or device, the specific setting value in conflict will be removed from the policy deployed to the app, and the app will use a built-in conflict value.

When there is a mobile app management policy conflict on later deployments to the app or user, the specific setting value in conflict will not be updated on the mobile app management policy deployed to the app, and the app will use the existing value for that setting.

In cases where the device or user receives two conflicting policies, the following behaviour applies:

  • If a policy has already been deployed to the device, the existing policy settings are not overwritten.
  • If no policy has already been deployed to the device, and two conflicting settings are deployed, the default setting built into the device is used.
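The conflict rules above, modelled as an added example (not from the original post and not Intune's own code) so you can see which value an app ends up with and which settings are in conflict. The setting names and the built-in values are hypothetical; the page does not list the real ones.

```python
def effective_settings(incoming, existing=None, builtin=None):
    """Apply the conflict rules described above for one user or device.

    incoming: list of {setting: value} dicts, one per targeted policy
    existing: settings already delivered to the app (None on first deployment)
    builtin:  the app's built-in values (constructed for this example)
    Returns (effective, conflicts).
    """
    builtin = builtin or {}
    first_deployment = not existing
    effective = dict(existing or {})
    conflicts = []
    for key in sorted({k for policy in incoming for k in policy}):
        values = []
        for policy in incoming:
            if key in policy and policy[key] not in values:
                values.append(policy[key])
        if len(values) == 1:
            effective[key] = values[0]  # all targeted policies agree
            continue
        conflicts.append(key)
        if first_deployment:
            # Conflicting value is removed; the app uses its built-in value.
            effective[key] = builtin.get(key)
        else:
            # Conflicting value is not updated; the existing value stays.
            # Assumption: a setting never delivered before uses the built-in.
            effective.setdefault(key, builtin.get(key))
    return effective, conflicts


# Constructed sample data: setting names and built-in values are hypothetical.
BUILTIN = {"require_pin": False, "allow_copy_paste": True}
POLICY_A = {"require_pin": True, "allow_copy_paste": False}
POLICY_B = {"require_pin": False, "allow_copy_paste": False}

if __name__ == "__main__":
    first, clash = effective_settings([POLICY_A, POLICY_B], builtin=BUILTIN)
    print("first deployment:", first, "conflicts:", clash)
    later, clash = effective_settings([POLICY_A, POLICY_B], existing=POLICY_A,
                                      builtin=BUILTIN)
    print("later deployment:", later, "conflicts:", clash)
```

With these sample values a conflict on first deployment leaves the PIN requirement at the built-in value, so review the returned conflicts list before targeting two policies at the same group.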

 

 

References:

Control apps using mobile application management policies with Microsoft Intune – http://technet.microsoft.com/library/dn878026.aspx

Microsoft Intune App Wrapping Tool for iOS – http://www.microsoft.com/en-us/download/details.aspx?id=45218&navItemId=dbb2a3ad-e4aa-1f57-8f7d-ef44b95f2e2f&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True

Prepare apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS – http://technet.microsoft.com/library/dn878028.aspx

Start managing Windows devices with Microsoft Intune – http://technet.microsoft.com/library/dn764959.aspx