App Wrapping MD
Total Page:16
File Type:pdf, Size:1020Kb
App Wrapping MD VMware Workspace ONE UEM App Wrapping MD You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 VMware AirWatch App Wrapping 5 Wrapping Process in On-Premises Environments 5 File Storage 6 The Storage of Data 6 Disabling Logging in Wrapping Profiles 6 Location Data, Analytics, and Telecom Data 7 Cluster Session Management in iOS and Reduced Flip Behavior for SSO with App Wrapping v5.4 or later 7 SSO Sessions and SDK-Integrated Apps 7 2 App Wrapping Requirements 8 General Requirements 8 Supported Platforms and Bit Versions 8 Supported Deployments and Requirements 8 Store Apps Do Not Wrap 9 Standard Processes 9 Standard and C/C++ Libraries 9 Tampering Protection 9 Supported Settings and Policies Options 9 Visual Studio Enterprise Edition 11 Android Requirements 11 Supported Android Components 11 Android Apps Built with Crosswalk Project Libraries Do Not Wrap 11 Android Enterprise Support 11 Xamarin Requirements for Android 11 Android Bit Architecture Native Files 12 Android Method Limits and Multidex Support 12 Android Apps and the Version of the SDK That Wraps Them 13 Native Libraries in Android Apps 13 Android Library Dependencies 13 Enabling and Disabling Encryption for Android Wrapped Apps 14 iOS Requirements 14 iOS App Wrapping Requirements 14 Using iOS Apps Developed in Swift 15 Entitlements for iOS Apps 15 Mobile Provisioning Profile for iOS Apps 15 Synchronous Calls and iOS Apps 15 Integrated Authentication Code Requirements for iOS (Swift) Apps 15 VMware, Inc. 3 App Wrapping MD No Support for UIWindowSceneDelegate in iOS Apps 15 3 How Do You Wrap and Re-Wrap Applications with the AirWatch App Wrapping Engine 16 Step One: Turn on AirWatch App Wrapping 16 Step Two: Turn On Cloud Services 16 Step Three: Configure an App Wrapping Profile 17 Step Four: Deploy Your App 17 Step Five: Use Send Logs (iOS Only) as an Application Configuration 17 Step Six: Rewrapping 18 4 Troubleshooting AirWatch App Wrapping 19 General Troubleshooting Steps 19 Send Logs for iOS (Swift) Apps 19 Troubleshooting No Static Method Error 20 Requesting App Wrapping Logs 20 App Tunnel and Per-App VPN as a Wrapping Alternative 20 Per App Tunnel and VMware Tunnel Component Explanations and Configurations 20 Additional Details for Per App Tunnel and VMware Tunnel 21 5 Known Issues for App Wrapping 22 Known Issue – Browsing Web Sites and Accessing HTTP Endpoints, iOS 22 Known Issue – DAR, Data at Rest, Encryption 23 Known Issue – Incorrect Parameter Error for iOS Applications 23 Known Issue – Wrapped App Run Failure 24 Known Issue – Issues Wrapping With Apple iOS 8 24 6 Developer Resources 26 Supported Developer Resources - iOS Wrapped Apps 26 Supported Developer Resources -Android Wrapped Apps 27 Mobile App Development Platform, MADP Support 28 App Wrapping and Tunnel Support for iOS APIs 29 VMware, Inc. 4 VMware AirWatch App Wrapping 1 AirWatch App Wrapping, allows organizations to secure enterprise applications with little code changes. App wrapping can add an extra layer of security and data loss prevention while offering a consistent user experience. Consistency comes from using Workspace ONE UEM options such as branding, single sign on SSO, and authentication. Modifying your internal applications with app wrapping lets you access tools already available with Workspace ONE UEM by adding a layer of features over the application. Once the advanced features are applied, deploy the application to your enterprise app catalog for end-users to access. This chapter includes the following topics: n Wrapping Process in On-Premises Environments n File Storage n The Storage of Data n Disabling Logging in Wrapping Profiles n Location Data, Analytics, and Telecom Data n Cluster Session Management in iOS and Reduced Flip Behavior for SSO with App Wrapping v5.4 or later n SSO Sessions and SDK-Integrated Apps Wrapping Process in On-Premises Environments The SaaS-based app wrapping engine communicates with your Workspace ONE UEM on- premises environment in the background to wrap your apps. Workspace ONE UEM wraps and stores modified applications within the SaaS infrastructure, and it does not keep any unmodified application files. The system securely stores and deletes internal application files and auxiliary files. All communication on port 443 is encrypted with AES-256, over SSL, and requiring HMAC token authentications. VMware, Inc. 5 App Wrapping MD Component Action Administrator Uploads the internal application and ancillary files, like provisioning profiles and signing certificates, to the Workspace ONE UEM console and initiates wrapping. Console Notifies the wrapping engine that it has a file. The console populates the download URL for the internal application file and ancillary files. Wrapping Engine Goes to the URL on the internal network device services server and retrieves the files. Unzips the files. Injects SDK functionality. Code-signs the application and recompresses the files. Sends the download URL of the wrapped application to the internal network device services server. Device Services Downloads the wrapped application. Stores the wrapped application in the Workspace ONE Server UEM database, along with auxiliary files. Wrapping Engine Securely deletes original application files, provisioning profiles, and signing certificates, depending on the scheduler task. File Storage The app wrapping process deletes application binary files, provisioning profiles, and signing certificates from the app wrapping service when it completes wrapping. The system stores these files in the Workspace ONE UEM database. When adding a version of the application, the code signing files automatically populate and you can change them if needed. However, the app wrapping service does not store the files you supply. The app wrapping service uses the application binary, signing certificate, and provisioning profile temporarily to sign the wrapped application. After wrapping is complete, the system removes the files from the wrapping service and stores them securely in the Workspace ONE UEM database. If the wrapping fails or times out, the system automatically removes files from the wrapping service and stores them in the Workspace ONE UEM database. The Storage of Data The AirWatch App Wrapping system can log data about the wrapped application, but it does not store location data, analytics, or telecom data. Disabling Logging in Wrapping Profiles To deploy a wrapped application, you assign it a profile. You can enable the logging payload and configure the logging level in that profile. When you apply the profile to the wrapped application, the system creates an application log. If you do not want the console to log data about the application, ensure that this feature is disabled. Find the setting in these places: n In the default VMware Workspace ONE SDK settings in Settings and Policies n In a custom VMware Workspace ONE SDK profile VMware, Inc. 6 App Wrapping MD Location Data, Analytics, and Telecom Data The AirWatch App Wrapping system does not track location, analytics, or telecom data. Although, other sections of the console do if you configure the settings. n The Workspace ONE Intelligent Hub tracks location data. n The Workspace ONE SDK records analytics. n The Telecom dashboard reports telecom data for devices. Disable these features if you do not want to track this data. Cluster Session Management in iOS and Reduced Flip Behavior for SSO with App Wrapping v5.4 or later Causes of Flipping iOS applications wrapped with the following components are in the same keychain group, also called a cluster. n Apps wrapped with signing certificates from the same developer account n Apps that share the same AppIdentifierPrefix These applications can share session data like an app passcode and an SSO session. By sharing this session data, they do not have to flip to the Workspace ONE Intelligent Hub or to the anchor application every time authentication is required. Applications wrapped with the listed components are in different keychain groups, or clusters. n Apps wrapped with signing certificates from different developer accounts n Apps that have a different AppIdentifierPrefix These applications cannot take advantage of passcode sharing. These scenarios require flipping to the Workspace ONE Intelligent Hubor the anchor application to obtain data like the server URL. This flipping action occurs once per cluster. Reduced Flipping On iOS application wrapped with app wrapping engine v5.4+, only the first wrapped app flips to the anchor application on the first launch. It flips to retrieve environment information. It does not flip to retrieve account data or to lock and unlock operations. In older versions of the wrapping engine, applications had to flip to the anchor application to retrieve data and to lock and to unlock operations. SSO Sessions and SDK-Integrated Apps The SSO session is a time frame created at the time of SDK unlock. During this time frame the application can access allowed network resources. If you enable SSO, all SDK-integrated applications are unlocked and able to share keychain information between them. VMware, Inc. 7 App Wrapping Requirements 2 View the supported platforms, bit versions, architectures, console versions, and environments for wrapping apps. Use supported systems to ensure that the solution integrates