Professional Documents
Culture Documents
Page 2
Introduction to App Wrapping
Overview
AirWatch Application Wrapping, or App Wrapping, allows organizations to inject AirWatch functionality into internal
applications. The feature requires no need for development or code changes. The process of App Wrapping an
application requires no code changes or development because AirWatch functionality App Wrapping initiates
functionality into applications directly from the AirWatch Admin Console. Once an application is wrapped, AirWatch can
perform a number of administrative actions on the application, increasing its security and value to your company.
Modifying your internal applications with App Wrapping reduces time and expenses spent on developing management
and security. It lets you access tools already available with AirWatch by simply adding a layer of features over the
application. Once the advanced features are applied, deploy the application to your enterprise application catalog for
end-users to access. App Wrapping offers the following functionality:
l Require authentication and a unique password for Single Sign On integration.
l Control network access based on the type of network or by service set identifiers (SSIDs).
l Redirect traffic using App Tunneling with the AirWatch Mobile Access Gateway (MAG), a standard proxy or an F5
proxy.
In This Guide
This document discusses the process of configuring the App Wrapping feature for SaaS and on-premise deployments. It
is divided into the following sections where you will learn about the following processes:
l Before You Begin Read about supported components for App Wrapping, configuring the Mac Mini (only for on-
premise deployments) and about enabling the feature.
l Creating an App Wrapping Profile Use SDK functionality in your App Wrapping by creating a custom or shared App
Wrapping profile.
l Assigning an App Wrapping Profile Assign your custom or shared App Wrapping profile to complete the
configuration process.
l Appendix Feature Matrix View App Wrapping features and their release version.
Page 3
Before You Begin
Overview
Before configuring App Wrapping, you should consider the following prerequisites, requirements, supporting materials
and helpful suggestions from the AirWatch team. Familiarizing yourself with the information available in this section will
help prepare you for configuring App Wrapping.
In This Section
l Supported Operating Systems View a list of supported operating systems.
l Recommended Reading Review helpful background and supporting information available from other AirWatch
guides. Access all of these guides on the AirWatch Resources Portal (http://resources.air-watch.com).
l Getting Started - Set up App Wrapping using some recommendations and tips from the AirWatch team to streamline
configuration.
Supported Deployments
l SaaS deployments Start in the section Creating an App Wrapping Profile.
l iOS, AirWatch SaaS Mac mini Start with the section entitled Enabling App Wrapping in the AirWatch Admin
Console.
l Mobile Provisioning Profile Get this from Apple's Developer Portal. Upload this to AirWatch as proof of
authorization to create and run applications built for iOS devices. This profile is specific to your application and to the
Code Signing Certificate.
l Code Signing Certificate Get this from Apple's Developer Portal. Upload this to AirWatch as proof of your code
signing identity. This certificate is specific to the application and to the Mobile Provisioning Profile.
Page 4
Before You Begin
Recommended Reading
l Mobile Application Management (MAM) Guide Read about how to manage applications using the AirWatch Admin
Console.
l iOS Platform Guide Read about the ways AirWatch manages App iOS features for your mobile fleet.
l Android Platform Guide Read about the ways AirWatch manages Android features for your mobile fleet.
Getting Started
You can perform the following processes in preparation for configuring App Wrapping. For on-premise deployments,
configure your dedicated Mac mini. For both SaaS and on-premise deployments, enable the App Wrapping feature in the
AirWatch Admin Console.
l Android Enter the URL for the server that hosts your Google Play integration system in the Android App
Wrapping Service Url field. Typically, this is the same as your AirWatch Admin Console Server and you can enter
http://localhost:9001/.
Page 5
Creating an App Wrapping Profile
Overview
Configure the App Wrapping feature by creating a profile using a custom profile or using the Settings and Policies section
in the AirWatch Admin Console.
Modifying your internal applications with App Wrapping reduces time and expenses spent on developing management
and security. It lets you access tools already available with AirWatch by simply adding a layer of features over the
application. Once the advanced features are applied, deploy the application to your enterprise application catalog for
end-users to access. App Wrapping offers the following functionality:
In This Section
Creating an App Wrapping Profile, Shared and Custom Create a default application or custom App Wrapping profile to
implement AirWatch functionality into your wrapped app. Also, configure VPN on demand for internal applications using
Cisco AnyConnect VPN and F5 VPN clients in combination with AirWatch App Wrapping.
Custom Profiles
The last section, Profiles, includes settings that you can apply to SDK applications, App Wrapped applications and other
AirWatch applications. You also use the Profiles section to edit SDK and App Wrapping profiles created before the
AirWatch v6.5 release. Profiles offer granular control for specific applications and the ability to override shared
configurations. However, they also require separate input and maintenance. See "Custom App Wrapping Profiles" on
page 8.
Page 6
Creating an App Wrapping Profile
2. Authentication Select Security Policies Passcode Mode. Set the passcode as Numeric or Alphanumeric. This
option sets the passcode for the SSO feature. Complete the following options.
Passcode Mode sets a passcode requirement for the AirWatch applications in the AirWatchWorkspace and for
AirWatch applications that have the shared SDK profile applied to them. If you enable SSO, then the AirWatch
Workspace application applies the Passcode Mode settings across all AirWatch applications. If you do not apply SSO,
then end-users have to log in to each AirWatch application, separately.
l Passcode Timeout Sets the allowable time the passcode accesses applications before it ceases access due to
inactivity.
l Minimum Passcode Length Sets the minimum number of characters for the passcode.
l Minimum Number Complex Characters(Alphanumeric) Sets the minimum number of complex characters for
the passcode.
l Maximum Passcode Age (days) Sets the time frame for using the passcode.
l Passcode History Sets the number of passcodes the AirWatch Admin Console stores so that users cannot re-
use passcodes for a specified time frame.
l Maximum Number Of Failed Attempts Sets the maximum times a user can login with the passcode before
having an action taken in response to the failed attempts.
3. Single Sign On Select Security Policies Singl Sign On. Applies a single identity, encrypted on the device, to access
all AirWatch applications.
Note: You must have the AirWatch Workspace application deployed for SSO configurations to work.
4. Integrated Authentication Select Security Policies Integrated Authentication. Allows access to corporate
resources, such as content repositories, through AirWatch Workspace using corporate credentials. These credentials
are not the same as the AirWatch SSO credentials.
Enter systems in the Allowed Sites field if you want to restrict AirWatch Workspace access to a specific set of sites.
This feature ensures that AirWatch does not expose credentials to non-trusted resources.
Note: Integrated Authentication works with only the AirWatch Browser at this time.
5. Restrictions Select Security Policies Data Loss Prevention. Some settings are not available for both Android and
iOS. The user interface displays labels identifying the supported platform. Complete the following options.
Page 7
Creating an App Wrapping Profile
l Enable Data Loss Prevention(iOS and Android) Sets restrictions on sensitive data on devices.
l Enable Copy Paste (iOS and Android) Allows the copying and pasting of data in wrapped applications.
l Enable Camera(Android) Allows the use of the camera function in wrapped applications.
l Enable Bluetooth(Android) Allows the use of the Bluetooth function in wrapped applications.
l Limit Documents to Open Only in Approved Apps (iOS and Android) Authorizes only select applications to
open documents from wrapped applications. The feature requires the provision of the Bundle ID/Package ID of
the allowed application to open documents. Enter the allowed applications in the Applications field.
6. Network Access Select Security Policies Network Access Control. Enable Network Access to allow the use of
wrapped applications when a device connects to cellular and Wi-Fi systems. Add a list of allowed service set
identifiers (SSIDs) in the Allowed SSIDs field to restrict network access to defined wireless local-area network (WLAN).
7. Offline Access Select Security Policies Offline Access. Enable Offline Access to wrapped applications when the
device is not connected to the mobile network. Set a maximum time for offline access. This ensures the system has
access to the device periodically to check the compliance and security status.
8. Branding Select Settings Branding. Provide color branding to the Authentication page of the wrapped
application. You can set the color for the Authentication page background, for the text and for the toolbar among
other options.
Note: The AirWatch Solution supports Branding for the Authentication user interface when the Single Sign On
option is disabled.
9. Compliance Select Security Policies Compromised Protection. Enable compliance to block the device from
accessing the network when detects it is compromised.
10. Proxy Select Security Policies App Tunnel. Enable App Tunnel to redirect all the http and https traffic using a
proxy server. Select the type of proxy using the App Tunnel Mode setting.
2. Select Add Profile and choose App Wrapping Profile and the applicable platform.
3. Configure General settings and then complete the settings for the applicable payload. The options in the shared SDK
configurations and the custom SDK profiles are the same.
VPNOn Demand
VPN on demand for is available for internal applications using Cisco AnyConnect VPN and F5 VPN clients in combination
with AirWatch App Wrapping. The following instructions outline the process:
Page 8
Creating an App Wrapping Profile
1. Create an app wrapping profile with the appropriate VPNdetails included by navigating to Groups &Settings All
Settings Apps Settings And Policies Profiles and selecting Add Profile, App Wrapping Profile, then Android.
2. Fill out General information as necessary, then select the VPNtab. Select Enable VPNOn Demand. Select Save to
save the app wrapping profile.
3. Upload an internal application. Under the Wrapping tab, select Enable App Wrapping and select the profile you
created.
4. Configure the VPNprofile. Select the VPNOn Demand check box, then select Add. Select the App Wrapping profile
you created from the list. Select Save &Publish.
Any internal application you wrap with the App Wrapping profile you created that are also under an Organization Group
with this VPNprofile will now use the VPN you configured for its network traffic.
Page 9
Assigning an App Wrapping Profile
Overview
Now that your App Wrapping Profiles are established, you must assign the profile to your internal applications.
In This Section
Uploading the Application Assign your custom or shared profile to your internal applications to complete the
configuration process.
l Select the Enable App Wrapping option to enable the application for wrapping and to associate to the wrapping
profile. The below screen interacts with the Wrapping Engine at the background to perform the actual wrapping
process.
Page 10
Assigning an App Wrapping Profile
3. Click Save. When saving, the AirWatch Admin Console puts the .apk/.ipa file and its request to the wrapping engine.
Upon successful wrapping, the Internal Application page shows the status as Application Successfully Wrapped.
Note: If you want to wrap a distributed application, you need to upload the same application as a new version. Then
wrap, save and assign the application. If you edit an App Wrapping profile, saving it updates the AirWatch Admin
Console record and deploys it to the application. When you save an application in the AirWatch Admin Console and
do not wrap it, you cannot wrap the saved application. You must re-upload the application and wrap it again.
Now that your application is wrapped with extra security and additional management features, you can redeploy it to the
enterprise App Catalog.
Page 11
Appendix B - Feature Matrix
Allows device users to sign in to one application and the same session lets
users access other AirWatch applications, SDK applications, wrapped
Singl Sign On applications and other whitelisted corporate resources in the same 6.5+ 6.5+
Organization Group.
Requires the AirWatch Workspace Application.
Requires users to authenticate when SSO is disabled. It also requires the
configuration of an application passcode.
Authentication 6.5+ 6.5+
Prompts users for the passcode periodically to access the wrapped
application.
Detects and prevents compromised devices from accessing the AirWatch
Compliance 6.4+ 6.4+
managed environment.
Allows a wrapped application to access corporate resources using the App
App Tunneling Tunneling feature provided by the AirWatch MAG.
AirWatch The AirWatch MAG offers protection against potential data loss and
6.4+ 6.4+
Mobile Access malicious attack by securing mobile communications with App Tunneling.
Gateway (MAG) App Tunneling allows only select applications to authenticate and securely
communicate with back-end resources in the corporate network.
App Tunneling Allows a wrapped application to access corporate resources using the App
6.4+ 6.5+
F5 Proxy Tunneling feature provided by F5 proxy architecture.
Data Loss
Prevention Controls the ability of a wrapped application to copy and paste content. 6.4+ 6.5+
Copy and Paste
Data Loss
Prevention Controls the ability of a wrapped application to access the device camera. 6.4+ 6.5+
Camera
Data Loss
Prevention Not
Controls the ability of a wrapped application to access Bluetooth capabilities. 6.4+
Available
Bluetooth
Data Loss
Prevention Authorizes only select applications to open documents from wrapped
Open applications. It requires the provisioning of the Bundle ID/Package ID of the 6.4+ 6.5+
Documents with allowed application to open documents.
Approved Apps
Page 12
Appendix B - Feature Matrix
Network Access
Controls whether the device can use a wrapped application when the device
Cellular In Planning 6.5+
connects to the network using a cellular system.
Connection
Network Access
Controls whether the device can use a wrapped application when the device
Wi-Fi In Planning 6.5+
connects to the network using a Wi-Fi system.
Connection
Network Access Controls the ability of wrapped applications to access networks based on
In Planning 6.5+
Allowed SSIDs service set identifiers (SSIDs).
Page 13