
App Wrapping Guide

Applying a management layer to mobile apps using AirWatch v7.0

2014 AirWatch, LLC All Rights Reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license.
This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

App Wrapping Guide | v.2014.01 | January 2014


Copyright 2014 AirWatch, LLC All rights reserved. Proprietary & Confidential.
Table of Contents
Introduction to App Wrapping
   Overview
   In This Guide
Before You Begin
   Overview
   In This Section
   Supported Operating Systems
   Supported Deployments
   Requirements for iOS
   Recommended Reading
   Getting Started
Creating an App Wrapping Profile
   Overview
   In This Section
   Creating an App Wrapping Profile, Default Application and Custom
Assigning an App Wrapping Profile
   Overview
   In This Section
   Uploading the Application
Appendix B - Feature Matrix


Introduction to App Wrapping

Overview
AirWatch Application Wrapping, or App Wrapping, allows organizations to inject AirWatch functionality into internal
applications. Wrapping an application requires no development or code changes because App Wrapping adds the
functionality to applications directly from the AirWatch Admin Console. Once an application is wrapped, AirWatch can
perform a number of administrative actions on the application, increasing its security and value to your company.
Modifying your internal applications with App Wrapping reduces time and expenses spent on developing management
and security. It lets you access tools already available with AirWatch by simply adding a layer of features over the
application. Once the advanced features are applied, deploy the application to your enterprise application catalog for
end-users to access. App Wrapping offers the following functionality:
• Require authentication and a unique password for Single Sign On integration.
• Detect and prevent access to compromised devices.
• Prevent data loss by disabling copy/paste, Bluetooth and camera (Android only).
• Control network access based on the type of network or by service set identifiers (SSIDs).
• Redirect traffic using App Tunneling with the AirWatch Mobile Access Gateway (MAG), a standard proxy or an F5 proxy.

In This Guide
This document discusses the process of configuring the App Wrapping feature for SaaS and on-premise deployments. It
is divided into the following sections where you will learn about the following processes:
• Before You Begin - Read about supported components for App Wrapping, configuring the Mac Mini (only for on-premise deployments) and about enabling the feature.
• Creating an App Wrapping Profile - Use SDK functionality in your App Wrapping by creating a custom or shared App Wrapping profile.
• Assigning an App Wrapping Profile - Assign your custom or shared App Wrapping profile to complete the configuration process.
• Appendix: Feature Matrix - View App Wrapping features and their release version.


Before You Begin

Overview
Before configuring App Wrapping, you should consider the following prerequisites, requirements, supporting materials
and helpful suggestions from the AirWatch team. Familiarizing yourself with the information available in this section will
help prepare you for configuring App Wrapping.

In This Section
• Supported Operating Systems - View a list of supported operating systems.
• Supported Deployments - View a list of the supported deployments.
• Requirements - View the prerequisites for a successful configuration.
• Recommended Reading - Review helpful background and supporting information available from other AirWatch guides. Access all of these guides on the AirWatch Resources Portal (http://resources.air-watch.com).
• Getting Started - Set up App Wrapping using some recommendations and tips from the AirWatch team to streamline configuration.

Supported Operating Systems


App Wrapping is available for Android 4.0+ and iOS 5+ devices.

Supported Deployments
• SaaS deployments - Start in the section Creating an App Wrapping Profile.
• iOS, AirWatch SaaS Mac mini - Start with the section entitled Enabling App Wrapping in the AirWatch Admin Console.

Requirements for iOS


• iOS Enterprise Developer Account - Use this account to get Xcode because you need Xcode to compile the application after you wrap it. Go to https://developer.apple.com/xcode/ for information.
• Mobile Provisioning Profile - Get this from Apple's Developer Portal. Upload this to AirWatch as proof of authorization to create and run applications built for iOS devices. This profile is specific to your application and to the Code Signing Certificate.
• Code Signing Certificate - Get this from Apple's Developer Portal. Upload this to AirWatch as proof of your code signing identity. This certificate is specific to the application and to the Mobile Provisioning Profile.
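
Because the profile, the certificate and the application are specific to one another, the pairing can be checked before upload. The following is an added example, not AirWatch code: it reads the plist embedded in a .mobileprovision file and confirms that it lists the signing certificate, covers the application's bundle ID and has not expired. The sample profile, certificate bytes, team prefix and bundle ID are constructed; the key names are those of Apple's provisioning profile plist, and the CMS signature is not verified.

```python
import fnmatch
import hashlib
import plistlib
from datetime import datetime


def load_profile(raw: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision (CMS) file.

    Only locates and parses the payload; the CMS signature is NOT verified.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def check_profile(raw: bytes, cert_der: bytes, bundle_id: str, now: datetime) -> list:
    """Return a list of problems; an empty list means the set is consistent."""
    profile = load_profile(raw)
    problems = []

    # 1. The profile must embed the exact signing certificate (DER bytes).
    wanted = hashlib.sha256(cert_der).hexdigest()
    embedded = {hashlib.sha256(c).hexdigest()
                for c in profile.get("DeveloperCertificates", [])}
    if wanted not in embedded:
        problems.append("signing certificate is not listed in the profile")

    # 2. application-identifier is "<team prefix>.<bundle ID or wildcard>".
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    _, _, pattern = app_id.partition(".")
    if not pattern or not fnmatch.fnmatchcase(bundle_id, pattern):
        problems.append("profile does not cover bundle ID " + bundle_id)

    # 3. plistlib returns <date> values as naive UTC datetimes.
    expires = profile.get("ExpirationDate")
    if expires is None or expires <= now:
        problems.append("profile is expired or has no expiration date")
    return problems


# --- Constructed sample data (not a real certificate or profile) ---
SAMPLE_CERT = b"constructed bytes standing in for the DER signing certificate"
OTHER_CERT = b"constructed bytes standing in for an unrelated certificate"


def make_sample_profile(cert: bytes, app_id: str, expires: datetime) -> bytes:
    """Build a stand-in .mobileprovision: plist wrapped in fake CMS bytes."""
    body = plistlib.dumps({
        "DeveloperCertificates": [cert],
        "Entitlements": {"application-identifier": app_id},
        "ExpirationDate": expires,
    })
    return b"\x30\x82 constructed CMS header " + body + b" constructed signature"


if __name__ == "__main__":
    profile = make_sample_profile(
        SAMPLE_CERT, "ABCDE12345.com.example.fieldapp", datetime(2015, 1, 1))
    now = datetime(2014, 6, 1)
    print(check_profile(profile, SAMPLE_CERT, "com.example.fieldapp", now))
    print(check_profile(profile, OTHER_CERT, "com.example.other", now))
```

On real files, pass the raw bytes of the .mobileprovision file and the DER encoding of the signing certificate.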


Recommended Reading
• Mobile Application Management (MAM) Guide - Read about how to manage applications using the AirWatch Admin Console.
• iOS Platform Guide - Read about the ways AirWatch manages Apple iOS features for your mobile fleet.
• Android Platform Guide - Read about the ways AirWatch manages Android features for your mobile fleet.

Getting Started
You can perform the following processes in preparation for configuring App Wrapping. For on-premise deployments,
configure your dedicated Mac mini. For both SaaS and on-premise deployments, enable the App Wrapping feature in the
AirWatch Admin Console.

Enabling App Wrapping in the AirWatch Admin Console


Enable the AirWatch App Wrapping feature to communicate with your network server in on-premise deployments. For
SaaS deployments, AirWatch configures this for you.
1. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs.

2. Select Enable App Wrapping in the App Wrapping section.

3. Complete the entry for your platform:
   • iOS - Enter one of the URLs for the Mac mini:
      o The URL for the AirWatch SaaS Mac mini, https://appwrap01.awmdm.com/.
   • Android - Enter the URL for the server that hosts your Google Play integration system in the Android App Wrapping Service Url field. Typically, this is the same as your AirWatch Admin Console Server and you can enter http://localhost:9001/.


Creating an App Wrapping Profile

Overview
Configure the App Wrapping feature by creating a profile using a custom profile or using the Settings and Policies section
in the AirWatch Admin Console.

In This Section
Creating an App Wrapping Profile, Shared and Custom - Create a default application or custom App Wrapping profile to
implement AirWatch functionality into your wrapped app. Also, configure VPN on demand for internal applications using
Cisco AnyConnect VPN and F5 VPN clients in combination with AirWatch App Wrapping.

Creating an App Wrapping Profile, Default Application and Custom


Shared or Custom App Wrapping Profile Configurations
You can apply AirWatch SDK functionality not only to your custom iOS and Android applications but also to other
AirWatch applications. You can choose to apply SDK profile settings and policies at an Organization Group (OG) level.
These options are shared across the OG. You can also customize SDK profiles for SDK, App Wrapped and other
AirWatch applications. Options are mirrored in each area to offer the choice and flexibility to apply settings to service your
mobile environment.

Shared Profile Configurations


The first two sections of the Settings and Policies area, Security Policies and Settings, are options that you can share
with all the AirWatch applications in that OG (like the AirWatch Browser and the AirWatch Secure Content Locker), SDK
applications and App Wrapped corporate applications. Shared options offer ease of use and a single point of
configuration. See "Creating an App Wrapping Profile" on page 6.
The shared default policy is entitled iOS Default Settings @ [Organization Group] or Android Default Settings @
[Organization Group]. However, you can still use and apply your legacy policies to configurations. You do not have to
use the shared configurations.

Custom Profiles
The last section, Profiles, includes settings that you can apply to SDK applications, App Wrapped applications and other
AirWatch applications. You also use the Profiles section to edit SDK and App Wrapping profiles created before the
AirWatch v6.5 release. Profiles offer granular control for specific applications and the ability to override shared
configurations. However, they also require separate input and maintenance. See "Custom App Wrapping Profiles" on
page 8.


Shared App Wrapping Configurations


Set shared configurations for wrapped applications to apply a single set of options across multiple applications in the
AirWatch Admin Console.
1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies.

2. Authentication - Select Security Policies > Passcode Mode. Set the passcode as Numeric or Alphanumeric. This
option sets the passcode for the SSO feature. Complete the following options.
Passcode Mode sets a passcode requirement for the AirWatch applications in the AirWatch Workspace and for
AirWatch applications that have the shared SDK profile applied to them. If you enable SSO, then the AirWatch
Workspace application applies the Passcode Mode settings across all AirWatch applications. If you do not apply SSO,
then end-users have to log in to each AirWatch application separately.
   • Passcode Timeout - Sets how long the passcode allows access to applications before access ceases due to inactivity.
   • Allow Simple Value - Sets the passcode to allow simple strings.
   • Minimum Passcode Length - Sets the minimum number of characters for the passcode.
   • Minimum Number Complex Characters (Alphanumeric) - Sets the minimum number of complex characters for the passcode.
   • Maximum Passcode Age (days) - Sets the time frame for using the passcode.
   • Passcode History - Sets the number of passcodes the AirWatch Admin Console stores so that users cannot re-use passcodes for a specified time frame.
   • Maximum Number Of Failed Attempts - Sets the maximum number of times a user can attempt to log in with the passcode before an action is taken in response to the failed attempts.

3. Single Sign On - Select Security Policies > Single Sign On. Applies a single identity, encrypted on the device, to access
all AirWatch applications.

Note: You must have the AirWatch Workspace application deployed for SSO configurations to work.

4. Integrated Authentication - Select Security Policies > Integrated Authentication. Allows access to corporate
resources, such as content repositories, through AirWatch Workspace using corporate credentials. These credentials
are not the same as the AirWatch SSO credentials.
Enter systems in the Allowed Sites field if you want to restrict AirWatch Workspace access to a specific set of sites.
This feature ensures that AirWatch does not expose credentials to non-trusted resources.

Note: Integrated Authentication works with only the AirWatch Browser at this time.

5. Restrictions - Select Security Policies > Data Loss Prevention. Some settings are not available for both Android and
iOS. The user interface displays labels identifying the supported platform. Complete the following options.


   • Enable Data Loss Prevention (iOS and Android) - Sets restrictions on sensitive data on devices.
   • Enable Printing (iOS) - Allows printing data from wrapped applications.
   • Enable Copy Paste (iOS and Android) - Allows the copying and pasting of data in wrapped applications.
   • Enable Camera (Android) - Allows the use of the camera function in wrapped applications.
   • Enable Bluetooth (Android) - Allows the use of the Bluetooth function in wrapped applications.
   • Limit Documents to Open Only in Approved Apps (iOS and Android) - Authorizes only select applications to open documents from wrapped applications. The feature requires the provision of the Bundle ID/Package ID of the allowed application to open documents. Enter the allowed applications in the Applications field.

6. Network Access - Select Security Policies > Network Access Control. Enable Network Access to allow the use of
wrapped applications when a device connects to cellular and Wi-Fi systems. Add a list of allowed service set
identifiers (SSIDs) in the Allowed SSIDs field to restrict network access to defined wireless local-area networks (WLANs).

7. Offline Access - Select Security Policies > Offline Access. Enable Offline Access to allow access to wrapped applications
when the device is not connected to the mobile network. Set a maximum time for offline access. This ensures the system has
access to the device periodically to check the compliance and security status.

8. Branding - Select Settings > Branding. Provide color branding to the Authentication page of the wrapped
application. You can set the color for the Authentication page background, for the text and for the toolbar among
other options.

Note: The AirWatch Solution supports Branding for the Authentication user interface when the Single Sign On
option is disabled.

9. Compliance - Select Security Policies > Compromised Protection. Enable compliance to block the device from
accessing the network when it is detected as compromised.

10. Proxy - Select Security Policies > App Tunnel. Enable App Tunnel to redirect all the HTTP and HTTPS traffic using a
proxy server. Select the type of proxy using the App Tunnel Mode setting.

Custom App Wrapping Profiles


If you want to create exceptions to your shared SDK configurations, use custom SDK profiles.
1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles.

2. Select Add Profile and choose App Wrapping Profile and the applicable platform.

3. Configure General settings and then complete the settings for the applicable payload. The options in the shared SDK
configurations and the custom SDK profiles are the same.

VPN On Demand
VPN on demand is available for internal applications using Cisco AnyConnect VPN and F5 VPN clients in combination
with AirWatch App Wrapping. The following instructions outline the process:


1. Create an app wrapping profile with the appropriate VPN details included by navigating to Groups & Settings > All
Settings > Apps > Settings And Policies > Profiles and selecting Add Profile, App Wrapping Profile, then Android.

2. Fill out General information as necessary, then select the VPN tab. Select Enable VPN On Demand. Select Save to
save the app wrapping profile.

3. Upload an internal application. Under the Wrapping tab, select Enable App Wrapping and select the profile you
created.

4. Configure the VPN profile. Select the VPN On Demand check box, then select Add. Select the App Wrapping profile
you created from the list. Select Save & Publish.
Any internal application that you wrap with the App Wrapping profile you created and that is also under an Organization Group
with this VPN profile will now use the VPN you configured for its network traffic.


Assigning an App Wrapping Profile

Overview
Now that your App Wrapping Profiles are established, you must assign the profile to your internal applications.

In This Section
Uploading the Application - Assign your custom or shared profile to your internal applications to complete the
configuration process.

Uploading the Application


Perform the following steps to assign the App Wrapping profile to internal applications:
1. Navigate to Apps & Books > Applications > List View > Internal > Add Application. Upload an .apk file for an
internal Android application or an .ipa file for an internal iOS application. For more information, refer to the Mobile
Application Management (MAM) Guide.

2. Navigate to the Wrapping tab in the Add Application screen.
   • Select the Enable App Wrapping option to enable the application for wrapping and to associate it with the wrapping profile. This screen interacts with the Wrapping Engine in the background to perform the actual wrapping process.


   • Shared App Wrapping Profile
      o For an Android application, select the Android Default Settings @ [Organization Group] profile.
      o For an iOS application, select the iOS Default Settings @ [Organization Group] profile.
   • Custom App Wrapping Profile
      o For an Android application, select the applicable custom or legacy App Wrapping Profile and choose to Require encryption, if applicable.
      o For an iOS application, select the applicable custom or legacy App Wrapping Profile, and upload the Mobile Provisioning File and Code Signing Certificate to re-sign the wrapped application.

3. Click Save. When saving, the AirWatch Admin Console sends the .apk/.ipa file and its request to the wrapping engine.
Upon successful wrapping, the Internal Application page shows the status as Application Successfully Wrapped.

Note: If you want to wrap a distributed application, you need to upload the same application as a new version. Then
wrap, save and assign the application. If you edit an App Wrapping profile, saving it updates the AirWatch Admin
Console record and deploys it to the application. When you save an application in the AirWatch Admin Console and
do not wrap it, you cannot wrap the saved application. You must re-upload the application and wrap it again.

Now that your application is wrapped with extra security and additional management features, you can redeploy it to the
enterprise App Catalog.


Appendix B - Feature Matrix


The AirWatch App Wrapping solution supports the following features beginning with the listed AirWatch releases.
Feature | Description | Android Support (AirWatch Release Version) | iOS Apple Support (AirWatch Release Version)
--- | --- | --- | ---
Single Sign On | Allows device users to sign in to one application and the same session lets users access other AirWatch applications, SDK applications, wrapped applications and other whitelisted corporate resources in the same Organization Group. Requires the AirWatch Workspace Application. | 6.5+ | 6.5+
Authentication | Requires users to authenticate when SSO is disabled. It also requires the configuration of an application passcode. Prompts users for the passcode periodically to access the wrapped application. | 6.5+ | 6.5+
Compliance | Detects and prevents compromised devices from accessing the AirWatch managed environment. | 6.4+ | 6.4+
App Tunneling: AirWatch Mobile Access Gateway (MAG) | Allows a wrapped application to access corporate resources using the App Tunneling feature provided by the AirWatch MAG. The AirWatch MAG offers protection against potential data loss and malicious attack by securing mobile communications with App Tunneling. App Tunneling allows only select applications to authenticate and securely communicate with back-end resources in the corporate network. | 6.4+ | 6.4+
App Tunneling: F5 Proxy | Allows a wrapped application to access corporate resources using the App Tunneling feature provided by F5 proxy architecture. | 6.4+ | 6.5+
Data Loss Prevention: Copy and Paste | Controls the ability of a wrapped application to copy and paste content. | 6.4+ | 6.5+
Data Loss Prevention: Camera | Controls the ability of a wrapped application to access the device camera. | 6.4+ | 6.5+
Data Loss Prevention: Bluetooth | Controls the ability of a wrapped application to access Bluetooth capabilities. | 6.4+ | Not Available
Data Loss Prevention: Open Documents with Approved Apps | Authorizes only select applications to open documents from wrapped applications. It requires the provisioning of the Bundle ID/Package ID of the allowed application to open documents. | 6.4+ | 6.5+
Network Access: Cellular Connection | Controls whether the device can use a wrapped application when the device connects to the network using a cellular system. | In Planning | 6.5+
Network Access: Wi-Fi Connection | Controls whether the device can use a wrapped application when the device connects to the network using a Wi-Fi system. | In Planning | 6.5+
Network Access: Allowed SSIDs | Controls the ability of wrapped applications to access networks based on service set identifiers (SSIDs). | In Planning | 6.5+
