Trust Enterprise Apps

Mobile Access Management can now install Enterprise Apps to your devices. One additional step to fully complete installation: your device has to establish trust with the app developer in order for the apps to launch.

There are three options to establish trust:

  1. Use MDM to convert the unmanaged app to a managed app.

  2. Tap on the device to explicitly trust the app developer.

  3. Restore a backup of a previously-trusted device as part of the workflow.

Details for each method are below. We will add instructions for additional MDM in the future.

Omnissa Workspace ONE will automatically and silently "trust" any enterprise app that it finds on a device, if you follow the following instructions. You must perform these steps for each enterprise app you wish to load, but you only need to perform these instructions once. We assume AirWatch is already pushing the apps to the intended devices.

  1. In the Workspace ONE console, click on Apps & Books > Applications > List View > Internal.

  2. Click on the pencil icon to edit the app.

  3. On the Details tab, scroll down and in the section Make App MDM Managed if User Installed select Yes.

Ivanti Neuron (formerly MobileIron Cloud) will automatically and silently "trust" any enterprise app that it finds on a device, if you follow the following instructions. You must perform these steps for each enterprise app you wish to load, but you only need to perform these instructions once. We assume Ivanti Neuron is already set up to push the apps to the intended devices on enrollment.

  1. In the Ivanti Neuron console, click on Apps > App Catalog and click your app name.

  2. Click the App Configurations tab.

  3. Edit an existing app configuration by clicking the number next to the plus sign (probably "1").

  4. From the App Configurations Summary window, click on an appropriate configuration, which may be named Install Application configuration settings.

  5. In the Configuration Setup screen, click Edit and select the Convert to Managed App check box. Install on Device must also be checked so that the process is performed on enrollment. Save your changes.

Ivanti Endpoint Manager Mobile (formerly MobileIron Core) does not natively support the conversion from unmanaged apps to managed on device enrollment. Mobile Access Management is able to call the appropriate Ivanti APIs to perform this function on devices during the deployment process, using the Enroll MDM action. Similar to other MDMs, make sure your enterprise app is uploaded to Ivanti Endpoint Manager Mobile and assigned to device.

You can manually trust a developer without MDM.

  1. On the iOS device, tap on on Settings > General > Profiles & Device Management. Look for the Enterprise App section and tap on the app name.

    Click on Trust to continue.

NOTE:

This method trusts the app developer, not just the app. Once the developer has been trusted, all other apps signed by the same developer are implicitly trusted.

You may use a backup of a master device to restore to your fleet, and the fleet will allow the app to launch.

  • If your devices are running iOS 11, your master device must be running 10.3 or later.

  • If your devices are all pre-iOS 11, you may use a master device running iOS 9.3.5 or iOS 10.x

Use the process described immediately above to trust the app developer on your master device. Next, using the instructions in our documentation, create a backup of your master device, and upload the backup to Mobile Access Management.

Once your backup is ready, create a Workflow that (a) restores the backup and (b) installs the enterprise apps.

NOTE:

  • The device must confirm a valid app provisioning with Apple, so the device must have a Wi-Fi or cellular network connection.

  • Wi-Fi sometimes takes several minutes to obtain an IP address, during which time the app installation may fail. Splitting the deployment into two parts — first Wi-Fi then app installs — may help with this issue.

  • Remember that iOS devices actually trust the app developer, not the specific app. So this method effectively trusts all apps signed by the same developer.