The IBM MaaS360 Customer Success team recently hosted an Ask Me Anything about Application Compliance. You can expect more Ask Me Anything sessions in the future, with our next one planned for Nov 15, 2023! Have an idea for a topic? Comment below or send a suggestion to the IBM MaaS360 Customer Success team at csmaas@us.ibm.com.
Topics in the September 20, 2023 Ask Me Anything included:
- Where do Apps come from?
- What are Managed vs Unmanaged Apps?
- What controls are available?
- Open Q&A
If you have any additional questions, post them as a reply to this blog, reach out to your account representative, or contact the IBM MaaS360 Customer Success team by emailing csmaas@us.ibm.com.
For reference, here are the answers to the questions you posed during the session, along with a link to the presentation and replay. Thanks to all who joined us, we had a great discussion!
Link to Presentation
Link to Replay
Ask Me Anything Questions and Answers (the replay above also has demonstrations for each answer)
Q: How do you block the installation of the Outlook App on both iOS and Android? (30:31 on Video)
A: There are two ways for Android. Either do not add it to your MaaS360 App catalog, in which case the end user will not get the option to install it, or, if it is preinstalled on devices, search for Outlook in the Google Play store and find the App ID: com.microsoft.office.outlook. Edit the Android Security policy, go to App Compliance, select Configure Disabled Apps, and type com.microsoft.office.outlook in the Apps to be disabled.
A: For iOS BYOD, edit the iOS Security Policy and go to Device Settings > Application Compliance. Select Configure Restricted Applications and search for Microsoft Outlook in the Application Name. The App will still show up on the device, but the device will be marked Out of Compliance for the restricted app. You must then create a Compliance Rule with Application Compliance configurations to take actions, such as an alert to the device, selectively wiping the device, or changing the policy.
A: For iOS Supervised devices, edit the iOS Security Policy and go to Supervised Settings > Application Compliance. Select App Blocklist. In Configure Blocked Apps, search for and select Outlook. Conversely, you can create an App Allowlist and exclude Outlook.
Q: For Android Enterprise, can you show how to create a bundle, for example mail, docs and viewer, so we don't have to push them out individually? (40:00 Video)
A: In the portal, go to Apps > Bundles and create a bundle of individual Apps, then distribute it. https://www.ibm.com/docs/en/maas360?topic=overview-creating-app-bundle
Q: Is there a way to release all apps to an iOS device when a device is totally destroyed and can no longer connect to MaaS360? I release the apps and remove the device but the apps are still assigned to that device. (42:00 Video)
A: Go to Device Inventory. Click the Device view and then select More > Release App Licenses. This is for iOS VPP licenses only. Also, when you remove control or wipe the device, you will have the option to release the app licenses.
Q: With BYOD, are the controls the same and is the owner's phone segregated from the company's information? Do the controls affect what they can install? (44:00 Video)
A: If an iOS device is enrolled as a managed phone but not supervised and is newer than iOS 13, we have little control over what's installed, per Apple's requirements. However, it can still be flagged as out of compliance when a restricted application is installed, and compliance rule enforcement actions can then be taken. This requires you to set up a Compliance Rule.
A: For Android Enterprise BYOD, also called Profile Owner mode, the policy enables you to restrict installation of specific Apps within the work profile.
Q: If an allowed system app is accidentally deleted, how can it be reinstalled if there is no App store? (46:00 Video)
A: The system apps cannot be added back on the device without access to the App store because Apple has not made the applications available for us to add to our MaaS360 App catalog. The workaround for this is to change the user/device to a policy that allows them to install from the App Store temporarily, then toggle them back to a policy that doesn't allow it.
Q: When issuing a new phone to an employee, is there a way or app to best provide company contact information that will load automatically to their iPhone? Currently each employee has to manually add each contact into their phone unless a contact is shared and then they can save it. (47:30 Video)
A: Typically, companies will have their employees log into their email, such as Exchange, and all their contacts will show up. Outside of this, for iOS devices, you can go to your iOS Policy and select Advanced Settings > CardDav, which is an integration with something outside MaaS360. So if you already have a CardDav server, which is a contact server, you can use the policy configuration to push out the configuration. Another option is to take a Contacts file, add it to your MaaS360 Docs, and distribute it to your end users if you are entitled to MaaS360 Content Management. If you are unsure whether you are entitled to Content Management, reach out to your account manager or csmaas@us.ibm.com.
Q: What would be the best option for creating new policies to make the phone remove all apps, even apps such as contacts? I will use this policy when a remote employee leaves the company to make sure even if he has the phone he will not be able to do anything with the phone, and when I get the phone back, I will be able to change the policy back and see what that employee had downloaded. (49:57 video)
A: On Android, the easiest workflow would be to use Kiosk/COSU mode: go to the Android Policy, select COSU (Kiosk mode), Enable Kiosk Mode, and limit it to 1 App, like the MaaS360 App.
A: For iOS Supervised devices, go to the iOS policy, select Supervised Settings > Application Compliance, and configure an App Allowlist that includes only the Phone app and the MaaS360 app, for example. OR
A: For iOS Supervised devices, go to the Device Inventory device view for a selected device and select More > Mark Devices Lost. That will put the device into a Lost mode, which locks the device and pings its last location. To get it out of Lost mode, you mark the Device as found.
Q: Is there a way to allow all apps from the Google Play store for an "Unrestricted" user? (52:18 Video)
A: There is an API through Google that we don't have implemented yet. This has been submitted as a request for enhancement, now called an Idea. You can vote for this idea or put in your own request by selecting the ? in the upper right of the portal and then selecting Submit an Idea. Once that is implemented, there will be an option in the policy to allow use of the whole Google Play store. Alternatively, in the interim you can allow that user to log in with their own Google account inside the profile or on the device, and that will open up the whole Google Play store. This can be accomplished by assigning a policy to those unrestricted users that allows them to log into personal accounts.
Q: I have heard there are features to not allow users to copy and paste or forward email. If yes, where are those controls? (54:28 Video)
A: Copy and Paste is going to be specific to the operating system. In the Android Policy, there are Allow Clipboard, Allow Clipboard Sharing, and Allow Clipboard Sharing between Apps settings. In the policy, search for 'clipboard' and they will be displayed. They can also be found by going directly to Security > Data Security.
A: For iOS, go to the iOS policy and select Restrictions > Device Functionality, where there are the Allow Open from Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed Apps settings. For email, go to Device Settings > ActiveSync and select Prevent Moving Mail to other Accounts and Prevent Third Party Apps from Sending Mail.
A: If you have the MaaS360 Secure container for Mail, Browser, Docs, Apps, you will have options within the WorkPlace Persona Policy to restrict copy/paste and sharing there also.
Q: Do you recommend using bundles or specific apps?
A: This depends on your use case. A lot of customers find bundles useful when they have a set of apps for certain aspects of the business (sales, drivers, etc.) and want to keep control of specific apps for them. This also makes it easier for you to distribute all the Apps in the bundle at once versus having to distribute each App.
Q: On the dashboard - we have some phones that are showing risk exposure. How should we manage those with employees?
A: If you are referring to the Watson Advisor dashboard, you can select the Risk and a list of devices is displayed with the exposure. You can then message those devices with instructions to the user, or create a device group of those devices, which will enable you to take group actions or assignments on those devices. If you are referring to the User Risk Management security dashboard, we did an AMA around this feature; here is the recording: https://community.ibm.com/community/user/security/blogs/margaret-radford/2023/04/27/youve-got-questions-weve-got-answers-maas360-user?CommunityKey=9d8b7835-e47a-4850-b400-d8c77708af84
Q: The iPhones do not get the alert notification for emails like the Androids. Checking if there is a setting that we are missing for this? (56:37 Video)
A: If you are using MaaS360 Secure Mail on iOS devices, this requires the use of the free MaaS360 Cloud Extender with the Email Notification module configured: https://www.ibm.com/docs/en/maas360?topic=module-configuring-exchange-email-notifications (for native mail, notifications should be displaying).
Q: Are there any risks to the person's personal iPhone with a BYOD profile added? (59:00 video)
A: On iOS devices there is a newer enrollment mode called iOS User Enrollment, which is true BYOD, separating Work from Personal. This requires integration with Apple Business Manager to make Managed Apple IDs. Any settings in your iOS policy marked UE refer to iOS User Enrollment. There is no risk associated with the device with this enrollment method. Alternatively, for iOS BYOD most companies will do a standard enrollment through Safari, which installs a management profile on the device that applies to the entire device. In this case, the Administrator has the option of wiping the device. You do have the option of creating custom Admin roles that do not allow the Wipe action.
Q: We use Gmail for company and personal contacts, but it allows users to circumvent and add apps not in compliance and MaaS360 does not flag them. Is there a way to stop this? (1:00:55 Video)
A: If a device is enrolled in Android Enterprise and you have allowed access to users to log in with their own Google account, then you are opening up the Google Play store to installing applications. You can then use the App Compliance settings in the Android policy to configure allowed or restricted apps.
Q: Is there a setting where you can keep the screen open without a timeout set on an iOS device? (1:02:25 Video)
A: In the iOS policy, go to Device Settings > Passcode and select an Idle time before AutoLock and Grace Period for Device Lock.
Q: What would be shown on the end user computer when adding a new required app? Will it be automatically downloaded or will they be prompted to download on Mac OS? (1:04:18 Video)
A: When you add a macOS application to the MaaS360 App Catalog and distribute it, you have the option to notify the user via a device notification and/or email to install.
Q: What setting allows users to download whatever app they want from the App store for iOS supervised devices? (1:06:20 Video)
A: In the iOS policy, go to Supervised Settings > Restrictions & Network and select Allow Usage of App Store. They will need to use their own Apple ID, so you will need to allow them to log in with their Apple ID.
Q: Do iOS corporate supervised devices require an iCloud login on the non-supervised side, or is there a way to not require or disable it? (1:07:36 Video)
A: There is no supervised/non-supervised side on iOS. When an iOS device is enrolled as Supervised, you're controlling the whole device. There is no partition like you would see with iOS User Enrollment mode. If you are allowing the user to go to the store and install anything they want on a Supervised device, then they will need an Apple ID to install those apps. If the Apps are coming from MaaS360 with Volume Purchase Program codes, then no Apple ID is needed for those Apps.
Q: If the user has access to settings on the iOS Supervised device, is there a way to keep a user from applying their own iCloud account to the device? (1:09:00 Video)
A: In the iOS policy, go to Supervised Settings > Restrictions & Network and disable Allow Account Modification. This will prevent the user from logging into any account that is not being pushed by the MDM.
Q: If Outlook is pushed to the device from the MaaS360 App Catalog is there a way to have it autoconfigured for the Outlook client? (1:09:50)
A: Yes, go to Apps > App Configurations and you can add app configurations for the Outlook App by Platform. The Outlook App has to already be added to your MaaS360 App Catalog. https://www.ibm.com/docs/en/maas360?topic=configurations-creating-app-configuration
Q: I understand how to Allow or Block Apps such as YouTube. But what prevents staff from using the browser to go to Youtube.com? (1:11:41 Video)
A: For iOS supervised devices, if you are allowing use of Safari, you can go to Supervised settings in the iOS Policy and select Web content. Select Configure Web Content Settings, then you can control access to specific Websites.
A: For Android, go to the Android Policy and select Browser and configure block lists and exception lists as needed.
Q: If I manage over 100 devices, how do I uninstall an App from all the devices? (1:13:56 Video)
A: If it's an application you distributed, the easiest way is to select the App in the MaaS360 App Catalog. Make sure you have selected Remove on Stopping Distribution, then click the X next to the Distributions in the App Summary to remove the distributions. This will stop the distribution, and the application will then be automatically removed from the devices within 24 hours. Alternatively, you can use the Remove App action for a specific Device Group in Devices > Groups.