Trust Enterprise Apps


GroundControl can now install Enterprise Apps to your devices. One additional step is needed to complete installation: your device has to establish trust with the app developer before the apps will launch. There are three options to establish trust:

  1. Use MDM to convert the unmanaged app to a managed app
  2. Tap on the device to explicitly trust the app developer
  3. Restore a backup of a previously-trusted device as part of the workflow

Details for each method are below. We will add instructions for additional MDMs in the future.

AirWatch will automatically and silently “trust” any enterprise app that it finds on a device if you follow the instructions below. You must perform these steps for each enterprise app you wish to load, but you only need to perform them once. We assume AirWatch is already pushing the apps to the intended devices.

In your AirWatch console click on Apps & Books > Applications > List View > Internal. Click on the pencil icon to edit the app. On the “Details” tab, scroll down and in the section “Make App MDM Managed if User Installed” select “Yes.”

MobileIron Cloud will automatically and silently “trust” any enterprise app that it finds on a device if you follow the instructions below. You must perform these steps for each enterprise app you wish to load, but you only need to perform them once. We assume MobileIron Cloud is already set up to push the apps to the intended devices on enrollment.

In the MI Cloud console, click on Apps > App Catalog and click your app name. Click the App Configurations tab. Edit an existing app configuration by clicking the number next to the “plus” sign (probably “1”).

From the “App Configurations Summary” window, click on an appropriate configuration, which may be named “Install Application configuration settings.”

In the “Configuration Setup” screen, click on “Edit” and select the “Convert to Managed App” check box. “Install on Device” must also be checked so that the process is performed on enrollment. Save your changes.

MobileIron Core does not natively support converting unmanaged apps to managed apps on device enrollment. With GroundControl, we’re able to call the appropriate Core APIs to perform this function on devices during the deployment process, using the Enroll MDM action. As with other MDMs, make sure your enterprise app is uploaded to MobileIron Core and assigned to the device.

You can manually trust a developer without MDM. On the iOS device, tap on Settings > General > Profiles & Device Management. Look for the “Enterprise App” section and tap on the app name. Tap on Trust to continue.

Note that this method trusts the app developer, not just the app. Once the developer has been trusted, all other apps signed by the same developer are implicitly trusted.

You may use a backup of a master device to restore to your fleet, and the fleet will allow the app to launch.

  • If your devices are running iOS 11, your master device must be running iOS 10.3 or later.
  • If your devices are all pre-iOS 11, you may use a master device running iOS 9.3.5 or iOS 10.x.

Use the process described immediately above to trust the app developer on your master device. Next, using the instructions in our documentation, create a backup of your master device, and upload the backup to GroundControl.

Once your backup is ready, create a workflow that (a) restores the backup and (b) installs the enterprise apps.

Notes:

  • The device must confirm a valid app provisioning with Apple, so the device must have a WiFi or cellular network connection.
  • WiFi sometimes takes several minutes to obtain an IP address, during which time the app installation may fail. Splitting the deployment into two parts — first WiFi then app installs — may help with this issue.
  • Remember that iOS devices actually trust the app developer, not the specific app. So this method effectively trusts all apps signed by the same developer.
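Because trust is granted per developer rather than per app (both for the manual method and for a restored backup), it helps to know which of your enterprise apps share a signer before you trust one of them. The following is an added example, not GroundControl code: it reads the `embedded.mobileprovision` inside each IPA and groups the apps by signing team. It assumes the team recorded in the profile identifies the developer the device will trust, it does not verify the profile's signature, and the IPAs, team IDs and team names are constructed sample data.

```python
import io, plistlib, zipfile
from collections import defaultdict

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped profile (signature NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def signer_of(ipa: bytes) -> tuple:
    """Return (team_id, team_name, is_enterprise_profile) for one IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.count("/") == 2
                 and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            raise ValueError("IPA has no embedded.mobileprovision")
        p = profile_plist(z.read(names[0]))
    return (p["TeamIdentifier"][0], p.get("TeamName", "?"),
            bool(p.get("ProvisionsAllDevices", False)))

def trust_scope(ipas: dict) -> dict:
    """Group IPA names by signing team: trusting one app trusts its whole group."""
    groups = defaultdict(list)
    for name, data in ipas.items():
        team_id, team_name, _ = signer_of(data)
        groups[(team_id, team_name)].append(name)
    return {k: sorted(v) for k, v in groups.items()}

# --- constructed sample input (not real apps, teams or profiles) ---
def fake_ipa(app, team_id, team_name):
    plist = plistlib.dumps({"TeamIdentifier": [team_id], "TeamName": team_name,
                            "ProvisionsAllDevices": True})
    blob = b"\x30\x82\x00\x00" + plist + b"\x00sig"  # stand-in for the CMS wrapper
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"Payload/{app}.app/embedded.mobileprovision", blob)
    return buf.getvalue()

SAMPLE = {
    "Kiosk.ipa": fake_ipa("Kiosk", "EXAMPLE0001", "Example Corp"),
    "Survey.ipa": fake_ipa("Survey", "EXAMPLE0001", "Example Corp"),
    "Vendor.ipa": fake_ipa("Vendor", "EXAMPLE0002", "Example Vendor Ltd"),
}

if __name__ == "__main__":
    for (tid, tname), apps in trust_scope(SAMPLE).items():
        print(f"{tname} ({tid}): {', '.join(apps)}")
```

To run it against real files, build the input dictionary from the bytes of the IPAs you plan to deploy instead of `SAMPLE`.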