Nine Work Support Center

Contact Us

How to configure App Configuration Policies

Overview

Nine Work is a full-fledged email application for Android based on Direct Push technology to synchronize with Microsoft Exchange Server using Microsoft Exchange ActiveSync, and also designed for entrepreneurs or ordinary people who want to have efficient communication with their colleagues, friends, ‎and family members at anytime, anywhere. You may already have good experience with other E-Mail apps for Android. Regardless of your existing experience, we will give you a superb experience more than anything else. Leveraging E-Mail, Contacts, Calendar, Tasks and Notes on your mobile devices through wireless networks enhances your user experience and dramatically reduces your time.

Android Package Name: com.ninefolders.hd3.work

App availability

First, to get an AppConnect-enabled version of Nine Work for Android, please contact us at support@9folders.com and we will provide the Nine Work app.

When you receive the app package, you can deploy it to your registered employees in a few easy steps.

From your Core Admin Portal, head to Apps > App Catalog > Add+

You’ll be taken through a wizard to upload the apk file. Make sure to select “In-house App” so that you have the opportunity to upload the app package:

You do not have to fill out any other fields or provide any additional screenshots. After finishing the wizard, your app will be listed but not deployed to any devices. To send it to a certain user segment, you’ll have to apply a label to it:

In the case here, applying the “Android” label automatically sends the application down to all registered Android devices in this enterprise.

Device compatibility

Only devices running Android 4.0.3 (Ice Cream Sandwich) and up are supported by our app.

App-specific configuration

App Service Configuration allows the application to connect to the appropriate app web services for an organization.

* App Service Configuration allows the application to connect to the appropriate app web services for an organization.

Key
Required
Type
Example
Default
Description
AppServicePublisher

Y

String

(e.g. MobileIron)

MDM service provider
AppServiceHost

Y

String

(e.g. appserver.com)

Hostname used to communicate with the application’s primary server (e.g. myserver.com). Application should implement its own default value.
AppServiceSecondaryHost

N

String

(e.g. appserver.com)

Server address for the subordinate accounts
AppServiceSecondaryHosts
NString(e.g. appserver.com;example.com)

Server addresses for the subordinate accounts.
AppSecondaryEmailDomains
NString(e.g. appserver.com;example.com)

Email domains for the subordinate accounts.
AppServicePort

N

Integer

(e.g. 443)

443

Port number used to communicate with the application’s primary server (e.g. 443). Application should implement its own default value.
AppServiceUseSSL

N

Boolean

(e.g. True, False)

true

Determines if the application should use SSL when communicating to the applications’ server. Application should implement a default value.
AppServiceSSLTrustAll

N

Boolean

(e.g. True, False)

true

Accept all SSL certificates
AppDeviceIdPrefix

N

String

(e.g. MSFT, YHOO)

Nine

Prefix for distinguishing DeviceID, (4 alphabetic letters)
AppDeviceId

N

String

(e.g. $DEVICE_SN$)

Device ID that the ActiveSync server uses for the device.
Important: Always use the variable $DEVICE_SN$
AppUserAgent
N

String

(e.g. Nine, MDM)

App name which is used in User Agent
AppUserAgentPrefix
N

String



Full text which is used in User Agent
AppDeviceType

N

String

(e.g. Android)

Android

Device Type
AppLoginCertificate

N

String



Select the SCEP or Certificate setting from the dropdown list. You configure these settings in Policy & Configs > Configurations. When you choose a SCEP or Certificate setting, Core sends the contents of the certificate as the value.
If the certificate is password- encoded, Core automatically sends another key-value pair. The key’s name is the following string:
<name of key for
certificate>_MI_CERT_PW
The value is the certificate’s password.
Note: If you are not using certificates to authenticate the device to the Sentry, delete the AppLoginCertificate key from the AppConnect app configuration.
AppUseLoginCertificate

N

Boolean

(e.g. True, False)

true

Client CA
AppReqParamPlaintext
N

Boolean

(e.g. True, False)
False

"The query value format in the URI contains all of the ActiveSync URI parameters.

e.g.)

Base64:

POST /Microsoft-Server-ActiveSync?jAAJBAp2MTQwRGV2aWNlAApTbWFydFBob25l HTTP/1.1

Plain text:

POST /Microsoft-Server- ActiveSync?Cmd=Sync&User=rmjones&DeviceId=v140Device&DeviceType=SmartPhone HTTP/1.1"

AppUseModernAuthentication

N

Boolean

(e.g. True, False)

false

Modern Authentication (ADAL)
AppPasswordEnable
NInteger(e.g, -1, 0, 1)
-1

App password Enable

-1 : Use Exchange Policy

0 : Disabled

1 : Enabled

AppPasswordComplexity
NInteger
(e.g. 0, 1)
0App password complexity (0 : Simple, 1: Alphanumeric)
AppPasswordMinLength
NInteger
(e.g. 4)
0App Password Minimum length
AppPasswordExpirationDays
NInteger
(e.g. 90)
0App Password expiration date
AppPasswordHistory
NInteger
(e.g. 9)
0App Password History counts
AppPasswordMaxFailed
NInteger
(e.g. 10)
0App Password Maximum failure counts
AppPasswordLockTime
NInteger
(e.g. 60)
0App Password Maximum Lock Time (Min.)
AppPasswordComplexChar
NInteger
(e.g. 0)
0

App Password complex characters

0 : none

1,2 : letter + digit

3 : letter + digit + symbol

4 : letter (upper & lower) + digit + symbol

AppUserAgentDetails
NStringEx) $OS $VERSION
$APP_VERSION
$APP_VERSION_CODE

Extra information for UserAgent
Eg> $OS $VERSION $APP_VERSION $APP_VERSION_CODE (Case sensitive) - SNINE4W-hero2ltexx/NRD90M (Android 7.0.1 4.0.3b 2402300)
AppLauncherShortcuts
NString
[
"Mail",
"Calendar",
"Contacts",
"Tasks",
"Notes"
]

eg)
Add Calendar and Tasks shortcuts as default.
[
"Calendar",
"Tasks"
]
AppSecureMailLoadRemoteImages
NInteger(e.g. -1, 0, 1, 2)
-1-1: User can select the option
0: Do not load
1: Ask before displaying remote images
2: Always display remote images
AppLDAPConfigurations
NString (JSON)
e.g.
[
  {
    "Description": "Default",
    "ServerAddress": "ldap.example.com",
    "ServerPort": "389",
    "TransportSecurity": 1,
    "SearchBase": "dc=mkt,dc=mainstore,dc=com",
    "BindDN": "",
    "BindPassword": ""
  }
]

Description : Title of the configuration (mandatory, unique)
ServerAddress : LDAP server address or IP address  (mandatory)
ServerPort : LDAP server port (mandatory)
TransportSecurity : 0: None, 1: SSL, 2: StartTLS
SearchBase : LDAP Naming base DN  (mandatory)
BindDN : Leave empty for anonymous
BindPassword : Leave empty for anonymous
AppSelectiveAuthentication
NBoolean
(e.g. True, False)
false


* User Configuration allows the application to detect the user of the application, however does not authenticate the user.

Key
Required
Type
Example
Default
Description
UserName

Y

String

(e.g. wtillman)
 
Username of the user who is using the device. Value to be used by application to authenticate user.
Typically, you use the Core variable $USERID$.
If your ActiveSync server requires a domain, use <domain name>\$USERID$. For example: mydomain\$USERID$.
You can also use combinations of these Core variables, depending on your ActiveSync server requirements: $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
UserEmail

Y

String

(e.g. will@company.com)
 
Email address of the user who is using the application
Typically, this field uses the Core variable $EMAIL$.
You can also use combinations of these Core variables, depending on your ActiveSync server requirements:
$USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
UserPassword

N

String

(e.g. ****)

Password for the user who is using the application
If you provide a password, Nine Work does not prompt the device user for the password.
Delete this key if you want the device user to enter the password when using Nine Work. MobileIron recommends deleting the key.
You can use the Core variable $PASSWORD$ if you have checked Save User Password in Settings > Preferences. Core then passes the user’s password as the value to the device.
Caution: If you plan to use the $PASSWORD$ variable, be sure to set Save User Password to Yes before any device users register. If a device user was registered before you set Save User Password, Nine Work prompts the user to enter the password manually.
UserDomain

N

String

(e.g. NADOMAIN)
 
Domain of the user who is using the application
UserDisplayName

N

String

(e.g. James)
 
User name which is displayed in Nine app
UserSignature

N

String

(e.g. ABC Company, James, CIO, +4081234567)
 
Email signature. If empty, use "Sent from Nine"
UserLicenseNumber

N

String

(e.g. 123456781234)
 
License key which is purchased in 9Folders web site
UserSMIMESignCertificate

N

String



This key specifies the certificate to use for signing S/MIME emails.
Select the SCEP setting from the dropdown list.
You configure these settings in Policy & Configs > Configurations.
When you choose a SCEP setting, Core sends the contents of the certificate as the value.

When Nine Work receives this key:
• It imports the key into the keystore.
• It selects the certificate as the signing certificate.
UserSMIMEEncryptCertificate

N

String



This key specifies the certificate to use for encrypting S/MIME emails.
Select the SCEP setting from the dropdown list.
You configure these settings in Policy & Configs > Configurations.
When you choose a SCEP setting, Core sends the contents of the certificate as the value.

When Nine Work receives this key:
• It imports the key into the keystore.
• It selects the certificate as the encryption certificate
UserEmailSyncRange

N

Integer



0: All
1: 1 Day
2: 3 days
3: 1 week
4: 2 weeks
5: 1 month
UserEmailDownloadSize

N

Integer



0: All
1: 10KB
2: 20KB
3: 50KB
4: 100KB
UserFontFamily

N

String

(e.g. Calibri, Arial, Helvetica, sans-serif)

Default font family for outgoing email.
UserFontSize

N

String

(e.g. 11.5)

Default font size for outgoing email.
UserFontColor

N

String

(e.g. #000000)

Default font color for outgoing new email.
UserReplyFontColor

N

String

(e.g. #1F497D)

Default font color for reply email.
UserInAppCalendarNotification

N

Boolean

(e.g. True, False)
True
Calendar notification settings
UserDefaultEditor

N

Integer

(e.g. 0, 1)
0
0: Rich Text Editor
1: Text Editor
UserMessageFormat
NInteger(e.g. 0, 1, 2)
10: TEXT
1: HTML
2: MIME
UserReFwdSeparatorStyle
NInteger

0: No separator
1: 1px
2: 2px
3: Outlook 2016
UserSyncSystemCalendarStorage
NBoolean(e.g. True, False)
falseDefault value for syncing to the system Calendar storage
UserSyncSystemContactsStorage
NBoolean(e.g. True, False)
falseDefault value for syncing to the system Contacts storage
UserAutoAdvance
NInteger
00: Open the previous item
1: Open the next item
2: Return to the current folder
UserBiometricUnlock
NBoolean(e.g. True, False)
false
UserNotesTemplate
NString

Ex) "UserNotesTemplate": {  
"Title": "Memo",  
"Template": "To: \nFrom: \nDate: \nSubject: \n\n"
}
UserContactsFieldsLevel

N

Integer

(e.g. 0, 1)
0
0: All Fields
1: Minimum Fields (Name Fields, Phone Fields, Photo Field)
UserDownloadableAttachmentsMaxSize
NInteger
0xx: xxMB Limited
0: Unlimited (Default)
eg)
10: 10MB Limited
25: 25MB Limited
UserSyncWhenRoaming
NInteger
(e.g. 0, 1)
00: Off
1: On
EnforceSyncWhenRoaming
NBoolean
(e.g. True, False)
false


* Branding Configuration allows an application to customize the look and feel for a specific organization.

Key
Required
Type
Example
Default
Description
BrandingLogo

N

String

(e.g.. http://myserver/image.png)
 
String representing HTTP URL of the image to download and display as the main wallpaper within the application. Each application could implement the visual representation differently.
- Recommend format: PNG (Other formats are applicable)
- Background color: #ff009688
- Recommend resolution: 720x264 (Max 1024x1024)
BrandingSplashLogo
NString(e.g.. http://myserver/image.png)

String representing HTTP URL of the image to download and display as the logo image in the splash screen. Images recommended to be in PNG format.
Size: 720x264
BrandingName

N

String

(e.g. Company Name)
 
String representing the company name which could be displayed in the application.
BrandingColor
NString(e.g. #1F497D)

RGB(31, 73, 125)


* Security (or Custom) Settings allows an application to enable or disable certain security features

Key
Required
Type
Example
Default
Description
AllowEmailSync

N

Boolean

(e.g. True, False)

true

Allow Email sync
AllowCalendarSync

N

Boolean

(e.g. True, False)

true

Allow Calendar sync
AllowContactsSync

N

Boolean

(e.g. True, False)

true

Allow Contacts sync
AllowTasksSync

N

Boolean

(e.g. True, False)

true

Allow Tasks sync
AllowNotesSync

N

Boolean

(e.g. True, False)

true

Allow Notes sync
AllowPrint

N

Boolean

(e.g. True, False)

true

Allow print
AllowShareContents

N

Boolean

(e.g. True, False)

true

Allow to share the contents of Email/Tasks/Notes
AllowShareAttachment

N

Boolean

(e.g. True, False)

true

Allow to share the attachments to 3rd party app
AllowSaveAttachment

N

Boolean

(e.g. True, False)

true

Allow to save attachments into external storage
AllowGalShare

N

Boolean

(e.g. True, False)

true

Allow to deliver the GAL search results to 3rd party app
IgnoreExchangePolicy

N

Boolean

(e.g. True, False)

false

Disregard Exchange Policy. Instead, MDM controls the policy.
AllowDeleteOwnAccount

N

Boolean

(e.g. True, False)

true


AllowMultipleAccount
N
Boolean
(e.g. True, False)

false

Allow to set up multiple accounts
AllowReFwdFromDA
N
Boolean
(e.g. True, False)

true

Allow to forward or reply from a different account than the message originated from.
AllowAutoConfig
NBoolean(e.g. True, False)
false
AllowSyncSystemCalendarStorage
N
Boolean
(e.g. True, False)

true


Allow for Nine Calendar data to sync to system calendar storage.


Users can see Nine Calendar data on the stock Calendar app.


AllowSyncSystemContactsStorage
N
Boolean
(e.g. True, False)

true


Allow for Nine Contacts data to sync to system contacts storage.
Users can see Nine Contacts data on the stock Contacts app.


AllowSecondaryAccountEmailSync
N
Boolean
(e.g. True, False)

true

Allow to sync Email for the secondary accounts
AllowSecondaryAccountCalendarSync
N
Boolean
(e.g. True, False)

true

Allow to sync Calendar for the secondary accounts
AllowSecondaryAccountContactsSync
N
Boolean
(e.g. True, False)

true

Allow to sync Contacts for the secondary accounts
AllowSecondaryAccountTasksSync
N
Boolean
(e.g. True, False)

true

Allow to sync Tasks for the secondary accounts
AllowSecondaryAccountNotesSync
N
Boolean
(e.g. True, False)

true

Allow to sync Notes for the secondary accounts
AllowExportMessage
N
Boolean
(e.g. True, False)

true

Allow to export Message
AllowEWSConnectivity
NBoolean(e.g. True, False)
trueAllow EWS connectivity for the features such as  Shared Calendar features.
AllowBiometricUnlock
NBoolean(e.g. True, False)
trueAllow Biometric authentication such as Fingerprint to unlock screen.



AppTunnel support

AppTunnel settings are not applicable for Nine Work. If you are using a Standalone Sentry, all communication with the ActiveSync server is through a secure connection to the Standalone Sentry.

ActiveSync server synchronization due to app configuration

Nine Work synchronizes all emails, tasks, notes, contacts and calendar items with the ActiveSync server when the device user first launches Nine Work. It also does a full synchronization or delete account if you change the values of the following keys in the app configuration:

The full synchronization or delete account occurs the next time the device checks in after you have changed the app configuration.

User features

For more details on Nine Work for Android’s feature set in general, please see our listing on Google Play:

https://play.google.com/store/apps/details?id=com.ninefolders.hd3.work

Configuration tasks

Use the following high-level steps to configure AppConnect for the app.

  1. Enable AppConnect.
  2. Configure Standalone Sentry for email attachment control
  3. Configure device and server authentication on Sentry
  4. Configure an AppConnect global policy.
  5. Configure a new AppConnect app configuration for the app.
  6. Configure a new AppConnect container policy for the app.

Enable AppConnect

Before enabling AppConnect on your Core, confirm that your organization has purchased the required AppConnect licenses.  Contact your MobileIron representative if you require additional details on AppConnect license purchases.

To enable AppConnect and AppTunnel functionality on the Core, navigate to the Settings page on the Core Admin Portal and check the boxes as shown below.

  1. Select the option for “Enable AppConnect for third-party and in-house apps”.
  2. Select the option of “Enable AppTunnel for third-party and in-house apps”.


Configure Standalone Sentry for email attachment control

If you are using a Standalone Sentry, configure the Standalone Sentry to deliver email attachments to Nine Work:

  1. Go to Settings > Sentry in the MobileIron Core Admin Portal.
  2. Select the Standalone Sentry that handles email for the devices.
  3. Select the edit icon.
  4. In the section Attachment Control Configuration, select Enable Attachment Control.
  5. For iOS And Android Using Secure Apps, select Open With Secure Email App.
  6. Click Save.

Configure device and server authentication on Sentry

If you are using a Standalone Sentry, the Standalone Sentry interacts with your enterprise’s ActiveSync server. A device authenticates to the Sentry (device authentication) and the Sentry authenticates the device to the ActiveSync server (server authentication). For details on setting up the authentication methods, see “Device and server authentication support for Standalone Sentry” in the MobileIron Sentry Guide.

If you are using certificates for device authentication, you create a SCEP or Certificates setting, as described in “Certificates settings” and “SCEP settings” in the MobileIron Core Device Management Guide or the Connected Cloud Device Management Guide.

Then, you specify that SCEP or Certificates setting in the AppConnect app configuration for Nine Work.

Configure an AppConnect global policy

An AppConnect global policy configures the security settings for all AppConnect apps, including:

To modify an existing AppConnect global policy:

  1. On the Core Admin Portal, go to Policies & Configs > Policies.
  2. Select an AppConnect global policy.
  3. Click Edit.
  4. Edit the AppConnect global policy based on your requirements.
    See the AppConnect and AppTunnel Guide for details about each field.

Configure a new AppConnect app configuration

The AppConnect app configuration defines the app-specific parameters that are automatically pushed down to the app, as well as configurations for establishing and authenticating an AppTunnel associated with the app. See the AppConnect and AppTunnel Guide for details about each field.

Also, for more on AppTunnel configuration, see “Adding AppTunnel Support” in the AppConnect and AppTunnel Guide

Use the following steps to configure the app-specific configuration:

  1. On the Core Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > App Configuration.
  2. Edit the AppConnect app configuration with the Name, Description, Application,  AppTunnel configuration including the identity certificate, and App-specific key-value pair configurations required for the app.
    Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID. You can find the bundle ID by going to Apps > App Catalog, and clicking the hyperlink to edit the app. The bundle ID resides in the Inventory field in parenthesis.
  3. AppTunnel:  Click on the “Add+” button and enter the AppTunnel details.  The AppTunnel service for this app must be pre-configured in order to use it here.
  4. App Specific Configuration:  Click on the “Add+” button to enter the key-value pair information.

Configure a new AppConnect container policy

An AppConnect container policy specifies data loss protection policies for the app.  The AppConnect container policy is required for an app to be authorized unless the AppConnect global policy allows apps without a container policy to be authorized. Such apps get their data loss protection policies from the AppConnect global policy.

Details about each field are in the AppConnect and AppTunnel Guide.

To configure an AppConnect container policy:

  1. On the Core Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > Container Policy.
  2. Enter the Name, Description, and Application.
    Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID. You can find the bundle ID by going to Apps > App Catalog, and clicking the hyperlink to edit the app. The bundle ID resides in the Inventory field in parenthesis.
  3. Configure the data loss protection policies according to your requirements.