How to configure App Configuration Policies

Overview

Nine Work is a full-fledged email application for Android based on Direct Push technology to synchronize with Microsoft Exchange Server using Microsoft Exchange ActiveSync, and also designed for entrepreneurs or ordinary people who want to have efficient communication with their colleagues, friends, ‎and family members at anytime, anywhere. You may already have good experience with other E-Mail apps for Android. Regardless of your existing experience, we will give you a superb experience more than anything else. Leveraging E-Mail, Contacts, Calendar, Tasks and Notes on your mobile devices through wireless networks enhances your user experience and dramatically reduces your time.

Android Package Name: com.ninefolders.hd3.work

App availability

First, to get an AppConnect-enabled version of Nine Work for Android, please contact us at support@9folders.com and we will provide the Nine Work app.

When you receive the app package, you can deploy it to your registered employees in a few easy steps.

From your Core Admin Portal, head to Apps > App Catalog > Add+

You’ll be taken through a wizard to upload the apk file. Make sure to select “In-house App” so that you have the opportunity to upload the app package:

You do not have to fill out any other fields or provide any additional screenshots. After finishing the wizard, your app will be listed but not deployed to any devices. To send it to a certain user segment, you’ll have to apply a label to it:

In the case here, applying the “Android” label automatically sends the application down to all registered Android devices in this enterprise.

Device compatibility

Only devices running Android 4.0.3 (Ice Cream Sandwich) and up are supported by our app.

App-specific configuration

App Service Configuration allows the application to connect to the appropriate app web services for an organization.

* App Service Configuration allows the application to connect to the appropriate app web services for an organization.

Key	Required	Type	Example	Default	Description
AppServicePublisher	Y	String	(e.g. MobileIron)		MDM service provider
AppServiceHost	Y	String	(e.g. appserver.com)		Hostname used to communicate with the application’s primary server (e.g. myserver.com). Application should implement its own default value.
AppServiceSecondaryHost	N	String	(e.g. appserver.com)		Server address for the subordinate accounts
AppServiceSecondaryHosts	N	String	(e.g. appserver.com;example.com)		Server addresses for the subordinate accounts.
AppSecondaryEmailDomains	N	String	(e.g. appserver.com;example.com)		Email domains for the subordinate accounts.
AppServicePort	N	Integer	(e.g. 443)	443	Port number used to communicate with the application’s primary server (e.g. 443). Application should implement its own default value.
AppServiceUseSSL	N	Boolean	(e.g. True, False)	true	Determines if the application should use SSL when communicating to the applications’ server. Application should implement a default value.
AppServiceSSLTrustAll	N	Boolean	(e.g. True, False)	true	Accept all SSL certificates
AppDeviceIdPrefix	N	String	(e.g. MSFT, YHOO)	Nine	Prefix for distinguishing DeviceID, (4 alphabetic letters)
AppDeviceId	N	String	(e.g. $DEVICE_SN$)		Device ID that the ActiveSync server uses for the device. Important: Always use the variable $DEVICE_SN$
AppUserAgent	N	String	(e.g. Nine, MDM)		App name which is used in User Agent
AppUserAgentPrefix	N	String			Full text which is used in User Agent
AppDeviceType	N	String	(e.g. Android)	Android	Device Type
AppLoginCertificate	N	String			Select the SCEP or Certificate setting from the dropdown list. You configure these settings in Policy & Configs > Configurations. When you choose a SCEP or Certificate setting, Core sends the contents of the certificate as the value. If the certificate is password- encoded, Core automatically sends another key-value pair. The key’s name is the following string: <name of key for certificate>_MI_CERT_PW The value is the certificate’s password. Note: If you are not using certificates to authenticate the device to the Sentry, delete the AppLoginCertificate key from the AppConnect app configuration.
AppUseLoginCertificate	N	Boolean	(e.g. True, False)	true	Client CA
AppReqParamPlaintext	N	Boolean	(e.g. True, False)	False	"The query value format in the URI contains all of the ActiveSync URI parameters. e.g.) Base64: POST /Microsoft-Server-ActiveSync?jAAJBAp2MTQwRGV2aWNlAApTbWFydFBob25l HTTP/1.1 Plain text: POST /Microsoft-Server- ActiveSync?Cmd=Sync&User=rmjones&DeviceId=v140Device&DeviceType=SmartPhone HTTP/1.1"
AppUseModernAuthentication	N	Boolean	(e.g. True, False)	false	Modern Authentication (ADAL)
AppPasswordEnable	N	Integer	(e.g, -1, 0, 1)	-1	App password Enable -1 : Use Exchange Policy 0 : Disabled 1 : Enabled
AppPasswordComplexity	N	Integer	(e.g. 0, 1)	0	App password complexity (0 : Simple, 1: Alphanumeric)
AppPasswordMinLength	N	Integer	(e.g. 4)	0	App Password Minimum length
AppPasswordExpirationDays	N	Integer	(e.g. 90)	0	App Password expiration date
AppPasswordHistory	N	Integer	(e.g. 9)	0	App Password History counts
AppPasswordMaxFailed	N	Integer	(e.g. 10)	0	App Password Maximum failure counts
AppPasswordLockTime	N	Integer	(e.g. 60)	0	App Password Maximum Lock Time (Min.)
AppPasswordComplexChar	N	Integer	(e.g. 0)	0	App Password complex characters 0 : none 1,2 : letter + digit 3 : letter + digit + symbol 4 : letter (upper & lower) + digit + symbol
AppUserAgentDetails	N	String	Ex) $OS $VERSION $APP_VERSION $APP_VERSION_CODE		Extra information for UserAgent Eg> $OS $VERSION $APP_VERSION $APP_VERSION_CODE (Case sensitive) - SNINE4W-hero2ltexx/NRD90M (Android 7.0.1 4.0.3b 2402300)
AppLauncherShortcuts	N	String	[ "Mail", "Calendar", "Contacts", "Tasks", "Notes" ]		eg) Add Calendar and Tasks shortcuts as default. [ "Calendar", "Tasks" ]
AppSecureMailLoadRemoteImages	N	Integer	(e.g. -1, 0, 1, 2)	-1	-1: User can select the option 0: Do not load 1: Ask before displaying remote images 2: Always display remote images
AppLDAPConfigurations	N	String (JSON)	e.g. [ { "Description": "Default", "ServerAddress": "ldap.example.com", "ServerPort": "389", "TransportSecurity": 1, "SearchBase": "dc=mkt,dc=mainstore,dc=com", "BindDN": "", "BindPassword": "" } ]		Description : Title of the configuration (mandatory, unique) ServerAddress : LDAP server address or IP address (mandatory) ServerPort : LDAP server port (mandatory) TransportSecurity : 0: None, 1: SSL, 2: StartTLS SearchBase : LDAP Naming base DN (mandatory) BindDN : Leave empty for anonymous BindPassword : Leave empty for anonymous
AppSelectiveAuthentication	N	Boolean	(e.g. True, False)	false

* User Configuration allows the application to detect the user of the application, however does not authenticate the user.

Key	Required	Type	Example	Default	Description
UserName	Y	String	(e.g. wtillman)		Username of the user who is using the device. Value to be used by application to authenticate user. Typically, you use the Core variable $USERID$. If your ActiveSync server requires a domain, use <domain name>\$USERID$. For example: mydomain\$USERID$. You can also use combinations of these Core variables, depending on your ActiveSync server requirements: $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
UserEmail	Y	String	(e.g. will@company.com)		Email address of the user who is using the application Typically, this field uses the Core variable $EMAIL$. You can also use combinations of these Core variables, depending on your ActiveSync server requirements: $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
UserPassword	N	String	(e.g. ****)		Password for the user who is using the application If you provide a password, Nine Work does not prompt the device user for the password. Delete this key if you want the device user to enter the password when using Nine Work. MobileIron recommends deleting the key. You can use the Core variable $PASSWORD$ if you have checked Save User Password in Settings > Preferences. Core then passes the user’s password as the value to the device. Caution: If you plan to use the $PASSWORD$ variable, be sure to set Save User Password to Yes before any device users register. If a device user was registered before you set Save User Password, Nine Work prompts the user to enter the password manually.
UserDomain	N	String	(e.g. NADOMAIN)		Domain of the user who is using the application
UserDisplayName	N	String	(e.g. James)		User name which is displayed in Nine app
UserSignature	N	String	(e.g. ABC Company, James, CIO, +4081234567)		Email signature. If empty, use "Sent from Nine"
UserLicenseNumber	N	String	(e.g. 123456781234)		License key which is purchased in 9Folders web site
UserSMIMESignCertificate	N	String			This key specifies the certificate to use for signing S/MIME emails. Select the SCEP setting from the dropdown list. You configure these settings in Policy & Configs > Configurations. When you choose a SCEP setting, Core sends the contents of the certificate as the value. When Nine Work receives this key: • It imports the key into the keystore. • It selects the certificate as the signing certificate.
UserSMIMEEncryptCertificate	N	String			This key specifies the certificate to use for encrypting S/MIME emails. Select the SCEP setting from the dropdown list. You configure these settings in Policy & Configs > Configurations. When you choose a SCEP setting, Core sends the contents of the certificate as the value. When Nine Work receives this key: • It imports the key into the keystore. • It selects the certificate as the encryption certificate
UserEmailSyncRange	N	Integer			0: All 1: 1 Day 2: 3 days 3: 1 week 4: 2 weeks 5: 1 month
UserEmailDownloadSize	N	Integer			0: All 1: 10KB 2: 20KB 3: 50KB 4: 100KB
UserFontFamily	N	String	(e.g. Calibri, Arial, Helvetica, sans-serif)		Default font family for outgoing email.
UserFontSize	N	String	(e.g. 11.5)		Default font size for outgoing email.
UserFontColor	N	String	(e.g. #000000)		Default font color for outgoing new email.
UserReplyFontColor	N	String	(e.g. #1F497D)		Default font color for reply email.
UserInAppCalendarNotification	N	Boolean	(e.g. True, False)	True	Calendar notification settings
UserDefaultEditor	N	Integer	(e.g. 0, 1)	0	0: Rich Text Editor 1: Text Editor
UserMessageFormat	N	Integer	(e.g. 0, 1, 2)	1	0: TEXT 1: HTML 2: MIME
UserReFwdSeparatorStyle	N	Integer			0: No separator 1: 1px 2: 2px 3: Outlook 2016
UserSyncSystemCalendarStorage	N	Boolean	(e.g. True, False)	false	Default value for syncing to the system Calendar storage
UserSyncSystemContactsStorage	N	Boolean	(e.g. True, False)	false	Default value for syncing to the system Contacts storage
UserAutoAdvance	N	Integer		0	0: Open the previous item 1: Open the next item 2: Return to the current folder
UserBiometricUnlock	N	Boolean	(e.g. True, False)	false
UserNotesTemplate	N	String			Ex) "UserNotesTemplate": { "Title": "Memo", "Template": "To: \nFrom: \nDate: \nSubject: \n\n" }
UserContactsFieldsLevel	N	Integer	(e.g. 0, 1)	0	0: All Fields 1: Minimum Fields (Name Fields, Phone Fields, Photo Field)
UserDownloadableAttachmentsMaxSize	N	Integer		0	xx: xxMB Limited 0: Unlimited (Default) eg) 10: 10MB Limited 25: 25MB Limited
UserSyncWhenRoaming	N	Integer	(e.g. 0, 1)	0	0: Off 1: On
EnforceSyncWhenRoaming	N	Boolean	(e.g. True, False)	false

* Branding Configuration allows an application to customize the look and feel for a specific organization.

Key	Required	Type	Example	Description
BrandingLogo	N	String	(e.g.. http://myserver/image.png)	String representing HTTP URL of the image to download and display as the main wallpaper within the application. Each application could implement the visual representation differently. - Recommend format: PNG (Other formats are applicable) - Background color: #ff009688 - Recommend resolution: 720x264 (Max 1024x1024)
BrandingSplashLogo	N	String	(e.g.. http://myserver/image.png)	String representing HTTP URL of the image to download and display as the logo image in the splash screen. Images recommended to be in PNG format. Size: 720x264
BrandingName	N	String	(e.g. Company Name)	String representing the company name which could be displayed in the application.
BrandingColor	N	String	(e.g. #1F497D)	RGB(31, 73, 125)

* Security (or Custom) Settings allows an application to enable or disable certain security features

Key	Required	Type	Example	Default	Description
AllowEmailSync	N	Boolean	(e.g. True, False)	true	Allow Email sync
AllowCalendarSync	N	Boolean	(e.g. True, False)	true	Allow Calendar sync
AllowContactsSync	N	Boolean	(e.g. True, False)	true	Allow Contacts sync
AllowTasksSync	N	Boolean	(e.g. True, False)	true	Allow Tasks sync
AllowNotesSync	N	Boolean	(e.g. True, False)	true	Allow Notes sync
AllowPrint	N	Boolean	(e.g. True, False)	true	Allow print
AllowShareContents	N	Boolean	(e.g. True, False)	true	Allow to share the contents of Email/Tasks/Notes
AllowShareAttachment	N	Boolean	(e.g. True, False)	true	Allow to share the attachments to 3rd party app
AllowSaveAttachment	N	Boolean	(e.g. True, False)	true	Allow to save attachments into external storage
AllowGalShare	N	Boolean	(e.g. True, False)	true	Allow to deliver the GAL search results to 3rd party app
IgnoreExchangePolicy	N	Boolean	(e.g. True, False)	false	Disregard Exchange Policy. Instead, MDM controls the policy.
AllowDeleteOwnAccount	N	Boolean	(e.g. True, False)	true
AllowMultipleAccount	N	Boolean	(e.g. True, False)	false	Allow to set up multiple accounts
AllowReFwdFromDA	N	Boolean	(e.g. True, False)	true	Allow to forward or reply from a different account than the message originated from.
AllowAutoConfig	N	Boolean	(e.g. True, False)	false
AllowSyncSystemCalendarStorage	N	Boolean	(e.g. True, False)	true	Allow for Nine Calendar data to sync to system calendar storage. Users can see Nine Calendar data on the stock Calendar app.
AllowSyncSystemContactsStorage	N	Boolean	(e.g. True, False)	true	Allow for Nine Contacts data to sync to system contacts storage. Users can see Nine Contacts data on the stock Contacts app.
AllowSecondaryAccountEmailSync	N	Boolean	(e.g. True, False)	true	Allow to sync Email for the secondary accounts
AllowSecondaryAccountCalendarSync	N	Boolean	(e.g. True, False)	true	Allow to sync Calendar for the secondary accounts
AllowSecondaryAccountContactsSync	N	Boolean	(e.g. True, False)	true	Allow to sync Contacts for the secondary accounts
AllowSecondaryAccountTasksSync	N	Boolean	(e.g. True, False)	true	Allow to sync Tasks for the secondary accounts
AllowSecondaryAccountNotesSync	N	Boolean	(e.g. True, False)	true	Allow to sync Notes for the secondary accounts
AllowExportMessage	N	Boolean	(e.g. True, False)	true	Allow to export Message
AllowEWSConnectivity	N	Boolean	(e.g. True, False)	true	Allow EWS connectivity for the features such as Shared Calendar features.
AllowBiometricUnlock	N	Boolean	(e.g. True, False)	true	Allow Biometric authentication such as Fingerprint to unlock screen.
AllowChangePasswordBySelf	N	Boolean	(e.g. True, False)	false	Allow changing password by oneself

AppTunnel support

AppTunnel settings are not applicable for Nine Work. If you are using a Standalone Sentry, all communication with the ActiveSync server is through a secure connection to the Standalone Sentry.

ActiveSync server synchronization due to app configuration

Nine Work synchronizes all emails, tasks, notes, contacts and calendar items with the ActiveSync server when the device user first launches Nine Work. It also does a full synchronization or delete account if you change the values of the following keys in the app configuration:

AppDeviceId (Full synchronization)
AppDeviceIdPrefix (Full synchronization)
AppDeviceType (Full synchronization)
UserEmail (Delete account)
AppLoginCertificate (Delete account)

The full synchronization or delete account occurs the next time the device checks in after you have changed the app configuration.

User features

For more details on Nine Work for Android’s feature set in general, please see our listing on Google Play:

https://play.google.com/store/apps/details?id=com.ninefolders.hd3.work

Configuration tasks

Use the following high-level steps to configure AppConnect for the app.

Enable AppConnect.
Configure Standalone Sentry for email attachment control
Configure device and server authentication on Sentry
Configure an AppConnect global policy.
Configure a new AppConnect app configuration for the app.
Configure a new AppConnect container policy for the app.

Enable AppConnect

Before enabling AppConnect on your Core, confirm that your organization has purchased the required AppConnect licenses. Contact your MobileIron representative if you require additional details on AppConnect license purchases.

To enable AppConnect and AppTunnel functionality on the Core, navigate to the Settings page on the Core Admin Portal and check the boxes as shown below.

Select the option for “Enable AppConnect for third-party and in-house apps”.
Select the option of “Enable AppTunnel for third-party and in-house apps”.

Configure Standalone Sentry for email attachment control

If you are using a Standalone Sentry, configure the Standalone Sentry to deliver email attachments to Nine Work:

Go to Settings > Sentry in the MobileIron Core Admin Portal.
Select the Standalone Sentry that handles email for the devices.
Select the edit icon.
In the section Attachment Control Configuration, select Enable Attachment Control.
For iOS And Android Using Secure Apps, select Open With Secure Email App.
Click Save.

Configure device and server authentication on Sentry

If you are using a Standalone Sentry, the Standalone Sentry interacts with your enterprise’s ActiveSync server. A device authenticates to the Sentry (device authentication) and the Sentry authenticates the device to the ActiveSync server (server authentication). For details on setting up the authentication methods, see “Device and server authentication support for Standalone Sentry” in the MobileIron Sentry Guide.

If you are using certificates for device authentication, you create a SCEP or Certificates setting, as described in “Certificates settings” and “SCEP settings” in the MobileIron Core Device Management Guide or the Connected Cloud Device Management Guide.

Then, you specify that SCEP or Certificates setting in the AppConnect app configuration for Nine Work.

Configure an AppConnect global policy

An AppConnect global policy configures the security settings for all AppConnect apps, including:

Whether AppConnect is enabled for the devices that the policy is applied to
AppConnect passcode requirements.
Note: The AppConnect passcode is not the same as the device passcode.
out-of-contact timeouts
the app check-in interval
Note: The app check-in interval is independent of the MDM check-in timer and controls, and apps cannot be forced to check-in before the interval expires. The recommended configuration for the app check-in interval is 60 minutes.
the default end-user message for when an app is not authorized by default
whether AppConnect apps with no AppConnect container policy are authorized by default
data loss prevention settings

To modify an existing AppConnect global policy:

On the Core Admin Portal, go to Policies & Configs > Policies.
Select an AppConnect global policy.
Click Edit.
Edit the AppConnect global policy based on your requirements.
See the AppConnect and AppTunnel Guide for details about each field.

Configure a new AppConnect app configuration

The AppConnect app configuration defines the app-specific parameters that are automatically pushed down to the app, as well as configurations for establishing and authenticating an AppTunnel associated with the app. See the AppConnect and AppTunnel Guide for details about each field.

Also, for more on AppTunnel configuration, see “Adding AppTunnel Support” in the AppConnect and AppTunnel Guide.

Use the following steps to configure the app-specific configuration:

On the Core Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > App Configuration.
Edit the AppConnect app configuration with the Name, Description, Application, AppTunnel configuration including the identity certificate, and App-specific key-value pair configurations required for the app.
Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID. You can find the bundle ID by going to Apps > App Catalog, and clicking the hyperlink to edit the app. The bundle ID resides in the Inventory field in parenthesis.
AppTunnel: Click on the “Add+” button and enter the AppTunnel details. The AppTunnel service for this app must be pre-configured in order to use it here.
App Specific Configuration: Click on the “Add+” button to enter the key-value pair information.

Configure a new AppConnect container policy

An AppConnect container policy specifies data loss protection policies for the app. The AppConnect container policy is required for an app to be authorized unless the AppConnect global policy allows apps without a container policy to be authorized. Such apps get their data loss protection policies from the AppConnect global policy.

Details about each field are in the AppConnect and AppTunnel Guide.

To configure an AppConnect container policy:

On the Core Admin Portal, go to Policies & Configs > Configurations > Add New > AppConnect > Container Policy.
Enter the Name, Description, and Application.
Note: For the Application field, choose an application from the app distribution library, or for iOS apps, specify the iOS bundle ID. You can find the bundle ID by going to Apps > App Catalog, and clicking the hyperlink to edit the app. The bundle ID resides in the Inventory field in parenthesis.
Configure the data loss protection policies according to your requirements.