Default SDK settings apply across AirWatch and wrapped applications, providing a unified user experience on devices. Because the configured SDK settings apply to all AirWatch and wrapped applications by default, you can configure the default SDK profile with the entire AirWatch and wrapped application suite in mind.

Before You Begin

Not all platforms or AirWatch applications support all available default SDK profile settings. A configured setting only works on the device when it is supported by the platform and app. This also means that an enabled setting might not work uniformly across a multi-platform deployment, or between applications. The SDK Settings matrix covers the available SDK profile settings and the apps and platforms they apply to.

Key Assumptions

The recommendations provided apply to an app suite that includes:

  • VMware Browser
  • AirWatch Inbox
  • VMware Content Locker
  • Enrolled devices
  • AirWatch or wrapped apps
  • SDK settings available as of MMMM yyyy.
  1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
  2. Configure Security Policies.
    Action Description Rec
    Authentication Type
    Passcode Prompt end users to authenticate with a user-generate passcode when the app first launches, and after an app session timeout.

    Enabling or disabling SSO determines the number of app sessions that get established.
    Username and Password Prompt end user to authenticate by re-entering their enrollment credentials when the app first launches, and after an app session timeout.

    Enabling or disabling SSO determines the number of app sessions that get established.
    Disabled Allow end user to open apps without entering credentials.
    SSO
    Enabled Establish a single app session across all AirWatch and AirWatch wrapped apps.
    Disabled Establish app sessions on a per app basis.
    Offline Access
    Enabled Allow end users to open and use AirWatch and wrapped apps when disconnected from Wi-Fi. Offline AirWatch apps cannot perform downloads, and end users must return online for a successful download. Configure the Maximum Period Allowed Offline to set limits on offline access.
    Disabled Remove access to AirWatch and wrapped apps on offline devices.
    Compromised Protection
    Enabled Override MDM protection. App level Compromised Protection blocks compromised devices from enrolling, and enterprise wipes enrolled devices that report a compromised status.
    Disabled Rely solely on the MDM compliance engine for compromised device protection.
      Data Loss Prevention
    Enabled Access and configure settings intended to reduce data leaks.
    Enable Copy And Paste
    Allows an application to copy and paste on devices when set to Yes.
    Enable Printing
    Allows an application to print from devices when set to Yes.
    Enable Camera
    Allows applications to access the device camera when set to Yes.
    Enable Composing Email
    Allows an application to use the native email client to send emails when set to Yes.
    Enable Data Backup
    Allows wrapped applications to sync data with a storage service like iCloud when set to Yes.
    Enable Location Services
    Allows wrapped applications to receive the latitude and longitude of the device when set to Yes.
    Enable Bluetooth
    Allows applications to access Bluetooth functionality on devices when set to Yes.
    Enable Screenshot
    Allows applications to access screenshot functionality on devices when set to Yes.
    Enable Watermark
    Displays text in a watermark in documents in the VMware Content Locker when set to Yes. Enter the text to display in the Overlay Text field or use lookup values. You cannot change the design of a watermark from the AirWatch Console
    Limit Documents to Open Only in Approved Apps
    Enter options to control the applications used to open resources on devices. (iOS only) You can use VMware AirWatch Configuration values to restrict users from importing files from third-party applications into Content Locker. For more information, see Configure Import Restriction in Content Locker section.
    Allowed Applications List
    Enter the applications that you allow to open documents.
    Disabled Allow end user access to all device functions.
  3. Save.
  4.  Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.

  5. Configure Settings.

    Branding
    Enabled

    Apply specific organizational logo and colors, where applicable settings apply, to the app suite.

    Disabled Maintain the AirWatch brand throughout the app suite.
    Logging
    Enabled Access and configure settings related to collecting logs.
    Logging Level

    Choose from a spectrum of recording frequency options:

    • Error – Records only errors. An error displays failures in processes such as a failure to look up UIDs or an unsupported URL.
    • Warning – Records errors and warnings. A warning displays a possible issue with processes such as bad response codes and invalid token authentications.
    • Information – Records a significant amount of data for informational purposes. An information logging level displays general processes as well as warning and error messages.
    • Debug – Records all data to help with troubleshooting. This option is not available for all functions.
    Send logs over Wi-Fi only
    Select to prevent the transfer of data while roaming and to limit data charges.
    Disabled Do not collect any logs.
    Analytics
    Enabled Collect and view useful statistics about apps in the SDK suite.
    Disabled Do not collect useful statistics.
    Custom Settings
    Enabled Apply custom XML code to the app suite.
    Disabled Do not apply custom XML code to the app suite.
  6. Save.

For more topics about the SDK and mobile application management, see MAM Functionality With SDK Functions.

(iOS Only) Configure Import Restriction in Content Locker

You can use the configuration keys in UEM console to restrict import of content from third-party applications into the Content Locker. The configuration keys can be used to allow content import from only whitelisted set of native applications.

Use the following configuration keys to restrict or allow content import from third-party applications into Content Locker.

Configuration Key Value Type Supported Values Description
{"ContentImportRestriction"} Boolean

true = restriction enabled

false = restirction disabled

For example, {"ContentImportRestriction": true}.

When enabled, device users cannot import content from any non-whitelisted third-party applications including the native iOS applications into the Content Locker.
{"ContentImportAllowNativeApps"} Boolean

true = import from native applications are allowed

false = import from native applications are not allowed

For example, {"ContentImportAllowNativeApps": true}

When enabled,

the device users can import content from native applications when the import restriction is enabled.

The ContentImportRestriction and ContentImportAllowNativeApps configuration values can be used in combination to configure the import restriction as per your requirement. If you want to allow import of content from all native apps, enable the ContentImportAllowNativeApps key. The ContentImportAllowNativeApps key is enabled by default and allows import from all native apps such as iOS native Email, Files, Safari, AirDrop, and such. When enabled, the device users can open and import content from non-whitelisted apps into Content Locker using the web versions of the non-whitelisted applications (using Safari).

If you want to allow only specific applications, disable the ContentImportAllowNativeApps key and add the allowed applications in the whitelist.

If you want to restrict importing of content from specific native apps, disable the ContentImportAllowNativeApps key and add the allowed native applications in the whitelist.

Note:

The Limit Documents to Open Only in Approved Apps option must be enabled in the Data Loss Prevention settings before enabling the configuration key values. Safari and AirDrop cannot be whitelisted as there is no associated bundle ID.

If you are using SDK Default settings:

  1. Navigate to Group & Settings > All Settings.

  2. From All Settings, navigate to Apps > Settings&Policies > Settings.
  3. Select Enable Custom Settings and paste the configuration keys as per your requirement.

    For example, to allow import only from native apps, { "ContentImportRestriction": true, "ContentImportAllowNativeApps": true}.

  4. To allow importing from a specific list of apps (whitelist):
    1. Navigate to Settings and Policies > Security Policies.
    2. Select the Allowed Applications List text box and list the applications you want to allow the users to import content into the Content Locker.
  5. Select Save.

If you are using a custom SDK profile for Content Locker:

  1. Navigate to Group & Settings > All Settings.

  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.
  3. If you want to add a custom profile, navigate to Apps > Settings & Policies> Profiles > Add Profile > SDK Profile > iOS> Custom Settings.

  4. From Custom Settings, select Configure and paste the configuration keys as per your requirement.

    For example to allow import only from native apps, { "ContentImportRestriction": true, "ContentImportAllowNativeApps": true}.
  5. From the Restriction section, select Restrict documents to be opened in following apps and add the list of apps that you want to allow as per your requirement (whitelist).
  6. Select Save.

(iOS Only) Configure PDF Autosave in Content Locker

From Content Locker v4.13.2, the device users can enable or disable the PDF Autosave functionality by using the Enable PDF Autosave setting in the Content Locker app. The PDF Autosave setting is disabled by default. The PDF Autosave function can be set to 30 seconds, 60 seconds, and 120 seconds respectively using the Autosave time in seconds setting in the Content Locker. The administrators can use the configuration key provided by VMware AirWatch in the AirWatch Console to force enable the PDF Autosave functionality in Content Locker. When enabled using the configuration key, the device users cannot disable the PDF Autosave function and the Enable PDF Autosave setting is unavailable in the Content Locker. When the PDF Autosave function is enabled, the changes made to a PDF file when an autosave is in progress are not saved. After every instance of an autosave, the PDF document is reloaded.

Use the following configuration key to enable PDF Autosave function is Content Locker:

Configuration Key Value Type Supported Values Description
{ "ContentPDFAutoSaveEnabled" } Boolean

true = enabled

false = can be enabled or disabled by the device user

When set to True, the PDF Autosave functionality is enabled and the device users cannot disable the setting. The Enable PDF Autosave setting in the Content Locker is unavailable to the device users.

If you are using SDK Default settings:

  1. Navigate to Group & Settings > All Settings.

  2. From All Settings, navigate to Apps > Settings & Policies > Settings.
  3. Select Enable Custom Settings and paste the configuration keys as per your requirement.

    For example, to enable PDF Autosave, { "ContentPDFAutoSaveEnabled": true }.

  4. Select Save.

If you are using a custom SDK profile for Content Locker:

  1. Navigate to Group & Settings > All Settings.

  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.
  3. If you want to add a custom profile, navigate to Apps > Settings & Policies> Profiles > Add Profile > SDK Profile > iOS> Custom Settings.

  4. From Custom Settings, select Configure and paste the configuration keys as per your requirement.

    For example, to enable PDF Autosave, { "ContentPDFAutoSaveEnabled": true }.
  5. Select Save.

(iOS and Android Only) Configure Privacy Settings for Content Locker

Use the configuration keys in the UEM console to perform additional privacy disclosure and data collection practices. End users who are upgrading or are starting to use the latest version of Content Locker are presented with new privacy dialog screen upon the application launch. For more information about the privacy notice and data sharing settings, see https://support.workspaceone.com/articles/360005402834.

The privacy dialog screen lets the user know the following information:

  • Data collected by the app – Provides a summary of data that is collected and processed by the application. Some of this data is visible to administrators of the Workspace ONE UEM administration console.
  • Device Permissions – Provides a summary of device permissions requested for the app to enable product features and functionality, such as push notifications to the device.
  • Company's privacy policy – By default, a message is displayed to the user to contact their employer for more information. You can configure the privacy policy URL in the UEM console. Once configured, the user can access the employer’s privacy policy from the app.

Use the following configuration keys to enable privacy notice and data sharing settings in Content Locker:

Configuration Key Value Type Supported Values Description
{ "DisplayPrivacyDialog" } Integer

0 = disabled

1 = enabled (default)

When set to '1' (enabled), Content locker displays a privacy notice to the users about the data that is collected and the permissions that are required on the device for the optimal functioning of the app.

{ "PolicyAllowFeatureAnalytics" } Integer

0 = disabled

1 = enabled (default)

When set to '1' (enabled), Content locker displays a notice to the users about the option to opt-in to anonymous feature usage analytics that help VMware improve product functionality and invent new product capabilities. When set to '0', the data sharing notice is not displayed and no data is collected from the device to optimize the app experience.
{ "PolicyAllowCrashReporting" } Boolean

True = enabled

False = disabled

When set to True, app crashes are reported back to VMware.
{ "PrivacyPolicyLink" } String "https://www.url.com" Provide the Policy URL that you want your users to visit when Your company's privacy policy is selected from the Privacy notice.

If you are using SDK Default settings:

  1. Navigate to Group & Settings > All Settings.

  2. From All Settings, navigate to Apps > Settings & Policies > Settings.
  3. Select Enable Custom Settings and paste the configuration keys as per your requirement.

    For example, to enable Crash reporting, { "PolicyAllowCrashReporting": true}.

  4. Select Save.

If you are using a custom SDK profile for Content Locker:

  1. Navigate to Group & Settings > All Settings.

  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.
  3. If you want to add a custom profile, navigate to Apps > Settings & Policies> Profiles > Add Profile > SDK Profile > iOS> Custom Settings.

  4. From Custom Settings, select Configure and paste the following configuration keys as per your requirement.
  5. Select Save.