VMware AirWatch App Wrapping
AirWatch App Wrapping, allows organizations to secure enterprise applications with little code changes.
App wrapping can add an extra layer of security and data loss prevention while offering a consistent user experience. Consistency comes from using Workspace ONE UEM options such as branding, single sign on SSO, and authentication.
Modifying your internal applications with app wrapping lets you access tools already available with Workspace ONE UEM by adding a layer of features over the application. Once the advanced features are applied, deploy the application to your enterprise app catalog for end-users to access.
Wrapping Process in On-Premises Environments
The SaaS-based app wrapping engine communicates with your Workspace ONE UEM on-premises environment in the background to wrap your apps.
Workspace ONE UEM wraps and stores modified applications within the SaaS infrastructure, and it does not keep any unmodified application files. The system securely stores and deletes internal application files and auxiliary files. All communication on port 443 is encrypted with AES-256, over SSL, and requiring HMAC token authentications.
| Component | Action |
|---|---|
| Administrator | Uploads the internal application and ancillary files, like provisioning profiles and signing certificates, to the Workspace ONE UEM console and initiates wrapping. |
| Console | Notifies the wrapping engine that it has a file. The console populates the download URL for the internal application file and ancillary files. |
| Wrapping Engine | Goes to the URL on the internal network device services server and retrieves the files. Unzips the files. Injects SDK functionality. Code-signs the application and recompresses the files. Sends the download URL of the wrapped application to the internal network device services server. |
| Device Services Server | Downloads the wrapped application. Stores the wrapped application in the Workspace ONE UEM database, along with auxiliary files. |
| Wrapping Engine | Securely deletes original application files, provisioning profiles, and signing certificates, depending on the scheduler task. |
File Storage
The app wrapping process deletes application binary files, provisioning profiles, and signing certificates from the app wrapping service when it completes wrapping. The system stores these files in the Workspace ONE UEM database.
When adding a version of the application, the code signing files automatically populate and you can change them if needed. However, the app wrapping service does not store the files you supply.
The app wrapping service uses the application binary, signing certificate, and provisioning profile temporarily to sign the wrapped application. After wrapping is complete, the system removes the files from the wrapping service and stores them securely in the Workspace ONE UEM database. If the wrapping fails or times out, the system automatically removes files from the wrapping service and stores them in the Workspace ONE UEM database.
The Storage of Data
The AirWatch App Wrapping system can log data about the wrapped application, but it does not store location data, analytics, or telecom data.
Deactivating Logging in Wrapping Profiles
To deploy a wrapped application, you assign it a profile. You can enable the logging payload and configure the logging level in that profile. When you apply the profile to the wrapped application, the system creates an application log.
If you do not want the console to log data about the application, ensure that this feature is deactivated. Find the setting in these places:
- In the default VMware Workspace ONE SDK settings in Settings and Policies
- In a custom VMware Workspace ONE SDK profile
Location Data, Analytics, and Telecom Data
The AirWatch App Wrapping system does not track location, analytics, or telecom data. Although, other sections of the console do if you configure the settings.
- The Workspace ONE Intelligent Hub tracks location data.
- The Workspace ONE SDK records analytics.
- The Telecom dashboard reports telecom data for devices.
Deactivate these features if you do not want to track this data.
Cluster Session Management in iOS and Reduced Flip Behavior for SSO with App Wrapping v5.4 or later
Causes of Flipping
iOS applications wrapped with the following components are in the same keychain group, also called a cluster.
- Apps wrapped with signing certificates from the same developer account
- Apps that share the same AppIdentifierPrefix
These applications can share session data like an app passcode and an SSO session. By sharing this session data, they do not have to flip to the Workspace ONE Intelligent Hub or to the anchor application every time authentication is required.
Applications wrapped with the listed components are in different keychain groups, or clusters.
- Apps wrapped with signing certificates from different developer accounts
- Apps that have a different AppIdentifierPrefix
These applications cannot take advantage of passcode sharing. These scenarios require flipping to the Workspace ONE Intelligent Hubor the anchor application to obtain data like the server URL. This flipping action occurs once per cluster.
Reduced Flipping
On iOS application wrapped with app wrapping engine v5.4+, only the first wrapped app flips to the anchor application on the first launch. It flips to retrieve environment information. It does not flip to retrieve account data or to lock and unlock operations. In older versions of the wrapping engine, applications had to flip to the anchor application to retrieve data and to lock and to unlock operations.
SSO Sessions and SDK-Integrated Apps
The SSO session is a time frame created at the time of SDK unlock. During this time frame the application can access allowed network resources. If you enable SSO, all SDK-integrated applications are unlocked and able to share keychain information between them.
