App Deployment Policy

BigFix MCM enables you to configure application policies to install applications from the App store on the Android, iOS, and iPadOS devices.

About this task

Before creating an app deployment policy, ensure the required Apps are added to the App Catalog.

Creating an app deployment policy

To create an app deployment policy, perform these steps:

Procedure

  1. Log in to BigFix WebUI.
  2. Go to Apps > MCM.
  3. Click Create Policy on the top right corner.
  4. From the list of policy types, select App Deployment. The following page appears.

  5. Under the General Settings section, enter app deployment Policy Name and Description.
  6. Select the Operating System.
  7. From the Assign Policy to Site drop-down, select the site.
  8. Configure the operating system specific settings. You can set the permissions globally for all the apps in the app policy. You can also set permissions for individual app in the policy as required by selecting the app and clicking . You can see the settings set for an app on the fly when you hover over the mouse on the icon.
    Android
    Default Settings for all apps:

    Distribute as an offer: If enabled, the apps become available for download or installation on Android devices through various methods, such as app marketplaces, websites, or direct distribution. Enable or disable the option to distribute the apps as an offer to the end users.

    Permission Settings
    • Default Permission Policy: The permission set as Default Permission Policy is applicable globally for all the applications that are installed through the app policy. Admins can choose from the following options when setting a default runtime permission policy for the managed Android apps.
      • Prompt - prompt the user to grant permission to install apps. This is the default option. Device users can either choose to allow installation of the apps or cancel it.
      • Grant - automatically grant permission to install the managed apps without user intervention
      • Deny - automatically deny permission to prevent unauthorized app installation
    • Manage Individual Permissions: Based on the Apps selected, WebUI displays the list of permissions. IT admins can remotely set permissions to prevent applications from gaining access to data or control over a device. For example, the ability to read the user's contacts, external storage or location are runtime permissions. The user has to explicitly grant these permission for the application. However, for managed Google Play applications, administrators can configure and enforce these permissions from WebUI. Select Prompt, Grant, or Deny for individual permissions. For more details on the permissions listed, see the official Android documentation at https://developer.android.com/reference/android/Manifest.permission.
    • Customise the permission by apps: If you want to configure per-app permissions, you can do that by selecting the app and clicking the edit icon for the app and selecting individual permissions.
    Note: Deployment of this Appstore policy removes any previously deployed work profile applications that are not specified in this policy.
    iOS/iPadOS
    Default Settings for all apps: The permission set as Default Settings is applicable globally for all the applications that are installed through the app policy.
    iOS default settings

    iOS default settings
    • Removed with MDM Profile: Enable this setting if you want to remove the app when MDM profile is removed.
    • Prevent Backup: Enable this setting to prevent backup of app data.
    • Assume Management: If enabled, once the MDM profile is installed, the device "assumes management." This means that BigFix can now manage the device's settings, security policies, app installations, and other configurations.
      Note: This option is applicable only for VPP apps. Enable this setting for delivering apps to supervised Apple devices only. Do not select this option if the app is to be delivered to an Apple user enrolled device, as that option is not allowed for BYOD enrollments. For more information, see Known limitations.
    • Install As Managed: If enabled,when the app configuration profile is applied to the devices, the apps are installed as "Managed" on those devices. That means, IT administrators can install and manage the apps specified in the policy. IT admins can remotely deploy and install applications on macOS devices; push specific configuration settings and preferences to the application; enforce security policies, compliance requirements, and access controls; track application usage; gather data for reporting; and perform troubleshooting or updates as needed; install updates and patches of the apps; remove the apps from devices when necessary.
    Individual app settings: If you want to configure per-app settings, you can do that by selecting clicking the edit button available for the respective app.
    iOS Individual app setting
  9. Select apps: This grid lists all the apps added to the app catalog. Select the desired app and configure settings as needed.
  10. Click Save.

Results

App deployment policy is created and is ready to deploy.

When the policy is deployed, the device receives a notification that a set permission or action is being performed on the device by the device manager. The permission manager in the device shows the permission that are applied.

Note: Android: When you deploy a new policy, it removes any work profile apps that are installed previously but are not specified in the new policy.