iOS Application Run Control


The easy availability of applications—games, consumer-oriented utilities and third-party tools—for mobile devices results in end users installing and running unauthorized personal programs and recreational software on devices meant for business use. In addition to adding memory and battery life overhead, this situation also contributes to productivity losses. The installation of unauthorized and unapproved non-business applications contributes to a significantly higher volume of support calls, increasing the IT help desk's support burden. Most critically, it is imperative for security-conscious users to control and restrict the unauthorized installation of personal applications to ensure compliance with strict mobile data protection requirements.

MobiControl's application run control features reduce the risk of leakage of sensitive data and complement the existing network security model by preventing the introduction of malware and viruses into the network through mobile devices. They also allow memory management on the mobile devices, freeing up resources taken up by unnecessary processes and allowing for better device performance. MobiControl integrates tightly with the operating system to prevent restricted applications from running on the mobile device at all, making it much more efficient than competing white list and black list solutions, which use CPU- and battery-consuming processes to monitor for and destroy restricted applications.

To enable application run control for a device or group of devices, select Application Run Control Policy from the MobiControl Security Center. (Please see the iOS Device Security page.)

Application Run Control System Configuration

Application Run Control dialog box System Tab

The following table describes the features provided on the System Tab.

Feature: Description

Disallow use of App Store: Removes the App Store icon from the device, preventing the user from installing additional applications.

    Important:

    All applications, including both App Store and Enterprise applications, will remain on the device and be available for the user to use.

Disallow use of iTunes Music Store: Prevents the user from purchasing music from the iTunes Music Store App.

Disallow use of YouTube: Prevents the user from viewing YouTube content via the YouTube App. The user will still be able to access www.YouTube.com unless Internet access is filtered.

Maximum allowed content ratings: This setting sets the maximum rating of a Movie, TV Show or App allowed to be used on the device.

    Option: Description

    Movies: Sets the maximum rating for movies to:
      • Don't Allow Movies
      • G
      • PG
      • PG-13
      • R
      • NC-17
      • Allow All Movies

    TV Shows: Sets the maximum rating for TV shows to:
      • Don't Allow TV Shows
      • TV-Y
      • TV-Y7
      • TV-G
      • TV-PG
      • TV-14
      • TV-MA
      • Allow All TV Shows

    Apps: Sets the maximum rating for apps to:
      • Don't Allow Apps

        Important:

        All App Store applications will be removed from the device. The user will still be able to view the App Store's content, however, they will not be able to download or install any applications from it. All Enterprise Apps will still be available for the user to use.

      • 4+
      • 9+
      • 12+
      • TV-PG
      • 17+
      • Allow All Apps

Disallow use of Internet Browser: Prevents the user from browsing the Internet.

Disable autofill: Prevents the user from using browser autofill.

Disable fraud warning control: Prevents the user from changing the fraud warning settings.

Disable JavaScript: Prevents the user from running JavaScript applications.

Cookies: Sets the cookie settings to:
  • Always accept
  • From visited sites only
  • Never accept

Notes:

  • When logged in as Admin on the mobile device, application control enforcement is suspended.
  • Certain processes and applications are critical and necessary for stable device operation and normal execution of the MobiControl Device Agent. These processes are automatically protected through a built-in "permanent white list" and cannot be put on a black list. Applications that are included in a lockdown program menu are automatically on a white list, and cannot be put on a black list.

Application Run Control Blacklist Applications

Application Run Control dialog box Blacklist Tab

Control List Creation

Configuration of application run control begins with the creation of an application control list. An application control list is simply a list of the Bundle Identifiers that correspond to the applications you wish to disallow on the mobile device. For example, pword.exe corresponds to XXXXXXX.

Manual Mode

Manual list creation is provided for the device administrator who already knows exactly which Bundle Identifiers are to be put on the black list. This advanced feature is only recommended if you are aware of the names of the Bundle Identifiers that need to be allowed for correct device operation, and those that you wish to restrict.

You can manually create a new application control list by clicking the New button in the Application Run Control dialog box, and then choosing the Manually Create a New Control List option in the Select Control List Creation Method dialog box. The New Application Control List dialog pops up, allowing you to specify the application that you want to add to the list, and the platform for which this entry would be valid. This allows you to restrict applications on a device running a specific operating system (e.g. Windows Mobile 5), if you have a mix of devices with different operating systems in the same group.

Once created, the list may be applied to one or more devices or groups.

Creating a black list in manual mode

Note:

If you edit an application control list that is shared among device groups that are not subgroups of the group you are configuring, the changes will not be propagated to the other devices. The modified control list will only affect devices belonging to the group being configured or its subgroups.
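The following is an added example, not part of the MobiControl documentation or product: a pre-check for a manually drafted black list that rejects entries which are not Bundle Identifiers, or which the Notes above say cannot be put on a black list (the permanent white list and lockdown program menu applications). Every identifier, the contents of both protected lists, the two-segment rule and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Apple bundle identifiers use only letters, digits, hyphens and periods.
# Requiring two or more dot-separated segments is an assumption of this example.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def review_blacklist(entries, permanent_whitelist, lockdown_menu):
    """Return (accepted, rejected); rejected is a list of (entry, reason)."""
    # Case-insensitive comparison is an assumption of this example.
    protected = {b.lower(): "on the permanent white list" for b in permanent_whitelist}
    protected.update({b.lower(): "in the lockdown program menu" for b in lockdown_menu})
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        entry = raw.strip()
        key = entry.lower()
        if not entry:
            continue  # ignore blank lines in the draft list
        if key.endswith(".exe"):
            # An executable file name, as used on other platforms, is not a bundle ID.
            rejected.append((entry, "executable name, not a bundle identifier"))
        elif not BUNDLE_ID_RE.match(entry):
            rejected.append((entry, "malformed bundle identifier"))
        elif key in protected:
            rejected.append((entry, protected[key]))
        elif key in seen:
            rejected.append((entry, "duplicate entry"))
        else:
            seen.add(key)
            accepted.append(entry)
    return accepted, rejected

# Constructed sample data; every identifier below is hypothetical.
PERMANENT_WHITELIST = ["com.example.mdm-agent"]
LOCKDOWN_MENU = ["com.example.inventory"]
DRAFT = [
    "com.example.game",
    "pword.exe",
    "com.example.mdm-agent",
    "com.example.Inventory",
    "com example social",
    "com.example.game ",
    "com.example.social",
]

if __name__ == "__main__":
    ok, bad = review_blacklist(DRAFT, PERMANENT_WHITELIST, LOCKDOWN_MENU)
    print("accepted:", ok)
    for entry, reason in bad:
        print("rejected:", entry, "-", reason)
```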

Modifying or Deleting a Control List

An application control list can be edited whether it is currently in use or not, but its type (white list or black list) cannot be changed once created.

An application control list can only be deleted if it is currently not selected for any devices or device groups. A control list that is listed in the Selected field is considered in-use, even if the application run control is disabled for the given group or device.

Application Run Control Event Notification

Every time MobiControl's application run control feature detects an application that is not allowed to run by the security policy in effect, it will notify the server.

The Notify Server on Application Termination option will generate a log event on the server and display it in the Event Logs for that particular device when an attempt is made to run a blocked operation. Device logs can be viewed in the MobiControl Manager by highlighting the device or the group of devices and enabling the Logs tab. This allows the administrators using MobiControl Manager to track any attempts by the end users to run or install unauthorized applications and ensures a higher level of monitoring.