Enterprise MAM Runbook: Enforcing App Protection Policies via Hexnode UEM
Mobile Application Management (MAM) Configuration Guide
Mobile Application Management (MAM) provides granular security controls at the individual application layer. This allows organizations to secure corporate data without requiring full control over an end-user’s personal device (such as in BYOD environments).
Unlike traditional Mobile Device Management (MDM) profiles, which control system-wide settings such as hardware radios or a full-device wipe, Hexnode’s MAM framework focuses on app containerization, data leakage prevention (DLP) and isolation of the corporate data space.
This runbook details how to configure MAM boundaries for iOS and Android platforms, manage data flow restrictions, and troubleshoot enforcement failures.
1. iOS Application Protection: Enforcing Business Container Boundaries
On iOS, Hexnode applies MAM policies through what its portal calls the Business Container, which maps onto the managed-app data flow restrictions of Apple’s MDM protocol. iOS distinguishes Managed Sources (corporate apps installed through Hexnode or Apple Business Manager’s Apps and Books, formerly VPP) from Unmanaged Sources (personal apps the user installed from the public App Store), and the policy controls how documents may move between the two.
The Underlying Security Logic
Every iOS app runs in its own sandbox, so an app cannot read another app’s files or memory on its own. Users can, however, voluntarily hand a document to another app through the share sheet, the document picker or the Open In menu. Apple’s MDM Restrictions payload carries two keys (allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged) that tell iOS to refuse such hand-offs across the managed/unmanaged boundary. Hexnode’s Business Container policy delivers those keys; the enforcement itself is done by iOS, which is why it applies to every managed app without an SDK. Note what Open In restrictions alone do not cover: screenshots, text copied through the pasteboard (iOS 15 and later has a separate requireManagedPasteboard restriction for that), and data an app sends out over its own network connections.
Step-by-Step Configuration in Hexnode UEM
To configure the iOS Business Container:
- Log in to the Hexnode UEM portal and navigate to Policies > New Policy > Create a fully custom policy.
- Go to iOS > Business Container and click Configure.
- Configure the defining corporate boundary constraints:
- Documents from managed apps in unmanaged apps: Select Restrict. (This prevents an employee from opening an email attachment from a corporate email app inside a personal app like WhatsApp or a local unmanaged note app).
- Documents from unmanaged apps in managed apps: Select Restrict. (This protects the corporate container from receiving unverified external data payloads).
- (Optional but Recommended) Uncheck Allow unmanaged apps to read from managed contacts accounts to prevent corporate contacts from syncing to personal messaging apps.
- Save the policy and assign it to your target devices or user groups.
iOS data flow with the policy applied:
[Managed App: Corporate OneDrive] ───> Click Share ───> Intercepted by Hexnode Policy ───X Blocked X───> [Unmanaged App: Personal Notes]
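A way to confirm that the restriction keys actually reached the device rather than trusting the portal checkbox. The following Python script is an added example (it is not Hexnode’s or Apple’s code): it parses a configuration profile exported as plain XML plist and reports whether both Open In keys are present and set to false, treating an absent key as Apple’s permissive default. The profile contents, identifiers and UUIDs below are constructed for the example; a signed .mobileconfig from a real device is a CMS wrapper that must be unwrapped first (for instance with `openssl smime -inform der -verify -noverify -in profile.mobileconfig -out profile.plist`).

```python
"""Audit an iOS configuration profile for the Managed Open In restrictions
behind Hexnode's Business Container policy.

Added example, not Hexnode's or Apple's code. It assumes the profile is
plain XML plist (a signed .mobileconfig must be unwrapped first).
"""
import plistlib

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Apple's documented default for these keys is true (allowed) when the key
# is absent, so a missing key is the permissive state, not a block.
OPEN_IN_KEYS = {
    "allowOpenFromManagedToUnmanaged": "managed -> unmanaged document flow",
    "allowOpenFromUnmanagedToManaged": "unmanaged -> managed document flow",
}
CONTACTS_KEY = "allowUnmanagedToReadManagedContacts"


def restriction_payloads(profile: bytes) -> list:
    """Return every Restrictions payload contained in the profile."""
    plist = plistlib.loads(profile)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == RESTRICTIONS_PAYLOAD]


def audit_dlp_restrictions(profile: bytes) -> list:
    """Return findings as strings; an empty list means both Open In
    directions are blocked and managed contacts stay inside the boundary."""
    payloads = restriction_payloads(profile)
    if not payloads:
        return ["no Restrictions payload: every Open In direction is allowed"]
    findings = []
    for key, desc in OPEN_IN_KEYS.items():
        values = [p[key] for p in payloads if key in p]
        if not values:
            findings.append(f"{key} absent: {desc} allowed by default")
        elif False not in values:
            findings.append(f"{key} = true: {desc} explicitly allowed")
    if any(p.get(CONTACTS_KEY) is True for p in payloads):
        findings.append(f"{CONTACTS_KEY} = true: personal apps can read managed contacts")
    return findings


def build_profile(restrictions: dict) -> bytes:
    """Wrap one Restrictions payload in a minimal profile (constructed sample;
    identifiers and UUIDs are placeholders, not values from a real tenant)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.mam.business-container",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadContent": [{
            "PayloadType": RESTRICTIONS_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.mam.business-container.restrictions",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            **restrictions,
        }],
    })


# Constructed samples: the weak profile restricts only one direction.
WEAK_PROFILE = build_profile({"allowOpenFromManagedToUnmanaged": False})
HARDENED_PROFILE = build_profile({
    "allowOpenFromManagedToUnmanaged": False,
    "allowOpenFromUnmanagedToManaged": False,
    "allowUnmanagedToReadManagedContacts": False,
})

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_dlp_restrictions(profile) or ["OK"])
```

The check deliberately treats a missing key as a finding: a profile that only sets the managed-to-unmanaged direction still lets a personal app push a file into a corporate app, which is exactly the gap the second Restrict setting in the steps above closes.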
2. Android Enterprise Work Profile Containerization
For Android devices (typically personal devices in a BYOD scenario), Hexnode enforces MAM boundaries through Android Enterprise’s work profile: the Hexnode agent becomes the Profile Owner of a separate managed profile on the device. The work profile is not a separate disk partition; it is a separate Android user with its own app instances, app data, accounts and storage encryption keys, and apps installed in it carry the blue briefcase badge on their icons.
The Underlying Security Logic
Android isolates the work profile at the OS level: work apps and personal apps are separate installs running as different Android users, so a personal app cannot read the work copy’s private data and a work app cannot read personal files, even when both are the same app. What does cross the boundary is a short list of explicitly policy-controlled channels: the clipboard, cross-profile sharing and intents, and contacts and calendar lookups. Hexnode’s restrictions exist to close those channels; the isolation of app data itself is provided by Android, not by the Hexnode agent.
Step-by-Step Configuration in Hexnode UEM
- Navigate to Policies > New Policy > Android > Restrictions > Basic Restrictions.
- Locate the restriction parameter: Copy contents between normal and work profiles.
- Uncheck/Disable this setting. (This applies Android’s DISALLOW_CROSS_PROFILE_COPY_PASTE user restriction to the work profile, so text copied inside a work app cannot be pasted into a personal app.)
- Navigate to Policies > Android > App Management > App Configurations.
- Click Configure, then select Add new configuration and choose your target Managed Google Play application.
Injecting Managed App Key-Value Payloads
MAM policies often need to pre-configure how a corporate app behaves inside the work profile (for example its server URL, or whether offline caching is allowed). Android calls this feature managed configurations (the app restrictions framework): the app developer declares the keys the app understands and their types, and Hexnode delivers values for those keys as key-value pairs through Managed Google Play. Hexnode cannot push keys the app did not declare.
- Once the app is selected in the App Configurations menu, Hexnode reads the app’s declared configuration schema and renders a form for it.
- Fill in the specific key-value pairs required by the app developer, save the configuration, and assign the policy to your target devices.
3. Integrating Hexnode with Microsoft Entra ID Conditional Access
To align your deployment with modern Zero Trust architecture, Hexnode UEM can act as the compliance authority for Microsoft Entra ID (formerly Azure AD). This allows Entra ID to enforce Conditional Access rules based on the device’s actual management and compliance state reported by Hexnode.
How the Integration Works
Instead of verifying device health manually, you link Hexnode to your Entra ID tenant so that Hexnode reports each enrolled device’s compliance state (for example a violated MAM DLP policy, a missing passcode, or a removed management agent) to Microsoft. Treat that state as eventually consistent: Entra ID acts on the last compliance value Hexnode synced, so a device that has just fallen out of compliance keeps its access until the new state is synced and its existing tokens are re-evaluated.
Entra ID then uses this data as a primary condition before granting a user access to corporate cloud apps.
Conditional Access Evaluation Sequence:

[User requests access to a targeted cloud app]
                      |
      Is the device marked compliant by Hexnode?
               ↙ YES            NO ↘
   Grant Unrestricted Session    Block Access to M365 Data
Configuration Overview
Setting up this security gate requires actions in both portals:
- Link the Platforms (Hexnode): In the Hexnode UEM portal, navigate to Admin > Microsoft Entra ID. Set up the integration and confirm that Conditional Access – Device Compliance is configured and actively syncing before you create any blocking policy in Entra ID.
- Define the Gate (Entra ID): In the Microsoft Entra ID portal, navigate to Protection > Conditional Access and create a new policy. Target your corporate cloud apps (such as Exchange Online or Teams) and, under Grant controls, check Require device to be marked as compliant. Roll the policy out in Report-only mode first and exclude at least one emergency-access (break-glass) account, so a sync failure between Hexnode and Entra ID cannot lock every administrator out.
For the comprehensive, step-by-step configuration tutorial, refer to the official documentation: Set up Microsoft Entra Conditional Access integration in Hexnode.
4. Troubleshooting Common MAM Policy Enforcement Failures
1. Error: “Managed Configurations Failed to Apply” (Android)
The Symptom: You push an Android app to your devices along with specific settings (like a pre-filled server URL or default email address). The app installs correctly, but those settings are completely missing, leaving the user to type them in manually.
The Root Cause: Hexnode pushes settings to applications using the App Configurations policy, but the app must be explicitly built by its developer to accept these remote configurations. Additionally, the configuration method in Hexnode differs depending on whether it is a public store app or an internal company app.
The Fix: Verify that the app supports managed configurations and that you are using the correct deployment method in Hexnode:
- Navigate to Policies > Android > App Management > App Configurations and click + Add new configuration.
- If it is a Managed Google Play app (Public App): When you select the app, Hexnode will automatically display a visual menu of customizable settings (e.g., fields for hostnames or true/false toggles). If no configuration options appear on this screen, the app does not support remote management. You cannot force settings onto it and must contact the app vendor to request Android Enterprise configuration support.
- If it is an Enterprise App (In-House APK): Hexnode will not automatically generate a visual menu. Instead, you must click on Advanced settings and upload a JSON file containing the exact configuration keys and values.
- Note for In-House Developers: If you uploaded the JSON file but the settings still fail to apply on the device, your internal development team must verify that the app’s code is actually built to parse those keys (using Android’s App Restrictions framework).
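A pre-flight check for the in-house APK case above, which also illustrates the key-value mechanism described under “Injecting Managed App Key-Value Payloads”. The following Python script is an added example (not Hexnode’s code): it parses the app’s declared app_restrictions.xml (which a developer can supply, or which can be extracted from the APK with apktool) and compares it against the JSON you intend to upload, flagging keys the app never declared, values of the wrong type, and declared keys left unset. The XML, the key names and the payloads are constructed for the example; Hexnode’s exact JSON envelope for the Advanced settings screen is not reproduced, so adapt the flat key-value object to what that screen expects.

```python
"""Pre-flight check for an in-house (enterprise APK) managed configuration:
does the JSON you are about to upload match what the app declares?

Added example, not Hexnode's code. Assumptions: app_restrictions.xml was
pulled out of the APK (e.g. with apktool), and the payload is a flat JSON
object of key -> value; Hexnode's exact JSON envelope is not reproduced here.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# restrictionType values from Android's app restrictions framework mapped to
# the JSON type each must be delivered as. choice/multi-select entries are
# resource arrays that this check does not resolve, so only the type is checked.
TYPE_MAP = {"string": str, "bool": bool, "integer": int, "choice": str, "hidden": str}


def declared_restrictions(xml_text: str) -> dict:
    """Map each key declared in app_restrictions.xml to its restrictionType."""
    root = ET.fromstring(xml_text.strip())
    return {r.get(ANDROID_NS + "key"): r.get(ANDROID_NS + "restrictionType")
            for r in root.iter("restriction")}


def check_payload(xml_text: str, payload_json: str) -> list:
    """Return findings; empty means every key in the payload is one the app
    declared, with a matching type, and no declared key was left unset."""
    declared = declared_restrictions(xml_text)
    payload = json.loads(payload_json)
    findings = []
    for key, value in payload.items():
        rtype = declared.get(key)
        if rtype is None:
            findings.append(f"{key}: not declared by the app, it will be silently ignored")
            continue
        expected = TYPE_MAP.get(rtype)
        if expected is None:
            findings.append(f"{key}: restrictionType '{rtype}' is not covered by this check")
        elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            findings.append(f"{key}: declared {rtype}, payload value is {type(value).__name__}")
    for key in declared:
        if key not in payload:
            findings.append(f"{key}: declared but not set, the app will use its own default")
    return findings


# Constructed sample of an app's declared schema (what the developer ships).
APP_RESTRICTIONS_XML = """
<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
    <restriction android:key="server_url" android:restrictionType="string"
        android:title="@string/server_url_title" />
    <restriction android:key="offline_cache" android:restrictionType="bool"
        android:title="@string/offline_cache_title" android:defaultValue="true" />
    <restriction android:key="sync_interval_min" android:restrictionType="integer"
        android:title="@string/sync_interval_title" android:defaultValue="15" />
</restrictions>
"""

# Constructed payloads: the first has a mistyped key and a boolean sent as a string.
BAD_PAYLOAD = json.dumps({"server_url": "https://mdm.example.internal",
                          "offline_cache": "false", "serverUrl": "x"})
GOOD_PAYLOAD = json.dumps({"server_url": "https://mdm.example.internal",
                           "offline_cache": False, "sync_interval_min": 15})

if __name__ == "__main__":
    for name, payload in (("bad", BAD_PAYLOAD), ("good", GOOD_PAYLOAD)):
        print(name, check_payload(APP_RESTRICTIONS_XML, payload) or ["OK"])
```

The two failure modes this catches are the ones that produce “settings are completely missing” with no error on the device: a key the app never declared is dropped without any log line, and a value of the wrong type (the string "false" instead of a boolean) is read back by the app as its declared default.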
2. Error: “App is already installed” / Fails to Manage (iOS)
The Symptom: You try to push a corporate application (like Microsoft Word) to an employee’s iPhone, but the installation fails. Alternatively, the app installs, but your “Managed Open In” data restrictions aren’t working on it.
The Root Cause: The employee already downloaded that exact app from the App Store using their personal Apple Account before you tried to deploy it. Because the device sees it as a “personal” app, it keeps it outside of your secure Hexnode Business Container, preventing your DLP restrictions from applying.
The Fix: You need to convert the personal app into a managed app. How you do this depends on the device’s supervision status:
For Supervised iOS Devices (iOS 9.0+)
You can silently convert the app without reinstalling it or alerting the user.
- In the Hexnode UEM portal, navigate to the Manage tab and select the target device.
- Go to the Applications sub-tab on the device summary page.
- Locate the unmanaged app in the list, click the gear icon next to it, and select the Manage App option.
- The app instantly and silently becomes managed, bringing it inside the Business Container.
For Unsupervised iOS Devices (Standard BYOD)
Apple’s MDM protocol does not let the server take over an existing personal app on an unsupervised device without the user’s involvement.
- The end-user must manually delete the personal application from their home screen.
- Once deleted, push the application again directly from the Hexnode portal. It will install as a managed app and adhere to your Business Container DLP rules.