We publish applications in the catalog and allow users to install applications on-demand, but what applications they can access is based upon what AD group is assigned to the apps. Not everyone needs to see EVERY application or have access to download it. I do however have one smart group that is 'all' that is assigned to public applications like Aetna or Avis.
I recommend giving instructions for users to download the apps from the Apple App Store (for iOS devices) when possible. I am not a huge fan of the App Catalog/WS1 App Store for the simple reason that apps downloaded from there will be removed from users' devices if: 1. They download apps from the App Catalog/WS1 App Store, then 2. You ever remove that app from the App Catalog/WS1 App Store. An example of this is Junos Pulse VPN changing to Pulse Secure. If users had previously installed Junos Pulse from the App Catalog/WS1 App Store, then we deleted the app from the App Catalog/WS1 App Store, then it got removed from users' devices. I prefer to have more control, so that I could remove Junos Pulse from the App Catalog/WS1 App Store, but not remove it from users' devices, then have the new Pulse Secure available in the app store, and then choose how/what timeframe to migrate users off of the old app. That said, there are scenarios that require the app to be in the app store. For example, if you wanted to use Boxer with specific settings/custom key values, then I believe you have to list it in the App Catalog/WS1 App Store. You can still get away with people downloading it from the Apple App Store, but I think it still needs to be listed in the App Catalog/WS1 App Store. Another scenario is if you only wanted to whitelist apps (probably would not want to do this in a BYO situation), then you would be forced to use the App Catalog/WS1 App Store anyway. I am not sure if the same limitations I mentioned apply to Android as well or not. Also, everything I mentioned I apply to BYO and corporate-owned devices. TLDR: only put apps in the App Catalog/WS1 App Store if you have to for specific configurations. Hope that helps in some way and I did not misunderstand your question!
So do you have AD groups based on role in the organization or AD groups per app? And are these individuals usually already in these groups, so they automatically get access to these apps when they enroll, or are they added when they request access to something? Right now I was thinking of having our help desk go into WS1 and assign a user to a user-based smartgroup, say for email, and then they would either get the app automatically or install it from the catalog.
My big challenge is almost none of the apps in our organization will work without additional configuration. So say email is an option for everyone: they need to have ActiveSync turned on before it will work, which here is a per-user setting they need to request, so if they see and install Boxer it won't work.
Thanks as well John. Only challenge with your approach, and just info I eliminated this post, is we want to be able to remove any app considered a company app should they leave the organization. Any app they install themselves that isn't assigned to the device thru WS1 or taken over ownership of in WS1 will remain on the device. In some cases I can see this making sense for me as well. Like if we use an app like MobilePass that they also may use for other things than us. Some of our medical apps and email we want to make sure they remove. Then I'm torn by an inconsistent approach. For these apps you go download them yourself, for the other ones get from the catalog. Personally I still like pushing the apps to the user when assigned to them, but it may take some concept of independent choice on their personal phones away from them.
Thanks for that additional info Steve. I can see your conflict. I suppose you could still manage any corporate apps/add them to the App Catalog/WS1 App Store, make sure the 'make mdm managed if user installed' is selected, then still direct users to download directly from the Apple App Store. You can then decide if you want to select the option of auto-removing the managed app on un-enroll or not. Also, since these are BYO, I assume they will not be supervised devices, which means the user would need to accept the MDM management of apps downloaded from the Apple App Store.
Thanks Beth. Don't know if I've ever done that before. Are you suggesting a SmartGroup set to DEVICES OR USERS that auto-syncs with an AD group? Haven't played with syncing AD to auto-create users, but wasn't aware you could sync an AD Group to a SmartGroup.
Yeah, within the SmartGroup you can choose user groups that are part of the filter. Handy for assigning apps. Allows other depts etc. to assign apps without having to access AirWatch. Just add and remove the users to an AD group and let AirWatch sync it. You just have to be aware of the sync times based on your scheduler and notify the people making changes in AD about the lag times in sync to AirWatch.
Create AD Group, add it to the console (Groups and settings > groups > user groups). Then create a smart group based upon the criteria of user group. Assign that smart group to Boxer and let the sync with AD do its thing. You can always manually sync the group if a user needs immediate access after being added to the group, but if it can wait it's a hands-free type of deal. I love it!
You need to change user group by clicking the down arrow next to it and then select the AD group name that you added under 'user groups'. If it removes all of the devices, that means those users are not a part of that AD group you are using.
Any means that you are not specifying any AD group or ownership type. Think of all of them as a filter in Excel... If you haven't made a selection, it will not exclude/include any.