Select to view content in your preferred language

Mobile Application Management and Esri's Field Apps

6249
12
08-06-2017 10:23 PM
JeffShaner
Esri Regular Contributor
4 12 6,249

Keeping track of mobile devices with access to your corporate network, maps and data is more important than ever. Organizations are implementing an Enterprise Mobility Management (EMM) solution that provides for management of devices, provisioning of mobile applications, and compliance with corporate policies, and authentication with proper network access control.

 

There are a number of Mobile Device Management (MDM) products that help you implement your EMM solution and they all include support for Mobile Application Management (MAM). Here are just a few that Esri Apps have been deployed with – MobileIron, AirWatch, XenMobile, MaaS360, Meraki, InTune.

 

Esri Apps and MDM Products

MDM products can connect directly to the Apple App Store or Google Play and you can manage and deploy applications to your mobile workforce. Esri apps like Explorer, Collector, Navigator and Workforce support per-app VPN so that you can secure device access to internal resources and reduce the inbound connection to a single app at the same time. When considering how you deploy Esri Apps through your MDM, please note that App wrapping is not supported.

 

Field Apps and Managed App Configuration

Talking with several customers deploying Esri Apps using an MDM, we are following the guidelines found within the AppConfig community.  Explorer, Collector, and Workforce on the iOS and Android platforms have started including settings that take advantage Managed App Configuration API's for each platform. Implementing the MobileAppConfig on iOS and the Backend Service Configuration on Android, you can now streamline app deployment be allowing your MDM to push down the URL of your ArcGIS Enterprise portal.

 

Implementing the portalURL key that is of Data Type: String, apps will bypass the Portal URL sign in screen and automatically present the OAuth screen from your portal, easing the sign in process for your field workforce.

 

With Mobile Iron, the following steps can be used to push the Portal URL (using Explorer for ArcGIS on the iOS platform as the example):

  1. In the Core Admin Portal, go to Policies & Configs and navigate through Configurations > Add New > iOS and OS X > Managed App Config.
  2. Edit the Managed App Configuration with the Name, Description, BundleID and select the external file (PLIST), that contains the App-specific key-value pair configurations required for the app.
    Note: You can find the bundle ID for iOS apps by going to Apps > App Catalog, and clicking the hyperlink to edit the app. The bundle ID resides in the inventory field in parenthesis.
  3. To create the PLIST file, create a text file with the following text (see picture below). Replace the value in the portalURL key (<string>value</string>) with your organizations portal url. Save this file as a “.plist file (ie explorerAppConfig.plist).

Mobile Iron PLIST

Here is how it works with Cisco Meraki, the following steps can be used to push the Portal URL:

  1. On Systems Manager, go to Apps > Add New > iOS app > Add App (Enter “Explorer for ArcGIS”) > Add.
  2. Within the Systems Manager, go to Settings > Add > New Meraki managed profile > Create New Profile > Add settings > Choose an app / Settings (see picture below) > Add Setting.

Meraki Config

If you are using another MDM product, please search their documentation for Managed App Config to find the necessary steps.

Moving forward, we are looking to expose more capabilities that follow the guidelines outlined by the AppConfig.org community. 

For more information about Esri's approach to Mobile Application Management, please read our patterns document on the ArcGIS Trust website.  

12 Comments
HECAdmin
Regular Contributor

Is this possible with an ArcGIS  tenant? We don't use portal but it would be nice if we could specify the ArcGIS organization url

HeatherMcCracken
Esri Contributor

Yes absolutely you can use this with your ArcGIS  org.  

Just specify your Organizations URL for the portalURL property.  For example, it might look something like this `https://myOrg.maps.arcgis.com` 

If you sign in just in the Web browser, you'll see your organizations URL in the address bar.

Hope this helps.

Thanks,

Heather

HECAdmin
Regular Contributor

Thanks for the quick reply Heather. I tried that in Explorer and I get a message box error that says "Sign In Failed. Unauthorized access". When I tap OK, I'm sent to the screen that prompts to sign in with ArcGIS  or ArcGIS Enterprise. If I tap ArcGIS  and then Enterprise Login, the URL is not filled out. I'm not sure if this matters or not, but my organization uses a mix of ArcGIS and Domain logins.

HeatherMcCracken
Esri Contributor

Ok HEC Admin (if that is in fact your real name?  )

Let me go through this workflow with a similar set up and report back.

Are you on iOS or Android?

Thanks,

Heather

HECAdmin
Regular Contributor

Of course it is!

We use iOS at my organization exclusively. FYI, I updated our org settings to use our domain logins only and still got the same error when I tried the app again. Let me know if you need any additional information from me.

Thanks again.

HeatherMcCracken
Esri Contributor

Also...

If you want to send an email to explorer4arcgis@esri.com (which comes to me and a couple of other folks on the Explorer dev team) - if you can send your Portal URL and I can try it (i don't need creds)

Then we can follow the investigation there, and then sum back to this thread.

Thanks,

Heather

PaulCone2
Frequent Contributor

 Hi Heather,

I watched your presentation at the 2019 Dev Summit and it was very informative -- thank you.  We are moving toward MDM (using Airwatch) later this year.  One question I have -- the people who will be doing the device management may be different than the people who are setting up the ESRI field apps.  Do you know if it is possible for Airwatch to use a group from ArcGIS Online or Enterprise as the group that should get an app and associated settings pushed out?

For example, if we have an inspector that is trained on a particular inspection type, then we add that person to an AGOL group that contains the map and Survey123 form.  Then can access the map via Explorer and the form via Survey123.  Then we would want them to automatically get the Explorer and Survey123 apps, plus an offline basemap, pushed to their device.  I'm not worried if we can't use an ESRI group to control who gets the apps but when it comes to pushing out an offline basemap we don't want to push that out to all mobile users across the organization, because the vast majority of them won't be using it.

Paul Cone

City of Portland, Oregon

HeatherMcCracken
Esri Contributor

Hi Paul,

Thanks for the feedback - and so glad you found the session informative.

To answer your question - you can use the same group to manage the AirWatch deployment as ArcGIS Online or Enterprise - if you use an Enterprise identity store (as opposed to the built in option).  Below are some help docs for AGOL and Enterprise for setting these up. You would just need to use the same identity store to define your Smart Groups in AirWatch.  Just double check that whatever IDP you choose is supported by both AirWatch and ArcGIS

- https://enterprise.arcgis.com/en/portal/latest/administer/linux/about-configuring-portal-authenticat...

https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm

- https://docs.vmware.com/en/VMware-AirWatch/9.1/vmware-airwatch-guides-91/GUID-AW91-UserAuthenticatio...

Secondly, thanks for that overview of your workflow that you are hoping to achieve with AirWatch.  I would love a chance to talk with you to learn more - how you use all the field apps, the workflows you are targeting, and to talk through the want to push offline basemaps to the device.  Deploying offline basemaps onto the device via MDM is not something we currently support, it is something we are looking into.  You are not alone in this request.

Would you be interested in getting on a call at some point in the near future? Or if you are going to be at the Users Conference (July 8-12) we can set up a meeting there.

You can email me at the Explorer4ArcGIS@esri.com and we can go from there?

Thanks,

Heather

Philip Wilson Scott Ball

GarethBaker1
Frequent Contributor

For what it's worth I get the same error message when trying to log in to Explorer on iOS if the portalURL key value is set via Microsoft Intune. It's as if it is trying to log in before I've given it any credentials so perhaps not unexpectedly it fails.

ShanonLoughton
Esri Contributor

Yes and also happening for Explorer on iPads for VMWare AirWatch 9.1 using Basic User Accounts. Was there a resolution for"Sign In Failed. Unauthorized access" message?

NicolasGIS
Frequent Contributor

Does anyone know if it is possible to automatically deploy TPK on Collector with MDM ?

Thanks

PeterPhillips
Esri Contributor

Hi Heather

In your 2019 Dev Summit presentation you included a table of the current support for MDM in the field apps. This included portalUrl for most apps (coming soon for Survey123 and Tracker), and enableLocalAuthentication for Navigator.

Have things moved on since March - is there a link where I can find a definitive list of what's currently supported?

Also, is there any specific documentation anywhere for using InTune with the apps?

Thanks very much

About the Author
I am the Group Product Engineering Lead for our Field Apps team at Esri. I work with an amazing team building out our field solutions. Please feel free to ask me anything about ArcGIS Field Maps, Workforce, and Navigator.