Security and Governance

Understand how your organization can control and protect your accounts.



Some customers might define privacy and security policies which require an extra layer of security for the devices – corporate or not – that their employees use for work purposes. This layer can imply actions like routing all the traffic of work apps through a VPN (Per-App VPN), restricting the available apps to a curated list defined by the customer or being able to wipe the device remotely.

In this kind of scenario, customers might make use of third party solutions that not only allow them to manage these devices, but also to supervise and control them. These solutions are commonly known as Enterprise Mobility Management (EMM) or Mobile Device Management (MDM).

Workplace, as an app for work, normally falls under the scope of the mentioned policies, and thus the EMM management.

Workplace and EMM

Workplace and EMM

Workplace features two mobile apps that are available on both iOS and Android – Workplace and Workplace Chat. For those customers that use an EMM solution, there are two different sets of configurations available for Workplace apps.

One of them is the set of features that are provided by most of the EMM solutions and that are natively supported by the mobile operating systems, and thus applicable to any app installed on the mobile devices, including Workplace. To know more, see the section on OS Supported Configurations.

The second one is the set of features that are specifically supported by Workplace apps, which can receive certain configuration values that can be deployed with the application to enable concrete features for the users.

This app supported configuration adheres to the specifications defined by the AppConfig Community, which is a standards body formed by many of the leading EMM vendors and application providers. AppConfig members include VMWare, SAP, MobileIron, IBM, SOTI, JAMF and Blackberry. The Workplace apps are configurable by any of these solutions. To know more, see the section on App Supported Configurations.

If your EMM solution is not a member of AppConfig, see the section on Support for non-AppConfig vendors.

Integrate with your EMM Solution

Integrate with your EMM Solution


Corporate devices must be registered and enrolled in an EMM solution. For Android devices, this means that they must have a work profile.

Once the device is enrolled, you have to follow these steps to configure and deploy Workplace Apps:

Register Workplace applications on EMM
In the apps section of the EMM solution, add Workplace and Workplace Chat as managed apps. Two applications per platform – iOS and Android – should be added.

Manage the access to the apps
Pick which users should have access to the Workplace applications.

Create a Configuration policy
In the app configuration section of the EMM solution, create a new Key Value (KV) pair configuration set following AppConfig guidelines.
See the section on OS Supported Configurations and App Supported Configurations for configuration values.

Assign the configuration policy
Assign the configuration policy created in the previous step to the Workplace apps and apply the policy to all the users of the Workplace apps.

Push the app to a device and test

For specific instructions, refer to the documentation of your own EMM:

Microsoft Intune
App Supported Configurations

App Supported Configurations

Workplace apps support the ability to be pre-configured with Key Value Pairs (KVPs).

Some keys should be mapped to a dynamic variable within the EMM solution representing the required value.

The KVPs (Key Value Pairs) that Workplace supports are listed below.


Expected Value





iOS, Android

Represents the Workplace username of the device’s assigned user.



iOS, Android

Defines whether the links on the Workplace apps should be opened with a predefined browser app or with the default in-app browser. Requires externalBrowserURLScheme to be set.


{external_browser_app_http-url_scheme} or {android_app_id}

iOS, Android

Defines which browser app should be used to open urls on the Workplace apps. Requires enableExternalBrowserSupport to be set to YES.

Email Address

Key: emailAddress

This configuration allows Workplace customers to pre-populate the Workplace account’s email that is going to be used in a given device.

If a customer knows that a corporate device belongs to a user, they can set this KV pair so the user doesn’t have to input their email address when login into the Workplace apps.

The field expects a string with the email of the user , i.e. john.doe@futureofwork.com.

Enable External Browser Support

Key: enableExternalBrowserSupport

By default, urls and links on Workplace apps are opened on an in-app browser. This configuration allows Workplace customers to define if the urls shared on Workplace should be opened with a different browser app, i.e. secure browser.

Managed/Secure browsers will frequently have different configuration and connection policies including per-app VPN, and that is why some customers may want to choose all Workplace linked traffic going to the corporate browser.

The field expects a string with YES in uppercase. It requires externalBrowserURLScheme KVP to be set.

External Browser URL Scheme

Key: externalBrowserURLScheme

This configuration allows Workplace customers to define which browser app should be used to open any url or link shared on Workplace.

For iOS, the field expects a string with the http-url scheme used by the external browser app in lowercase.

For Android, the field expects a string with the application ID used by the external browser app in lowercase.

It requires enableExternalBrowserSupport KVP to be set.

Below we offer a list of http-url schemes and Android application IDs for some of the most used browser apps. Check with browser vendors for further indications.


iOS http-url scheme

Android application ID

Apple Safari



Google Chrome



Mozilla Firefox






Microsoft Edge



Microsoft Intune Managed Browser



IBM MaaS360 Secure Mobile Browser



VMWare Airwatch Workspace ONE



Citrix Secure Browser



Blackberry Access



MobileIron Web@Work



OS Supported Configurations

OS Supported Configurations

In addition to providing many device security features, most EMM solutions provide application security capabilities that are natively supported by the mobile OS and that can be applied to Workplace. These include:

  • Remote wipe of the app.
  • Encryption of app data.
  • Restrict file export to managed apps.
  • Prevent backup of app data.
  • Route all app traffic through VPN (Per-App VPN).
  • Block screenshots (only Android).
  • Restrict copy-paste to managed apps (only Android).
  • Biometric/Pin Reauthentication (only Android).
  • Block jailbroken/rooted devices.

In some cases, customers may require that Workplace access be restricted to managed devices only. In these situations, there are two approaches that can be taken:

  • Certificate Based Authentication: Distribute a user certificate to the device through EMM and enable 2-factor authentication on the identity provider with the certificate as a required authentication factor.
  • IP Based Restriction: Configure the Workplace apps to use VPN through EMM and enable a policy on the identity provider limiting access based upon source IP address.
Support for non-appconfig.org vendors

Support for non-appconfig.org vendors

If your EMM solution is not a member of appconfig.org it may still support the use of app configurations, follow these steps:

Check with your EMM vendor on support for iOS managed app configurations.

Verify that the EMM vendor supports the use of a dynamic variable for user email address.

Create an iOS .plist file as shown below and replace the string variable with the email variable from your EMM solution.
<plist version="1.0">
<key> emailAddress </key>
<string> {EMM_Email_Variable} </string>

Upload the .plist file to the EMM solution and associate with the Workplace apps.

Push the app to a device and test.