You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/developer/app-sdk-ios.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -502,7 +502,7 @@ The Intune MAM SDK provides support for the following save locations defined in
502
502
*`IntuneMAMSaveLocationSharePoint` - This location represents both SharePoint online and AAD Hybrid Modern Auth SharePoint on-prem locations. The identity associated with the SharePoint account should be passed in as the second argument.
503
503
*`IntuneMAMSaveLocationLocalDrive` - This location represents app-sandbox storage that can only be accessed by the app. This location should **not** be used for saving via a file picker or for saving to files through a share extension. If an identity can be associated with the app-sandbox storage, it should be passed in as the second argument. If there is no identity, `nil` should be passed instead. (For example, an app might use separate app-sandbox storage containers for different accounts. In this case, the account that owns the container being accessed should be used as the second argument.)
504
504
*`IntuneMAMSaveLocationCameraRoll` - This location represents the iOS Photo Library. Because there is no account associated with the iOS Photo Library, only `nil` should be passed as the second argument when this location is used.
505
-
*`IntuneMAMSaveLocationAccountDocument` - This location represents any organization location not previously listed that can be tied to a managed account. The organization account associated with the location should be passed in as the second argument. (e.g. Uploading a photo to a organization’s LOB cloud service that is tied to the organization account.)
505
+
*`IntuneMAMSaveLocationAccountDocument` - This location represents any organization location not previously listed that can be tied to a managed account. The organization account associated with the location should be passed in as the second argument. (e.g. Uploading a photo to an organization’s LOB cloud service that is tied to the organization account.)
506
506
*`IntuneMAMSaveLocationOther` - This location represents any non-organizational, not previously listed, or any unknown location. If an account is associated with the location, it should be passed in as the second argument. Otherwise, `nil` should be used instead.
507
507
508
508
##### Special considerations for save locations
@@ -529,7 +529,7 @@ The Intune MAM SDK provides support for the following open locations defined in
529
529
*`IntuneMAMOpenLocationCamera` - This location **only** represents new images taken by the camera. Because there is no account associated with the iOS camera, only `nil` should be passed as the second argument when this location is used. For opening data from the iOS Photo Library, use `IntuneMAMOpenLocationPhotos`.
530
530
*`IntuneMAMOpenLocationPhotos` - This location **only** represents existing images within the iOS Photo Library. Because there is no account associated with the iOS Photo Library, only `nil` should be passed as the second argument when this location is used. For opening images taken directly from the iOS camera, use `IntuneMAMOpenLocationCamera`.
531
531
*`IntuneMAMOpenLocationLocalStorage` - This location represents app-sandbox storage that can only be accessed by the app. This location should **not** be used for opening files from a file picker or handling incoming files from an openURL. If an identity can be associated with the app-sandbox storage, it should be passed in as the second argument. If there is no identity, `nil` should be passed instead. (e.g. an app might use separate app-sandbox storage containers for different accounts. In this case, the account that owns the container being accessed should be used as the second argument.)
532
-
*`IntuneMAMOpenLocationAccountDocument` - This location represents any organization location not previously listed that can be tied to a managed account. The organization account associated with the location should be passed in as the second argument. (e.g. Downloading a photo from a organization’s LOB cloud service that is tied to the organization account.)
532
+
*`IntuneMAMOpenLocationAccountDocument` - This location represents any organization location not previously listed that can be tied to a managed account. The organization account associated with the location should be passed in as the second argument. (e.g. Downloading a photo from an organization’s LOB cloud service that is tied to the organization account.)
533
533
*`IntuneMAMOpenLocationOther` - This location represents any non-organizational location, not previously listed, or any unknown location. If an account is associated with the location, it should be passed in as the second argument. Otherwise, `nil` should be used instead.
534
534
535
535
##### Special considerations for open locations
@@ -668,7 +668,7 @@ For more information about how to create a MAM targeted app configuration policy
668
668
App Protection Conditional Access blocks access to server tokens until Intune has confirmed app protection policy has been applied. This feature will require changes to your add user flows. Once a customer enables App Protection CA, applications in that customer's tenant that access protected resources will not be able to acquire an access token unless they support this feature.
669
669
670
670
### Dependencies
671
-
In addition to the Intune SDK, you will need these two components to enable App Protectoin CA in your app.
671
+
In addition to the Intune SDK, you will need these two components to enable App Protection CA in your app.
MAM-CA always applied | Ensure the user is targeted for both App Protection CA and MAM policy before enrolling in your app.| Verify that your app handles the remediation cases described above and the app can get an access token. |
800
-
MAM-CA applied after user enrolled | The user should be logged into the app already, but not targeted for App Protetion CA. | Target the user for App Protetion CA in the console and verify that you correctly handle MAM remediation |
801
-
MAM-CA noncompliance |Set up a App Protection CA policy, but do not assign a MAM policy. | The user should not be able to acquire an access token. This is useful for testing how your app handles IntuneMAMComplianceStatus error cases. |
800
+
MAM-CA applied after user enrolled | The user should be logged into the app already, but not targeted for App Protection CA. | Target the user for App Protection CA in the console and verify that you correctly handle MAM remediation |
801
+
MAM-CA noncompliance |Set up an App Protection CA policy, but do not assign a MAM policy. | The user should not be able to acquire an access token. This is useful for testing how your app handles IntuneMAMComplianceStatus error cases. |
802
802
803
803
## Telemetry
804
804
@@ -926,7 +926,7 @@ In iOS, web views can be used to surface a wide variety of web content without h
926
926
927
927
Because web views exist within the app, they expose it to potential data leaks. If a user is able to navigate to arbitrary external web pages within an app (either through intentional app design or by clever maneuvering through exposed links in the rendered web page's html content), then the user may be able to leak managed data from the app.
928
928
929
-
The Intune MAM SDK provides several APIs for handling different scenarios where both managed and unmanaged content is surfaced through web views within an app. **These APIs only need to be called if there is a managed user signed into the app.** Please see the table below as a quick guide on which API applies to which scenario.
929
+
The Intune MAM SDK provides several APIs for handling different scenarios where both managed and unmanaged content are surfaced through web views within an app. **These APIs only need to be called if there is a managed user signed into the app.** Please see the table below as a quick guide on which API applies to which scenario.
930
930
931
931
| Scenario | APIs |
932
932
|-|-|
@@ -979,12 +979,12 @@ If a web view is used to display user or organizational content but has a risk o
979
979
980
980
> The `setWebViewPolicyDelegate:forWebViewer:` method must be called directly on a WKWebView or SFSafariViewController.
981
981
982
-
Each time the web view navigates to a new page, the `isExternalURL:` delegate method will be called. Applications should determine if the URL passed to the delegate method represents an internal website where user or organizational data can be pasted in or an external website that could leak organizational data. Returning `NO` will tell the SDK that the website being loaded isa organizational location where user or organizational data can be shared. Returning `YES` will cause the SDK to open the URL in a managed browser rather than the WKWebView or SFSafariViewController if current policy settings require it. This will ensure that no user or organizational data from within the app can be leaked to the external website.
982
+
Each time the web view navigates to a new page, the `isExternalURL:` delegate method will be called. Applications should determine if the URL passed to the delegate method represents an internal website where user or organizational data can be pasted in or an external website that could leak organizational data. Returning `NO` will tell the SDK that the website being loaded isan organizational location where user or organizational data can be shared. Returning `YES` will cause the SDK to open the URL in a managed browser rather than the WKWebView or SFSafariViewController if current policy settings require it. This will ensure that no user or organizational data from within the app can be leaked to the external website.
983
983
984
984
985
985
### Web View APIs Example
986
986
987
-
An app is built with five web views (A, B, C, D, and E). Web views A, B, and C do not display user or organizational data. Web view D displays a organization page available to all users of the company. Web view E renders the user's documents which may contain links.
987
+
An app is built with five web views (A, B, C, D, and E). Web views A, B, and C do not display user or organizational data. Web view D displays an organization page available to all users of the company. Web view E renders the user's documents which may contain links.
988
988
989
989
Since the majority of web views are unmanaged (A, B, and C), we can set `TreatAllWebViewsAsUnmanaged` to reduce the number of times we need to call `setWebViewPolicy:forWebViewer:`.
0 commit comments