iManage Work Mobility for Intune Administration Help

Configure the following iOS Managed App Configuration settings.

In Intune, browse to Apps > Manage apps > Configuration.

NOTE: The following settings must be configured as shown for the iManage Work Mobility for Intune app to be deployed:

For Mobile Device Management (MDM) policies only:

IntuneMAMDeviceID (String) = {{deviceID}}

For either Mobile Application Management (MAM) or Mobile Device Management (MDM) policies, also configure the following:

IntuneMAMUPN (String) = {{userprincipalname}}
IntuneMAMOID (String) = {{userid}}
version = 2
allow_safari_for_login = false
enable_downloading
enable_printing
enable_airdrop
enable_native_email
open_in_send
open_in_receive
enable_privacy_curtain
enable_touch_id_for_passcode
number_of_passcode_retries_min_3_max_20_default_10
passcode_grace_period_seconds_min_10_max_999999999_default_60
show_demo_connection
server0_uuid
server0_name
server0_auth
server0_url

The following table lists all of the key-value pairs settings that can be specified:

NOTE: Identifiers are case-sensitive and must match exactly as defined.

Table: Key-value Pairs

Identifier	Type	Default	Description
IntuneMAMUPN	String	-	iManage Work Mobility for Intune is supported on managed devices or can be configured as a Managed App within the Device Enrollment Type settings in Intune. Include this application policy setting and set it to {{userprincipalname}} For more information, go to: https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios https://learn.microsoft.com/en-us/intune/intune-service/apps/app-protection-policies#device-management-types
IntuneMAMOID	String	-	Include this application policy setting and set it to {{userid}} There must be no spaces after {{ or before }}
IntuneMAMDeviceID	String	-	Include this application policy setting and set it to: {{deviceID}} There must be no spaces after {{ or before }} NOTE: Configure this setting only when defining a Mobile Device (MDM) policy. Don't use this setting when configuring iManage Work Mobility in a Mobile Application (MAM) policy.
version	Integer	2	Specifies the format version for configuration and is required. It must be set to 2.
open_in_receive	Boolean	true	Use this policy to restrict users from receiving document(s) in iManage Work Mobility from other applications. true: Users can import documents to iManage Work Mobility for Intune from other applications. false: Prevents users from importing documents to iManage Work Mobility for Intune from other applications. NOTES: When set to true, the Intune App Protection Policy configuration controls whether an iManage Work Mobility user can open or import documents from other apps. When set to false, no option is presented in the application to open or import documents from other apps, regardless of Intune App Protection Policy. This feature may be restricted or disabled because of MDM policies.
open_in_send	Boolean	true	Use this policy to prevent users from sending document(s) in iManage Work Mobility for Intune to other applications. true: Lets users send documents from iManage Work Mobility for Intune to other applications through the Open In feature of iOS. false: Documents can't be sent from iManage Work Mobility for Intune to other applications. NOTES: This feature may be restricted or disabled because of MDM policies. When set to true, the Intune App Protection Policy configuration controls whether an iManage Work Mobility user can send documents to other apps. When set to false, no option is presented in the application to send documents to other apps, regardless of Intune App Protection Policy. AirPrint and AirDrop are automatically disabled as well. If the application receiving the file doesn't support the file type, this feature may be restricted.
enable_native_ email	Boolean	true	Use this policy to prevent users from sending documents as email attachments from iManage Work Mobility for Intune through the native email (Mail app) application. true: Lets users send an iManage Work document as an email attachment using the iOS Mail app. false: Prevents users from sending an iManage Work document as an email attachment. NOTES: Emailing a document is displayed when a user taps iOS Activity or Email. If you want to prevent emailing documents, then you must also set enable_open_in_send to false. This also restricts users from editing documents from iManage Work Mobility. NRLs aren't restricted by any application policies currently.
enable_airdrop	Boolean	true	Use this policy to prevent users from sharing documents in iManage Work Mobility for Intune using AirDrop. Apple's AirDrop feature enables the transfer of files between supported Macs and iOS devices without using mail or a mass storage device. true: Lets the user share the downloaded documents through AirDrop. false: Disables sharing the documents through AirDrop. NOTES: This feature may be restricted or disabled because of MDM policies. The Intune Policy for Sharing will filter out AirDrop in some settings. If open_in_send is set to false, AirDrop is always disabled.
enable_printing	Boolean	true	Use this policy to prevent users from printing documents from iManage Work Mobility for iOS. true: Lets users to print downloaded documents through iOS AirPrint. false: Disables the printing of documents. NOTES: The Intune Policy takes precedence over this setting. This feature may be restricted or disabled due to MDM policies. If open_in_send is set to false, AirPrint is always disabled. If your MDM policy configuration prevents emailing documents out of iManage Work Mobility for iOS, users can use Print Preview of a PDF as a workaround, as it can be distributed through the iOS Mail app. For more information, refer to Apple bug report 45524779.
enable_ downloading	Boolean	true	Use this policy to restrict users from downloading documents to their mobile devices from iManage Work Mobility. true: Documents may be downloaded to the device. false: Prevents bulk download of documents to the device.
enable_privacy_ curtain	Boolean	true	Privacy Curtain is a security feature that obscures the contents of iManage Work Mobility for Intune when the application isn't active. This setting isn't applicable to iManage Work Mobility for Intune. To set this in Intune, access Client Apps > App Protection Policies > Properties > Access Requirements.
enable_touch_id_ for_passcode	Boolean	true	Lets users sign in to iManage Work Mobility for Intune through Touch ID or Face ID on their mobile device. This setting isn't applicable for iManage Work Mobility for Intune. To set this in Intune, access Client Apps > App Protection Policies > Properties > Access Requirements.
show_demo_ connection	Boolean	true	NOTES: We recommend you disable the Demo connection for any production environments so that it isn't visible to users. After a user has signed in to the Demo connection, it can't be removed from the list of connections displayed in the sidebar. Controls the visibility of a public iManage Work demonstration environment, which can be used to test the iManage Work Mobility for iOS application before it's deployed in your environment. true: The Demo connection is displayed at the bottom of the servers list on the sign-in screen. false: The Demo connection isn't displayed.
number_of_ passcode_retries_ min_3_max_20_ default_10	Integer	10	The number of times the application passcode can be entered before all locally stored data is erased from the device (no data is impacted on the server). This setting isn't applicable to iManage Work Mobility for Intune. To set this in Intune, access Client Apps > App Protection Policies > Properties > Access Requirements.
passcode_grace_ period_seconds_ min_10_max_ 999999999_default_60	Integer	10	When switching away from the application, there's a time delay before the App Lock is enforced, requiring the user to enter the application passcode (or if configured, Touch ID). The minimum is 10 seconds and the maximum is 999999999 seconds (effectively requiring the user to enter the application passcode or use Touch ID only when the application starts or restarts). This setting isn't applicable for iManage Work Mobility for Intune. To set this in Intune, access Client Apps > App Protection Policies > Properties > Access Requirements.
prevent_copy_to_clipboard	Boolean	false	Use this policy to prevent users from copying content in iManage Work Mobility for Intune, and pasting it into a clipboard or pasteboard. This policy configuration secures iManage Work data. false: This setting is the default, and it allows users to copy text from an iManage document to other applications. true: The clipboard or pasteboard in iManage Work Mobility for Intune is cleared when a user copies text from any document. This effectively stops copying any data from iManage Work Mobility for Intune as the user can't paste any text into other application(s). NOTE: This feature may be restricted or disabled due to MDM policies.
view_mode	Boolean	false	Use this policy to offer users a View-Only experience in iManage Work Mobility. Disabled (default): This allows the user to: Edit documents using an external application Drag documents to a folder Upload documents to a folder using the upload option File an email Auto upload Use Experimental Conversion to PDF Settings Annotate documents Enabled: This setting prevents the user from performing the following activities: Open documents using an external application NOTE: Having open_in_send enabled (with View-only Mode also enabled) allows for previewing files in an external application. Any edits made to the document won't get saved to iManage Work. Drag documents to a folder Upload documents to a folder using the upload option File an email Auto upload Use Experimental Conversion to PDF Settings Annotate documents When enabled, this setting supercedes the open_in_receive and enable_app_extensions settings. Even if they're enabled, the app won't honor the settings when view_mode is enabled. NOTE: After this policy is enabled, when users edit a document and try saving it back to the iManage Work Mobility app, the following error message is displayed: "MDM Policy - Application policy prevents from receiving files."
web_authentication_mode	Integer	For existing deployments, no default (not set). allow_safari_for_login setting is used instead. For new deployments, the default is 2 (ASWebAuthenticationSession).	Use this policy setting to control which web-based authentication controller (embedded browser) is used when users are prompted to sign in to iManage Work. 0 – WKWebView: Enables the legacy embedded web-based authentication controller, WKWebView. Figure: Sign-in screen for WKWebView 1 – SFSafariViewController: Enables the Safari-based web-based authentication controller, SFSafariViewController. Figure: Sign-in screen for SFSafariViewController The primary difference to the user is the addition of the browser buttons at the top of the screen. 2 – ASWebAuthenticationSession: This is recommended by iManage. Enables Apple's latest ASWebAuthentication embedded web view controller for web-based authentication. NOTE: With option 2, the first time a user attempts to sign in to iManage Work, they're presented with a prompt. Users must tap Continue to proceed to the iManage Work sign in screen, as shown in the second figure below. Figure: User confirmation prompt during initial sign-in - ASWebAuthenticationSession Figure: Sign-in screen for ASWebAuthenticationSession 3 – Default browser: Rather than using an embedded web view or web view controller, the app switches to the iOS default browser, and when authentication is complete, the browser switches back to the Work 10 app. By default, the default browser is Safari, but the user can change this to any browser such as Edge or Chrome. 4 – Microsoft Edge browser (if installed): Similar to 3 above, but instead of loading the default browser, a specific URL for Microsoft Edge is used. If the user has specified a different default browser and authentication needs to be on Edge, use this setting. If Edge isn't installed, no sign-in screen is displayed and the user can’t sign in. 5 – Google Chrome browser (if installed): Similar to 3 above, but instead of loading the default browser, a specific URL for Google Chrome is used. If the user has specified a different default browser and authentication needs to be on Chrome, use this setting. If Chrome isn't installed, no sign-in screen is displayed and the user isn't able to sign in. 6 – AirWatch/VMware Workspace One browser (if installed): Similar to 3 above, but instead of loading the default browser, a specific URL for Workspace One is used. If the user has specified a different default browser and authentication needs to be on Workspace One, use this setting. If Workspace One isn't installed, no sign-in screen is displayed and the user isn't able to sign in. When set, this web_authentication_mode policy setting replaces the allow_safari_for_login policy setting. For customers who have already deployed iManage Work Mobility: If the web_authentication_mode policy setting is blank or not set, iManage Work Mobility uses the value set for allow_safari_for_login instead. For customers deploying iManage Work 10.20.2 or later for the first time: If both web_authentication_mode and allow_safari_for_login policy settings are blank or not set, iManage Work Mobility defaults to web_authentication_mode = 2 (ASWebAuthenticationSession). NOTES: The Web Authentication Mode policy setting is ignored if the Server0 Auth policy setting is set to 0 (Explicit Login). This uses a standard sign-in dialog instead of a web-based authentication controller. Regardless of this Web Authentication Mode setting, iManage Work Mobility uses the WKWebView embedded web controller when displaying pages directly from iManage Work Web, such as a document's Timeline, or for iManage Share pages.
allow_safari_for_ login	Boolean	true	IMPORTANT: For Intune deployments using web-based authentication (serverx_auth=1,2.3), you must set allow_safari_for_login to false. Intune doesn't support allow_safari_for_login. Use this policy to prevent users from signing in to the application using Safari in iManage Work Mobility for Intune. NOTE: If web_authentication_mode is set to any value, this allow_safari_for_login setting is ignored. true: This setting is the default. When users select Sign In on the Work Mobility application, they're directed to a new Safari window to sign in using their company credentials. NOTE: When set to true, Safari allows users to save their credentials in the secure iOS Keychain. false: When users select Sign In on the Work Mobility application, they're directed to an embedded web view window to sign in using their company credentials.
enable_analytics	Boolean	true	This policy controls whether a user will be prompted to opt in or out of sending analytics to iManage. It doesn't explicitly set up analytics on the app. This option is enabled by default. NOTES: We don't track the actual data, such as client and matter information, document names, and so on. Users opting in for analytics aren't tracked individually. Data collected isn't used to determine individual use.
login_user_account_auth0_only	String	-	Allows you to optionally enter a user ID in the sign-in dialog. This applies only when Server Authentication is set to 0 - Standard/Explicit.
force_user_interaction_on_edit_in_place	Boolean	false	Use this policy to control how the app responds when a user saves edits back to iManage Work. This setting is available in iManage Work 10 Mobility version 10.23.4 and later. false: The default setting. After editing a document opened from iManage Work, navigating back to the iManage Work Mobility app automatically saves the user's changes as a new version of the document. Additional edits to the open document are saved to the same version. When finished with their changes, the user must manually check in the file in iManage Work. true: After editing a document in iManage Work, navigating back to the iManage Work Mobility app prompts the user with the following dialog. This gives the user control over how they want to save their edits. Save as New Version: Saves the edits as a new version of the document in iManage Work. Save & Sync: Saves the edits to the existing version of the document in iManage Work. Figure: Unsaved document dialog

SERVER CONFIGURATION

These settings define the iManage Work environments to which users can connect. Multiple connections may be configured, including cloud and on-premises environments.

These are displayed in numerical order based on the integer in the identifier, starting with 0. For example, server2_uuid is the third connection option displayed.

NOTE: You must define at least one entry (server0) to allow users to connect to iManage Work.

Identifier	Type	Default	Description
server0_uuid	String	-	A universally unique identifier to uniquely identify this entry. These can be generated by visiting https://www.uuidgenerator.net/version4. Example: b985dc4b-3232-4719-9d1d-cf0162badc30 NOTES: After a UUID is assigned to a server, the mapping between the UUID and server can't be altered as this can cause connectivity issues for the clients. The UUID can't be blank or duplicated. If any of the servers have a duplicate or blank UUID, that .immconfig file is rejected and a previously passed file is implemented.
server0_name	String	-	The name that'll be displayed in the app in the list of available iManage Work connections.
server0_auth	Integer	-	The authentication type for the server. The valid values are: 0 - Standard: Supports both Work credentials and domain/username and password for explicit network authentication. 1 - ADFS (on-premises ADFS Server): Displays an embedded web view where the user must follow whatever authentication procedures the company has defined for the ADFS implementation. 2 - Common login: Provides single-sign-in for iManage Work 10 client applications. The login UI maintains information about the currently signed-in user in its session cookie. 3 - Use Oauth2 Refresh Token and Access Tokens: For more information, refer to Enable access request tokens. This option minimizes the number of times a user is prompted to sign in. Username, password, and access tokens and refresh tokens are stored in the iOS Keychain.
server0_url	Text	-	The iManage Work URL for users to access iManage Work via this app. For iManage Work at cloudimanage.com, enter cloudimanage.com For imanage.work or on-premises, enter the Work Server URL that matches the SSL certification. NOTE: Adding HTTPS or ports such as :8000 to this value is ignored. HTTPS and port 443 are always used. SSL/TLS is always used, in accordance with the most secure settings of iOS security.

The following figure shows an example of the configured settings in Intune.

Figure: Target App Config (example key-value pairs)