Product Documentation

Automated Actions Example: Notifications for Blacklisted Apps

Dec 21, 2015

This topic is an example procedure that illustrates using Device Manager Automated Actions to set up an automatic notification to inform users when they install a forbidden (also known as "blacklisted") app on their device. You can manage user devices to make sure that a work device installs the approved list of apps only, and that the device does not have any forbidden apps installed.

This example shows the following tasks:

  • Configure the notification template you want to send.
  • Create an Applications Access policy to designate an iOS app named Word with Friends for Free as forbidden (blacklisted).
  • Create an Automated Action that sends a notification when a device violates a forbidden Applications Access policy.
  • Deploy the Automated Action and Applications Access policy to your device in a deployment package.
  • Install the Words with Friends for Free on your iOS device.
  • Receive the Notification.

To configure a notification template

When users install a forbidden app on their device, you can send the correct notification by using a template for the message that is sent when the non-compliant blacklist or whitelist trigger is correctly configured.

By default, all notification templates are configured to use the ${user.mail} macro, which uses the email address of the device owner who receives the notification. If you want notification emails to be sent to an administrative user; for example, to notify an administrator that a device has been jailbroken, you can enter the administrator email address in the To field.

  1. In Device Manager, click Options.
  2. In the Server Options dialog box, in the left pane expand Notification Templates.
  3. In the right pane, under Notification Templates, click Non Compliant Blacklist / Whitelist .
  4. In the Edit a Notifications Template dialog box, on the Settings tab, in Channels, select the channels of communication you want to use.
  5. Click the SMTP tab and do the following:
    1. In From, enter the name or email address from whom the notification is sent. This is not a mandatory field, however Citrix recommends adding the name or email address.
    2. In To, leave the command $({user.mail}. If you modify the To field, the email might not be sent correctly.
    3. In Message, you can modify the message except for the macros ${firstnotnull(device.TEL_NUMBER,device.serialNumber)} and ${outofcompliance.reason(whitelist_blacklist_apps_name)}. If you modify or remove the macros, the email might not be sent correctly.
  6. Click Update. When you click Update the template is ready for the Automated Action.

Next you will create a blacklist for an app, so you can use the blacklisted app as a trigger for your automated action later. This example uses the Words with Friends Free app.

To create an Applications Access policy for a forbidden app

  1. In the Device Manager web console, click the Policies tab.
  2. On the left side of the console, under App Policies, Global > Applications Access Policies.
  3. Click New Applications Access Policy.
  4. In the Add a new Applications Access Policy dialog box, type Words with Friends for Free.
  5. In Access policy, click Forbidden (blacklist).
  6. In OS type, select the iOS.
  7. Click New app.
  8. In the Add a new application dialog box, enter the following:
    1. In App Name, type the name of the app. For example, type Words with Friends Free.
    2. In App bundle ID, type the bundle name of the app. For example, type com.zynga.WordsWithFriendsFree.
  9. Click Create. This will create the application in the list. The app appears in the list in the Add a new application dialog box.
  10. Click Create again to create the Application Access Policy. Once created, you can add this policy to a deployment package and deploy to the devices you want to manage.

Next, you create an Automated Action that sends a notification email to users when they install a blacklisted app on their device.

To create an Automated Action

  1. In Device Manager, click the Policies tab.
  2. In the left pane, under Global, click Automated Actions and then in the right pane, click New.
  3. In the New automated action dialog box, do the following:
    1. In Name, enter Blacklist Notify.
    2. Under Trigger, in Trigger Type, select Applications and in Name, select Installed.
    3. Under Condition, in Condition, select Is and then in Value, enter WordsWithFriendsFree.
    4. Under Action, in Action, select Notify.
    5. Under Action, in Template, select Non Compliant Blacklist / Whitelist.
    6. Under Options, select Delay and then configure 10 minutes.
    7. Under Options, select Repeat wait and configure one hour. This option allows you to delay sending the notification message in the event that there is a communication failure between the device and Device Manager.
  4. Click Create.

In the last task, you will create a deployment package that contains Automated Actions and then push that deployment to user devices.

To deploy automated action and Applications Access policy to devices

Once on your device, you install the blacklisted app to trigger both the notification message that your device is out of compliance, and to trigger the Secure Mobile Gateway block on the server.

Citrix recommends that you create separate deployment packages for your Automated Actions and deploy them separately from other packages. Additionally, make sure you configure Deploy to anonymous users in the Groups of users page of the package, to include those users who may have removed their agents, or who have had their Active Directory account disabled.

You run the Create New Package wizard to deploy packages. During the wizard, you select the following:

  • Groups to which the policy is deployed.
  • Resources that include the Automated Actions you created and the Software Inventory resource.
  1. In Device Manager, click the Deployment tab, and then click New Package > New iOS Package.
  2. In the Create New Package wizard, in the Package Name window, enter a name for the package and then click Next.
  3. In the Groups of users window, select a group you want to deploy this policy to and then click Next.
  4. In the Resources to be deployed window, under Available Resources expand the Automated Actions section and select the two Automated Actions you previously created in the last step. Then, click the right arrow to add the resource to the deployment package.
  5. Next, in the Available Resources list, under Applications Access Policy, select the Forbidden policy you previously created and click the right arrow button to add it to the package. Click Next.
  6. In the Deployment schedule window, select the If not deployed Start Now option. Click Next.
  7. In the Deployment rules page, click Next.
  8. In the Package summary page, click Finish.
  9. When the wizard is complete, in Device Manager, click Deploy to deploy the packages.

When Device Manager finishes the deployment, select the deployment package, and then click the Details button to see information about the success of the package deployment. When the package shows as deployed, then you can move on to the next and step and install the blacklisted app on you iOS device.

When the users targeted in the deployment install the blacklisted app on their iOS device, Words with Friends Free, users receive a notification message that the app is not allowed.