Enterprise Mobile Management


NetDocuments offers an additional variant of its iOS and Android mobile apps that can be used with any Enterprise Mobility Management (EMM) vendor’s management platform that supports the AppConfig standards, such as VMWare AirWatch, MobileIron and IBM Maas360.  

The EMM version of the iOS app was initially released on 18 July 2017 and has been continually updated. Get it on the iTunes app store.

A single version of the Android app was initially released on 8 December 2017 that includes EMM features. 

Get it on Google Play

On 11 December 2018, versions of the Android app for MaaS360 and AirWatch were released.

What is AppConfig?

Historically, when a mobile app developer needed to create a version of its app to support a specific EMM platform, the developer needed to use the EMM vendor's proprietary SDK, which required the creation of a custom version of the mobile app for each EMM vendor, in addition to the need to test and maintain each version of the app separately (plus the need to maintain separate AppStore listings), even though each EMM version of the mobile app provided essentially the same features and restrictions. 

The AppConfig Community was created to allow a mobile app developer to offer a single EMM version of its mobile app, using agreed-upon standards, that any EMM vendor could choose to support. Because the AppConfig standard has gained traction with leading EMM vendors, NetDocuments has determined to offer a version of its iOS and Android apps that supports AppConfig.  NetDocuments also has joined the AppConfig community.

How it Works

To restrict a repository to use only the EMM version of the app, the firm must configure device settings so that only the EMM version of the app can connect to their repository. See Mobile Device Management.


Any EMM platform that supports AppConfig can manage every AppConfig mobile app in specifically defined ways, like deployment and tunneling. (Other platforms that do not officially support AppConfig have also been used to manage the NetDocuments mobile apps, including Citrix XenMobile and Intune.)  In addition, each mobile app vendor can choose to add other restrictions that are specific to its mobile app, which restrictions can be configured from the EMM platform.  

Below are the settings that are applicable to the EMM version of both the iOS and Android app:

Configuration Key

(Each has a name and its String or Integer value.  Depending on the EMM platform, enter EITHER the name or the value, but not both.)


kMDM_APP_HOST (alternatively, kMDM_HOST for iOS)

ACPHOST_US = “US” (this is the default if this key is not set)


Set the default host location that the app will login to

kMDM_APP_LOGIN_VIEWER (or kMDM_LOGIN_VIEWER) (applicable to iOS only)

Classic = 0 (default)
New = 1

Use the New (1) setting to support certificates used as part of federated identity authentication, or for other, non-standard forms of authentication.



A string value The repository ID of client's repository, which will allow
users to bypass the normal login page and go directly to
the organization login page.  (For example: "CA-1AZ9MNOP".)  This may not work for every client.





Controls the Open In feature


An array of bundle IDs. Learn how to find an app's bundle ID

This is a list of apps that can be used to open documents





0 - Restricts copying from documents and pasting to other apps

1 - Allows users to use copy/paste

Note that the setting to allow copying and pasting to secured applications is no longer supported on iOS (value 2), because iOS cannot support it.  2 - Restricts copy/paste to only work between apps that are managed by their provider's profile. 

kMDM_APP_OFFICE365_POLICY (alternatively, kMDM_OFFICE365_POLICY for iOS)

ACOFFICE365_HIDDEN = 0: hide the “Edit Using” button and do not allow the user to enable the setting
ACOFFICE365_DISPLAYED = 1: always show the “Edit Using” button and do not allow the user to disable the setting
ACOFFICE365_HIDDEN_DEFAULT = 2: show but uncheck the “Edit Using” button by default, but allow the user to change the setting to display it
ACOFFICE365_DISPLAY_DEFAULT = 3: by default Open in Office is enabled, but the user can disable it.
Whether to show the “Edit using Office” button

ACAUTOLOGIN_AVAILABLE = 0: auto login is available (this is the default if this key is not set)
ACAUTOLOGIN_DISABLED = 1: auto login is disabled and cannot be enabled
ACAUTOLOGIN_ENABLED = 2:  auto login is enabled by default but can be disabled

Whether auto login is available 
kMDM_APP_PASSCODE_POLICY (alternatively, kMDM_PASSCODE_POLICY for iOS) ACPASSCODE_OPTIONAL = 0: no passcode required (this is the default if this key is not set)
ACPASSCODE_REQUIRED = 1: passcode required
Whether the passcode is optional or required


(Not yet available for Android)

An integer with a value of 4, 6 or 8 (the default is 4) The required passcode length, which cannot be changed by the end user.

EMAIL_POLICY_UNAUTHORIZED = 0: NO emails may be sent from the app. Neither the Email Link nor Email Copy options will be available in the Open In menu.
EMAIL_POLICY_DEFAULT_APP = 1: When emails are sent, use the default email app for the device (likely Mail for iOS). This is the default if this key is not set.
EMAIL_POLICY_MAAS360_SECURE_MAIL = 2 (iOS only): When emails are sent, the MaaS360 Secure Mail app will be used. If that app is not installed, no email will be sent.
EMAIL_POLICY_VMWARE_BOXER_MAIL = 3 (iOS only): When email links are sent, the VMWare AirWatch Boxer email app will be used. If that app is not installed, no email will be sent.  When this setting is used, the email copy feature will be disabled, because Boxer cannot be used to send attachments from another app.

Whether the app can send emails
kMDM_APP_EMAIL_LINK_POLICY EMAIL_LINK_POLICY_UNAUTHORIZED = 0: NO Email Links may be sent from the app. In that case, the Email Link option will not be shown in the Open In menu.
EMAIL_LINK_POLICY_AUTHORIZED = 1: Email Links may be sent from the app (this is the default if this key is not set).
Whether the app can send Email Links
kMDM_APP_EMAIL_COPY_POLICY EMAIL_COPY_POLICY_UNAUTHORIZED = 0: NO Email Copies may be sent from the app. In that case, the Email Copy option will not be shown in the Open In menu.
EMAIL_COPY_POLICY_AUTHORIZED = 1: Email Copies may be sent from the app (this is the default if this key is not set).
Whether the app can send Email Copies
kMDM_APP_SECURITY_CODE (alternatively, kMDM_SECURITY_CODE in iOS) A string value of at least 8 characters and no more than 50 characters

An optional code that
must match the same
code entered on the
Device Management page
of the repository to allow the app to connect to
that repository.

kMDM_OFFLINE_POLICY (applicable to iOS only)


To disable the ability to take content offline.  When offline mode is disabled, content previously taken offline will be removed from offline storage.

kMDM_APP_WHATS_NEW (applicable to iOS only) WHATS_NEW_ENABLED = 1 (default)
To disable the What's New dialog from appearing when a user installs a new version of the app.

Each EMM vendor has their own management console and method for configuring AppConfig apps.

For the iOS app, some vendors require an .xml configuration file to be uploaded, whereas others may be able to pull this information from the AppConfig website.

View a Sample XML Configuration file that can be used for the iOS app. 

Here is a .plist version of the Configuration file

Here is a sample XML file that can be used for Intune for iOS. 

(For the kMDM_APP_OPEN_IN_WHITE_LIST setting, that require an Array in Intune and can be supported only by configuring Intune using the XML file and not from the Intune GUI.) 

Note that different MDM platforms use different application configuration formats, so these samples may not work with every MDM platform.

In order to manage the Android app, use the following version of the app based on the MDM platform being used:

Optional Security Code
A new, optional EMM setting has been added (kMDM_APP_SECURITY_CODE, alternatively, kMDM_SECURITY_CODE for iOS) to support a new security feature.  This feature must to be used in conjunction with a new setting available on the NetDocuments web interface.  This new feature can be used to limit the NetDocuments EMM mobile apps that can connect to a firm’s repository:  only apps installed on devices managed by that firm.

To use this new feature, a Repository Administrator must enter a security code on the Repository Admin page.  Then, using a supported EMM platform (such as AirWatch or MobileIron), an Administrator will push out the same security code to the NetDocuments apps managed by their firm (if the app is version 2.3 or later).  Each managed EMM app will present this security code to the NetDocuments server on the next login.  The security code presented by the EMM app must match the security code configured on the server.  If there is no match, the EMM app will not be able to access the firm’s repository.  (If the server has not been configured to use a security code, any security code presented by the EMM app will simply be ignored.) 

Push the latest version of the app to all of your users to take advantage of this feature.  When a security code is added or changed from an EMM platform and pushed it out to devices, all v2.3 iOS apps/v1.1 Android apps will be logged out and users will be forced to reauthenticate, to ensure that the new security code is presented to the server.

Here are the specific steps for configuring this new feature.  Please note that these steps should be followed in this order and in a timely manner.

First, using your EMM platform, push out the latest version of the EMM app to all of your users or otherwise ensure that all of the apps are upgraded. 

Second, on the “ndSync Policies and Device Management” page, configure your repository to limit access only to the EMM version of the NetDocuments mobile apps.  A new “Security code” field will be shown when the “Only allow NetDocuments for EMM app” option is selected:

Security_Code_Device_Management_Page.pngEnter a security code and submit the page.  The security code must be between 8 and 50 characters.

Finally, using the new kMDM_APP_SECURITY_CODE setting from your EMM platform, push out the same security code to those apps.  This final step should be completed as soon as possible after adding the security code on the server. 

Do not set a security code on the server until you are ready to deploy it to your mobile apps.

After taking these steps, from the device management page, you can see if there are any mobile apps connected to your repository that are earlier than v2.3 for iOS and v1.1 for Android.  If you cannot upgrade these devices from your EMM platform, then use the Device Management page to remove them.  

Some of them may be older apps that are no longer installed on any device.