I am in the process of enabling managed app configurations in my app so that if the device was enrolled in to a MDM program, it can the read managed configurations (as per AppConfig.org standards) and behave accordingly. My app is, however, distributed via. the Apple store and not via. MDM. For devices without MDM enrollment, there is a fall back behavior.
I have looked in to the documentation for Air Watch, Mobile Iron regarding the managed app configuration settings. Also, checked AppConfig.org but couldn't find answers to my questions.
My understanding of AppConfig and MDM is that MDM can securely deliver the configuration dictionary that is set in the MDM server to managed device's NSUserDefaults and the app can read from it. I am not sure what happens after this to the managed configurations settings in NSUserDefaults, if (a) the device gets un-enrolled from MDM (b) MDM un-installs/removes the app (c) User updates the app (assuming MDM allows it) from App Store (d) User temporarily disconnects/logs out from MDM client.
Once MDM writes to NSUserDefaults the configuration is available for use by the app, how does MDM control the delivered settings in the above scenarios?
In order for managed app config to work, the app must be managed by the MDM (EMM in AppConfig.org speak) - see step 3 under "App configuration" at https://appconfig.org/ios/
If the user already has the app installed prior to enrolling with the MDM then they will be prompted to allow it to be managed by the MDM.
To your specific questions:
a) If the user unenrolls then the recommended approach would be to remove the managed app and its data from the device. This will remove the managed configuration. If this option is not configured for the app on the MDM then the managed configuration may remain, as the MDM needs to explicitly remove it. The exact behaviour will depend on the MDM.
b) If the MDM or the user removes the app then all of the data, including the managed configuration will be deleted.
c) An app update won't affect the managed configuration. The configuration is not part of the bundle. Only the bundle is updated; app data is left intact during the update process. If your new version supports additional managed config keys then the MDM administrator may need to update their managed config and push an update to the devices. Your code should be flexible in handling the config keys; some may not be present initially if the admin has not configured them.
d) This is not an option; a device is either managed or it isn't. If the management profile is removed then it is case a.