Administration Guide
VSP Version 5.7
Standalone Sentry Version 4.7
Integrated Sentry Version 4.2
Android Client Version 5.6
iOS Client Version 5.7
WP8 Client Version 5.7
Revised: August 7, 2013
Proprietary and Confidential
Do Not Distribute
Contents
Section I: Device Management .......... 23
Chapter 1 Getting Started
Chapter 2 Managing Users
Chapter 3 Registering Devices
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 15
Chapter 16
Chapter 17
Chapter 19
Chapter 20
Chapter 21
Chapter 22
ip route .......... 650
kparam .......... 651
no .......... 651
ntp .......... 652
portalacl .......... 653
service .......... 653
service support .......... 653
software repository .......... 654
statichost .......... 654
syslog .......... 655
system user .......... 655
INTERFACE mode commands .......... 655
end .......... 656
ip address .......... 657
no .......... 657
physical interface GigabitEthernet .......... 657
shutdown .......... 658
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G
Appendix H Working with the MobileIron App and Related Agents for Android .......... 759
Uninstalling the MobileIron app for Android .......... 760
Uninstalling the Samsung DM Agent .......... 763
Troubleshooting email setup on Android devices .......... 764
How the Email Setup screen works .......... 765
Device Administrator privileges for the Samsung email app .......... 766
Troubleshooting based on results .......... 767
Troubleshooting Wi-Fi setup on Android devices .......... 768
Displaying the Wi-Fi Setup page .......... 769
Understanding and using the Wi-Fi Setup page .......... 771
Troubleshooting based on results .......... 773
Certificate configuration support on the MobileIron for Android app .......... 774
Certificate Setup screen .......... 774
Certificate support for Wi-Fi setup .......... 775
Appendix I
Appendix J
Appendix K
Appendix L
Appendix M
Company Confidential
Chapter 1
Getting Started
Administration tools
The VSP has the following administration tools:
Admin Portal
System Manager
Admin Portal handles the most common administrative tasks.
System Manager handles VSP configuration and system troubleshooting. See Section
III: System Management for information on using System Manager.
Installation
The MobileIron Admin Portal is installed as part of the system setup. See the Installation Guide for installation details.
1. Enter the URL for the MobileIron Admin Portal in a supported browser:
https://<fully_qualified_hostname>/mifs
2. Enter a user ID and password having a role that provides access to at least a portion of the Admin Portal. The ID and password are case sensitive.
Note: The administrator user created during installation has an appropriate role. See Assigning and removing roles on page 57.
Logging out
To log out of the MobileIron Admin Portal, click the Log Out link in the upper right corner. If you do not log out, your session will expire after a period of inactivity.
Setup tasks
Setting the enterprise name
The company name entered during the MobileIron VSP installation is used as the default enterprise name identifying your organization in email, SMSes, alerts, and certificates. If the company name you entered is not the one you want to use in these contexts, you can change the name. Be sure to do so before you upload certificates, or you may impact all registered devices. To change this name:
1.
2.
3. In the Enterprise Name field, enter the text to use when referring to the enterprise.
4. Click Save.
2.
3.
4. In the External Host field, enter the fully-qualified domain name to be used for accessing MobileIron.
Click Save.
If you already have an MDM certificate, but have not uploaded it, you can upload it from the same screen.
5. Click Create new plist to generate the required property list in Apple's .PLIST XML format. This may take a few minutes. Click the Refresh icon to update the status of this task.
6. Once the plist has been generated, click Download the plist.
7.
8. Click the Apple Push Certificates Portal link to start the process of requesting the MDM certificate.
9. When you receive the certificate, click Display Upload Certificate Form.
10.
11.
Element
Main menu
Secondary menu
Login information
Information center
System manager
Page
Details panel
To switch from the Admin Portal to the System Manager, select the System Mgr link at the top of any page in the Admin Portal.
You will be prompted to enter a user ID and password. Enter the user ID and password for the local user created during setup or a local user created in the System Manager under Security > Local Users.
Note: During setup, two local users having the same credentials are created, one for Admin Portal and one for System Manager. If you have made changes to the roles or password for the Admin Portal user, these changes will not affect the System Manager user. Password changes must therefore be made separately for each of the two users.
To switch from the System Manager to the Admin Portal, select the Admin Portal link at the top of any page in the System Manager. Note that certain actions performed in the System Manager may require you to log in again when you switch to Admin Portal.
To display the panel and leave it open, click the double arrow button in the upper right portion of the screen. To display the panel and have it close automatically when you move the cursor away from the panel, click the ? button.
License monitor
The Licensing link is available by clicking on the ? icon in the top right-hand corner of the Admin Portal.
Note: The appearance of the link depends on configuration with MobileIron's internal license tracking systems. Therefore, the link might not be visible immediately after you upgrade.
Click the link to display:
Pre-requisites
The license monitor requires access to the MobileIron Gateway.
Supported features by OS
Each operating system has features and limitations that differentiate it from the other operating systems. Depending on the device's operating system and native API, some of the MobileIron features are available and some are not.
The feature matrix compares the following platforms: Android, iOS, BlackBerry 10, OS X, WP7, WP8, and Win RT/Pro. Its rows, in order, are:
Provisioning: Per Device, Bulk, User Self-Service (By Invitation)
Asset Management: Device Inventory, Device Details, Ownership Status, Retire Device, Send Message, Force Check-In, Reprovision Client, Sync Policy
Security: Lock, Unlock, Wipe, Password Policy, Lockdown Policy, Privacy Policy, Block Registration by OS, Locate, Email Attachment Control, Sentry Access Control
ActiveSync Devices: Device Inventory, Device Details, Allow / Block, Wipe, Register, ActiveSync Policy
Compliance Actions: Quarantine, Remove Configurations
App Management: Enterprise App Storefront, App Inventory, Install, App Tunneling
Content Management
Application Settings: Exchange, VPN, Wi-Fi
International Roaming, Event Center, Alerting, Troubleshooting, Email Client Logs
MyPhone@Work Portal: Register, Lock, Wipe, Find It
Per-platform availability, with the applicable caveats, is listed by operating system below.
Android
Bold text indicates that the feature is available on Android and not available on iOS.
Security
Asset Management
Application Management
Lock
Device Inventory
Unlock
Device Details
Wipe
Ownership Status
On-Device Inventory
Certificate Distribution
Install
Retire Device
Uninstall
Send Message
Silent Install/Uninstalllg
Force Check-In
Reprovision Client
AppConnect Wrapper
Password Policy
Lockdown Policyb,c,d
Privacy Policy (partial)e
Sync Policy
Group Actions (Labels)
Extended Lockdown Policyd
Block Registration by OS
Locate
App Tunneling
Sentry Access Control
MyPhone@Work Portal
Application Settings
Device Inventory
Register
Exchanged
Device Details
Lock
Wi-Fi
Allow / Block
Wipe
VPNh
Wipe
Find It
Kioskd
Compliance Actions
Alerting
Register
ActiveSync Policy
Provisioning
Per Device
International Roaming
Bulk
Event Centeri
Quarantine
Block AppConnect Apps
Wipe AppConnect Apps
Remove Configurations
Troubleshooting
Content Management
BlackBerry 10
Security
Password Policya
Device Inventory
Encryption Policya
Device Details
Allow / Block
Selective Wipe
ActiveSync Policy
iOS
Bold text indicates that the feature is available on iOS and not available on Android.
Security
Asset Management
Application Management
Lock
Device Inventory
Unlock
Device Details
Ownership Status
On-Device Inventory
Certificate Distribution
Install
Retire Device
Uninstall
Send Message
AppConnect Wrapper
Password Policy
Force Check-In
AppConnect SDK
Lockdown Policyb
Reprovision Client
Sync Policy
Block Registration by OS
Wipe
Selective Wipea
Locate
Email Attachment Controld
App Tunneling
Sentry Access Control
MyPhone@Work Portal
Application Settings
Device Inventory
Register
Exchange
Device Details
Wipe
Wi-Fi
Allow / Block
Lock
VPN
Wipe
Find It
Register
ActiveSync Policy
Compliance Actions
Provisioning
Alerting
Per Device
International Roaming
Quarantine
Bulk
Event Centerf
Content Management
a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring
the device; do not use the Selective Wipe command.
b Via iOS Restrictions settings.
c Only Location and Apps privacy settings currently apply.
d Through Docs@Work.
e Speed-test and user-reported dropped calls only.
f One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
g Via iOS Data Protection.
Mac OS X
Security
Asset Management
Application Management
Lock
Device Inventory
On-Device Inventory
Unlock
Device Details
Wipe
Ownership Status
Certificate Distribution
Password Policy
Privacy Policy
Retire Device
Block Registration by OS
Force Check-In
Application Settings
Exchangeb
Wi-Fi
VPN
Provisioning
Per Device
Bulk
Windows Phone 7
Security
Wipea
Device Inventory
Password Policya
Device Details
Allow / Block
Wipe
ActiveSync Policy
Windows Phone 8
Security
Asset Management
Application Management
Device Inventory
Device Details
Certificate Distributionb
Ownership Status
Install
Retire Device
Password Policy
MyPhone@Work Portal
Application Settings
Device Inventory
Wipe
Exchange
Wipef
Sync Policy
Lockdown Policyd
Block Registration by OS
Device Details
Allow / Block
Wipe
Register
ActiveSync Policy
Compliance Actions
Provisioning
Per Device
Bulk
User Self-Service (By Invitation)
Windows RT/Pro
Security
Wipea
Device Inventory
Password Policya
Device Details
Allow / Block
Wipe
ActiveSync Policy
Supported platforms
The following platforms are supported:
Android 2.2 and higher (minimum Android 2.3 for AppConnect features)
BlackBerry 10
iOS versions 4.0 and higher
OS X Lion, Mountain Lion
Windows Phone 7, 8
Windows RT/Pro
Supported iOS devices
iPhone 3GS and later
all iPads
iPod touch 4th generation
Supported OS X devices
Model ID
MacBook7,1
MacBook6,1
MacBook5,2
MacBook5,1
MacBook4,1
MacBook3,1
MacBook2,1
MacBookAir5,2
MacBookAir5,1
MacBookAir4,2
MacBookAir4,1
MacBookAir3,2
MacBookAir3,1
MacBookAir2,1
MacBookAir1,1
MacBookPro10,2
MacBookPro10,1
MacBookPro9,2
MacBookPro9,1
MacBookPro8,3
MacBookPro8,2
MacBookPro8,1
MacBookPro7,1
MacBookPro6,2
MacBookPro6,1
MacBookPro5,5
MacBookPro5,4
MacBookPro5,3
MacBookPro5,2
MacBookPro5,1
MacBookPro4,1
MacBookPro3,1
MacBookPro2,2
MacBookPro2,1
Chapter 2
Managing Users
User sources
MobileIron supports local users and LDAP users. Local users are entities created in the local MobileIron database. They are not known to the network or other corporate services. LDAP users are imported from your organization's LDAP server.
In most cases, you will configure an LDAP server and import LDAP users.
Local users are best for the following scenarios:
administration
testing
Local users created in the Admin Portal can be used for registering devices and accessing Admin Portal and MyPhone@Work. Local users created in the System Manager can be used in the System Manager and the CLI.
misystem user
misystem is a default VSP user used for the following tasks:
Though these two users start with the same name and password, they are separate users stored in separate databases. Changes made to one do not affect the other. For example, if you change the password for the Admin Portal user, the password for the System Manager user does not change.
Super users
Help desk users
Device users
Super users have all roles assigned; because that includes every administrative action, such as Admin Wipe, assign this combination sparingly. Help desk users have a combination of Admin Portal roles assigned that enable them to perform basic IT tasks. The combination of roles may vary according to the organization's needs. Device users usually have limited roles assigned to enable registration and access to the MyPhone@Work user portal.
Required role
The User Management role is required for access to the user management screen.
4. In the Search by Name field, enter text that will match an LDAP user entry in the selected category, based on first name, last name, or account name.
You may use % as a wildcard. For example, to search for all users having smith at the end of the user ID, you would enter %smith.
5.
LDAP does not report members for a group that is also the Primary Group for those members (in Active Directory, primary group membership is recorded in the user's primaryGroupID attribute, not in the group's member attribute). If you do not see the users you expect, examine your LDAP configuration. Consider using OUs instead.
Click the link next to an authorized LDAP entity to display the associated entities.
Click Save.
Enable Sync Discard
The Enable Sync Discard setting determines:
whether to discard the LDAP sync data if the reloaded data set declines significantly
at what point the decline is considered significant
This option is enabled by default and set to 25%. This default ensures that abnormal behavior on the part of the LDAP system (for example, a partial or empty result set returned during a directory outage) will not result in unnecessary, disruptive updates in the VSP and removal of configurations from registered devices. Consider changing or disabling this setting if you are going to make major changes to your LDAP system. Be sure to confirm that the changes are acceptable before disabling this feature, and re-enable it once the planned sync has completed.
To change this option:
1.
2.
3. To change the threshold at which the sync is discarded, enter a different percentage.
4. Click Save.
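As an added illustration (not MobileIron code), the following Python models the discard decision described above, so that a planned directory change can be checked against the threshold before the sync runs rather than discovered as a discarded sync afterwards. The 25% default is the guide's; that the comparison is made on the user count, measured as a percentage of the previous count, and that a decline exactly equal to the threshold counts as significant are assumptions.

```python
"""Model of the VSP "Enable Sync Discard" guard.

Added example, not MobileIron code. It lets you check, before you run an LDAP
sync, whether a planned change to the directory will be treated as an abnormal
decline and discarded.

Assumptions not stated in the guide: the comparison is on the number of users
returned by the reload, the decline is measured as a percentage of the previous
count, and a decline exactly equal to the threshold is treated as significant.
"""
import math
from typing import Optional

DEFAULT_THRESHOLD_PCT = 25.0  # default stated in the guide


def decline_percent(previous_count: int, reloaded_count: int) -> float:
    """Percentage by which the reloaded user set shrank relative to the last sync.

    Growth or an unchanged set is reported as 0.0. A first sync has no previous
    count to compare against and is also reported as 0.0.
    """
    if previous_count <= 0:
        return 0.0
    shrink = previous_count - reloaded_count
    return max(0.0, shrink * 100.0 / previous_count)


def should_discard_sync(previous_count: int, reloaded_count: int,
                        threshold_pct: float = DEFAULT_THRESHOLD_PCT,
                        enabled: bool = True) -> bool:
    """True when the guard would keep the existing LDAP data instead of applying the reload.

    With the guard enabled, an empty or truncated result set (for example during
    a directory outage) is rejected, so registered devices keep their configurations.
    """
    if not enabled:
        return False
    return decline_percent(previous_count, reloaded_count) >= threshold_pct


def min_threshold_to_accept(previous_count: int, planned_count: int) -> Optional[float]:
    """Smallest whole-percent threshold that still lets a planned shrink through.

    Use this before a deliberate cleanup, say deleting 300 of 1000 accounts, to
    raise Enable Sync Discard just enough for that one sync instead of disabling
    it. Because the comparison is assumed inclusive, the threshold must sit
    strictly above the actual decline, hence the next whole percent. Returns
    None when the reload would be empty: no threshold accepts that, and the
    guard would have to be disabled for the sync.
    """
    needed = decline_percent(previous_count, planned_count)
    if needed >= 100.0:
        return None
    return math.floor(needed) + 1.0


def sync_plan(previous_count: int, planned_count: int,
              threshold_pct: float = DEFAULT_THRESHOLD_PCT) -> dict:
    """Summarise how a planned sync would fare under the current threshold."""
    return {
        "decline_pct": decline_percent(previous_count, planned_count),
        "discarded_at_current_threshold": should_discard_sync(
            previous_count, planned_count, threshold_pct),
        "threshold_needed_pct": min_threshold_to_accept(previous_count, planned_count),
    }


if __name__ == "__main__":
    # Constructed numbers: 1000 users today, a cleanup will remove 300 of them.
    print(sync_plan(1000, 700))
```

Run it with the real counts from your directory before a large cleanup; if `threshold_needed_pct` is above the value you are willing to leave configured, raise the threshold for that sync only and restore it afterwards.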
Did the issue first start at about the same time as a major change to the LDAP environment? This would suggest that a valid change in the LDAP environment triggered the discard.
2. If sync has failed once, try a manual sync. If sync has failed multiple times, determine whether a change was made to the LDAP environment. If you are unable to find a major change, consider changing the percentage for the Enable Sync Discard setting.
Moving between the LDAP user display and the local user view
To move back to the local user view, select Authorized Users from the To dropdown list.
Role
Description
User Portal
Enables registration and access to the MyPhone@Work user portal. The role has the following options: MyPhone@Work Locate, MyPhone@Work Lock, MyPhone@Work Wipe, MyPhone@Work Registration.
User Management
Allows access to the Users link in the Users & Devices main menu in the Admin Portal.
Role
Description
Policies
All secondary menus, except Configurations, in the Policies & Configs main menu.
Note: The Apps & Configs role is required to access Configurations in the Policies & Configs menu. Access to all secondary menus in the Policies & Configs main menu therefore requires both the Policies and the Apps & Configs roles.
Apps & Configs
Role
Description
Logs
Events
API
Selective Wipe
Admin Wipe
Admin Locate
2. Select Authorized Users from the To drop down list to select from existing user accounts, or select LDAP Entities from the To drop down list to select groups of users from the configured LDAP server. (Roles assigned to an LDAP entity are inherited by all members of the entity.)
3. If you selected LDAP Entities, select the type of entity in the Category dropdown:
4. If the user or group you want to work with is not displayed, enter information in the Search by Name field and click the search icon.
5. Click the checkbox next to each user or entity you want to work with.
6.
7. Select the roles you want to assign and clear the roles you want to remove.
8. Click Save.
The new roles take effect the next time an affected user logs in. A user who is logged in when the change is made must log out and log back in to see the effects of the change. The same applies to removed roles: a user who is currently logged in keeps the removed privileges until that session ends.
Field
Description
User ID
First Name
Last Name
Display Name
Password
Enter a password for the user. The password has the following requirements:
4. Click Save.
5. Assign the necessary roles. See Assigning and removing roles on page 57.
2. Click Users.
3. Click the Edit icon for the user entry to display the Edit User dialog.
4.
5.
6. Click Save.
2. Click the checkbox for the local user you want to match.
3.
Note: Existing roles for the local user are removed. The next time the user authenticates, roles will be applied based on the LDAP group of the corresponding LDAP user.
Language support
MobileIron currently provides the following language support features:
iOS client
The MobileIron iOS client is available in the following languages:
English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
See the release notes for the iOS Client for any recent additions to this list. Also see
iOS messages on page 68 for information on the languages supported for messages
sent to iOS devices from the VSP.
WP8 client
The MobileIron WP8 client is available in the following languages:
English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian
The language for Mobile@Work is automatically set to the language setting of the
device. It defaults to United States English, if the language setting on the device is not
supported.
Android client
The MobileIron Android client is available in the following languages:
English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
See the release notes for the Android Client for any recent additions to this list. Also
see Android messages on page 68 for information on the languages supported for
messages sent to Android devices from the VSP.
Selecting languages
You may choose to enable or disable languages for the messages sent from the VSP to
devices. For example, if you have only Japanese-speaking users, you may prefer to
remove the other message templates from the Admin Portal.
To determine which languages are enabled:
1.
2.
3. Under Language Preferences, move the supported languages to the preferred list: Disabled Languages or Enabled Languages.
Click Save.
iOS messages
The following languages are supported for messages sent to iOS devices:
English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian
Android messages
The following languages are supported for messages sent to Android devices:
English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian
Chapter 3
Registering Devices
The process resulting from these methods may vary by device OS.
Note: Windows Phone 7 does not require registration.
Best for
This method is best for the following scenarios:
Prerequisites
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, and Android, the User Portal role must be assigned to the user.
The following information must be available for the device:
phone number (if any)
country
platform
See
Registration by administrator: individual devices on page 79
Best for
This method is best for the following scenarios:
Prerequisites
LDAP users specified in the CSV file must be available for selection. Local users that
have not been created already will be created as part of the Bulk Registration process.
For iOS, WP8, and Android, the User Portal role must be assigned to the users.
The following information must be available for the device:
phone number (if any)
country
platform
See
Registration by administrator: multiple devices (bulk registration) on page 82
Best for
adding devices for users who do not require assistance
rolling out multiple devices into a production environment
Level of end-user interaction
High. Users must initiate the registration process, enter all required information, and
respond to installation prompts on the device.
Prerequisites
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
The user needs to know the following information for the device:
phone number (if any)
country
platform
See
Invite users to register on page 86
Best for
adding iOS or Android devices for users who do not require assistance
Level of end-user interaction
High. Users must download the app, initiate the registration process, and respond to
registration prompts.
Prerequisites
Configuring the Server Name Lookup preference (under Settings > Preferences in
Admin Portal) makes registration easier by automatically filling in the server
address for the user (Android/US only). This feature depends on access to the
MobileIron Gateway; therefore, the corresponding port must be properly configured. See the Pre-Deployment Checklist in the Installation Guide for details.
This feature depends on the presence of the mobile number on the SIM.
The user associated with the device must be known as an LDAP user or defined as
a local user.
Best for
adding devices for users who do not require assistance
Level of end-user interaction
High. The user initiates the registration process, enters registration information, and
responds to registration prompts on the device.
Prerequisites
Users must have the User Portal role assigned, with the MyPhone@Work Registration option enabled.
The user needs to know the following information for the device:
phone number (if any)
country
platform
See
MyPhone@Work User Guide
Best for
devices accessing email via ActiveSync
Level of end-user interaction
Medium. Users must respond to installation prompts on the device.
Prerequisites
MobileIron Sentry must be installed and configured.
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.
For iOS, WP8, and Android, the User Portal role must be assigned to the user.
You need to know the following information for the device:
phone number (if any)
country code
platform
See
ActiveSync device registration on page 89
Registration considerations by OS
Before you begin registering devices, you should be aware of OS-specific features and
dependencies.
iOS
iOS registration currently depends on acquiring the MobileIron Client from the
iTunes App Store. Therefore, an iTunes account is required. You do not need a
credit card in order to establish an iTunes account; just start downloading the
MobileIron app to a PC or Mac, click Create New Account, and select None as your
payment method.
If you have configured a MobileIron Sentry to support iOS devices connecting via
ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
By default, the user is required to enter a password to register the device. If you
prefer, you can change this behavior to require a MobileIron-generated Registration
PIN instead, or to require both a password and a Registration PIN. See Configuring
user authentication requirements for registration (iOS, Android, Windows Phone 8)
on page 94 for information on specifying behavior for this feature.
For MDM-enabled iOS devices, MDM features are not dependent on the MobileIron Client after registration, because the VSP manages the device through the installed MDM profile rather than through the app. Therefore, if a user uninstalls the MobileIron Client, features like app inventory will continue to function.
If you need to register many iOS devices on behalf of users, as when iPhones are
purchased by the corporation and rolled out in bulk, depot-style registration may be
preferable. See Web-based Registration for iOS and OS X Devices on page 683.
Android
Android registration currently depends on acquiring the MobileIron Client from Google Play (formerly Android Market).
For devices that cannot access Google Play, provide another way for the device users to get the Mobile@Work for Android app. For example, email the app to the device users. You can also place the app on a website and provide the URL to the device users. Installing outside Google Play requires the Unknown sources setting on the device; if you host the app yourself, serve it over HTTPS so that users can verify where it came from.
Configuring the Server Name Lookup preference (in Admin Portal under Settings > Preferences) makes registration easier by automatically filling in the server address for the user (US only). Note that the administrator must initiate registration or invite the user to register.
By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone 8) on page 94 for information on specifying behavior for this feature.
Windows Phone 8
Single device registration, bulk registration, and invitations to register are supported for Windows Phone 8 (WP8) devices.
Registration of the WP8 device is done through the WP8 native client.
The Mobile@Work app is installed as part of the registration process.
The User Portal role is required for WP8 device registration whether PIN-based registration is required or not.
If PIN registration is enabled on the VSP (in the Admin Portal, Settings > Preferences), the device user must first verify the PIN before registering the device.
The device user is required to enter a username (Email) and password to register the WP8 device even when PIN registration is enabled.
2.
3.
Item
Description
User
Device Platform
Country
Mobile
Operator
Device Owner
Device Language
Email User
Clear this check box if you do not want the user to receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then clear this option. Select this option if the device is in the owner's possession.
Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.
4. Click Register.
After a brief pause, a popup displays listing instructions for the next step. The content of this popup varies based on the OS and type of the device. Consider leaving this message displayed until the registration has been completed. Also note that the instructions also appear in the log.
device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.
If the user does not respond within 24 hours, MobileIron sends a reminder. After 120 hours, the registration expires. This expiration interval is configurable (Settings > Preferences > Passcode Expiry); the maximum value is 4320 hours (6 months).
For BES 4.x devices deployed via BES, the user does not receive the SMS or email and does not enter any input.
Description
Example
User ID
jdoe
Country Code
4085551212
Sprint
Field
Description
Example
OS
I: iOS
A: Android
M: WP8
Windows Phone 7 devices are not supported for bulk registration. Entries are case sensitive. If the specified platform has been disabled for registration, then the registration will fail. See Specifying eligible platforms for registration on page 93.
E/C
C: Company
E: Employee
Source
L: Local
D: Directory (LDAP)
Entries are case sensitive.
First Name
John
Last Name
Doe
jdoe@mycompany.com
Password
p@$sW0rd
Field
Description
Example
Device Language
ja-JP
en-US: English
ja-JP: Japanese
ko-KR: Korean
fr-FR: French
de-DE: German
zh-CN: Chinese
zh-TW: Traditional Chinese
es-ES: Spanish
pt-BR: Portuguese (Brazil)
This field is optional.
User Display Name
Smith, Ken
Firstname Lastname
This field is optional.
Notify User
Local user IDs cannot contain spaces. Spaces are allowed for LDAP users.
The Platform field is case sensitive. Enter only uppercase letters in this field.
Phone numbers cannot contain spaces or non-numeric characters.
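The rules above (uppercase platform codes, no spaces in local user IDs, digits-only phone numbers, optional language from the listed codes) are easy to get wrong in a spreadsheet, and a bad row is only reported after upload. The following pre-flight validator is an added example, not part of the MobileIron product or this guide; the column order is an assumption taken from the order the field table lists the fields in, and the sample rows are constructed. Check the column order against your VSP's CSV template before relying on it.

```python
"""Pre-flight validator for a MobileIron bulk-registration CSV (added example)."""
import csv
import io
import re

# Assumed column order (taken from the field table; not confirmed by the guide).
COLUMNS = [
    "user_id", "country_code", "phone", "operator", "os", "ownership",
    "source", "first_name", "last_name", "email", "password",
    "device_language", "display_name", "notify_user",
]

OS_CODES = {"I", "A", "M"}      # iOS, Android, WP8; Windows Phone 7 is not supported
OWNERSHIP = {"C", "E"}          # Company, Employee
SOURCE = {"L", "D"}             # Local, Directory (LDAP)
LANGUAGES = {"en-US", "ja-JP", "ko-KR", "fr-FR", "de-DE",
             "zh-CN", "zh-TW", "es-ES", "pt-BR"}
DIGITS = re.compile(r"^[0-9]+$")


def validate_row(row):
    """Return the list of problems for one row (empty list means the row is OK)."""
    problems = []
    # Entries are case sensitive: a lowercase 'i' is rejected, not normalised.
    if row["os"] not in OS_CODES:
        problems.append(f"OS must be one of {sorted(OS_CODES)}, got {row['os']!r}")
    if row["ownership"] not in OWNERSHIP:
        problems.append(f"E/C must be C or E, got {row['ownership']!r}")
    if row["source"] not in SOURCE:
        problems.append(f"Source must be L or D, got {row['source']!r}")
    # Local user IDs cannot contain spaces; LDAP user IDs may.
    if row["source"] == "L" and " " in row["user_id"]:
        problems.append("local user ID contains a space")
    # Phone numbers: digits only, no spaces or punctuation.
    for field in ("country_code", "phone"):
        if not DIGITS.match(row[field]):
            problems.append(f"{field} must contain digits only, got {row[field]!r}")
    # Device Language is optional, but when present it must be a listed code.
    if row["device_language"] and row["device_language"] not in LANGUAGES:
        problems.append(f"unknown device language {row['device_language']!r}")
    return problems


def validate_csv(text):
    """Map 1-based data line numbers to their problem lists (only bad rows)."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    bad = {}
    for lineno, row in enumerate(reader, start=1):
        # DictReader puts surplus fields under key None and fills missing ones with None.
        if None in row or any(v is None for v in row.values()):
            bad[lineno] = ["wrong number of columns"]
            continue
        problems = validate_row(row)
        if problems:
            bad[lineno] = problems
    return bad


# Constructed sample: one good row, one with a lowercase OS code and a space
# in a local user ID, one with a spaced phone number and an unknown language.
SAMPLE_CSV = (
    'jdoe,1,4085551212,Sprint,I,C,L,John,Doe,jdoe@mycompany.com,p@$sW0rd,en-US,"Doe, John",yes\n'
    'k smith,1,4085551213,Sprint,a,E,L,Ken,Smith,ksmith@mycompany.com,p@$sW0rd,,"Smith, Ken",yes\n'
    'jane.roe,1,408 555 1214,Sprint,M,C,D,Jane,Roe,jroe@mycompany.com,p@$sW0rd,xx-XX,"Roe, Jane",no\n'
)

if __name__ == "__main__":
    for lineno, problems in sorted(validate_csv(SAMPLE_CSV).items()):
        print(f"line {lineno}: " + "; ".join(problems))
```

Because the file carries the registration passwords in the clear, run the check on the host where the file is prepared rather than copying it elsewhere, and delete the file once the Status column confirms the import.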
Loading the
multiple devices
registration CSV
2.
3.
Click the Browse button to select the CSV file containing the bulk registration data.
4.
5.
Click Apply.
6.
Review the Status column to confirm that each entry was successfully imported.
7.
If any items failed, scroll to the right and hover over the Message column to display
information about the reason the item was not applied successfully.
2.
Select Authorized Users from the To dropdown list to select from local user
accounts.
Select LDAP Entities from the To dropdown list to select users from the configured LDAP server.
3.
4.
5.
Review the default text for the invitation and make any changes.
The text is displayed here with HTML markup. The user will receive the formatted
version.
6.
Click Send.
Make sure that the user has a user record (local or LDAP) available in MobileIron.
See Managing Users on page 49.
Instruct the user on downloading the app and registering. The user will need the
following information:
user name
password and/or Registration PIN
server (and the port number, if you did not use the default port number for TLS)
See Overview of registration methods on page 72 for points to consider before using
this registration method.
In the Admin Portal, select the Preferences link in the Settings page.
Select Yes for the Enable Server Name Lookup option under iOS/Android In-App
Registration Preferences.
Note: Because this feature relies on a mobile number, it does not apply to iPads
using WiFi.
3.
Click Save.
The MobileIron Gateway must be accessible for server name lookup. See the Predeployment Checklist in the Installation Guide for information on the requirements for
MobileIron Gateway access. The mobile number must also be present on the SIM in
order for the Enable Server Name Lookup option to work.
Select the ActiveSync Associations link under the Users & Devices tab.
2.
3.
4.
Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
Active means that the MobileIron Client has been successfully downloaded and connected back to the MobileIron VSP at least once.
Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
Infected means that the MobileIron VSP detected a virus attached to a document on the device and attempted to remove the virus.
Wiped means that the phone has been restored to factory defaults.
Note: If a BES-managed device does not change from the Verified state to the Active state, consider resending the provision message.
Enabling operators
Enabling an operator displays it in the list of operators presented to users during registration.
1.
In the Admin Portal, select the Operators link under the Settings tab to display the
Operators screen.
By default, the Operators screen shows only Enabled operators.
2.
3.
4.
Click Enable.
2.
3.
Click the arrow button to move them to the Enabled Countries list.
4.
Click Save.
Disabling operators
Disabling an operator removes it from the list of operators presented to users during registration.
1.
In the Admin Portal, select the Operators link under the Settings tab to display the
Operators screen.
By default, the Operators screen shows only Enabled operators.
2.
3.
Click Disable.
Filtering operators
You can use filters to display only those operators you want to work with in the Operators screen. You can:
2.
3.
Click the x that appears in the search field to return to the default display.
Enabled
Disabled
All
2.
3.
In the Enabled Platforms list, select the platform you want to exclude.
Shift-click platforms to select more than one.
4.
5.
Click the left arrow button to move the selected platforms to the Disabled Platforms
list.
Click Save.
All methods of registration now exclude the selected platforms.
2.
3.
4.
5.
Scroll down to the Registration PIN code Preferences, specify the minimum length
for the PIN (6-12 characters).
Click Save.
Username and password are always required for WP8 device registration.
The User Portal role is required for WP8 device registration whether PIN-based registration is enabled or not.
When a WP8 device is in Verified state, the device user can successfully register
another device using the same username.
registration SMS
registration email and reminder email
post registration email
These messages may vary by:
platform
language
In addition, messages may vary by device type:
phones
PDAs
To accommodate this range of messages:
Each registration template contains separate text for each registration message
type.
Each registration template contains separate text for phones and PDAs.
2.
3.
Click the View link for the template you want to view.
2.
Click the Edit icon for the template you want to edit.
Registration messages are displayed with the HTML markup that provides the basic
formatting for the content.
3.
4.
Click Save.
Supported Variables
$REG_LINK$
Registration Email
Subject (Phones)
Subject (PDAs)
Body (Phones)
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
Body (PDAs)
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$
$INAPP_REG_STEPS$
Server
$SERVER_URL$
Username
$USER_ID$
Password
$PASSCODE$, $PASSCODE_TTL$
Subject (PDAs)
Body (Phones)
$BRAND_COMPANY_NAME$, $PHONE$
Body (PDAs)
$BRAND_COMPANY_NAME$, $PHONE$
Supported Variables
$REG_LINK$
Registration Email
Subject (Phones)
Subject (PDAs)
Body (Phones)
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $PASSCODE$, $PASSCODE_TTL$,
$REG_LINK$
Body (PDAs)
$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $PASSCODE$, $PASSCODE_TTL$,
$REG_LINK$
Subject (PDAs)
$BRAND_COMPANY_NAME$, $USER$,
$PHONE$
Body (Phones)
$BRAND_COMPANY_NAME$, $PHONE$
Body (PDAs)
$BRAND_COMPANY_NAME$, $PHONE$
Variable descriptions
The following table describes the variables used in registration messages.
Variable
Description
$BRAND_COMPANY_NAME$
An internal variable.
$ENT_NAME$
$INAPP_REG_STEPS$
$PASSCODE$
$PASSCODE_TTL$
$PHONE$
$REG_LINK$
The URL that users access to complete the registration process (i.e., https://server name:port/i for iOS, https://server name:port/a/ for Android, and https://server name:port/v/passcode for others).
$SERVER_URL$
Variable
Description
$USER$
$USER_ID$
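A template that references a variable outside the supported set, or with a malformed token such as $REG_LINK without its closing $, is delivered to the user with the raw text in place, so it is worth checking edited templates before saving them. The following lint and render helper is an added example, not MobileIron code: the variable names are the ones listed above, the $REG_LINK$ forms follow the description in the table (/i for iOS, /a/ for Android, /v/passcode for other platforms), and the server name, passcode and message text are constructed.

```python
"""Lint and render MobileIron registration message templates (added example)."""
import re

# Variables the guide documents for registration messages.
KNOWN_VARS = {
    "BRAND_COMPANY_NAME", "ENT_NAME", "INAPP_REG_STEPS", "PASSCODE",
    "PASSCODE_TTL", "PHONE", "REG_LINK", "SERVER_URL", "USER", "USER_ID",
}
TOKEN = re.compile(r"\$([A-Z_]+)\$")   # a well-formed $VARIABLE$ reference


def registration_link(server, port, platform, passcode=None):
    """Build the $REG_LINK$ URL in the per-platform form the guide describes."""
    base = f"https://{server}:{port}"
    if platform == "iOS":
        return f"{base}/i"
    if platform == "Android":
        return f"{base}/a/"
    # Other platforms carry the registration passcode in the link itself.
    if not passcode:
        raise ValueError("platforms other than iOS and Android need the passcode in the link")
    return f"{base}/v/{passcode}"


def lint_template(text):
    """Report references that would never be substituted.

    Catches unknown variable names and a '$' that does not close a token
    (e.g. '$REG_LINK' or '$PHONE%'), which would reach users verbatim.
    """
    problems = []
    for name in TOKEN.findall(text):
        if name not in KNOWN_VARS:
            problems.append(f"unknown variable ${name}$")
    leftover = TOKEN.sub("", text)
    if "$" in leftover:
        problems.append("stray '$' outside a $VARIABLE$ token")
    return problems


def render(text, values):
    """Substitute every token; a missing value is an error, not silent blank text."""
    def replace(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for ${name}$")
        return str(values[name])
    return TOKEN.sub(replace, text)


# Constructed sample template and values (not the product's default text).
SAMPLE_BODY = ("$ENT_NAME$: register $PHONE$ within $PASSCODE_TTL$ hours "
               "using passcode $PASSCODE$ at $REG_LINK$")
SAMPLE_VALUES = {
    "ENT_NAME": "Example Corp", "PHONE": "4085551212",
    "PASSCODE_TTL": 120, "PASSCODE": "483920",
    "REG_LINK": registration_link("vsp.example.com", 443, "WP8", "483920"),
}

if __name__ == "__main__":
    print(lint_template("$ENT_NAME$, $REG_LINK"))   # flags the unclosed token
    print(render(SAMPLE_BODY, SAMPLE_VALUES))
```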
language
platform
To filter registration messages:
1.
2.
If you want to restrict the templates displayed based on language, select the preferred language from the Language list.
If you want to restrict the templates displayed based on device platform, select the
preferred platform from the Platform list.
In the Registration Templates page, select the template you want to restore.
2.
Registration notes
iOS profile fails to install
Removing old MobileIron profiles on iOS devices
During testing or in the event that the registration process is interrupted, you may
have expired profiles left on your iOS device. These profiles may interfere with your
efforts to complete the registration process. To address this issue, you should remove
the MobileIron profiles left on the device.
To remove MobileIron profiles from an iOS device:
1.
2.
Tap General.
3.
4.
Tap Profiles.
5.
6.
Chapter 4
Managing Devices
Inventory management
Theft/loss protection
Basic maintenance
The Users & Devices page in the Admin Portal provides access to these features.
Required role
Users must have the Users & Devices role to access the Users & Devices page. See Assigning and removing roles on page 57.
Description
User
Number
Phone
OS
Country
Status
Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
Active means that the MobileIron Client has been successfully downloaded and connected back to the MobileIron VSP at least once.
Wiped means that the phone has been restored to factory defaults.
Last Check-In
E/C
Column
Description
Operator
Language
Alert Name
Description
Action
Data Protection
Disabled (iOS
only)
Data Protection:
MobileIron iOS
Multitasking is
Disabled
Unlocked Device
(iOS and
Android only)
Alert
Icon
Alert Name
Description
Action
Quarantined
(iOS only)
MDM Profile
Removed (iOS)
user name
user email
phone number
device model and capacity
OS version
operator
image of the device
Click the arrow for a category on the right to display additional details.
The following table summarizes the categories and information available on the right side of the Device Details pane.
Category
Information Available
Policies
App Settings
Label Membership
Apps
iOS
(only if MDM is
enabled)
Details
Comment
For information about details displayed relating to AppConnect for Android, see
Device details for AppConnect apps on page 519.
user name
user email
phone number
device model and capacity
OS version
operator
image of the device
RAM used
storage used
MobileIron registration status
Information Available
Policies
App Settings
Label Membership
Backup snapshots
Apps
Details
Comment
For information about details displayed relating to AppConnect for Android, see
Device details for AppConnect apps on page 519.
2.
3.
Click Save.
The text displays in the Comment pane, followed by the date and time it was created or modified.
Basic searching
You can quickly search for devices based on the following criteria:
label
iOS MAC Address
iOS Serial Number
iOS UDID
User Principal/ID
User Email Address
User First/Last Name
To search by label, select the appropriate label name from the Labels list.
To search by the other criteria, use the following syntax in the Search by User or
Device field:
Advanced searching
In a large enterprise with hundreds or thousands of devices, you can use the
Advanced Search link to display records for all devices that meet specified criteria.
You can also assign a label to them for future filtering. The following criteria are available:
PLATFORM_NAME
STATUS
OPERATOR
LDAP_GROUP
LDAP_USER_ATTRIBUTE
DEVICE_OS
DEVICE_MODEL
DEVICE_MANUFACTURER
DEVICE_OWNER
4.
5.
6.
7.
Click the Search button to display the matching devices and their owners.
8.
If you want to create a filter label for the specified criteria, select an existing list
from the Assign Label to result dropdown, and click Save. See Using labels to
establish groups on page 130.
Note: You can search for devices for which the status field value is Blocked, which means that the device is blocked from accessing the ActiveSync server. For iOS devices, it also means that the device cannot access Docs@Work features. However, the Status column does not show the value Blocked. Instead, the ActiveSync Devices view shows this information. See Viewing ActiveSync associations on page 368.
Description
Status
Operating System
Pane
Description
Operator
Platform Breakdown
New Registrations
Pending Registration
Recent Wipes
Recent Infection
Detect
Description
Use Case
Reprovision Device
Troubleshooting incomplete
registration
Retire
Reprovision device
Android
iOS
Win 7
WP8
yes
yes
2.
Select the checkbox for the device in the All Devices page.
3.
Retire
Android
iOS
OS X
Win 7
WP8
yes
yes
yes
yes
Retiring a device archives the data for that phone and removes the configurations and settings applied by the VSP. The entry for the device no longer appears in the Users & Devices page (unless you click the Retired Devices link), and the user is notified that the software has been removed.
If the retired device is also in the ActiveSync Devices view, it remains there. However,
because the device is retired, it can no longer access the ActiveSync server. You can
manually remove the device from the ActiveSync Devices page. See Removing
ActiveSync phones on page 375.
Also note:
Retiring an iOS device also removes from the device the documents and configurations related to Docs@Work. See Retire and wipe impact on documents on
page 472.
Retiring an Android device means the device user cannot access any AppConnect
apps or data.
For details, see Lock, unlock, and retire impact on AppConnect on page 517.
Note
For BES 5.x devices deployed using the BES 5.x server, if you set the BES software
configuration to Required, then the Retire function in Admin Portal will not be able to
uninstall the MobileIron Client. As a result, the phone will be re-registered. In this
case, you must first use the BES Administration Service to either remove the software
configuration from the device or deactivate the device.
To retire a device:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
In the displayed dialog, confirm the user and device information and enter a note.
5.
Click Retire.
The user receives notification of the action.
iOS
Win 7
WP8
No longer supported.
Description
Use Case
Lock
Unlock
Wipe
Lost
Found
Locate
Block AppTunnels
Immediately removing
access to servers behind the
firewall
Lock
Android
iOS
OS X
Win 7
WP8
yes
yes
yes
Locking a device forces the user to enter a password to access the phone and prevents the user from reversing this restriction. The user is informed of this action via
email. If the user has set a password for the device, then that password must be
entered. Locking an Android device also causes the device user to be locked out of
AppConnect apps. For details, see Lock, unlock, and retire impact on AppConnect on
page 517.
To lock a device:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
Note
If the MobileIron Client on the selected device is currently connected, then this action will be applied immediately. However, if the MobileIron Client is not currently connected, the MobileIron VSP will first attempt to complete the operation using the Syscomm phone, if one has been configured. If a Syscomm phone has not been configured, then the MobileIron VSP will attempt to complete the operation by means of the operator's SMTP service. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.
To remove the lock, create a new Security policy that specifies that passwords are
optional and assign it to the device. This task enables the user to remove the restriction on their phone. The phone will continue to request a password until the user turns
off the restriction on the phone. Also, because only one active policy of the same type
can be applied to a phone, you may choose to remove this policy from the phone once
the user has successfully turned off the lock. You can do this by applying the previous
policy or removing the phone from the policy used to remove the lock. See Using
labels to establish groups on page 130 for information on working with labels.
Unlock
Unlock
Passcode
to Unlock
Android
iOS
Win 7
WP8
yesc
yes
2.
3.
Notes:
This function does not apply to Android devices locked using face or pattern locks.
Because the MobileIron app cannot remove the passcode on an encrypted Android
device, the Unlock command sets the passcode to "un!ockm3!" on encrypted
devices.
On Android devices using AppConnect apps, unlock also removes the secure apps
passcode.
For details, see Lock, unlock, and retire impact on AppConnect on page 517.
Wipe
Android
xx
yes
iOS
yes
OS X
yes
xxx
Win 7
WP8
yes
Warning
Wiping a device returns it to factory defaults, which can result in loss of data.
Wiping a device returns its settings to the factory defaults and informs the user of this
action via email. The Wipe task differs considerably by OS due to the limitations of
each OS.
Note: The Admin Wipe role is required for this feature.
To wipe a device:
1.
2.
3.
Note: If the MobileIron Client on the selected device is currently connected, then this
action will be applied immediately. However, if the MobileIron Client is not currently
connected, the MobileIron VSP will first attempt to complete the operation using the
Syscomm phone, if one has been configured. If a Syscomm phone has not been configured, then the MobileIron VSP will attempt to complete the operation by means of
the SMTP configuration. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.
Selective Wipe
Selective
Wipe
(Files)
Selective
Wipe
(Email)
Selective
Wipe
(SMS)
Android
iOS
Win 7
WP8
-f, g
-e, g
Block AppTunnels
Android
iOS
Win 7
WP8
yes
You can manually block the AppTunnel feature in AppConnect apps on a device. The
authorized AppConnect apps remain authorized, but the apps will no longer be able to
access the web sites configured to use the AppTunnel feature.
Note: For the Docs@Work features in Mobile@Work, blocking the AppTunnel feature blocks access to all the Docs@Work features.
To manually block the AppTunnel feature in AppConnect apps on a device:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
Select More Actions > Block App Tunnels from the Actions menu.
4.
Add a note.
5.
Lost
Android
iOS
Win 7
WP8
yes
yes
When a user reports a lost device, you can set its status to Lost. Setting this status
does not have a functional effect on the phone. It just flags the phone as lost for
tracking purposes and to ensure that it appears in the Lost Phones screen.
To designate a device as lost:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
In the displayed dialog, confirm the user and device information and enter a note.
5.
Click Lost.
The entry for this device will appear with a status of Lost. Use the Found action to
undo this status. See Found on page 121.
Found
Android
iOS
Win 7
WP8
yes
yes
If a user reports that a lost phone has been found, you can use the Found action to
remove the Lost indicator from the entry for the phone. Setting this status does not
have a functional effect on the phone.
To designate a lost device as found:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
In the displayed dialog, confirm the user and device information and enter a note.
5.
Click Found.
The entry for this device returns to Active status.
Locate
Android
iOS
Win 7
WP8
via Cell
Tower
yes
yes
via GPS
yes
Most registered phones can be located on a map using cell tower IDs. The MobileIron
Client records tower data until the next time data is synchronized between the MobileIron Client and the MobileIron VSP. See Working with security policies on page 147
for information on changing the Sync Interval setting. Using the Connect Now feature
on the device will result in immediate synchronization.
Exceptions currently include certain GSM phones, which do not provide the necessary
location data.
Note
The Admin Locate role is required for this feature.
2.
Select the checkbox for the device in the All Devices page.
3.
Select More Actions > Locate from the Actions menu to display the last known location of the phone.
Note: To ensure that old and misleading location information is eliminated, location
data expires after 72 hours.
4.
Click the phone icon on the map to display the date on which the location information was collected.
Description
Use Case
Send Message
Update Roaming
Settings
Change Ownership
Apply To Label
Managing groups
Managing groups
Send Message
Android
iOS
Win 7
WP8
yes
yes
You can send an SMS text, email or Push Notification (i.e., APNs or C2DM) to selected
devices.
Note: For SMS delivery from the MobileIron VSP, you may send up to the maximum
number of messages per month as permitted by MobileIron.
Note
If the phone is currently connected to the MobileIron VSP, then the message is sent
through the data channel.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
SMS
Email
Push Notification (i.e., APNs for iOS or C2DM for Android)
Note: The character limit for SMS is 125. The character limit for Email and Push
Notification is 200. If you select SMS and another option, then the 125 character
limit applies.
5.
If you are sending email, enter a subject in the Subject field. (The Subject field is
applicable to email only.)
6.
7.
Click Send.
iOS
Win 7
WP8
yes
The Update Roaming Settings action allows you to enable or disable roaming for voice
and data on iOS devices (iOS 5 or later). Support for this feature varies by operator.
Note: The Apply settings option in the iOS MDM app setting must be selected, or this
feature will not work. This setting is selected in the default iOS MDM app setting. If
you have edited this setting or created your own iOS MDM app setting, make sure this
option is selected.
In the Devices page, select the iOS devices you want to work with.
2.
Select iOS Only > Update Roaming Settings from the Actions menu.
3.
4.
Select Enable Data Roaming if you want to enable data roaming, as well.
5.
Click Send.
In the Devices page, select the iOS devices you want to work with.
2.
Select iOS Only > Update Roaming Settings from the Actions menu.
Note that the check boxes remain unselected, regardless of whether roaming has
been enabled for the selected devices.
3.
Click Send.
Clicking Send without making changes in this dialog disables roaming on the
selected devices.
In the Devices page, select the iOS device you want to work with.
Find the Disable Voice Roaming and Disable Data Roaming settings in the Device
Details pane.
Note: N/A indicates that the operator for the selected device does not support this
feature. Also note that data roaming might display as enabled, but is effectively disabled if voice roaming is disabled.
Change Ownership
Android
iOS
Win 7
WP8
yes
yes
yes
When you register a device, you specify whether the phone is owned by the company
or the employee. Specifying ownership is important if you want to assign different policies or take actions based on whether a phone is company property or the property of
an employee.
To change this designation:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
5.
6.
Apply To Label
Android
iOS
Win 7
WP8
yes
yes
yes
Applying a device to a label tags the phone as part of the associated group. When you
specify a label for an action, you perform the action on all devices having the label.
See Using labels to establish groups on page 130 for more information on labels.
2.
3.
4.
5.
Click Apply.
iOS
Win 7
WP8
yes
yes
yes
Removing a device from a label removes the tag that makes it a part of the associated
group. See Using labels to establish groups on page 130 for more information on
labels.
To remove a device from a label:
1.
2.
3.
4.
5.
Click Apply.
Default labels
MobileIron includes the following default labels:
Label
Description
All-Smartphones
All-Syscomm
Manually applied to the Syscomm phones during SMS configuration. A Syscomm phone becomes a designated proxy
for SMS messages.
Android
BlackBerry
No longer supported.
Company-Owned
Employee-Owned
iOS
OS X
Symbian
No longer supported.
Label
Description
WinMo
No longer supported.
Windows Phone 8
Filter
Manual
Filter labels use specific criteria to specify a group of devices. Manual labels have no
criteria associated with them; you select each device associated with a manual label.
When you initially create a label, it is stored as a filter label. If you use the Advanced Search feature to specify the criteria for a label, then it remains a filter label. If you select phones in an Admin Portal screen and apply a label to them, then the label becomes a manual label.
Creating labels
To create a new label:
1.
2.
3.
Field
Description
Example
Name
Executive Team
Description
Provide additional
meaning and usage
information.
4.
Click Save.
You can now apply this label to devices. See Apply To Label on page 128.
2.
2.
3.
4.
5.
In the Assign Label to result list, select the label you created.
2.
3.
4.
Enter the first few characters of the LDAP group name to display matching groups.
5.
6.
In the Assign Label to result list, select the label you created.
2.
3.
4.
Enter the LDAP attribute and value to use in the field to the right of the dropdown
using the following format:
<attribute_name>=<attribute_value>
Example: mail=jsmith@mycompany.com
5.
In the Assign Label to result list, select the label you created.
Deleting labels
To delete a label:
1.
2.
3.
Click Delete.
Note
Default labels cannot be deleted. See Default labels on page 130.
3.
4.
Create a new sync policy that enables the Client is Always Connected option.
5.
6.
Chapter 5
Managing Policies
Global HTTP Proxy (See Working with global HTTP proxy policies on page 183.)
You can create multiple policies for each policy type, but only one active policy of each
type can be applied to a specific device.
Policies page
Use the Policies page at Policies & Configs > Policies to specify and control aspects of
enterprise device behavior.
Each policy page displays the following information about the policies belonging to
the corresponding policy type:
Field
Description
Policy Name
Priority
Priority set for this policy in relation to other policies of the same type.
Status
Description
Type
Field
Description
Last Modified
# Phones
Labels
Watchlist
Required role
Users must have the Policies role to access the Policies page. See Assigning and
removing roles on page 57.
Displaying policies
To display policies:
1.
Click the corresponding link under Policies & Configs to display the policies you
want to work with:
Policies: the standard MobileIron policies, including default and custom policies
Default Policies: the standard MobileIron policies automatically assigned to
most devices
ActiveSync Policies: the specialized policies for devices that connect to the
enterprise via ActiveSync
2.
3.
If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy Type list.
Select a policy to display the details of that policy in the right pane.
Editing policies
To edit an existing policy:
1.
2.
Click the corresponding link under Policies & Configs to display the policies you
want to work with.
If you selected the Policies link, you can filter the displayed policies by selecting
from the Policy type list.
3.
Select a policy to display the details of that policy in the right pane.
4.
Click the Edit button in the right pane to display editable settings for the policy.
5.
6.
Click Save.
Note
Policy changes may cause devices to which that policy is applied to prompt the user to
restart the device.
1.
Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2.
3.
4.
5.
6.
Click Apply.
Click the corresponding link under Policies & Configs to display the policies you
want to work with.
2.
3.
4.
5.
6.
Click Remove.
2.
3.
4.
5.
6.
Click Save.
Apply the policy to the appropriate labels. If you do not complete this step, then the
policy will not affect any devices. See Applying policies to labels on page 140.
Deleting policies
To delete policies from the MobileIron Server:
1.
Click one of the filters under the Policies & Configs tab to display the policy you
want to delete.
2.
3.
2.
Note: Default policies are not included. See Working with default policies on
page 146.
Prioritizing policies
When you create a custom policy, you can assign a priority relative to the other custom policies of the same type. This priority determines which policy is applied if more
than one policy is associated with a specific device. For example, if you create a security policy for executives and a security policy for iOS devices, then an executive with
an iPhone would have two different possible policies applied. Because only one policy
of a given type can be applied to a device, the priority defined for the policies determines which is applied.
You can manage priorities for individual policies, or you can use the Modify Priority
screen to manage priorities for a policy type in a single screen. To manage priorities in
a single screen:
1.
2.
3.
4.
5.
Drag and drop policies until they reflect the priorities you want to set, with highest
priority of 1 appearing at the top of the list.
Click Save.
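The resolution rule described above (a policy reaches a device through a shared label; of the matching active policies of one type, the one with the lowest priority number wins, 1 being the highest; the default policy applies when no custom policy matches) is worth being able to reproduce when auditing which policy a given device actually receives. The following model is an added example, not MobileIron code, run on constructed sample data that mirrors the guide's executive-with-an-iPhone scenario; the label and policy names are made up, and the default-policy fallback and the priority-collision check are the example's own additions to the stated rule.

```python
"""Resolve which policy of each type a device receives (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str          # policy type, e.g. "security" or "sync"
    priority: int       # 1 is the highest priority
    labels: frozenset   # labels the policy has been applied to
    active: bool = True


def priority_conflicts(policies):
    """Return (type, priority) pairs shared by two or more policies.

    The Modify Priority screen keeps priorities unique per type; if an export
    shows a collision, the winner chosen below would be arbitrary.
    """
    seen, conflicts = {}, set()
    for p in policies:
        key = (p.ptype, p.priority)
        if key in seen:
            conflicts.add(key)
        seen[key] = p.name
    return sorted(conflicts)


def effective_policies(device_labels, policies, defaults):
    """Return {policy type: Policy} for one device.

    device_labels: set of label names the device carries.
    policies:      custom policies, each applied to one or more labels.
    defaults:      {policy type: Policy} used when no custom policy matches.
    """
    device_labels = frozenset(device_labels)
    chosen = {}
    for p in policies:
        # A policy only reaches a device through a label they share.
        if not p.active or not (p.labels & device_labels):
            continue
        current = chosen.get(p.ptype)
        # Only one policy per type: keep the lowest priority number.
        if current is None or p.priority < current.priority:
            chosen[p.ptype] = p
    for ptype, default in defaults.items():
        chosen.setdefault(ptype, default)
    return chosen


# Constructed sample: a security policy for executives (priority 1) and one
# for iOS devices (priority 2), plus default policies for two types.
EXEC_SECURITY = Policy("Executive security", "security", 1, frozenset({"Executive Team"}))
IOS_SECURITY = Policy("iOS security", "security", 2, frozenset({"iOS"}))
DEFAULT_SECURITY = Policy("Default security", "security", 99, frozenset())
DEFAULT_SYNC = Policy("Default sync", "sync", 99, frozenset())
CUSTOM = [EXEC_SECURITY, IOS_SECURITY]
DEFAULTS = {"security": DEFAULT_SECURITY, "sync": DEFAULT_SYNC}


def which_security_policy(device_labels):
    """Name of the security policy a device with these labels receives."""
    return effective_policies(device_labels, CUSTOM, DEFAULTS)["security"].name


if __name__ == "__main__":
    for labels in ({"iOS", "Executive Team"}, {"iOS"}, {"Android"}):
        print(sorted(labels), "->", which_security_policy(labels))
```

An executive with an iPhone carries both the iOS and the Executive Team labels, so both security policies match and the priority decides; a device with only the Android label gets the default security policy, and every device gets the default sync policy because no custom sync policy exists in the sample.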
Partially Applied: One or more settings may have been rejected by the device. This
can mean that the feature is not supported by the device. For Android devices, use
the View Details button to see the verifiable results.
The following figure shows status displayed in the Device Details pane.
Click the View Details button for Android devices to see information on each policy.
Each link displays a table outlining the platform support for each policy feature.
Security
Privacy
Lockdown
Sync
Docs@Work
ActiveSync (See Working with ActiveSync policies on page 362.)
AppConnect global policy
Platform support columns: Android, iOS, OS X, Win 7, WP8 (yes; notes j and h)
Security policies specify how MobileIron addresses several areas of mobile security.
Use the following guidelines to create or edit Security policies.
Name
Active
Priority
Password: Optional, Password, or Don't Care
Maximum inactivity timeout default: 30 minutes
For OS X: Enter the maximum timeout interval that the device user can set for
the device before the screensaver engages.
For iOS: The Grace Period for Device Lock option determines whether the user
must enter a password to unlock the screen. Also consider the case when the
maximum inactivity timeout that you specify is greater than the maximum
inactivity timeout that the device supports. In this case, the inactivity
timeout that the user can specify is limited by the device's maximum
inactivity timeout.
Minimum Number of Complex Characters
Maximum Number of Failed Attempts
For example, if you want to prevent users from repeating a password for the
next four password changes, enter 4.
Grace Period for Device Lock
Data Encryption: None
Device Encryption: Off / Not supported / none selected
File Types: Not supported / none specified
SD Card Encryption: Off
Access Control
For the following options, select the compliance action you want to apply to
devices that trigger access control. For detailed information on the impact that
compliance actions have on devices, see Compliance actions for security policy
violations on page 154.
For All Platforms
Apply compliance action when a device has not connected to MobileIron in x days
Sending alert
Blocking email access if you are using a Standalone Sentry for email access.
Apply compliance action when a policy has been out of date for x days
Apply compliance action when a device violates the following App Control rules
Apply compliance action when Data Protection is disabled
Apply compliance action when a compromised iOS device is detected
Apply compliance action for the following disallowed devices
Apply compliance action when device MDM is deactivated (iOS 5 or higher)
Apply compliance action when Android version is less than x
Apply compliance action when a compromised Android device is detected
Apply compliance action when Data Encryption is disabled
Apply compliance action when device administrator is deactivated
Note: To create the custom compliance actions, see Custom compliance actions on
page 156.
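The Access Control triggers above are a rule set evaluated against each device's last reported state, and several can fire at once. The following is an added example, not MobileIron's own code, of that evaluation: the device and policy field names, the mild-to-severe ordering of the three compliance actions, the "at least x days" reading of the day thresholds, and the sample devices are assumptions; the action names themselves are the ones this chapter lists.

```python
# Added example, not MobileIron's own code: evaluating the Access Control
# triggers listed above against a device record. The device and policy field
# names, the mild-to-severe ordering of the actions, the threshold
# comparisons (">= x days") and the sample devices are assumptions.
from datetime import datetime, timedelta, timezone
from itertools import takewhile

# Compliance actions in assumed order of severity (mild to severe)
ACTIONS = ["Send Alert",
           "Block email access and AppConnect apps",
           "Quarantine"]


def parse_version(text):
    """'4.0.4' -> (4, 0, 4). Leading digits of each dotted part are used, so
    '4.1-beta' -> (4, 1); tuple comparison then orders versions correctly."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


# Security policy: trigger -> (threshold, configured compliance action)
SECURITY_POLICY = {
    "not_connected_days": (7, "Send Alert"),
    "policy_out_of_date_days": (3, "Send Alert"),
    "disallowed_models": ({"iPod touch"}, "Send Alert"),
    "compromised_device": (True, "Quarantine"),
    "min_android_version": ("4.0", "Block email access and AppConnect apps"),
    "data_encryption_disabled": (True, "Quarantine"),
    "device_admin_deactivated": (True, "Quarantine"),
    "data_protection_disabled": (True, "Block email access and AppConnect apps"),
    "mdm_deactivated": (True, "Quarantine"),
}


def evaluate(device, policy, now):
    """Return [(trigger, action), ...] for every configured trigger the device fires."""
    hits = []

    def fired(trigger, condition):
        # condition takes the threshold, so it is only read for configured triggers
        if trigger in policy and condition(policy[trigger][0]):
            hits.append((trigger, policy[trigger][1]))

    fired("not_connected_days",
          lambda days: now - device["last_checkin"] >= timedelta(days=days))
    fired("policy_out_of_date_days",
          lambda days: device["policy_age_days"] >= days)
    fired("disallowed_models", lambda models: device["model"] in models)
    fired("compromised_device", lambda _: device["compromised"])

    if device["platform"] == "android":
        fired("min_android_version",
              lambda v: parse_version(device["os_version"]) < parse_version(v))
        fired("data_encryption_disabled", lambda _: not device["data_encryption"])
        fired("device_admin_deactivated", lambda _: not device["device_admin_active"])
    elif device["platform"] == "ios":
        ios_major = (parse_version(device["os_version"]) or (0,))[0]
        fired("data_protection_disabled", lambda _: not device["data_protection"])
        # the MDM-deactivated trigger applies to iOS 5 or higher only (see above)
        fired("mdm_deactivated", lambda _: ios_major >= 5 and not device["mdm_active"])
    return hits


def most_severe(hits):
    """The single action to apply when several triggers fire: the most severe one."""
    if not hits:
        return None
    return max((action for _, action in hits), key=ACTIONS.index)


# Constructed sample devices (not real inventory)
NOW = datetime(2013, 8, 7, tzinfo=timezone.utc)
OLD_ANDROID = {"platform": "android", "model": "GT-I9100", "os_version": "2.3.6",
               "last_checkin": NOW - timedelta(days=10), "policy_age_days": 0,
               "compromised": False, "data_encryption": False,
               "device_admin_active": True}
JAILBROKEN_IPHONE = {"platform": "ios", "model": "iPhone", "os_version": "6.1.4",
                     "last_checkin": NOW - timedelta(hours=2), "policy_age_days": 0,
                     "compromised": True, "data_protection": True, "mdm_active": True}
CLEAN_IPAD = {"platform": "ios", "model": "iPad", "os_version": "6.1.3",
              "last_checkin": NOW - timedelta(hours=1), "policy_age_days": 0,
              "compromised": False, "data_protection": True, "mdm_active": True}
```

Versions are compared as integer tuples rather than strings, so "4.1" correctly ranks above "4.0.4"; a string comparison would get the "Android version is less than x" trigger wrong for exactly the devices it is meant to catch.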
Send Alert
Immediately blocks access to the web sites configured to use the AppTunnel feature.
Send alert
Block email access and AppConnect apps
Quarantine: block email access, block app tunnels, block AppConnect apps, and wipe AppConnect app data
2. Click Add.
Name
Select if you want to trigger a message indicating that the violation has occurred. To configure the alert, see Policy violations event on page 298.
Quarantine
iOS: Select if you want to remove the configurations (i.e., profiles) that provide access to corporate resources.
Android: Select to remove the following configurations: Exchange, VPN, Wi-Fi, Docs@Work
Select if you want to retain the Wi-Fi configurations for devices that do not have cellular access. You might select this option to ensure that you can still contact these devices.
iOS: The iOS version determines how MobileIron decides whether a device supports Wi-Fi only. Prior to iOS 4.2.6, the device model (e.g., iPod) is used.
iOS: Select if you want to retain the Wi-Fi configurations for any device, regardless of whether it has cellular access. You might select this option to preserve limited network access despite the policy violation.
4. Click Save.
This new set of actions now appears in the drop down list for settings in the Access Control section of security policies.
sync interval
time the device last checked in
battery level
number of changes already queued
the app checkin interval for AppConnect for iOS
Once the change reaches the device, the MobileIron VSP checks the device for compliance. If the device is out of compliance, then the action is performed.
Restoring configurations
MobileIron automatically restores the configurations once the device user addresses
the policy violation. For example, if the policy violation resulted from an old version of
iOS, then upgrading resolves the issue. The same factors that apply to establishing
the quarantine affect the amount of time required to release the device from quarantine.
Exception: If the WiFi configuration has been removed from a WiFi-only device, then
configurations must be restored manually.
Devices page
Configurations page
Devices page: quarantined devices
To see if an individual device has been quarantined:
Note devices that have been highlighted and appear with a quarantine icon.
Expand the App Settings section in the Device Details pane to see which configurations have been removed due to quarantine.
Platform support columns: Android, iOS, OS X, Win 7, WP8 (partial; see note g)
g Only Location and Apps privacy settings currently apply to iOS and Android. Only Apps privacy settings apply to OS X.
Privacy policies specify which files to synchronize with the MobileIron VSP and
whether activity or content should be synchronized for each type of data. Privacy policies also specify which information the MobileIron Client should include in its log.
Use the following guidelines to create or edit Privacy policies:
Name
Active
Priority
Calls
Sync Activity
Sync Activity
Data Traffic
Sync Activity
Sync Content
Sync Inventory
Documents
Sync Content
None
None
Music Files
None
Disabled
All
Location
/Windows, /system, /Program Files, /Temp
Including subdirectories
Selected
Platform support columns: Android, iOS, Win 7, WP8 (yes and partial; see notes m and n)
m Camera lockdown is supported for Android 4.0 and later, and also on devices on which the Samsung SAFE APIs are present.
Bluetooth and Wi-Fi lockdown are supported on devices on which Samsung SAFE APIs are present. Extended lockdown policies are supported with Android 4.0 and later if the device has Samsung SAFE APIs present and is running Mobile@Work version 5.1.
n Supports only SD card.
Note: To lock down features on iOS devices, see App Settings > iOS > Restrictions.
Lockdown policies specify which features should be disabled in the event that device
access must be restricted.
Use the following guidelines to create or edit Lockdown policies:
Name
Active
Priority
Camera: Enable
Lockscreen Widgets: Enable
SD Card: Enable
Bluetooth: Enable. Android with Samsung Enterprise APIs only: Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio. Otherwise: Not supported.
WiFi: Enable
Android (Samsung SAFE):
Android Browser: Enable
Copy / Paste: Enable
Factory Reset: Enable
Google Backup: Enable
Google Play: Enable
GPS: N/A
Management Removal: Enable
Microphone: Enable
NFC: Enable
OTA Upgrade: Enable
Screen Capture: Enable
Setting Changes: Enable
Tethering - Bluetooth: Enable
Tethering - USB: Enable
Tethering - Wi-Fi: Enable
USB Debug: Enable
YouTube: Enable
Note
Policy changes may cause devices to which that policy is applied to prompt the user to
restart the device.
Platform support columns: iOS, Win 7, WP8 (yes and partial; see note a)
Sync policies specify how the MobileIron Client behaves on the device and interacts
with the MobileIron VSP. These interactions include synchronization of profiles, configurations, and app inventory.
Use the following guidelines to create or edit sync policies:
Name
Priority
Active
Server IP/Host Name
Use TLS: selected
Enable
Disable
Battery Level: 20
60
Heartbeat Interval: 14
240
15 minutes
Disabled
Not supported.
All Connections
Enabled
Each time the iOS Multitasking Sync Interval elapses, if the MobileIron app is
awake, the MobileIron app reports device details to the VSP. These details include
whether the SIM has been changed and whether the device has been compromised.
This sync interval is set to 15 minutes by default, but is configurable in the Sync
policy. The app does not wake up on its own.
Independently of the multitasking sync interval, the operating system may wake up
the app based on changes in cell tower location. In this case, the app determines if
device details have been sent to the VSP within the specified multitasking sync
interval. If device details have not been sent during that interval, then the app
sends those details to the VSP. If the app wakes up and determines that the device
has been compromised or the SIM state has changed, this information is immediately sent to the VSP.
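The two paragraphs above describe a small decision procedure with three distinct inputs (the interval, an OS-initiated wake-up, and the compromise/SIM observations) and it is worth writing it out so the edge cases are explicit: an overdue report is not sent while the app is asleep, and a SIM change or compromise is sent at once even when the interval has not elapsed. The following is an added example, not MobileIron's own code; the ReporterState shape, the event encoding and the sample timeline are assumptions.

```python
# Added example, not MobileIron's own code: the reporting decision the passage
# above describes, written out so each case is explicit. The ReporterState
# shape, the event encoding and the sample timeline are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_INTERVAL = timedelta(minutes=15)   # iOS Multitasking Sync Interval default


@dataclass
class ReporterState:
    last_report: Optional[datetime]   # when device details were last sent to the VSP
    sim_id: Optional[str] = None      # SIM identity as last reported (assumption: an ICCID-like string)


def decide(state, event, now, interval=DEFAULT_INTERVAL):
    """Return why a device-details report is sent now, or None if nothing is sent.

    event is one of:
      ("asleep", None)                      the app was not awake; it never wakes itself
      ("interval", (compromised, sim_id))   the interval elapsed while the app was awake
      ("cell_tower", (compromised, sim_id)) the OS woke the app on a cell tower change
    """
    kind, observed = event
    if kind == "asleep":
        return None
    compromised, sim_id = observed
    if kind == "interval":
        state.last_report, state.sim_id = now, sim_id
        return "sync interval elapsed while awake"
    if kind != "cell_tower":
        raise ValueError(f"unknown event {kind!r}")
    # woken by the OS: compromise or a SIM change is reported immediately
    if compromised:
        state.last_report, state.sim_id = now, sim_id
        return "compromised device detected"
    if sim_id != state.sim_id:
        state.last_report, state.sim_id = now, sim_id
        return "SIM state changed"
    # otherwise report only if nothing was sent within the last interval
    if state.last_report is None or now - state.last_report >= interval:
        state.last_report = now
        return "no report within the sync interval"
    return None


def replay(events, state, interval=DEFAULT_INTERVAL):
    """Run a timeline of (time, event) pairs; return the reports that were sent."""
    sent = []
    for when, event in events:
        reason = decide(state, event, when, interval)
        if reason:
            sent.append((when, reason))
    return sent


# Constructed timeline (not captured from a device); last report was at T0 with sim-A
T0 = datetime(2013, 8, 7, 9, 0)
TIMELINE = [
    (T0 + timedelta(minutes=5),  ("cell_tower", (False, "sim-A"))),  # 5 min since last report: nothing
    (T0 + timedelta(minutes=20), ("cell_tower", (False, "sim-A"))),  # 20 min: overdue, report
    (T0 + timedelta(minutes=40), ("asleep", None)),                   # overdue again, but not awake
    (T0 + timedelta(minutes=42), ("cell_tower", (False, "sim-B"))),  # SIM changed: immediate
    (T0 + timedelta(minutes=44), ("cell_tower", (True, "sim-B"))),   # compromised: immediate
]
```

Replaying the constructed timeline from a state whose last report was at T0 produces three reports: at 20 minutes (overdue), at 42 minutes (SIM change) and at 44 minutes (compromise); the 40-minute "asleep" entry sends nothing even though the device is overdue, which is the gap an operator should expect between a device going quiet and the VSP noticing.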
Devices running Android versions prior to 4.0 that have no Google account configured.
(iOS, Win 7, WP8) No longer supported.
Platform support columns: iOS, Win 7, WP8 (yes)
Docs@Work policies specify settings that change the behavior of the Mobile@Work for
iOS app.
For information on configuring a Docs@Work policy, see For iOS: Set up Docs@Work
policies on page 467.
1. Select Policies & Configs > Policies > Add New > Single-App Mode.
2. Fields: Status, Priority, Description, Identifier
3. Click Save.
On your PC or Mac, open the Mobile Applications folder in the iTunes library.
1. Select Policies & Configs > Policies > Add New > Global HTTP Proxy.
2. Fields: Status, Priority, Description, Proxy Type, Proxy Server, User Name, Password
3. Click Save.
Pane
Policy
Endpoint Security
Policy Activity
Troubleshooting policies
Troubleshooting: compliance actions
The application settings were not removed from the device.
Confirm that the sync interval has elapsed since you made the change to policy.
Confirm that the device supports encryption (Android 3.0 or later or Samsung with
Enterprise APIs).
Confirm that the device has been applied to the correct label.
Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.
If the user insists that encryption has been enabled, the encryption may be delayed
by battery level constraints imposed by Android devices. Ask the device user to
plug in the device so that encryption can be implemented.
The user has addressed the security policy violation, but the device is still quarantined.
Use the Force Device Check-In option to override the Sync Interval setting and
prompt the device to connect to the server.
Confirm that the battery level on the device is not below the sync threshold set in
the sync policy.
Chapter 6
Types
Android Samsung
Samsung Browser
Samsung Kiosk
Samsung Container
Infrastructure
Exchange
Email
Wifi
VPN
Bookmarks
Certificates
SCEP
MobileIron
AppConnect
Configuration
Container Policy
MobileIron Features
Docs@Work
Web@Work
General
Restrictions
iOS Only
Windows Phone 8
CalDAV
CardDAV
Web Clips
Configuration Profile
LDAP
Subscribed Calendars
APN
Provisioning Profile
Configurations page
Use the Configurations page to create and manage configurations. It displays the
following information for each configuration.
Field
Description
Name
Setting Type
Description
# Phones
Labels
WatchList
Displays the number of devices for which this group of settings is queued. Click the link to display a list of the
devices.
Quarantined
Displays the number of devices that have had configurations removed due to policy violations. Click the link to display a list of the devices. See Creating custom actions
on page 157 for information on quarantining devices.
Required role
Users must have the Policies and Apps & Configs roles to access this page.
Default
The following table summarizes the default configurations packaged with the VSP:
Setting: System - iOS Enrollment CA Certificate; Type: Certificate
Setting: System - iOS Enrollment SCEP; Type: SCEP
Setting: System - iOS Enterprise AppStore; Type: WEBCLIP
Setting: System - iOS Enterprise AppStore SCEP; Type: SCEP
Setting: MDM; Type: Certificate
Setting: System - Multi-User Secure Sign-In; Type: WEBCLIP
Type: APPENROLLMENTTOKEN
Setting: System - Windows Phone Enrollment SCEP; Type: SCEP
priate arrow to move the access right to the Available list. The following table summarizes these access rights.
Access Right
Notes
5. If you want the VSP to indicate that the MDM profile has been removed from iOS 5
Note: Receipt of this alert is not guaranteed. Therefore, this setting does not
ensure notification upon removal of the profile.
6. If you want to automatically alert iOS 5 users when a new iOS MDM configuration is
7. Click Save.
Remove the MDM profile on the device and tap Update Configuration Profile in
Mobile@Work.
Push the web clip from the Devices page by selecting the device and clicking Push
Profiles.
Applied: The VSP has confirmed that the verifiable settings appear to have been
applied to the device. For Android devices, use the View Details button to see the
verifiable results.
Partially Applied: One or more settings may have been rejected by the device. This
can mean that the feature is not supported by the device. For Android devices, use
the View Details button to see the verifiable results.
Click the View Details button for Android devices to see information on each configuration.
Platform support columns: iOS, WP8 (yes; notes a, b, c)
Platform support columns: iOS, Win 7, WP8 (yes; notes a, b, c)
Platform support columns: iOS, Win 7, WP8 (yes; notes a, b, c)
Auto Fill
Cookies
Javascript
Pop-ups
Smartcard Authentication
Authentication
Password Type
Max Character Occurrences: Specify a limit for the number of times a specific character can occur in the passcode. For example, to prevent a specific character from occurring 3 or more times, enter 2.
Forbidden Strings
Apps: Select the in-house apps to be installed in the container:
1. Click the + button.
2. Select an app from the Name list.
App Settings
Browser
Exchange
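The container's passcode rules above (Max Character Occurrences, Forbidden Strings) and the security policy's rules earlier in this chapter (Minimum Number of Complex Characters, and the "enter 4 to prevent reuse for four changes" history rule) are the kind of check that is easy to get off by one. The following is an added example, not MobileIron's own code, of a validator for those rules; what counts as a complex character, case-insensitive substring matching for forbidden strings, and a salted-hash history store are assumptions, since the product's own definitions and storage are not on the page.

```python
# Added example, not MobileIron's own code: checking a candidate passcode
# against the container-policy items above (Max Character Occurrences,
# Forbidden Strings) together with the security-policy items from earlier in
# this chapter (Minimum Number of Complex Characters, password history).
# What counts as a complex character, case-insensitive substring matching for
# forbidden strings, and the salted-hash history store are assumptions; the
# product's own storage format is not on the page.
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class PasscodePolicy:
    min_length: int = 6
    min_complex_chars: int = 1        # assumption: non-alphanumeric characters are "complex"
    max_char_occurrences: int = 2     # "to prevent a character occurring 3 or more times, enter 2"
    forbidden_strings: tuple = ()     # assumption: case-insensitive substring match
    history_depth: int = 4            # "enter 4": the last four passwords may not be reused


def history_entry(password, salt=None, iterations=50_000):
    """Store a salted PBKDF2 digest rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def matches_entry(password, entry):
    salt, digest, iterations = entry
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, digest)


def violations(candidate, policy, history=()):
    """Return [(code, message), ...]; an empty list means the passcode is acceptable.

    history is oldest-to-newest; only the newest `history_depth` entries count.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(("length", f"needs at least {policy.min_length} characters"))
    complex_count = sum(1 for ch in candidate if not ch.isalnum())
    if complex_count < policy.min_complex_chars:
        problems.append(("complexity", f"needs at least {policy.min_complex_chars} complex characters"))
    limit = policy.max_char_occurrences
    if limit:
        repeated = sorted(ch for ch, n in Counter(candidate).items() if n > limit)
        if repeated:
            problems.append(("occurrences", f"{''.join(repeated)!r} occur more than {limit} times"))
    lowered = candidate.lower()
    hits = [s for s in policy.forbidden_strings if s.lower() in lowered]
    if hits:
        problems.append(("forbidden", f"contains forbidden string {hits[0]!r}"))
    recent = list(history)[-policy.history_depth:] if policy.history_depth > 0 else []
    if any(matches_entry(candidate, entry) for entry in recent):
        problems.append(("history", f"matches one of the last {policy.history_depth} passwords"))
    return problems


# Constructed sample policy and history (not from a real deployment)
EXAMPLE_POLICY = PasscodePolicy(forbidden_strings=("acme", "password"))
EXAMPLE_HISTORY = [history_entry(p) for p in
                   ("Old-pass1", "Old-pass2", "Old-pass3", "Old-pass4", "Old-pass5")]
```

With history_depth 4 and five stored entries, "Old-pass3" is rejected but "Old-pass1" (the fifth most recent) is accepted, which is the "enter 4" semantics; the history is kept as salted PBKDF2 digests so that the reuse check never needs the old passwords in clear.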
Supported variables
The following variables are supported for Android Samsung Container settings:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
Exchange settings
Platform support columns: Android, iOS, OS X, Win 7, WP8 (yes; notes a, b)
Select Policies & Configs > Configurations > Add New > Exchange to specify the
settings for the ActiveSync server that devices use. The ActiveSync server can be a
Microsoft Exchange server, an IBM Lotus Notes Traveler server, Microsoft Office
365, or other servers.
For OS X: Only Contacts are synchronized, and ActiveSync is not supported.
For iOS:
If an Exchange profile already exists on the device, then attempts to distribute new
ActiveSync settings using MobileIron will fail.
For iOS and OS X:
iOS/OS X can take advantage of the optional Save User Password feature under
Settings to facilitate Exchange configuration.
For Android:
The Exchange configuration works with:
Android devices using the NitroDesk TouchDown email app and Android version 2.2
or later
Android devices using the Android Email+ email app and Android version 4.0 or
later
Samsung SAFE devices running the Samsung native email app and Android version
2.2 or later
Starting with version 5.1 of the Mobile@Work for Android app, the Exchange
configuration also works with:
HTC devices using HTC Sense 4.0 or later using the HTC native email app
Note: The HTC native email app does not work with Lotus Notes Traveler.
Motorola devices with Enterprise Device Management APIs and running Android 4.0
or later, and using the Motorola native email app
For a more detailed list of Motorola devices, see
http://developer.motorola.com/products/?filters=1425#filter
Note: The Motorola native email app does not work with Lotus Notes Traveler.
Consider the following behavior on Motorola devices:
On some Motorola devices, the native email app exits after each setup step. On
these devices, the device user must relaunch the native email app to continue with
the next setup step.
The Exchange server or Sentry must use a trusted certificate. Motorola devices will
not configure an Exchange account to servers using untrusted certificates.
The following table describes the Exchange settings you can specify.
General
Name
Description
Server Address
Domain
ActiveSync User Name: Specify the variable for the user name to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US. Typically, you use $USERID$ if your ActiveSync server is a Microsoft Exchange Server, and you use $EMAIL$ if your ActiveSync server is an IBM Lotus Notes Traveler server. For WP8 devices, if the User Name setting is modified after the Exchange setting is provisioned, the device cannot sync. The workaround is to remove the Exchange setting and reapply, or retire the device and register the device with the new User Name.
ActiveSync User Email
ActiveSync Password
Identity Certificate
Items to Synchronize
NitroDesk TouchDown: However, the TouchDown app does not display this information in its settings screen.
Enable S/MIME
S/MIME Signing identity
S/MIME Encryption identity
ActiveSync
Sync during Peak Time
Send/receive when
send
Peak Time
Peak Days
Start Time: Specify the beginning of the peak period for all peak days. This feature is not supported for WP8 devices.
End Time: Specify the end of the peak period for all peak days. This feature is not supported for WP8 devices.
Recent Address syncing
Android
Exchange App Priority
General
Accept all SSL certificates
Copy/Paste
Allow access to secure info from outside container
NitroDesk TouchDown
HTML Email
SmartCard Authentication
Platform support columns: iOS, OS X, Win 7, WP8 (yes)
Select Policies & Configs > Configurations > Add New > Email to set up POP or IMAP
email.
The following table describes the email settings you can specify:
Name
Description
Account Type
User Email
Incoming Mail Server Settings
Path Prefix: Specify the IMAP path prefix for the email client. A prefix is generally required when all IMAP folders are listed under the Inbox. ISPs that require prefixes usually provide information on the specific prefix to configure.
Server Address
Server Port
Require SSL
User Name
Use Password Authentication
Password
Outgoing (SMTP) Mail Server Settings
Server Address
Server Port
Require SSL
Require Authentication
Use Password Authentication
Password
Advanced Settings
Automatic Send/Receive
Download Messages
Message Format
Message Download Limit
Download Attachment
iOS 5 Settings
Block move/forward messages to other email accounts
Enable S/MIME
S/MIME Signing identity
S/MIME Encryption identity
Allow Recent Address syncing
Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$PASSWORD$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
Wifi settings
Platform support columns: Android, iOS, Win 7, WP8 (yes)
Select Policies & Configs > Configurations > Add New > Wifi to configure wireless
network access.
The fields that appear in the New Wifi Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the
Authentication field.
Open authentication
Use the following guidelines to set up Open authentication.
Name
Network Name (SSID)
Description
Hidden Network
Authentication: Select Open.
Data Encryption: Disabled, WEP, or WEP Enterprise (Not Applicable for Android)
Network Key (WEP encryption): Not Applicable for iOS. Enter the network key necessary for accessing this network. The network key should be 5 or 13 ASCII characters or 10 or 26 hexadecimal digits.
Key Index (WEP encryption): If using multiple network keys, select a number indicating the memory position of the correct encryption key.
Confirm Network Key
User Name
Password
Apply to Certificates
Trusted Certificate Names
Allow Trust Exceptions
Use Per-connection Password
EAP Type: EAP-FAST, EAP-SIM, LEAP, PEAP, TLS, TTLS
iOS 5 Settings
Auto Join
Proxy Type
Proxy Server
Proxy Password
Shared authentication
Use the following guidelines to set up shared authentication:
Name
Network Name (SSID)
Description
Hidden Network
Authentication: Select Shared.
Data Encryption: Disabled, WEP, or WEP Enterprise (Not Applicable for Android)
Network Key (WEP encryption): Not Applicable for iOS. Enter the network key necessary for accessing this network. The network key should be 5 or 13 ASCII characters or 10 or 26 hexadecimal digits.
Key Index (WEP encryption): If using multiple network keys, select a number indicating the memory position of the correct encryption key.
Confirm Network Key
User Name
Password
Apply to Certificates
Trusted Certificate Names
Allow Trust Exceptions
Use Per-connection Password
EAP Type: EAP-FAST, EAP-SIM, LEAP, PEAP, TLS, TTLS
iOS 5 Settings
Auto Join
Proxy Type
Proxy Server
Name
Network Name (SSID)
Description
Hidden Network
Authentication
Data Encryption: AES, TKIP
User Name
Password
Apply to Certificates
Trusted Certificate Names
Allow Trust Exceptions
Use Per-connection Password
EAP Type
iOS 5 Settings
Auto Join
Proxy Type
Proxy Server
Network Name (SSID)
Description
Hidden Network
Authentication
Data Encryption: AES, TKIP
User Name
Password
Apply to Certificates
Trusted Certificate Names
iOS 5 Settings
Auto Join
Proxy Type
Proxy Server
Name
Network Name (SSID)
Description
Hidden Network
Authentication
Data Encryption: AES, TKIP
Network Key
Confirm Network Key
EAP Type: EAP-FAST, EAP-SIM, LEAP, PEAP, TLS, TTLS
iOS 5 Settings
Auto Join
Proxy Type
Proxy Server
VPN settings
Platform support columns: Android, iOS, OS X, Win 7, WP8 (yes)
Select Policies & Configs > Configurations > Add New > VPN to configure VPN access.
The fields that appear in the New VPN Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the Connection
Type field.
PPTP
Use the following guidelines to configure PPTP VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
Password
Authentication
Encryption Level
Domain
Proxy
L2TP
Use the following guidelines to configure L2TP VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
Password
Authentication
Shared Secret
Confirm Shared Secret
Proxy
IPSec (Cisco)
Use the following guidelines to configure IPSec (Cisco) VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
XAuth Enabled
Password
Authentication
Group Name
Shared Secret
Confirm Shared Secret
Use Hybrid Authentication
Identity Certificate
Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
Certificate authentication.
Select to prompt the user for a PIN.
VPN on Demand
Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Proxy
Cisco AnyConnect
Use the following guidelines to configure Cisco AnyConnect VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
Password
Group
User Authentication
Identity Certificate
Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand
Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Proxy
Juniper SSL
Use the following guidelines to configure Juniper SSL VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
Password
Role
Realm
User Authentication
Identity Certificate
Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand
Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Proxy
F5 SSL
Use the following guidelines to configure F5 SSL VPN.
Item
Description
Name
Description
Connection Type
Server
User Name
Password
User Authentication
Identity Certificate
Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand
Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Proxy
Item
Description
Name
Description
Connection Type
Server
User Name
Password
Identifier
App Store identifier for the VPN app being configured. The
app creator should provide this information.
User Authentication
Identity Certificate
Certificate authentication.
Select the SCEP entry you created for supporting VPN, if
you are implementing certificate-based authentication.
VPN on Demand
Certificate authentication.
Select to enable the VPN on Demand section. Click Add
New to specify a domain or hostname and the preferred
connection option.
Custom Data
Proxy
Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
must match the LDAP password in order for this feature to be of use.
AppConnect settings
Configuring an AppConnect app can involve the following configurations:
AppConnect configuration
This configuration is necessary if the AppConnect app requires app tunneling or
app-specific configurations.
See Configuring an AppConnect app configuration on page 504.
Bookmarks settings
No longer supported. See Web@Work for iOS on page 523 for information on creating bookmarks in Web@Work.
Certificates settings
Platform support columns: Android, iOS, OS X, Win 7, WP8 (yes; note a)
Select Policies & Configs > Configurations > Add New > Certificates to configure the
necessary identity certificates for your organization.
The following table describes the Certificate settings you can specify:
Item
Description
Name
Description
File Name
Password
Confirm Password
SCEP settings
Platform support columns: Android, iOS, OS X, Win 7, WP8 (yes)
Select Policies & Configs > Configurations > Add New > SCEP to specify settings that
allow the device to obtain certificates from a CA using Simple Certificate Enrollment
Protocol (SCEP).
Creating a SCEP entry is part of a larger process of setting up a SCEP server to support authentication for VPN on demand, Wifi, Exchange ActiveSync, and so on. A
default SCEP setting is included for the built-in SCEP server, which supports iOS and
OS X enrollment.
Item
Description
Name
Description
Enable Proxy
Cache locally
generated keys
User Certificate
Device Certificate
Setting Type
URL
Certificate
Description
Application
Description
Subject
Subject Common Name Type
Subject Alternative Name Type
Subject Alternative Name Value
Key Usage
Finger Print
Challenge Type
Challenge
Challenge URL
User Name
Password
Issue test
certificate?
X.509 Codes
The Subject field uses an X.509 distinguished name. You can use one or more
X.509 codes, separated by commas. This table describes the valid X.509 codes:
Code  Name                 Type     Max Size  Example
C     Country/Region       ASCII              C=US
DC    Domain Component     ASCII    255       DC=company, DC=com
S     State or Province    Unicode  128       S=California
L     Locality             Unicode  128       L=Mountain View
O     Organization         Unicode  64
OU    Organizational Unit  Unicode  64        OU=Support
CN    Common Name          Unicode  64        CN=www.company.com
Note: If the SCEP entry is not valid, then you will be prompted to correct it; partial
and invalid entries cannot be saved.
Why proxy?
Choosing to enable SCEP proxy functions has the following benefits:
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$EMAIL$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
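The $VARIABLE$ tokens listed above are expanded per user and per device before the SCEP request is built, and the result has to satisfy the X.509 code table earlier in this section; the same expansion produces custom formats such as the $USERID$_US ActiveSync user name from the Exchange settings. The following is an added example, not MobileIron's own code, of both steps: the user and device records are constructed, and the maximum size for C, which the table leaves blank, is assumed to be 2.

```python
# Added example, not MobileIron's own code: expanding the $VARIABLE$ tokens
# listed above into a SCEP Subject (the same mechanism gives custom formats
# such as the $USERID$_US ActiveSync user name from the Exchange settings),
# then checking the expanded Subject against the X.509 code table. The user
# and device records are constructed; the maximum size for C, which the table
# leaves blank, is assumed to be 2.
import re

VARIABLE_RE = re.compile(r"\$([A-Z0-9_]+)\$")


def expand(template, user, device):
    """Replace each $NAME$ token from the user or device record.

    $NULL$ expands to the empty string; a name that is neither is rejected
    rather than silently left in the output.
    """
    def substitute(match):
        name = match.group(1)
        if name == "NULL":
            return ""
        if name in user:
            return user[name]
        if name in device:
            return device[name]
        raise KeyError(f"unsupported variable ${name}$")
    return VARIABLE_RE.sub(substitute, template)


# From the X.509 table above: code -> (name, type, max size)
X509_CODES = {
    "C":  ("Country/Region",      "ASCII",   2),    # size not on the page; 2 assumed (ISO 3166)
    "DC": ("Domain Component",    "ASCII",   255),
    "S":  ("State or Province",   "Unicode", 128),
    "L":  ("Locality",            "Unicode", 128),
    "O":  ("Organization",        "Unicode", 64),
    "OU": ("Organizational Unit", "Unicode", 64),
    "CN": ("Common Name",         "Unicode", 64),
}


def split_dn(dn):
    """Split 'CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')]; a backslash escapes
    the next character, so a value written as Acme\\, Inc keeps its comma."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    result = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed component {part!r}")
        code, value = part.split("=", 1)
        result.append((code.strip().upper(), value.strip()))
    return result


def validate_subject(dn):
    """Return a list of problems; an empty list means the Subject passes the table's limits."""
    problems = []
    for code, value in split_dn(dn):
        if code not in X509_CODES:
            problems.append(f"{code}: not a valid X.509 code")
            continue
        _, kind, max_size = X509_CODES[code]
        if not value:
            problems.append(f"{code}: empty value")
        if len(value) > max_size:
            problems.append(f"{code}: {len(value)} characters exceeds {max_size}")
        if kind == "ASCII" and not value.isascii():
            problems.append(f"{code}: must be ASCII")
    return problems


# Constructed user and device records (not LDAP or inventory data)
USER = {"USERID": "jdoe", "EMAIL": "jdoe@company.com", "FIRST_NAME": "Jane",
        "LAST_NAME": "Doe", "DISPLAY_NAME": "Jane Doe", "USER_LOCALE": "en_US",
        "USER_UPN": "jdoe@company.com", "USER_CUSTOM1": "Support",
        "USER_DN": "CN=Jane Doe,OU=Support,DC=company,DC=com"}
DEVICE = {"DEVICE_UUID": "1f2e3d4c-0000-4000-8000-000000000001",
          "DEVICE_SN": "C02ABCDEF"}
SUBJECT_TEMPLATE = "CN=$USERID$, OU=$USER_CUSTOM1$, O=company, DC=company, DC=com"
```

Rejecting an unknown variable instead of passing it through matters here: a Subject containing a literal "$BOGUS$" would still be a syntactically valid DN and the CA would issue a certificate for it, which is harder to notice than a failed request. Note that the table uses S for State or Province, so the common ST= form is reported as invalid.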
Platform
Exchange ActiveSync
iOS and OS X
Application
Platform
WiFi
iOS and OS X
NitroDesk TouchDown
Android
Prerequisites
A valid Symantec VeriSign Managed PKI account is required.
To configure SCEP settings for Symantec Managed PKI, select the Symantec Managed
PKI option in the New SCEP Setting dialog (Policies & Configs > Configurations > Add
New > SCEP).
Selecting this option displays the following Symantec-specific settings:
URL Mode: Specifies the mode and the corresponding URL supplied by Symantec.
CA-Identifier: Required information supplied by Symantec.
Upload Certificate: Used to upload the certificate supplied by Symantec.
Compatibility notes
This integration does not involve or support OpenTrust SCEP (decentralized) implementations. It is intended for those who want to deploy a non-SCEP implementation.
This integration does not support pushing Certificate Authority bundles to devices, which OpenTrust offers.
The VSP supports one certificate per OpenTrust configuration. OpenTrust supports creating profiles that have multiple credentials (called an application in the OpenTrust context). Therefore, the SCEP settings dialog automatically omits OpenTrust profiles that specify multiple credentials.
Prerequisites
The information in this section assumes the following:
OpenTrust).
If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that the VSP does not currently support.
The Description and Application Description fields are populated automatically with
the corresponding OpenTrust content associated with the selected profile. In addition, Required Fields and Optional Fields for the certificate (as defined in the
selected MPS profile) are displayed. (MPS stands for the Mobile Provisioning Service
in OpenTrust.)
Note: You can save the configuration before you have completed all required fields,
enabling you to enter and save the information in stages.
Supported variables
The following variables are supported for the required and optional fields in a SCEP
configuration for OpenTrust:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
The Registration Authority (RA) certificate the VSP will use to authenticate to
the Symantec CA.
Description
Name
Description
Enable Proxy
User Certificate
Device Certificate
Setting Type
Server
Certificate: Upload Certificate
Click Upload Certificate to navigate to and select the RA certificate you received from Symantec. This is usually a .p12 file. Enter the password for the certificate when prompted.
Mobile Profiles
Description
The description is populated automatically with the corresponding content associated with the selected profile.
Application Description
The Required Fields and Optional Fields for the certificate are displayed based on
how the MDM (Web Service Client) profile was set up in the Symantec PKI manager.
Required Fields
Optional Fields
3. Click Save.
Note: You can save the setting before you have completed all required fields,
enabling you to enter and save the information in stages.
Supported variables
The following variables are supported for the required and optional fields:
$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
Docs@Work settings
Platforms: Android | iOS | Win 7 | WP8
Select Policies & Configs > Configurations > Add New > Docs@Work to configure
access to content servers.
For information about setting up the Docs@Work configuration, see Set up
Docs@Work configurations on page 463.
Web@Work settings
Select Policies & Configs > Configurations > Add New > Web@Work to specify bookmarks and AppTunnel settings for the Web@Work app. See Configure AppTunnel and
Bookmarks for Web@Work on page 535.
General
CalDAV
CardDAV
Web Clips
Configuration Profile
LDAP
General settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > General to specify the basic information for interactions with the iOS and OS X configuration profiles.
Note: General settings can be set once; if you want to use this screen to change these
settings, then the user must manually delete the profile.
Item
Description
Name
Description
Identifier
Organization
CalDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CalDAV to
specify parameters for connecting to CalDAV-compliant calendar servers. CalDAV (or
Description
Name
Description
HostName
Port
Principal URL
Use SSL
User Name
Password
iOS 4 supports only a single CalDAV setting. Therefore, only the first CalDAV configuration applied to an iOS 4 device will take effect.
Supported Variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
CardDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CardDAV to
configure access to subscription address books compatible with this protocol.
Note: This configuration is supported on iOS and OS X v10.8 and later. OS X v10.7
Lion is not supported.
Item
Description
Name
Description
HostName
Port
Principal URL
Use SSL
User Name
Password
Supported variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
Item
Description
Name
Enter brief text to describe the web clip. This is the text
that users will see.
Address/URL
Enter the address or URL for the target of the web clip.
Removable
Full Screen
Precomposed
Icon
LDAP settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > LDAP to configure an LDAP profile for iOS and OS X devices.
Use the following guidelines to complete this form. The iOS 5 Configuration Reference
may also be useful.
Item
Description
Name
Account Description
Account Username
Account Password
Optional. Password that corresponds to the Account Username value. The password applies to encrypted accounts.
Account Confirm Password
Account Hostname
Use SSL
Search Settings
Should have at least one entry for the account. Each entry
represents a node in the LDAP tree from which to start
searching. Click the + button to add a new entry, then edit
the entry.
An entry consists of the following values:
Description: Explains the purpose of the search setting.
Scope: Select Base, Subtree, or One Level to indicate the
scope of the search. Base indicates just the node level,
Subtree indicates the node and all children, One Level
indicates the node and one level of children.
Search Base: The conceptual path to the specified node (e.g., ou=people, o=mycorp).
iOS settings
The following iOS-specific settings are available:
Restrictions
Subscribed Calendars
APN
Provisioning Profile
Restrictions settings
Select Policies & Configs > Configurations > Add New > iOS > Restrictions to specify
lockdown capabilities for iOS.
The following table summarizes the settings.
Item
Description
Name
Description
Device Functionality
Allow Installing Apps
Allow FaceTime
Allow Siri
Allow multiplayer gaming
Allow interactive installation of configuration profiles and certificates
Allow Passbook notifications while locked
Applications
Allow Use of YouTube
Enable autofill
Enable Javascript
Block pop-ups
Accept cookies
Allow iMessage
Force encrypted backups
Content Ratings
Allow explicit music & podcasts
Ratings region
Movies
TV Shows
Apps
Description
Name
Description
URL
Use SSL
User Name
Password
iOS devices accept settings for up to four subscribed calendars. Therefore, any
additional calendar settings applied to an iOS device will be ignored.
Supported Variables
You can use the following variables in fields that support variables.
$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
APN settings
Select Policies & Configs > Configurations > Add New > iOS > APN to define parameters for access point interactions, which define how the device accesses the operator's network.
Item
Description
Description
User Name
Password
Proxy Server
Port
Mac OS X
iOS
CalDAV
Exchange
web clip
If you do not intend to specify browser behavior in the container, you can skip this
step.
See Android Samsung browser settings on page 200.
2. Create an Exchange configuration for the container.
If you do not intend to specify email client behavior in the container, you can skip
this step.
3. Create a Samsung Container configuration.
The Samsung Container configuration will specify the Samsung Browser configuration and the Exchange configuration you created for the container.
See Android Samsung Container settings on page 202.
4. Create one or more labels to identify the devices that will receive the Samsung
Container configuration.
Once the configuration is present on the device, then the device begins creating the
container as specified.
configuration.
Chapter 7
Managing Certificates
Overview of certificates
MobileIron is capable of distributing and managing certificates.
Certificates are mainly used for the following purposes:
The certificate includes information that identifies the user, device, or server that
holds the certificate.
The MobileIron solution provides the flexibility to use the VSP as a local certificate
authority, an intermediate certificate authority, or as a proxy for a trusted certificate
authority.
Types of certificates
MobileIron uses the following types of certificates:
Certificate type
Description
Client TLS
Portal
Identifies the Sentry to the client and secures communication, over port 443, between devices and the Sentry.
iOS MDM
Validates profile authenticity for iOS. Enables the MDM feature set for iOS devices. Uses port 2195 to communicate
with Apple APNS.
iOS enrollment
Windows Phone 8 (WP8) enrollment
Client identity
Verifies the identity of users and devices and can be distributed through SCEP/NDES.
The following diagram illustrates where each certificate type is used in the MobileIron
architecture:
VSP as an Intermediate CA: Use this option when your company already has its own certificate authority. Using the VSP as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.
See the Local Certificate Authorities: Using the VSP as a CA tech note, available on the
MobileIron Support site.
MobileIron can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
Certificate support by platform (table): ActiveSync, VPN and Wi-Fi for iOS and WP8; MS SCEP, Entrust, Local CA and Open Trust for Android, iOS and WP8. Footnote markers a to d refer to notes not reproduced here.
For information about how to create SCEP settings in the VSP, see SCEP settings on page 237.
Device and server authentication support for Standalone Sentry on page 328.
the Authentication Using Kerberos Constrained Delegation tech note, available on
the MobileIron Support site.
More information
For detailed information about how to set up the VSP as a SCEP proxy in a managed
PKI environment, see Setting up Symantec VeriSign Managed PKI Integration tech
note, available on the MobileIron Support site.
For detailed information about how to set up certificate-based authentication for iOS,
see the Certificate-based Authentication for iOS tech note, available on the MobileIron
Support site.
For detailed information about managing certificates on Android devices, see the
MobileIron for Android Release Upgrade Guide for Android Client 4.5.6.
For detailed information about how to set up MobileIron to use Entrust, see the
Authentication Using Entrust Certificate Types tech note, available on the MobileIron
Support site.
Chapter 8
Troubleshooting Devices
Platforms: iOS | OS X | Win 7 | WP8
You can use the Force Device Check-in feature to force the device to connect to the
MobileIron Server. You might use this feature if the MobileIron Client has not connected for some time, or you want to override a long sync interval to download
updates.
You can use this feature to troubleshoot MobileIron operations.
Note: The Force Device Check-in feature does not sync the policies and app settings related to AppConnect. The app check-in interval on the AppConnect global policy controls updates to those policies and app settings. See Configuring the AppConnect global policy on page 484.
To force registered devices to check in:
1.
2.
Select the checkbox for the device in the All Devices page.
3.
4.
In the displayed dialog, confirm the user and device information and enter a note.
5.
Note that the phone user may have a Connect Now option that forces the MobileIron
Client to attempt to connect to the MobileIron Server.
Using logs
The following Log pages in the Admin Portal enable you to easily navigate through the
MobileIron log entries to find the information you need.
MDM Log
The MDM Log displays MDM-specific log entries.
Filter the log entries using the following criteria:
Actions
States
User
Device
Error text
Detail text
Date range
Viewing Errors
Errors result in the display of a View Error link in the Error column. Click the link to display error details.
Certificate Log
The Certificate Log displays certificate-related log entries. You can remove selected
certificates from the log and revoke selected certificates.
Filter the log entries using the following criteria:
User name
Setting name
Expiration date range
Removing a Certificate From the Certificate Log
To remove a certificate from the Certificate Log:
1.
2.
3.
Click Remove.
Revoking a Certificate
You can revoke certificates created using a Local Certificate Authority. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device
authenticates with the VSP, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
1.
2.
3.
Click Revoke.
The certificate will be added immediately to the CRL so the next time the device
attempts to authenticate, authentication will fail.
2.
2.
3.
Description
Subject Related To
Actions
Requested
Completed
Status
Click Search.
LDAP
Sentry
Connector
To display the Service Diagnostic screen, select Settings > Service Diagnostics.
Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.
Chapter 9
About events
The Event Center enables MobileIron administrators to connect events to specific
alerts. For example, you can specify an SMS to be sent each time a user enters a different country, informing the user that different rates may apply.
The Event Center currently recognizes the following events:
Events page
Use the Events (Admin Portal > Logs & Events > Event Settings) page to manage the
events you are interested in and the corresponding actions you want to automate.
Required role
Users must have the Events role to access the Event Settings page. See Assigning
and removing roles on page 57.
Managing events
Each event type recognized by the Event Center has settings specific to the event
type. See Event types on page 281 for information on specific settings. This section
explains tasks related to all event types:
Creating an event
Editing an event
Deleting an event
Setting alert preferences
Creating an event
To create an event:
1.
Click Logs & Events > Event Settings in the Admin Portal.
2.
3.
4.
5.
Click Save.
6.
For each type of alert (SMS, email, and push notification, i.e., APNs or C2DM), you can select one of the following:
User only
User + Admin
Admin only
If you select one of the Admin options, then a CC to Admins section displays in the
dialog.
Use this section to select those users, other than the device user, who should be notified. Only users having registered devices display in this list.
Editing an event
To edit an event:
1.
2.
3.
4.
5.
Click Save.
Deleting an event
To delete an event:
1.
2.
3.
2.
3.
In the Alert Preferences section, enter the number of retries for SMS and email.
4.
Click Save.
Event types
Each event type has specific settings that need to be configured. This section
describes the settings for each type.
The current event types are:
Platforms: iOS | Win 7 | WP8
Note that international roaming detection is not supported for dual-mode devices (i.e.,
devices that switch between GSM and CDMA).
To create an international roaming event:
1.
2.
3.
4.
Description
Name
Description
Generate Alert
Maximum Alerts
Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the
admin, or both. Specify users in the Apply to
Users section or by selecting a label in the Apply
to Labels section. If you select Admin only or
User + Admin, then the CC to Admins section
displays. Use this section to specify administrative users who should receive the alert.
Send Email
Apply to Labels
Search Users
Apply to Users
5.
Field
Description
Exclude Labels
Search Users
Exclude Users
CC to Admins
Click Save.
Note: If more than one international roaming event applies to a device, only the last
one you edited and saved is triggered.
Platforms: iOS | Win 7 | WP8
Click Logs & Events > Event Settings in the Admin Portal.
2.
3.
4.
Description
Name
Description
Threshold on
SMS
Specifies whether SMS usage is limited. If limited, specifies the number of text messages that
must be exceeded to trigger the notification. For
international events, the SMS count is reset
when international roaming stops. For total
usage events, the alert count is reset at the end
of the month.
Voice
Specifies whether voice usage is limited. If limited, specifies the number of voice minutes that
must be exceeded to trigger the notification. For
international events, the voice minute count is
reset when international roaming stops. For total
usage events, the voice minute count is reset at
the end of the month.
Data
Specifies whether data usage is limited. If limited, specifies the number of data MB that must be exceeded to trigger the notification. For international events, the data MB count is reset when international roaming stops. For total usage events, the alert count is reset at the end of the month.
Pre-threshold Action
Post-threshold Action
Generate Alert
Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the
admin, or both. Specify users in the Apply to
Users section or by selecting a label in the Apply
to Labels section. If you select Admin only or
User + Admin, then the CC to Admins section
displays. Use this section to specify administrative users who should receive the alert.
Send Email
5.
Apply to Labels
Search Users
Apply to Users
Exclude Labels
Search Users
Exclude Users
CC to Admins
Click Save.
Note: If more than one threshold reached event applies to a device, only the last one
you edited and saved is triggered.
Platforms: iOS | Win 7 | WP8
For iOS devices that are not MDM-managed, the device user must start the MobileIron
app on the device to trigger this event.
To create a SIM changed event:
1.
2.
3.
4.
Description
Name
Description
Generate Alert
Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the
admin, or both. Specify users in the Apply to
Users section or by selecting a label in the Apply
to Labels section. If you select Admin only or
User + Admin, then the CC to Admins section
displays. Use this section to specify administrative users who should receive the alert.
Send Email
Apply to Labels
Search Users
Apply to Users
5.
Field
Description
Exclude Labels
Search Users
Exclude Users
CC to Admins
Click Save.
Note: If more than one SIM changed event applies to a device, only the last one you
edited and saved is triggered.
Platforms: iOS | Win 7 | WP8
2.
3.
4.
Description
Name
Description
Generate Alert
Alert every
Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the
admin, or both. Specify users in the Apply to
Users section or by selecting a label in the Apply
to Labels section. If you select Admin only or
User + Admin, then the CC to Admins section
displays. Use this section to specify administrative users who should receive the alert.
Send Email
Apply to Labels
Search Users
Apply to Users
5.
Field
Description
Exclude Labels
Search Users
Exclude Users
CC to Admins
Click Save.
Notes:
Memory exceeded events are sent only once per week when the configured memory limit is reached. If more than one memory size exceeded event applies to a device, only the last one you edited and saved is triggered.
System event
A system event generates an alert when a component of a MobileIron implementation is not working. To create a system event:
1.
2.
3.
4.
Description
Name
Description
Sentry (standalone and integrated) is unreachable
Sentry (standalone and integrated) cannot reach EAS server
MobileIron gateway is unreachable
BES is unreachable
LDAP server is unreachable
DNS server is unreachable
Mail server is unreachable
NTP server is unreachable
Certificate Expired
Provisioning Profile Expired
SMS Message archive queue is full
System storage threshold has been reached
Generates an alert if the system storage threshold has been reached. See Manually purging data (system storage) on page 600 for information on setting this threshold.
Connector state events
Connector requires manual upgrade
Connector is unreachable
Generate Alert
Maximum Alerts
Alert Every
Severity
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the
admin, or both. Specify users in the Apply to
Users section or by selecting a label in the Apply
to Labels section. If you select Admin only or
User + Admin, then the CC to Admins section
displays. Use this section to specify administrative users who should receive the alert.
Send Email
Apply to Labels
5.
Search Users
Apply to Users
Exclude Labels
Search Users
Exclude Users
Search Users
Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins
Click Save.
Platforms: iOS | Win 7 | WP8
2.
3.
4.
Description
Name
Description
Connectivity
Out-of-contact with Server for X number of days
Device Settings
Passcode is not compliant
App Control
iOS
Disallowed iOS model found
Select this option to send an alert when a compromised iOS device is registered or connects to the server. That is, an iOS device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.
Android
Disallowed Android OS version found
Compromised Android device detected
Actions
Generate Alert
Maximum Alerts
Alert Every
Severity
Template
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.
Send Email
5.
Apply to Labels
Search Users
Apply to Users
Exclude Labels
Search Users
Exclude Users
Search Users
Enter the user ID to find users who act as telecom administrators and should receive the alert.
CC to Admins
Click Save.
The MobileIron Event Center sends emails, SMSes, and push notification messages
based on triggering events. When you configure events, you can use the default message template or create a new one. Event Center templates enable you to specify content and basic formatting using HTML markup.
Note: If more than one policy violations event applies to a device, only the last one
you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation. Instead, apply only one policy
violations event to each device. In that one event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy
violation that triggered the event.
2.
3.
Click the View link for the message template you want to view.
Either click the Create button in the event dialog or select the event type from Settings > Templates > Event Center Templates > Add New.
The following figure shows the event dialog.
Event Center messages are displayed with the HTML markup that provides the
basic formatting for the content.
2.
3.
In the Edit Template for field, select the language this template will be used for.
Note that only those languages that have been enabled for the system will be displayed in this list.
4.
5.
Click Save.
Required Variables
International Roaming
$CURRENT_COUNTRY
$HOME_COUNTRY
$PHONE_NUMBER
$SEVERITY
$USER_NAME
Threshold Reached
$PHONE_NUMBER
$SEVERITY
$THRESHOLD_ON
$THRESHOLD_TYPE
$THRESHOLD_UNIT
$THRESHOLD_VALUE
$USED_VALUE
$USER_NAME
SIM Changed
$CURRENT_PHONE_NUMBER
$NEW_PHONE_NUMBER
$SEVERITY
$USER_NAME
Template Type
Required Variables
$FREE_MEMORY_SIZE
$MEMORY_SIZE_LIMIT
$PHONE_NUMBER
$SEVERITY
$TOTAL_MEMORY_SIZE
$USER_NAME
System Event
$DEFAULT_SYSTEM_MESSAGE
$SERVER_IP
$SERVER_NAME
$SEVERITY
Policy Violation
$DEFAULT_POLICY_VIOLATION_MESSAGE
$PHONE_NUMBER
$SEVERITY
$USER_NAME
Variable descriptions
The following table describes the variables used in Event Center messages.
Variable
Description
$CURRENT_COUNTRY
$CURRENT_PHONE_NUMBER
The phone number currently associated with the device in the VSP, but
not matching the phone number currently used by the device.
$DEFAULT_POLICY_VIOLATION_MESSAGE
$DEFAULT_SYSTEM_MESSAGE
$FREE_MEMORY_SIZE
$HOME_COUNTRY
$MEMORY_SIZE_LIMIT
$NEW_PHONE_NUMBER
$PHONE_NUMBER
$SERVER_IP
$SERVER_NAME
$SEVERITY
$THRESHOLD_ON
$THRESHOLD_TYPE
$THRESHOLD_UNIT
$THRESHOLD_VALUE
$TOTAL_MEMORY_SIZE
$USED_VALUE
$USER_NAME
In Admin Portal, select Settings > Templates > Event Center Templates.
2.
Click the edit icon for the custom template you want to edit.
3.
4.
Click Save.
In Admin Portal, select Settings > Templates > Event Center Templates.
2.
3.
Click Delete.
Events
Use the Events screen to track the events that have triggered alerts. To display the
Events screen, go to Logs & Events > Events.
2.
Filtering events
You can filter the displayed events using the following criteria:
Read/Unread
Labels
User
Start Date/End Date
Event Type
Event Status
Description
Read/Unread
Labels
Select the preferred label from the Labels dropdown to filter based on the label specified in the
event.
User
Event Type
Event Status
Dispatch Failed: The process of generating the alert failed. This is usually the result
of an SMTP problem. Check the SMTP configuration in System Manager, as well as
the health of your SMTP server.
Expired: Another event occurred that makes the alert obsolete, resulting in expiration before dispatch.
Adding a note
You can add a note to one or more events to help track the work that has been done
in response. Each event can hold one note; adding another note replaces the existing
note. To add a note:
1.
2.
3.
4.
Click Add.
5.
Press F5 to refresh the screen and confirm that the note displays in the Note field
for the selected events.
Chapter 10
MobileIron Sentry
MobileIron Sentry is a component of a MobileIron deployment that interacts with your
company's ActiveSync server. The ActiveSync server provides employees access to
their email, contacts, calendar, and tasks. Sentry, with input from the VSP, protects
the ActiveSync server from wrongful access from the devices.
The Sentry is either a Standalone Sentry or an Integrated Sentry. Standalone Sentry
is a separate appliance, whereas Integrated Sentry is a software module on the Microsoft Exchange Server.
You perform Sentry-related configuration as follows:
On the VSP, use the Admin Portal for configuration pertaining to connectivity,
devices, policies, and security.
On Standalone Sentry, use the Sentry System Manager for Standalone Sentry system management.
Before continuing with Sentry configuration using the Admin Portal, see the following:
For details about Sentry and an overview of the configuration tasks that you do, see
the MobileIron Sentry Administration Guide.
For information on Sentry installation if you are using an on-premise VSP, see the
MobileIron Installation Guide.
For information on Sentry installation if you are using ConnectedCloud, see Getting
Started with the MobileIron Connected Cloud.
In the Admin Portal, you configure the following information pertaining to Sentry configuration:
Device authentication (how the device authenticates to the Standalone Sentry) and
server authentication (how the Standalone Sentry authenticates the device to the
server).
See Device and server authentication support for Standalone Sentry on
page 328.
Sentry preferences.
See Setting Sentry preferences on page 355.
You also use the Admin Portal to manage ActiveSync associations. See Working with
ActiveSync Phones via MobileIron Sentry on page 359.
2.
Admin Portal.
For information about filling in this form, see Installing Integrated Sentry in the
2.
3.
Description
Sentry Host / IP
Sentry Port
Enter the port that the VSP will use to access the Standalone Sentry. The default is 9090.
Device Authentication
Item
Description
ActiveSync Configuration
This section of the form displays only if you choose Enable ActiveSync.
Server Authentication
ActiveSync Servers
Item
Description
Check this option to choose the ActiveSync protocol version that the device and Microsoft Exchange use to communicate with the Standalone Sentry.
If Enable Redirect Processing (451) is disabled, the Standalone Sentry does not handle redirection, and passes the
redirect URL to the device.
Enable Background
Health Check
Interval
Live Threshold
Specify the number of times the ActiveSync server background health check is successful before the server is
marked as live.
The valid range is 1 through 10. The default is 3.
Item
Description
This section of the form displays only if Enable App Tunneling is checked.
This section only displays if the Kerberos option is specified for server authentication either for the ActiveSync configuration or for an AppTunnel service.
Item
Description
Scheduling
Dead Threshold
Failure Window
Dead Time
Advanced Configuration
This feature provides you the additional flexibility to configure Standalone Sentry
session timeouts. You may want to configure the session timeouts to manage
server resources. For example, you may want to configure larger timeouts when
using Lotus Notes Traveler with Standalone Sentry.
Note: Do not make changes to the settings unless specifically instructed in the
documentation or by MobileIron Professional Services.
Item
Description
Socket read/write
timeout
Server connection
timeout
Server response
timeout
4.
5.
Click Save.
Perform this step if you configured the Sentry for app tunneling and the Sentry
uses a self-signed certificate:
In the Settings > Sentry page, for the Sentry configured for app tunneling, click the
View Certificate link.
This makes the Sentry's certificate known to the VSP.
2.
3.
4.
5.
Click Save.
To verify that the changes are pushed to the Sentry, check that the Status shows
Success.
For information about editing Integrated Sentry configuration, see Installing Integrated Sentry in the MobileIron Installation Guide.
2.
3.
Click Delete.
4.
Caution: Do not remove a Standalone Sentry entry without first making sure that no
devices are using Exchange app settings that use that Standalone Sentry. Devices
with such Exchange app settings are still accessing the Standalone Sentry. These
devices can continue to access the ActiveSync server even if they violate their security
policy or if you manually attempt to block them. See Exchange settings on
page 205.
2.
Select the Sentry to edit, and click the edit icon next to the entry.
3.
4.
Click Save.
Device authentication
Device authentication specifies how the device authenticates to the Standalone Sentry.
Standalone Sentry supports the following types of device authentication:
Device Authentication
Description
Pass Through
Group Certificate
A user name and password or a properly configured Kerberos implementation for authenticating the device to
the server.
Server authentication
Server authentication specifies how the Sentry authenticates the device to the backend server. This can be the ActiveSync server or the app server.
Standalone Sentry supports the following types of server authentication. These are
supported for both ActiveSync and AppTunnel.
Server Authentication
Description
Pass Through
Kerberos
2.
3.
4.
5.
Pass Through
See Authentication using Pass Through on page 330 for next steps.
Group Certificate
See Authentication using a group certificate on page 330 for next steps.
Identity Certificate
See Authentication using an identity certificate and Pass Through on page 331 for
next steps.
OR
See Authentication using an identity certificate and Kerberos constrained delegation on page 333 for next steps.
For device authentication with group certificate, Pass Through is the only option available for server authentication.
2.
3.
Click Upload.
Note: The certificate is uploaded at this time, but does not persist until you click
Save.
4.
If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create
LDAP-based CRLs by default that will not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or
HTTPS port.
5.
If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configuration section, Server Authentication defaults to Pass Through.
If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration
section, select Pass Through for Server Auth for the AppTunnel Service.
6.
Click Save.
Note: The Sentry restarts when you click Save.
3.
4.
If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default that will not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or
HTTPS port.
Note: The Certificate Field Mapping fields are used only if the server authentication is
done with Kerberos.
5.
If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configuration section, Server Authentication defaults to Pass Through.
If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration
section, select Pass Through for Server Auth for the AppTunnel Service.
6.
Click Save.
Note: The Sentry restarts when you click Save after uploading the certificate.
For AppTunnel, Sentry does not support Kerberos with CIFS-enabled content servers.
If you select Identity Certificate for device authentication, additional configuration
fields display in the Device Authentication Configuration section.
3.
4.
If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create
LDAP-based CRLs by default that will not work with Sentry.
For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or
HTTPS port.
5.
Use the Subject Alternate Name Type list to select the field in the client certificate
that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating the client certificate.
This is often the NT Principal Name.
6.
Use the Value list to select the value used in the Subject Alternate Name field.
Usually, the User UPN (user principal name) is used to identify the user.
2.
If you used the fully-qualified domain name of the ActiveSync server as the
basis for the Service Principal Name of the server in the ActiveSync Server(s)
field above, then select Derive SPN From FQDN Of ActiveSync Server.
2.
Enter the Service Principal Name (SPN) for each server listed in the Server List.
The Server SPN List applies only when the Service Name is not <ANY> and the
Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN, you can leave
the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List.
The first server in the Server List corresponds to the first SPN in the Server SPN
List, the second server in the Server List corresponds to the second server in
the Server SPN List, and so on.
Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the
Standalone Sentry assumes that the SPN is the same as the server name received
from the device.
For details on configuring AppTunnel, see Adding AppTunnel support on page 482.
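The Server SPN List rules above (the list is consulted only when the Service Name is not <ANY> and Server Auth is Kerberos, an empty list means each SPN equals its server name, and a non-empty list must pair up with the Server List position by position) are easy to get wrong in a form. The following is an added example, not MobileIron code, that expresses those rules as a small validator and resolver so the mapping can be checked before it is saved; the service name, server names and SPN strings used in it are constructed for illustration.

```python
"""Added example (not MobileIron code): the Server SPN List rules for a
Kerberos AppTunnel service, as a validator plus a resolver.
Server names, SPNs and service names used by callers are constructed."""

ANY_SERVICE = "<ANY>"
KERBEROS = "Kerberos"


def validate_spn_list(service_name, server_auth, servers, server_spns):
    """Raise ValueError if the Server SPN List is inconsistent.

    - When the service is <ANY> or server auth is not Kerberos, the list is
      not used, so nothing is checked.
    - An empty list is valid: each server's SPN is then its own name.
    - A non-empty list must contain exactly one SPN per server.
    """
    if server_auth != KERBEROS or service_name == ANY_SERVICE:
        return
    if server_spns and len(server_spns) != len(servers):
        raise ValueError(
            f"Server SPN List has {len(server_spns)} entries but the Server "
            f"List has {len(servers)}; the counts must be equal")


def resolve_spn(service_name, server_auth, servers, server_spns, target):
    """Return the SPN the Sentry would use when delegating to `target`.

    `target` is the server chosen for the connection; for an <ANY> service it
    is the server name received from the device. Returns None when server
    auth is not Kerberos, because no SPN is needed in that case.
    """
    if server_auth != KERBEROS:
        return None
    if service_name == ANY_SERVICE:
        # <ANY> + Kerberos: SPN is assumed to equal the name the device sent.
        return target
    validate_spn_list(service_name, server_auth, servers, server_spns)
    if target not in servers:
        raise KeyError(f"{target!r} is not in the Server List")
    if not server_spns:
        return target  # empty list: SPN is the same as the server name
    # positional mapping: the i-th server corresponds to the i-th SPN
    return server_spns[servers.index(target)]


if __name__ == "__main__":
    srv = ["app1.corp.example", "app2.corp.example"]   # constructed
    spn = ["HTTP/app1.corp.example", "HTTP/app2.corp.example"]
    print(resolve_spn("intranet", KERBEROS, srv, spn, "app2.corp.example"))
```

Running `validate_spn_list` on every AppTunnel service definition before it is saved catches the count mismatch that the form otherwise reports only after the Sentry restarts.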
2.
3.
4.
Click Upload.
The keytab file provides the required Kerberos authentication information. For
information about generating a keytab, see Authentication Using Kerberos Constrained Delegation on the MobileIron Support site.
5.
6.
Click Save.
Note: The Sentry restarts when you click Save.
Realm
The Kerberos administrative domain. The realm is usually the company domain
name, in all uppercase characters.
Password
Password for the Sentry service account.
2.
3.
Click Save.
Note: The Sentry restarts when you click Save.
The portal certificate that Sentry presents to browsers to identify itself as a trusted
server.
For more information, see Certificate Management in the MobileIron Sentry
Administration Guide.
The Standalone Sentry certificate can be one of the following:
2.
3.
4.
2.
3.
4.
5.
Field
Description
Common Name
Company
Department
City
State
Country
Key Length
Click Generate.
A message similar to the following displays.
6.
7.
Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file.
8.
Click OK.
9.
2.
3.
Click the Browse button and select a file to be uploaded. If there are additional
files, click the Add another file link.
Select the certificates as indicated in the following table:
4.
Field
File to Select
Key file
The file created in step 8 of Generating a CSR for Sentry on page 338.
Server certificate
CA certificate
2.
Supported devices
The devices that Standalone Sentry supports for email attachment control are listed in
the Docs@Work chapter in Supported devices on page 456.
Important: On iOS devices, Sentry supports email attachment control only for the iOS
native email client. It does not support third-party iOS email clients. If you are using
attachment control, and some iOS devices use the third-party iOS email clients, configure a separate Sentry for those devices. On that Sentry, do not enable attachment
control.
iOS devices
using the iOS
native email
client
Android with
Secured Email
Other Platforms
(Including
Android using
unsecured apps)
Remove attachment on
page 343
Supported, but
typically not
used
Supported
Supported
Supported
Not supported
Not supported
Supported
Not supported
Not supported
iOS devices
using the iOS
native email
client
Android with
Secured Email
Other Platforms
(Including
Android using
unsecured apps)
Supported, but
typically not
used
Not supported
Supported
Not supported
Supported
Not supported
Remove attachment
The Remove attachment option causes the Standalone Sentry to remove attachments from emails, replacing each attachment with another file. The name of the
replacement file is the original attachment file name appended with removed.html.
For example, myDocument.pdf is replaced with myDocument.pdf.removed.html.
The replacement file contains the following text message:
"The original attachment was removed as required by the security policies of your
administrator."
On iOS devices, the message is translated according to the language setting of the
device. The following languages are supported:
The language defaults to United States English if the language setting is not one of the
supported languages.
Supported devices: This option is available on non-iOS and iOS devices.
Note: Typically, you won't use this option on iOS devices or on Android devices that
use secure apps. Other options are available on these devices that are less intrusive
but still keep the attachments secure.
The Standalone Sentry appends the file name of the attachment with .secure. For
example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the
only app that can open files with the .secure file extension.
If Mobile@Work does not support viewing a particular file type, it presents an error
message when the user tries to view the attachment. See Supported files in the
Mobile@Work for iOS app on page 475.
Supported devices: This option is available only on iOS devices.
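To make the two rewrites concrete, the following added example (not MobileIron's implementation) models both the Remove attachment option, which replaces each attachment with `<name>.removed.html` carrying only the notice text, and the `.secure` rename, which keeps the bytes but changes the extension. It uses only the Python standard library; the sample message, addresses and PDF bytes are constructed for the demonstration.

```python
"""Added example (not MobileIron code): models the 'Remove attachment'
rewrite and the '.secure' rename described above, using the Python standard
library. The sample message below is constructed, not captured traffic."""
from email import message_from_bytes, policy
from email.message import EmailMessage

REMOVED_TEXT = ("The original attachment was removed as required by the "
                "security policies of your administrator.")


def build_sample_email() -> bytes:
    """Constructed sample: a plain-text body plus one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed address
    msg["To"] = "bob@example.com"       # constructed address
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached report.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder bytes",
                       maintype="application", subtype="pdf",
                       filename="myDocument.pdf")
    return msg.as_bytes()


def apply_attachment_control(raw: bytes, mode: str) -> EmailMessage:
    """Return a rewritten copy of the message.

    mode "remove": each attachment becomes <name>.removed.html holding only
                   the notice; the original content is dropped entirely.
    mode "secure": each attachment keeps its bytes and content type but is
                   renamed <name>.secure, so only an app that handles that
                   extension will open it.
    """
    if mode not in ("remove", "secure"):
        raise ValueError(f"unknown mode {mode!r}")
    src = message_from_bytes(raw, policy=policy.default)
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if src[header] is not None:
            out[header] = str(src[header])
    body = src.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body is not None else "")
    for part in src.iter_attachments():
        name = part.get_filename() or "attachment"
        if mode == "remove":
            html = f"<html><body>\n<p>{REMOVED_TEXT}</p>\n</body></html>\n"
            out.add_attachment(html, subtype="html",
                               filename=f"{name}.removed.html")
        else:
            maintype, subtype = part.get_content_type().split("/", 1)
            out.add_attachment(part.get_payload(decode=True),
                               maintype=maintype, subtype=subtype,
                               filename=f"{name}.secure")
    return out


def list_attachments(msg: EmailMessage) -> list:
    """(filename, content type, decoded payload bytes) per attachment."""
    return [(p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]


if __name__ == "__main__":
    rewritten = apply_attachment_control(build_sample_email(), "remove")
    for name, ctype, _ in list_attachments(rewritten):
        print(name, ctype)   # myDocument.pdf.removed.html text/html
```

Note the asymmetry the text points out: "remove" destroys the attachment content on the path to the device, while "secure" only changes the name, so the protection of the latter rests on which apps will open the extension, not on the bytes themselves.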
It does not support the file type. In this case, it presents an error message when
the user tries to view the attachment.
See Supported files in the Mobile@Work for iOS app on page 475.
Its encryption key does not match the attachment's encryption key.
For more information about this case and how to avoid it, see Regenerate the
encryption key if it is compromised on page 350.
Note: When the device user saves a local copy of an email attachment, the saved copy
is protected by the device's data encryption.
When to use encryption
The encryption protection provides additional access control for the attachment, making it prohibitively difficult for a malicious app to view the content. However, encryption protection has an impact on Standalone Sentry performance.
Therefore, use the encryption option only if the following statements are true:
Deliver as is
The Deliver as is option delivers all email attachments in their original form. The
device user views attachments with any available apps that work with the type of
attachment.
Supported devices: This option is available on non-iOS and iOS devices.
Consider the following:
Typically, you won't use this option on iOS devices, because other options that keep
the attachments secure are available for iOS devices.
Therefore, in most email environments, Standalone Sentry performs attachment control for files with commonly used file extensions. For example, some of these file types
are:
.png
.jpeg, .jpg
.gif
.tiff
.bmp
.txt
.html
.log
Remove
attachments
Image files
Not applied
Not applied
Applied
Text files
Not applied
Not applied
Applied
Microsoft RMS
encrypted files
Not applied
Not applied
Applied
Other files
Applied
Applied
Applied
an iOS device user has enabled S/MIME in the iOS Mail app
the iOS Mail app receives an S/MIME email through Standalone Sentry
Encrypted emails
S/MIME can also be used to encrypt emails, although this use of S/MIME is not common. Standalone Sentry passes along an S/MIME encrypted email with no impact to
the email.
2.
3.
iOS devices
Android devices with Secured Email
Other devices
If you require different options for different users, use a different Standalone Sentry
for each set of users.
Before you configure Open only with Docs@Work or Open only with Docs@Work
and protect with encryption options for iOS devices, make sure you have enabled
Docs@Work as described in Enable Docs@Work on page 462. The default setting for
Attachment Control is Disabled. If Attachment Control is set to Disabled, Standalone
Sentry uses the Deliver As Is option for iOS and non-iOS devices.
To configure email attachment control options:
1.
2.
3.
4.
For iOS, select the type of attachment control that you want to use.
For a description of the options, see Email attachment control options on
page 342.
Note: Make sure you have enabled Docs@Work as described in Enable
Docs@Work on page 462 if you choose Open only with Docs@Work or Open
only with Docs@Work and protect with encryption.
Note: Select Open only with Docs@Work and protect with encryption only if you
are using the large configuration for the Standalone Sentry. For the small and
medium configurations, configuring and saving this option results in an error. To
check for this error, see Checking for configuration errors on page 349
5.
For Other Platforms, select the type of attachment control that you want to use.
The only options are Remove Attachments and Deliver As Is. See Email attachment control options on page 342.
6.
Click Save.
The Standalone Sentry restarts when you click Save. A restart can cause a brief
interruption in email service to device users.
7.
If you changed to or from the option Open only with Docs@Work and protect with
encryption, you see the following:
resync its emails, calendar items, tasks, and contacts. For example, the email app
removes all emails from its email folders and then re-fetches the emails from the
ActiveSync server.
in some cases, prompt the device user to reenter his password for accessing email.
The easiest way to re-push an Exchange app setting to a device is to make a simple
change, such as adding a space at the end of the Description field. The next time each
device checks in, the VSP will send the Exchange app setting to the device.
you can make the change during a planned maintenance period or non-peak operating hours.
3.
Click Edit.
4.
5.
Click Save.
6.
Repeat steps 2 through 5 for each Exchange app setting that uses the Standalone
Sentry with the changed attachment control option.
Key regeneration causes a restart for all Standalone Sentries that are using encryption for attachment control.
A restart can cause a brief interruption in email service to device users.
resync its emails, calendar items, tasks, and contacts with the ActiveSync
server. For example, the email app removes all emails from its email folders and
then re-fetches the emails from the ActiveSync server.
in some cases, prompt the device user to reenter his password for accessing
email.
The easiest way to re-push an Exchange app setting to a device is to make a simple
modification, such as adding a space at the end of the Description field. The next
time each device checks in, the VSP will send the Exchange app setting to the
device.
2.
3.
Click Yes if you are sure you want to regenerate the key.
4.
5.
Select an Exchange setting that uses a Standalone Sentry configured with the
attachment control encryption option.
6.
Click Edit.
7.
8.
Click Save.
9.
Repeat steps 5 through 8 for each Exchange setting that uses a Standalone Sentry
configured with the attachment control encryption option.
Note: If a Standalone Sentry is not available when you regenerate the key, its entry in
Sentry > Settings displays an error:
To send the new encryption key when the Standalone Sentry is available again:
1.
2.
3.
2.
3.
Description
Interval
Live Threshold
Specify the number of times the ActiveSync server background health check is successful before the server is
marked as live.
The valid range is 1 through 10. The default is 3.
Using Settings > Sentry > Preferences, you can also regenerate the encryption key
that Standalone Sentries use when they encrypt email attachments.
See Regenerate the encryption key if it is compromised on page 350.
2.
Click Sentry.
3.
Click Preferences.
4.
For other methods for blocking devices from accessing the ActiveSync server, see the
following:
The VSP gets the Microsoft Exchange server's ActiveSync policies and devices from
Integrated Sentry.
The VSP gives its ActiveSync policies to Integrated Sentry to give to the Microsoft
Exchange server.
2.
Click Sentry.
3.
Click Preferences.
4.
2.
Click Sentry.
3.
Click Preferences.
4.
In the Service Account Notification Email field, enter one or more email addresses.
Separate the email addresses with commas.
2.
3.
Set the default behavior. The settings are described in the following table.
Item
Description
Click Save.
Chapter 11
Use the VSP Admin Portal to configure information relating to the Sentries that the
VSP works with. See Working with MobileIron Sentry on page 317.
Once you have configured your Sentries and understand ActiveSync devices in a MobileIron deployment, use the VSP Admin Portal to manage the ActiveSync devices. You
can do the following tasks:
iOS
Win 7
WP8
yes
yes
yes
yes
Working with security policies on page 147 for detailed information about security
policies.
Working with policies on page 140 for information on general procedures for creating, editing, and applying policies.
To work with ActiveSync policies, from the Admin Portal go to Policies & Configs >
ActiveSync Policies.
Description
Name
Description
Active
Password
Password
Optional
Minimum Password
Length
Simple
Item
Description
Maximum Password
Inactivity Timeout
Minimum Number
of Complex Characters
Maximum Password
Age
Maximum Number
of Failed Attempts
Password History
Lockdown
Text Messaging
Enable
POP/IMAP Email
Enable
DesktopSync
Enable
HTML Email
Enable
Browser
Enable
Security
Item
Description
Policy Refresh
Interval
Block ActiveSync
connection for
smartphone when
Data Encryption
Require Device
Encryption
Off
Off
Item
Description
Search Mailboxes
None
Starting with Standalone Sentry version 4.5, mailboxes configured in an ActiveSync policy
only enforce the number of
devices set in the Per-Mailbox
smartphone count exceeds
field.
To manage devices with the
ActiveSync policy, you must
manually apply the ActiveSync
policy to each device.
In earlier versions of the Sentry, the ActiveSync policy is
automatically applied to
devices with mailboxes configured in the policy. The Default
ActiveSync Policy is automatically applied to devices that do
not have mailboxes configured
in an ActiveSync policy.
Note: This field is not available for the default ActiveSync policy for Standalone
Sentry.
In the ActiveSync Policies page, the # Phones for an ActiveSync Policy displays the
number of devices to which the policy is applied. Since we don't recommend assigning
an ActiveSync policy to iOS, Android, and WP8 devices, you may only see devices
other than iOS, Android, WP8.
The ActiveSync policy is assigned to a device in the ActiveSync Association page.
iOS
OS X
Win 7
WP8
yes
a. Only the first account can be configured by the VSP. The device user must manually configure additional accounts. Also,
only Android Email+ is supported. NitroDesk TouchDown does not support multiple Email accounts.
Standalone Sentry and Integrated Sentry support multiple Email accounts on the
same device for the following use cases:
For iOS devices only, the admin creates a new Exchange setting and pushes it to
the device.
Before creating the Exchange setting, set a custom attribute, $User_Custom$, for
the user on the ActiveSync Server. In the Exchange setting, in the ActiveSync User
Name field, enter $USER_CUSTOM1$.
For information on how to create an Exchange setting, see Working with Exchange
Settings in the VSP Administration Guide for Version 5.6.
No actions are required by the device user. To access the email account, the device
user requires the password for the Email account.
OR
For iOS and Android devices, the device user manually adds the ActiveSync email
account to the device.
To add the Email account, the device user requires the following information:
The user name and password for the ActiveSync email account.
The Sentry FQDN.
Note: If multiple mailboxes are registered on a device and each uses a different
Exchange profile, in the ActiveSync Association page:
The second mailbox displays as the same User as the first mailbox.
The Mailbox ID for the second mailbox displays correctly.
iOS
Win 7
WP8
yes
yes
yes
To display the users and the devices that connect via ActiveSync:
1.
2.
Description
DeviceID
User
Number
Phone
OS
Status
Mailbox ID
Domain
Indicates whether the device connects via Integrated Sentry or Standalone Sentry.
You can filter the ActiveSync Devices list by these additional criteria:
Item
Description
Registered(linked)
Displays records that are associated with a registered device on the VSP.
Unregistered(unlinked)
The following table summarizes the information available in the ActiveSync Details
pane.
Label
Description
User
Phone
Label
Description
Device Details
Mailbox Details
Comment
The wipe behavior differs depending on the platform. For example, for any Android
device, the Email+ client does not support ActiveSync Wipe.
The Apply Policy and Revert Policy actions are applied to the device, not to the user.
Additional users on the Samsung native client display as unregistered in the
ActiveSync Associations page. To register the user, select the record, then click Link
To to link to the corresponding device.
You can take the following actions on ActiveSync associations:
Allow
Block
Wipe
Register
Remove
Link To
Assign Policy
Revert Policy
Note: Allow, Block, and Wipe actions override the VSP's automatic decision-making
about a device's ability to access the ActiveSync server. For more information, see
Overriding and re-establishing VSP management of a device on page 375.
Note: We recommend applying ActiveSync actions to devices other than iOS, Android,
and WP8 devices. Wipe, Assign Policy, and Revert Policy are ActiveSync actions.
Allow
Android
iOS
Win 7
WP8
yes
yes
yes
yes
Use the Allow button to allow blocked ActiveSync devices to access the ActiveSync
server. The Allow button also allows blocked iOS devices to access the Docs@Work
features as described in Block impact on documents on page 473.
Do the following:
1.
In the Admin Portal, click the ActiveSync Associations link under the Users &
Devices tab.
2.
3.
4.
5.
Note: When you select Allow, you are overriding any VSP logic that wipes the device
or allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.
Block
Android
iOS
Win 7
WP8
yes
yes
yes
yes
Use the Block button to block selected ActiveSync devices from accessing the
ActiveSync server.
For iOS devices, the Block button also keeps the selected ActiveSync devices from
accessing the Docs@Work features as described in Block impact on documents on
page 473.
The behavior when blocking access to the ActiveSync server is different depending on
whether you are using Standalone Sentry or Integrated Sentry (available only with an
on-premise VSP), as given in the following table.
Sentry type
Standalone Sentry
Block by mailbox.
Block by device.
For Integrated Sentry, once a single phone has been blocked, you need to use the
Allow command to grant connections to future phones.
Complete the following steps to block an ActiveSync phone:
1.
In the Admin Portal, click the ActiveSync Associations link under the Users &
Devices tab.
2.
3.
4.
5.
Note: When you click Block, you are overriding any VSP logic that wipes the device or
allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.
Wipe
Android
iOS
Win 7
WP8
yes
yes
yes
yes
Wiping an ActiveSync phone sends an ActiveSync Wipe command to the phone, which
removes all data from the phone, returning the phone to factory defaults. Once you
wipe a phone, its status changes to Wiped, and the only valid action you can apply is
Remove.
Warning
Returning the phone to factory defaults removes all data. Once a wipe has started, do
not restart your phone. Interfering with the wipe process can render your phone nonfunctional.
Note: Apply this action only to devices other than iOS, Android, and WP8 devices.
To wipe an ActiveSync phone:
1.
Select the ActiveSync Devices view under the Users & Devices tab.
2.
3.
Note: When you click Wipe, you are overriding any VSP logic that wipes the device or
allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.
iOS
Win 7
WP8
yes
yes
Select the ActiveSync Devices view under the Users & Devices tab.
2.
3.
4.
5.
For more information about using Remove, see Overriding and re-establishing VSP
management of a device on page 375.
2.
3.
4.
whether the maximum number of devices per mailbox has been exceeded
whether you specified to auto block unregistered devices
However, once you select the Allow, Block, or Wipe button for the device, the VSP no
longer automatically makes these decisions. You can only manually make these decisions using the Allow, Block, or Wipe buttons. To cause the VSP to once more automatically make these decisions, click the Remove button. The next time the device
attempts to access its email, the VSP and Sentry resync information about the device,
and the VSP again makes these decisions automatically.
For example, consider the scenario where an executive's device is being blocked from
accessing email due to the device's security policy. Take the following steps:
1.
Select the Allow Button on the ActiveSync Devices view for the executive's device.
This action immediately allows the executive to access email, without waiting for
your further actions.
2.
Use the VSP Admin Portal to update the device's security policy.
For example, exclude the device from using the existing security policy, and create
a new security policy for executives.
3.
You can determine if a device was recently blocked or allowed, and if it was a manual or automatic action. Using the VSP Admin Portal, do the following:
2. Look for Block or Reinstate (which means allowed) in the Action column.
The message column indicates if the action was due to the security policy. If the action
was manual, the message column is either empty, or contains a note added by the
administrator who performed the manual action.
(Optional) Download the self-signed certificate and its signing certificate, the CA
certificate.
Perform this step if your Sentry uses a self-signed certificate. If your Sentry has a certificate signed by a third-party CA, go to step 4.
The specific steps differ slightly for each browser type. The following steps detail how
to download the certificates using the Chrome browser.
On Mac OSX
Click the self-signed certificate, then drag the certificate icon from the panel to
your desktop.
Go to step 3.
On Windows
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), click
Next.
Company Confidential
378
Enter a name for the file and click Save, then Next, then Finish.
Note: Windows Phone 7 recognizes other formats as valid certificates, but those formats will not work with an Exchange ActiveSync account.
Click Next.
Select the format you want to use as Base-64 encoded X.509 (.CER), then click
Next.
3. Email the two certificates (self-signed and CA) to an email account on the device, for example, a GMail or a Yahoo account.
On the device, tap Settings > email + accounts > add an account > advanced
setup.
6. Remove the firewall rules that are no longer necessary for LDAP integration with the VSP.
4. Select Connector.
5. Select the Connector of interest to display additional details in the pane on the right.
8. Click Save.
9. Click OK.
2. Select Connector from the left panel to open the Connector Settings page.
6. Click Apply.
Note: Apply saves the configuration in the current session only. It is not persistent after the machine reboots.
7. Click Yes.
A dialog appears showing the status.
8. Click OK.
https://<fully-qualified_domain_name>.
3. Click Preferences.
The current time interval is displayed.
5. Click Save.
Chapter 14
For Windows Phone 8 (WP8), you can provide users with links to recommended apps
on the Windows Store, or links to internally-developed apps they can download from
the MobileIron app distribution library.
This web clip provides access to the Apps@Work enterprise app storefront.
Apps@Work displays lists of apps that you have configured for download from the
Apple App Store or the VSP. Apps that reside on the Apple App Store are also called
recommended apps. Custom apps that reside on the VSP are called in-house apps.
For comprehensive information on in-house app development, see the Apple website.
The device user must have an iTunes account to download these apps.
Prerequisites
Complete app functionality, including updates to badges resulting from inventory data,
requires:
iOS MDM certificate (See Enabling iOS MDM support on page 28.)
iOS MDM profile enabled (Settings > Preferences)
If you intend to develop and manage in-house apps, then participation in Apple's iDEP program is required. See the materials posted on the MobileIron Support site.
AppConnect apps
For information about AppConnect apps, see AppConnect on page 477.
You upload iOS AppConnect apps created with the AppConnect wrapping technology to
the app distribution library as in-house apps. AppConnect apps created with the SDK
can be distributed as either in-house apps or recommended apps. The process for
adding an AppConnect app to the app distribution library is the same as for any iOS
app.
When you upload an iOS AppConnect app as an in-house app to the app distribution library, in some cases the VSP automatically creates an AppConnect container policy and AppConnect app configuration. The VSP takes this action when the app has specified its desired default values for the policy and configuration in its IPA file. You can override these values by editing the app's AppConnect container policy or AppConnect app configuration. The VSP keeps in sync the labels that you apply to the app and the labels that you apply to the AppConnect container policy and AppConnect app configuration.
requires end-users to enter their MobileIron username and password to download apps
Because the Apps@Work web clip is deployed like any other configuration, there might
be considerable lag between device registration and the appearance of the web clip.
6. Click Save.
If neither authentication option is selected, then iOS devices will not have access to
your enterprise app storefront.
5. Click Apply.
5. In the App Store list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 20. You can enter a number between 20 and 200.
8. Click the Import or Update link for an app to import the relevant information.
Import indicates an app that does not yet exist in the app distribution library.
Update indicates an app that exists in the app distribution library, but has an update available for download.
12. Click Save.
13. Select Actions > Apply To Label to specify the device groups that should see this app.
4. Click Next.
7. Click Next.
App Updates
Hide in App Storefront
Category: Select a category if you would like this app to be displayed in a specific group of apps on the device. Click the here link to define new categories.
9. Click Next.
11. Click Next.
If the graphics you specified are accepted, the Congratulations screen displays.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as a recommended app.
13. Associate the app with a label to have that app listed on iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 407.
Open iTunes.
4. Click Next.
In-house App is selected by default.
App Upload
iPad Only: If the app is designed only for iPads, set the iPad Only option to Yes. This ensures that the app is not displayed in Apps@Work for other iOS devices.
Prevent backup of the app data
iOS 5 and later: Set to Yes to ensure that the app will not remain on the device if device management is disabled. No further action is necessary to apply this restriction.
iOS 5 and later: Set to Yes to enable configured compliance actions to remove the app if a policy violation results in a quarantined device or the device signs out in multi-user mode. This option does not apply unless the corresponding option has been specified in a compliance action, and that compliance action has been selected for one or more policy options in the security policy for a device. Once the device is no longer quarantined, the app can be downloaded again.
Send installation request on device registration or signin
Click Next.
The Add App Wizard examines the selected bundle to ensure that it meets requirements for in-house apps distributed for iOS devices. If the bundle is acceptable, the following screen displays.
Note: Downloads of iOS in-house apps over 3G should be limited to 20 MB. Use
WiFi for downloading larger in-house apps.
App Name: Displays the App Name defined for the app bundle. You can edit this text to display a different name to users. Note that app names longer than 25 characters will be truncated when displayed on the device.
Note: An iOS app is packaged as a bundle. A bundle is a directory in the file system that groups related resources together in one place. An iOS app bundle contains the app executable file and supporting resource files such as app icons, image files, and localized content.
Display Version
Bundle Version
Description
Override URL: If you are implementing an alternate URL for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. See Override for in-house app URLs on page 449 for the requirements for this configuration.
Featured
Data Protection Required
App Updates
Hide in App Storefront
Provisioning Profile: Displays the identifier for the provisioning profile incorporated in the bundle.
Note: The provisioning profile is a text document containing verification information for the app. Apps are not usable on iOS without a current provisioning profile.
Category: Select a category if you would like this app to be displayed in a specific group of apps on the device. Click the here link to define new categories.
8. Click Next.
10. Click Next.
11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
The provisioning profile for the app is also stored on the VSP and is displayed in the
App Settings page. It is displayed for viewing only, and is automatically deleted
from the VSP if the app is deleted from the VSP.
12. Associate the app with a label to have that app listed on iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 407.
If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes the MobileIron VSP to be updated. You can
address user concerns by using the Force Device Check-in command to force the
MobileIron app to update the VSP.
4. Click Delete.
A message displays warning that deleting the app from the VSP will delete it from devices running iOS 5 or later.
3. Click the edit icon next to the app you want to work with.
4. Select the corresponding inventory app name from the Inventory Apps list.
5. Click Save.
Once the link is established, the # of Devices Installed column in the App Distribution screen displays the correct number. You should consider changing the app
name as specified in any app control rules to ensure it matches the official name.
Upgrading apps
When an upgrade for an app becomes available, you can just add it to the app distribution library and assign it to appropriate labels like any other app. The VSP detects
that it is an update and indicates its availability in the form of a badge that appears on
the corresponding tab in Apps@Work. The VSP also replaces the app entry displayed
in the apps lists on the devices.
Tapping the entry for the app having an update displays an UPDATE tag instead of an
INSTALL tag.
Updates to featured apps are published in the same way to all devices in the labels
assigned to the apps. You can also send a message to devices to announce the availability of updates to featured apps.
name
version
description
featured option
Note: The iTunes ID is not editable. If you entered the wrong ID when you added this
app to the app distribution library, then you need to delete the app entry and create a
new one.
To change app information:
3. Click the edit icon next to the app you want to work with.
5. Click Save.
4. Click the edit icon next to the app you want to work with.
7. Click Save.
5. Enter a category name (up to 64 characters) and description (up to 255 characters).
6. Click Save.
5. Click Save.
employee must delete the app and reinstall it from the Prepaid tab in Apps@Work.
Otherwise, the app will remain unmanaged.
4. Click Message.
7. Click Send.
Again, the message is sent only for apps configured as featured apps in the app
distribution library.
2. Click the edit icon for the template you want to edit.
The app distribution message is displayed.
4. Click Save.
3. Click Edit.
To display a different name with the web clip, enter your preferred name in the Name field.
To select an alternate icon, click Browse.
In general, you should not edit the URL.
7. Click Save.
5. Select the labels from which you want to remove the app.
6. Click Remove.
The app is immediately removed from the apps list on the devices associated with the given label.
Your Program Facilitator searches for and purchases apps at the App Store Volume
Purchase Portal.
The Program Facilitator receives app purchase codes (also called tokens or credits)
in the form of a payment file and distributes these codes to device users.
Device users redeem codes and download apps.
Program Facilitators can upload each payment file into the MobileIron app distribution library.
End users having a device managed by MobileIron can select a recommended app
from the list of Prepaid apps displayed in the MobileIron app on the device. The app
can be purchased using one of the uploaded purchase codes.
The MobileIron VSP records the use of the purchase code and updates the count of
remaining codes.
An optional alert warns the Program Facilitator (or other designated person) when
the number of remaining codes falls below a specified threshold.
Setup tasks
Setup for VPP support requires the following tasks:
If the app to which the payment file applies is not already present in the MobileIron
app distribution library, then add it now.
If the app is an iOS 5 Managed App, be sure to select No for This App Store app is
free in the App Wizard.
2. Once the app is present in the app distribution library, select Apps > App Distribution Library.
6. Click the Browse button and select the payment XLS file.
8. Click OK.
The entry for the app now displays the number of codes (or tokens) purchased and the percentage that have been used (i.e., redeemed for apps).
In the Admin Portal, select Logs & Events > Event Settings.
2. Select Add New > System Event or select an existing system event entry.
4. Make sure the option is selected and specify the percentage threshold.
6. Select the labels and/or users to which the alert should be applied.
8. Click Save.
It eliminates any dependency on the device user for app install and uninstall.
You can protect in-house apps and associated data by using the VSP Admin Portal
to uninstall in-house apps if a device is lost or stolen.
Some devices prevent the user from uninstalling the app. On other devices, if the
device user uninstalls the in-house app, it is automatically reinstalled.
This feature automatically uninstalls an in-house app when:
4. Click Next.
7. Click Next.
Featured
Category: Select a category if you would like this app to be displayed in a specific group of apps in the Google Play Apps list on the device. Click the here link to define new categories.
9. Click Next.
11. Click Next.
If the graphics you specified are accepted, the Congratulations screen displays.
12. Click Finish.
The app is displayed in the App Distribution Library page with an icon that identifies the app as a recommended app.
Note that the App Version field will remain blank until the app is installed on a device.
13. Associate the app with a label to have that app listed on Android devices.
See Publishing apps in Apps@Work for iOS devices on page 407.
4. Click Next.
In-house App is selected by default.
5. Select Yes for Silently Install if you want Samsung SAFE devices to silently install and uninstall the app.
For more information, see Silent install and uninstall on Samsung SAFE devices on page 418.
6. Click Browse and navigate to the in-house app (.apk) you want to upload.
Note: You cannot upload an in-house app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. If the package is acceptable, the following screen displays.
App Name
Display Version: Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Code Version
Description
Override URL: If you are implementing an alternate URL for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. See Override for in-house app URLs on page 449 for the requirements for this configuration.
Featured
Category: Select a category if you would like this app to be displayed in a specific group of apps on the device. Click the here link to define new categories.
9. Click Next.
Note: The icon for Android in-house apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and select the files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
4. Click Next.
In-house App is selected by default.
6. Click Browse and navigate to the AppConnect app (.apk) you want to upload.
Note: You cannot upload an AppConnect app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. It also recognizes that the app is an AppConnect app. If the package is acceptable, the following screen displays.
App Name
Display Version: Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Note: The version number for AppConnect apps includes:
Description
NitroDesk TouchDown: NitroDesk TouchDown provides secure access to your company email, contacts, calendar, and tasks.
File Manager: File Manager allows you to securely navigate and manage your company files.
Override URL: If you are implementing an alternate URL for downloading secure apps, enter that URL here. The URL must point to the secure app in its alternate location. See Override for in-house app URLs on page 449 for the requirements for this configuration.
Featured
Category
9. Click Next.
Note: The icon for Android secure apps is defined by the app developer. However,
after you finish adding the app, you can edit the entry for the app and change the
icon.
10. If you would like to provide screenshots of the app, click the Browse button and select the files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots.
11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
Note: You can tell that an app is an AppConnect app by looking at its version number. The version number for an AppConnect app is a concatenation of the original app's version number and a version number from wrapping the app.
6. Select the label that represents the Android devices on which you want the selected app to be listed.
Click Apply.
If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes the MobileIron VSP to be updated. You can
address user concerns by using the Force Device Check-In command to force the
MobileIron Client to update the VSP.
1. Confirm that you have applied the app to a label to which the device has been added.
2. Confirm that the device meets the minimum OS requirement you specified when you added the app.
3. If the MobileIron app is running, select Refresh from the app menu.
A newly-added app does not display in the in-house apps list on the device.
1. Confirm that you have applied the app to a label to which the device has been added.
2. Confirm that the device meets the minimum OS requirement you specified when you added the app.
3. Confirm that the device has been configured to accept apps from outside Google Play (formerly Android Market). (On the device, select Settings > Applications > Unknown sources.)
4. If the MobileIron app is running, select Refresh from the app menu.
Registering your WP8 device with MobileIron and installing the Mobile@Work app.
Installing certificates on your WP8 device.
Downloading apps to your WP8 device.
5. In the App Store list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 20. You can enter a number between 20 and 50.
8. Click the Import link for the app you want to import.
The app information is imported into the App Distribution Library page.
12. Click Apply.
The app is pushed to the devices to which the label is applied.
The app is now available to device users to download from the Mobile@Work client on their WP8 device.
Before you develop in-house apps for WP8 devices on page 431
Adding the AET and applying a label on page 432
Adding in-house and third-party apps for distribution to WP8 devices on page 432
Removing the label on page 434
Upgrading to a new version of an app on WP8 devices on page 434
Editing WP8 app information on page 434
Deleting a Windows Phone 8 app from the VSP on page 435
Review the certificates and tokens required for in-house apps for WP8 devices at:
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943.aspx
4. Generate the application enrollment token (AET) using the AETGenerator tool provided by the Windows Phone SDK 8.0.
For more information see
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj735576.aspx
You upload the AET (.aetx file) to the VSP. See Adding the AET and applying a label on page 432.
App: XAP format, 100 MB maximum.
Icon: PNG format.
Screen shots: PNG format, 480x800 pixels or 480x854 pixels.
2. Click Add New > Windows Phone 8 > Enrollment Token (AET).
The New Application Enrollment Token window displays.
5. Click Save.
4. Click Next.
7. For Application Enrollment Token, select the token associated with the Symantec Enterprise Certificate used to sign the app.
Click Next.
The app information, extracted from the .xap file, displays.
App Name
Version
Author
Description
Featured: Select No if you do not want to list the app in the Featured list on the device.
Category: Select the category from the drop-down list. The app appears under that category on the device. To add a new category, click the provided link.
Silent Upgrade
Click Next.
10. (Optional) Click Browse to navigate to and select the icon and screenshots for the app.
You can upload one icon and up to 4 screenshots per app.
11. Click Finish.
The app information appears in the App Distribution page.
3. In the App Distribution page, select the app from which you want to remove the label.
6. Click OK.
When you remove the label, the app is no longer pushed to devices associated with that label. The app is not deleted from the VSP or from the devices on which it is already installed.
When a new version of an app becomes available, follow the steps described in
Adding in-house and third-party apps for distribution to WP8 devices on page 432
to add the app to the App Distribution list for Windows Phone 8 devices.
3. Click the edit icon next to the app you want to work with.
You can edit the following information:
App Name
Description
Featured App
Category
App Icon
Windows Phone 8 Screenshots
Click Save.
4. Click Delete.
This action deletes the app from the VSP, but does not delete it from the device.
You can set up app control to enhance visibility into the apps being installed on managed devices and help enforce corporate app policy. Setting up app control involves
the following tasks:
1. Configure alerts for when a device violates the app control rules in its security policy.
2. Define app control rules.
3. Select app control rules for the Access Control settings in the security policies assigned to target devices.
This order of tasks is strongly recommended to ensure that alerts are generated if
devices are already in violation when they receive the corresponding policy from
MobileIron. Otherwise, these devices will not generate an alert until one of the following actions occurs:
The app control rule defines which apps you want to control. Security policies specify
which devices the rules are applied to and the actions to associate with a rule violation. The alert determines the information that is sent as the result of rule violation,
as well as the recipients of the information.
Use Required rules to ensure that certain apps are installed on designated devices.
The absence of one of these apps is considered a policy violation. For example,
since MDM-enabled iOS devices report inventory even if the MobileIron Client has
been uninstalled, you can create a Required rule to ensure that the removal of the
MobileIron Client results in the appropriate response. Note that Required rules take
precedence over Disallowed rules in the case of a conflict.
Use Allowed rules to specify a small set of apps that are allowed on designated
devices. The presence of an app not on this list is considered a policy violation. For
example, you might create a set of Allowed rules for use by temporary employees
to ensure that they are not installing personal apps on a corporate device.
Use Disallowed rules to specify a small set of apps that are forbidden on designated
devices. The presence of a disallowed app is considered a policy violation. For
example, you might use a set of Disallowed rules to help lower exposure to apps
with known security issues. Note that Required rules take precedence over Disallowed rules in the case of a conflict.
In the Admin Portal, select Logs & Events > Event Settings.
4. Confirm that the app control alerts you want to generate have been selected.
The following table summarizes these alerts:
6. Click Save.
2. Click Add.
4. For the Type option, select the type of rule you want to define:
Required: This rule specifies criteria for apps that MUST be installed.
Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of
all other apps.
Disallowed: This rule specifies criteria for apps that MUST NOT be installed.
5. Under Rule Entries, specify one or more criteria to match the name of the app you want to control:
In the App Search String, enter the app name text you want to match. Do not enter wildcards. If you know the official name for the app, enter it here. If you do not, enter text you will be able to identify with this app. Once you have installed the app once, the App Inventory screen will display the official name. You can then change this field to match.
In the Device Platform list, select the platform to which you want to apply this entry.
In the optional Comment field, you can enter a note about the purpose of the entry.
8. Specify the rule in the appropriate security policies to apply the rule to managed devices.
4. Scroll down to the Access Control section of the Edit Security Policy screen.
6. In the dropdown list, select the action you want to perform if the rule is violated. You can select from:
Block Email, AppConnect apps, and Send Alert: Prevents the device from accessing email via ActiveSync and generates a policy violation alert, if configured. This selection also unauthorizes AppConnect apps, blocks app tunnels, and blocks access to Docs@Work features in Mobile@Work on iOS devices.
Under Rule Type: Required, select the rules you want to apply, if any, and click the
arrow button to move them to the Enabled list.
To apply allowed-type or disallowed-type rules, select either Rule Types: Allowed or
Rule Types: Disallowed. You may not select both in the same security policy.
Select the allowed-type or disallowed-type rules you want to apply and click the
arrow button to move them to the Enabled list.
10. Click Save.
Select the entry for a device in violation to see details in the device details pane.
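The rule semantics described above (Required, Allowed and Disallowed rules; plain-text matching of the App Search String per Device Platform with no wildcards; Required taking precedence over Disallowed; Allowed and Disallowed never both enabled in one policy) as an added Python example that evaluates a policy against one device's app inventory. This is not MobileIron code; the rule names, app names, case-insensitive matching, and treating Required apps as implicitly allowed are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class RuleType(Enum):
    REQUIRED = "Required"      # criteria for apps that MUST be installed
    ALLOWED = "Allowed"        # apps that MAY be installed, exclusive of all others
    DISALLOWED = "Disallowed"  # criteria for apps that MUST NOT be installed


@dataclass(frozen=True)
class RuleEntry:
    """One Rule Entry: App Search String, Device Platform and optional Comment."""
    search_string: str
    platform: str
    comment: str = ""

    def matches(self, app_name: str) -> bool:
        # Plain substring match, no wildcards. Case-insensitivity is an assumption;
        # the guide only says to enter "the app name text you want to match".
        return self.search_string.lower() in app_name.lower()


@dataclass
class AppControlRule:
    name: str
    rule_type: RuleType
    entries: List[RuleEntry] = field(default_factory=list)


@dataclass(frozen=True)
class Violation:
    rule: str
    rule_type: RuleType
    app_name: str
    reason: str


def validate_policy(rules: List[AppControlRule]) -> None:
    """A security policy may enable Allowed rules or Disallowed rules, never both."""
    types = {r.rule_type for r in rules}
    if RuleType.ALLOWED in types and RuleType.DISALLOWED in types:
        raise ValueError("Rule Types: Allowed and Rule Types: Disallowed cannot both be enabled")


def evaluate(rules: List[AppControlRule], platform: str,
             installed_apps: List[str]) -> List[Violation]:
    """Evaluate one policy's enabled rules against one device's app inventory."""
    validate_policy(rules)

    def entries(rule_type: RuleType) -> List[Tuple[AppControlRule, RuleEntry]]:
        # Only entries whose Device Platform matches this device apply.
        return [(r, e) for r in rules if r.rule_type == rule_type
                for e in r.entries if e.platform == platform]

    required = entries(RuleType.REQUIRED)
    violations: List[Violation] = []

    # Required: the absence of a matching app is a violation.
    for rule, entry in required:
        if not any(entry.matches(app) for app in installed_apps):
            violations.append(Violation(rule.name, RuleType.REQUIRED,
                                        entry.search_string, "required app is not installed"))

    def is_required(app: str) -> bool:
        return any(entry.matches(app) for _, entry in required)

    # Disallowed: presence is a violation, except where a Required entry also
    # matches the app, because Required rules take precedence in a conflict.
    for rule, entry in entries(RuleType.DISALLOWED):
        for app in installed_apps:
            if entry.matches(app) and not is_required(app):
                violations.append(Violation(rule.name, RuleType.DISALLOWED,
                                            app, "disallowed app is installed"))

    # Allowed: an installed app that matches no Allowed entry is a violation.
    # Treating Required apps as implicitly allowed is an assumption, so that a
    # policy does not flag the very app it requires.
    allowed = entries(RuleType.ALLOWED)
    if allowed:
        rule_names = ", ".join(sorted({r.name for r, _ in allowed}))
        for app in installed_apps:
            if not any(e.matches(app) for _, e in allowed) and not is_required(app):
                violations.append(Violation(rule_names, RuleType.ALLOWED,
                                            app, "app is not in the Allowed list"))
    return violations


# Constructed sample rules and inventory; app and rule names are illustrative only.
SAMPLE_RULES = [
    AppControlRule("Client present", RuleType.REQUIRED,
                   [RuleEntry("MobileIron", "iOS", "detect removal of the client")]),
    AppControlRule("Known-bad apps", RuleType.DISALLOWED,
                   [RuleEntry("FlashlightPro", "iOS", "known security issues"),
                    RuleEntry("MobileIron", "iOS", "conflicts with the Required rule")]),
]
SAMPLE_INVENTORY = ["MobileIron", "FlashlightPro 2", "Safari"]


def demo() -> List[Violation]:
    # Only "FlashlightPro 2" is reported: the Required rule wins over the
    # Disallowed entry for MobileIron.
    return evaluate(SAMPLE_RULES, "iOS", SAMPLE_INVENTORY)
```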
The Device App Inventory page displays the apps that MobileIron has detected on managed devices. Only apps that were installed after the manufacturer's image was loaded are listed.
To display the app inventory, in the Admin Portal, select Apps > Device App Inventory.
Platform
Label
App name
For example, to display iOS apps that are on company-owned devices and contain the
letter A, you would select iOS from the Platforms list, select Company-Owned from
the Labels list, and enter A in the Search by App field. Clicking the search icon in the
Search by App field applies the search.
You can use the Device App Inventory page to help manage the apps that are appearing in your enterprise. We recommend the following approach:
This alternative enables you to specify an override URL, per app, to be used for in-house app distribution. The VSP routes download requests to this alternate location.
The following diagram illustrates a typical deployment.
This feature uses unauthenticated URLs. Therefore, a trusted and secure internal network is an absolute requirement. This feature is intended for use behind the firewall.
1. In the Admin Portal on the VSP, select Apps > App Distribution Library.
2.
3. As you complete the forms in the Add App Wizard, include an appropriate URL in
the Override URL field. The URL must point to the in-house app in its alternate location.
4. When you complete the Add App Wizard, assign an appropriate label to the app.
Consider configuring debug mode for MIFS logs (in System Manager).
Debug logs record a successful configuration. Without them, you will have no indication if you mistype the license key for the reputation service.
2.
3.
4.
5.
Description
Reputation Service
Authentication Key
Rating Threshold
Check Interval
Click Save.
An initial sync begins shortly after initial configuration. Thereafter, the Check Interval setting determines when the VSP contacts the reputation service.
Description
Not Rated
OK
Risky
Chapter 15
Docs@Work
About Docs@Work
The Docs@Work feature gives device users an intuitive way to access, store, and view
attachments (from email) and documents from content servers, such as Microsoft
SharePoint sites. It also lets administrators establish data loss prevention controls to
protect these documents from unauthorized distribution. Docs@Work uses certain
aspects of AppConnect, including passcode access and app tunneling; however, you do
not require an AppConnect license for Docs@Work.
For Android
Docs@Work for Android is a solution involving separate AppConnect-enabled apps that
work together. See The SharePoint Client App for Android on page 747 for information on using Docs@Work once it is configured on an Android device.
attachment as a local file. Like the attachments, the local files are available for viewing only in Mobile@Work.
The device user can view email attachments using any app that works with the attachment type. Configuring attachment control restricts the viewing of email attachments to Mobile@Work. This containerization protects the attachment from
applications that could leak it outside of the device. For additional
access control, you can encrypt the email attachments.
The content server must support authentication using Kerberos Constrained Delegation (KCD).
Docs@Work must use the AppTunnel feature, configured so that the Standalone
Sentry uses KCD to authenticate the user to the content server.
The content server must be either a Microsoft SharePoint server or IIS-based WebDAV content repository. MobileIron does not support KCD with CIFS-based content
repositories.
For iOS only, Docs@Work also supports Apache-based WebDAV content repositories.
To determine whether a specific content repository will function with Docs@Work, contact the vendor for information on the basis for the WebDAV or CIFS implementation.
Note: The Android SharePoint Client app supports IIS-based WebDAV content repositories starting with Android Secure Apps 5.6.0.1. It supports Microsoft SharePoint
2013 and CIFS-based content repositories starting with Android Secure Apps 5.7.
Supported content server authentication methods:
Basic, Digest, NTLM, KCD
Basic; NTLM, starting with Android Secure Apps 5.6.0.1; KCD
Supported devices
iOS devices
To support Docs@Work, including full email attachment control, an iOS device must
have:
Windows Phone 7
Windows Phone 8
Docs@Work requirements
The Docs@Work feature requires the following versions of MobileIron products:
File viewers
For iOS devices, Mobile@Work uses the native file viewer to display the contents of
different file types. See Supported files in the Mobile@Work for iOS app on
page 475.
For Android devices, the ThinkFree Viewer displays the contents of different file
types. See Document types supported by ThinkFree Document Viewer on
page 516.
SharePoint Prerequisites
To access a SharePoint site from Mobile@Work, a device user must have a SharePoint permission level for the SharePoint site that includes the following SharePoint
site permission:
Browse Directories - Enumerate files and folders in a Web site using SharePoint
Designer and WebDAV interfaces.
The Contribute permission level includes this site permission by default. Therefore, device users with this permission level or higher can access the SharePoint
site. The Read permission level does not include this site permission by default.
However, you can change the Read permission level to include this site permission, or you can create another read permission level that
includes this site permission.
For more information about SharePoint permission levels, see SharePoint documentation.
Each time the device user views local copies of files on the content server,
Mobile@Work syncs the local files so that their contents reflect the latest corresponding file on the content server.
The device user cannot cut and paste data from documents or email attachments
that they view in Mobile@Work into any other app.
2.
3.
4.
2.
3.
4.
5.
2.
3. Click Save.
Caution: For iOS devices, if you disable Docs@Work after it has been enabled, the
Mobile@Work app on each registered iOS device does the following:
Removes all content server configurations, whether the device user added them
manually or you configured them with Docs@Work app settings on the VSP
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
1.
2. Complete the steps for configuring AppConnect for these in-house apps.
See How to configure AppConnect on page 482.
Note: Some of the apps might be duplicates of apps you have already uploaded to
support another MobileIron product. If the app upload fails with a message stating
that the app is already uploaded, skip to the next app.
3.
Description
Name
Description
URL
$USERID$
$EMAIL$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
Item
Description
User Name
Specify the user name that the device user uses to access
the content server.
Enter one of the following variables: $EMAIL$, $USERID$,
$USER_CUSTOM1$, $USER_CUSTOM2$,
$USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$.
You can also enter a combination of one or more variables
and text, such as $USERID$:$EMAIL$ or
$USERID$_$EMAIL$.
When the device user attempts to access the content
server, the app on the device that handles content server
access fills the user name field with the user's information
based on the variables you specify in this field. On iOS
devices, the app is Mobile@Work for iOS. On Android
devices starting with Mobile@Work 5.5 for Android, the
app is the SharePoint Client app.
Enter $NULL$ if you want the app on the device that
handles SharePoint access to leave the user name field
empty, requiring the device user to enter the user name
manually.
Item
Description
Password
Select this field to give the device user the option to save
content server passwords on the device. If the user
chooses to save a content server password, the app on the
device that handles content server access does not
present a login screen to the user when the user next
accesses the content server.
On iOS devices, the app that handles content server
access is Mobile@Work for iOS. On Android devices
starting with Mobile@Work 5.5 for Android, the app is the
SharePoint Client app.
If this option and the Save User Passwords option
(Settings > Preferences) are enabled, then the Remember
Password option is automatically selected in the Remote
Shares screen on the device.
4. Click Save.
5.
6.
7.
A SharePoint site
A SharePoint subsite
A SharePoint library
A SharePoint folder
The URL includes a hierarchical list of names that drills down to the site, subsite,
library, or document you want the device user to access. This URL is not the same as
the URL that you see in a web browser open to the same site, subsite, library, or document.
For example, use:
https://companySharePointSite.com
This example specifies the root SharePoint site.
https://companySharePointSite.com/Marketing
This example specifies the Marketing subsite in the root SharePoint site.
https://companySharePointSite.com/Marketing/Demo
This example specifies the Demo subsite within the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments
This example specifies the NewProductDocuments library in the Marketing site.
https://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures
This example specifies the TopFeatures folder in the NewProductDocuments library.
Note:
Do not copy the URL you see in a browser's address bar into this field. The URL
in this field is not the same as the browser's URL. For example, for the root site on
Microsoft SharePoint 2010, the browser's URL field appears as:
https://companySharePointSite.com/SitePages/Home.aspx
In this field, you specify:
https://companySharePointSite.com
A valid URL does not contain spaces or certain special characters. For example, a
space is entered in a valid URL as %20. That is, instead of entering:
https://companySharePointSite/Shared Documents
Enter:
https://companySharePointSite/Shared%20Documents
Such substitutions are known as URL encoding.
https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$.
When using these variables, make sure the URL still specifies a SharePoint site,
subsite, library, or folder.
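The variable expansion and URL encoding described above (the User Name field's $USERID$:$EMAIL$ style templates, $NULL$, and %20 encoding in content server URLs), as an added Python example that is not part of MobileIron's product or this guide; the sample user attribute values and the check that rejects a browser page URL are assumptions made for illustration:

```python
"""Expand VSP substitution variables in a Docs@Work configuration field.

Added illustration, not MobileIron code. The variable names come from the
guide ($USERID$, $EMAIL$, $USER_CUSTOM1$..$USER_CUSTOM4$, $NULL$); the user
attribute values and the ".aspx" browser-URL check are assumptions.
"""
import re
from urllib.parse import quote, unquote, urlsplit

VARIABLE_NAMES = ("USERID", "EMAIL", "USER_CUSTOM1", "USER_CUSTOM2",
                  "USER_CUSTOM3", "USER_CUSTOM4")
_VAR_RE = re.compile(r"\$(" + "|".join(VARIABLE_NAMES + ("NULL",)) + r")\$")

# Constructed sample of the attributes the VSP holds for one device user.
SAMPLE_USER = {
    "USERID": "jdoe",
    "EMAIL": "jdoe@example.com",
    "USER_CUSTOM1": "Marketing",
}


def _lookup(attrs, name):
    """Return the user's value for a variable; a missing value is an error,
    not silently substituted as an empty string."""
    value = attrs.get(name)
    if not value:
        raise KeyError(f"this user has no value for ${name}$")
    return value


def expand_user_name(template, attrs):
    """Return the user name the device app should prefill.

    $NULL$ means "leave the field empty so the device user types the name".
    Otherwise every variable is replaced and any literal separator text
    (":" or "_" in the guide's examples) is kept as typed.
    """
    if "$NULL$" in template:
        return ""
    return _VAR_RE.sub(lambda m: _lookup(attrs, m.group(1)), template)


def expand_content_url(template, attrs):
    """Expand variables in a content server URL and URL-encode each path
    segment, so a space becomes %20 as the guide requires.

    Already-encoded segments are decoded first, so the result is the same
    whether the administrator typed "Shared Documents" or "Shared%20Documents".
    """
    if "$NULL$" in template:
        raise ValueError("$NULL$ is not meaningful in a content server URL")
    expanded = _VAR_RE.sub(lambda m: _lookup(attrs, m.group(1)), template)
    parts = urlsplit(expanded)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("the URL must be an absolute https:// URL")
    # Assumption: a browser page URL (query string, fragment or an .aspx
    # page such as /SitePages/Home.aspx) is not a site/library/folder path.
    if parts.query or parts.fragment or parts.path.lower().endswith(".aspx"):
        raise ValueError("enter the site, subsite, library or folder path, "
                         "not the URL from the browser's address bar")
    segments = [quote(unquote(seg), safe="") for seg in parts.path.split("/")]
    return f"{parts.scheme}://{parts.netloc}" + "/".join(segments)


if __name__ == "__main__":
    print(expand_user_name("$USERID$:$EMAIL$", SAMPLE_USER))
    print(expand_content_url(
        "https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$", SAMPLE_USER))
    print(expand_content_url(
        "https://companySharePointSite.com/Shared Documents", SAMPLE_USER))
```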
1. In the VSP Admin Portal, select Policies & Configs > Policies.
2. Edit the default Docs@Work policy, or select Add New > Docs@Work to create a
new one.
Use the following guidelines to configure the Docs@Work policy:
Item
Description
Name
Default Docs@Work
Policy
Active
Item
Description
Priority
Specifies the priority of this custom policy relative to the other custom policies
of the same type. This priority determines which policy is applied if more
than one policy is associated with a specific device. Select Higher than or
Lower than, then select an existing
policy from the dropdown list. For example, to give Policy A a higher priority
than Policy B, you would select Higher
than and Policy B. See Prioritizing
Policies in the MobileIron VSP Administration Guide or the MobileIron Connected Cloud Administration Guide.
Because this priority applies only to custom policies, this field is not enabled
when you create the first custom policy
of a given type.
Description
Default
Allow Open In
Not selected
Item
Description
AppTunnel
URL Wildcard
None
None
Item
Description
Sentry
Select a Sentry configured for app tunneling from the drop-down list.
None
Service
None
This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified
Sentry.
Note: If you entered a URL with wildcards in the URL Wildcard field, you can
only select <ANY> or <CIFS_ANY> as
the service. The <ANY> or <CIFS_ANY>
service must be configured in the App
Tunneling Configuration section of the
Sentry configured for app tunneling.
If the service on the Sentry is configured
with its Server Auth set to Kerberos,
Docs@Work uses Single Sign On. That
is, the device user does not enter any
further credentials when Docs@Work
accesses the content server.
Identity Certificate
None
For more information, see SCEP settings on page 237 and Certificates settings on page 236.
5. Click Save.
6.
7.
8.
2.
3. Click Save.
Caution: If you plan to use the $PASSWORD$ field in any configurations, be sure to
set Save User Password to Yes before any device users register. Device users who
registered before you set Save User Password to Yes will have to log in to the
MyPhone@Work web portal. Logging in to the MyPhone@Work web portal provides the
user's password to the VSP.
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
Removes the content server entries that you created with Docs@Work configurations on the VSP, depending on the compliance action that you configured.
When you create a compliance action that specifies quarantine, you can choose
whether to remove the configurations from the device. Removing the configurations
includes removing any Docs@Work configurations. Since the Docs@Work configurations specify content servers, Mobile@Work removes the content server entries.
If the user had saved the content server password, Mobile@Work removes it, too.
See Set up Docs@Work configurations on page 463.
When the device is no longer quarantined, Mobile@Work makes the Local Files and
Remote Files tabs available again. Docs@Work configurations are restored, and the
user can once again access the content servers that you configured. However, if the
user had saved the content server password, Mobile@Work no longer has it. The user
will have to re-enter it.
You can also create a quarantine action that retires AppConnect apps on iOS devices.
Retiring an AppConnect app makes it unauthorized and deletes (wipes) all its secure
data. This compliance action also blocks and wipes the data of the Docs@Work features in Mobile@Work.
Removes all content server configurations, whether the device user added them
manually or you created them with Docs@Work configurations on the VSP
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
Configure a security policy to automatically block a device if it violates certain settings in the policy. This action blocks email and AppConnect apps.
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
When the device is no longer blocked, Mobile@Work makes the Local Files and Remote
Files tabs available again.
Prevents the user from accessing the Docs@Work features of the Mobile@Work
app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
Removes all local copies of content server files and email attachments
Removes the list of recent attachments
Mobile@Work notifies the VSP that the device is jailbroken. The VSP takes further
actions depending on the security policy that you configured.
When the device is no longer jailbroken, Mobile@Work makes the Local Files and
Remote Files tabs available again.
.gif, .tiff)
If a user tries to open a file that Mobile@Work does not support, Mobile@Work displays an error message.
Some files that the device user cannot view in Mobile@Work are:
Chapter 16
AppConnect
About AppConnect
AppConnect is a MobileIron feature that containerizes apps to protect data on the
device. Each AppConnect-enabled app becomes a secure container whose data is
encrypted, protected from unauthorized access, and removable. Because each user
has multiple business apps, each app container is also connected to other secure app
containers. This connection allows the AppConnect-enabled apps to share data, like
documents. The MobileIron VSP uses policies to manage the AppConnect-enabled
apps.
See the MobileIron AppConnect App Developers Guide for details on wrapping and on
using the SDK.
Use the AppTunnel feature, configured for authenticating the user to the enterprise
server using Kerberos Constrained Delegation (KCD).
Note: MobileIron does not support KCD with CIFS-based content servers.
For devices running a Mobile@Work for iOS release starting with iOS 5.7:
AppConnect apps built starting with the AppConnect for iOS SDK version 1.5 support encryption without dependencies on a device passcode. For these apps, the
app determines which files are secure. The app encrypts the data in those files, but
file names and paths are not encrypted.
This data encryption is supported when Mobile@Work for iOS is registered with VSP
5.5 or later.
The encryption key is not stored on the device. It is programmatically derived, in
part from the device user's AppConnect passcode. Encrypted files cannot be
decrypted without the AppConnect passcode or the user's full VSP login credentials.
Basic configuration
Complete the following steps to implement a basic AppConnect configuration:
1.
2.
3.
4.
2.
4.
5.
6.
7.
3.
4.
In-house app
Recommended app
Android
Not supported
iOS
MobileIron
The VSP applies a default AppConnect global policy automatically to all devices. You
can modify the default AppConnect global policy. You can also create custom AppConnect global policies and apply those to specific devices.
Note: Make sure only one AppConnect global policy applies to each device.
In the AppConnect global policy, you configure:
default policies for these data loss prevention features: copy/paste, print, document interaction, screen capture, accessing camera photos, accessing gallery
images, and streaming media to media players.
Configuration steps
To configure an AppConnect global policy:
1. In the VSP Admin Portal, select Policies & Configs > Policies.
2. Edit the default AppConnect global policy, or select Add New > AppConnect to create a new one.
Description
Default Value
Name
Default AppConnect
Global Policy
Active
Item
Description
Priority
Specifies the priority of this custom policy relative to the other custom policies
of the same type. This priority determines which policy is applied if more
than one policy is associated with a specific device. Select Higher than or
Lower than, then select an existing
policy from the dropdown list. For example, to give Policy A a higher priority
than Policy B, you would select Higher
than and Policy B. See Prioritizing
policies on page 142.
Default Value
Because this priority applies only to custom policies, this field is not enabled
when you create the first custom policy
of a given type.
Description
Default AppConnect
Global Policy
AppConnect
Disabled
AppConnect
Passcode
Passcode
Required
Not required
Item
Description
Default Value
Passcode Type
Specify whether the passcode can contain only simple numeric input, or can
contain alphanumeric and special characters. When the type is complex, the
passcode must contain at least one digit
and one letter.
Complex
iOS only: If the user exceeds the maximum, he must enter his user credentials
and then create a new AppConnect passcode. If the user exceeds the maximum
attempts in entering his user credentials, he must wait 10 minutes before he
can try again.
Android only: If the user exceeds the
maximum, he can no longer access
secure apps. Send an unlock command
to the device. The unlock command
removes both the device passcode and
the secure apps passcode. The user can
then create both passcodes again.
If the maximum is greater than 6, 7, or
8, after the 6th, 7th, and 8th failed
attempt, the user cannot attempt to
enter the secure apps passcode for 1, 5,
and 15 minutes respectively. For each
failed attempt after that, he cannot
attempt to enter the secure apps passcode for 1 hour.
Inactivity Timeout
Out Of Contact
15 minutes
Item
Description
Default Value
Out-of-contact
block timeout
10 days
App
Authorization
30 days
Item
Description
Default Value
App Check-in
Interval
iOS only:
60 minutes
when the device user uses the Connect Now feature in Mobile@Work on
the device.
Unauthorized
Message
None
Not selected
Item
Description
Default Value
Copy/Paste To
iOS only:
Not selected
All Apps
Select All Apps if you want the device
user to be able to copy content from
the AppConnect app and paste it into
any other app.
AppConnect Apps
This feature is under construction. Do
not select.
Print
Not selected
iOS only:
Select Allow if you want AppConnect
apps to be allowed to use print capabilities by default. You can override this
option in each app's individual AppConnect container policy.
Item
Description
Default Value
Open In
iOS only:
Not selected
All Apps
Select All Apps if you want the app to
be able to send documents to any
other app.
AppConnect Apps
Starting with Mobile@Work for iOS
version 5.7:
Select AppConnect Apps to allow an
AppConnect app to send documents
to only other AppConnect apps.
Whitelist
Select Whitelist if you want the app to
be able to send documents only to the
apps that you specify.
Enter the bundle ID of each app, one
per line, or in a semi-colon delimited
list. For example:
com.myAppCo.myApp1
com.myAppCo.myApp2;com.myAppCo.myApp3
Item
Description
Default Value
Camera
Not selected
Not selected
Item
Description
Default Value
Media Player
Not selected
Not selected
Click Save.
If you created a new policy, apply the appropriate labels to the AppConnect global
policy.
If you are using the default AppConnect global policy, it automatically applies to all
devices.
If the lockdown policy prohibits camera use, AppConnect apps cannot use the camera. Camera use is prohibited even if you allow camera access on the AppConnect
global policy.
If the lockdown policy allows camera use, AppConnect apps can access photos from
the camera only if you allow camera access on the AppConnect global policy.
The following table summarizes this interaction of the lockdown policy and the
AppConnect global policy:
AppConnect global policy:
Camera access allowed
Lockdown policy:
Camera enabled
Lockdown policy:
Camera disabled
For iOS AppConnect apps built with the AppConnect for iOS SDK:
The VSP takes this automatic action only if the app has specified its desired default
values for the policy in its IPA file. Also, this automatic action does not occur when
you specify an Apple App Store AppConnect app as a recommended app.
Note: In the VSP Admin Portal, on Policies & Configs > Configurations, the name of
the app, not the name of the AppConnect container policy, displays in the name column.
You can override these values by editing the app's AppConnect container policy. The
VSP keeps the labels that you apply to the app in sync with the labels that you apply to
the AppConnect container policy that the VSP automatically created.
Configuration tasks
To configure an AppConnect container policy:
1. In the VSP Admin Portal, select Policy & Configs > Configurations.
2. Select the existing container policy for the app, or select Add New > AppConnect >
Container Policy to create a new one.
Description
Name
Application
iOS only:
Select this option if you want to allow the device user to
use the app without entering the AppConnect passcode.
iOS only:
Select Allow if you want AppConnect apps to be allowed to
use print capabilities.
Item
Description
Copy/Paste To
iOS only:
Select Allow if you want the device user to be able to copy
content from the AppConnect app to other apps.
When you select this option, then select either:
All Apps
Select All Apps if you want the device user to be able to
copy content from the AppConnect app and paste it into
any other app.
AppConnect Apps
This feature is under construction. Do not select.
Open In
iOS only:
Select Allow if you want AppConnect apps to be allowed to
use the Open In (document interaction) feature.
When you select this option, then select either:
All Apps
Select All Apps if you want the app to be able to send
documents to any other app.
AppConnect Apps
Starting with Mobile@Work for iOS version 5.7:
Select AppConnect Apps to allow an AppConnect app to
send documents to only other AppConnect apps.
Whitelist
Select Whitelist if you want the app to be able to send
documents only to the apps that you specify.
Enter the bundle ID of each app, one per line, or in a
semi-colon delimited list. For example:
com.myAppCo.myApp1
com.myAppCo.myApp2;com.myAppCo.myApp3
3. Click Save.
4.
5.
6. Select the labels to which you want to apply this AppConnect container policy.
7. Click Apply.
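The Open In decision described for the AppConnect global policy and again for the container policy above (All Apps, AppConnect Apps, Whitelist, and the "one per line or semicolon-delimited" Whitelist syntax), as an added Python example that is not MobileIron code; the policy dictionaries, the rule that a container policy setting overrides the global default for this item, and every bundle ID other than the guide's own com.myAppCo examples are assumptions:

```python
"""Decide whether an AppConnect app may hand a document to another app.

Added illustration, not MobileIron code. It models the three Open In
choices in the guide (All Apps, AppConnect Apps, Whitelist), the Whitelist
syntax (one bundle ID per line or a semicolon-delimited list), and, as an
assumption, a container policy setting overriding the global policy default.
"""
import re

# Assumption: a bundle ID is a dotted, reverse-DNS style token.
_BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
MODES = ("All Apps", "AppConnect Apps", "Whitelist")


def parse_whitelist(text):
    """Split the Whitelist field into an ordered, de-duplicated tuple of
    bundle IDs, accepting newlines, semicolons or a mix of both."""
    ids = []
    for raw in re.split(r"[;\r\n]+", text or ""):
        bundle_id = raw.strip()
        if not bundle_id:
            continue
        if not _BUNDLE_ID_RE.match(bundle_id):
            raise ValueError(f"malformed bundle ID: {bundle_id!r}")
        if bundle_id not in ids:
            ids.append(bundle_id)
    if not ids:
        raise ValueError("Whitelist selected but no bundle IDs were entered")
    return tuple(ids)


def effective_open_in(global_policy, container_policy=None):
    """Return (allowed, mode, whitelist) for one app.

    Each policy is a dict such as
    {"allow": True, "mode": "Whitelist", "whitelist": "com.a.app;com.b.app"}.
    Assumption: when the container policy sets Open In it wins; otherwise the
    AppConnect global policy default applies.
    """
    policy = container_policy if container_policy else global_policy
    if not policy.get("allow"):
        return (False, None, ())
    mode = policy.get("mode")
    if mode not in MODES:
        raise ValueError(f"Open In mode must be one of {MODES}, got {mode!r}")
    whitelist = parse_whitelist(policy.get("whitelist")) if mode == "Whitelist" else ()
    return (True, mode, whitelist)


def open_in_allowed(global_policy, container_policy, target_bundle_id,
                    appconnect_bundle_ids=frozenset()):
    """True if the app may send a document to target_bundle_id.

    appconnect_bundle_ids is the set of AppConnect-enabled apps on the device,
    used only for the AppConnect Apps mode (Mobile@Work for iOS 5.7 onward).
    """
    allowed, mode, whitelist = effective_open_in(global_policy, container_policy)
    if not allowed:
        return False
    if mode == "All Apps":
        return True
    if mode == "AppConnect Apps":
        return target_bundle_id in appconnect_bundle_ids
    return target_bundle_id in whitelist


# Constructed sample policies: the global default denies Open In, while the
# container policy for one app allows it to the guide's example whitelist.
GLOBAL_POLICY = {"allow": False}
CONTAINER_POLICY = {
    "allow": True,
    "mode": "Whitelist",
    "whitelist": "com.myAppCo.myApp1\ncom.myAppCo.myApp2;com.myAppCo.myApp3",
}

if __name__ == "__main__":
    for target in ("com.myAppCo.myApp3", "com.otherVendor.mailer"):
        print(target, open_in_allowed(GLOBAL_POLICY, CONTAINER_POLICY, target))
```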
Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
1.
2.
3.
2.
3.
4. Click Apply.
2.
3.
4. Click Save.
Also see VSP licensing options for Android secure apps on page 515.
2.
3.
4. Click Save.
Also see VSP licensing options for Android secure apps on page 515.
2. Edit the entry for the Standalone Sentry you intend to use for app tunneling.
3.
Description
Host / IP
Port
Enter the port that the Standalone Sentry is listening on. The
default is 9090.
Enable
ActiveSync
Enable App
Tunneling
Item
Description
Note: See Device and server authentication support for Standalone Sentry on
page 328 for authentication information for both ActiveSync and AppTunnel.
Device Authentication
Upload Certificate
Select Check Certificate Revocation List (CRL) if you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA.
Note that only HTTP and HTTPS based CRLs are supported.
Some CAs create LDAP-based CRLs by default that will not work
with Sentry.
For CRL validation to work, Sentry requires network connectivity
to the CRL Distribution Point (CDP), usually the CA that issued
the certificate, through an HTTP or HTTPS port.
Use the Subject Alternate Name Type list to select the field in
the client certificate that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating
the client certificate. This type is often the NT Principal Name.
Value
Use the Value list to select the value used in the Subject Alternate Name field.
Usually, the User UPN (user principal name) is used to identify
the user.
Item
Description
Service Name
SharePoint
Human Resources
A service name cannot contain these characters: 'space' \ ; * ? < > " |.
For app tunnels that point to CIFS-based content servers, the
service name must begin with CIFS_.
<ANY>
Select <ANY> to allow tunneling to any URL that the app
requests. Typically, you select <ANY> if an AppConnect app's
app configuration specifies a URL with wildcards for tunneling,
such as *.myCompany.com. The Sentry tunnels the data for
any URL request that the app makes that matches the URL
with wildcards.
The Sentry tunnels the data to the app server that has the
URL that the app specified. The Server List field is therefore
not applicable when the Service Name is <ANY>.
For example, suppose the app requests the URL
myAppServer.mycompany.com, which matches *.mycompany.com in the app configuration. The Sentry tunnels the
data to myAppServer.myCompany.com.
Web@Work typically uses the <ANY> service, so that it can
browse to any of your internal servers.
Note: Do not select this option for tunneling to CIFS-based
content servers. Select <CIFS_ANY>, instead.
<CIFS_ANY>
Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content server. Typically, you select <CIFS_ANY> if the
URL for a CIFS-based content server contains wildcards for
tunneling, such as *.myCompany.com.
Note: The order of the Service Name entries does not matter.
Item
Description
Server Auth
Pass Through
The Sentry passes through the authentication credentials,
such as the user ID and password (basic authentication) or
NTLM, to the app server.
Kerberos
The Sentry uses Kerberos Constrained Delegation (KCD).
KCD supports Single Sign On (SSO). SSO means that the
device user does not have to enter any credentials when the
AppConnect app accesses the app server.
The Kerberos option is only available if you selected Identity
Certificate for Device Authentication.
MobileIron does not support Kerberos for CIFS-based content
servers.
Server List
TLS Enabled
Select TLS Enabled if the app servers listed in the Server List
field require SSL.
Note: Although port 443 is typically used for https and requires
SSL, the app server can use other port numbers requiring SSL.
Item
Description
Enter the Service Principal Name (SPN) for each server, separated by semicolons. For example:
sharepoint1.company.com;sharepoint2.company.com.
The Server SPN List applies only when the Service Name is not
<ANY> and the Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN,
you can leave the Server SPN List empty. However, if you
include a Server SPN List, the number of SPNs listed must equal
the number of servers listed in the Server List. The first server
in the Server List corresponds to the first SPN in the Server SPN
List, the second server in the Server List corresponds to the second SPN in the Server SPN List, and so on.
Note: When the Service Name is <ANY> and the Server Auth is
Kerberos, the Standalone Sentry assumes that the SPN is the
same as the server name received from the device.
If you select Kerberos for the Server Auth field for an AppTunnel service, this section appears. For Kerberos authentication information for both ActiveSync and
AppTunnel, see Authentication using an identity certificate and Kerberos constrained delegation on page 333.
Use keytab file
Realm
If you do not upload a keytab file, enter the Kerberos administrative domain. The realm is usually the company domain name,
in all uppercase characters.
Sentry Service
Principal
If you do not upload a keytab file, enter the service principal for
the Sentry service account, preceded by HTTP/. For example, if the user name of the service account is sentry1_kcd, the service principal would be HTTP/
sentry1_kcd.
Password
If you do not upload a keytab file, enter the password for the
Sentry service account.
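The AppTunnel service rules from the table above (forbidden characters in a service name, the CIFS_ prefix, the <ANY> and <CIFS_ANY> wildcard services, Kerberos requiring Identity Certificate device authentication and not being supported for CIFS, and the pairing of Server List entries with Server SPN List entries), as an added Python example that is not MobileIron code; the host names are constructed, and matching a requested host against the app configuration's URL Wildcard with shell-style wildcards is an assumption:

```python
"""Check a Standalone Sentry AppTunnel service entry and resolve the SPN
the Sentry would use for a tunneled request.

Added illustration, not MobileIron code. The rules encoded here are the
ones stated in the Sentry configuration table; how the real Sentry matches
a URL Wildcard is an assumption (shell-style, case-insensitive).
"""
from fnmatch import fnmatchcase

FORBIDDEN_CHARS = frozenset(' \\;*?<>"|')
WILDCARD_SERVICES = ("<ANY>", "<CIFS_ANY>")


def split_list(text):
    """Split a semicolon-delimited Sentry field, ignoring blank entries."""
    return [item.strip() for item in (text or "").split(";") if item.strip()]


def validate_service(name, server_auth, device_auth, server_list="",
                     server_spn_list="", is_cifs=False):
    """Raise ValueError for an entry the table says is invalid; else True."""
    if server_auth == "Kerberos" and device_auth != "Identity Certificate":
        raise ValueError("Kerberos server auth requires Identity Certificate "
                         "device authentication")
    is_cifs = is_cifs or name == "<CIFS_ANY>" or name.startswith("CIFS_")
    if is_cifs and server_auth == "Kerberos":
        raise ValueError("Kerberos (KCD) is not supported for CIFS-based servers")
    if is_cifs and name != "<CIFS_ANY>" and not name.startswith("CIFS_"):
        raise ValueError("a CIFS service name must begin with CIFS_")
    if name in WILDCARD_SERVICES:
        return True  # Server List and Server SPN List are not applicable
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        raise ValueError(f"service name {name!r} contains forbidden characters {bad}")
    servers = split_list(server_list)
    spns = split_list(server_spn_list)
    if not servers:
        raise ValueError("a named service needs at least one server in the Server List")
    if spns and len(spns) != len(servers):
        raise ValueError(f"Server SPN List has {len(spns)} entries but the "
                         f"Server List has {len(servers)}")
    return True


def resolve_spn(name, server_auth, requested_host, server_list="",
                server_spn_list=""):
    """Return the SPN for requested_host, or None when not using Kerberos."""
    if server_auth != "Kerberos":
        return None
    if name in WILDCARD_SERVICES:
        # For <ANY> the Sentry assumes the SPN equals the server name
        # received from the device.
        return requested_host
    servers = split_list(server_list)
    spns = split_list(server_spn_list)
    if requested_host not in servers:
        raise LookupError(f"{requested_host} is not in the Server List of {name}")
    if not spns:
        return requested_host  # each server's SPN is its own name
    return spns[servers.index(requested_host)]  # positional pairing


def host_matches_wildcard(requested_host, url_wildcard):
    """Assumed matching of a requested host against a URL Wildcard such as
    *.myCompany.com: shell-style wildcards, compared case-insensitively."""
    return fnmatchcase(requested_host.lower(), url_wildcard.lower())


if __name__ == "__main__":
    # Constructed service entry: two SharePoint servers with distinct SPNs.
    servers = "sharepoint1.company.com;sharepoint2.company.com"
    spns = "sp1-kcd.company.com;sp2-kcd.company.com"
    validate_service("SharePoint", "Kerberos", "Identity Certificate", servers, spns)
    print(resolve_spn("SharePoint", "Kerberos", "sharepoint2.company.com", servers, spns))
    print(resolve_spn("<ANY>", "Kerberos", "myAppServer.mycompany.com"))
```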
4.
5.
Click Save.
If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the
Sentry configured for app tunneling, click the View Certificate link.
This makes the Sentry's certificate known to the VSP.
For iOS AppConnect apps built using the AppConnect for iOS SDK:
The VSP takes this automatic action only if the app has specified configuration
requirements in its IPA file. Also, this automatic action does not occur when you
specify an Apple App Store AppConnect app as a recommended app.
Note: In the VSP Admin Portal, on Policies & Configs > Configurations, the name of
the app, not the name of the AppConnect app configuration, displays in the name column.
You can override these values by editing the apps AppConnect app configuration. For
example, if the configuration includes a server key, you provide the appropriate
servers domain name.
The VSP keeps in sync the labels that you apply to the app and the labels that you
apply to the AppConnect app configuration that the VSP automatically created.To keep
the labels in sync, the VSP adds these configuration keys to each automatically created AppConnect app configuration: MIAPP_DEFAULT, APPCATALOGNAME, and
APPCATALOGIDS. Do not remove or change these entries.
Configuration tasks
To configure an AppConnect app configuration:
1. In the VSP Admin Portal, select Policy & Configs > Configurations.
2. Edit the app configuration for the secure app, or select Add New > AppConnect >
Configuration to create a configuration, if necessary.
Name
Application
URL Wildcard
Port: Enter the port number that the app should connect to. If the app requests to access a URL and port number that matches the URL Wildcard field and this port number, the app data is tunneled.
Sentry
Service
Identity Certificate
Configurations: Specify app-specific configuration settings as key-value pairs. To add a key-value pair, click +. To delete a key-value pair, click -.
Key: Enter the key. The key is any string that the app recognizes as a configurable item. For example: userid, appURL
Value: a string. The string can have any value that is meaningful to the app. It can also include one or more of these VSP variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$. If you do not want to provide a value, enter $NULL$. The $NULL$ value tells the app that the app user will need to provide the value. For example: $USERID$ or https://someEnterpriseURL.com
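The following is an added example, not MobileIron code, showing how the VSP variables and the $NULL$ marker described above resolve for one device user; the configuration, the user record and the function names are constructed for this illustration.

```python
"""Expand an AppConnect app configuration's key-value pairs for one device user.

Added example, not MobileIron code: it models how the VSP variables listed
above ($USERID$, $EMAIL$, $USER_CUSTOM1$ .. $USER_CUSTOM4$) can be substituted
into Value strings, and how $NULL$ marks a value the app user must supply.
The configuration, the user record and the function names are constructed.
"""
import re

# Map each VSP variable to the field of the device user record it reads from.
VSP_VARIABLES = {
    "$USERID$": "userid",
    "$EMAIL$": "email",
    "$USER_CUSTOM1$": "custom1",
    "$USER_CUSTOM2$": "custom2",
    "$USER_CUSTOM3$": "custom3",
    "$USER_CUSTOM4$": "custom4",
}
NULL_VALUE = "$NULL$"
# Any $TOKEN$ in a value; tokens not in VSP_VARIABLES are reported as errors.
TOKEN_RE = re.compile(r"\$[A-Z0-9_]+\$")


def expand_config(config, user):
    """Return (resolved, user_supplied, errors) for a key-value configuration.

    resolved: keys whose Value was expanded for this user (a missing custom
              field expands to an empty string).
    user_supplied: keys whose Value is exactly $NULL$; the app must ask the
              user for them rather than treat the literal as a value.
    errors: keys whose Value contains a $...$ token the VSP does not define,
              so the app would otherwise receive the unexpanded literal.
    """
    resolved, user_supplied, errors = {}, [], {}
    for key, value in config.items():
        if value == NULL_VALUE:
            user_supplied.append(key)
            continue
        unknown = [t for t in TOKEN_RE.findall(value) if t not in VSP_VARIABLES]
        if unknown:
            errors[key] = unknown
            continue
        resolved[key] = TOKEN_RE.sub(
            lambda m: str(user.get(VSP_VARIABLES[m.group(0)], "")), value)
    return resolved, user_supplied, errors


if __name__ == "__main__":
    # Constructed sample: keys from the guide (userid, appURL) plus a few more.
    sample_config = {
        "userid": "$USERID$",
        "appURL": "https://someEnterpriseURL.com",
        "mailbox": "$EMAIL$",
        "pin": "$NULL$",
        "region": "$USER_CUSTOM1$",
    }
    sample_user = {"userid": "jdoe", "email": "jdoe@example.com", "custom1": "EMEA"}
    print(expand_config(sample_config, sample_user))
```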
Click Save.
Select the labels to which you want to apply this AppConnect app configuration.
Click Apply.
Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
Click Apply.
Enabling AppTunnel
If you are deploying secure apps developed by your organization or a third party, you
need to enable an additional product to use app tunnels with these apps:
Click Save.
Immediately block access to the web sites configured to use the AppTunnel feature.
Unauthorize AppConnect apps.
Delete (wipe) the secure data of AppConnect apps.
For details about compliance actions that impact AppConnect apps, see Compliance
actions for security policy violations on page 154.
To specify a compliance action:
Click Edit.
Click Save.
Managing AppTunnel
Manually blocking the AppTunnel feature on a device on page 512
You can block all the AppConnect apps of a particular device from using the
AppTunnel feature.
Select a device.
Add a note.
Application Name
User
Model
Status
State
Creation Time
App Bundle
Allow
Block
Remove
The device user has been authenticated through the MobileIron VSP.
The user must use the Mobile@Work for Android app to register a device with the
MobileIron VSP. Registration authenticates the device user.
NitroDesk TouchDown
The AppConnect version of the NitroDesk TouchDown email app provides a consistent user experience across a broad range of Android devices. Working with the
AppConnect versions of ThinkFree Document Viewer and File Manager, emails and
their attachments are available only in the AppConnect container. This combination
of secure apps provides the secure email attachment capability of the Docs@Work
solution.
For example, ThinkFree Document Viewer displays email attachments opened with
secure email client apps. It also displays documents opened with the secure SharePoint Client app.
The ThinkFree Document Viewer has no shortcut on the homescreen. It launches
automatically when the device user selects a document for viewing from an
AppConnect app, if the document is a type that ThinkFree Document Viewer supports.
File Manager
This secure File Manager app is part of the Docs@Work solution. It allows a user to
save, browse, and manage files in the secure container. For example, the user can
browse saved email attachments or SharePoint documents. The user can also save
documents from any other AppConnect app.
Docs@Work
AppConnect for third-party and in-house apps
The following table shows which Android secure apps you can deploy for each license
option. Select each option only if your organization has purchased it.
NitroDesk TouchDown
FileManager
SharePoint Client
If the device user tries to view a document type that is not in this list, the Android OS
indicates that no app is available to open the selected file.
Note: AppConnect apps can use other secure file viewers if they are also AppConnect
apps.
The SharePoint Client is part of the secure File Manager. Therefore, the SharePoint Client does not appear as a separate app in the list of secure apps that the device user
installs. It also does not appear as a separate app in the app distribution library on the
VSP. When a device user installs the secure File Manager, they also install the SharePoint Client.
Set up the AppTunnel as described in Adding AppTunnel support on page 482. Part of
that process is to set up the tunneling section of the AppConnect app configuration.
Because the SharePoint Client app is part of the secure File Manager, you set up
SharePoint tunneling in the AppConnect app configuration for the File Manager app.
Lock impact
Locking a device causes the device user to be locked out of AppConnect apps. The
user must reenter the secure apps passcode to access AppConnect apps. The Secure
Apps Manager prompts the user to reenter the passcode when the user launches:
Unlock impact
Unlocking a device removes the device passcode and also removes the secure apps
passcode. The Secure Apps Manager notifies the device user to create a new secure
apps passcode when the user launches:
You enabled secure apps in an AppConnect global policy and applied it to a device.
The device user installed the secure apps and created the secure apps passcode.
Later, you disable secure apps and repush the policy to the device. Finally, you
reenable secure apps and repush the policy to the device. The device user cannot
access the secure apps until you send an Unlock command to the device. Then, the
device user creates a new secure apps passcode and can access the secure apps.
You change the secure apps passcode requirements in an AppConnect global policy,
and repush the policy to the device. The device user does not have to update his
secure apps passcode to meet the new requirements. However, you can send an
Unlock command to the device, which results in prompting the device user to create a new secure apps passcode. The new passcode must adhere to the new policy
requirements.
Retire impact
Retiring a device unregisters the device from the VSP.
Retiring a device impacts AppConnect apps as follows:
The device user cannot open any AppConnect apps or the Secure Apps Manager.
Data that the AppConnect apps saved to device storage is deleted.
However, the device user must manually uninstall the AppConnect apps and the
Secure Apps Manager.
Retiring a device, therefore, retires the AppConnect apps on the device. For more
information about retiring AppConnect apps, see AppConnect app authorization on
page 494.
You disable AppConnect in the AppConnect global policy for the device (starting
with Android Secure Apps 5.7).
The device user uninstalls Mobile@Work or the Secure Apps Manager on the device.
You retire the device.
The out-of-contact wipe timeout in the AppConnect global policy expires.
You remove the Secure Apps Manager in Apps > App Distribution Library (starting
with Android Secure Apps 5.7).
You remove the label for a device from the Secure Apps Manager on Apps > App
Distribution Library (starting with Android Secure Apps 5.7).
You quarantine the device due to a compliance action (starting with Android Secure
Apps 5.7).
Browsers
Tapping a link in an AppConnect app launches a browser.
Maps
Tapping a meeting location in an AppConnect email app launches a maps app.
Phone calls
Tapping a phone number in any AppConnect app will make a phone call.
SMS
An AppConnect app such as TouchDown can allow the device user to send an SMS
to a corporate contact.
not installed: The device user has not yet installed all the secure apps.
installed: The device user has installed all the secure apps. However, he has not yet created the secure apps passcode and has not yet started TouchDown setup.
ready: The device user has installed the secure apps, created the secure apps passcode, and at least started TouchDown setup.
The device user has been authenticated through the MobileIron VSP.
The user must use the Mobile@Work for iOS app to register the device with the
MobileIron VSP. Registration authenticates the device user.
the Mobile@Work capabilities to view and store documents from content servers
and email attachments. These Docs@Work features of Mobile@Work for iOS are
essentially an AppConnect app within Mobile@Work.
Web@Work, which is a MobileIron iOS app that allows your users to easily and
securely access your organization's web content
Note: You do not have to purchase the AppConnect feature that supports third-party
and in-house apps to use Web@Work or the Docs@Work features of Mobile@Work.
maximum time between app checkins while an AppConnect app is running. See
Configuring the AppConnect global policy on page 484.
AppConnect app configurations for each of the AppConnect apps that have run on
the device.
the current authorization status for each of the AppConnect apps that have run on
the device.
Mobile@Work does an app checkin in the following situations:
The device user launches an AppConnect app for the first time.
In this situation, Mobile@Work finds out about the app for the first time, and adds it
to the set of AppConnect apps for which it gets updates.
The AppConnect passcode inactivity timeout expires while the device is running an
AppConnect app.
Note: If the device user is interacting with the app, the inactivity timeout does not
expire. This case occurs only when the device user has not touched the device for
the duration of the timeout interval.
The device user used Mobile@Work to log out of AppConnect apps, and then
launches an AppConnect app.
The VSP administrator has changed the complexity rules of the AppConnect passcode, and an app checkin occurs.
In each of these situations, Mobile@Work launches, and presents the device user with
a screen for entering his AppConnect passcode. After the device user enters the passcode, the device user automatically returns to the AppConnect app.
Chapter 17
Web@Work overview
Web@Work has the following features:
Web@Work can securely access web sites hosted on servers behind your firewall,
without requiring the device user to use VPN.
To provide this secure access, Web@Work uses AppConnect and AppTunnel capabilities. Note, however, that you can use Web@Work without purchasing AppConnect
for third-party or in-house apps and without purchasing AppTunnel.
For more information, see Secure enterprise web site access using AppTunnel on
page 526.
For configuration information, see Configure AppTunnel and Bookmarks for
Web@Work on page 535.
The device user registers Mobile@Work with the VSP by entering his VSP credentials. Then, the device user can use Web@Work to access an enterprise app server
without having to enter any further credentials. This support depends on your environment being set up to use KCD, plus the necessary AppTunnel configuration.
Web@Work uses iOS web technologies to provide web content presentation and
interaction similar to that of Safari.
Because Web@Work uses these iOS web technologies, Web@Work automatically
inherits any related iOS security updates that are installed on the device.
All Web@Work browser data is encrypted while the device is locked with a passcode. This data includes the browser cache, HTML5 local storage, cookies, URL history, and bookmarks.
Web@Work does not allow the device user to open a downloaded document in
another app. This behavior protects secure documents from leaking to unsecured
apps.
Web@Work can prevent the device user from pasting into other apps any data that
the user copied from Web@Work.
For more information, see Pasteboard data loss prevention handling on page 526.
To enable or disable this Allow Copy/Paste To data loss prevention policy, see
Configure an AppConnect container policy for Web@Work on page 534.
Web@Work supports bookmarks that you specify on the VSP Admin Portal.
See Configure AppTunnel and Bookmarks for Web@Work on page 535.
Web@Work supports URL schemes that open web pages automatically, and only, in
Web@Work.
See Web@Work URL schemes on page 525.
Note: If the device is not authorized to use Web@Work, the device user cannot use
it even for accessing public web sites.
Mobile@Work launches to prompt the device user for his AppConnect passcode.
At this point, although Web@Work exited, it did not clear the URL from the pasteboard, since the URL was not copied from inside Web@Work. The device user can
still paste the content into any app, secured or not.
When the device user returns to Web@Work, the URL is still available on the pasteboard.
The device user pastes the URL into the Web@Work address bar.
The device is not in compliance and you have specified in the compliance action for
the particular non-compliance case to delete data.
Web@Work distribution
You can make Web@Work available to device users as a recommended app in the app
distribution library in the VSP Admin Portal. The device user uses the Apps@Work web
clip or the Apps@Work web container app to discover and install Web@Work from the
Apple AppStore.
Set up Web@Work to access enterprise web sites without requiring the device user
to set up VPN.
Enable Web@Work.
Enable Web@Work support on the VSP by indicating that you have a license to
deploy it.
See Enabling Web@Work on page 529.
Set up a SCEP setting or certificates setting for authenticating devices to the Sentry.
See Certificates settings on page 236 or SCEP settings on page 237.
Be sure to assign labels to distribute the setting to the appropriate devices.
Web@Work from accessing the web sites configured to use AppTunnel. The compliance action also blocks the device from using AppConnect apps, which include
Web@Work. The action can also delete (wipe) all of Web@Work's sensitive data and
close its tabs.
See Working with security policies on page 147.
Enabling Web@Work
Enable Web@Work only if your organization has purchased it. Enabling Web@Work
means that the VSP supports it.
To enable Web@Work:
Click Save.
Host / IP
Port: Enter the port that the Standalone Sentry is listening on. The default is 9090.
Enable App Tunneling
Note: See Device and server authentication support for Standalone Sentry on
page 328 for authentication information for both ActiveSync and AppTunnel.
Device Authentication
Upload Certificate
Select Check Certificate Revocation List (CRL) if you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA.
Note that only HTTP and HTTPS based CRLs are supported.
Some CAs create LDAP-based CRLs by default that will not work
with Sentry.
For CRL validation to work, Sentry requires network connectivity
to the CRL Distribution Point (CDP), usually the CA that issued
the certificate, through an HTTP or HTTPS port.
Use the Subject Alternate Name Type list to select the field in
the client certificate that will be used to identify the user for Kerberos Constrained Delegation.
The Type is the same type that you specified when generating
the client certificate. This type is often the NT Principal Name.
Value: Use the Value list to select the value used in the Subject Alternate Name field. Usually, the User UPN (user principal name) is used to identify the user.
Service Name: For example, SharePoint or Human Resources. The following characters are invalid: 'space' \ ; * ? < > " |. The Service Name is used in the AppConnect app configuration.
Server Auth
Pass Through: The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the enterprise server.
Kerberos: The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when Web@Work accesses the enterprise server. The Kerberos option is only available if you selected Identity Certificate for Device Authentication.
Server List
TLS Enabled
If you select Kerberos for the Server Auth field for an AppTunnel service, this section appears. For Kerberos authentication information for both ActiveSync and
AppTunnel, see Authentication using an identity certificate and Kerberos constrained delegation on page 333.
Use keytab file
Realm: If you do not upload a keytab file, enter the Kerberos administrative domain. The realm is usually the company domain name, in all uppercase characters.
Sentry Service Principal: If you do not upload a keytab file, enter the service principal for the Sentry service account, preceded by HTTP/. For example, if the user name of the service account is sentry1_kcd, the service principal would be HTTP/sentry1_kcd.
Password: If you do not upload a keytab file, enter the password for the Sentry service account.
Click Save.
If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the
Sentry configured for AppTunneling, click the View Certificate link. This makes the
Sentry's certificate known to the VSP.
Click Edit.
Click Save.
7.
Repeat steps 2 through 6 for all security policies that apply to devices that you
want to run Web@Work.
For detailed information about security policies, see Working with security policies
on page 147.
Enter a name for the policy. For example, enter Web@Work container policy.
Select the data loss protection settings you want for Web@Work.
Note: Web@Work supports only the Allow Copy/Paste To option. Enabling the other
options has no impact on Web@Work. Regarding the open in feature, Web@Work
does not allow the device user to open a downloaded document in another app.
Select Save.
Click Apply.
Be sure to apply one of the labels that you selected to the device. To check the
device's labels:
Click Apply.
Name
Description
Application
AppTunnel
URL Wildcard
For the Web@Work AppTunnel, typically enter, for example, *.yourcompanyname.com or www.yourcompanyname.com*.
Do not include a URI scheme, such as http:// or https://,
in the URL Wildcard field.
Note: You can enter a wildcard * in this field only if you
configure a service name <ANY> or <CIFS_ANY> on the
Standalone Sentry.
The Standalone Sentry tunnels the Web@Work data to any
servers that Web@Work requests that match the value
that you enter here. If Web@Work requests a server that
does not match the value of any of the AppTunnel entries
in the Web@Work app setting, tunneling does not occur. In
this case, if the requested server is behind your firewall,
Web@Work informs the device user that it cannot access
the requested server.
If you want finer granularity regarding what requests the
Standalone Sentry tunnels, configure multiple AppTunnel
entries.
Port
Sentry
Service
Select the Service Name from the drop-down list. Typically, for Web@Work, the service is <ANY> or
<CIFS_ANY>.
This is the name of the AppTunnel service configured in
the Standalone Sentry configured for AppTunnel for
Web@Work.
This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the
specified Sentry.
If the service on the Sentry is configured with its Server
Auth set to Kerberos, Web@Work uses Single Sign On for
the enterprise server. That is, the device user does not
enter any further credentials when Web@Work accesses
the enterprise app server.
Identity Certificate
Bookmarks
Specify the bookmarks that you want to appear
automatically in the Bookmarks screen of Web@Work.
To add a bookmark, click + .
To delete a bookmark, click - .
The bookmarks appear in the Bookmarks screen of
Web@Work in the same order that they appear in the
Web@Work app setting. To change the ordering, drag the
bookmarks in the Web@Work app setting.
Bookmark
Address
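The following is an added example, not MobileIron code, showing how the URL Wildcard, Port and Service rules in the table above decide whether a request is tunnelled; the entries, request URLs and field names (url_wildcard, port, service) are constructed for this illustration.

```python
"""Decide whether an AppTunnel entry tunnels a Web@Work request.

Added example, not MobileIron code: it models the URL Wildcard, Port and
Service rules described in the table above. The entries, the request URLs and
the field names (url_wildcard, port, service) are constructed for this example.
"""
import fnmatch
from urllib.parse import urlsplit

# Only these service names permit a bare * wildcard (note in the table above).
ANY_SERVICES = {"<ANY>", "<CIFS_ANY>"}


def entry_problems(entry):
    """Return a list of rule violations for one AppTunnel entry (empty = valid)."""
    problems = []
    wildcard = entry["url_wildcard"]
    if "://" in wildcard:
        problems.append("URL Wildcard must not include a URI scheme such as http:// or https://")
    if wildcard == "*" and entry["service"] not in ANY_SERVICES:
        problems.append("a bare * wildcard requires service <ANY> or <CIFS_ANY>")
    if not 1 <= entry["port"] <= 65535:
        problems.append("port must be 1..65535")
    return problems


def _host_and_port(url):
    """Split a requested URL into (hostname, port), defaulting the port by scheme."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("request has no host: %r" % url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname.lower(), parts.port or default


def select_tunnel(entries, url):
    """Return the first valid entry whose wildcard and port match url, else None.

    None means the request is not tunnelled; if the server is behind the
    firewall, Web@Work then tells the user it cannot reach it.
    """
    host, port = _host_and_port(url)
    for entry in entries:
        if entry_problems(entry):
            continue  # an invalid entry never tunnels anything
        # The wildcard is a shell-style glob over the host name only (no scheme,
        # no path). A trailing * also matches any longer host name, so the
        # leading *.domain form is the narrower of the two shown in the table.
        if entry["port"] == port and fnmatch.fnmatchcase(host, entry["url_wildcard"].lower()):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample entries using the wildcard forms from the table above.
    sample_entries = [
        {"url_wildcard": "*.yourcompanyname.com", "port": 443, "service": "SharePoint"},
        {"url_wildcard": "www.yourcompanyname.com*", "port": 80, "service": "<ANY>"},
    ]
    for req in ("https://intranet.yourcompanyname.com/docs",
                "http://www.yourcompanyname.com/",
                "https://www.example.org/"):
        hit = select_tunnel(sample_entries, req)
        print(req, "->", hit["service"] if hit else "not tunnelled")
```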
Click Save.
Select the labels to which you want to apply this Web@Work app setting.
Click Apply.
Be sure to apply one of the labels that you selected to the appropriate devices.
You can make Web@Work available to device users as a recommended app in the
app distribution library in the VSP Admin Portal. For information about adding iOS
apps to the app distribution library, see Working with apps for iOS devices on
page 395.
Chapter 18
Getting started
Starting System Manager
To start System Manager:
Logging out
Select the Sign Out link in the upper right corner to exit.
Saving a configuration
If you want to save configuration settings in the System Manager, click the Save link in
the upper right corner of the System console.
Why: System Manager does not automatically save changes you make to system settings. Though these settings are retained if you log out, rebooting the MobileIron VSP
without saving these settings would return the VSP to its previously-saved configuration.
Chapter 19
Overview
The Settings page in System Manager contains links for configuring the VSP. The following table summarizes the tasks associated with each link.
Network: Interfaces
Network: Routes
Static Hosts
CLI
Syslog
SNMP
Email Settings: Configure SMTP settings for communication between the VSP and devices
Port Settings
Data Purge
Services
Interfaces
The Settings > Interfaces screen enables you to change parameters for the network
interface points for the VSP:
Fields: IP, Mask, ACL Name, Admin State
Click Save.
Fields: VLAN ID, IP Address, Mask, Physical Interface, ACL Name, Admin State
Click Save.
Routes
The Settings > Network > Routes screen enables you to create and maintain static
network routes within the enterprise.
Click Add.
Fields: Network, Mask, Gateway
Click Save.
Click Delete.
Fields: Host name, Default Domain
Click Save.
Static Hosts
The Static Hosts page enables you to edit the hosts file. Use this feature in the following cases:
Adding hosts
To add a host:
Fields: IP Address, FQDN, Alias
Click Save.
Editing hosts
To edit a host, click the IP address for the host displayed in the Static Hosts screen.
Deleting hosts
To delete a host:
Fields: Time Source, Secondary Server, Tertiary Server, Date, Time
Click Save.
CLI
The CLI screen displays the command line interface access settings specified during
configuration. Use this screen to alter these settings.
Fields: Enable Secret, Confirm Enable Secret, SSH, Telnet
Click Save.
Syslog
Use the Syslog screen to configure any remote log servers you have set up on your
network. Logs are then written to both the syslog location and the local log location.
Click Add.
Fields: Server, Log Level, Admin State
SNMP
Use the SNMP screen to manage SNMP trap receivers. MobileIron currently supports
link up/down traps and the host-resources MIB file.
Click Apply.
To edit a trap receiver, in the SNMP screen, select the link for the trap receiver you want to edit, then click Save.
To delete a trap receiver, in the SNMP screen, select the link for the trap receiver you want to delete, then click Delete.
Email Settings
Use the Email Settings screen in the System Manager portion of the portal to set up
the SMTP server access required for MobileIron email alerts, such as policy violation
alerts. In the US and certain other countries, the SMTP server settings are also
required for alerts sent via SMS. In a few cases, the SMTP server may be used to
transmit a control command to certain devices.
1. From the Settings screen, click the Email Settings link in the navigation pane.
From Email
SMTP Server
Protocol
Authentication
Required
User Name
Password
Confirm Password
Click OK.
Click Save.
Port Settings
Use the Port Settings screen to change settings, if necessary, for the following MobileIron services:
Sync Service
Sync TLS
Help Desk
Provisioning
Each must have a unique port. Changes to the default settings are seldom necessary.
Making changes to these settings requires re-registering phones, so use caution when
making changes.
Provision protocol (http/https) is also specified in this screen. Port 443 is entered
automatically for https and cannot be changed. Note that changing this protocol does
not automatically change the associated port. You must manually specify 443 for the
https provisioning port, or 8080 for the http provisioning port.
Modifying the values for the Provision Protocol or Provisioning Port fields updates the
Local CA URLs for the CRL distribution point and the CA certificate access location for
newly issued certificates. Previously generated certificates will continue to reference
the old location.
To use the new values for these fields, remove the previously issued certificates from
MIFS > Log > Certificate Log. VSP pushes the updated setting to the device(s) on the
next device check-in.
If you change the provisioning port after generating a certificate signing request, you
must generate a new CSR and replace the old certificate with the newly returned
certificate in Admin Portal in Settings > Local Certificate Authorities.
configure the sync service to use 9999, then you must open port 9999.
Note: The Provisioning Protocol and Provisioning Port settings do not apply to
Windows Phone 8 (WP8) devices. WP8 devices use https and port 443.
Data Purge
The MobileIron VSP stores significant amounts of data, such as:
call records
SMS records
data records
backup snapshots
log files
client logs
notification tables
Every four hours, the VSP automatically purges client logs and notification tables. You
can automatically or manually purge the remaining stored data. Purging enables you
to:
You can configure auto-purging based on either the amount of system storage used or
the age of the data stored. To configure auto-purging:
Use Purge Daily at to specify the time of day at which the purge should happen.
Note that the selected time is based on the VSP system time.
Click Apply.
See Specifying what gets purged on page 567 for information on selecting the
types of data to be purged.
Select or clear checkboxes to indicate whether the following types of data should be
purged:
Call Records
SMS Records
Data Records
Log Files
In System Manager, go to Settings > Data Purge or Maintenance > System Storage.
Hover over the System Storage bar to see a popup indicating the actual storage
usage and capacity.
Manual purging
You can perform ad hoc data purging. See Manually purging data (system storage)
on page 600 for information.
Services
Use the Settings > Services screen to enable or disable the following MobileIron services:
Chapter 20
Overview
The Security page in System Manager contains links for configuring aspects of VSP
access. The following table summarizes the tasks associated with each link.
Identity Source: Local Users
Certificate Mgmt
User ID
First Name
Last Name
Password
Group
Click Apply.
Click Save.
Select the user ID of the entry to display the information for that user.
Click Apply.
Click Save.
Click Delete.
Note: You cannot delete the user ID you logged in with.
Click Save.
Certificate Mgmt
Use the Certificate Mgmt feature to fulfill certificate requirements your organization
may have for the MobileIron appliances or the TLS client. You can:
You should also use this page to upload the required certificates.
Note: When you update a certificate, you are prompted to confirm that you want to
proceed because the HTTP service needs to be restarted, resulting in service disruption.
In the MobileIron System Manager, select Certificate Mgmt from the Security page.
For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
Client, click the Manage Certificate link for Client TLS.
Requirements
Appliance
Sentry Standalone
Sentry Integrated
Without password
Client
To generate a CSR:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
Client, click the Manage Certificate link for Client TLS.
Common Name
Company
Department
City
State
Country
Key Length
Click Generate.
A message similar to the following displays.
Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST to a text file.
Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
another text file.
Click Close.
Uploading certificates
When you receive the CA certificate from the certifying authority:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
Client, click the Manage Certificate link for Client TLS.
File to Select: Key file, Server certificate, or CA certificate
Viewing certificates
To view a Portal HTTPS or Client-TLS certificate:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. Click the View Certificate link for the certificate type you want to view.
Each ACL consists of one or more access control entries (ACEs). Configuring ACLs
requires the following tasks:
Create an ACL.
To add an ACL:
Click Add.
In the Description field, enter text to clarify the purpose of the ACL.
Click Save.
The lower portion of the screen is now enabled.
Fields: Source Network, Destination Network, Service, Action, Connections Per Minute, Description
Click Save.
Editing an ACL
To edit an existing ACL:
1.
2.
3.
4.
5. To insert an ACE, select the ACE above which you want to insert a new ACE and click Insert.
Click Save.
Copying an ACL
To start a new ACL based on an existing one:
1.
2.
3.
4.
Click OK.
Deleting an ACL
To delete an ACL:
1.
2.
Click Delete.
1. Click Add.
2.
3. Complete the fields:
Name
Description
Type
Network/Host
Click Save.
This host or network will now be available for ACLs configured in the ACLs screen.
Network Services
Use the Network Services screen to manage available services. MobileIron prepopulates this screen with common services.
To add a service:
1. Click Add.
2. Complete the fields:
Name
Description
Type
Source Port
Destination Port: Enter the number of the destination port for this service. Enter 0 to allow any destination port. Use 0 only when the service genuinely needs every port, because the wildcard widens every ACE that references this service.
3. Click Save.
Portal ACLs
Use Portal ACLs to further restrict access to various portals within the VSP.
To enable an ACL:
1. Select the checkbox for the component you want to work with. The components are:
Sentry Connection
API Connection
iOS MDM: The iReg service that enables provisioning iOS devices without installing the MobileIron iOS app.
2. Enter the IP address or network/mask pair to specify servers or networks that may access this component. Separate the entries with spaces.
Examples:
100.0.0.0 150.0.0.0
101.0.0.0 10.0.0.0/255.255.255.0
You must use the expanded form of the mask. Do not specify an entry similar to 10.0.0.0/24.
If your VSP is behind a NAT, enter the IP of the NAT network.
Note: Remember that the Sentry must be able to access the VSP. If it does not have access, then the ActiveSync Devices page will not display devices.
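The field accepts only bare addresses and network/expanded-mask pairs, and a mistake here locks the Sentry out. The following Python helper, added as an example and not part of the MobileIron product, rewrites CIDR entries into the expanded form the field accepts, rejects anything that is not IPv4, and checks that a given address (the Sentry's, for instance) is still covered before you save. The entries in the usage section are the ones from the examples above plus a constructed CIDR entry; the Sentry address is assumed.

```python
import ipaddress


def normalize_portal_acl(entries):
    """Return the entries in the form the Portal ACL field accepts.

    A bare address is validated; a network written in CIDR form (10.0.0.0/24)
    is rewritten with the expanded mask (10.0.0.0/255.255.255.0). Host bits
    set inside a network are cleared. Raises ValueError for anything that is
    not an IPv4 address or network.
    """
    normalized = []
    for raw in entries:
        raw = raw.strip()
        if "/" in raw:
            # strict=False clears host bits; /24 and /255.255.255.0 both parse
            net = ipaddress.IPv4Network(raw, strict=False)
            normalized.append(f"{net.network_address}/{net.netmask}")
        else:
            normalized.append(str(ipaddress.IPv4Address(raw)))
    return normalized


def portal_acl_field(entries):
    """Space-separated string ready to paste into the component's ACL field."""
    return " ".join(normalize_portal_acl(entries))


def allows(entries, source_ip):
    """True if source_ip matches an entry: bare addresses match exactly,
    networks match any address inside them."""
    ip = ipaddress.IPv4Address(source_ip)
    for entry in normalize_portal_acl(entries):
        if "/" in entry:
            if ip in ipaddress.IPv4Network(entry):
                return True
        elif ip == ipaddress.IPv4Address(entry):
            return True
    return False


def is_valid_entry(entry):
    """Pre-check for a single entry before it goes into the field."""
    try:
        normalize_portal_acl([entry])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed usage: the guide's two examples plus a CIDR entry the field
    # would reject as typed. SENTRY_IP is an assumed value.
    wanted = ["101.0.0.0", "10.0.0.0/255.255.255.0", "192.168.57.0/24"]
    SENTRY_IP = "10.0.0.45"
    print(portal_acl_field(wanted))
    if not allows(wanted, SENTRY_IP):
        raise SystemExit("Sentry would be locked out; add its address first")
```

Run the check for every Sentry and every management host before saving the ACL; an entry that fails is_valid_entry would fail in the field as well.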
Chapter 21
Overview
See the upgrade documentation for a specific release for instructions on when and
how to use this screen.
2. Click Export.
Importing a configuration
You can import a MobileIron Server configuration from a local XML file or FTP site:
1.
2.
3. Click Import.
2.
Rebooting
You can reboot the MobileIron Server to restart all server modules. A reboot returns the VSP to its last saved configuration, so any CLI changes not saved with write are lost (see write on page 644):
1.
2.
2. Specify the age of the data to be purged in the Delete data older than field.
3. See Specifying what gets purged on page 567 for information on selecting the data to purge.
Pre-requisites
The backup destination must be reachable with the chosen protocol:
NFS
SCP
FTP
CIFS: Ports 137 (UDP), 138 (UDP), and 139 (TCP) open from the VSP to the Windows share server.
FTP, NFS, and CIFS transfer the backup archive in the clear (FTP also sends the credentials in the clear); SCP encrypts both, so prefer it wherever the backup crosses a network you do not fully trust.
Backup settings
Complete the following steps to configure the destination and schedule for backups:
1.
2. Use the following guidelines to complete the System Backup Configuration section. The fields are:
Notification Email
Start backup at
Backup using
Server
User
Password
Password Confirmation
Server Path
3. Click Save.
Enabling backups
To enable the configured backup schedule, select Enabled in the System Backup Control section.
2. Click Run.
Backup file
The name of the resulting file has the following format:
<VSP_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz
where <VSP_FQDN> is the fully-qualified domain for the VSP.
The archive holds everything the restore procedure below needs to rebuild a VSP from factory defaults, so protect it with the same care as the VSP itself.
Procedure
Complete the following steps to restore your VSP from a backup:
1. Configure a new VSP or reset the existing VSP to the factory default state.
2. Move the backup file to a location that is reachable from System Manager.
3.
4.
5. Click Browse.
6.
7. Click Restore.
When the process is complete, a message displays prompting you to reboot.
8.
9.
10.
Restoring a system in this manner does not provide a replacement VSP. You can use
this restored system to view data or as the basis for a replacement system.
Chapter 22
Troubleshooting
Troubleshooting
Overview
Use the Troubleshooting page in the System console to investigate possible problems
with MobileIron operation. In most cases, you will use this page under the direction of
MobileIron Customer Support.
2. Select the checkboxes for the modules you want to place in debug mode: MICS, MIFS, Employee.
Click Save.
Disabling debugging
You can disable all debugging or you can select the modules for which you want to disable debugging.
1. Clear the checkbox next to each module you want to remove from debug mode.
2. Click Save.
Viewing logs
The Troubleshooting screen enables you to view the contents of debug logs directly from the console. Debugging must be enabled. Debug output can include device and user details, so enable it for the duration of the investigation and disable it afterward. The available logs are:
MICS
MIFS
System
Employee
Device
Catalina
Catalina2
Catalina3
Catalina4
System Backup
High Availability
LDAP
To view a log:
1. In the View Logs section, click the link for the log you want to view.
The displayed window shows the most recent log entries. The window scrolls dynamically as the MobileIron Server adds entries to the log.
2.

2. Select User or Phone to specify whether you want to view logs by user or device.
3.
4.
Exporting logs
You can upload logs directly to the default support site or a designated alternate site.
To upload logs:
1.
2.
3.
4.
5.
6. Complete the fields:
Host/IP or URL: For Host/IP, enter the server name. For example, support.mobileiron.com. For URL, enter the FQDN. For example, https://support.mobileiron.com. Prefer an https URL so that the log bundle and your credentials are encrypted in transit.
User Name
Password
Confirm Password
7.
Remote logs
If your system includes Sentries, you can configure and view the logs for each Sentry from the Remote Logs section of the Troubleshooting page.
Note that changing the debug mode (log verbosity) here overrides the settings configured in the Sentry user interface.
2. Select the Change Debug Mode link for the Sentry you want to troubleshoot.
The Change Debug Status dialog appears.
3.
4. Select one of the following options:
Sentry 3.3
Sentry
Sentry HTTP Packet Trace
Click Submit.
The updated debug status is communicated to the Sentry and reflected in the Sentry user interface the next time you refresh the Sentry Logs page.
If you selected Sentry, the Sentry is set to log at Level 1 and becomes enabled.
If you selected Sentry HTTP Packet Trace, the Sentry is set to log at Level 2 and becomes enabled.
A packet trace records the content of the HTTP traffic the Sentry handles, so restrict who can read these logs and return the Sentry to its normal level when the investigation is done.
2. Click the View Logs link for the Sentry you want to troubleshoot.
The log window appears.
Network monitor
The Network Monitor screen enables you to produce a TCP dump for one of the MobileIron Server physical interfaces. The information provided might assist in troubleshooting device connectivity problems. Click Download to store the results in a pcap file. Because no filter is applied, the capture contains everything that crossed the interface; treat the pcap as sensitive and delete it when the investigation is done.
Interface
Filter: Not implemented.
Snap Length: Not implemented.
Service diagnosis
You can use the Service Diagnosis page under Troubleshooting to check the health of the following services:
NTP
BES
Sentry
Email
DNS
MobileIron Gateway
SCEP
MapQuest
APNs
MobileIron support site
Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.
Chapter 23
About CLI
EXEC mode commands
EXEC PRIVILEGED commands
CONFIG commands
INTERFACE mode commands
About CLI
The CLI, or command line interface, enables authorized administrators to access certain functions from the command line in a terminal window.
Logging in
1.
2.
3.
Logging out
Use Ctrl-d to terminate the CLI session and close the terminal window. You can also
enter one of the following commands:
logout
exit
Help commands
Two commands are available to help you use the CLI:
help
?
Enter help to display a description of the interactive help system, including:
Auto-complete keys
Movement keys
Deletion keys
Enter ? to list available commands in the current mode or details for the current command.
For example, the following command lists all commands in the current mode:
>?
Note that the list of available commands varies according to the mode you are in. See
Modes on page 621.
Auto-complete keys
The following keys provide auto-completion capabilities:
Enter
Auto-completes the command line, performs syntax checking, and executes the
command if no syntax error exists. If a syntax error exists, help text is displayed.
Spacebar
Auto-completes the command.
Movement keys
Deletion keys
Modes
The CLI uses the following modes:
EXEC
Default mode established when you log in successfully.
EXEC PRIVILEGED
Privileged mode, enabling commands that affect device management.
CONFIG
Configuration mode, enabling commands that affect network management. In this
mode, you can use the Tab key to cycle through the available commands and subcommands.
INTERFACE
Mode for configuring physical and VLAN interfaces.
Entry to each mode is sequential: EXEC, EXEC PRIVILEGED, CONFIG, INTERFACE. To
access each mode, enter the mode from the previous mode. For example, to access
the CONFIG mode, you must be in the EXEC PRIVILEGED mode.
To access the different modes:
EXEC: not entered from another mode (it is the default after login). Return to the previous mode: exit, which exits the CLI session.
EXEC PRIVILEGED: accessible from EXEC mode with the command enable. Return to the previous mode: disable.
CONFIG: accessible from EXEC PRIVILEGED mode with the command configure terminal. Return to the previous mode: end.
INTERFACE: accessible from CONFIG mode with the command interface GigabitEthernet n or interface vlan n. Return to the previous mode: end.
The EXEC mode commands are:
enable
exit
help
host
logout
ping
show (show banner, show clock, show hostname, show interfaces, show ip, show log, show logging, show logtail, show memory, show ntp status, show processes, show service, show software repository, show tcp, show timeout, show version)
timeout
traceroute
enable
Enables EXEC PRIVILEGED mode for access to advanced commands.
Prompts for the enable-secret password, which is the system password initially set
during installation. Entering the correct password changes the command line prompt
from > to #.
See enable secret on page 647.
Example:
> enable
Password:
#
exit
Exits the EXEC mode and closes the terminal window.
help
Displays a description of the interactive help system, including:
Auto-completion keys
Movement keys
Deletion keys
See Help commands on page 619.
host
Queries Internet name servers to perform a DNS lookup. Specify one of the following parameters: hostname or IP address.
This command returns the hostname of the server if you specify an IP address, and it returns the IP address if you specify the hostname.
Note: This command executes the Linux command nslookup. See Linux man pages for more information.
Example:
>host yahoo.com
Server:         172.16.0.1
Address:        172.16.0.1#53

Non-authoritative answer:
Name:   yahoo.com
Address: 98.137.149.56
Name:   yahoo.com
Address: 98.139.180.149
Name:   yahoo.com
Address: 209.191.122.70
Name:   yahoo.com
Address: 72.30.2.43
logout
Exits from the EXEC mode and closes the terminal window.
ping
Sends echo messages. This command pings the destination server that the parameter specifies. Specify one of the following parameters: hostname or IP address.
Example:
>ping yahoo.com
show banner
Displays the banner that was displayed when you logged on to the command line
interface.
Example:
>show banner
************************************************************
*                    MobileIron VSP CLI                    *
*                                                          *
*                                                          *
************************************************************
Welcome user it is Tue Dec 13 21:27:03 UTC 2011
show clock
Displays the current system date, time, and time zone.
Example:
> show clock
Displaying system clock details
Tue Dec 13 21:25:12 UTC 2011
show hostname
Displays the hostname for the VSP.
Example:
>show hostname
appname.domain.com
show interfaces
Displays the configuration of the network interfaces configured for the VSP.
Example:
>show interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:6b:c6:23 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:2d brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:37 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:41 brd ff:ff:ff:ff:ff:ff
show ip
Displays IP information.
Specify one of the following parameters:
arp
domain-name
interface brief: Displays IP interface status and configuration. Add the following parameters to the command: <ifacename> <interfaceid>. The <ifacename> is either GigabitEthernet or VLAN. The <interfaceid> has the value 1 to 4 for GigabitEthernet and 1 - 4094 for VLAN. These interfaces are configured using the System Manager in the Admin Portal. See Managing network interfaces on page 547.
name-server
route
Example:
>show ip domain-name
+-----------------
Domain Name
+-----------------
mydomain.com
>show ip interface brief GigabitEthernet 1
+----------------+-----------+--------------+-------------+------------------
Interface         IP Address    Mask           Hw Addr             Admin State
+----------------+-----------+--------------+-------------+------------------
GigabitEthernet1  10.10.17.152  255.255.0.0    00:50:56:91:22:7e   up
>show ip route
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
default via 10.10.1.1 dev eth0
Note: In the show ip route output, default means that the network and mask are both 0.0.0.0.
show log
Displays the log file that the parameter specifies.
The available log files are:
mi.log
startup.log
cron
rpmpkgs
boot.log
suspend.log: Not used.
mysqld.log
messages
dmesg
secure: the Linux authentication log (for example, SSH logins to the CLI), the first place to look when reviewing who has been accessing the appliance.
mivmstat.log
mics.log
employee.log: WARN, INFO, and ERROR messages about employee device registration activity.
mifs.log
mai.log
catalina.out
catalina2.out
catalina3.out
catalina4.out
Example:
> show log mifs.log
--log 'tomcat/mifs.log' --
show logging
Displays the configured syslog server information:
IP address
log level
state
This information is configured in the System Manager, in Settings > Syslog. See Syslog on page 559.
The log level values displayed by this command are the standard syslog severities and correspond to the configured log levels as follows:
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Info
7 Debug
Example:
>show logging
+--------------+--------------+--------------
IP Address       Loglevel       State
+--------------+--------------+--------------
myLogserver.com  5              enable
show logtail
Displays the last ten lines (the tail) of the specified log. The command takes one parameter that is the name of the log file. See show log on page 626 for the list of available log files.
To exit from the show logtail command, enter Ctrl-C.
Example:
>show logtail mifs.log
--log 'tomcat/mifs.log' --tail -
/mi/tomcat2/webapps/mics/WEB-INF/pages/include.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/index.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles/mobir.css
/mi/tomcat2/webapps/mics/WEB-INF/pages/listRadius.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/micsLogin.jsp
/mi/tomcat2/webapps/mics/WEB-INF/remoting-servlet.xml
/mi/tomcat-properties/license.properties
/mi/tomcat-properties/datapurge.properties
/mi/tomcat-properties/mifs.properties
show memory
Displays information about free and used memory on the VSP.
This command executes the Linux command free. See Linux man pages for more information.
Example:
> show memory
             total       used       free     shared    buffers     cached
Mem:       2135892    2065440      70452          0     146848     456292
-/+ buffers/cache:    1462300     673592
Swap:      4192956         12    4192944
show ntp status
Displays the configured NTP servers.
Example:
>show ntp status
+-----------+--------------------+
  Index       NTP Server
+-----------+--------------------+
  0           172.16.0.1
show processes
Displays the processes running on the VSP.
Note: This command executes the Linux command ps auxwww. See Linux man pages
for more information.
Example:
>show processes
show service
Displays the status for configured services such as Telnet, SSH, and NTP. You can enable these services and set the maximum number of sessions using the System Manager in the Admin Portal. See CLI on page 557.
Telnet sends the login name and password in clear text; leave it disabled unless you have no alternative and use SSH for CLI access.
Example:
>show service
+------------+-----------+--------------
Servicename    Enabled     Max.Sessions
+------------+-----------+--------------
ssh            yes         5
telnet         yes         5
ntp            yes
show software repository
Displays the configured software repository and the user name used to reach it; the password column is left blank.
Example:
>show software repository
+------------------------------------------+---------------+----------
Software repository                         Username          Password
+------------------------------------------+---------------+----------
myRepositoryServer.com                      RepositoryUserId
show tcp
Lists information about all active TCP ports. This information provides traffic statistics
and can help identify network problems.
Note: This command executes the Linux command netstat -nat. See Linux man
pages for more information.
Example:
>show tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
.
.
.
The columns are Proto, Recv-Q, Send-Q, Local Address, Foreign Address, and State.
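The useful security question to ask of this output is which listeners are bound to a real interface (reachable from the network) rather than to 127.0.0.1. The following Python script, added as an example and not part of the MobileIron product, parses show tcp output in the netstat -nat format shown above and reports listeners that are exposed but not on an expected list. The sample output is constructed: the loopback lines are the ones from the example, and the 0.0.0.0:443, 0.0.0.0:22 and 0.0.0.0:23 lines are assumed (the last matches the telnet service shown enabled in show service).

```python
import re

# Constructed sample in the format `show tcp` (netstat -nat) prints.
SAMPLE_SHOW_TCP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.10.17.152:443        10.10.30.9:51522        ESTABLISHED
"""

# proto recv-q send-q local:port foreign state
LINE_RE = re.compile(
    r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\S+)\s*$")

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_show_tcp(text):
    """Return one dict per connection line; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, _recvq, _sendq, laddr, lport, faddr, state = match.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport) if lport != "*" else None,
            "foreign": faddr,
            "state": state,
        })
    return rows


def exposed_listeners(rows):
    """Ports in LISTEN state bound to anything other than loopback, sorted."""
    return sorted({
        row["local_port"] for row in rows
        if row["state"] == "LISTEN"
        and not row["local_addr"].startswith(LOOPBACK_PREFIXES)
    })


def unexpected_listeners(rows, allowed_ports):
    """Exposed ports that are not in the expected set, for example {22, 443}."""
    return [port for port in exposed_listeners(rows) if port not in allowed_ports]


if __name__ == "__main__":
    rows = parse_show_tcp(SAMPLE_SHOW_TCP)
    print("exposed:", exposed_listeners(rows))                 # [22, 23, 443]
    print("unexpected:", unexpected_listeners(rows, {22, 443}))  # [23]
```

Paste the real show tcp output in place of the sample and set allowed_ports to the services you intend to expose; anything else in the result is either a service to disable in the System Manager or a host firewall rule to add.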
show timeout
Displays the currently configured idle timeout for the CLI in minutes. The value 0 indicates no timeout. The timeout value is configured using the System Manager in the
Admin Portal. See CLI on page 557.
Example:
>show timeout
+--------------------------
Cli Idle Timeout in Minute(s)
+--------------------------
show version
Displays the currently installed version of the VSP software.
Example:
>show version
VSP 4.5.0 Build 47
timeout
Sets the idle timeout for the CLI. Enter the number of minutes between 0 and 9999. The value 0 disables the timeout and leaves an unattended CLI session open indefinitely; use a nonzero value on a production VSP.
Example:
>timeout 150
You can also set the CLI idle timeout using the System Manager in the Admin Portal.
See CLI on page 557.
traceroute
Displays the network route to the specified destination.
Specify one of the following parameters:
Parameter
Description
hostname
IP address
Examples:
>traceroute 173.194.33.43
traceroute to 173.194.33.43 (173.194.33.43), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 4.808 ms 5.481 ms 6.112 ms
2 * * *
.
.
.
>traceroute google.com
traceroute to google.com (173.194.33.45), 30 hops max, 40 byte packets
1 10.10.1.1 (10.10.1.1) 5.268 ms 5.933 ms 6.564 ms
2 * * *
.
.
.
The EXEC PRIVILEGED mode commands are:
clear arp-cache
configure terminal
dbcleanup app_inventory
disable
end
failover
grubupdate
install rpm
no install rpm
poweroff
reload
service
setup
show (show portalacl, show running-config, show statichost, show system, show tech, show kparams)
software checkupdate
software update
ssh
telnet
write
clear arp-cache
Clears the ARP cache on the VSP, listing each cleared ARP entry. The ARP cache stores
a mapping of IP addresses with link layer addresses, which are also known as Ethernet
addresses and MAC addresses. If the mapping in the cache is stale, use this command
to clear the cache. A mapping can become stale, if, for example, an IP address has
moved to a new host.
Example:
#clear arp-cache
Deleting Arp Entry for 100.10.10.10
Deleting Arp Entry for 10.10.19.21
configure terminal
Enters configuration mode. See CONFIG commands on page 644 for the commands
you can enter in configuration mode.
Example:
#configure terminal
Enter configuration commands, one per line.
/config#
dbcleanup app_inventory
Deletes duplicate and unused rows from app inventory tables. Requires portal service
restart.
Example:
#dbcleanup app_inventory
Requires portal service restart. Proceed? (y/n)y
Stopping tomcat:
AppInventry cleanup...
OK
disable
Returns to EXEC mode.
Example:
#disable
>
end
Returns to EXEC mode.
Example:
#end
>
exit
Terminates the CLI session and closes the terminal window.
failover
Commands to assist with managing VSP failover. Failover allows a secondary VSP to
take over if the primary VSP fails when your installation requires high availability. For
more information about implementing a high availability solution, contact MobileIron
Technical Support.
Note: High availability is a non-standard VSP feature.
grubupdate
Updates the grub configuration. Requires a reload.
Note: This command should not be used on VMs. It should be used only for the physical appliance.
Example:
#grubupdate
install rpm
Installs VMware Tools. If your VSP runs in VMware, use this command to install the
VMware Tools installation package. The installation package is an RPM file or a .tar.gz.
The parameter specifies where to find the file.
Warning: Use this command only to install third-party RPM or tar files that MobileIron has approved, such as VMware Tools. A package installed this way runs with full privileges on the appliance, so fetch it only from a source you control and check its integrity before installing it.
Parameters:
cdrom
file: Unused.
url
info
Examples:
The following example shows the initial output when installing VMware Tools from CD-ROM. Although not shown here, the installation continues with VMware Tools configuration.
#install rpm cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
Select rpm/tar file to install
0. None - Do not install any thing
1. /mnt/VMwareTools-4.0.0-171294.tar.gz
Enter your selection: 1
Installing /mnt/VMwareTools-4.0.0-171294.tar.gz
Creating a new VMware Tools installer database using the tar4 format.
Installing VMware Tools.
In which directory do you want to install the binary files?
[/usr/bin]
What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc/rc.d]
What is the directory that contains the init scripts?
[/etc/rc.d/init.d]
In which directory do you want to install the daemon files?
[/usr/sbin]
In which directory do you want to install the library files?
[/usr/lib/vmware-tools]
The path "/usr/lib/vmware-tools" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]
In which directory do you want to install the documentation files?
[/usr/share/doc/vmware-tools]
no install rpm
Uninstalls a MobileIron-approved third-party RPM. See install rpm on page 635.
For the list of no commands possible in CONFIG mode, see no on page 651.
poweroff
Turns off the VSP. This command not only logs you out of the CLI, but shuts down the
operating system and powers off the VSP.
Example:
#poweroff
System configuration may have been modified. Save? [yes/no]: yes
Configuration saved.
Proceed with power-off? [yes/no]
reload
Halts the VSP and performs a cold restart.
Example:
#reload
System configuration may have been modified. Save? [yes/no]: yes
Configuration saved.
Proceed with reload?
service
Performs operations on the Tomcat and iptables services. You can start and stop these services, and check their status.
The parameters are:
service name: tomcat or iptables
operation: start or stop the service, or check its status
Stopping iptables removes the host firewall rules until the service is started again, so do it only briefly and only while you are watching the VSP.
Example:
#service tomcat start
Starting tomcat: Using TOMCAT_ALLOCATION_MB=11235
.
.
.
[OK]
#service iptables start
Applying iptables firewall rules:
[OK]
setup
Runs the setup wizard to reconfigure an installation. This command takes you through
the initial configuration of the VSP.
Example:
#setup
VSP 4.5.2 Build 32 (Branch r4.5.2)
Welcome to the Mobile Iron Configuration Wizard
Use the - character to move back to the previous field
Continue with configuration dialog? [yes/no]:
show portalacl
Displays the configured portal Access Control Lists (ACLs), which restrict access to
various portals of the VSP. The access is restricted to certain servers or networks by
specifying their IP addresses or network/mask pairs.
For more information, see Portal ACLs on page 591, which describes how you configure the portal ACLs in the System Manager, Security > Access Control List > Portal
ACLs.
Example:
#show portalacl
+----------------------------------------------------------------------
Module              Access Allowed From
+----------------------------------------------------------------------
MyPhoneAtWork       10.10.17.12
show running-config
Displays the configuration under which the VSP is currently running.
The following list shows the configuration information that this command displays, with the System Manager location in the Admin Portal where it is configured and the corresponding documentation where known:
Network interfaces: Managing network interfaces on page 547
DB config: Not used.
Network routes
DNS servers
NTP servers
Portal ACLs: Portal ACLs on page 591
Example:
#show running-config
show statichost
Displays the configured static hosts. The static hosts are configured using the System
Manager, in Settings > Static Hosts or with the CLI command statichost. See Static
Hosts on page 553 and statichost on page 654.
Example:
#show statichost
+------------------+------------------------------------
IP Address          FQDN
+------------------+------------------------------------
172.16.80.2         mysentry.mycompany.com
show system
Displays system information as specified by the parameter. Most parameters result in
displaying output from Linux commands. For more information about Linux command
output, see the Linux man page description available on the Web.
Parameters:
disk
top
toprt
uptime
Examples:
#show system disk
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              80G  3.0G   73G   4% /
/dev/sda1              99M   12M   82M  13% /boot
tmpfs                 7.9G  8.0K  7.9G   1% /dev/shm
show tech
Gets VSP logs and database dumps for diagnostics. This command transfers the diagnostic files to a server that you specify, using either HTTP(S) or SFTP.
Specify the following parameters:
http or sftp: the transfer protocol
URL
host
alllogs: Enter No. Enter Yes only if the VSP had restarted since the issue occurred.
username
support-ticket-number
The bundle includes database dumps, so it is sensitive: send it only to the intended support destination, and prefer an https URL or sftp so it is encrypted in transit.
For more information about the logs, see Working with logs on page 609.
Example:
#show tech http https://support.mobileiron.com/uploads No mysupportusername
Enter Password for user mysupportusername:
software checkupdate
Checks the configured software repository for available updates to the VSP. The repository information is configured using the System Manager, in Maintenance > Software
Updates. See Getting MobileIron server software updates on page 595.
Example:
#software checkupdate
software update
Installs the updates located using software checkupdate. Use the reload command
after using the software update command. See Getting MobileIron server software
updates on page 595.
Example:
#software update
...
#reload
ssh
Opens an ssh connection.
Specify the following parameters: user and server.
Example:
#ssh miadmin 100.10.10.10
miadmin@100.10.10.10's password:
telnet
Opens a telnet connection. Telnet sends the login name and password in clear text, so use ssh instead wherever the remote host supports it.
Specify the following parameter: server.
Example:
#telnet 100.10.10.10
login: miadmin
password:
write
Saves configuration changes.
The changes you make in your CLI session are not saved across reboots of the VSP,
although they are remembered between CLI sessions. Therefore, to ensure your
changes are not lost, use the write command to save your changes.
If you do not save your changes, a reboot will return the VSP to its previously-saved
configuration.
Example:
#write
CONFIG commands
The commands specific to the CONFIG mode are summarized in the following list, and then described in detail in alphabetical order.
In addition, the EXEC mode commands exit, help, and timeout are also available in CONFIG mode.
banner
certificate client
certificate portal
clock set
do
enable secret
end
eula
hostname
interface GigabitEthernet
interface VLAN
ip arp
ip domain-name
ip name-server
ip route
kparam
no
ntp
portalacl
service
service support
software repository
statichost
syslog
system user
banner
Defines the text to appear in the CLI login banner. You can specify two strings. The
strings cannot include spaces.
Specify the following parameter: bannername.
Example:
certificate client
Generates a self-signed certificate for the MobileIron client for use with TLS.
For more information, see Certificate Mgmt on page 576, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.
Example:
/config#certificate client
Tlsproxy service will be disrupted.
Would you like to proceed? [y/n]:
/config#
Note: The CLI does not provide a confirmation that the certificate was generated.
certificate portal
Generates a self-signed certificate for MobileIron Sentry configurations.
For more information, see Certificate Mgmt on page 576, which describes how to do this task in the System Manager, in Security > Certificate Mgmt.
A self-signed certificate cannot be validated against a CA and is not trusted by devices or browsers, so use it only until a CA-issued certificate has been uploaded (see Uploading certificates on page 580).
Example:
/config#certificate portal
Services will be disrupted.
Would you like to proceed? [y/n]: y
/config#
Note: The CLI does not provide a confirmation that the certificate was generated.
clock set
Sets the date and time on the VSP.
Specify the following parameters: time, day, month, year.
Example:
/config#clock set 10:34:59 23 February 2012
/config#
do
Runs EXEC or EXEC PRIVILEGED commands from CONFIG mode.
Use the do command when you are in CONFIG mode and want to run a command from EXEC PRIVILEGED mode, but don't want to have to exit and reenter CONFIG mode. After the keyword do, enter the command. For example:
/config#do ping someWebSite.com
The following commands can be run using do:
clear arp-cache
clock set
disable
help
host
logout
ping
poweroff
reload
show
telnet
timeout
traceroute
write
Example:
/config#do show banner
enable secret
Changes the enable-secret password. This password allows you to change from EXEC mode to EXEC PRIVILEGED mode in the CLI.
For more information, see CLI on page 557, which describes how to do this task in the System Manager, in Settings > CLI.
The new password is passed as a command argument, so it is echoed on screen and captured by any terminal logging of the session; run the command from a private terminal and choose a strong value rather than one like the example below.
Example:
/config#enable secret NewPwd123
end
Returns to EXEC PRIVILEGED mode.
Example:
/config#end
eula
Sets the End User License Agreement (EULA) information.
Specify the following parameters: companyname, contactname, contactemail.
Example:
/config#eula My Company Joe Doe jdoe@mycompany.com
hostname
Configures the VSP's fully-qualified host name.
Specify the following parameter: hostname.
For more information, see DNS and Hostname on page 552, which describes how to
do this task in the System Manager, in Settings > DNS and Hostname.
Example:
/config#hostname myhost123
interface GigabitEthernet
Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, or 4 to
specify which interface.
For more information, see Managing network interfaces on page 547, which
describes configuring the physical interfaces in System Manager, in Settings > Interfaces.
Example:
/config#interface GigabitEthernet 2
/config-if#
interface VLAN
Switches to INTERFACE mode to configure virtual Local Area Network (VLAN) interfaces. Specify a number between 1 and 4094 for the VLAN ID.
For more information, see Managing network interfaces on page 547, which
describes configuring the VLAN interfaces in System Manager, in Settings > Interfaces.
Example:
/config#interface vlan 2
/config-vlan#
ip arp
Updates the ARP cache on the VSP. The ARP cache stores a mapping of IP addresses
with link layer addresses, which are also known as Ethernet addresses and MAC
addresses.
Typically, the ARP cache is updated automatically, making this command unnecessary.
Specify the following parameters:
Parameter        Description
IP address       IP address of the entry.
Mac address      MAC (link layer) address to map to the IP address.
Interface type   Interface type, for example GigabitEthernet.
Interface ID     Interface number.
Example:
/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1
ip domain-name
Sets the default domain name. This value is shown in the System Manager, in
Settings > DNS and Hostname.
For more information, see DNS and Hostname on page 552.
Example:
/config# ip domain-name mycompany.com
/config#
ip name-server
Sets the preferred DNS server.
For more information, see DNS and Hostname on page 552, which describes configuring the DNS servers in System Manager, in Settings > DNS and Hostname.
Example:
/config# ip name-server 10.10.15.6
/config#
ip route
Configures a static network route. This command specifies the subnet mask of the destination network and the gateway to use for routing to it.
Parameter    Description
IP address   Network IP address of the destination.
mask         Subnet mask of the destination network.
gateway      IP address of the gateway (next hop).
For more information, see Routes on page 550, which describes configuring the
static network routes in System Manager, in Settings > Network > Routes.
Example:
/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1
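Before entering an ip route command it is worth checking that the three arguments are consistent: the network address must be aligned to the mask, and the gateway must sit on a subnet configured on one of the appliance's interfaces, otherwise the route is accepted but never usable. The following Python check is an added example written for this page, not MobileIron code. The GigabitEthernet 2 address is the page's own ip address example; the GigabitEthernet 1 address and the reachability rules themselves are assumptions, since the page does not describe the appliance's own validation.

```python
import ipaddress

# Constructed interface table. GigabitEthernet 2 carries the address used in
# this page's `ip address` example; GigabitEthernet 1 is an assumed address.
INTERFACES = {
    "GigabitEthernet 1": ipaddress.ip_interface("10.10.1.5/24"),
    "GigabitEthernet 2": ipaddress.ip_interface("10.10.17.27/24"),
}


def check_static_route(network, mask, gateway, interfaces=INTERFACES):
    """Sanity-check the arguments of `ip route <network> <mask> <gateway>`.

    Returns (ok, reason). These are the checks an operator would apply by hand
    before committing the route; they are assumptions, not the appliance's own
    validation.
    """
    try:
        # strict=True rejects a network address with host bits set, e.g.
        # 192.168.57.5/255.255.255.0, which a mistyped address often produces.
        dest = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError as exc:
        return False, f"invalid network/mask: {exc}"
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, f"invalid gateway: {exc}"
    if gw in dest:
        # The route being added would be needed to reach its own gateway;
        # almost always a swapped or mistyped argument.
        return False, "gateway lies inside the destination network"
    for name, iface in interfaces.items():
        if gw == iface.ip:
            return False, f"gateway is the local address of {name}"
        if gw in iface.network:
            return True, f"reachable via {name}"
    return False, "gateway is not on any connected subnet"


def route_report(routes, interfaces=INTERFACES):
    """Check a list of (network, mask, gateway) tuples; map command -> result."""
    return {
        f"ip route {n} {m} {g}": check_static_route(n, m, g, interfaces)
        for n, m, g in routes
    }


if __name__ == "__main__":
    sample = [
        ("192.168.57.0", "255.255.255.0", "10.10.1.1"),   # this page's example
        ("192.168.57.5", "255.255.255.0", "10.10.1.1"),   # host bits set
        ("192.168.57.0", "255.255.255.0", "10.10.99.1"),  # gateway not connected
        ("10.10.17.0", "255.255.255.0", "10.10.17.1"),    # gateway inside destination
    ]
    for cmd, (ok, why) in route_report(sample).items():
        print(f"{'OK ' if ok else 'BAD'} {cmd}: {why}")
```

Run the file directly to see the four sample routes classified; only the page's own example passes against the constructed interface table.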
kparam
Configures kernel parameters.
Specify the following parameter:
Parameter    Description
name         Name of the kernel parameter.
Example:
/config#kparam rp_filter
no
Deletes, resets, and disables various system configurations. The following no
commands are available in CONFIGURE mode:
no banner
no hostname
no ip domain-name
no kparam <name>
4094>
no portalacls
no service support
ntp
Configures the time sources. The time sources are Network Time Protocol (NTP) servers; the NTP client on the VSP measures how far the system clock has drifted from them and corrects it smoothly.
You can configure the NTP servers in the System Manager, in Settings > Date and
Time (NTP). See Date and Time (NTP) on page 555.
Specify the following parameters:
Parameter    Description
server       Address of the NTP server.
index        Position of the server in the list of time sources.
Example:
/config# ntp 172.16.0.1 0
portalacl
Configures the portal Access Control Lists (ACLs), which restrict access to the various portals of the VSP. Access is restricted to the servers or networks you specify by IP address, network and mask pair, or hostname.
Parameter    Description
module       Portal to restrict. One of: MyPhoneAtWork, SmartphoneManagerPortal, SystemManagerPortal, SentryConnection, APIConnection, iOSMDM, iOSiRegURL, AppStorefrontConnection.
host         IP address, network and mask pair, or hostname of the server or network that is allowed access.
Example:
/config#portalacl MyPhoneAtWork 10.101.1.119
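The portalacl command takes a module name and a host argument in one of three forms. The Python below, an added example written for this page rather than MobileIron code, models how such entries expand to address ranges and whether a given client address is admitted to a module, so an operator can reason about an ACL set before applying it. The accepted spellings of a network and mask pair (net/prefix or net/dotted-mask), the default-allow behaviour for a module with no entries, IPv4 only, and the offline hostname table are all assumptions; the page does not state the appliance's own evaluation rules.

```python
import ipaddress

# The module names this page lists for portalacl.
MODULES = frozenset({
    "MyPhoneAtWork", "SmartphoneManagerPortal", "SystemManagerPortal",
    "SentryConnection", "APIConnection", "iOSMDM", "iOSiRegURL",
    "AppStorefrontConnection",
})

# Constructed stand-in for DNS so the example runs offline; the entry mirrors
# this page's statichost example.
STATIC_HOSTS = {"mysentry.mycompany.com": ["172.16.80.2"]}


def parse_host(spec, resolver=STATIC_HOSTS):
    """Expand a portalacl host argument into a list of IPv4 networks.

    Accepted forms (assumed syntax): a single address ('10.101.1.119'), a
    network with prefix or dotted mask ('10.10.15.0/24',
    '10.10.15.0/255.255.255.0'), or a hostname looked up in `resolver`.
    """
    if "/" in spec or spec.replace(".", "").isdigit():
        # strict=True refuses '10.10.15.7/24': silently widening a host entry
        # to its whole /24 would admit far more clients than intended.
        return [ipaddress.ip_network(spec, strict=True)]
    if spec not in resolver:
        raise ValueError(f"hostname {spec!r} does not resolve")
    return [ipaddress.ip_network(addr) for addr in resolver[spec]]


class PortalAcl:
    """Per-module allow lists built from portalacl entries."""

    def __init__(self):
        self.rules = {}

    def add(self, module, host, resolver=STATIC_HOSTS):
        if module not in MODULES:
            raise ValueError(f"unknown module {module!r}")
        self.rules.setdefault(module, []).extend(parse_host(host, resolver))

    def allows(self, module, client_ip):
        """True if client_ip may reach module.

        Assumption: a module with no entries stays open to every address,
        which is why SystemManagerPortal deserves an entry early on.
        """
        nets = self.rules.get(module)
        if not nets:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in nets)


def entry_error(module, host, resolver=STATIC_HOSTS):
    """Return None if `portalacl module host` would be accepted, else the reason."""
    try:
        PortalAcl().add(module, host, resolver)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    acl = PortalAcl()
    acl.add("MyPhoneAtWork", "10.101.1.119")  # this page's example
    acl.add("SystemManagerPortal", "10.10.15.0/255.255.255.0")
    acl.add("SentryConnection", "mysentry.mycompany.com")
    for module, ip in [("MyPhoneAtWork", "10.101.1.119"),
                       ("MyPhoneAtWork", "10.101.1.120"),
                       ("SystemManagerPortal", "10.10.15.41"),
                       ("APIConnection", "203.0.113.9")]:
        print(module, ip, "allowed" if acl.allows(module, ip) else "denied")
```

The last line of the sample run shows the point of the default-allow assumption: APIConnection has no entry, so any address is admitted until one is added.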
service
Enables the service ssh, telnet, or ntp. For telnet and ntp, this command also sets the
number of instances allowed for the service.
Parameter    Description
name         Service to enable: ssh, telnet, or ntp.
instances    Number of instances allowed (telnet and ntp only).
Telnet carries credentials and session data in cleartext. Enable it only on a trusted
management network, and prefer ssh for CLI access.
Example:
/config#service telnet 4
service support
Unlocks and resets the password for the support account. This command allows one-time access to the misupport Linux user account, using the displayed account password.
Warning: Do not access the Linux misupport account unless you are working closely
with MobileIron Technical Support. MobileIron cannot help you recover if you damage
your system when working on your own in the Linux command shell.
Example:
/config#service support
One-time-password for account misupport set to XRXFHT1str
software repository
Configures the software repository URL. This URL specifies the location of software
updates for the VSP. You can also configure the software repository in the System
Manager, in Maintenance > Software Updates. See Getting MobileIron server software updates on page 595.
Specify the following parameter:
Parameter    Description
urlstring    URL of the software repository.
statichost
A static host configuration maps a fully-qualified domain name to an IP address. This
static mapping is useful in the following cases:
Specify the following parameters:
Parameter    Description
ip           IP address.
fqdn         Fully-qualified domain name to map to the IP address.
Example:
/config#statichost 172.16.80.2 mysentry.mycompany.com
syslog
Configures syslog server information.
Parameter    Description
server       Address of the syslog server.
loglevel     Log level value, 0 through 7, as listed in the following table.
The log level value you specify in this command corresponds to the standard syslog
severity levels as follows:
Log level value    Log level
0                  Emergency
1                  Alert
2                  Critical
3                  Error
4                  Warning
5                  Notice
6                  Info
7                  Debug
For more information, see Syslog on page 559, which describes configuring the syslog servers in System Manager, in Settings > Syslog.
system user
Creates a System Manager user account. Specify the following parameters:
Parameter    Description
username     User name.
password     Password for the account.
For more information, see Identity Source > Local Users on page 573.
There are two INTERFACE modes:
GigabitEthernet    Configures the physical GigabitEthernet interfaces.
VLAN               Configures the virtual Local Area Network (VLAN) interfaces.
You enter each INTERFACE mode from the CONFIG mode using the commands interface GigabitEthernet on page 649 or interface VLAN on page 649. For example:
/config# interface GigabitEthernet 2
/config-if#
Each INTERFACE mode has its own set of commands that are applied to the specified
interface, such as GigabitEthernet 2 in the above example. Most commands are
shared by both modes.
The commands specific to the INTERFACE modes are do, end, exit, ip address, no,
and shutdown. They are listed in detail below in alphabetical order.
end
Returns to CONFIGURE mode.
Example:
/config-if#end
/config#
/config-vlan#end
/config#
ip address
Configures the IP address and mask of the GigabitEthernet or VLAN interface you
specified in the interface command.
Parameter    Description
IP address   IP address of the interface.
mask         Subnet mask.
Example:
/config#interface GigabitEthernet 2
/config-if#ip address 10.10.17.27 255.255.255.0
no
Use the no command in INTERFACE mode as described in the following table.
Command         Description
no ip address   Removes the IP address and mask from the GigabitEthernet or VLAN interface that you specified in the interface command.
no shutdown     Enables the GigabitEthernet or VLAN interface that you specified in the interface command.
physical interface
Specifies the GigabitEthernet interface on which to create the VLAN interface that
you specified in the interface command.
Parameter                          Description
GigabitEthernet interface number   A value between 1 and 4 that specifies the GigabitEthernet interface on which to create the VLAN interface.
Example:
/config#interface vlan 1
/config-vlan#physical interface GigabitEthernet 1
shutdown
Disables the VLAN or physical interface that you specified in the interface command.
To enable the interface, use no shutdown. See no on page 657.
Examples:
The following command disables a physical interface:
/config#interface GigabitEthernet 1
/config-if#shutdown
/config-if#
Section V: Appendixes
Appendix A
Known issues
Android: Manually removing the MobileIron app from the device does not re-enable a
camera that has been locked down on devices that have the Samsung Enterprise APIs.
Android: When the native email client is configured and then TouchDown is
installed, the email on the native client will not be de-provisioned. The user must
manually remove the Exchange account from the native client. This will remove all
of the associated data.
There are known issues with NitroDesk's TouchDown software. See http://
www.nitrodesk.com/updates.aspx for information if you are having issues with your
TouchDown installation.
VS-8271: Changing the booting order of hard drives after upgrading from Sentry
3.2-MR1 to Sentry 3.3.1 causes the server to hang on reboot.
VS-8231: After an upgrade from Sentry 3.2 to Sentry 3.3.1, ACLs having the Action
field set to "Log and Deny" do not function. Attempting to apply a new ACL with
"Log and Deny" results in an error.
AL-9: When configuring Kerberos Constrained Delegation on Sentry, if you list multiple Key Distribution Centers using hostnames (as opposed to IP addresses) and
the first Key Distribution Center in the list is invalid or not reachable, subsequent
Key Distribution Centers in the list are not contacted. Workaround: Use IP
addresses in the Key Distribution Center field.
VS-7108: iOS: Intermittent email issues have been reported, including errors when
resyncing email, missing subject content, and email with a received date of 1969.
These issues are not related to MobileIron software.
VS-3679: During tomcat restarts, severe errors reported by the tomcat servlet
cleanup can be ignored.
VS-7234: Attempts to clear all Sentry logs from the Troubleshooting screen result
in only the current log being cleared.
VS-7277: Errors found during the file system check after a scheduled reboot result
in a prompt for user intervention. Contact Support. Note that this is a rare occurrence.
VS-936: If a NAT with a small source port range is positioned between Sentry and
mobile devices, Sentry might drop a connection that reuses a source port from a
previously established connection.
IOS-105: On iPhone 4S devices, the MobileIron app occasionally fails to report the
operator to the VSP.
IOS-101: The MobileIron app prompts device users to update the configuration if
the MobileIron app is open when the administrator retires the device.
IOS-100: If an APNs message arrives while the device user is performing a connection speed test, then the MobileIron app may exit to the home screen.
VS-8009: The VSP does not generate SIM change events when the latest MobileIron app for iOS is installed.
VS-8266: tomcat occasionally fails to start after a power outage or after successive
reboots. Workaround: Manually start the midb process first, then manually restart
tomcat.
VS-7618: iOS: The badge count shown on the app storefront Featured tab may
become inconsistent with the MyPhone@Work badge count if the administrator
publishes updates to non-featured apps.
VS-7566: The iOS app storefront displays "Page does not exist" or does not
respond when a device user requests a prepaid app and all VPP codes for that app
have been used.
VS-7830: Upgrading a 4.5 VSP to 4.5.4 using the recommended upgrade procedure
(that is, performing the upgrade for each release between 4.5 and 4.5.4) does not
result in the expected distribution of certificates to Android 3.x devices. Workaround: Remove and re-apply the labels associated with the certificates.
VS-7742: Android: The VSP indicates that the security policy has been applied,
though the device user has not yet initiated the SD card encryption process.
VS-7659: Device users having iOS versions prior to 5.1 might notice a slight flicker
when navigating between tabs in the iOS app storefront.
VS-7644: The iOS app storefront sometimes displays the UPDATE flag when there
is no update available for the given app. This is a result of inconsistent version
reporting by app vendors.
VS-7564: Featured apps that are published to non-MDM iOS devices incorrectly
cause the new app badge on the Featured tab to display.
VS-7254: After the MDM profile has been removed and replaced on an iOS device,
the VSP generates an alert incorrectly indicating that the MDM profile is missing.
This issue resolves itself after the device checks in again.
VS-7685: The APN app setting for iOS does not accept a URL in the Proxy Server
field.
VS-8072: Adding a BES 5.0.3 server on a VSP results in the following error: "Could
not connect to URL: Couldn't create SOAP message due to exception: XML reader
error". Workaround: Run the BAS in compatibility mode.
AC-926: When a Samsung device is upgraded to the Android 4.5.3 client and then
retired, the Samsung DM agent remains activated.
VS-5799: Android: If two Exchange app settings are applied to an Android device,
then the VSP shows both as partially applied, and View Details displays details for
only one of them. The Android client is designed to handle this situation by applying
neither configuration.
VS-5965: Android: VPN profile status is not supported when the profile is applied
via Symantec Managed PKI.
VS-4921: Android: Devices that are already compliant with the password policy
upon registration trigger a false non-compliance alert.
VS-7114: iOS: Devices may have a 30-minute MDM check-in delay after initial registration.
VS-7267: When multiple LDAP servers are configured, attempts to register a device
can fail if the specified user ID was previously imported from a different LDAP
server and then deleted from the VSP.
VS-6410: When the Enterprise Connector service is running, the Preferences link is
not displayed under Settings > LDAP. Workaround: Disable the Enterprise Connector service temporarily. Do not forget to re-enable the Enterprise Connector before
exiting.
VS-7050: The Enterprise Connector for the on-premise VSP erroneously displays
the Sentry service.
VS-7161: The Service Diagnosis page fails to verify the Entrust SCEP server.
VS-6849: If a user enters an incorrect value for the challenge specified under an
Entrust SCEP implementation, then the error message returned is not helpful.
VS-6434: Blocking of devices based on mailbox count has inconsistent results due
to several factors, including OS and interaction with other policies.
VS-6163: Any in-house app having an incorrectly configured icon will still prompt
for a username and password, despite having certificate-based authentication configured.
VS-6754: Devices that are blocked from syncing email because they are unregistered continue to be blocked after the Sentry setting for blocking unregistered
devices is disabled.
VS-4848: Pushing two identical LDAP settings having different names to the same
device produces errors in the MDM log. There is no functional impact.
VS-5443: The wrong operator is reported for MCC=232, MNC=01. This pair should
result in Austria / A1.
VS-5412: iOS: The VSP does not provide a way to set the Auto Lock option to
Never.
VS-5384: Provisioning requests time out during device registration if the VSP has
Exchange configured via SCEP settings.
VS-7205: iPad users who receive an APNs message concerning an available app are
not automatically routed to app details.
VS-6806: The VSP truncates MDM logs older than 2 days and does not prune nonessential rows first.
VS-6428: Editing a WiFi app setting causes the status for the setting to remain in
the Sent state. There is no functional impact.
VS-6168: Filtering by the Company-owned label in the App Inventory page displays
devices that do not have that label applied.
VS-6079: The LDAP Sync History feature in System Manager incorrectly reports
the amount of time it took for the LDAP synchronization to complete.
VS-5679: If the automatic upgrade of the Connector from 4.3 to 4.5.2 fails, do not
upgrade manually. Reinstall, instead.
VS-5963: Uploading new screenshots for an existing app in the app distribution
library clears the rest of the data from the Edit App form.
VS-6061: iOS: The SSID entry is dropped when the VSP pushes a WiFi profile created in the iPhone Configuration Utility.
VS-5971: iOS: Waiting more than 15 minutes after accessing the web app storefront results in the following message when an in-house app download is
attempted: "The manifest for the app at _____ could not be validated." Workaround: Close all Safari sessions, restart the MobileIron app, and retry the app
download.
VS-5947: Existing unregistered devices are not immediately blocked when the
AutoBlock option is enabled.
VS-5308: iOS: When a user attempts to access the web app storefront via an APNs
message sent by the administrator, access to the app storefront occasionally fails.
Workaround: For iOS 5, click the APNs message again. For iOS 4, the administrator
must resend the APNs message.
VS-5287: iOS: Attempts to use the webclip to access the app storefront on devices
that do not have MDM enabled fail with the following message: "Cannot Open
Apps@Work. The URL can't be shown"
VS-6028: The Exclude User option does not work for Security Policy Violation
events.
VS-5899: The Password field under App Settings > Email cannot be modified once
the setting is saved.
VS-5898: iOS: Changes in Email app settings require the device to be rebooted.
VS-5888: iOS: Email settings are removed from iPhone 4 (iOS 5) when the email
profile is updated via App Settings > Email.
VS-5959: Using the Compatibility View with Internet Explorer 8 results in missing
controls. Workaround: Turn off Compatibility View.
VS-5484: MobileIron fails to report an LDAP sync failure if the failure is due to an
incorrect or expired password.
VS-5457: iOS: "Profile could not be decrypted" displays intermittently during registration.
VS-5437: iOS: Attempting to reinstall an app that was removed as the result of
quarantine produces an HTTP 401 error instead of a proper message.
VS-5445: iOS: Logs do not indicate that a managed app has been removed from a
quarantined device.
VS-5313: iOS: After upgrading the MobileIron app for iOS to 4.5.x, the web App
Storefront is not available. Workaround: Exit and reopen the MobileIron app.
VS-5307: iOS: iOS 5 devices cannot use the link in an APNs message sent from the
App Distribution page.
VS-4936: iOS: Some images are not displayed correctly for recommended apps
that have been imported from the Apple App Store.
VS-5197: iOS: The first time an iTunes import is attempted, a server communication error is displayed.
VS-5151: iOS: MobileIron removes the new App Storefront webclip from quarantined devices.
VS-5150: iOS: The App Storefront does not change the app button to Update if
there is a new version of an installed app available.
VS-5109: iOS: The App Storefront opens on a different tab each time it is launched.
VS-4956: iOS: Clicking the link to the Apple Push Certificates portal sometimes
results in a web page without content. Workaround: Exit the portal, close the
browser, and retry.
VS-4730: The Admin Portal allows administrators to open the LDAP page and other
tabs simultaneously.
VS-4684: In the device count and watchlist popups, clicking the top checkbox
selects only the last device in the list instead of all devices in the list.
VS-4534: The VSP installation script switches to CONFIG mode if you enter an NTP
server that cannot be parsed. Workaround: Type end. You can then type reload and
continue the installation process. When you complete the installation, use System
Manager to enter the proper NTP information.
VS-4459: iOS5: In the iOS 5 settings for WiFi configuration, the Proxy Server and
Proxy Password fields are not properly validated.
VS-4409: Some device images in the MyPhone@Work employee portal are incorrect.
VS-4253: Distributing Wi-Fi profiles to 10,000 devices or more is taking much longer than expected. Distribution to 20,000 devices can take up to four hours.
VS-3713: iOS: The security policy fails to block ActiveSync access if the MobileIron
app is the last third-party app removed from the device.
VS-3631: Android with Samsung Enterprise APIs: Exchange configuration sometimes fails. This appears to be an issue with the Samsung API.
VS-3605: In the ActiveSync Devices page, the content of the Action Reason column
cycles through multiple values when a device is blocked for multiple reasons.
VS-3292: Deleting an event leaves the event name blank for existing entries in the
Event History page.
VS-3117: The Location API has the following issues: no error when phone/UUID is
empty, no error for invalid date, no error for invalid phone number.
VS-3027: iOS: In the MobileIron app, caps lock does not work in the Password
field.
VS-1639: Attempting to use the Locate function for all devices on a page produces
a pop-up that has no scrollbar and that displays only 13 of the 20 devices on the
page.
VS-1342, 15010: Performance issues have been reported for the Admin Portal on
Internet Explorer.
VS-1327: On Standalone Sentry, attempting to use an email address as a username when creating a user via the CLI results in an error.
VS-1310: Under Firefox, the dropdowns in the Access Control section of the security policy sometimes fail to populate with compliance actions.
VS-1286: iOS: For devices that are not MDM-enabled, wiping via ActiveSync prevents later configuration of Exchange settings via MobileIron app settings.
VS-1222: Policy violation alerts are not generated if all managed devices are in violation.
VS-315: When two new security policies are added, editing and saving the one with
higher priority increases the priority of the second.
15053: Changing carriers for a device can result in duplicate entries for the device
in MobileIron.
15033: The Mobile Activity Intelligence process can cause 100% CPU utilization.
15015: Assigning a policy to a label containing a device that has already had the
policy applied via a different label causes the policy to be reapplied to that device.
14844: iOS: After upgrading to 4.1 or higher, assigning a non-iOS app to a label
containing iOS devices can result in the following error message on iOS devices:
Unable to refresh App Store. Remove the association between the non-iOS app
and the label to resolve this problem.
14842: Android: After upgrading MobileIron, you may need to re-save app settings
for Android devices to ensure that the settings are applied.
14836: Upgrading MobileIron does not always update the Language column for
existing devices in the All Devices page. You can manually update this column using
More Actions > Change Language.
14834: Changing the timezone for Mobile Activity Intelligence causes an incorrect
MAI processing time to be displayed.
14803: Android: Device type displays as "GRD" instead of "CDMA" for Motorola
Xoom.
14596: Changing the alert interval for a system event has no effect.
MobileIron Sentry does not support connection pooling via load balancer. Turn off
your load balancer's connection pooling before deploying.
IE9 is not currently supported. There are known issues with this version of the
browser, including failure to register devices from the Admin Portal.
9424: iOS: Marking dropped calls or running the speed test occasionally causes the
device to stop responding.
11075: Changing the external hostname results in a SCEP URL and verify URL that
still point to the old hostname.
11402: The antivirus scan does not always activate the Infected flag upon first
detection of a virus.
11525: If an error occurs when you add a new entry in the Sentry page, the entry
may still be stored in the database. After resolving the original error, you may see a
duplicate entry in the Sentry page.
11772: MyPhone@Work does not display activity that falls into the Unknown category, but includes the Unknown category data in the total. The Unknown category
represents activity that has been detected, but is missing the information necessary
to place it in one of the activity types (e.g., international roaming). As a result,
there may be a discrepancy in the displayed data.
11830: Under Mobile Activity Intelligence > Settings > Toll Numbers, the Directory
assistance entry is sometimes loaded without the dashes. Workaround: In the Toll
Numbers screen, click Directory assistance to display the Edit Toll Number dialog
and enter the dashes.
13509: iOS: If the device user is running a speed test on the MobileIron Client
when the administrator attempts to retire the device, an Application Reset message displays, but the reset is not completed. As a result, the device is left in an
unusual state. Consider removing and reinstalling the client.
The Infected status should revert to Active once the detected virus has been
removed from the device. However, sometimes the device remains in the Infected
state. Workaround: Set the status to Lost, then set the status to Found.
If an attempt to remove an app setting fails, there is no function available for trying
again. Workaround: Assign the device to a label and then remove the association
between the device and the label (i.e., More Actions > Remove from Label).
14386: If a phone does not report a phone number, then Event Center messages
sent to the device user will display Not Available in place of the phone number,
regardless of the language selected for the device.
AC-1211: The MobileIron app erroneously resets the device passcode for the HTC
Evo (Android 2.3.5) when the administrator issues the Unlock command.
AC-771: Pushing a policy that specifies decrypting a device results in an alert that
specifies decryption, but the button on the screen is labeled "Set Encryption".
AC-1091: The MobileIron app does not report successful encryption for Samsung
Galaxy S3 devices.
AC-218: The Cisco AnyConnect app must be installed before the MobileIron app to
ensure successful provisioning of VPN settings.
AC-1424: On Samsung Galaxy S2 devices running Android 2.3, the MobileIron app
and VSP fail to report encryption compliance.
AC-1451: Manually removing the VPN setting on the device does not cause the VSP
to push another VPN profile.
AC-1421: If Google Play Store has not been accessed previously, the first attempt
to view a recommended app displays the Play Store terms of service, after which
the selected app is not displayed.
AC-1393: Powering off the device when the password reset notification displays
resets the password age and restores the expired password.
AC-895: Exchange app settings containing a custom attribute for the username or
password do not result in a properly configured device.
AC-1417: The VSP does not report successful Exchange configuration when SCEP is
used.
AC-1318: If the device user delays accepting the terms of service while configuring
email on Android 4.0, then the VSP will not show successful email configuration
until the device checks in again.
AC-1259: Sending a second WiFi profile and certificate to a Samsung Android 4.0
device on which the certificate is already installed results in an unexpected certificate notification.
AC-1246: Removing the certificate specification from the WiFi app settings does not
result in the expected changes to the WiFi settings on the device.
AC-867: When the Sync on Low Battery option is turned off on the VSP, devices
continue to sync with the VSP when battery power is low.
VS-7153: Revising an incorrect override URL does not repair app installations that
failed on iOS 5.x devices due to an incorrect override URL. The device user must
delete the app icon manually before attempting to reinstall. This behavior is determined by the device operating system.
VS-5372: ActiveSync policies are not applied to Android devices having the TouchDown client installed. This is expected behavior.
Usage notes
General
The following notes apply to MobileIron, regardless of the client OS:
VS-6018: In Active Directory, if the user is a member of multiple groups, and one
of the groups is a primary group, then if we sync users of a particular group from
the VSP, all the users having this group as a primary group will be excluded from
the sync. This is a known issue from Microsoft. See the following article from the
Microsoft site: http://support.microsoft.com/?kbid=275523.
Avoid creating user IDs that include _MIxx, where xx is a number. This sequence is
reserved for user IDs requiring special processing, which includes stripping the _MI
sequence and all characters following it.
Do not lock down WiFi for devices that have only WiFi access. There will be no way
to undo the setting if there is no way to communicate with the device.
VS-1187: For larger LDAP systems, the LDAP browser in Admin Portal (Settings >
LDAP) may cause the following prompt on Internet Explorer:
A script on this page is causing your browser to run slowly.
Click No to ensure that the data displays appropriately.
VS-1017: As a result of upgrading to 4.2 or higher, you may observe that CPU
usage increases to 100% every 15 seconds. This behavior is expected as a result of
the resolution for an issue with the contact sync feature.
VS-2250: The amount of time it takes to apply an event to a label depends on the
number of devices identified by the label. Therefore, it may take some time for the
label name to display as selected for the event.
Most variables are currently required. For example, you might prefer to remove
the user name from the registration email subject, but that is not currently supported.
MobileIron drops any unsupported variables you add to a message without indicating the lack of support.
You cannot edit the default Event Center messages; you can only add new
ones. However, you cannot add new registration messages; you can only edit
the existing ones.
If multiple LDAP servers are configured in MobileIron, but one is not reachable at
the time that the user attempts to display LDAP users, then the user will receive an
error message. Increasing the timeout configured for the LDAP server in the System Manager should resolve the problem.
Installation of the MobileIron Client will fail if the time set on the phone is older
than the certificate time.
Selecting Link to LDAP for a local user in the User Management screen removes the
roles assigned to the local user. The next time the user authenticates, roles will be
applied based on the LDAP group of the corresponding LDAP user.
Changing the External Host setting under Settings > Preferences requires regeneration of any self-signed certificates or uploading matching portal-HTTPS and clientTLS certificates. Rebooting is also required.
Privacy settings specified by the end user in MyPhone@Work override the corresponding settings in the privacy policy. For example, if the end user specifies that
SMS content should not be synchronized, then setting the SMS option to Sync Content in the privacy policy will have no effect.
MyPhone@Work users should set their browsers to accept mixed content to ensure
that all data is displayed in the Activity page.
The ActiveSync Devices page does not reflect the new mobile number for a device
in the event of a SIM change.
Sentry: The success of ActiveSync policies, like browser and IMAP lockdown, is
dependent on the implementation of the ActiveSync client on the device. Therefore,
Sentry might send the correct provisioning policy, but the ActiveSync client might
not support portions of the policy.
Android
VS-4451, VI-31: Android: Deactivating the Samsung DM agent or removing the
MobileIron app does not remove the lockdown policy applied by MobileIron. This is
a Samsung issue.
VS-5909: Android: The Wipe function may appear to be only partially effective for
devices that are configured to restore their content from Google Cloud.
Android: Cisco AnyConnect must be installed before the MobileIron app is installed
if you intend to use MobileIron to manage the AnyConnect profile.
AC-455: Android: SD cards for certain models cannot be wiped because of device-specific limitations that prevent deletion of files from the SD card.
VS-1470: Android: An ActiveSync wipe causes TouchDown to wipe its email profile,
not the device data. The result is recurring "Email configuration is ready" messages
on the device.
VS-3865: Android: Data decryption is initiated when the Exchange profile is pushed
to the device if the default ActiveSync policy pushed to the device does not specify
that encryption is required.
VS-784: Android: Apps are not synced from devices when the privacy policy is
changed to None and then changed back to Sync Inventory. Installation of an additional app or rebooting the device causes app sync to resume.
Certain Sprint devices are shipped with an app called Exchange Email, which cannot
be uninstalled and is not compatible with NitroDesk's TouchDown for Android.
Attempting to install TouchDown on these devices results in a duplicate provider
authority error.
13701: The Samsung Galaxy tablet experiences problems during attempts to provision the Exchange configuration via the native ActiveSync client. Workaround: If
the situation does not resolve itself, try removing and reapplying the Exchange configuration.
12649: Android: Android devices that do not have NitroDesk's TouchDown installed
may be displayed in the ActiveSync Devices page with unexpected device types.
This is a result of the implementation on the device.
The Samsung SAFE (Android 4.0) email app uses ActiveSync 14.1, which is supported by Sentry 3.3. Make sure you have installed Sentry 3.3 or later.
In the VSP Exchange app setting, make sure the "Using Sentry Standalone" checkbox is NOT checked. This is true even if you are using Sentry Standalone. Checking
this box causes identifying text to be appended to the ActiveSync User Name,
which causes interoperability issues with the Samsung SAFE email app (Android
4.0).
The Samsung email app on Samsung devices running Android 4.0.3 exhibits several issues. Configuration of the app by MobileIron is successful, but the email app
often does not fully provision itself. We recommend against using it.
If you are using Identity certificates for Exchange authentication, make sure the
identity certificate being used can be validated by the device using the CA trust
chain. If you are using a private CA, then the Root CA certificate must be installed
on the device prior to provisioning e-mail. If you are using the VSP Local CA functionality, you can download the CA certificate from the VSP. Go to Settings > Local
Certificate Authorities > Local Certificate Authorities and click the Edit icon to display the Cert URL.
Exchange places a limit on the number of devices that can be associated with a
given email account. Confirm you have not exceeded the maximum phone partnership count on Exchange.
AC-1420: Encryption is not supported for some older devices, including the Samsung Galaxy Tab running Android 2.3.5. This is a vendor issue.
VI-83: The provisioning of p12 certificates can get stuck during the certificate
extraction process.
Workaround: Rotate the device, which should cause the alias installation screen to
display. If that fails, try locking and unlocking the device.
VI-88: For Samsung devices running Android 4.0, removing the association
between the Exchange app setting and a label does not remove the entry for the
corresponding email account from the Accounts and Sync listing.
VI-104: The Samsung Native Email client for Android 4.0 displays an "Update Security Settings" notification when properly configured. However, the notification often
disappears when the device user attempts to tap it.
Workaround: Dismiss the email app with the Home button, then relaunch it. It will
usually crash when you do this, but relaunching results in another prompt for security settings.
VI-86: The Samsung S3 often indicates that Device Administrator needs to be activated, though it is already activated.
VI-85: The email client on the Samsung S3 sometimes crashes after being configured by the VSP.
VI-74: Samsung devices running Android 4.0 display the following error during
attempts to connect to a website that requires an identity certificate: "Connection
problem - A secure connection could not be established."
VI-73: HTC One X and HTC One S devices fail to populate the Certificate Installation dialog with aliases for P12 certificates.
VI-89: When configuring email in the MobileIron client, entering an incorrect email
password on Samsung devices running Android 4.0.3 or Android 4.0.4 requires the
user to clear the email configuration data before they can successfully configure
email.
See Workarounds for VI-89.
Launch Email.
The Upgrade accounts screen appears.
2. Tap Delete for the misconfigured email account (the first in the list).
3. On your Samsung device, tap Settings > Security > Device administrators.
Tap Email (you may have to scroll through a very long list of apps).
5. Tap OK.
iOS
iOS: If a user downloads an in-house app, removes the MDM profile, and then re-registers the device, the VSP does not push a new provisioning profile, resulting in
an in-house app that stops working. Workaround: The user must download the in-house app again.
IOS-107: The Server Name Lookup feature is no longer supported for iOS. If you
want to continue to use in-app registration, then you must communicate the server
address to device users. Using an alternate method of registration, such as bulk
registration, is also an option.
VS-4610: iOS: iPhone 4S devices from Sprint and Verizon registered as WiFi-only
devices report the MNC as SPR or VZW instead of the expected numerical value,
resulting in incorrect country display. Once MDM is enabled, the information is
updated appropriately.
VS-2308: iOS: If you are manually zipping an IPA file, we recommend using the
Mac zip operation with the -r and -y flags to create the IPA file.
14421: iOS: If a user disables location tracking before registering a device, and
then enables it after registering the device, multitasking for the MobileIron app is
not automatically enabled. The user must manually start the MobileIron app before
multitasking takes effect. Also, if the user does not allow the MobileIron app to
enable iOS Location Service when prompted after registration, the user must turn
on iOS location support and restart the MobileIron app before multitasking takes
effect for the MobileIron app.
14263: iOS 4.1: If the MobileIron app is removed and reinstalled on an iOS 4.1
device, the location feature may fail. This is due to an issue in iOS 4.1 that was
addressed in iOS 4.2.
The MDM field that provides information on whether an iOS device has been compromised isn't taken into account for our Compromised check for iPhone 3G, iPod
touch 3rd generation, and iPod touch 4th generation. For these models, we rely on
the information provided to us by the MobileIron Client, whereas with other models
(when MDM is enabled), we use both MDM and the information from the MobileIron
Client.
iOS: If you configure your MobileIron appliance using the internal hostname, then
users who attempt to register iOS devices may receive the following error:
"The server certificate hostname did not match. Please contact your
administrator."
This error occurs because the certificate provided to the iOS device refers to the
internal hostname, which is not accessible to the user registering the phone. Be
sure to configure the MobileIron appliance using the external hostname.
iOS: In rare cases, the phone number may not be available to the MobileIron Client
on an iOS device. This causes the server name resolution feature to fail. It also
causes the iOS device to register as a PDA. The best approach to this issue is to set
the phone number on the iOS device. To set the number: 1. Tap Settings. 2. Tap
Phone. 3. Tap My Number. 4. Enter the phone number. 5. Tap Save.
iOS: The times you can set for "Maximum inactivity timeout" vary by iOS device.
iOS: iOS devices accept settings for up to four subscribed calendars. Therefore, any
additional calendar settings applied to an iOS device will be ignored.
iOS: For the User Name specified in subscribed calendar settings, iOS devices may
display the @ in an email address using different characters.
iOS: iOS 4 sets IMAP email settings as POP settings, though the settings have been
transmitted correctly by the VSP.
iOS: In rare cases, removal of old MobileIron profiles will fail. For example, if you
re-register an iOS device, the Exchange settings associated with the old profile may
remain. To address this issue, you may need to do a hard reset and a selective
restore from iTunes.
11358: iOS: The MDM profile sometimes fails to install. Associated error messages
include Profile Failed to Install and Invalid Profile. Repeating the attempt once or
twice resolves the issue.
11688: iOS: If MobileIron password caching is not enabled and an Exchange profile
is sent without a password, then the password that users enter when prompted will
be saved on the device, but not on the VSP. Users must set the Exchange
password manually on the device. Pushing the profile will repeat the process on the
device.
11967: iOS: MobileIron always uses SCEP in proxy mode for Exchange settings,
regardless of the configuration specified in Admin Portal.
If the iOS device has received an MDM profile previously, then installing a new one
may take up to ten minutes.
After implementing an Enterprise Issued APNS certificate, you must restart tomcat
on the VSP. An easy way to do this is to display the Email Settings screen in System
Manager and click the Apply button.
The options displayed under Application Settings > iOS > Restrictions have limitations based on OS version. MobileIron does not have control over these limitations.
12855: iOS: If a device user does not respond to the app download prompt within
60 seconds, then the download expires. Attempts on the part of the user to retry
will fail.
12979: iOS: MDM-enabled iPads do not report mobile country codes (MCC) and
mobile network codes (MNC).
MDM-enabled iOS devices that have been locked prevent the MobileIron VSP from
performing many functions. This is by iOS design. Therefore, if attempts to perform
actions such as pushing new provisioning profiles fail with a message that indicates
the attempt should be made later, then the device is probably locked.
iOS: Cisco AnyConnect does not allow for saving user passwords. Therefore,
despite receiving a VPN setting from MobileIron, users must enter a password. See
the following link for more information on this Cisco issue: https://supportforums.cisco.com/message/3041057.
iOS: The General application setting for iOS (Apps & Configs > App Settings > iOS
> General) should be avoided, if possible. If you must make changes, do so before
you start registering iOS devices.
Windows Phone 7
Windows Phone 7 devices may fail to synchronize with error 0x85010013 or
0x8600C2B when connecting to the Microsoft Exchange Server due to policies that
the device cannot enforce. Specifically, Windows Phone 7 supports the following
parameters:
PasswordRequired
MinPasswordLength
IdleTimeoutFrequencyValue
DeviceWipeThreshold
AllowSimplePassword
PasswordExpiration
PasswordHistory
DisableRemovableStorage
DisableIrDA
DisableDesktopSync
BlockRemoteDesktop
BlockInternetSharing
As a result, you may need to adjust your MobileIron security policies. See the following Microsoft knowledge base article for information: http://support.microsoft.com/kb/2464593.
Verizon: Devices that have only an active data plan and no active cell plan are detected
as roaming.
North American operators: Most use standard, 7-bit SMS, which does not support
special characters. Clickatell, however, does support special characters. Because
MobileIron uses Clickatell for SMS support outside of North America, users may see
messages containing odd characters in place of the original characters.
Amazon Kindle Fire: Runs a modified version of Android 2.3, so most of the
Android-supported VSP policies, app settings, and device management commands
work. The limitations are:
MobileIron Android app must be sideloaded - The MobileIron Android app is not
available in the Amazon Appstore and must be sideloaded on the Kindle Fire.
Apps may be sideloaded if the device is configured to allow installation of non-Market applications (Unknown sources).
Android: For a few devices, shortcuts do not support upgrades. Therefore, attempting to upgrade the MobileIron app does not work. Sometimes, this results in uninstalling the previous version.
Nokia E51 and E90: Do not support lock or device/SD card encryption.
12149: Palm Pre currently is not supported for use with Standalone Sentry.
10987: The Palm Treo disconnects from a Remote Access session if the phone goes
to sleep.
Pantech Duo: No location.
RIM 8703e: Call log reports call as aborted if another call is on hold.
RIM 8950 (Sprint-CDMA): No location available.
Samsung Blackjack 1 (version I only): No location.
Samsung Blackjack 2: Camera lockdown policy does not work.
Samsung Jack i637: Security policy on the device prevents MobileIron from running successfully on the device. MobileIron security policies and Exchange settings
cannot be applied. Also, details are not available for matching with ActiveSync
records.
Sanyo Kio (Sprint): Ships with a version of NitroDesk's TouchDown that is incompatible with other versions of TouchDown and cannot be uninstalled.
Appendix B
Preparation
Because users will be informed of the registration via email before they receive the
device, you should consider turning off user notification when you bulk register the
devices. As an alternative, consider editing the registration template or informing
users that they should ignore the email. See Customizing registration messages on
page 96 for information on editing the template.
2. Set the iOS Web-based Registration Requires option to the preferred option.
5. Click the Pending Device Report button in the All Devices page to create a spreadsheet of the devices you just registered.
The pending devices report lists the username and the PIN and/or password you
will need in order to complete the registration process on the user's behalf.
6. Enter the requested information for the user who will receive the device.
8. Click Register.
9. Instruct iOS device users to download the Mobile@Work app from the Apple App
Store and complete the in-app registration process.
MobileIron will detect that the device is already registered and match the new
Mobile@Work app to the existing entry for the device.
Appendix C
If you are using the Configurator to register devices that display the iOS Setup
Assistant, then enable supervision of the devices in the Configurator. The Setup
Assistant is the wizard-like interface you see when starting the device for the first
time. The Setup Assistant prevents display of the registration dialogs, causing
deployment of configuration profiles to fail, unless supervision is enabled.
Consider installing the Wi-Fi profile in a separate operation prior to installing the
MDM profile. This approach prevents the MDM profile installation from failing if the device
does not acquire an IP address (required for VSP connectivity) in a timely manner. Just complete the steps in How to use Apple Configurator for MobileIron registration for the Wi-Fi profile.
In the Admin Portal, select Users & Devices > Devices > Add > Multiple Devices.
In the Adding Multiple Devices dialog, click Browse to select the edited CSV file.
If you plan to configure supervised devices, complete that process in Apple Configurator.
In Apple Configurator, click Prepare at the top of the screen.
7. Click Open.
Tether a device.
Appendix D
overlays its icon with a special badge that indicates it is a secure app.
The Mobile@Work app works with another MobileIron app to download, install, and
manage your secure apps. The other MobileIron app is called the Secure Apps Manager. The Secure Apps Manager is downloaded and installed along with the secure
apps.
Setting up your device to use secure apps requires you to do the following:
2. Follow the instructions to install secure apps, including the Secure Apps Manager.
Complete the steps in Download and install the secure apps on page 696.
4. Tap Done.
After creating the secure apps passcode, note the lock icon in the status bar.
Some secure apps, such as the email app, are active even when you are not using
them. For example, the email app syncs your email and calendar items. Until you log
in with your secure apps passcode, these apps cannot do their jobs.
When you are logged out of secure apps, the icon looks like the following:
For example, you are logged out when you have not used a secure app for five minutes.
The secure apps icon turns into a warning icon in some situations:
The warning icon appears when you need to reenter your secure apps passcode, such
as when you power on the device.
Appendix 1
Mobile@Work prompts the device user to create a secure apps passcode the first time
the user does one of the following:
3. Taps OK.
5. Taps OK.
6. Taps Done.
2. Taps OK.
The device user can now continue with the secure app.
Mobile@Work will prompt the device user for the secure apps passcode the next time
the user launches a secure app, or the next time the user taps the Local Files or
Remote Files tab in Mobile@Work.
6. Taps OK.
8. Taps OK.
9. Taps Done.
Taps OK.
4. Taps OK.
6. Taps OK.
7. Taps Done.
When the device user realizes that he has forgotten the passcode
The device user does the following:
1.
Launches a secure app, or taps the Local Files or Remote Files tab in Mobile@Work.
Mobile@Work prompts the user to log in with the secure apps passcode:
3. Enters the User Name and Password for registering with the VSP.
5. Taps OK.
7. Taps OK.
8. Taps Done.
The device user taps Create New, and continues as above to enter his VSP credentials,
followed by a new secure apps passcode.
If the device user taps Cancel, Mobile@Work displays the following:
The device user can return to the secure app and try again.
Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5
Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered
with a VSP 5.5. Mobile@Work displays a message to the device user describing the
steps to take if the user has forgotten the passcode. Executing these steps means that
the device user cannot recover any secure data that the AppConnect apps had saved.
The steps are:
1. Uninstall Mobile@Work.
2. Reinstall Mobile@Work.
Appendix 2
This chapter provides the iOS device user perspective of using Mobile@Work. For the
Email attachments
Your administrator determines how you view email attachments based on your
company's security policies.
See Accessing email attachments on page 726.
Using Mobile@Work, you can also:
Save local copies of content server documents and email attachments for later
viewing.
See Managing local files on page 729.
Open documents you are viewing in other apps, if your administrator has configured your device with this capability.
See Opening documents in other apps on page 741.
For information about the types of files that Mobile@Work can display, see Supported
files in the Mobile@Work for iOS app on page 743.
The instructions that follow are based on using Mobile@Work on an iPhone running
iOS 5.1.1. Mobile@Work works a little differently on an iPad to take advantage of the
larger screen. See Mobile@Work on an iPad on page 743.
Note: These features are available only if your administrator has enabled the
Docs@Work feature on the VSP.
3.
Description
Server
http://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures to
specify the TopFeatures folder in the NewProductDocuments library.
Note: A valid URL does not contain spaces or
certain special characters. For example, a space
is entered in a valid URL as %20, as in https://
companySharePointSite/Shared%20Documents.
Name
User name
Password
Remember Password
4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders.
2. Tap the remote file share (content server) that you want to log in to.
3.
Description
User name
Field
Description
Password
Remember Password
4. Tap Go.
Mobile@Work logs you in to the content server and displays the site's folders.
2. Tap the remote file share (content server) that contains the document that you
want to view.
3. Tap the folder containing the document that you want to view.
Navigate to the appropriate folder by tapping successive folder names. This example shows the file list after navigating to the following folder:
Shared Documents/subteamsite1/Shared Documents
4. Tap the document that you want to view. Mobile@Work loads and displays the
selected document.
Note: Loading a large document can take some time. Mobile@Work shows the loading progress. To cancel loading, navigate back to the folder view by tapping the
folder name.
You can open email attachments using any app appropriate for the attachment's file
type.
This behavior is the normal behavior of the Mail app.
2. Tap the attachment to fully download it, if it is surrounded by a dashed box. To fully
download one or more attachments, you can also scroll down the screen and tap
Download Full Message.
For smaller attachments that are already fully downloaded, skip to step 3.
You are now viewing the attachment in Recent Attachments in Local Files in
Mobile@Work.
The attachment contains text that says "The original attachment was removed as
required by the security policies of your administrator."
The document is now available for viewing under Local Files. See Viewing a local
file on page 732.
The document is now available for viewing under Local Files. It is no longer available under Recent Attachments.
Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.
Note: Mobile@Work prompts you to log in if you are not currently logged in to the
content server, and you have not selected to have Mobile@Work remember your
content server password. Mobile@Work requires your login credentials because it is
checking if a newer version of the document is available on the content server.
3. Tap Update Now to sync your local file to the updated remote file.
Mobile@Work updates the local file and displays it.
3. Tap Delete.
Mobile@Work deletes the file from the Local Files list.
Mobile@Work removes the file from the Recent Attachments folder and adds it to
the Local Files folder.
3. Tap Edit.
4. Tap the Delete icon on the file that you want to delete.
5. Tap Delete.
Mobile@Work removes the file from the Recent Attachments folder.
Mobile@Work on an iPad
The behavior of the Mobile@Work for iOS app is slightly different on an iPad than it is
on an iPhone.
information about what you are currently doing, such as looking at the home
screen, or navigating through content server folders.
the tabs for accessing the Mobile@Work home screen, Local Files, Remote Files,
and settings.
The right (detail) pane contains information depending on what the master pane is
displaying. For example, the detail pane displays:
a file's content
About information for Mobile@Work
the Mobile Activity Map
In Portrait mode, you can tap on the detail pane to hide the master pane:
The icons behave the same as they do in Mobile@Work on an iPhone. For example,
see:
Appendix 3
Set up access to a remote file share for which you have login credentials.
A remote file share is a repository of documents located on a network content
server, such as a Microsoft SharePoint site.
4.
Description
Name
URL
https://companySharePointSite.com/Marketing to
specify the Marketing subsite in the SharePoint site.
https://companySharePointSite.com/Marketing/Demo
to specify the Demo subsite within the Marketing site.
5.
Username
Password
Remember Password
Tap OK.
The SharePoint Client verifies your credentials and displays the entry for the content server repository.
Note: To delete a content server repository, long press the entry and tap Delete.
Tap the content server that contains the document that you want to view.
For example, tap Marketing Docs to display the files and folders in the Marketing
Docs content server.
2. Navigate to the appropriate folder by tapping successive folder names. This example shows the file list after navigating to the following folder:
subteamsite1/Shared Documents
3. Tap the document that you want to view. The secure ThinkFree Document Viewer,
or other secure app, loads and displays the selected document. If the ThinkFree
Document Viewer does not support the type of document, an error message displays.
Loading a large document can take some time. You can tap Cancel to cancel loading.
If ThinkFree Document Viewer does not support the document type, the SharePoint
Client displays a list of secure apps to try to view the document with.
If no secure app supports viewing the document type, the Android OS indicates
that no app is available to open the selected file.
Attempting to open the document with an app that does not support the document
type results in an error message or erroneous behavior, depending on the app.
If the SharePoint Client does not support a document type, it displays a special icon
for the document:
2. Long press (touch and hold the same position) the document you want to save:
3. Tap Save.
You can now use the secure File Manager to view the local copy of the document.
Email a document
To email a document as an attachment:
2. Long press (touch and hold the same position) the document you want to email:
3. Tap Send.
5. Add the recipients, subject, and message body, and send the email.
Appendix 4
On the device, go to Settings > Location & security > Select device administrators.
3. Tap Deactivate.
6. Click Uninstall.
On the device, go to Settings > Location & security > Select device administrators.
2. Uncheck the Samsung DM agent to remove it from the list of device administrators.
3. Tap Deactivate.
5. Select Downloaded.
7. Click Uninstall.
The device user can access this screen by selecting Options > Email Setup from the
MobileIron app menu.
Encryption Compliant
Configuration Received
Profile Complete
Indicates whether the MobileIron app can communicate with the email app.
If the device is using TouchDown, then TouchDown will launch and prompt the user to accept
the license agreement and enter the password.
If the device is using the Samsung native email
client, then the Go to Email button displays.
When the device user taps the button, the
MobileIron app displays an alert stating that the
configuration will take some time to complete,
and that a notification will prompt the user to
activate the Device Administrator privileges for
the email client.
If an error occurs, an error message displays.
The device user can tap the View Details button
and email details to the administrator.
If the device is using the HTC native email app,
the app launches after setup is completed.
If the device is using the Motorola native email
app, the app is configured successfully, but the
user must launch it manually. The user follows
the steps in the app. The app exits after each
step and the user must relaunch it. After one
time through this process, the app is completely
set up.
It is from a source that the Android OS trusts (that is, it can be checked against
the trusted CA certificates installed on the device).
The CN attribute in the certificate must match the email address in the email
profile.
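Both requirements just listed, together with the earlier note on validating Exchange identity certificates against the CA trust chain, can be checked before a profile is pushed. The following Go program is an added example and is not part of this guide or of MobileIron's software: it builds a constructed private root CA and two client certificates, models the device trust store as a certificate pool (once with the Root CA certificate installed, once without), and applies the two checks the text names, chain validation against the installed CAs and a Subject CN equal to the email-profile address. The CA name and the addresses alice@example.com and bob@example.com are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCert is a constructed test helper, not MobileIron or Android code. It issues a
// certificate whose Subject CN is cn: a self-signed CA when parent is nil, otherwise a
// client-auth leaf signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkIdentityCert applies the two conditions the guide states for an identity
// certificate: the chain must validate against the CA certificates installed on the
// device (the roots pool), and the Subject CN must equal the email-profile address.
func checkIdentityCert(leaf *x509.Certificate, roots *x509.CertPool, emailAddr string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	if !strings.EqualFold(leaf.Subject.CommonName, emailAddr) {
		return fmt.Errorf("CN %q does not match email profile address %q", leaf.Subject.CommonName, emailAddr)
	}
	return nil
}

// scenarioResult records whether checkIdentityCert accepted each constructed case.
type scenarioResult struct {
	TrustedMatch  bool // root installed, CN == profile address: expected true
	UntrustedRoot bool // same leaf, private root never installed on the device: expected false
	WrongCN       bool // root installed, CN is a different address: expected false
}

// runScenarios builds a constructed private root CA and two leaves and evaluates the
// three cases an administrator is most likely to meet when email provisioning stalls.
func runScenarios() (scenarioResult, error) {
	const email = "alice@example.com" // constructed email-profile address
	root, rootKey, err := newCert("Example Private Root CA", true, nil, nil)
	if err != nil {
		return scenarioResult{}, err
	}
	good, _, err := newCert(email, false, root, rootKey)
	if err != nil {
		return scenarioResult{}, err
	}
	wrong, _, err := newCert("bob@example.com", false, root, rootKey)
	if err != nil {
		return scenarioResult{}, err
	}
	withRoot := x509.NewCertPool() // device trust store after the Root CA certificate was installed
	withRoot.AddCert(root)
	withoutRoot := x509.NewCertPool() // device on which the private Root CA was never installed
	return scenarioResult{
		TrustedMatch:  checkIdentityCert(good, withRoot, email) == nil,
		UntrustedRoot: checkIdentityCert(good, withoutRoot, email) == nil,
		WrongCN:       checkIdentityCert(wrong, withRoot, email) == nil,
	}, nil
}

func main() {
	r, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root installed, CN matches: accepted=%v\n", r.TrustedMatch)
	fmt.Printf("root missing on device:     accepted=%v\n", r.UntrustedRoot)
	fmt.Printf("CN differs from profile:    accepted=%v\n", r.WrongCN)
}
```

Only the certificate whose CN equals the profile address and whose issuing root is present in the pool is accepted; a missing root and a mismatched CN each fail with a distinct error, which tells you which of the two requirements above to fix when the email client rejects a pushed identity certificate.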
The device user can tap the notification to begin the Wi-Fi setup process.
3. Tap Options.
Networks that are properly configured display with a green check. Networks that are
not properly configured or require input from the device user display with a red X. Tap
an entry to display the details for that network's configuration.
The following table describes the entries in the Wi-Fi Setup screen.
Passcode Compliant
Encryption Compliant
Indicates whether the device encryption status complies with the security policy. If this test fails, then a Set
Encryption button displays at the bottom of the screen.
The device user can tap the button to turn on encryption.
Profile Valid
Profile Complete
Select a certificate and tap View Details to display certificate information. Tap Reprovision Certificates to retrieve new or updated certificates.
Certificate alerts
When the administrator pushes certificates to supported Android devices, the device
receives a system notification, provided the device is compliant with existing passcode
and encryption policies. Tap the notification to begin the provisioning process.
Appendix 5
Tapping the Secure Sign-In web clip displays the following page.
Entering a valid username and password prompts the VSP to apply the profiles configured for the device.
When the device user is ready to sign out, tapping the web clip displays the following
page:
If you want to clear the passcode on the device when the device user signs out,
select the Clear passcode option.
Click Save.
Create the restrictions that you want applied when a user signs out.
For example, you might want to disable access to YouTube when an authorized user
is not signed in.
Example
Suppose you want iPads to be restricted to basic web use when an authorized user is
not signed in. You would need to create a Restrictions configuration to lock down the
camera, inappropriate content, screen captures, app installation, and so on.
To implement these restrictions, you would complete the following steps:
1. Select Policies & Configs > Configurations > iOS > Restrictions.
4. Click Save.
7. Select Signed-Out.
8. Click Apply.
From this point on, all multi-user devices will receive the new restriction settings upon
sign-out.
5. Select the label or labels that represent the devices to be configured for multi-user
sign-in.
Click Apply.
Remote sign-out
To sign out a user on a multi-user device from the Admin Portal:
1.
2.
Remove on sign-out?
Apps@Work access: Yes
Docs@Work access: Yes
Passcode: Optional
Restrictions: No
Wi-Fi: Optional
VPN: Yes
(configuration name missing): Yes
Exchange: Yes
LDAP: Yes
CalDAV: Yes
CardDAV: Yes
Subscribed Calendars: Yes
Web Clips: No
Credentials (Certificates): Yes
SCEP: Yes
(configuration name missing): No
APN: No
Single-App Mode: Yes
(configuration name missing): Yes
(configuration name missing): No
(configuration name missing): No
(configuration name missing): No
General: No
Appendix 6
A retail store might want to use tablets to provide one or two custom apps for customers to use while shopping.
A school might want to distribute tablets that present only appropriate apps for the
user who signs in.
Note: Though the Android kiosk feature allows multiple users to log in on a given
device, it does not represent full multi-user support. It is intended as a view filter for
apps. The profiles on the device do not change when different users log in. Instead, a
different list of apps displays based on the current user.
The kiosk feature supports two modes of operation:
single app
multiple apps
Requirements
Android kiosk mode is supported for Samsung SAFE 3.0 devices.
Setup steps
To set up an Android kiosk device:
1.
2.
The policy specifies the kiosk type. The configuration specifies which apps to display to
which users in multiple-app mode.
These instructions assume that the apps are already installed on the devices. If any
apps specified in the kiosk setup are not installed on the device, that app will be represented by a blank icon.
2.
3.
The package name is included in the URL, as shown in the figure above.
For in-house apps:
1.
2.
3.
Select Policies & Configs > Policies > Add New > Android Kiosk.
Single App is selected by default.
2.
Description
System bars are screen areas dedicated to navigation and the display of notifications and status.
Clear this option if you want to hide the system
bar when the device is acting as a single-app
kiosk.
Task manager
Item
Description
Navigation bar
Status bar
3.
Click Save.
4.
Assign the policy to the appropriate label to push it to the target devices.
Select Policies & Configs > Policies > Add New > Android Kiosk.
2.
3.
Description
Inactivity logout
Administrative access to
exit Kiosk mode
Branding
Background Color
Banner Color
Banner Text
Banner Logo
System bars are screen areas dedicated to navigation and the display of notifications and status.
Clear this option if you want to hide the system
bar when the device is acting as a single-app
kiosk.
Item
Description
Task manager
4.
Click Save.
5.
Assign the policy to the appropriate label to push it to the target devices.
6.
2.
Select Policies & Configs > Configurations > Add New > Android > Samsung Kiosk.
If you intend to use LDAP groups to restrict access to apps on kiosk devices, then
select the LDAP groups you want to use.
These users will have access to the specified apps on kiosk devices, that is, those
devices that have a kiosk policy applied.
If all kiosk users should have access to all specified apps, then do not select LDAP
groups.
Note: The LDAP groups that are available, and the corresponding attributes, are
based on the last sync between the VSP and the LDAP server. If you made a recent
change to LDAP data, it will not be reflected on the next sync (scheduled or manual).
3.
Select the apps you want to make accessible for kiosk devices that receive this configuration.
Note that the name displayed is the common name for the app. The package name
is the unique identifier determined by the app developer.
4.
Click Save.
5.
Assign the configuration to the appropriate label to push it to the target devices.
2.
2.
2.
Only users configured for administrative access in the kiosk policy can disable kiosk
mode from the device. The kiosk must be configured to support multiple apps and
multiple users. To disable Android kiosk mode from the device:
1.
2.
Example
Consider a school that wants to install the following apps on several tablets. Though
all the apps will be installed on each tablet, the apps that are displayed depend on
which user has logged in.
The following table shows the apps and the LDAP groups that should have access to
them.
LDAP Groups
Apps: View, Update, Send 2 Parents, Send 2 Teachers
Teachers
yes yes yes yes
Tutors
yes yes
Students
yes yes
LDAP Groups
Apps: View, Update, Send 2 Parents, Send 2 Teachers
yes yes
KioskTeachers
Teachers
yes yes
KioskTutors
Tutors
yes yes
KioskStudents
Students
yes yes
Device details
The Device Details pane in the Admin Portal displays the following information about
kiosk mode:
Deployment notes
Kiosk mode is a viewing filter only
Kiosk mode is NOT an App Blocking feature. It only restricts the viewing of apps
which can be launched.
Apps must be installed on the device for them to launch from the kiosk.
Distribute apps with the silent install option enabled.
Eases the deployment process
Configuring which apps to run
Single App mode uses the Android kiosk policy.
Multiple Apps mode uses kiosk configurations
Apps defined in kiosk configurations with no LDAP groups defined apply to ALL
kiosk users.
The union of all kiosk configurations applicable for a kiosk user determines the
list of apps to display.
If the device loses its connection to the VSP, then kiosk mode cannot be disabled.
You must do a factory reset.
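The deployment notes above state two rules for multiple-apps mode: a kiosk configuration with no LDAP groups applies to all kiosk users, and the union of every configuration applicable to a user is the app list displayed. The following Python is an added illustration of those two rules (it is not MobileIron code and does not talk to a VSP). The configuration names and LDAP groups come from the school example earlier in this appendix; the app-to-group assignments, the "KioskAll" configuration, and the set of installed apps are constructed assumptions for the sample run. It also models the note that an app named in a kiosk configuration but not installed on the device shows as a blank icon.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class KioskConfig:
    """One Samsung Kiosk configuration as the guide describes it: a set of apps
    plus the LDAP groups that may see them. An empty ldap_groups set means the
    configuration applies to ALL kiosk users."""
    name: str
    apps: frozenset[str]
    ldap_groups: frozenset[str] = frozenset()


def config_applies(config: KioskConfig, user_groups: set[str]) -> bool:
    """A configuration applies when it names no LDAP groups, or when the
    signed-in user belongs to at least one of the groups it names."""
    return not config.ldap_groups or bool(config.ldap_groups & user_groups)


def visible_apps(configs: list[KioskConfig], user_groups: set[str]) -> set[str]:
    """Union of the apps from every configuration that applies to the user."""
    apps: set[str] = set()
    for config in configs:
        if config_applies(config, user_groups):
            apps |= config.apps
    return apps


def kiosk_view(configs, user_groups, installed_apps):
    """Split the user's app list into launchable apps and apps that will show
    as a blank icon because they are not installed on the device.
    Returns (launchable, blank_icon), each sorted for stable comparison."""
    visible = visible_apps(configs, set(user_groups))
    installed = set(installed_apps)
    return sorted(visible & installed), sorted(visible - installed)


# Constructed sample data, modelled on the school example in the guide.
# The app-to-group assignments are assumptions, not the guide's own table.
SAMPLE_CONFIGS = [
    KioskConfig("KioskAll", frozenset({"View"})),  # no LDAP groups: every kiosk user
    KioskConfig("KioskTeachers",
                frozenset({"Update", "Send 2 Parents", "Send 2 Teachers"}),
                frozenset({"Teachers"})),
    KioskConfig("KioskTutors", frozenset({"Update"}), frozenset({"Tutors"})),
    KioskConfig("KioskStudents", frozenset({"Send 2 Teachers"}), frozenset({"Students"})),
]


if __name__ == "__main__":
    # Assumed set of apps actually installed on the tablet.
    installed = {"View", "Update"}
    for groups in ({"Teachers", "Tutors"}, {"Students"}, {"Parents"}):
        launchable, blank = kiosk_view(SAMPLE_CONFIGS, groups, installed)
        print(sorted(groups), "launchable:", launchable, "blank icons:", blank)
```

Because the guide stresses that kiosk mode is a viewing filter rather than an app-blocking feature, this computation only decides what the kiosk screen shows; an app absent from the result is still installed on the device.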
Appendix 7
What is MyPhone@Work?
MyPhone@Work is a self-service web application that enables MobileIron users to participate in the management of their devices. Registered users can do tasks like:
Supported browsers
The following internet browsers are supported:
Firefox 14
Internet Explorer 8
Safari 4.0
Browser Settings
Your browser needs to be configured to display mixed content to ensure full access to
all tabs in MyPhone@Work.
Supported platforms
The following table lists the platforms supported for MyPhone@Work and its features.
MyPhone@Work
Android
iOS
Win 7
WP8
Register
yes
yes
yes
Lock
yes
yes
Wipe
yes
yes
yes
Find It yes
Communications
History Voice / SMS /
Data Usage SMS Log/Search
App Management
Getting started
MyPhone@Work gives device users the ability to perform basic tasks without administrative intervention.
Logging in
Users who did not self register will need the MobileIron administrator to provide the
URL to the MobileIron Server, as well as the user ID and password for their account.
As with the Admin Portal, the user ID and password are case sensitive.
The URL for accessing MyPhone@Work is:
https://<MobileIron_server>
To log in:
1.
2.
3.
Note: The following tabs will be disabled if you have default settings applied:
Contacts
Calls & Texts
Activity
To enable these tabs, click Settings and enable the displayed options. Note that it may
take some time for the data associated with these tabs to display.
Registering phones
If you have been assigned the Myphone@Work Registration role, then you can register
your own phones without help from your MobileIron administrator.
To register a phone from MyPhone@Work:
1.
2.
Description
My device has no
phone number
Country
Item
Description
Mobile
Operator
Platform
Device Language
3.
Click Register.
Searching
You can search MyPhone@Work for specific content. Select one of the following content types from the dropdown list in the upper right corner:
Logging out
Click Log Out in the upper right corner to end your MyPhone@Work session.
Home
The Home page gives you an initial snapshot of your phone and your usage.
Communication Graph
The Communication Graph gives you a graphic snapshot of your communications.
Contacts that are matched are indicated in the node labels. Non-contacts are identified by
number.
The lengths of the lines joining the nodes indicate the relative rank of the corresponding contacts. In other words, those contacts you communicate with more frequently
are displayed with shorter lines. Click the arrow under the Communication Graph title
bar to display the underlying data for the graph.
Click a node in the graph to show the data for your interactions with just the corresponding phone.
My Usage
The My Usage section in the Home page provides a quick snapshot of your usage,
updated daily.
Storage
The Storage section provides a rough chart of internal and removable storage currently available on the phone.
Lost Phone
The Lost Phone section enables you to act in the event that your phone is lost or stolen. Select from the following options:
Find It
Lock It
Wipe It
Note: Your administrator must give you the required roles for access to these buttons.
Click Find It to display a map with the last known location of the phone. This feature is available only if you have been assigned the MyPhone@Work Locate role.
2.
If the last known location may be out of date, click the Update Location button to
remotely enable GPS and obtain a lat/long reading.
3.
Click OK to continue, despite the possibility that contacting the phone might take
some time.
A Cancel button is available in case the process takes longer than expected.
Wipe It
Click Wipe It to return your phone to factory defaults. This feature is available only if
you have been assigned the MyPhone@Work Wipe role.
3.
Click Restore.
4.
Select the device whose backup snapshots you want to select from.
5.
6.
Select the resources to restore (i.e., User Files and/or Storage Card).
7.
Click Apply.
My Apps
The My Apps section lists newly added apps available for your phone.
Click the My Apps link to display the Applications screen, or click the link for a displayed app to go directly to that page.
Contacts
Click the Contacts tab to display the list of contacts synchronized between your phone
and MyPhone@Work. If the Contacts tab is not enabled, then your MobileIron administrator did not enable contact synchronization. See Preferences on page 824.
Note: Contacts stored on the SIM card are not synchronized at this time.
Displaying contacts
Click a contact to display the information for that contact.
Searching contacts
To search your contact list, enter text in the Search Contacts field. You can search
your contacts list based on any name or number fields, such as First Name, Last
Name, Home Phone, and so on.
Adding contacts
To add a contact:
1.
2.
3.
Click Save.
The next time your phone connects to MobileIron, this new contact will be added to
the list of contacts on your phone.
Editing contacts
To edit a contact:
1.
2.
Click Edit.
3.
4.
Click Save.
Your changes will be copied to your phone the next time it connects to MobileIron.
Deleting contacts
To delete a contact:
1.
2.
Click Delete.
Click the heading for any column to sort the displayed list based on that column. Displayed contact names are links to the information for the corresponding contacts. If
you click an unknown contact, you are invited to add the contact to your address
book.
Showing/Hiding content
By default, the content of texts is hidden for privacy purposes. You can display the
content by clearing the Hide Text Content checkbox.
Keywords
Calls versus texts
Call types
Date range
Using keywords
Enter text in the Keywords field to restrict the display to those entries containing the
specified text. For texts, the keywords will be matched against the content as well as
the contact information.
Activity
The Activity page displays your statistics for calls, SMS, and data, and compares them
to the average calculated for your MobileIron implementation.
Filtering activity
To filter the displayed activity:
1.
2.
3.
4.
Apps
Click the My Apps icon to display the Applications page.
Browsing apps
The Applications page lists the applications recommended by your organization. The
MobileIron administrator can group these applications into custom categories. Click a
category to browse the applications available for download.
To determine which applications are currently installed on your phone, click Apps On
My Phone.
Installing apps
You can install apps that are displayed in the My Apps page. To install an app:
1.
2.
3.
The status of the app changes to Pending, indicating that it has been scheduled for
installation on your phone.
Uninstalling apps
To uninstall apps that are currently installed on your phone:
1.
2.
3.
Preferences
Use the Preferences page to change customizable settings.
Note: iOS users will see a subset of these options.
Privacy settings
Use the following guidelines for your privacy settings:
Setting
Description
Sync contacts
Specify whether you want to copy contact information between your phone and
MyPhone@Work. If you choose not to synchronize contacts, then the Contacts tab will be disabled. Note that contacts stored on your SIM
card are not currently synchronized.
Account settings
Change Password
To change your MobileIron password, click the Change Password link. This option does
not apply to users whose accounts are managed through LDAP.
Certificate
To upload a personal certificate:
1.
2.
3.
4.
5.
Appendix 8
System
Processor
Memory
16 GB
Drives
Chassis
Form Factor
19" 1U Rackmount
Dimensions (D x H x W)
Weight
Buttons
Power On/Off
LEDs
Power LED
Front Panel
2x USB Ports
Serial
IPMI
Intelligent Platform Management Interface (IPMI) 2.0 with virtual media over
LAN and KVM-over-LAN support; 1x
10/100BASE-T (RJ45)
Ethernet
2x 10/100/1000BASE-T (RJ45)
VGA
1x VGA (DB15)
PS/2
USB
2x USB Ports
Serial
Power
200 W maximum
Voltage
Connector
IEC 60320-C13
Back Panel
Power Supply
Operating Environment
Operating
Non-Operating
Heat Output
2 x Front, 3x Back
LAN
First-Generation Appliance
This section provides the specs for first-generation appliances, which were distributed
prior to mid-March, 2011.
General
Enclosure: 19" 1U rack mountable
Dimensions: 14" L x 1" H x 19" W
Power: 330 watt maximum
Heat Output: 1126 BTU/hr (3.412 BTU/hr/watt * 330 watt)
Memory: 16 GB
Processor: 2.4 GHz single CPU
Disks: 2 mirrored hard disks (250 GB)
Serial Port: 1 RJ45 form factor serial port in the front
# Ethernet Ports: 4 Gigabit
Port settings
Bits per second
9600
Data bits
Parity
None
Stop bits
Flow Control
None
RJ-45-to-DB-9 Terminal Adapter
Console Port (DTE) signal, RJ-45 Pin -> RJ-45 Pin, DB-9 Pin, Console Device signal
RTS -> CTS
DTR -> DSR
TxD -> RxD
GND -> GND
GND -> GND
RxD -> TxD
DSR -> DTR
CTS -> RTS
81
Appendix 9
4.
Description
Click Save.
At this point, the settings are saved, but not applied.
5.
To apply these changes, you need to restart the tomcat server for the MobileIron
VSP. Enter the following commands using the CLI:
enable
service tomcat stop
service tomcat start