
MobileIron VSP

Administration Guide
VSP Version 5.7
Standalone Sentry Version 4.7
Integrated Sentry Version 4.2
Android Client Version 5.6
iOS Client Version 5.7
WP8 Client Version 5.7
Revised: August 7, 2013
Proprietary and Confidential
Do Not Distribute

© 2009-2013 Mobile Iron, Inc. All Rights Reserved. Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication is subject to change without notice. Mobile Iron, Inc. does not warrant the use of this publication.

For some phone images, a third-party database and image library, © 2007-2009 Aeleeta's Art and Design Studio, is used. This database and image library cannot be distributed separate from the Mobile Iron product.

MobileIron, Connected Cloud, and MyPhone@Work are registered trademarks of Mobile Iron, Inc. BlackBerry is a registered trademark of RIM. Windows is a registered trademark of Microsoft, Inc. iPhone is a trademark of Apple, Inc. Android is a trademark of Google Inc.

Contents
Section I: Device Management - - - - - - - - - - - - - - - - - - - - 23
Chapter 1  Getting Started .......................................................................... 25

Administration tools ............................................................................ 26
Installation ........................................................................................ 26
Starting Admin Portal .......................................................................... 26
Logging out ........................................................................................ 27
Setup tasks ........................................................................................ 28
Setting the enterprise name ................................................................. 28
Setting the external hostname .............................................................. 28
Enabling iOS MDM support ................................................................... 28
If you intend to develop and distribute in-house apps .............................. 29
If you have already enabled iOS MDM support ........................................ 29
If you have not requested an MDM certificate yet .................................... 29
If you already have your MDM certificate ................................................ 30
Confirming MDM for an iOS device ........................................................ 32
Denying check-ins for devices having expired MDM certificates ................. 32
Displaying a report of devices having expired MDM certificates .................. 32

Using the Admin Portal ........................................................................ 33


Navigating the Admin Portal ................................................................. 33
Displaying hints in the Admin Portal ...................................................... 34
License monitor .................................................................................. 35
Prerequisites ...................................................................................... 35
Licenses and HA deployments ............................................................... 36
Supported features by OS .................................................................... 37
Common feature set ............................................................................ 37
Android ............................................................................................. 40
BlackBerry 10 ..................................................................................... 41
iOS ................................................................................................... 42
Mac OS X ........................................................................................... 43
Windows Phone 7 ................................................................................ 44
Windows Phone 8 ................................................................................ 45
Windows RT/Pro ................................................................................. 46
Supported platforms ............................................................................ 46

Chapter 2  Managing Users ......................................................................... 49

Introduction to user management ......................................................... 50
User sources ...................................................................................... 50
Users and roles ................................................................................... 51
User management page ....................................................................... 51
Managing LDAP users .......................................................................... 52
Displaying available LDAP users ............................................................ 52
Viewing LDAP user/group associations ................................................... 53
Synchronizing with the LDAP server ....................................................... 53
Setting the LDAP sync discard option ..................................................... 54
Deleting LDAP users ............................................................................ 55
Moving between the LDAP user display and the local user view ................. 56
Changing passwords for LDAP users ...................................................... 56
Don't append _MIxx ............................................................................ 56

Assigning and removing roles ............................................................... 57


Managing local users in Admin Portal ..................................................... 61
Adding local users in Admin Portal ......................................................... 61
Editing local users in Admin Portal ......................................................... 62
Linking local users to LDAP users .......................................................... 63
Deleting local users in Admin Portal ....................................................... 63
Forcing a password change for local users .............................................. 64

Language support ............................................................................... 66


Translated versions of the iOS, WP8, and Android clients .......................... 66
Selecting languages ............................................................................ 67
Setting the system default language ..................................................... 69
Changing language selection from Admin Portal ...................................... 69

Chapter 3  Registering Devices .................................................................... 71

Overview of registration methods .......................................................... 72
Admin registers a single device ............................................................. 72
Admin registers a list of devices (bulk registration) .................................. 73
Admin invites users to register .............................................................. 73
In-app registration for iOS and Android .................................................. 74
Users register additional devices ........................................................... 75
Admin registers ActiveSync devices ....................................................... 75

Registration considerations by OS ......................................................... 77


iOS ................................................................................................... 77
Android ............................................................................................. 77
Windows Phone 7, Windows RT, and Windows 8 Pro ................................ 78
Windows Phone 8 ................................................................................ 78

Registration by administrator: individual devices ..................................... 79


What the user sees ............................................................................. 80
Registration by administrator: multiple devices (bulk registration) ............. 82
Contents of the CSV ............................................................................ 82
Loading the multiple devices registration CSV ......................................... 85
What the user sees ............................................................................. 85
Invite users to register ........................................................................ 86
What the user sees ............................................................................. 87

In-app registration for iOS and Android .................................................. 88


What the user sees ............................................................................. 88
Auto-populating the server name (Android) ............................................ 88
ActiveSync device registration .............................................................. 89
Tracking registration status .................................................................. 90
Managing operators and countries ......................................................... 91
Enabling operators .............................................................................. 91
Enabling additional countries for registration .......................................... 91
Disabling operators ............................................................................. 91
Filtering operators ............................................................................... 92

Specifying eligible platforms for registration ............................................ 93


Configuring user authentication requirements for registration (iOS, Android, Windows Phone 8) .............................................................................. 94
Limit for failed attempts to enter a registration password ......................... 94
PIN-based authentication for WP8 devices .............................................. 94
Customizing registration messages ........................................................ 96
Displaying registration templates .......................................................... 96
Editing registration messages ............................................................... 96
Using variables in registration messages ................................................ 97
Filtering registration messages ............................................................. 99
Restoring registration messages to default content .................................. 99

Registration notes ............................................................................. 100


iOS profile fails to install .....................................................................100

Chapter 4  Managing Devices ..................................................................... 101

Overview of managing devices and users ............................................. 102
Users & Devices page .........................................................................102
Displaying device assets .................................................................... 103
Alerts displayed in the Devices page .....................................................105
Displaying more device and user information .........................................106
Searching for a device record ..............................................................110
Using the Users & Devices dashboard ..................................................112
Reporting on managed devices ............................................................113
Registration-related features and tasks ................................................ 114
Reprovision device .............................................................................114
Retire ...............................................................................................115
Resend provision message ..................................................................116
Security-related features and tasks ..................................................... 117
Lock .................................................................................................117
Unlock ..............................................................................................118
Wipe ................................................................................................119

Selective Wipe ...................................................................................119


Block AppTunnels ...............................................................................120
Lost .................................................................................................120
Found ...............................................................................................121
Locate ..............................................................................................121
Maintenance features and tasks .......................................................... 123
Send Message ...................................................................................123
Update Roaming Settings ....................................................................124
Enabling roaming for iOS devices .........................................................125
Disabling roaming for iOS Devices ........................................................126
Viewing roaming settings for iOS devices ..............................................127
Change Ownership .............................................................................128
Apply To Label ...................................................................................128
Remove From Label ...........................................................................129
Using labels to establish groups .......................................................... 130
Default labels ....................................................................................130
Filter and manual type labels ...............................................................131
Creating labels ..................................................................................131
Viewing devices currently associated with a label ...................................132
Associating a filter with a label: dynamic labels ......................................133
Deleting labels ...................................................................................134
Optional SMS configuration: Syscomm phone ....................................... 135

Chapter 5  Managing Policies ..................................................................... 137

Overview of managing policies ............................................................ 138
Policies page .....................................................................................138
Working with policies ......................................................................... 140
Displaying policies ..............................................................................140
Editing policies .................................................................................140
Applying policies to labels ...................................................................140
Removing Policies from labels ..............................................................141
Creating a new policy .........................................................................141
Deleting policies ................................................................................142
Displaying custom policies for a selected label .......................................142
Displaying custom policies for a selected user ........................................142
Prioritizing policies .............................................................................142
Displaying policy status ......................................................................143
Displaying supported platforms for policies ............................................145
Working with default policies .............................................................. 146
Working with security policies ............................................................ 147
If you change password specifications ...................................................154
Compliance actions for security policy violations .....................................154
Viewing quarantine information ............................................................162

Working with privacy policies .............................................................. 163


Working with lockdown policies ........................................................... 169
Working with sync policies .................................................................. 174
Sync policies and battery use ..............................................................179
Country changes and alerts .................................................................179
iOS multitasking sync interval and sending device details to the VSP .........179
Android devices and the Client Is Always Connected option ......................180
Working with backup & restore policies ................................................ 181
Working with Docs@Work policies ....................................................... 182
Working with single-app mode policies for iOS ...................................... 183
Finding the bundle ID .........................................................................183
Working with global HTTP proxy policies ............................................... 185
Working with Android kiosk policies ..................................................... 187
Using the Policies dashboard .............................................................. 188
Filtering by period of time ...................................................................188
Refreshing dashboard content .............................................................188
Policies dashboard panes ....................................................................188
Troubleshooting policies ..................................................................... 190
Troubleshooting: compliance actions ....................................................190
Troubleshooting: Android encryption ....................................................190
Troubleshooting: quarantine on iOS devices ..........................................190

Chapter 6  Managing Device Settings with Configurations .............................. 193

About managing device settings .......................................................... 194
Configurations page ...........................................................................195
Default ............................................................................................195
Displaying configurations (app settings) status ......................................197
Adding new configurations (app settings) ..............................................198
Editing configurations (app settings) .....................................................198
Deleting configurations (app settings) ...................................................199
Android Samsung browser settings ...................................................... 200
Android Samsung kiosk settings .......................................................... 201
Android Samsung Container settings .................................................... 202
Exchange settings ............................................................................. 205
iOS/OS X Exchange profiles and password caching .................................210
Email settings (POP and IMAP) ............................................................ 211
Supported variables ...........................................................................213
WiFi settings ..................................................................................... 214
Open authentication ...........................................................................214

Shared authentication ........................................................................217


WPA Enterprise authentication .............................................................219
WPA2 Enterprise authentication ...........................................................220
WPA Personal authentication ...............................................................222
iOS WiFi profiles and password caching .................................................223
VPN settings ..................................................................................... 224
PPTP ................................................................................................224
L2TP ................................................................................................225
IPSec (Cisco) .....................................................................................225
Cisco AnyConnect ..............................................................................227
Juniper SSL .......................................................................................228
F5 SSL .............................................................................................228
Custom SSL for iOS ............................................................................229
Supported variables ...........................................................................230
iOS VPN profiles and password caching .................................................230
AppConnect settings .......................................................................... 232
AppConnect Configuration settings ...................................................... 233
AppConnect Container policy settings ................................................... 234
Bookmarks settings ........................................................................... 235
Certificates settings ........................................................................... 236
SCEP settings ................................................................................... 237
Why proxy? .......................................................................................240
Using Symantec Managed PKI ..............................................................240
Using the OpenTrust integration ...........................................................241
Using Symantec Web Services Managed PKI ..........................................244
Docs@Work settings .......................................................................... 248
Web@Work settings .......................................................................... 249
iOS and OS X settings ........................................................................ 250
General settings ................................................................................250
CalDAV settings .................................................................................250
CardDAV settings ...............................................................................251
Web Clips settings ..............................................................................252
Configuration profile settings ...............................................................253
LDAP settings ....................................................................................253
iOS settings ..................................................................................... 255
Restrictions settings ...........................................................................255
Subscribed Calendars settings .............................................................258
APN settings ......................................................................................259
Provisioning Profile settings .................................................................259
iOS and OS X differences ................................................................... 260

Samsung KNOX support ..................................................................... 261


Disabling the container .......................................................................261
Re-enabling the container ...................................................................261

Chapter 7  Managing Certificates ................................................................ 263

Overview of certificates ...................................................................... 264
Types of certificates ...........................................................................265
Supported certificate scenarios ........................................................... 266
Using the VSP as a Certificate Authority ................................................266
Using the VSP as a certificate proxy .....................................................266
Using Kerberos constrained delegation ..................................................267
More information ...............................................................................268

Chapter 8  Troubleshooting Devices ............................................................ 269

Overview of troubleshooting devices .................................................... 270
Force Device Check-In ....................................................................... 271
Using logs ........................................................................................ 272
MDM Log ..........................................................................................272
Certificate Log ...................................................................................272
Browse All Logs (General Log) .............................................................273
Service Diagnostic screen ................................................................... 275

Chapter 9  Working with Events ................................................................. 277

About events .................................................................................... 278
Events page ......................................................................................278
Managing events ............................................................................... 279
Creating an event ..............................................................................279
Making sure the alert is sent to the correct recipients .............................279
Applying the event to a label ...............................................................280
Editing an event ................................................................................280
Deleting an event ..............................................................................280
Setting alert preferences .....................................................................280
Event types ...................................................................................... 281
International roaming event ................................................................281
Threshold reached event .....................................................................284
SIM changed event ............................................................................288
Memory size exceeded event ...............................................................290
System event ....................................................................................293
Policy violations event ........................................................................298
Displaying event center templates ........................................................303
Adding custom Event Center messages .................................................303
Using variables in Event Center messages .............................................305
Specifying which template to use .........................................................307

Filtering Event Center messages ..........................................................307


Editing Event Center messages ............................................................308
Deleting Event Center messages ..........................................................308
Customizing Event Center messages .................................................... 309
Displaying Event Center templates .......................................................309
Adding custom Event Center messages .................................................309
Using variables in Event Center messages .............................................311
Specifying which template to use .........................................................313
Filtering Event Center messages ..........................................................313
Editing Event Center messages ............................................................313
Deleting Event Center messages ..........................................................314
Events ............................................................................................. 315
Marking as Read or Unread .................................................................315
Filtering events ..................................................................................315
Exporting event history .......................................................................316
Adding a note ....................................................................................316

Chapter 10  Working with MobileIron Sentry .................................................. 317

MobileIron Sentry ............................................................................. 318
Adding, editing, and deleting a Sentry on the VSP ................................. 319
Adding an entry for MobileIron Integrated Sentry ...................................319
Adding a MobileIron Standalone Sentry entry ........................................319
Editing MobileIron Sentry settings ........................................................325
Deleting a Sentry entry .......................................................................326
451 redirect processing ...................................................................... 327
Disabling redirect processing ...............................................................327
Device and server authentication support for Standalone Sentry .............. 328
Device authentication .........................................................................328
Server authentication .........................................................................328
Configuring device and server authentication .........................................329
Authentication using Pass Through .......................................................330
Authentication using a group certificate ................................................330
Authentication using an identity certificate and Pass Through ..................331
Authentication using an identity certificate and Kerberos constrained delegation ....................................................................................... 333
Managing certificates for Standalone Sentry ......................................... 337
Generating a self-signed certificate for Sentry ........................................337
Generating a CSR for Sentry ................................................................338
Uploading Sentry certificates ...............................................................340
Viewing a Sentry certificate .................................................................341
Email attachment control support for Standalone Sentry ........................ 342
Supported devices .............................................................................342

Email attachment control options .........................................................342
Forwarding emails with attachments .....................................................345
File types that email attachment control supports ..................................345
Standalone Sentry S/MIME handling to sign or encrypt emails ..................347
Configuring email attachment control ................................................... 348
Configure the Standalone Sentry ..........................................................348
Regenerate the encryption key if it is compromised ................................350
ActiveSync server background health check .......................................... 354
Viewing the ActiveSync server status ....................................................354
Setting Sentry preferences ................................................................. 355
Auto blocking unregistered devices .......................................................355
Setting the Sentry Sync Interval ..........................................................355
Setting the Service Account Notification Email .......................................356
Default ActiveSync Policy behavior .......................................................356

Chapter 11

Working with ActiveSync Phones via MobileIron Sentry.................. 359


ActiveSync devices and MobileIron Sentry ............................................ 360
Working with ActiveSync policies ......................................................... 362
Adding multiple ActiveSync accounts to a registered device ..................... 367

Viewing ActiveSync associations .......................................................... 368


Information displayed for ActiveSync associations .................................368
Filtering the ActiveSync associations list ................................................369
Displaying more information for an ActiveSync association ......................369
Taking Actions on ActiveSync associations ............................................ 371
Allow ................................................................................................371
Block ................................................................................................372
Wipe ................................................................................................374
Registering ActiveSync phones ............................................................375
Removing ActiveSync phones ..............................................................375
Linking an ActiveSync device to a managed device .................................375
Overriding and re-establishing VSP management of a device ...................375
Assigning an ActiveSync policy ............................................................376
Reverting an ActiveSync policy ............................................................377
Allowing Windows 7 devices to sync ..................................................... 378

Chapter 12

Using the SMS Archive Package.................................................. 381


About the SMS Archive package .......................................................... 382

Chapter 13

Using Enterprise Connector........................................................ 383


Enterprise Connector for on-premise VSPs ............................................ 384
Installation and configuration tasks ......................................................384
Viewing Enterprise Connector status .....................................................384
Working with the Connector ............................................................... 385
Viewing the Connector detailed information ...........................................385
Changing user passwords ....................................................................386
Changing the status reporting interval ..................................................386

Section II: Apps and Data Management - - - - - - - - - - - - - - - 389

Chapter 14

Managing Mobile Apps with Apps@Work ...................................... 391


About managing mobile apps .............................................................. 392
What is the app distribution library? .....................................................392
What is app control? ...........................................................................392
What is app inventory? .......................................................................393
Working with apps for iOS devices ....................................................... 395
Prerequisites .....................................................................................395
iOS managed apps .............................................................................396
AppConnect apps ...............................................................................396
Apps@Work container for iOS ..............................................................396
Authentication options and iOS versions ................................................396
Setting up Apps@Work for iOS ............................................................397
Populating Apps@Work for iOS ............................................................398
Importing app store apps for iOS: App Store import ...............................398
Manually adding App Store apps for iOS ................................................399
Adding in-house apps for iOS ...............................................................404
Publishing apps in Apps@Work for iOS devices .......................................407
Removing apps from the app distribution library ....................................409
Linking app store apps to inventory apps ..............................................409
Upgrading apps .................................................................................409
Changing iOS app information .............................................................410
Changing the iOS app icon and screenshots ...........................................411
Adding a category for iOS apps ............................................................411
Changing the category for an iOS app ...................................................411
Turning user-paid apps into managed apps ...........................................411
Informing users of new apps and upgrades for featured apps ...................412
Editing app distribution messages ........................................................413
Customizing the Apps@Work icon ........................................................413
Unpublishing iOS apps (removing from labels) .......................................413
Managing iOS Volume Purchase Program (VPP) apps .............................. 415
How Apple's program works ................................................................415
Where MobileIron comes in .................................................................415
What device users see ........................................................................415
Setup tasks .......................................................................................415
Uploading the payment file to the VSP ..................................................416
Applying VPP labels ............................................................................416
Configuring a VPP alert .......................................................................416

Working with apps for Android devices ................................................. 418
What are Google Play apps? ................................................................418
What are in-house apps? ....................................................................418
What are secure apps? .......................................................................418
Silent install and uninstall on Samsung SAFE devices ..............................418
Adding Google Play apps for Android ....................................................419
Adding in-house apps for Android .........................................................422
Adding secure apps for Android ............................................................423
Adding apps to the app storefront for Android devices .............................426
Troubleshooting: Android apps ............................................................426
Working with apps for BlackBerry devices ............................................. 428
Working with apps for Windows Mobile devices ..................................... 429
Working with apps for Windows Phone 8 devices ................................... 430
Importing recommended apps for WP8 devices ......................................430
In-house and third-party apps for WP8 devices ......................................431
Before you develop in-house apps for WP8 devices .................................431
Adding the AET and applying a label .....................................................432
Adding in-house and third-party apps for distribution to WP8 devices ........432
Removing the label ............................................................................434
Upgrading to a new version of an app on WP8 devices ............................434
Editing WP8 app information ...............................................................434
Deleting a Windows Phone 8 app from the VSP ......................................435
Working with apps for Symbian devices ............................................... 436
Maintaining apps for BlackBerry, Windows Mobile, and Symbian .............. 437
Setting up app control ...................................................................... 438
App control alerts ..............................................................................438
App control rule types ........................................................................438
App control rule criteria ......................................................................439
App control rules applied in security policies ..........................................439
Configuring app control alerts ..............................................................440
Adding an app control rule ..................................................................440
Applying an app control rule to a security policy .....................................441
Viewing app control status ..................................................................442
Viewing app inventory ...................................................................... 443
What's in an app name? ......................................................................443
Synchronizing app inventory ...............................................................443
Filtering the inventory display ..............................................................443
Displaying the devices on which an app is installed .................................444
Managing app inventory ..................................................................... 445
Determining which apps are new ..........................................................445
Determining when an app was first reported ..........................................445
Launching a web search for a selected app ............................................445
Displaying permissions for Android apps ...............................................446
Deciding whether an app is OK ............................................................446
Moving directly to the App Control screen ..............................................447
Upgrading the MobileIron client application ........................................... 448
Override for in-house app URLs ........................................................... 449
Implementing app source override on the VSP .......................................449
Manual synchronization of apps ...........................................................450
Malware prevention: App reputation .................................................... 451
Enabling app reputation ......................................................................451
Viewing app reputation data ................................................................452

Chapter 15

Docs@Work ............................................................................ 453


About Docs@Work ............................................................................ 454
Docs@Work for content servers ...........................................................454
Docs@Work for email attachment control ..............................................454
Single Sign On for Docs@Work ............................................................455
Supported content servers ..................................................................455
Supported authentication to content servers ..........................................456
Supported ActiveSync servers for attachment control ..............................456
Supported devices .............................................................................456
Docs@Work requirements ...................................................................457
File viewers .......................................................................................457
SharePoint Pre-requisites ....................................................................457
File synchronization (iOS) ...................................................................458
Data security (iOS) ............................................................................458
Configuring email attachment control ................................................... 459
Configuring Docs@Work for content servers (Android) ........................... 460
Configuring Docs@Work for content servers (iOS) ................................. 461
Docs@Work setup tasks ..................................................................... 462
Enable Docs@Work ............................................................................462
For Android, obtain and configure apps .................................................462
Set up Docs@Work configurations ........................................................463
For iOS: Set up Docs@Work policies .....................................................467
Set up your preference for saving passwords on the VSP .........................470
Impacts of other MobileIron features (iOS) ........................................... 472
Quarantine impact on documents .........................................................472
Retire and wipe impact on documents ...................................................472
Block impact on documents .................................................................473
Jailbreak impact on documents ............................................................473
Impacts of other MobileIron features (Android) ..................................... 474
Supported files in the Mobile@Work for iOS app .................................... 475

Chapter 15

AppConnect ............................................................................ 477


About AppConnect ............................................................................. 478
What are AppConnect-enabled apps? ....................................................478
AppConnect and AppTunnel .................................................................479
AppConnect apps and Single Sign On ....................................................479
App-specific Configuration from the VSP ...............................................479
What operating systems support AppConnect? .......................................480
AppConnect for Android ......................................................................480
AppConnect for iOS ............................................................................481
How to configure AppConnect ............................................................. 482
Basic configuration .............................................................................482
Adding third-party and in-house secure apps .........................................482
Adding AppTunnel support ..................................................................482
Adding compliance actions ..................................................................483
AppConnect configuration tasks .......................................................... 484
Adding secure apps for deployment ......................................................484
Configuring the AppConnect global policy ..............................................484
Configuring AppConnect container policies .............................................494
Enabling MobileIron secure apps ..........................................................498
Enabling AppConnect third-party and in-house apps ...............................498
Configuring an AppTunnel service ........................................................499
Configuring an AppConnect app configuration ........................................504
Enabling AppTunnel ............................................................................510
Configuring the Open With Secure Email App option ...............................510
Configuring compliance actions ............................................................510
Managing AppTunnel ......................................................................... 512
Manually blocking the AppTunnel feature on a device ..............................512
Viewing App Tunnels ..........................................................................512
Taking actions on app tunnels ..............................................................513
Using AppConnect for Android ............................................................. 514
Why a Secure Apps Manager? ..............................................................514
AppConnect apps that MobileIron provides for Android ............................514
VSP licensing options for Android secure apps ........................................515
Document types supported by ThinkFree Document Viewer .....................516
Using AppTunnel with the SharePoint Client app .....................................516
Lock, unlock, and retire impact on AppConnect ......................................517
Situations that wipe AppConnect app data .............................................518
Accessible apps to preserve the user experience ....................................518
Device details for AppConnect apps ......................................................519
Using AppConnect for iOS .................................................................. 520
AppConnect apps that MobileIron provides for iOS ..................................520
Mobile@Work and AppConnect apps .....................................................520

Chapter 17

Web@Work for iOS ................................................................... 523


Supported iOS devices ........................................................................523
Required MobileIron products ..............................................................523
Web@Work overview ..........................................................................523
Multi-factor authentication and authorization for device users ..................524
Web@Work URL schemes ....................................................................525
Pasteboard data loss prevention handling ..............................................526
Situations when Web@Work deletes its sensitive data .............................526
Web@Work distribution ......................................................................526
Secure enterprise web site access using AppTunnel ................................526
Web@Work user agent string ..............................................................527
Configuring Web@Work on the VSP Admin Portal ...................................528

Section III: System Management - - - - - - - - - - - - - - - - - - 539


Chapter 18

Overview of System Manager ..................................................... 541


Introduction to System Manager ......................................................... 542
Getting started ................................................................................. 543
Starting System Manager ....................................................................543
Starting System Manager from Admin Portal ..........................................543
Logging out .......................................................................................544
Saving a configuration ........................................................................544

Chapter 19

Configuring VSP System Settings................................................ 545


Overview ......................................................................................... 546
Interfaces ........................................................................................ 547
Managing network interfaces ...............................................................547
Changing physical interfaces ...............................................................547
Adding VLAN interfaces .......................................................................548
Deleting a VLAN interface ....................................................................549
Routes ............................................................................................. 550
Adding network routes ........................................................................550
Deleting network routes ......................................................................550
DNS and Hostname ........................................................................... 552
Static Hosts ...................................................................................... 553
Date and Time (NTP) ......................................................................... 555
CLI ................................................................................................. 557
Syslog ............................................................................................. 559
SNMP .............................................................................................. 560
Email Settings .................................................................................. 562
Optional SMS configuration: Syscomm phone ........................................563
Port Settings .................................................................... 564
Data Purge ....................................................................................... 566
Services .......................................................................................... 569

Chapter 20

Configuring VSP Security Settings............................................... 571


Overview ......................................................................................... 572
Identity Source > Local Users ............................................................. 573
Adding local users for System Manager .................................................573
Editing local users for System Manager .................................................574
Deleting local users for System Manager ...............................................575
Certificate Mgmt ............................................................................... 576
To generate a self-signed certificate .....................................................576
To generate a certificate signing request (CSR) ......................................578
Uploading certificates .........................................................................580
Viewing certificates ............................................................................581
Access Control Lists ........................................................................... 583
Editing an ACL ...................................................................................585
Copying an ACL .................................................................................585
Deleting an ACL .................................................................................585
Networks and Hosts .......................................................................... 586
Network Services .............................................................................. 588
Access Control Lists: ACLs .................................................................. 590
Portal ACLs ...................................................................................... 591

Chapter 21

Configuring VSP Maintenance Settings......................................... 593


Overview ......................................................................................... 594
Getting MobileIron server software updates .......................................... 595
Exporting the configuration ................................................................ 596
Importing a configuration ................................................................... 597
Clearing the configuration .................................................................. 598
Rebooting ........................................................................................ 599
Manually purging data (system storage) .............................................. 600
Backing up and restoring the VSP ........................................................ 601
Configuring system backups ................................................................601
Viewing backup status ........................................................................603
Viewing backup logs ...........................................................................604
Restoring from a system backup ..........................................................605
Restoring data only ............................................................................606

Chapter 22

Troubleshooting ....................................................................... 607


Overview ......................................................................................... 608
Working with logs ............................................................................. 609
Enabling debugging for MobileIron modules ...........................................609
Disabling debugging ...........................................................................610
Viewing logs ......................................................................................610
Exporting logs ...................................................................................611
Remote logs ......................................................................................613
Network monitor ............................................................................... 615
Service diagnosis .............................................................................. 616
LDAP sync history ..............................................................................616

Section IV: Command Line Interface (CLI) - - - - - - - - - - - - - - 617


Chapter 23

Command Line Interface ........................................................... 619


About CLI ........................................................................................ 619
Logging in .........................................................................................619
Logging out .......................................................................................619
Help commands .................................................................................619
Auto-complete keys ...........................................................................620
Movement keys .................................................................................620
Deletion keys ....................................................................................620
Modes ..............................................................................................621
EXEC mode commands ...................................................................... 622
enable ..............................................................................................622
exit ..................................................................................................623
help .................................................................................................623
host .................................................................................................623
logout ..............................................................................................624
ping .................................................................................................624
show banner .....................................................................................624
show clock ........................................................................................624
show hostname .................................................................................625
show interfaces .................................................................................625
show ip ............................................................................................625
show log ...........................................................................................626
show logging .....................................................................................628
show logtail .......................................................................................628
show memory ...................................................................................629
show ntp status .................................................................................629
show processes .................................................................................629
show service .....................................................................................630
show software repository ....................................................................630
show tcp ...........................................................................................630
show timeout ....................................................................631
show version .....................................................................................632
timeout ............................................................................................632
traceroute .........................................................................................632
EXEC PRIVILEGED commands ............................................................. 633
clear arp-cache ..................................................................................634
configure terminal ..............................................................................634
dbcleanup app_inventory ....................................................................634
disable .............................................................................................635
end ..................................................................................................635
exit ..................................................................................................635
failover .............................................................................................635
grubupdate .......................................................................................635
install rpm ........................................................................................635
no install rpm ....................................................................................637
poweroff ...........................................................................................637
reload ..............................................................................................637
service .............................................................................................638
setup ...............................................................................................638
show portalacl ...................................................................................639
show running-config ...........................................................................639
show statichost ..................................................................................640
show system .....................................................................................640
show tech .........................................................................................642
software checkupdate .........................................................................642
software update .................................................................................643
ssh ..................................................................................................643
telnet ...............................................................................................643
write ................................................................................................644
CONFIG commands ........................................................................... 644
banner .............................................................................................645
certificate client .................................................................................645
certificate portal ................................................................................646
clock set ...........................................................................................646
do ....................................................................................................647
enable secret ....................................................................................647
end ..................................................................................................648
eula .................................................................................................648
hostname .........................................................................................648
interface GigabitEthernet ....................................................................649
interface VLAN ...................................................................................649
ip arp ...............................................................................................649
ip domain-name ................................................................................650
ip name-server ..................................................................................650

ip route ............................................................................................650
kparam ............................................................................................651
no ....................................................................................................651
ntp ..................................................................................................652
portalacl ...........................................................................................653
service .............................................................................................653
service support ..................................................................................653
software repository ............................................................................654
statichost ..........................................................................................654
syslog ..............................................................................................655
system user ......................................................................................655
INTERFACE mode commands .............................................................. 655
end ..................................................................................................656
ip address .........................................................................................657
no ....................................................................................................657
physical interface GigabitEthernet ........................................................657
shutdown ..........................................................................................658

Section V: Appendixes - - - - - - - - - - - - - - - - - - - - - - - 659


Appendix A

Known Issues and Usage Notes 661


Known issues ................................................................................... 662
Usage notes ..................................................................................... 671
General ............................................................................................671
Android ............................................................................................672
Workarounds for VI-89 .......................................................................674
iOS ..................................................................................................677
Windows Phone 7 ...............................................................................679
Networks with limitations ....................................................................680
Devices with limitations ......................................................................680

Appendix B

Web-based Registration for iOS and OS X Devices 683


What is web-based registration? ......................................................... 684
Preparation .......................................................................................684
Installing the Mobile@Work app for iOS ................................................684
Implementing web-based registration for iOS and OS X devices .............. 685

Appendix C

Distributing iOS MDM Profiles with Apple Configurator 689


Notes on using Apple Configurator .......................................................689
How to use Apple Configurator for MobileIron registration .......................689

Appendix D

Secure Apps on Android Devices 695


Download and install the secure apps .................................................. 696
Create the secure apps passcode ........................................................ 697

Secure apps notifications ................................................................... 698


Secure apps status bar icons .............................................................. 699
Camera, gallery, and media player warning messages ............................ 700

Appendix E

Secure apps on iOS Devices 701


Creating a secure apps passcode ..........................................................701
Logging in with the secure apps passcode .............................................704
Logging out of secure apps ..................................................................705
Resetting the secure apps passcode - user initiated ................................705
Resetting the secure apps passcode - administrator initiated ....................708
Handling a forgotten secure apps passcode ...........................................711

Appendix F

Docs@Work for iOS 717


Accessing content server documents ....................................................718
Accessing email attachments ...............................................................726
Managing local files ............................................................................729
Managing recently opened email attachments ........................................735
Opening documents in other apps ........................................................741
Supported files in the Mobile@Work for iOS app .....................................743
Mobile@Work on an iPad .....................................................................743

Appendix G

The SharePoint Client App for Android 747


Accessing a content server ..................................................................747
Set up content server access ...............................................................747
View the content server repositorys documents .....................................751
Refresh the content server ..................................................................753
Save documents locally ......................................................................754
Email a document ..............................................................................756
Automatically saved documents ...........................................................758

Appendix H

Working with the MobileIron App and Related Agents for Android 759
Uninstalling the MobileIron app for Android ........................................... 760
Uninstalling the Samsung DM Agent .................................................... 763
Troubleshooting email setup on Android devices .................................... 764
How the Email Setup screen works .......................................................765
Device Administrator privileges for the Samsung email app .....................766
Troubleshooting based on results .........................................................767
Troubleshooting Wi-Fi setup on Android devices .................................... 768
Displaying the Wi-Fi Setup page ...........................................................769
Understanding and using the Wi-Fi Setup page ......................................771
Troubleshooting based on results .........................................................773
Certificate configuration support on the MobileIron for Android app .......... 774
Certificate Setup screen ......................................................................774
Certificate support for Wi-Fi setup ........................................................775

Certificate alerts ................................................................................775

Appendix I

Multi-User Support for iOS 5 and Later 777


Using Secure Sign-In ......................................................................... 778
Setting Secure Sign-In preferences ..................................................... 781
Setting unique restrictions for signed-out devices .................................. 782
Example ...........................................................................................782
Enabling Secure Sign-In ..................................................................... 783
User certificates and device certificates .................................................783
Remote sign-out ............................................................................... 784
What gets removed on sign-out .......................................................... 785

Appendix J

Android Kiosk Support 787


Requirements ....................................................................................787
Setup steps ...................................................................................... 788
Finding the package name for an Android app ........................................788
Creating an Android Kiosk policy ......................................................... 789
Single-app kiosk policy .......................................................................789
Multiple-apps kiosk policy ...................................................................790
Creating an Android Kiosk configuration ............................................... 793
Enabling/Disabling Android kiosk mode ................................................ 795
From the Admin Portal ........................................................................795
From the kiosk device .........................................................................795
Example .......................................................................................... 796
Device details ................................................................................... 797
Deployment notes ............................................................................. 798

Appendix K

The User Portal: MyPhone@Work 799


What is MyPhone@Work? ................................................................... 800
Supported browsers ...........................................................................800
Supported platforms ...........................................................................800
Getting started ................................................................................. 801
Logging in .........................................................................................801
Registering phones .............................................................................802
Searching .........................................................................................803
Logging out .......................................................................................804
Home .............................................................................................. 805
Communication Graph ........................................................................805
My Usage ..........................................................................................808
Storage ............................................................................................808

Lost Phone ........................................................................................809


If you have more than one phone ........................................................812
My Apps ...........................................................................................812
Contacts .......................................................................................... 813
Displaying contacts ............................................................................813
Searching contacts .............................................................................814
Adding contacts .................................................................................814
Editing contacts .................................................................................815
Deleting contacts ...............................................................................816
Calls & Texts .................................................................................... 817
Showing/Hiding content ......................................................................817
Filtering calls and text ........................................................................817
Activity ............................................................................................ 819
Filtering activity .................................................................................819
Displaying underlying data ..................................................................819
Apps ............................................................................................... 821
Browsing apps ...................................................................................821
Installing apps ...................................................................................822
Uninstalling apps ...............................................................................823
Preferences ...................................................................................... 824
Privacy settings .................................................................................824
Account settings ................................................................................824

Appendix L

Physical Appliance Hardware Specification 825


MobileIron Standard Appliance (M2100) ............................................... 826
MobileIron M2500 Series Appliance ...................................................... 828
First-Generation Appliance ................................................................. 829
General ............................................................................................829
Port settings ......................................................................................829
Console Port Signaling and Cabling Using a DB-9 Adapter ........................830

Appendix M

Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates 831
What the HTTP outbound proxy does not apply to ..................................832


Section I: Device Management

Company Confidential
23


Chapter 1

Getting Started


Getting Started

Administration tools
The VSP has the following administration tools:

Admin Portal
System Manager
Admin Portal handles the most common administrative tasks.
System Manager handles VSP configuration and system troubleshooting. See Section
III: System Management for information on using System Manager.

Installation
The MobileIron Admin Portal is installed as part of the system setup. See the Installation Guide for installation details.

Starting Admin Portal


To log into Admin Portal:

1. Enter the URL for the MobileIron Admin Portal in a supported browser:
   https://<fully_qualified_hostname>/mifs

2. Enter a user ID and password having a role that provides access to at least a portion of the Admin Portal. The ID and password are case sensitive.
   Note: The administrator user created during installation has an appropriate role. See Assigning and removing roles on page 57.

3. Click SIGN IN.

If you enter the wrong password five consecutive times, the user ID you entered will be locked out temporarily. Wait 30 seconds and try again.


Bookmarking Admin Portal pages


Do not create bookmarks for Admin Portal pages. Session IDs will be included in the
bookmark and may cause connection problems. If you would like to create a bookmark for the Admin Portal, create one manually for the following URL:
https://<fully_qualified_hostname>/mifs

Logging out
To log out of the MobileIron Admin Portal, click the Log Out link in the upper right corner. If you do not log out, your session will expire after a period of inactivity.


Setup tasks
Setting the enterprise name
The company name entered during the MobileIron VSP installation is used as the
default enterprise name identifying your organization in email, SMSes, alerts, and certificates. If the company name you entered is not the one you want to use in these
contexts, you can change the name. Be sure to do so before you upload certificates,
or you may impact all registered devices. To change this name:
1. Click the Settings tab in the Admin Portal.
2. Click the Preferences link.
3. In the Enterprise Name field, enter the text to use when referring to the enterprise.
4. Click Save.

Setting the external hostname


The external hostname is set during installation. It is used in the registration URL sent to users for completing the registration process. It is also used in self-signed certificates. Note that changing this field requires the following:

- Regeneration of any self-signed certificates, or uploading matching portal-HTTPS and client-TLS certificates
- Rebooting the appliance

To specify a different host name to use for external access:

1. Click the Settings tab in the Admin Portal.
2. Click the Preferences link.
3. In the External Host field, enter the fully-qualified domain name to be used for accessing MobileIron.
4. Click Save.
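Because the external hostname appears in the registration URL and must match the portal-HTTPS certificate, it is worth verifying the certificate the appliance actually serves before users start registering. The following Python script is an added example written for this guide, not MobileIron code and not something the product provides. It assumes the portal presents its certificate on TCP port 443, and that a self-signed appliance certificate, if you use one, is available as a PEM file you can pass as a trust root. The sample certificate dictionary is constructed here in the shape that ssl.SSLSocket.getpeercert() returns, so the check runs offline.

```python
"""Verify that a VSP portal certificate is valid for the configured external hostname.

Added example for this guide (not MobileIron code). The name-matching rules follow
what browsers do: DNS SANs take precedence over the subject CN, and a wildcard may
only stand for one whole leftmost label.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real
# appliance certificate. Valid from 2013-01-01 to 2015-01-01 UTC.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "vsp.example.com"),),),
    "subjectAltName": (("DNS", "vsp.example.com"), ("DNS", "*.corp.example.com")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}

THIRTY_DAYS = 30 * 86400


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if one SAN/CN entry covers hostname (case-insensitive, RFC 6125 style)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    pat = cert_name.split(".")
    host = hostname.split(".")
    # Wildcard only as the entire leftmost label, with at least two labels after it
    # (so "*.com" is rejected), and never anywhere else in the name.
    if pat[0] != "*" or len(pat) < 3 or "*" in cert_name[1:]:
        return False
    # A wildcard matches exactly one label, so the label counts must agree.
    return len(pat) == len(host) and pat[1:] == host[1:]


def cert_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: DNS SANs, or the subject CN only if there are none."""
    dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return [value]
    return []


def check_portal_cert(cert: Dict, external_host: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the certificate is usable for external_host."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(hostname_matches(n, external_host) for n in names):
        problems.append("no SAN or CN matches %s (certificate names: %s)" % (external_host, names))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    elif not_after - now < THIRTY_DAYS:
        problems.append("certificate expires within 30 days")
    return problems


def fetch_portal_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> Dict:
    """Fetch the live portal certificate. Needs network access; not used by the offline sample.

    Chain verification stays on (with verify_mode=CERT_NONE, getpeercert() returns an
    empty dict), but check_hostname is off so that check_portal_cert can report a
    mismatch instead of the handshake simply failing. Pass the appliance's self-signed
    certificate as cafile if that is what it serves.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration against the constructed sample, as of 2013-09-24 UTC.
    for name in ("vsp.example.com", "mdm.corp.example.com", "other.example.com"):
        print(name, check_portal_cert(SAMPLE_CERT, name, now=1380000000) or "OK")
```

To check a real appliance, call check_portal_cert(fetch_portal_cert("vsp.example.com"), "vsp.example.com") with the hostname you entered in the External Host field; run it again after you regenerate or upload certificates and reboot, since a certificate that still carries the old name will break registration for every device that uses the new URL.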

Enabling iOS MDM support


Once you have completed all steps required by Apple, you can enable iOS MDM support in MobileIron. See the following source for information on Apple's current program:
http://www.apple.com/ipad/business/integration/mdm/
MobileIron uses Apple's enhanced MDM certificate infrastructure to streamline the process of acquiring and uploading an MDM certificate. You can now complete the following tasks from a single screen within the Admin Portal:

- generate a Certificate Signing Request (CSR)
- upload the CSR
- access the Apple Push Certificates Portal to request a certificate
- upload the MDM certificate


If you already have an MDM certificate, but have not uploaded it, you can upload it
from the same screen.

If you intend to develop and distribute in-house apps


If you intend to develop in-house apps for distribution, then you still need to participate in Apple's iDEP program. The enhanced MDM certificate infrastructure does not eliminate this requirement.

If you have already enabled iOS MDM support


If you enabled iOS MDM support in a previous MobileIron release, then you should not
use the enhanced certificate infrastructure at this time unless otherwise instructed by
Apple or MobileIron. Doing so will disable your current certificates for all registered
iOS devices.

If you have not requested an MDM certificate yet


To complete the process if you have not yet requested the MDM certificate from Apple:

1. In the Admin Portal, select Settings.
2. Scroll down to the MDM Preferences section.
3. Select the Enable MDM Profile option.
4. Click Install MDM Certificate.
   The following dialog displays.
5. Click Create new plist to generate the required property list in Apple's .PLIST XML format.
   This may take a few minutes. Click the Refresh icon to update the status of this task.
6. Once the plist has been generated, click Download the plist.
7. Select a location for the plist when prompted.
   The downloaded file is req-plist.txt.
8. Click the Apple Push Certificates Portal link to start the process of requesting the MDM certificate.
9. When you receive the certificate, click Display Upload Certificate Form.
10. Click Browse to select the MDM certificate.
11. Click Upload Certificate.

If you already have your MDM certificate


If you have already requested and received your MDM certificate from Apple, you can
upload the certificate using the following steps:

1. In the Admin Portal, select Settings.
2. Scroll down to the MDM Preferences section.
3. Select the Enable MDM Profile option.
   The following dialog displays.
4. Select I already have an MDM Certificate, and want to upload it.
5. Click Display Upload Certificate Form.
6. Click Browse to select the MDM certificate.
7. Click Upload Certificate.

Confirming MDM for an iOS device


To confirm that MDM is operational for an iOS device:

1. Select the device in the All Devices page.
2. Expand the Details section of the Device Details pane.
3. Confirm that the MDM Operational flag value is Yes.

Denying check-ins for devices having expired MDM certificates

By default, the VSP allows iOS devices having expired MDM certificates to check in. To deny check-ins to these devices, complete the following steps:

1. Select Settings > Preferences in Admin Portal.
2. In the MDM Preferences section, clear the Permit expired client certificate option.
3. Click Save.

Displaying a report of devices having expired MDM certificates

To display a list of iOS devices having expired MDM certificates, complete the following steps:

1. Select Settings > Preferences in Admin Portal.
2. Select the MDM Certificate Report link.
3. Open or save the resulting CSV file.


Using the Admin Portal


There are some basic points to review before you start using the Admin Portal:

- Navigating the Admin Portal
- Displaying hints in the Admin Portal
- License monitor

Navigating the Admin Portal

The following table describes the UI elements in the Admin Portal.

Element: Description

Main menu: The main navigation menu.
Secondary menu: Displays the sub-level menus for the main menu.
Page level task bar: Includes the set of actions you can take on each record displayed in the page.
Login information: Displays the user logged in, and the function to sign out.
Information center: Provides links to the MobileIron support website, the MobileIron VSP version information, and license status.
Getting Documentation: The MobileIron support website also includes product documentation. You will need credentials to access the MobileIron support website.
System manager: Links to the VSP System Manager.
Page: Displays all the records for the menu.
Details panel: Displays more information for each record in the Page.

To switch from the Admin Portal to the System Manager, select the System Mgr link at
the top of any page in the Admin Portal.
You will be prompted to enter a user ID and password. Enter the user ID and password for the local user created during setup or a local user created in the System
Manager under Security > Local Users.
Note: During setup, two local users having the same credentials are created, one for
Admin Portal and one for System Manager. If you have made changes to the roles or
password for the Admin Portal user, these changes will not affect the System Manager
user.
To switch from the System Manager to the Admin Portal, select the Admin Portal link at the top of any page in the System Manager. Note that certain actions performed in the System Manager may require you to log in again when you switch to Admin Portal.

Displaying hints in the Admin Portal


Each screen in the Admin Portal includes a hidden panel displaying basic information
about the use of the screen. Two buttons are available for displaying the panel.

To display the panel and leave it open, click the double arrow button in the upper right
portion of the screen. To display the panel and have it close automatically when you
move the cursor away from the panel, click the ? button.


License monitor
The Licensing link is available by clicking on the ? icon on the top right-hand corner of
the Admin Portal.
Note: The appearance of the link depends on configuration with MobileIron's internal license tracking systems. Therefore, the link might not be visible immediately after you upgrade.
Click the link to display:

- total number of licenses purchased
- licenses used across all VSPs
- licenses used on the current VSP
- % of used licenses applied to the current VSP

The following licenses are supported:

- Advanced Management (device licenses purchased and used)
- AppConnect
- Docs@Work

Pre-requisites
The license monitor requires access to the MobileIron Gateway.


Licenses and HA deployments


If MobileIron Professional Services has implemented a high-availability (HA) deployment for you, then you will see additional VSP license usage. MobileIron is managing
these licensing issues. You can ignore the additional license at this time.


Supported features by OS
Each operating system has features and limitations that differentiate it from the other operating systems. Depending on the device's operating system and native API, some of the MobileIron features are available and some are not.
Below is information about the features available for each supported operating system:

- Common feature set on page 37
- Android on page 40
- BlackBerry 10 on page 41
- iOS on page 42
- Mac OS X on page 43
- Windows Phone 7 on page 44
- Windows Phone 8 on page 45
- Windows RT/Pro on page 46
- Supported platforms on page 46

Common feature set


This table lists features across Android, iOS, BlackBerry 10, Mac OS X, Windows Phone 7, Windows Phone 8, and Windows RT/Pro devices.
All features in this table are common to both Android and iOS devices. If a feature is available on only iOS or Android, but not on both, it will not be listed in this table.
Other operating systems are included in this table to provide quick access to information about the availability of features in comparison with Android and iOS.
See the remaining sections for the full feature set of each operating system.
Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Per Device

yes

yes

yes

yes

Bulk
User Self-Service
(By Invitation)

yes

yes

yes

yes

yes

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Device Inventory

yes

yes

yes

yes

Device Details

yes

yes

yes

yes

Provisioning

Asset Management

Ownership Status

yes

yes

yes

yes

Designate Lost Device


Designate Found
Device

yes

yes

yes

yes

yes

yes

Retire Device

yes

yes

yes

yes


Send Message

yes

yes

partialq

Force Check-In

yes

yes

yes

Reprovision Client

yes

yes

Sync Policy

yes

yes

partial

Group Actions (Labels) yes

yes

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Lock

yes

yes

yes

Unlock

yes

yes

Wipe

yesb

yes

yesc

yes

yesc

yes

yesc

Selective Wipe (Email)


Certificate
Distribution
Encryption Policy
(Internal Storage)
Encryption Policy
(SD Card)

yesd

yesd

yesd

yesi

yes

yes

yesf, v

yesg,i

yest

yesh

yesi

N/A

Password Policy

yes

yes

yesc

yes

yesc

yes

yesc

Lockdown Policy

yesi

yesj

yesl

Privacy Policy
Block Registration
by OS

partialm

partialm

partialm

yes

yes

yes

yes

Locate
Email Attachment
Control

yes

yes

yesn

yesn

partialk,n

partialn

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Device Inventory

yes

yes

yes

yes

yes

yes

Device Details

yes

yes

yes

yes

yes

yes

Allow / Block

yes

yes

yes

yes

yes

yes

Wipe

yes

yes

yes

yes

yes

yes

Register

yes

yes

yes

ActiveSync Policy

yes

yes

yes

yes

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

yes

yes

yesn,q

Security

Sentry Access
Control

Compliance Actions

Alert via Event


Center yes
Block ActiveSync via
Sentry yes

yes

yes

Quarantine yes

yes

Block AppConnect Apps yes

yes

Block App Tunnels

yes

yes

Wipe AppConnect Apps

yes

yes

Remove Configurations

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

yes

yes

App Management

Enterprise App
Storefront yes


App Distribution Library

yes

yes

App Control Policy

yes

yes

App Inventory

yes

yes

Install

yesi

yes

App Tunneling

yes

yes

yes

yesu

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Content Server Access yes

yes

Secure Web Browsing yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

yesi,p

yes

partials

yes

Content
Management

Application Settings
Exchange

VPN

yes

yes

yes

Wi-Fi

yes

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

International
Roaming

yes

yes

Event Center

partial

partial

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

yes

yes

Android

iOSa

BlackBerry
10

OS Xa

WP7

WP8

Win RT/Pro

Register

yes

yes

yes

Alerting

Troubleshooting
Email Client Logs

MyPhone@Work
Portal
Lock

yes

yes

Wipe

yes

yes

yes

Find It

yes

yes

a Requires an APNS certificate for MDM (provided by Apple).
b Includes SD cards for most devices.
c Through MobileIron Sentry and ActiveSync.
d Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring the device; do not use the Selective Wipe command.
e Supported for Cisco's AnyConnect VPN client on Android.
f Only root certificates are supported.
g Supported for Android 3.0 and higher.
h Cannot be disabled.
i Specific versions of Android, SAFE APIs, or Mobile@Work are required for some features. See the detailed documentation.
j Through iOS Restriction settings.
k One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
l SD cards only.
m Device location and inventory collection can be disabled on iOS and Android devices. Inventory collection can be disabled on OS X.
n Through Docs@Work.
p Through integration with selected devices and email apps.
q Via email only.
r Push notifications are not supported; therefore, initial sync is supported at registration only, and subsequent changes are not recognized.
s Only contacts are supported.
t Via iOS Data Protection.
u In-house and third-party apps only.
v Identity certificates can be distributed via Mobile@Work.

Android
Bold text indicates that the feature is available on Android and not available on iOS. (Bold formatting and the column layout were lost in extraction; the feature groups below are reconstructed from the flattened table, with footnote letters shown in square brackets.)

Security: Lock, Unlock, Wipe, Selective Wipe (Email), Certificate Distribution, Encryption Policy (Internal Storage) [b,c], Encryption Policy (SD Card), Password Policy, Lockdown Policy [b,c,d], Privacy Policy (partial) [e], Sync Policy, Extended Lockdown Policy [d], Block Registration by OS, App Tunneling
Asset Management: Device Inventory, Device Details, Ownership Status, Designate Lost Device, Designate Found Device, Retire Device, Send Message, Force Check-In, Reprovision Client, Group Actions (Labels), Locate
Application Management: Enterprise App Storefront, App Distribution Library, App Control Policy, On-Device Inventory, Install, Uninstall, Silent Install/Uninstall [g], Content Server Access, AppConnect Wrapper
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Wipe, Register, ActiveSync Policy
MyPhone@Work Portal: Register, Lock, Wipe, Find It
Application Settings: Exchange [d], Wi-Fi, VPN [h], Kiosk [d]
Compliance Actions: Alert via Event Center, Block ActiveSync via Sentry, Quarantine, Block AppConnect Apps, Wipe AppConnect Apps, Remove Configurations
Alerting: International Roaming, Event Center [i]
Provisioning: Per Device, Bulk, User Self-Service (By Invitation)
Troubleshooting: Email Client Logs
Content Management: Secure Web Browsing, Content Server Access

a Includes SD cards for most devices.
b Supported for devices on which the Samsung SAFE APIs are present.
c Supported on Android 3.0 and higher.
d Specific versions of Android, SAFE APIs, or Mobile@Work are required for some features. See the detailed documentation.
e Only Location and Apps privacy settings currently apply.
f Through Docs@Work.
g Starting with Mobile@Work 5.1, supports silent install and uninstall on Samsung SAFE devices running Android 2.2 or later.
h Supported for Cisco AnyConnect.
i One or more significant parts of this feature are not supported. See the detailed documentation for this feature.

BlackBerry 10
(Column layout reconstructed from the flattened table; footnote letters are shown in square brackets.)

Security: Password Policy [a], Encryption Policy [a]
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Selective Wipe, ActiveSync Policy

a Via MobileIron Sentry and ActiveSync.

iOS
Bold text indicates that the feature is available on iOS and not available on Android. (Bold formatting and the column layout were lost in extraction; the feature groups below are reconstructed from the flattened table, with footnote letters shown in square brackets.)

Security: Lock, Unlock, Certificate Distribution, Encryption Policy (Internal Storage) [g], Password Policy, Lockdown Policy [b], Privacy Policy (partial) [c], Sync Policy, Block Registration by OS, Wipe, Selective Wipe [a], Email Attachment Control [d], App Tunneling
Asset Management: Device Inventory, Device Details, Ownership Status, Designate Lost Device, Designate Found Device, Retire Device, Send Message, Force Check-In, Reprovision Client, Group Actions (Labels), Locate
Application Management: Enterprise App Storefront, App Distribution Library, App Control Policy, On-Device Inventory, Install, Uninstall, AppConnect Wrapper, AppConnect SDK
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Wipe, Register, ActiveSync Policy
MyPhone@Work Portal: Register, Wipe, Lock, Find It
Application Settings: Exchange, Wi-Fi, VPN
Compliance Actions: Alert via Event Center, Quarantine, Block ActiveSync via Sentry, Block AppConnect Apps, Wipe AppConnect Apps, Remove Configurations
Alerting: International Roaming, Service Quality Monitoring [e], Event Center [f]
Provisioning: Per Device, Bulk, User Self-Service (By Invitation)
Troubleshooting: Email Client Logs
Content Management: Secure Web Browsing, Content Server Access

a Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring the device; do not use the Selective Wipe command.
b Via iOS Restrictions settings.
c Only Location and Apps privacy settings currently apply.
d Through Docs@Work.
e Speed-test and user-reported dropped calls only.
f One or more significant parts of this feature are not supported. See the detailed documentation for this feature.
g Via iOS Data Protection.

Mac OS X
(Column layout reconstructed from the flattened table; footnote letters are shown in square brackets.)

Security: Lock, Unlock, Wipe, Certificate Distribution, Password Policy, Privacy Policy, Block Registration by OS
Asset Management: Device Inventory, Device Details, Ownership Status, Designate Lost Device, Designate Found Device, Retire Device, Force Check-In, Group Actions (Labels)
Application Management: On-Device Inventory
Application Settings: Exchange [b], Wi-Fi, VPN
Provisioning: Per Device, Bulk

a Only apps privacy settings apply.
b Only contacts are synchronized.

Windows Phone 7
(Column layout reconstructed from the flattened table; footnote letters are shown in square brackets.)

Security: Wipe [a], Password Policy [a], Email Attachment Control
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Wipe, ActiveSync Policy

a Via MobileIron Sentry and ActiveSync.
b Through Docs@Work. One or more significant parts of this feature are not supported. See the detailed documentation for this feature.

Windows Phone 8
(Column layout reconstructed from the flattened table; footnote letters are shown in square brackets.)

Security: Selective Wipe (Email), Certificate Distribution [b], Encryption Policy (Internal Storage) [c], Password Policy, Wipe [f], Sync Policy, Lockdown Policy [d], Block Registration by OS
Asset Management: Device Inventory, Device Details, Ownership Status, Retire Device, Group Actions (Labels)
Application Management: Enterprise App Storefront, App Distribution Library, Install, Silent App Update (In-house apps), App Inventory (In-house/third-party apps)
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Wipe, Register, ActiveSync Policy
MyPhone@Work Portal: Wipe
Application Settings: Exchange
Compliance Actions: Alert via Event Center [e], Block ActiveSync via Sentry
Provisioning: Per Device, Bulk, User Self-Service (By Invitation)

b Identity certificates can be distributed via Mobile@Work.
c Enabled by default; cannot be disabled.
d SD card only.
e Push notifications are not supported; therefore, initial sync is supported at registration only, and subsequent changes are not recognized.
f Selective wipe of email through security compliance actions, removing the device from the associated label, or retiring the device; do not use the Selective Wipe command.

Windows RT/Pro
(Column layout reconstructed from the flattened table; footnote letters are shown in square brackets.)

Security: Wipe [a], Password Policy [a], Email Attachment Control
Sentry Access Control: Device Inventory, Device Details, Allow / Block, Wipe, ActiveSync Policy

a Via MobileIron Sentry and ActiveSync.
b Through Docs@Work. One or more significant parts of this feature are not supported. See the detailed documentation for this feature.

Supported platforms
The following platforms are supported:

Android 2.2 and higher (minimum Android 2.3 for AppConnect features)
BlackBerry 10
iOS versions 4.0 and higher
OS X Lion, Mountain Lion
Windows Phone 7, 8
Windows RT/Pro
Supported iOS devices
iPhone 3GS and later
all iPads
iPod touch 4th generation


Supported OS X devices

Model ID          Model Name
MacBook7,1        MacBook (13-inch, Mid 2010)
MacBook6,1        MacBook (13-inch, Late 2009)
MacBook5,2        MacBook (13-inch, Early/Mid 2009)
MacBook5,1        MacBook (13-inch, Late 2008)
MacBook4,1        MacBook (13-inch, Early/Late 2008)
MacBook3,1        MacBook (13-inch, Late 2007)
MacBook2,1        MacBook (13-inch, Late 2006/Mid 2007)
MacBookAir5,2     MacBook Air (13-inch, Mid 2012)
MacBookAir5,1     MacBook Air (11-inch, Mid 2012)
MacBookAir4,2     MacBook Air (13-inch, Mid 2011)
MacBookAir4,1     MacBook Air (11-inch, Mid 2011)
MacBookAir3,2     MacBook Air (13-inch, Late 2010)
MacBookAir3,1     MacBook Air (11-inch, Late 2010)
MacBookAir2,1     MacBook Air (13-inch, Late 2008/Mid 2009)
MacBookAir1,1     MacBook Air (13-inch, Early 2008)
MacBookPro10,2    MacBook Pro (13-inch, Retina, Late 2012)
MacBookPro10,1    MacBook Pro (15-inch, Retina, Mid 2012)
MacBookPro9,2     MacBook Pro (13-inch, Mid 2012)
MacBookPro9,1     MacBook Pro (15-inch, Mid 2012)
MacBookPro8,3     MacBook Pro (17-inch, Early/Late 2011)
MacBookPro8,2     MacBook Pro (15-inch, Early/Late 2011)
MacBookPro8,1     MacBook Pro (13-inch, Early/Late 2011)
MacBookPro7,1     MacBook Pro (13-inch, Mid 2010)
MacBookPro6,2     MacBook Pro (15-inch, Mid 2010)
MacBookPro6,1     MacBook Pro (17-inch, Mid 2010)
MacBookPro5,5     MacBook Pro (13-inch, Mid 2009)
MacBookPro5,4     MacBook Pro (15-inch, Mid 2009)
MacBookPro5,3     MacBook Pro (15-inch, Mid 2009)
MacBookPro5,2     MacBook Pro (17-inch, Early/Mid 2009)
MacBookPro5,1     MacBook Pro (15-inch, Late 2008)
MacBookPro4,1     MacBook Pro (15/17-inch, Early/Late 2008)
MacBookPro3,1     MacBook Pro (15/17-inch, Mid/Late 2007)
MacBookPro2,2     MacBook Pro (15-inch, Late 2006)
MacBookPro2,1     MacBook Pro (17-inch, Late 2006)

Chapter 2

Managing Users

Introduction to user management


This chapter explains how to manage local and LDAP users for Admin Portal. For information on managing local users in System Manager, see Identity Source > Local
Users on page 573.

User sources
MobileIron supports local users and LDAP users. Local users are entities created in the local MobileIron database. They are not known to the network or other corporate services. LDAP users are imported from your organization's LDAP server.
In most cases, you will configure an LDAP server and import LDAP users.
Local users are best for the following scenarios:

administration
testing

Local users created in the Admin Portal can be used for registering devices and accessing Admin Portal and MyPhone@Work. Local users created in the System Manager can be used in the System Manager and the CLI.

misystem user
misystem is a default VSP user used for the following tasks:

creates the default rules and policies


executes system maintenance tasks
This user is not listed in the Admin Portal, and it has no VSP roles assigned to it.

Local Users Created During Setup


The local user you define during setup actually results in two local users, one in Admin
Portal and one in System Manager.

Though these two users start with the same name and password, they are separate users stored in separate databases. Changes made to one do not affect the other. For example, if you change the password for the Admin Portal user, the password for the System Manager user does not change.

Users and roles


You work with the following basic user types in Admin Portal:

Super users
Help desk users
Device users
Super users have all roles assigned. Help desk users have a combination of Admin Portal roles assigned that enable them to perform basic IT tasks. The combination of roles may vary according to the organization's needs. Device users usually have limited roles assigned to enable registration and access to the MyPhone@Work user portal.

LDAP groups and roles


In a large organization, assigning roles to individual users can be cumbersome.
Instead, you can assign roles to LDAP groups or organizational units. Assigning roles
to these LDAP entities applies them to all members of these entities.

User management page


In the Users & Devices page in Admin Portal, click Users to display the user management screen.
By default, the user management screen displays the Authorized Users view. This
view includes LDAP and local users. You can display LDAP entities by selecting from
the To dropdown list.

Required role
The User Management role is required for access to the user management screen.


Managing LDAP users


The Installation Guide explains how to configure LDAP servers for use in your MobileIron implementation. Once you have configured one or more LDAP servers, the associated LDAP entities can be displayed in the User management screen. LDAP entities
are useful for assigning roles that are inherited by the members of an entity. LDAP
users are immediately available for device registration.
Note: If you want an LDAP user to have access to MyPhone@Work, then you must
assign the User Portal role. Likewise, access to features in Admin Portal requires the
appropriate roles. See Assigning and removing roles on page 57.

Displaying available LDAP users


To display the LDAP users that are available:
1. In the Users & Devices page, click Users.
2. Select LDAP Entities from the To dropdown list.
3. Select LDAP Users from the Category dropdown list.
4. In the Search by Name field, enter text that will match an LDAP user entry in the selected category, based on first name, last name, or account name.
   You may use % as a wildcard. For example, to search for all users having smith at the end of the user ID, you would enter %smith.
5. Click the search icon.
   The matching user records are displayed.

LDAP does not report members for a group that is also the Primary Group for those members. If you do not see the users you expect, examine your LDAP configuration. Consider using OUs instead.

Viewing LDAP user/group associations


The Users screen includes links for displaying associations between users and groups.
For example, if you have assigned a role to the Engineering group, you can display the
users associated with that group.

Click the link next to an authorized LDAP entity to display the associated entities.

Synchronizing with the LDAP server


MobileIron synchronizes user data from the LDAP server every 24 hours, by default. If
you want to synchronize immediately, as when you have added new users, then click
the Resync with LDAP button in the Users page.

Changing the LDAP Sync Interval


To change the amount of time between each synchronization with LDAP servers:
1. Select Settings > LDAP > Preferences.
2. Select the preferred interval from the dropdown.
3. Click Save.

Setting the LDAP sync discard option


The LDAP sync discard option under LDAP preferences provides control over:

whether to discard the LDAP sync data if the reloaded data set declines significantly
at what point the decline is considered significant
This option is enabled by default and set to 25%. This default ensures that abnormal
behavior on the part of the LDAP system will not result in unnecessary, disruptive
updates in the VSP and removal of configurations from registered devices. Consider
changing or disabling this setting if you are going to make major changes to your
LDAP system. Be sure to confirm that the changes are acceptable before disabling this
feature.
To change this option:
1. Select Settings > LDAP.
2. Click the Preferences link.
3. Adjust the setting as needed:
   To change the threshold at which the sync is discarded, enter a different percentage.
   To disable the setting, clear the Enable Sync Discard checkbox.
4. Click Save.

When the LDAP sync declines


Typical reasons for a significant decline in the LDAP sync include:

changes in the LDAP environment
slow response from the LDAP server
network congestion

When a sync is discarded, a message appears under Settings > Service Diagnostic. The message contains the LDAP counts before and after the sync and the percentage configured in the Enable Sync Discard setting.
Consider the following steps when the sync fails for this reason:
1. Did the issue first start at about the same time as a major change to the LDAP environment?
   This would suggest that a valid change in the LDAP environment triggered the discard.
2. Has the sync failed once or multiple times?
   If sync has failed once, try a manual sync. If sync has failed multiple times, determine whether a change was made to the LDAP environment. If you are unable to find a major change, consider changing the percentage for the Enable Sync Discard setting.
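The sync discard safeguard described above (the Enable Sync Discard setting and the diagnostic it produces when a sync is discarded), as an added example that is not MobileIron's code. The class and function names, the treatment of a decline exactly at the threshold as significant, and the diagnostic message wording are assumptions made for illustration.

```python
"""Added example (not MobileIron's code): the LDAP "sync discard" safeguard.

The VSP keeps the previous LDAP data set when a reload shrinks it by more
than the configured percentage (25% by default), so a truncated or failed
directory response does not cascade into role removals on the VSP and
configuration removal on registered devices. Names, the threshold
comparison and the diagnostic message format are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class SyncDiscardPolicy:
    enabled: bool = True              # the "Enable Sync Discard" checkbox
    threshold_percent: float = 25.0   # page default


@dataclass(frozen=True)
class SyncDecision:
    discarded: bool
    before: int
    after: int
    decline_percent: float
    message: str                      # what would appear under Service Diagnostic


def decline_percent(before: int, after: int) -> float:
    """Percentage by which the user count fell; 0.0 if it grew or was empty."""
    if before <= 0:
        return 0.0
    return max(0.0, (before - after) * 100.0 / before)


def evaluate_sync(before: int, after: int, policy: SyncDiscardPolicy) -> SyncDecision:
    """Decide whether the reloaded data set is kept or discarded.

    Assumption: a decline equal to the threshold counts as significant.
    """
    pct = decline_percent(before, after)
    discarded = policy.enabled and pct >= policy.threshold_percent
    if discarded:
        message = (f"LDAP sync discarded: user count fell from {before} to {after} "
                   f"({pct:.1f}% decline, threshold {policy.threshold_percent:.0f}%)")
    else:
        message = f"LDAP sync accepted: user count {before} -> {after}"
    return SyncDecision(discarded, before, after, pct, message)


def apply_sync(current: FrozenSet[str], reloaded: FrozenSet[str],
               policy: SyncDiscardPolicy) -> Tuple[FrozenSet[str], SyncDecision]:
    """Return the user set the VSP keeps after the sync, plus the decision.

    On discard the previous data set stays in force, so no user loses roles
    and no device has configurations removed because of a bad reload.
    """
    decision = evaluate_sync(len(current), len(reloaded), policy)
    return (current if decision.discarded else reloaded), decision


def consecutive_discards(decisions: Iterable[SyncDecision]) -> int:
    """Trailing discard count, mirroring the "failed once or multiple times?" check."""
    count = 0
    for decision in reversed(list(decisions)):
        if not decision.discarded:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: the directory returned only a partial result set.
    policy = SyncDiscardPolicy()
    current = frozenset(f"user{i}" for i in range(1000))
    partial = frozenset(f"user{i}" for i in range(600))
    kept, decision = apply_sync(current, partial, policy)
    print(decision.message)   # 40% decline: discarded, previous 1000 users kept
    print(len(kept))
```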

Deleting LDAP users


You can delete an LDAP user if that user is not associated with a registered device.
To delete an LDAP user:
1. In the Users & Devices page, click Users.
2. Click the checkbox for the user you want to delete.
3. Click Delete User.

Moving between the LDAP user display and the local user view
To move back to the local user view, select Authorized Users from the To dropdown list.

Changing passwords for LDAP users


The Admin Portal does not currently provide an LDAP interface that enables changing an LDAP user's password.

Don't append _MIxx

Avoid creating user IDs that include _MIxx, where xx is a number. This sequence is reserved for user IDs requiring special processing, which includes stripping the _MI sequence and all characters following it.


Assigning and removing roles


Note: The User Management role is required for completing this task.
Assign roles to enable access to product features available through interfaces such as
the Admin Portal and MyPhone@Work.
The MobileIron Server recognizes the following roles for users:

Role: Description

User Portal
    Allows access to the User Portal (MyPhone@Work).
    For iOS and Android, this role is required for registration unless PIN-based registration is configured. For WP8, this role is required for registration.
    With User Portal selected, you can choose to enable or disable the following roles: MyPhone@Work Locate, MyPhone@Work Lock, MyPhone@Work Wipe, MyPhone@Work Registration.
    Local users receive User Portal access by default, but LDAP users do not.

MyPhone@Work Locate
    Allows end users to locate their phones from MyPhone@Work.

MyPhone@Work Lock
    Allows end users to lock their phones from MyPhone@Work.

MyPhone@Work Wipe
    Allows end users to wipe their phones from MyPhone@Work.

MyPhone@Work Registration
    Allows end users to register phones from the MyPhone@Work user portal. If this role is not applied, then the Add a Phone link does not appear in the MyPhone@Work portal. However, iOS and Android users can still register devices from within the MobileIron app. If you want to prevent additional registrations from within the app, consider requiring a Registration PIN (Settings > Preferences).

User Management
    Allows access to the Users link in the Users & Devices main menu in the Admin Portal.

Users & Devices
    Allows access to the following in the Admin Portal: all secondary menus, except Users, in the Users & Devices main menu; and App Tunnels in the Apps main menu.
    The User Management role is required to access the Users menu. Access to all secondary menus in the Users & Devices main menu requires the following roles: Users & Devices, User Management.

Policies
    Allows access to the security and policies features: all secondary menus, except Configurations, in the Policies & Configs main menu.
    Note: The Apps & Configs role is required to access Configurations in the Policies & Configs menu. Access to all secondary menus in the Policies & Configs main menu requires the following roles: Policies, Apps & Configs.

Apps & Configs
    Allows access to the following in the Admin Portal: all secondary menus, except App Tunnels, in the Apps main menu; and Configurations in the Policies & Configs main menu.
    Note: The Users & Devices role is required to access App Tunnels in the Apps main menu. Access to all secondary menus in the Apps main menu requires the following roles: Apps & Configs, Users & Devices.

Events
    Allows access to Events Settings and Events in the Logs & Events main menu in the Admin Portal.

Settings
    Allows access to all secondary menus in the Settings main menu in the Admin Portal.

Logs
    Allows access to all secondary menus except Events Settings and Events in the Logs & Events main menu in the Admin Portal.
    Note: The Events role is required to access Events Settings and Events in the Logs & Events menu. Access to all secondary menus in the Logs & Events main menu requires the following roles: Logs, Events.

API
    Allows access to the Web Services API to enable custom reporting.

Sentry For iPad
    Allows access to the Sentry for iPad app.

Selective Wipe
    Allows access to the Selective Wipe function in the Admin Portal.

Admin Wipe
    Allows access to the Wipe function in the Admin Portal.

Admin Locate
    Allows access to the Locate function in the Admin Portal.

To assign roles to users in the Admin Portal:
1. Click Users in the Users & Devices page.
2. Select the type of users you want to work with:
   Select Authorized Users from the To dropdown list to select from existing user accounts.
   Select LDAP Entities from the To dropdown list to select groups of users from the configured LDAP server. (Roles assigned to an LDAP entity are inherited by all members of the entity.)
3. If you selected LDAP Entities, select the type of entity in the Category dropdown: Authorized LDAP Entities, LDAP OU, LDAP Groups, or LDAP Users.
4. If the user or group you want to work with is not displayed, enter information in the Search by Name field and click the search icon.
5. Click the checkbox next to each user or entity you want to work with.
6. Click Assign Roles.
7. Select the roles you want to assign and clear the roles you want to remove.
8. Click Save.
   The new roles take effect the next time an affected user logs in. A user who is logged in when the change is made must log out and log back in to see the effects of the change.

Managing local users in Admin Portal


This section explains how to manage local users in Admin Portal. For information on
managing local users in System Manager, see Identity Source > Local Users on
page 573.

Adding local users in Admin Portal


Note: The User Management role is required for completing this task.
To add a user account in the local MobileIron database for Admin Portal:
1. In the Users & Devices page, click Users.
2. Click the Add Local User button.
3. Use the following guidelines to complete the information:

   User ID: Enter the unique identifier to assign to this user.
       Note: If you are using local users and LDAP users, the user ID cannot match that of an LDAP user.
   First Name: Enter the user's first name.
   Last Name: Enter the user's last name.
   Display Name: Optional name used to identify the device user. If you leave this field blank, then the display name will have the following format: Firstname Lastname
   Password: Enter a password for the user. The password has the following requirements:
       Passwords must have at least 8 characters.
       Passwords must contain at least 1 alphabetic character.
       Passwords must contain at least 1 numeric character.
       Passwords cannot have 4 or more repeating characters.
       Passwords cannot be the same as the user ID.
       Passwords may contain Unicode characters, except for CLI access.
       Users cannot change a password more than once during a 24 hour period.
   Confirm Password: Confirm the password for the user.
   Email: Enter the user's email address.

4. Click Save.
5. Assign the necessary roles. See Assigning and removing roles on page 57.
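The local user rules stated in this chapter (the reserved _MIxx sequence in user IDs, the rule that a local user ID must not match an LDAP user ID, and the password requirements in the field table above) checked in code, as an added example that is not MobileIron's code. Function names and messages are assumptions, as is reading "4 or more repeating characters" as a run of consecutive identical characters.

```python
"""Added example (not MobileIron's code): validating a new Admin Portal local
user against the rules this chapter states.

Rules from the page: the user ID must not match an LDAP user ID and must not
contain the reserved "_MIxx" sequence (which the VSP strips, together with
everything after it); passwords need at least 8 characters, 1 alphabetic and
1 numeric character, no 4 or more repeating characters, must differ from the
user ID, may contain Unicode except for CLI access, and may be changed at
most once per 24 hours. Function names, messages and the reading of
"repeating" as consecutive identical characters are assumptions.
"""
import re
from typing import Iterable, List, Optional

# "_MI" followed by one or more digits, anywhere in the ID
RESERVED_SUFFIX = re.compile(r"_MI\d+")


def has_reserved_suffix(user_id: str) -> bool:
    return RESERVED_SUFFIX.search(user_id) is not None


def strip_reserved_suffix(user_id: str) -> str:
    """Mirror the special processing the page describes: drop "_MI" and all
    characters following it, so you can see what such an ID would become."""
    match = RESERVED_SUFFIX.search(user_id)
    return user_id if match is None else user_id[:match.start()]


def user_id_problems(user_id: str, ldap_user_ids: Iterable[str]) -> List[str]:
    """Rules for the User ID field when local and LDAP users coexist."""
    problems: List[str] = []
    if not user_id:
        problems.append("user ID is required")
    if user_id in set(ldap_user_ids):
        problems.append("matches an existing LDAP user ID")
    if has_reserved_suffix(user_id):
        problems.append("contains the reserved _MIxx sequence")
    return problems


def has_repeating_run(text: str, length: int = 4) -> bool:
    """True if any character repeats `length` or more times in a row."""
    run = 1
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        if run >= length:
            return True
    return False


def password_problems(password: str, user_id: str, for_cli: bool = False) -> List[str]:
    """Every requirement from the Password field that the candidate fails."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("at least 1 alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("at least 1 numeric character")
    if has_repeating_run(password):
        problems.append("no run of 4 or more repeating characters")
    if password == user_id:
        problems.append("must differ from the user ID")
    if for_cli and not password.isascii():   # Unicode allowed except for CLI access
        problems.append("ASCII only for CLI access")
    return problems


def can_change_password(hours_since_last_change: Optional[float]) -> bool:
    """At most one change per 24-hour period (None: never changed before)."""
    return hours_since_last_change is None or hours_since_last_change >= 24


if __name__ == "__main__":
    # Constructed sample data for a test rollout (not real accounts).
    ldap_ids = {"jsmith", "adoe"}
    print(user_id_problems("jsmith", ldap_ids))        # ['matches an existing LDAP user ID']
    print(strip_reserved_suffix("jsmith_MI12"))         # jsmith
    print(password_problems("aaaa1234", "tester1"))     # repeating-run failure
    print(password_problems("Rollout2013", "tester1"))  # []
```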

Editing local users in Admin Portal


You can edit account information for local users. For example, you can:

change the MobileIron password
edit the first name, last name, or display name
update the email address

Note: The User Management role is required for completing this task.
To edit local user account information:
1. Display the Users & Devices page.
2. Click Users.
3. Click the Edit icon for the user entry to display the Edit User dialog.
4. Make the changes to the displayed information.
   See Adding local users in Admin Portal on page 61 for information on completing each field.
5. To change the user password, click the Change Password link.
6. Click Save.

Linking local users to LDAP users


A local user can be matched with its corresponding LDAP user. For example, suppose
you created a local user for preliminary system rollout and testing, but for the production rollout, you want that user matched with its LDAP equivalent.
To match a local user to its corresponding LDAP entry:
1. In the Users & Devices page, click Users.
2. Click the checkbox for the local user you want to match.
3. Click Link to LDAP.

Note: Existing roles for the local user are removed. The next time the user authenticates, roles will be applied based on the LDAP group of the corresponding LDAP user.

Deleting local users in Admin Portal


You can delete a local user if that user is not associated with a registered device.
To delete a local user:
1. In the Users & Devices page, click Users.
2. Click the checkbox for the user you want to delete.
3. Click Delete User.

Forcing a password change for local users


If there is a possibility that a local user's credentials have been exposed or compromised, you can force that user to change the password during the next login. For example, if you have emailed credentials, you should consider forcing the user to set a new password.
To force a password change for a local user:
1. Select the user in the User management screen.
2. Click the Force Password Change button.
3. Click Yes to confirm the action.
   The next time that user completes a successful login, a dialog prompts the user to set a new password.

Language support
MobileIron currently provides the following language support features:

Translated versions of the iOS and Android clients


Selection of supported languages
Default language selection
Changing language selection from Admin Portal

Translated versions of the iOS, WP8, and Android clients


The device's selected language determines which language the MobileIron Client uses. Once the MobileIron Client communicates a language change to the VSP, the VSP uses the selected language for messages sent to the device.

iOS client
The MobileIron iOS client is available in the following languages:

English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)

See the release notes for the iOS Client for any recent additions to this list. Also see
iOS messages on page 68 for information on the languages supported for messages
sent to iOS devices from the VSP.

WP8 client
The MobileIron WP8 client is available in the following languages:

English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian

The language for Mobile@Work is automatically set to the language setting of the device. It defaults to United States English, if the language setting on the device is not supported.

Android client
The MobileIron Android client is available in the following languages:

English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)

See the release notes for the Android Client for any recent additions to this list. Also
see Android messages on page 68 for information on the languages supported for
messages sent to Android devices from the VSP.

Selecting languages
You may choose to enable or disable languages for the messages sent from the VSP to
devices. For example, if you have only Japanese-speaking users, you may prefer to
remove the other message templates from the Admin Portal.
To determine which languages are enabled:
1. Select Settings > Preferences.
2. Under Language Preferences, move the supported languages to the preferred list: Disabled Languages or Enabled Languages.
3. Click Save.

iOS messages
The following languages are supported for messages sent to iOS devices:

English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian

Android messages
The following languages are supported for messages sent to Android devices:

English
French (France)
German
Japanese
Korean
Simplified Chinese
Traditional Chinese
Portuguese (Brazilian)
Spanish (Latin American)
Russian

Setting the system default language


The System Default Language setting under Settings > Preferences determines the
language to be used if the locale of the device cannot be determined or the corresponding language is not supported. The languages available for this setting are
determined by the languages in the Enabled Languages list.

Changing language selection from Admin Portal


Administrators can manually change the language selection for devices that do not
report their locale. In this case, language selection applies only to the messages sent
from the MobileIron VSP (e.g., Event Center alerts). If the device later reports a different locale, then the VSP honors the reported locale.
To change the language selection for a device:
1. In the Admin Portal, go to Users & Devices > Devices.
2. Click on the checkbox next to the device.
3. Click on Actions > Change Language.
   A dialog displays.
4. In the Set Language dropdown, select the preferred language.
5. Click Change Language.
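The language precedence described in this section (the device's reported locale, the Enabled Languages list, the System Default Language, and the administrator's Change Language override for devices that do not report a locale), as an added example that is not MobileIron's code. The class names, the use of language codes instead of the names in the Admin Portal, and the data model are assumptions.

```python
"""Added example (not MobileIron's code): how the VSP chooses the language for
messages it sends to a device, following the rules in this section.

Precedence modelled: a locale the client has reported wins; if that language
is not in the Enabled Languages list, or the device reported nothing and no
administrator override applies, the System Default Language is used. An
administrator override (Actions > Change Language) applies only to devices
that have not reported a locale. Names and the data model are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class LanguageSettings:
    enabled: FrozenSet[str]   # Enabled Languages list under Settings > Preferences
    system_default: str       # System Default Language; must be an enabled language

    def __post_init__(self) -> None:
        if self.system_default not in self.enabled:
            raise ValueError("System Default Language must be an enabled language")


@dataclass
class DeviceLanguage:
    reported_locale: Optional[str] = None   # last language the client communicated
    admin_override: Optional[str] = None    # set via Actions > Change Language


def set_admin_language(device: DeviceLanguage, language: str,
                       settings: LanguageSettings) -> bool:
    """Apply the Change Language action; the dropdown offers only enabled languages."""
    if language not in settings.enabled:
        return False
    device.admin_override = language
    return True


def report_locale(device: DeviceLanguage, locale: str) -> None:
    """The client communicated its language; from now on the VSP honors it."""
    device.reported_locale = locale


def message_language(device: DeviceLanguage, settings: LanguageSettings) -> str:
    """Language used for VSP-originated messages such as Event Center alerts."""
    if device.reported_locale is not None:
        if device.reported_locale in settings.enabled:
            return device.reported_locale
        return settings.system_default   # reported, but not a supported/enabled language
    if device.admin_override is not None and device.admin_override in settings.enabled:
        return device.admin_override     # device never reported a locale
    return settings.system_default       # locale cannot be determined


if __name__ == "__main__":
    # Constructed settings: Japanese and English enabled, English as the default.
    settings = LanguageSettings(frozenset({"en", "ja"}), "en")
    device = DeviceLanguage()
    print(message_language(device, settings))   # en (nothing known yet)
    set_admin_language(device, "ja", settings)
    print(message_language(device, settings))   # ja (admin override)
    report_locale(device, "ko")
    print(message_language(device, settings))   # en (ko reported, not enabled)
```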

Chapter 3

Registering Devices

Overview of registration methods


Registering a device designates it for management by the VSP.
The following registration methods are available:

admin registers a single device


admin registers a list of devices
admin invites users to register
in-app registration for iOS and Android
users register additional devices
admin registers ActiveSync devices

The process resulting from these methods may vary by device OS.
Note: Windows Phone 7 does not require registration.

Admin registers a single device


The admin can register a single device from the Admin Portal.

Best for
This method is best for the following scenarios:

adding the first few devices to a new system


adding a few new devices to an existing system
Level of end-user interaction
Medium for most OSes.

Prerequisites
The user (local or LDAP) associated with the device must be available for selection
at the time of registration.

For iOS, WP8, and Android, the User Portal role must be assigned to the user.
The following information must be available for the device:
phone number (if any)
country
platform
See Registration by administrator: individual devices on page 79.

Admin registers a list of devices (bulk registration)

The admin can register a large group of devices by uploading a CSV file containing the information required for registration.

Best for
This method is best for the following scenarios:
• adding a significant number of devices
• rolling out multiple devices into a production environment
• registering devices managed by BES 4.x
• using web-based registration with iOS devices (see Web-based Registration for iOS and OS X Devices on page 683)

Level of end-user interaction
Medium for most OSes.

Prerequisites
• LDAP users specified in the CSV file must be available for selection. Local users that have not been created already will be created as part of the Bulk Registration process.
• For iOS, WP8, and Android, the User Portal role must be assigned to the users.
• The following information must be available for the device:
  - phone number (if any)
  - country
  - platform

See
Registration by administrator: multiple devices (bulk registration) on page 82

Admin invites users to register

For users who are mobility savvy and do not require significant assistance, you can send an invitation and enable them to register their own phones. You can send an invitation to multiple users from the Users Management screen. The invitation includes instructions on how to log into MyPhone@Work to register phones.

Best for
• adding devices for users who do not require assistance
• rolling out multiple devices into a production environment

Level of end-user interaction
High. Users must initiate the registration process, enter all required information, and respond to installation prompts on the device.


Prerequisites
• The user (local or LDAP) associated with the device must be available for selection at the time of registration.
• LDAP users must have the User Portal role assigned.
• For iOS, WP8, and Android, the User Portal role must be assigned to the user, and the MyPhone@Work Registration option must be enabled.
• The user needs to know the following information for the device:
  - phone number (if any)
  - country
  - platform

See
Invite users to register on page 86

In-app registration for iOS and Android

One way to reduce the load on IT personnel is to instruct iOS and Android users to download the MobileIron app directly from the App Store on iTunes or from Google Play (formerly Android Market) and initiate registration from within the app.

Best for
• adding iOS or Android devices for users who do not require assistance

Level of end-user interaction
High. Users must download the app, initiate the registration process, and respond to registration prompts.

Prerequisites
• Configuring the Server Name Lookup preference (under Settings > Preferences in Admin Portal) makes registration easier by automatically filling in the server address for the user (Android/US only). This feature depends on access to the MobileIron Gateway; therefore, the corresponding port must be properly configured. See the Pre-Deployment Checklist in the Installation Guide for details. This feature also depends on the presence of the mobile number on the SIM.
• The user associated with the device must be known as an LDAP user or defined as a local user.
• The User Portal role must be assigned to the user.

See
In-app registration for iOS and Android on page 88


Users register additional devices

Once a device has been registered, an authorized user can use MyPhone@Work to register additional devices without administrative help.

Best for
• adding devices for users who do not require assistance

Level of end-user interaction
High. The user initiates the registration process, enters registration information, and responds to registration prompts on the device.

Prerequisites
• Users must have the User Portal role assigned, with the MyPhone@Work Registration option enabled.
• The user needs to know the following information for the device:
  - phone number (if any)
  - country
  - platform

See
MyPhone@Work User Guide

Admin registers ActiveSync devices

If you have a MobileIron Sentry configured, then you can see the devices that are connecting to your ActiveSync server. To incorporate these devices into your VSP inventory, you can use the Register button in the ActiveSync Associations screen.

Best for
• devices accessing email via ActiveSync

Level of end-user interaction
Medium. Users must respond to installation prompts on the device.

Prerequisites
• MobileIron Sentry must be installed and configured.
• The user (local or LDAP) associated with the device must be available for selection at the time of registration.
• For iOS, WP8, and Android, the User Portal role must be assigned to the user.
• You need to know the following information for the device:
  - phone number (if any)
  - country code
  - platform

See
ActiveSync device registration on page 89


Registration considerations by OS

Before you begin registering devices, you should be aware of OS-specific features and dependencies.

iOS
• iOS registration currently depends on acquiring the MobileIron Client from the iTunes App Store. Therefore, an iTunes account is required. You do not need a credit card in order to establish an iTunes account; just start downloading the MobileIron app to a PC or Mac, click Create New Account, and select None as your payment method.
• If you have configured a MobileIron Sentry to support iOS devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
• By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone 8) on page 94 for information on specifying behavior for this feature.
• For MDM-enabled iOS devices, MDM features are not dependent on the MobileIron Client after registration. Therefore, if a user uninstalls the MobileIron Client, features like app inventory will continue to function.
• If you need to register many iOS devices on behalf of users, as when iPhones are purchased by the corporation and rolled out in bulk, depot-style registration may be preferable. See Web-based Registration for iOS and OS X Devices on page 683.

Android
• Android registration currently depends on acquiring the MobileIron Client from Google Play (formerly Android Market).
• For devices that cannot access Google Play, provide another way for the device users to get the Mobile@Work for Android app. For example, email the app to the device users. You can also place the app on a website and provide the URL to the device users.
• On some devices, several features require a third-party add-in called NitroDesk's TouchDown. This add-in needs to be installed prior to installation of the MobileIron Client.
• Configuring the Server Name Lookup preference (in Admin Portal under Settings > Preferences) makes registration easier by automatically filling in the server address for the user (US only). Note that the administrator must initiate registration or invite the user to register.
• If you have configured a MobileIron Sentry to support Android devices connecting via ActiveSync, then you can initiate registration from the ActiveSync Devices screen.
• By default, the user is required to enter a password to register the device. If you prefer, you can change this behavior to require a MobileIron-generated Registration PIN instead, or to require both a password and a Registration PIN. See Configuring user authentication requirements for registration (iOS, Android, Windows Phone 8) on page 94 for information on specifying behavior for this feature.

Windows Phone 7, Windows RT, and Windows 8 Pro
• There is no MobileIron Client software provided for Windows Phone 7, Windows RT, and Windows 8 Pro devices.
• MobileIron Sentry is required for the available device management features.
Note: These devices do not have device management features. However, these devices can sync using Exchange ActiveSync and be managed using ActiveSync policies.

Windows Phone 8
• Single device registration, bulk registration, and invitations to register are supported for Windows Phone 8 (WP8) devices.
• Registration of the WP8 device is done through the WP8 native client. The Mobile@Work app is installed as part of the registration process.
• The User Portal role is required for WP8 device registration whether PIN-based registration is required or not.
• If PIN registration is enabled on the VSP (in the Admin Portal, Settings > Preferences), the device user must first verify the PIN before registering the device.
• The device user is required to enter a username (Email) and password to register the WP8 device even when PIN registration is enabled.


Registration by administrator: individual devices

See Overview of registration methods on page 72 for points to consider before using this registration method.
To register a single device:
1. In Admin Portal, select Users & Devices > Devices.
2. Click +Add > Single Device.
3. Use the following guidelines to complete the registration information.

User
    Enter user information to locate the user account. For example, you might enter the user ID, first name, last name, or email address. Select the user you want to work with from the dropdown list of matching accounts.

This device has no phone number.
    If you do not have a cellular operator for the device or a data plan with your current operator, select This device has no number.
    Why: The MobileIron VSP will communicate with the MobileIron Client that will be installed on the phone. For devices that have cellular services, cellular is used. For devices that do not have cellular service, such as iPods and PDAs, WiFi can be used.

Device Platform
    Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled. See Specifying eligible platforms for registration on page 93.
    Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.

Country
    Select one of the supported countries from the dropdown list. Selecting the correct country populates the Country Code field. If the country you need is not displayed, you may need to alter the default country list. Select Settings > Preferences.

Mobile
    Enter the phone number for the device. Your selection from the Country list will populate the Country Code field. Enter the prefix and number without spaces, dashes, leading zeros, or parentheses. For example, you would enter a typical US phone number as 4085555555. You would enter a typical UK phone number as 7889524526.
    Why: This is the number that MobileIron will use as the target for the registration SMS message.

Operator
    Select the name of the mobile service operator for this phone. If you selected a country having a country code other than 1, then this field is hidden.
    Why: The name of the operator is required for proper transmission of SMS messages used for communication between the MobileIron VSP and the device. For devices having a country code other than 1, the operator is automatically identified and need not be specified.
    Note: You can determine whether an operator is displayed in the list by selecting Operators under the Settings tab in the Admin Portal.

Device Owner
    Select Company if this phone is owned by the enterprise. Select Employee if this phone is owned by the user. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 130 for information on labels.
    Why: Administrators may want to assign different policies to phones based on ownership.

Device Language
    To communicate with the device user in a language other than the default language, select a language from the dropdown list. Languages must first be enabled under Settings > Preferences. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.

Email User
    Clear this check box if you do not want the user to receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then clear this option. Select this option if the device is in the owner's possession.
    Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.

4. Click Register.
After a brief pause, a popup displays listing instructions for the next step. The content of this popup varies based on the OS and type of the device. Consider leaving this message displayed until the registration has been completed. Also note that the instructions also appear in the log.

What the user sees

For most OSes, this registration method results in user notification by SMS and email. PDA users are notified by email. The SMS contains a live URL link. The email includes a URL, instructions, and the information the user will need to enter during registration. The user can click the live URL in the SMS or enter the URL directly into the device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.
If the user does not respond within 24 hours, MobileIron sends a reminder. After 120 hours, the registration expires. This expiration interval is configurable (Settings > Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).
For BES 4.x devices deployed via BES, the user does not receive the SMS or email and does not enter any input.


Registration by administrator: multiple devices (bulk registration)

Bulk registration can be performed using a CSV file. When you import the registration CSV file, MobileIron completes the following tasks:
• Creates specified local user accounts, if they do not already exist.
• Finds specified LDAP user accounts.
• Initiates the registration process.
See Overview of registration methods on page 72 for points to consider before using this registration method.

Contents of the CSV

Each line in the file must contain the following fields, separated by tabs or commas, in the following order:

User ID
    Specifies the user ID for either an existing local user, a local user to be created, or an LDAP user that can be looked up as an LDAP user on the configured LDAP server. Spaces are not supported for local users.
    Example: jdoe

Country Code
    Specifies the country code corresponding to the phone number. For PDAs, such as the iPod touch, enter 0 in this field.

Number
    Specifies the phone number. For PDAs, such as the iPod touch, enter PDA.
    Example: 4085551212

Operator
    Specifies the service provider name. This field is not required for PDAs, such as the iPod touch, or for countries having a country code other than 1. See Settings > Operators for a list. If the operator does not appear in this list, contact MobileIron Technical Support.
    Example: Sprint

OS
    Specifies a character indicating the operating system. Use the following characters:
    I: iOS
    A: Android
    M: WP8
    Windows Phone 7 devices are not supported for bulk registration. Entries are case sensitive. If the specified platform has been disabled for registration, then the registration will fail. See Specifying eligible platforms for registration on page 93.

E/C
    Specifies phone ownership. Use the following characters:
    C: Company
    E: Employee

Source
    Specifies the identity source of the user name. Use the following characters:
    L: Local
    D: Directory (LDAP)
    Entries are case sensitive.

First Name
    If the Source field contains L, provide the user's first name.
    Example: John

Last Name
    If the Source field contains L, provide the user's last name.
    Example: Doe

Email
    If the Source field contains L, provide the user's email address.
    Example: jdoe@mycompany.com

Password
    Specifies the password to set for a new local user account. If you do not intend to use this field or the user is an LDAP user, then you can leave it blank.
    Example: p@$sW0rd

Device Language
    Specifies the language to use for communicating with the device user if the device has not reported its locale. Supported values:
    en-US: English
    ja-JP: Japanese
    ko-KR: Korean
    fr-FR: French
    de-DE: German
    zh-CN: Chinese
    zh-TW: Traditional Chinese
    es-ES: Spanish
    pt-BR: Portuguese (Brazil)
    This field is optional.
    Example: ja-JP

User Display Name
    Specifies an alternate name used to identify the device user. If you leave this field blank, then the display name will have the following format:
    Firstname Lastname
    This field is optional.
    Example: Smith, Ken

Notify User
    Specifies whether the user should receive email concerning registration status. For example, if you are in possession of the phone, and notifying the user about registration activities is not necessary, then set this option to FALSE. Specify TRUE if the device is in the owner's possession.
    Why: Users may be confused if they begin receiving notifications about the phone if it is not in their possession.

Multiple devices registration sample file

You can click the Sample CSV File button in the Adding Multiple Devices screen to download a sample file to use as a starting point.


Guidelines for multiple devices bulk registration content

Note the following requirements when entering your bulk registration content:
• Local user IDs cannot contain spaces. Spaces are allowed for LDAP users.
• The Platform field is case sensitive. Enter only uppercase letters in this field.
• Phone numbers cannot contain spaces or non-numeric characters.
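Because the import rejects a row only after the file has been uploaded and applied, it is worth checking the CSV offline first. The following Python script is an added example (not MobileIron's code or its sample file): it encodes the field order from the Contents of the CSV table and the rules from the guidelines above; the column names and the sample rows are constructed for illustration.

```python
"""Offline pre-checks for a bulk-registration CSV.

Added example, not MobileIron's own code or sample file: it encodes the
field order and content rules from the "Contents of the CSV" table and the
guidelines that follow it. Column names and sample rows are constructed.
"""
import csv
import io

# Positional field order from the table; the file has no header row.
FIELDS = [
    "user_id", "country_code", "number", "operator", "os", "ownership",
    "source", "first_name", "last_name", "email", "password",
    "device_language", "display_name", "notify_user",
]
REQUIRED_COUNT = 7  # user_id through source must always be present
OS_CODES = {"I": "iOS", "A": "Android", "M": "WP8"}
OWNERSHIP_CODES = {"C": "Company", "E": "Employee"}
SOURCE_CODES = {"L": "Local", "D": "Directory (LDAP)"}
LANGUAGES = {"en-US", "ja-JP", "ko-KR", "fr-FR", "de-DE",
             "zh-CN", "zh-TW", "es-ES", "pt-BR"}


def split_line(line):
    """Split one line on tabs or commas, as the import accepts either."""
    delimiter = "\t" if "\t" in line else ","
    return next(csv.reader(io.StringIO(line), delimiter=delimiter))


def check_code(value, codes, label, problems):
    """Flag a one-letter code that is wrong, or right but in the wrong case."""
    if value in codes:
        return
    if value.upper() in codes:
        problems.append(f"{label} '{value}' is case sensitive; use '{value.upper()}'")
    else:
        problems.append(f"{label} '{value}' must be one of {sorted(codes)}")


def validate_row(fields):
    """Return the problems found in one row; an empty list means it is acceptable."""
    if len(fields) < REQUIRED_COUNT:
        return [f"expected at least {REQUIRED_COUNT} fields, got {len(fields)}"]
    row = dict(zip(FIELDS, fields + [""] * (len(FIELDS) - len(fields))))
    problems = []

    # PDAs (e.g. iPod touch) are marked with country code 0 and number PDA.
    is_pda = row["number"] == "PDA" or row["country_code"] == "0"
    if is_pda and not (row["number"] == "PDA" and row["country_code"] == "0"):
        problems.append("PDAs need country code 0 and number PDA together")
    if not is_pda:
        if not row["country_code"].isdigit():
            problems.append("country code must be numeric")
        if not row["number"].isdigit():
            problems.append("phone number may contain digits only")
        elif row["number"].startswith("0"):
            problems.append("phone number must not have a leading zero")
        # Operator is needed only for country code 1; elsewhere it is derived.
        if row["country_code"] == "1" and not row["operator"]:
            problems.append("operator is required for country code 1")

    check_code(row["os"], OS_CODES, "OS", problems)
    check_code(row["ownership"], OWNERSHIP_CODES, "E/C", problems)
    check_code(row["source"], SOURCE_CODES, "Source", problems)

    if row["source"] == "L":
        if " " in row["user_id"]:
            problems.append("local user IDs cannot contain spaces")
        for name in ("first_name", "last_name", "email"):
            if not row[name]:
                problems.append(f"{name} is required when Source is L")
        if row["email"] and "@" not in row["email"]:
            problems.append("email address is not well formed")

    if row["device_language"] and row["device_language"] not in LANGUAGES:
        problems.append(f"unsupported device language '{row['device_language']}'")
    if row["notify_user"] and row["notify_user"] not in ("TRUE", "FALSE"):
        problems.append("Notify User must be TRUE or FALSE")
    return problems


def validate_file(text):
    """Map 1-based line numbers to their problems, skipping blank lines."""
    return {n: validate_row(split_line(line))
            for n, line in enumerate(text.splitlines(), start=1)
            if line.strip()}


# Constructed rows: two valid, one with several mistakes, one with a
# leading zero in a UK number (the guide enters it as 7889524526).
SAMPLE_CSV = """jdoe,1,4085551212,Sprint,I,C,L,John,Doe,jdoe@mycompany.com,p@$sW0rd,en-US,,TRUE
asmith,0,PDA,,A,E,D,,,,,,,FALSE
bad user,1,4085551213,Sprint,a,C,L,,,,,,,
kjones,44,07889524526,,M,E,D,,,,,,,
"""

if __name__ == "__main__":
    for lineno, problems in validate_file(SAMPLE_CSV).items():
        print(f"line {lineno}: {'; '.join(problems) or 'OK'}")
```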

Loading the multiple devices registration CSV

To load the bulk file:
1. Go to Users & Devices > Devices.
2. Click +Add > Multiple Devices.
3. Click the Browse button to select the CSV file containing the bulk registration data.
4. Click Import File.
5. Click Apply.
6. Review the Status column to confirm that each entry was successfully imported.
7. If any items failed, scroll to the right and hover over the Message column to display information about the reason the item was not applied successfully.

What the user sees

For most OSes, this registration method results in user notification by SMS and email. PDA users are notified by email. The SMS contains a live URL link. The email includes a URL, instructions, and the information the user will need to enter during registration. The user can click the live URL in the SMS or enter the URL directly into the device browser to complete the registration process. See the MobileIron end-user document for the specific OS for details on the input expected from the user.
If the user does not respond within 24 hours, MobileIron sends a reminder. After 120 hours, the registration expires. This expiration interval is configurable (Settings > Preferences > Passcode Expiry). The maximum value is 4320 hours (6 months).
For BES 4.x devices deployed via BES, the user does not receive the SMS or email and does not enter any input.


Invite users to register

Administrators can invite users to perform self-service registration through MyPhone@Work. (See The User Portal: MyPhone@Work on page 799 for information on this self-service user portal.) The administrator sends invitations that provide the instructions necessary to complete the registration process.
Note: Language-specific templates are not currently available for invitations.
See Overview of registration methods on page 72 for points to consider before using this registration method.
To send invitations:
1. Click the Users link in the Users & Devices page.
2. Select the type of user accounts you want to work with:
   • Select Authorized Users from the To dropdown list to select from local user accounts.
   • Select LDAP Entities from the To dropdown list to select users from the configured LDAP server.
3. Click the checkbox next to each user you want to invite.
4. Click the Send Invitation button.
5. Review the default text for the invitation and make any changes. The text is displayed here with HTML markup. The user will receive the formatted version.
6. Click Send.


What the user sees

This registration method results in user notification via email. The email contains instructions for registering devices via the MyPhone@Work user portal. See The User Portal: MyPhone@Work on page 799 for information on what the user is expected to do to complete the registration process.


In-app registration for iOS and Android

You can ask iOS and Android users to download the MobileIron app from the iOS App Store or Google Play (formerly Android Market) and register by themselves. To prepare for this option, complete the following steps:
1. Make sure that the user has a user record (local or LDAP) available in MobileIron. See Managing Users on page 49.
2. Instruct the user on downloading the app and registering. The user will need the following information:
   • user name
   • password and/or Registration PIN
   • server (and the port number, if you did not use the default port number for TLS)
See Overview of registration methods on page 72 for points to consider before using this registration method.

What the user sees

See the MyPhone@Work for iOS or MyPhone@Work for Android document for information on the registration process from the user's point of view.

Auto-populating the server name (Android)

Users are prompted to enter the MobileIron server name during registration. For US phones that have phone numbers, you can configure a setting to attempt to fill in this field automatically:
1. In the Admin Portal, select the Preferences link in the Settings page.
2. Select Yes for the Enable Server Name Lookup option under iOS/Android In-App Registration Preferences.
   Note: Because this feature relies on a mobile number, it does not apply to iPads using WiFi.
3. Click Save.
The MobileIron Gateway must be accessible for server name lookup. See the Pre-Deployment Checklist in the Installation Guide for information on the requirements for MobileIron Gateway access. The mobile number must also be present on the SIM in order for the Enable Server Name Lookup option to work.


ActiveSync device registration

The ActiveSync Devices view displays the devices that are accessing ActiveSync. This view is populated only if you have a MobileIron Sentry configured. From this view, you can decide to register selected devices.
See Overview of registration methods on page 72 for points to consider before using this registration method.
To register an ActiveSync phone with MobileIron:
1. Select the ActiveSync Associations link under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be registered.
3. Click the Register button.
4. See Registration by administrator: individual devices on page 79 for instructions on completing the registration process.


Tracking registration status

The Users & Devices page displays the state for each device:
• Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
• Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
• Active means that the MobileIron Client has been successfully downloaded and connected back to the MobileIron VSP at least once.
• Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
• Infected means that the MobileIron VSP detected a virus attached to a document on the device and attempted to remove the virus.
• Wiped means that the phone has been restored to factory defaults.
Note: If a BES-managed device does not change from the Verified state to the Active state, consider resending the provision message.


Managing operators and countries

MobileIron provides a default list of operators for users to select from during registration. You can enable or disable operators to determine whether they appear in the list of operators displayed during registration of US devices and other devices having a country code of 1.
For non-US devices, country selection is an important part of the registration process. MobileIron also provides a default list of countries enabled for registration purposes. You may need to adjust this list to enable additional countries.
This section explains how to customize displayed operators and countries.

Enabling operators

Enabling an operator displays it in the list of operators presented to users during registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the Operators screen. By default, the Operators screen shows only Enabled operators.
2. Select Disabled or All from the Status dropdown.
3. Click the checkbox next to each operator you want to enable.
4. Click Enable.

Enabling additional countries for registration

A subset of countries is enabled for device registration by default. You should check this list and determine if any of your users have home countries not represented in the default list. Complete the following steps to enable additional countries:
1. In Admin Portal, go to Settings > Preferences > Registration Preferences.
2. Select countries from the Disabled Countries list.
3. Click the arrow button to move them to the Enabled Countries list.
4. Click Save.

Disabling operators

Disabling an operator removes it from the list of operators presented to users during registration.
1. In the Admin Portal, select the Operators link under the Settings tab to display the Operators screen. By default, the Operators screen shows only Enabled operators.
2. Click the checkbox next to each operator you want to disable.
3. Click Disable.


Filtering operators

You can use filters to display only those operators you want to work with in the Operators screen. You can:
• Search for a specific operator
• Display operators by country
• Display operators by status

Searching for an operator
To search for a specific operator:
1. Enter a portion of the operator's name in the Search by Name field.
2. Click the search icon to display the matching operators.
3. Click the x that appears in the search field to return to the default display.

Displaying operators by country
To narrow the list of operators by country, select a country from the Country dropdown list.

Displaying operators by status
To display operators by status, select from the Status dropdown list. The following options are available:
• Enabled
• Disabled
• All


Specifying eligible platforms for registration

In some cases, you may want to exclude all devices of a particular platform from registration. For example, if corporate policy dictates that a particular device platform will not be supported, you may want to prevent users from selecting the platform during self registration. Likewise, you may want to prevent helpdesk personnel from mistakenly registering the unsupported platform in the Admin Portal.
To exclude a device platform from registration:
1. In Admin Portal, select Settings > Preferences.
2. Scroll to the Registration Preferences section.
3. In the Enabled Platforms list, select the platform you want to exclude. Shift-click platforms to select more than one.
4. Click the left arrow button to move the selected platforms to the Disabled Platforms list.
5. Click Save.
All methods of registration now exclude the selected platforms.


Configuring user authentication requirements for registration (iOS, Android, Windows Phone 8)

By default, iOS, Android, and Windows Phone 8 users must enter a password to register a device. You have the option to require a MobileIron-generated Registration PIN in place of or in addition to the password.
To change user authentication requirements:
1. In Admin Portal, select Settings > Preferences.
2. Scroll down to the iOS/Android/Windows Phone 8 Preferences.
3. Select the type of authentication for registration.
4. Scroll down to the Registration PIN code Preferences and specify the minimum length for the PIN (6-12 characters).
5. Click Save.

Limit for failed attempts to enter a registration password

After the sixth failed attempt to enter a registration password, the VSP locks the device user's account for 30 seconds. The device user sees a message stating that the account is locked and will be released after the specified interval.

PIN-based authentication for WP8 devices

If PIN registration is enabled on the VSP (in the Admin Portal, Settings > Preferences), the registration email that the WP8 device user receives contains the PIN and a URL with instructions for verifying the PIN. At this point, the device Status in the All Devices page shows as Pending.
The device user must verify the PIN before completing the registration process on the WP8 device. If the PIN is not verified before continuing the registration process on the device, the device registration fails. After the PIN is verified, the device Status in the All Devices page shows as Verified.
Once the PIN is verified, the device user is ready to complete the registration on the device. See Getting started with Windows Phone 8 for instructions on how to register the WP8 device. After registration on the device is completed, the device Status in the All Devices page shows as Active.
Note the following:
• Username and password are always required for WP8 device registration.
• The User Portal role is required for WP8 device registration whether PIN-based registration is enabled or not.
• When a WP8 device is in Verified state, the device user can successfully register another device using the same username.


If the PIN expires for WP8 devices

By default, the PIN is set to expire in 120 hours. If the PIN expires before the WP8 device user verifies the PIN, you must first retire the device, then click Register Device in the Users and Devices page in the Admin Portal and register the device. This generates a new PIN.
Re-provisioning is not supported for WP8 devices.


Customizing registration messages

The registration process is a critical part of deployment. You can customize the messages involved in this process by editing the registration templates. Registration templates enable you to specify content and basic formatting using HTML markup.
MobileIron sends multiple messages related to registration:
• registration SMS
• registration email and reminder email
• post registration email
These messages may vary by:
• platform
• language
In addition, messages may vary by device type:
• phones
• PDAs
To accommodate this range of messages:
• Separate registration templates are provided for each language/platform combination.
• Each registration template contains separate text for each registration message type.
• Each registration template contains separate text for phones and PDAs.

Displaying registration templates

To display MobileIron message templates:
1. In Admin Portal, select Settings > Templates.
2. Select Registration Templates.
3. Click the View link for the template you want to view.

Editing registration messages

To edit registration messages:
1. In Admin Portal, select Settings > Templates > Registration Templates.
2. Click the Edit icon for the template you want to edit. Registration messages are displayed with the HTML markup that provides the basic formatting for the content.
3. Make changes to the displayed registration messages. Note that you can click the Variables Supported link to display a guide to the supported variables. See Using variables in registration messages on page 97 for additional details.
4. Click Save.

Using variables in registration messages

Each field in a registration template has a set of supported variables, most of which are required. Supported and required variables also differ by OS. Use the following tables to guide your customization. You can also click the Variables Supported link to display this information. All variables except $BRAND_COMPANY_NAME$ are required in the field in which they are listed.
iOS/Android Field

Supported Variables

Registration SMS (Phones)

$REG_LINK$

Registration Email
Subject (Phones)

$ENT_NAME$, $USER$, $PHONE$

Subject (PDAs)

$ENT_NAME$, $USER$, $PHONE$

Body (Phones)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK

Body (PDAs)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$

Reminder Subject (Phones)

$ENT_NAME$, $USER$, $PHONE$

Reminder Subject (PDAs)

$ENT_NAME$, $USER$, $PHONE$

Reminder Body (Phones)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$

Reminder Body (PDAs)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $INAPP_REG_STEPS$, $REG_LINK$

$INAPP_REG_STEPS$
Server

$SERVER_URL$

Username

$USER_ID$

Password

$PASSCODE$, $PASSCODE_TTL$

Post Registration Email


Subject (Phones)

$BRAND_COMPANY_NAME$, $USER$, $PHONE$

Subject (PDAs)

$BRAND_COMPANY_NAME$, $USER$, $PHONE$

Body (Phones)

$BRAND_COMPANY_NAME$, $PHONE$

Body (PDAs)

$BRAND_COMPANY_NAME$, $PHONE$

Field (Other OSes)

Supported Variables

Registration SMS (Phones)

$REG_LINK$

Registration Email
Subject (Phones)

$ENT_NAME$, $USER$, $PHONE$

Company Confidential
97

Registering Devices

Subject (PDAs)

$ENT_NAME$, $USER$, $PHONE$

Body (Phones)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$, $PASSCODE$, $PASSCODE_TTL$,
$REG_LINK$

Body (PDAs)

$PASSCODE$, $PASSCODE_TTL$, $REG_LINK$

Reminder Subject (Phones)

$ENT_NAME$, $USER$, $PHONE$

Reminder Subject (PDAs)

$ENT_NAME$, $USER$, $PHONE$

Reminder Body (Phones)

$ENT_NAME$, $BRAND_COMPANY_NAME$,
$PHONE$,$PASSCODE$, $PASSCODE_TTL$,
$REG_LINK$

Reminder Body (PDAs)

$PASSCODE$, $PASSCODE_TTL$, $REG_LINK$

Post Registration Email


Subject (Phones)

$BRAND_COMPANY_NAME$, $USER$, $PHONE$

Subject (PDAs)

$BRAND_COMPANY_NAME$, $USER$,
$PHONE%

Body (Phones)

$BRAND_COMPANY_NAME$, $PHONE$

Body (PDAs)

$BRAND_COMPANY_NAME$, $PHONE$

Variable descriptions
The following table describes the variables used in registration messages.
Variable

Description

$BRAND_COMPANY_NAME$

An internal variable.

$ENT_NAME$

The name of the organization using the VSP to


secure the device. See Settings > Preferences
> Enterprise Name.

$INAPP_REG_STEPS$

Combines $SERVER_URL$, the users LDAP


password, $PASSCODE$, and $USER_ID$.

$PASSCODE$

The registration PIN generated for the device by


the VSP.

$PASSCODE_TTL$

The number of hours that the registration PIN


remains valid. See Settings > Preferences >
Passcode Expiry.

$PHONE$

The phone number associated with the device.

$REG_LINK$

The URL that users access to complete the registration process (i.e., https://server
name:port/i for iOS, https://server name:port/
a/ for Android, and https://server name:port/v/
passcode for others).

$SERVER_URL$

The VSP server address used for iOS/Android


registration.

Company Confidential
98

Registering Devices

Variable

Description

$USER$

The name of the user associated with the


device, as displayed in the VSP.

$USER_ID$

The user ID for the user associated with the


device, as defined in the user account on the
VSP.
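The following added example (not MobileIron code) checks a customized template against the supported and required variable sets listed above and then renders it, expanding the nested $INAPP_REG_STEPS$ first; the template wording, the enterprise name, host name and PIN are constructed placeholders, and only a subset of the fields is encoded.

```python
import re

# $NAME$ placeholder syntax used by MobileIron registration templates
VAR_RE = re.compile(r"\$([A-Z_]+)\$")

# Supported variables per (platform group, field), copied from the tables
# above; only a subset of the fields is listed here.
SUPPORTED = {
    ("ios_android", "Registration SMS"): {"REG_LINK"},
    ("ios_android", "Registration Email Subject"): {"ENT_NAME", "USER", "PHONE"},
    ("ios_android", "Registration Email Body"): {
        "ENT_NAME", "BRAND_COMPANY_NAME", "PHONE", "INAPP_REG_STEPS", "REG_LINK"},
    ("ios_android", "Post Registration Email Body"): {"BRAND_COMPANY_NAME", "PHONE"},
    ("other", "Registration Email Body"): {
        "ENT_NAME", "BRAND_COMPANY_NAME", "PHONE", "PASSCODE", "PASSCODE_TTL", "REG_LINK"},
}
# Every supported variable is required in its field, except this one.
OPTIONAL = {"BRAND_COMPANY_NAME"}

# Constructed template text for the iOS/Android "Body (Phones)" field.
REGISTRATION_BODY = (
    "<p>$ENT_NAME$ has registered the device $PHONE$ for you.</p>"
    "<p>Enter these settings in the MobileIron app:</p><pre>$INAPP_REG_STEPS$</pre>"
    "<p>Or open $REG_LINK$ on the device.</p>"
)

# Constructed sample values; host name, link and PIN are placeholders.
SAMPLE_VALUES = {
    "ENT_NAME": "Example Corp",
    "PHONE": "+1 555 0100",
    "REG_LINK": "https://vsp.example.com/i",
    "SERVER_URL": "vsp.example.com",
    "USER_ID": "jdoe",
    "PASSCODE": "123456",
    "PASSCODE_TTL": 4,
}


def extract_variables(text):
    """Return the set of well-formed $NAME$ placeholders in a template."""
    return set(VAR_RE.findall(text))


def check_template(platform, field, text):
    """Compare a template against the supported set for its field.
    'missing' lists required variables that are absent, 'unsupported' lists
    placeholders the field does not accept; both empty means the template is valid."""
    supported = SUPPORTED[(platform, field)]
    present = extract_variables(text)
    return {
        "missing": sorted((supported - OPTIONAL) - present),
        "unsupported": sorted(present - supported),
    }


def render(text, values):
    """Substitute placeholders. A placeholder without a value raises KeyError.
    A malformed one such as $REG_LINK (closing $ missing) is not matched by
    VAR_RE, so it survives substitution and is reported as ValueError."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(name)
        return str(values[name])
    out = VAR_RE.sub(substitute, text)
    leftover = re.search(r"\$[A-Z_]+", out)
    if leftover:
        raise ValueError("malformed placeholder: " + leftover.group(0))
    return out


def render_inapp_steps(values):
    """$INAPP_REG_STEPS$ is itself built from the Server, Username and
    Password sub-fields (see the table above); the wording is constructed."""
    steps = ("Server: $SERVER_URL$\n"
             "Username: $USER_ID$\n"
             "Password: your LDAP password\n"
             "Registration PIN: $PASSCODE$ (valid for $PASSCODE_TTL$ hours)")
    return render(steps, values)


def render_registration_email(values):
    """Validate REGISTRATION_BODY for its field, then render it with the
    nested $INAPP_REG_STEPS$ expanded first."""
    report = check_template("ios_android", "Registration Email Body", REGISTRATION_BODY)
    if report["missing"] or report["unsupported"]:
        raise ValueError("template rejected: %r" % report)
    values = dict(values, INAPP_REG_STEPS=render_inapp_steps(values))
    return render(REGISTRATION_BODY, values)
```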

Filtering registration messages

In the Registration Templates page, you can filter registration messages by:
language
platform
To filter registration messages:
1. If you want to restrict the templates displayed based on language, select the preferred language from the Language list.
2. If you want to restrict the templates displayed based on device platform, select the preferred platform from the Platform list.

Restoring registration messages to default content

To restore a registration message to the default content provided by MobileIron:
1. In the Registration Templates page, select the template you want to restore.
2. Click Restore to Factory Default.

Registration notes
iOS profile fails to install
Removing old MobileIron profiles on iOS devices
During testing or in the event that the registration process is interrupted, you may have expired profiles left on your iOS device. These profiles may interfere with your efforts to complete the registration process. To address this issue, you should remove the MobileIron profiles left on the device.
To remove MobileIron profiles from an iOS device:
1. Tap the Settings icon on the device.
2. Tap General.
3. Scroll down to the Profiles section.
4. Tap Profiles.
5. Select the profile.
6. Tap the Remove button.

Chapter 4

Managing Devices

Overview of managing devices and users

Most of the day-to-day tasks necessary for managing enterprise devices and their users fall into the following basic categories:
Inventory management
Theft/loss protection
Basic maintenance
The Users & Devices page in the Admin Portal provides access to these features.

Users & Devices page

The Users & Devices page enables you to manage your enterprise devices.
Use the Users & Devices page to:
Register/enroll a new device and associate it with a user
Register/enroll devices in bulk mode
Display a list of registered devices
View and manage devices connected through ActiveSync
Apply labels in order to group devices
Create and remove labels
Locate, Lock, Wipe or perform other administrative actions on a device

Required role
Users must have the Users & Devices role to access the Users & Devices page. See Assigning and removing roles on page 57.

Displaying device assets

Click the Devices link to display the devices being managed by MobileIron.
The following information is displayed for each phone:
Column: Description
User: Displays the full name of the user registered with this phone.
Number: Displays the phone number.
Phone: Displays the make and model of the phone. If you have MDM for iOS enabled and the View MDM Alerts option selected under Settings > Preferences > MDM Preferences, then entries for iOS devices that need attention will include alert icons. See Alerts displayed in the Devices page on page 105 for information on alerts and what they mean.
OS: Displays the operating system running on the phone as reported by the MobileIron Client running on the phone.
Country: Displays the home country for the phone.
Status: Displays the state for each device:
  Pending means that the user's device has been registered on the MobileIron Server, but the MobileIron Client download has not yet been completed.
  Verified means that the user has confirmed that the download of the MobileIron Client should proceed.
  Active means that the MobileIron Client has been successfully downloaded and connected back to the MobileIron VSP at least once.
  Lost means that this phone has been manually marked as Lost. This status does not affect other functionality.
  Infected means that the MobileIron VSP detected a virus attached to a document on the device and attempted to remove the virus.
  Wiped means that the phone has been restored to factory defaults.
Last Check-In: Displays the elapsed time since the device was able to update profiles and app settings from the MobileIron VSP.
E/C: Indicates whether the phone has been registered as employee owned (E) or company owned (C).
Operator: Displays the name of the service provider specified when the phone was registered with MobileIron.
Language: Displays the language currently used for messages sent to the device. If the device reports a locale, then the language associated with that account is used. If the device has not reported a locale, then the default language is used, or you can set a specific language by selecting More Actions > Change Language.

Alerts displayed in the Devices page

The following table describes the alerts that may be displayed in the All Devices page (Phone column) for devices. Each alert has an icon, an alert name, a description, and a recommended action.

Alert: Data Protection Disabled (iOS only) / MobileIron iOS Multitasking is Disabled
Description: Data Protection: one of the following MDM-mandated security requirements is not being met: the passcode is not set, or encryption is not fully enabled. Multitasking: the MobileIron multitasking feature for iOS is not enabled, most likely because Location Services has not been enabled on the device.
Action: Display the tooltip for the alert icon. For tooltip Passcode Required, inform the user that MDM mandates setting a passcode on the device. For tooltip Restore Required, inform the user that the device must undergo a complete restore after upgrade from iOS 3.x to fully enable encryption features. For tooltip MobileIron iOS Multitasking is Disabled, confirm that Location Services is enabled on the device. For iOS 4.2, go to Settings > General > Location Services. For iOS 4.3 and higher, go to Settings > Location Services.

Alert: Unlocked Device (iOS and Android only)
Description: The OS has been compromised. On iOS devices, Mobile@Work prevents the user from accessing Docs@Work features. See Jailbreak impact on documents on page 473.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Devices page. Inform the user that the device must be restored.

Alert: App Control Violation
Description: An app control rule has been violated.
Action: Select the device entry and view the Device Details pane to display specific information on the violation. See App control alerts on page 438.

Alert: Quarantined (iOS only)
Description: Configurations have been removed from the device due to a security violation.
Action: See Viewing quarantine information on page 162.

Alert: Device Administrator Not Activated (Android) / MDM Profile Removed (iOS)
Description: Device Administrator Not Activated: the device administrator privilege is not activated for the MobileIron app or the Samsung DM Agent. (See Uninstalling the Samsung DM Agent on page 763 for information on this agent.) The device administrator privilege is required for most of the device management features that MobileIron provides. MDM Profile Removed: the MDM profile has been removed from the device. An MDM profile is required for the MobileIron app on iOS to operate with full functionality.
Action: If the device connects to email via ActiveSync, then block it using the Block feature in the ActiveSync Devices page. Inform the user that the privilege must be restored.

Displaying more device and user information

In the Devices page, click the user name for a displayed device record to see additional information about the device it represents. iOS devices have somewhat different details available than other managed devices.

Details displayed for iOS and Android devices

When you select an iOS or Android device in the Devices page, the Device Details pane on the right displays important information about the selected device.
The following device information displays:
user name
user email
phone number
device model and capacity
OS version
operator
image of the device
Click the arrow for a category on the right to display additional details.
The following table summarizes the categories and information available on the right side of the Device Details pane.
Category: Information Available
Policies: Status of policy distribution
App Settings: Status of app settings distribution, e.g., Exchange, VPN, etc.
Label Membership: Labels to which this device has been applied
Apps: Apps installed via MobileIron (Admin Portal or MyPhone@Work)
iOS (only if MDM is enabled): Links to iOS-specific information: Certificate Inventory, Profile Inventory, Provisioning Profile Inventory, MDM Log
Details: Additional details received from the device, including: Build Version, MDM Operational flag, Data Protection Enabled flag (iOS), UDID (iOS)
Comment: Any text added by a MobileIron administrator to record information about this device
For information about details displayed relating to AppConnect for Android, see Device details for AppConnect apps on page 519.

Details displayed for managed devices (Non-iOS/Android)

When you select a non-iOS/Android managed device from the All Devices page, the Device Details pane displays important information about the device.
The following device information displays, if available:
user name
user email
phone number
device model and capacity
OS version
operator
image of the device
RAM used
storage used
MobileIron registration status
elapsed time since last connection to MobileIron
For WP8 devices, the device capacity, RAM, and storage used information is not available. The phone number and the country information are available only if the Admin or the device user provides the information when registering the device on the Admin Portal or on MyPhone@Work (User Portal).
Click the arrow for a category on the right to display additional details.
The following table summarizes the information displayed, when available, for the selected phone.
Category: Information Available
Policies: Status of policy distribution
App Settings: Status of app settings distribution, e.g., Exchange, VPN, etc.
Label Membership: Labels to which this device has been applied
Backup snapshots: Backups of phone data taken using the Take Backup Snapshot action or a backup & restore policy.
Apps: Apps installed on the device
Details: Additional information known about the phone, such as: free media card storage, IMSI, battery life
Comment: Text added to this phone record
For information about details displayed relating to AppConnect for Android, see Device details for AppConnect apps on page 519.

Adding a comment to device details

The Comment pane under Phone Details enables you to include brief text with the device record. To add a comment:
1. Click the Edit button in the Comment pane.
2. Enter the text.
3. Click Save.
The text displays in the Comment pane, followed by the date and time it was created or modified.

Displaying log data for a selected device

To display log data for a selected device in the Users & Devices page:
1. Select the entry for the device of interest.
2. Click the Log button in the Phone Details section on the far right to display the log entries for the selected phone.

Searching for a device record

The Devices page offers basic and advanced searching.

Basic searching
You can quickly search for devices based on the following criteria:
label
iOS MAC Address
iOS Serial Number
iOS UDID
User Principal/ID
User Email Address
User First/Last Name
To search by label, select the appropriate label name from the Labels list.
To search by the other criteria, use the following syntax in the Search by User or Device field:
mac:<iOS MAC Address>
sn:<iOS Serial Number>
udid:<iOS UDID>
uid:<User Principal/ID>
mail:<User Email Address>
name:<User First/Last Name>
For example, if you want to find the devices registered with the email address jdoe@mobileiron.com, you can enter the following:
mail:jdoe@mobileiron.com

Advanced searching
In a large enterprise with hundreds or thousands of devices, you can use the Advanced Search link to display records for all devices that meet specified criteria. You can also assign a label to them for future filtering. The following criteria are available:
PLATFORM_NAME
STATUS
OPERATOR
LDAP_GROUP
LDAP_USER_ATTRIBUTE
DEVICE_OS
DEVICE_MODEL
DEVICE_MANUFACTURER
DEVICE_OWNER
To perform an advanced search:
1. In the Users & Devices page, click Devices.
2. Click the Advanced Search link.
3. Select a field to specify criteria for. For example, you might select STATUS.
4. Click in the All field to select a value for the field. For example, you might select Retired.
5. Select additional fields and criteria as needed.
6. Click the Search button to display the matching devices and their owners.
7. If you want to create a filter label for the specified criteria, select an existing list from the Assign Label to result dropdown, and click Save. See Using labels to establish groups on page 130.
Note: You can search for devices for which the status field value is Blocked, which means that the device is blocked from accessing the ActiveSync server. For iOS devices, it also means that the device cannot access Docs@Work features. However, the Status column does not show the value Blocked. Instead, the ActiveSync Devices view shows this information. See Viewing ActiveSync associations on page 368.
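As an added illustration (not MobileIron's own code), the following Python applies the basic prefix syntax and the advanced-search criteria above to a constructed device inventory, resolving STATUS=Blocked from a constructed ActiveSync view as the note describes; the device identifiers, users and operator are placeholders, and the LDAP_* criteria are left out because they need a directory lookup.

```python
# Basic-search prefixes from the Devices page and the record field each maps to
PREFIX_TO_FIELD = {
    "mac": "mac", "sn": "serial", "udid": "udid",
    "uid": "user_id", "mail": "email", "name": "name",
}
# Advanced-search criteria from the list above (LDAP_* criteria omitted)
CRITERION_TO_FIELD = {
    "PLATFORM_NAME": "platform", "STATUS": "status", "OPERATOR": "operator",
    "DEVICE_OS": "os", "DEVICE_MODEL": "model",
    "DEVICE_MANUFACTURER": "manufacturer", "DEVICE_OWNER": "owner",
}

# Constructed inventory; identifiers, names and operator are placeholders.
DEVICES = [
    {"udid": "UDID-0001", "serial": "SN0001", "mac": "00:11:22:33:44:01",
     "user_id": "jdoe", "email": "jdoe@mobileiron.com", "name": "Jane Doe",
     "platform": "iOS", "status": "Active", "operator": "ExampleNet",
     "os": "6.1", "model": "iPhone 5", "manufacturer": "Apple", "owner": "C",
     "labels": set()},
    {"udid": "UDID-0002", "serial": "SN0002", "mac": "00:11:22:33:44:02",
     "user_id": "asmith", "email": "asmith@mobileiron.com", "name": "Alex Smith",
     "platform": "Android", "status": "Active", "operator": "ExampleNet",
     "os": "4.1", "model": "Galaxy S3", "manufacturer": "Samsung", "owner": "E",
     "labels": set()},
    {"udid": "UDID-0003", "serial": "SN0003", "mac": "00:11:22:33:44:03",
     "user_id": "jdoe", "email": "jdoe@mobileiron.com", "name": "Jane Doe",
     "platform": "Android", "status": "Retired", "operator": "ExampleNet",
     "os": "4.0", "model": "Nexus 4", "manufacturer": "LG", "owner": "C",
     "labels": set()},
]
# Constructed ActiveSync Devices view: UDIDs blocked from the ActiveSync
# server. The device Status column never shows Blocked; this view does.
ACTIVESYNC_BLOCKED = {"UDID-0002"}


def basic_search(devices, query):
    """'prefix:value' syntax of the Search by User or Device field.
    name: matches a first or last name; the other prefixes match exactly."""
    prefix, sep, value = query.partition(":")
    if not sep or prefix not in PREFIX_TO_FIELD:
        raise ValueError("unknown search prefix in %r" % query)
    field, value = PREFIX_TO_FIELD[prefix], value.strip().casefold()
    if field == "name":
        return [d for d in devices
                if value in (part.casefold() for part in d["name"].split())]
    return [d for d in devices if d[field].casefold() == value]


def advanced_search(devices, criteria, blocked=ACTIVESYNC_BLOCKED):
    """Return devices matching every criterion. STATUS=Blocked is answered
    from the ActiveSync view, because a device's own status field never
    holds that value."""
    unknown = set(criteria) - set(CRITERION_TO_FIELD)
    if unknown:
        raise ValueError("unsupported criteria: %s" % sorted(unknown))

    def matches(d):
        for criterion, wanted in criteria.items():
            if criterion == "STATUS" and wanted == "Blocked":
                if d["udid"] not in blocked:
                    return False
            elif d[CRITERION_TO_FIELD[criterion]] != wanted:
                return False
        return True
    return [d for d in devices if matches(d)]


def assign_label(results, label):
    """'Assign Label to result': tag each matching device for later filtering
    and return the UDIDs that were labelled."""
    for d in results:
        d["labels"].add(label)
    return sorted(d["udid"] for d in results)
```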

Using the Users & Devices dashboard

The Users & Devices dashboard provides a snapshot of the devices known to the MobileIron VSP.

Filtering by period of time

You can filter the data displayed in the dashboard by clicking the corresponding button in the upper left corner.

Refreshing dashboard content

Click the Refresh button in the dashboard to display updated data.
Note: Pressing F5 in a dashboard does not necessarily retrieve new data.

Users & Devices dashboard panes

The Users & Devices dashboard contains the following panes:
Pane: Description
Status: Displays a pie chart showing the percentage of phones having each registration status.
Operating System: Displays a pie chart showing the percentage of phones running each supported operating system.
Operator: Displays a pie chart of the service providers reported, including WiFi. An arrow at the bottom of the chart key indicates that there are additional rows in the key. Click the arrow to display the rows.
Platform Breakdown: Displays phones by status and platform.
New Registrations: Displays the latest phones to begin the registration process.
Pending Registration: Displays the phones that have a status of Pending.
Recent Wipes: Displays a list of the users whose phones have been wiped and the user ID that requested each wipe.
Recent Infection Detect: Displays a list of the phones on which infected files have been detected and removed by the MobileIron Server.
Recent Find Request: Displays a list of the users whose phones have been the target of a Locate request in either the Admin Portal or the User Portal.
SIM Card Changes: Lists those phones that have different SIM cards.

Reporting on managed devices

MobileIron provides a Web Services API that enables you to create reports on many aspects of your managed devices. See the MobileIron API documentation for information.

Registration-related features and tasks

The following table summarizes features and tasks related to registration.
Feature: Description (Use Case)
Reprovision Device: Restarts the MobileIron provisioning process for the device (Troubleshooting incomplete registration)
Retire: Ends the registration (and MobileIron management) for a device (Moving devices out of inventory)
This section explains how to use these features.

Reprovision device
Android | iOS | Win 7 | WP8
yes | yes

Select Reprovision Device to restart the MobileIron provisioning process without repeating the whole registration process. For example, you might want to do this if the initial attempt was interrupted, leaving the registration in the Pending state. This feature is not applicable for BES-managed devices.
Note
This action applies only to phones in the Pending or Verified state. To reinstall the MobileIron Client for phones in the Active state, you can either restore from a backup snapshot or retire the phone and re-register it. To reinstall the MobileIron Client for phones in the Wiped state, you must re-register.

To reprovision the device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select Actions > More Actions > Reprovision Device.
   The same registration settings are used.

Retire
Android | iOS | OS X | Win 7 | WP8
yes | yes | yes | yes

Retiring a device archives the data for that phone and removes the configurations and settings applied by the VSP. The entry for the device no longer appears in the Users & Devices page (unless you click the Retired Devices link), and the user is notified that the software has been removed.
If the retired device is also in the ActiveSync Devices view, it remains there. However, because the device is retired, it can no longer access the ActiveSync server. You can manually remove the device from the ActiveSync Devices page. See Removing ActiveSync phones on page 375.
Also note:
Retiring an iOS device also removes from the device the documents and configurations related to Docs@Work. See Retire and wipe impact on documents on page 472.
Retiring an Android device means the device user cannot access any AppConnect apps or data. For details, see Lock, unlock, and retire impact on AppConnect on page 517.
Note
For BES 5.x devices deployed using the BES 5.x server, if you set the BES software configuration to Required, then the Retire function in Admin Portal will not be able to uninstall the MobileIron Client. As a result, the phone will be re-registered. In this case, you must first use the BES Administration Service to either remove the software configuration from the device or deactivate the device.

To retire a device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select Retire from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Retire.
The user receives notification of the action.

Resend provision message

Android | iOS | Win 7 | WP8
No longer supported.

Security-related features and tasks

The following table summarizes the features and tasks related to security.
Feature: Description (Use Case)
Lock: Forces the user to enter a password before accessing the phone (Dealing with lost and stolen devices)
Unlock: Reverses the Lock function (Dealing with lost and stolen devices)
Wipe: Removes content and settings to return the device to factory default settings (Dealing with lost and stolen devices; preparing a device for a different user)
Block AppTunnels: Immediately blocks access to all AppTunnels for all AppConnect apps on a device (Dealing with lost and stolen devices; immediately removing access to servers behind the firewall)
Lost: Flags a device as lost (Dealing with lost and stolen devices)
Found: Flags a device as found (Dealing with lost and stolen devices)
Locate: Reports the last known location for a device (Dealing with lost and stolen devices)
This section explains how to use these features.

Lock
Android | iOS | OS X | Win 7 | WP8
yes | yes | yes

Locking a device forces the user to enter a password to access the phone and prevents the user from reversing this restriction. The user is informed of this action via email. If the user has set a password for the device, then that password must be entered. Locking an Android device also causes the device user to be locked out of AppConnect apps. For details, see Lock, unlock, and retire impact on AppConnect on page 517.
To lock a device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Click the Lock button.
Note
If the MobileIron Client on the selected device is currently connected, then this action will be applied immediately. However, if the MobileIron Client is not currently connected, the MobileIron VSP will first attempt to complete the operation using the Syscomm phone, if one has been configured. If a Syscomm phone has not been configured, then the MobileIron VSP will attempt to complete the operation by means of the operator's SMTP service. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.

To remove the lock, create a new Security policy that specifies that passwords are optional and assign it to the device. This task enables the user to remove the restriction on their phone. The phone will continue to request a password until the user turns off the restriction on the phone. Also, because only one active policy of the same type can be applied to a phone, you may choose to remove this policy from the phone once the user has successfully turned off the lock. You can do this by applying the previous policy or removing the phone from the policy used to remove the lock. See Using labels to establish groups on page 130 for information on working with labels.

Unlock
Unlock (Passcode to Unlock)
Android | iOS | Win 7 | WP8
yes (c) | yes
c Not supported for encrypted devices.

To unlock an Android device or an iOS device with MDM support:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the Devices page.
3. Select Unlock from the Actions menu.
Notes:
This function does not apply to Android devices locked using face or pattern locks.
Because the MobileIron app cannot remove the passcode on an encrypted Android device, the Unlock command sets the passcode to "un!ockm3!" on encrypted devices.
On Android devices using AppConnect apps, unlock also removes the secure apps passcode.
For details, see Lock, unlock, and retire impact on AppConnect on page 517.

Wipe
Android | iOS | OS X | Win 7 | WP8
yes (xx) | yes | yes (xxx) | | yes
xx Includes SD cards for most devices.
xxx Requires FileVault2 (i.e., FDE) to be enabled.

Warning
Wiping a device returns it to factory defaults, which can result in loss of data.

Wiping a device returns its settings to the factory defaults and informs the user of this action via email. The Wipe task differs considerably by OS due to the limitations of each OS.
Note: The Admin Wipe role is required for this feature.
To wipe a device:
1. Select Devices under the Users & Devices page.
   Note: The remote wipe command applies only to Mac computers that have FileVault2 (i.e., FDE) enabled.
2. Select the checkbox for the device to be wiped.
3. Select Wipe from the Actions menu.
Note: If the MobileIron Client on the selected device is currently connected, then this action will be applied immediately. However, if the MobileIron Client is not currently connected, the MobileIron VSP will first attempt to complete the operation using the Syscomm phone, if one has been configured. If a Syscomm phone has not been configured, then the MobileIron VSP will attempt to complete the operation by means of the SMTP configuration. If SMTP is used, it may take more time to execute the operation, and the time required may vary by operator.

Selective Wipe
Selective Wipe (Files) / Selective Wipe (Email) / Selective Wipe (SMS)
Android | iOS | Win 7 | WP8
-f, g | -e, g
e Using MobileIron Sentry and ActiveSync
f For Exchange through integration with selected devices and email apps.
g Selective wipe of email for this operating system is accomplished through security compliance actions, removing the device from the associated label, or retiring the device; it is not accomplished using the Selective Wipe command.

The Selective Wipe command is no longer supported.

Block AppTunnels
Android | iOS | Win 7 | WP8
yes

You can manually block the AppTunnel feature in AppConnect apps on a device. The authorized AppConnect apps remain authorized, but the apps will no longer be able to access the web sites configured to use the AppTunnel feature.
Note: For the Docs@Work features in Mobile@Work, blocking the AppTunnel feature blocks access to all the Docs@Work features.
To manually block the AppTunnel feature in AppConnect apps on a device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select More Actions > Block App Tunnels from the Actions menu.
4. Add a note.
5. Click Block AppTunnels.

Lost
Android | iOS | Win 7 | WP8
yes | yes

When a user reports a lost device, you can set its status to Lost. Setting this status does not have a functional effect on the phone. It just flags the phone as lost for tracking purposes and to ensure that it appears in the Lost Phones screen.
To designate a device as lost:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select More Actions > Lost from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Lost.
The entry for this device will appear with a status of Lost. Use the Found action to undo this status. See Found on page 121.

Found
Android | iOS | Win 7 | WP8
yes | yes

If a user reports that a lost phone has been found, you can use the Found action to remove the Lost indicator from the entry for the phone. Setting this status does not have a functional effect on the phone.
To designate a lost device as found:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select More Actions > Found from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Found.
The entry for this device returns to Active status.

Locate
Android | iOS | Win 7 | WP8
via Cell Tower: yes | yes
via GPS: yes

Most registered phones can be located on a map using cell tower IDs. The MobileIron Client records tower data until the next time data is synchronized between the MobileIron Client and the MobileIron VSP. See Working with security policies on page 147 for information on changing the Sync Interval setting. Using the Connect Now feature on the device will result in immediate synchronization.
Exceptions currently include certain GSM phones, which do not provide the necessary location data.
Note
The Admin Locate role is required for this feature.

To display the last known location for a device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select More Actions > Locate from the Actions menu to display the last known location of the phone.
   Note: To ensure that old and misleading location information is eliminated, location data expires after 72 hours.
4. Click the phone icon on the map to display the date on which the location information was collected.

Maintenance features and tasks


The following table summarizes the features and tasks related to device maintenance.
Feature

Description

Use Case

Send Message

Sends a message via SMS,


email, and/or Push Notification (i.e., APNs or C2DM)

Communicating with users

Update Roaming
Settings

Enable or disables roaming


for voice and data on iOS
devices (iOS 5 or later).
Support for this feature
varies by operator.

Disabling roaming for a traveling employee.

Change Ownership

Switches ownership status


between Company and
Employee

Managing company vs private assets and information

Apply To Label

Assigns the device to the


selected label

Managing groups

Remove From Label

Removes the device from


the selected label

Managing groups

Re-enabling roaming when


the employee returns.

This section explains how to use these features.

Send Message
Android

iOS

Win 7

WP8

yes

yes

You can send an SMS text, email or Push Notification (i.e., APNs or C2DM) to selected devices.
Note: For SMS delivery from the MobileIron VSP, you may send up to the maximum number of messages per month as permitted by MobileIron.
Note: If the phone is currently connected to the MobileIron VSP, then the message is sent through the data channel.

To send a message to a device:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select Send Message from the Actions menu.


4. Select the message types you want to send:
   - SMS
   - Email
   - Push Notification (i.e., APNs for iOS or C2DM for Android)
   Note: The character limit for SMS is 125. The character limit for Email and Push Notification is 200. If you select SMS and another option, then the 125 character limit applies.
5. If you are sending email, enter a subject in the Subject field. (The Subject field is applicable to email only.)
6. Enter your message in the Message area.
7. Click Send.

Update Roaming Settings
Platform support: iOS (iOS 5 or later)

The Update Roaming Settings action allows you to enable or disable roaming for voice and data on iOS devices (iOS 5 or later). Support for this feature varies by operator.
Note: The Apply settings option in the iOS MDM app setting must be selected, or this feature will not work. This setting is selected in the default iOS MDM app setting. If you have edited this setting or created your own iOS MDM app setting, make sure this option is selected.


Enabling roaming for iOS devices

To enable roaming for the selected iOS device:
1. In the Devices page, select the iOS devices you want to work with.
2. Select iOS Only > Update Roaming Settings from the Actions menu.


3. Select Enable Voice Roaming.
4. Select Enable Data Roaming if you want to enable data roaming, as well.
5. Click Send.

Disabling roaming for iOS devices

To disable roaming for the selected iOS devices:
1. In the Devices page, select the iOS devices you want to work with.
2. Select iOS Only > Update Roaming Settings from the Actions menu.


   Note that the check boxes remain unselected, regardless of whether roaming has been enabled for the selected devices.
3. Click Send.
   Clicking Send without making changes in this dialog disables roaming on the selected devices.

Viewing roaming settings for iOS devices

To view the existing roaming settings on the selected iOS device:
1. In the Devices page, select the iOS device you want to work with.
2. Find the Disable Voice Roaming and Disable Data Roaming settings in the Device Details pane.


Note: N/A indicates that the operator for the selected device does not support this
feature. Also note that data roaming might display as enabled, but is effectively disabled if voice roaming is disabled.

Change Ownership
Platforms: Android | iOS | Win 7 | WP8
Supported: yes | yes | yes

When you register a device, you specify whether the phone is owned by the company or the employee. Specifying ownership is important if you want to assign different policies or take actions based on whether a phone is company property or the property of an employee.
To change this designation:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select Change Ownership from the Actions menu.
4. Select the preferred ownership setting (Company or Employee) in the displayed dialog.
5. Add text to the Note field.
6. Click Change Ownership.

Apply To Label
Platforms: Android | iOS | Win 7 | WP8
Supported: yes | yes | yes

Applying a device to a label tags the phone as part of the associated group. When you specify a label for an action, you perform the action on all devices having the label. See Using labels to establish groups on page 130 for more information on labels.


To apply a device to a label:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the Devices page.
3. Select Apply To Label from the Actions menu.
4. Select the label to apply from the pop-up dialog box.
   Only labels that have not already been associated with this device will be displayed. For example, iOS devices are automatically applied to the iOS label, so that label does not appear in the list. Also, automatic labels that are not applicable to this device will not appear in the list. For example, the iOS label will not appear for a selected Android phone.
5. Click Apply.

Remove From Label
Platforms: Android | iOS | Win 7 | WP8
Supported: yes | yes | yes

Removing a device from a label removes the tag that makes it a part of the associated group. See Using labels to establish groups on page 130 for more information on labels.
To remove a device from a label:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the Devices page.
3. Select Remove From Label from the Actions menu.
4. Select the label from the pop-up dialog box.
   Removing the device from the label causes MobileIron to undo the policies specified by the label and return the phone to the default policy specified in MobileIron.
5. Click Apply.


Using labels to establish groups


You can use labels for devices, apps, policies, and events. This process forms a group.
For example, you might create a label called Executives to tag devices belonging to
employees at the executive level. You can then locate all of these devices quickly in a
search, or apply policies based on whether a device has this label.

Default labels
MobileIron includes the following default labels:

Label | Description
All-Smartphones | Automatically applied to all devices at registration.
All-Syscomm | Manually applied to the Syscomm phones during SMS configuration. A Syscomm phone becomes a designated proxy for SMS messages.
Android | Automatically applied to registered devices that have the Android platform selected during registration.
BlackBerry | No longer supported.
Company-Owned | Automatically applied to registered devices that have the Company checkbox selected during registration.
Employee-Owned | Automatically applied to registered devices that have the Employee checkbox selected during registration.
iOS | Automatically applied to registered devices that have the iOS platform selected during registration.
OS X | Automatically applied to registered Apple devices that have OS X selected during registration.
Symbian | No longer supported.
WinMo | No longer supported.
Windows Phone 8 | Automatically applied to registered devices that have the WindowsPhone platform selected during registration.

Note: You cannot delete default labels.

Filter and manual type labels

Labels fall into the following categories:
- Filter
- Manual
Filter labels use specific criteria to specify a group of devices. Manual labels have no criteria associated with them; you select each device associated with a manual label. When you initially create a label, it is stored as a filter label. If you use the Advanced Search feature to specify the criteria for a label, then it remains a filter label. If you select phones in an Admin Portal screen and apply a label to them, then the label becomes a manual label.

Creating labels
To create a new label:
1. In the Users & Devices page, click the Labels link.
2. Click Add New.
3. Use the following guidelines to complete these fields.
   Field | Description | Example
   Name | Enter a unique name that clearly identifies the purpose of the label. | Executive Team
   Description | Provide additional meaning and usage information. | For members of the executive staff reporting to John Smith
4. Click Save.

You can now apply this label to devices. See Apply To Label on page 128.

Viewing devices currently associated with a label

To view the devices currently associated with a specific label:
1. In the Users & Devices page, click the Labels link.
2. Click the link in the View Devices column.


Associating a filter with a label: dynamic labels


You can use the Advanced Search feature in the All Devices page to associate a filter
with a label. The resulting dynamic label represents the devices defined by the filter at
a given time. See Searching for a device record for information on using Advanced
Search.

Example: Creating a label for devices by operator

To create a label for all devices having a specific operator:
1. Create a label. See Creating labels on page 131.
2. In the All Devices screen, click the Advanced Search link.
3. In the Select Field dropdown, select Operator.
4. Select the operator from the dropdown to the right of Operator.
5. In the Assign Label to result list, select the label you created.

Example: Creating a label for devices by LDAP group

To create a label for all devices associated with a specific LDAP group:
1. Create a label. See Creating labels on page 131.
2. In the All Devices screen, click the Advanced Search link.
3. In the Select Field dropdown, select LDAP_GROUP.
4. Enter the first few characters of the LDAP group name to display matching groups.
5. Select the LDAP group from the list of matching groups.
6. In the Assign Label to result list, select the label you created.

Example: Creating a label for devices by LDAP user attribute

To create a label for all devices associated with a specific LDAP user attribute:
1. Create a label. See Creating labels on page 131.
2. In the All Devices screen, click the Advanced Search link.
3. In the Select Field dropdown, select LDAP_USER_ATTRIBUTE.
4. Enter the LDAP attribute and value to use in the field to the right of the dropdown using the following format:
   <attribute_name>=<attribute_value>
   Example: mail=jsmith@mycompany.com
5. In the Assign Label to result list, select the label you created.
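
The three filter examples above all select devices by one Advanced Search field and a value. As an added example that is not MobileIron code, the following evaluates those fields (Operator, LDAP_GROUP, and LDAP_USER_ATTRIBUTE in the <attribute_name>=<attribute_value> format) against constructed device records to compute which devices a dynamic label covers at a given moment.

```python
"""Compute the membership of a filter (dynamic) label from device records.

Added example; not MobileIron code. The device records are constructed and the
field names mirror the Advanced Search fields used in this section.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    operator: str
    ldap_groups: frozenset = frozenset()
    ldap_attributes: dict = field(default_factory=dict)


# Constructed sample inventory; operator names and users are made up.
DEVICES = [
    Device("d1", "ExampleTel", frozenset({"Executives", "Sales"}),
           {"mail": "jsmith@mycompany.com", "title": "VP Sales"}),
    Device("d2", "ExampleTel", frozenset({"Engineering"}),
           {"mail": "alee@mycompany.com"}),
    Device("d3", "OtherCarrier", frozenset({"Executives"}),
           {"mail": "bchen@mycompany.com", "title": "CFO"}),
]


def parse_user_attribute_filter(text):
    """Parse '<attribute_name>=<attribute_value>' as documented for LDAP_USER_ATTRIBUTE.

    Only the first '=' separates name from value, so a value containing '='
    survives. Malformed input raises instead of silently matching nothing,
    which would otherwise leave the label empty without any hint why."""
    name, sep, value = text.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name or not value:
        raise ValueError(f"expected <attribute_name>=<attribute_value>, got {text!r}")
    return name, value


def matches(device, select_field, criterion):
    """Return True if the device satisfies one Advanced Search filter."""
    if select_field == "Operator":
        return device.operator == criterion
    if select_field == "LDAP_GROUP":
        return criterion in device.ldap_groups
    if select_field == "LDAP_USER_ATTRIBUTE":
        name, value = parse_user_attribute_filter(criterion)
        return device.ldap_attributes.get(name) == value
    raise ValueError(f"unsupported filter field {select_field!r}")


def dynamic_label_members(devices, select_field, criterion):
    """Sorted device ids the filter label covers right now.

    Unlike a manual label, nothing is stored per device: membership is
    recomputed from the current records each time it is evaluated."""
    return sorted(d.device_id for d in devices if matches(d, select_field, criterion))
```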

Deleting labels
To delete a label:
1. In the Users & Devices page, click the Labels link.
2. Select the label you want to work with.
3. Click Delete.

Note: Default labels cannot be deleted. See Default labels on page 130.


Optional SMS configuration: Syscomm phone

MobileIron uses SMS messages to:
- provision devices with the MobileIron Client
- send alerts and notifications
- wipe devices for some platforms
Email provides an alternative to SMS for each of these actions except wipe. Therefore, MobileIron offers an optional SMS configuration consisting of special devices called Syscomm phones. These components of a MobileIron implementation act as SMS proxies.
Note: To ensure that most of the Syscomm phone's resources are dedicated to serving as an SMS proxy, you should either use a device having few apps installed and little data stored, or configure the privacy policy for this phone to synchronize no files. This also accelerates the initial synchronization process, which must be completed before the Syscomm function can be synchronized to the phone.
To designate a Syscomm phone:
1. Create a local user called SyscommAdmin.
2. Configure the SyscommAdmin user with an email address that will alert appropriate personnel if the phone malfunctions, has low battery power, and so on.
3. Register the designated device for this user.
4. Create a new sync policy that enables the Client is Always Connected option.
5. Apply the sync policy to the All-Syscomm label.
6. Apply the All-Syscomm label to this phone.
   Once the label has been successfully applied, the Syscomm phone is ready to act as the SMS proxy.


Chapter 5

Managing Policies


Overview of managing policies


MobileIron uses policies to regulate the behavior of the devices it manages. Each policy consists of a set of rules.
The following policy types are available:
- Default (See Working with default policies on page 146.)
- Global HTTP Proxy (See Working with global HTTP proxy policies on page 183.)
- Security (See Working with security policies on page 147.)
- Privacy (See Working with privacy policies on page 163.)
- Lockdown (See Working with lockdown policies on page 169.)
- Sync (See Working with sync policies on page 174.)
- Backup & Restore (See Working with backup & restore policies on page 181.)
- Docs@Work (See For iOS: Set up Docs@Work policies on page 467.)
- Single-App Mode (See Working with single-app mode policies for iOS on page 183.)
- Android Kiosk (See Working with Android kiosk policies on page 187.)
- ActiveSync Policies (See Working with ActiveSync policies on page 362.)
- AppConnect global policy (See Configuring the AppConnect global policy on page 484.)

You can create multiple policies for each policy type, but only one active policy of each type can be applied to a specific device.

Policies page
Use the Policies page at Policies & Configs > Policies to specify and control aspects of
enterprise device behavior.
Each policy page displays the following information about the policies belonging to the corresponding policy type:

Field | Description
Policy Name | Identifier for this policy. The policy name must be unique for policies of the same type.
Priority | Priority set for this policy in relation to other policies of the same type.
Status | Current status of this policy. The status can be Active or Inactive.
Description | Additional information about the policy, such as its purpose.
Type | Which policy category this policy belongs to. See Overview of managing policies on page 138 for a list of types.
Last Modified | The date and time of the last change made to this policy.
# Phones | The number of phones affected by this policy. Click the link to display a list of the devices.
Labels | The labels applied to this policy. See Using labels to establish groups on page 130 for information on labels.
Watchlist | Displays the number of devices for which the policy is queued. Click the link to display a list of the devices. Exception: Backup & Restore policies are not distributed to the MobileIron Clients. In this case, the Watchlist column indicates the devices that are awaiting backup.

Required role
Users must have the Policies role to access the Policies page. See Assigning and
removing roles on page 57.


Working with policies


Each policy type is displayed in a separate screen. You can use the same procedures
to work with each type of policy.

Displaying policies
To display policies:
1. Click the corresponding link under Policies & Configs to display the policies you want to work with:
   - Policies: the standard MobileIron policies, including default and custom policies
   - Default Policies: the standard MobileIron policies automatically assigned to most devices
   - ActiveSync Policies: the specialized policies for devices that connect to the enterprise via ActiveSync
2. If you selected the Policies link, you can filter the displayed policies by selecting from the Policy Type list.
3. Select a policy to display the details of that policy in the right pane.

Editing policies
To edit an existing policy:
1. Click the corresponding link under Policies & Configs to display the policies you want to work with.
2. If you selected the Policies link, you can filter the displayed policies by selecting from the Policy Type list.
3. Select a policy to display the details of that policy in the right pane.
4. Click the Edit button in the right pane to display editable settings for the policy.
5. Make the changes to the displayed settings.
6. Click Save.

Note: Policy changes may cause devices to which that policy is applied to prompt the user to restart the device.

Applying policies to labels

Use labels to apply policies to devices. See Using labels to establish groups on page 130 for information on creating and managing labels.
To apply a label to a policy:
1. Click the corresponding link under Policies & Configs to display the policies you want to work with.
2. Select the checkbox next to the policy.
3. Click More Actions.
4. Select Apply To Label from the displayed submenu.
5. Select the label.
6. Click Apply.

Removing policies from labels

You can remove a policy from a label when you no longer want changes to that policy to affect devices having a given label. See Using labels to establish groups on page 130.
To remove a label from a policy:
1. Click the corresponding link under Policies & Configs to display the policies you want to work with.
2. Select the checkbox next to the policy.
3. Click More Actions.
4. Select Remove From Label from the displayed submenu.
5. Select the label.
6. Click Remove.

Creating a new policy

To create a new policy:
1. Click the Policies & Configs tab.
2. Select Add New.
3. Select the policy type from the displayed submenu.
4. Adjust the displayed settings.
   - See Working with security policies on page 147.
   - See Working with privacy policies on page 163.
   - See Working with lockdown policies on page 169.
   - See Working with sync policies on page 174.
   - See Working with backup & restore policies on page 181.
   - See For iOS: Set up Docs@Work policies on page 467.
   - See Working with ActiveSync policies on page 362.
   - See Configuring the AppConnect global policy on page 484.
5. Click Save.
6. Apply the policy to the appropriate labels. If you do not complete this step, then the policy will not affect any devices. See Applying policies to labels on page 140.


Deleting policies
To delete policies from the MobileIron Server:
1. Click one of the filters under the Policies & Configs tab to display the policy you want to delete.
2. Select the checkbox for the policy you want to delete.
3. Click Delete in the upper left.

What happens when you delete a policy

When you delete a policy, all devices to which that policy was applied are updated with the default version of that policy.

Displaying custom policies for a selected label

To display a list of the policies associated with a specific label:
1. Select a policies page under Policies & Configs.
2. Select a label from the Labels drop-down list.

Note: Default policies are not included.

Displaying custom policies for a selected user

To display a list of the policies associated with a specific user:
1. Select a policies page under Policies & Configs.
2. Enter any portion of the user's first name, last name, or user ID and click the search icon to find policies assigned to user records matching the entered criteria.

Note: Default policies are not included. See Working with default policies on page 146.

Prioritizing policies
When you create a custom policy, you can assign a priority relative to the other custom policies of the same type. This priority determines which policy is applied if more
than one policy is associated with a specific device. For example, if you create a security policy for executives and a security policy for iOS devices, then an executive with
an iPhone would have two different possible policies applied. Because only one policy
of a given type can be applied to a device, the priority defined for the policies determines which is applied.
You can manage priorities for individual policies, or you can use the Modify Priority screen to manage priorities for a policy type in a single screen. To manage priorities in a single screen:
1. Select Policies & Configs > Policies.
2. Select a type from the Policy Type dropdown.
3. Select Modify Priority.
4. Drag and drop policies until they reflect the priorities you want to set, with the highest priority of 1 appearing at the top of the list.
5. Click Save.
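
As an added example that is not MobileIron code, the following resolves which policy of each type a device actually receives, from the rules stated in this chapter: policies reach devices through labels, only one active policy of each type applies to a device, the highest priority (1) wins when several custom policies match, and the default policy applies when none does. The policy names, labels and priorities are constructed.

```python
"""Resolve the effective policy of each type for a device from its labels.

Added example; not MobileIron code. Policies, labels and priorities below are
constructed. Rules modelled: a policy applies to a device only through a label
it shares; Inactive policies are ignored; among matching custom policies the
lowest priority number (1 = highest priority) wins; with no match, the default
policy of that type applies, as it does after a custom policy is deleted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str      # e.g. "Security", "Lockdown"
    priority: int         # 1 = highest; ignored for default policies
    status: str           # "Active" or "Inactive"
    labels: frozenset     # labels the policy has been applied to
    is_default: bool = False


# Constructed sample set: one default per type plus custom policies on labels.
POLICIES = [
    Policy("Default Security Policy", "Security", 0, "Active", frozenset(), True),
    Policy("Default Lockdown Policy", "Lockdown", 0, "Active", frozenset(), True),
    Policy("Exec Security", "Security", 1, "Active", frozenset({"Executives"})),
    Policy("iOS Security", "Security", 2, "Active", frozenset({"iOS"})),
    Policy("Exec Lockdown", "Lockdown", 1, "Inactive", frozenset({"Executives"})),
]


def candidates(policies, device_labels, policy_type):
    """Active custom policies of one type that reach the device via a shared label."""
    return [p for p in policies
            if p.policy_type == policy_type
            and not p.is_default
            and p.status == "Active"
            and p.labels & device_labels]


def effective_policy(policies, device_labels, policy_type):
    """Pick the single policy of this type that applies to the device.

    Modify Priority orders policies by drag and drop, so equal priorities
    should not occur; this example treats them as a configuration error
    rather than choosing one arbitrarily."""
    matched = sorted(candidates(policies, device_labels, policy_type),
                     key=lambda p: p.priority)
    if not matched:
        defaults = [p for p in policies if p.policy_type == policy_type and p.is_default]
        if not defaults:
            raise LookupError(f"no default {policy_type} policy defined")
        return defaults[0]
    if len(matched) > 1 and matched[0].priority == matched[1].priority:
        raise ValueError(f"duplicate priority {matched[0].priority} in {policy_type} policies")
    return matched[0]


def effective_policies(policies, device_labels):
    """Map every policy type present to the name of the policy the device gets."""
    types = sorted({p.policy_type for p in policies})
    return {t: effective_policy(policies, device_labels, t).name for t in types}
```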

Displaying policy status


The Device Details pane displays status for the following tasks:
- apply lockdown policies
- apply security policies
The statuses you will see are:
- Pending: The process of applying the policy has been started.
- Sent: The policy has been successfully sent to the device.
- Applied: The VSP has confirmed that the verifiable settings appear to have been applied to the device. For Android devices, use the View Details button to see the verifiable results for Security and Lockdown policies.
- Partially Applied: One or more settings may have been rejected by the device. This can mean that the feature is not supported by the device. For Android devices, use the View Details button to see the verifiable results.
The following figure shows status displayed in the Device Details pane.


Click the View Details button for Android devices to see information on each policy.


Displaying supported platforms for policies


To clarify which policies are supported for which platforms, Platforms Supported
links are included in the policy dialogs.

Each link displays a table outlining the platform support for each policy feature.


Working with default policies


Default policies are the policies applied to a device automatically when it is registered. Default policy values are also used as a starting point when you create a custom policy. MobileIron provides the values for each default policy specification. You can then edit the default policies to your needs. If you do edit a default policy's values, those new values become the starting point when you create a new custom policy.
MobileIron provides defaults for the following policy types:
- Security
- Privacy
- Lockdown
- Sync
- Docs@Work
- ActiveSync (See Working with ActiveSync policies on page 362.)
- AppConnect global policy

Note: You cannot delete default policies.

The default settings for each policy type are listed in the section for each type.


Working with security policies


Platform support for the security policy features (Encryption Policy for Internal Storage, Encryption Policy for SD Card, Password Policy, App Control):
Platforms: Android | iOS | OS X | Win 7 | WP8
Support marks, in table order: yes (j, h) | yes | yes | yes (h) | yes | yes | yes | yes | yes | yes
Footnotes:
e: Using MobileIron Sentry and ActiveSync.
j: Supported for Android 3.0 and higher.
h: Supported for Samsung SAFE devices.

Security policies specify how MobileIron addresses several areas of mobile security. Use the following guidelines to create or edit Security policies. Each item is listed with its description and, where one is defined, its Default Policy Setting.

Item: Name
Description: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
Default Policy Setting: Default Security Policy

Item: Status
Description: Select Active to turn on this policy. Select Inactive to turn off this policy. Why: Use the Status feature to turn a policy on or off across all phones affected by it. The policy definition is preserved in case you want to turn it on again.
Default Policy Setting: Active

Item: Priority
Description: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 142 for more information. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Item: Description
Description: Enter an explanation of the purpose of this policy.
Default Policy Setting: Default Security Policy

Password

Item: Password
Description: Select Mandatory to specify that the user must enter a password before being able to access the device. Otherwise, select Optional, which allows the user to determine whether the password will be set. Note: If you intend to use the Lock feature in case the phone is lost or stolen, then a password must be set on the phone. Therefore, specifying a mandatory password is strongly advised. For OS X: Select Mandatory to specify that the device user must comply with the password policy when resetting the password for the device. This does not force a user to change an existing password. For Mobile@Work for Android 5.1: Select Mandatory to enable the AppConnect passcode on the device. The password rules you specify here apply to both the device passcode and the AppConnect passcode. Note that starting with Mobile@Work for Android 5.5, a device passcode is not mandatory. You specify the AppConnect passcode rules on the AppConnect global policy.
Default Policy Setting: Optional

Item: Password Type
Description: Specify whether the password should be simple numeric input, be restricted to alphanumeric characters, or neither (that is, Don't Care). For WP8 devices, the Don't Care option requires that the password is either simple or alphanumeric.
Default Policy Setting: Don't Care

Item: Minimum Password Length
Description: Enter a number between 1 and 10 to specify the minimum length for the password. Leave this setting blank to specify no minimum.

Item: Maximum Inactivity Timeout
Description: Select the maximum amount of time to allow as an inactivity timeout. To disable this feature, select Never. The user can then specify up to this value as the interval after which the screen locks. For OS X: Enter the maximum timeout interval that the device user can set for the device before the screensaver engages. For iOS: The Grace Period for Device Lock option determines whether the user must enter a password to unlock the screen. Also consider the case when the maximum inactivity timeout that you specify is greater than the maximum inactivity timeout that the device supports. In this case, the inactivity timeout that the user can specify is limited by the device's maximum inactivity timeout.
Default Policy Setting: 30 minutes

Item: Minimum Number of Complex Characters
Description: iOS, OS X, and Android 3.0 and higher only: Specify the minimum number of special characters that must be included in a password. WP8: Specify the minimum level of complexity, 1 to 4, required in a password. The values indicate the minimum number of character types required. The character types are lowercase, uppercase, numbers, and non-alphanumeric.

Item: Maximum Password Age
Description: iOS, OS X, and Android 3.0 and higher only: Specify the number of days after which the password will expire. 0 indicates no limit.

Item: Maximum Number of Failed Attempts
Description: For iOS, OS X, and Android: Specify the maximum number of times the user can enter an incorrect password before the device is wiped. iOS: After the number of failed attempts, the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt. The passcode time delays always begin after the sixth attempt, so if you set this value to 6 or lower, no time delays are imposed and the device is erased when the attempt value is exceeded. 0 indicates no limit. For iPhone OS 4, the range is 4 to 16. In prior versions, the range is 2 to 11.

Item: Password History
Description: iOS and Android 3.0 and higher only: Specify the number of passwords remembered to ensure that users define a different password. For example, if you want to prevent users from repeating a password for the next four password changes, enter 4.

Item: Grace Period for Device Lock
Description: For OS X: Specify the maximum amount of time the device can be on the screensaver without prompting for a passcode on wake from the screensaver. For iOS: Specify the interval after the device locks during which the user can unlock the device without entering a passcode. Android: Not used.
Default Policy Setting: None

Data Encryption

Item: Device Encryption
Description: Android 3.0 and higher, Samsung SAFE devices running Android 2.3 or higher, and WP8 only: Select On to turn on encryption. Otherwise, select Off. Note: If Device Encryption is turned On, then the Password option is automatically set to Mandatory. For WP8 devices: If Device Encryption is turned on, it cannot be turned off. You have to reset the device to factory settings to turn off device encryption.
Default Policy Setting: Off

Item: Data Type
Description: Not supported.
Default Policy Setting: none selected

Item: File Types
Description: Not supported.
Default Policy Setting: none specified

Item: SD Card Encryption
Description: Samsung SAFE devices only: Select On to turn on encryption. Otherwise, select Off.
Default Policy Setting: Off

Access Control
For the following options, select the compliance action you want to apply to
devices that trigger access control. For detailed information on the impact that
compliance actions have on devices, see Compliance actions for security policy
violations on page 154.
For All Platforms
Apply compliance
action when a
device has not connected to MobileIron in x days

Select the compliance action you


want to apply if a device has not
connected to the VSP in the specified number of days.
iOS: Supports all compliance
actions.
Android, starting with
Mobile@Work for Android 5.6 and
Secure Apps Manager 5.7: Supports only the following compliance
actions:

Sending alert
Blocking email access if you are
using a Standalone Sentry for
email access.

Blocking app tunnels.

Company Confidential
152

Managing Policies

Item

Description

Apply compliance
action when a policy has been out of
date for x day

Select the compliance action you


want to apply if a device has not
met policy requirements for the
specified number of days.
iOS: Supports all compliance
actions.
Android: Does not support this policy violation.

Apply compliance
action when a
device violates following App Control
rules

Select the compliance action you


want to apply when a device violates the specified App Control
rules. See Applying an app control
rule to a security policy on
page 441.

For iOS devices


Apply compliance
action when iOS
version is less than

Select the compliance action you


want to apply when MobileIron
detects an iOS device having a version number less than the specified
version.

Apply compliance
action when Data
Protection is disabled

Select the compliance action you


want to apply when MobileIron
detects an iOS device that has the
Data Protection feature disabled.

Apply compliance
action when a compromised iOS
device is detected

Select the compliance action you


want to apply when MobileIron
detects an iOS device that has
been modified to circumvent manufacturer restrictions.
Note that when the device is compromised, Mobile@Work prevents
the user from accessing
Docs@Work features. See Jailbreak impact on documents on
page 473

Apply compliance
action for the following disallowed
devices

Select the compliance action you


want to apply when MobileIron
detects a specified iOS device.

Apply compliance
action when device
MDM is deactivated
(iOS 5 or higher)

Select the compliance action you


want to apply when MobileIron
detects that the MDM profile has
been removed from the device.

For Android devices

Company Confidential
153

Default Policy Setting

Managing Policies

Item

Description

Apply compliance action when Android version is less than x
  Select the compliance action you want to apply when MobileIron detects an Android device having a version number less than the specified version.

Apply compliance action when a compromised Android device is detected
  Select the compliance action you want to apply when MobileIron detects an Android device that has been rooted, that is, root access has been given to an app.

Apply compliance action when Data Encryption is disabled
  Select the compliance action you want to apply when MobileIron detects an Android device that has the Data Encryption feature disabled.

Apply compliance action when device administrator is deactivated
  Select the compliance action you want to apply when MobileIron detects that the device administrator privilege has been removed from the MobileIron app.
  Note: The quarantine action Remove All Configurations has no impact when the device administrator is deactivated.

For WP8 devices

Apply compliance action when Data Encryption is disabled
  Select the compliance action you want to apply when MobileIron detects a WP8 device that has the Data Encryption feature disabled.
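The access-control rows above map observed device state to a compliance action, and several of them are platform-specific. The following Python model is an added example, not MobileIron code; the class, field and action names in it are assumptions chosen for illustration. It shows the per-platform checks side by side and why the OS version must be compared numerically rather than as a string (a string compare would rank "5.10" below "5.9").

```python
# Added example (not MobileIron code): a model of the access-control rows of a
# security policy. Field and action names are illustrative assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.1.3' into (6, 1, 3) so that versions compare numerically.
    A plain string compare would rank '5.10' below '5.9'."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class DeviceState:
    platform: str                         # "iOS", "Android" or "WP8"
    os_version: str
    days_out_of_date: int = 0             # days the device has failed policy requirements
    compromised: bool = False             # jailbroken (iOS) or rooted (Android)
    data_protection_enabled: bool = True  # iOS Data Protection / Android and WP8 Data Encryption
    mdm_active: bool = True               # iOS: MDM profile still installed
    device_admin_active: bool = True      # Android: MobileIron app still a device administrator
    model: str = ""                       # iOS device model, checked against the disallowed list


@dataclass
class AccessControlPolicy:
    """Each *_action field names the compliance action the administrator selected
    for that row, or None when no action is configured (hypothetical names)."""
    out_of_date_days: int = 0
    out_of_date_action: Optional[str] = None
    min_ios_version: str = "0"
    ios_version_action: Optional[str] = None
    min_android_version: str = "0"
    android_version_action: Optional[str] = None
    data_protection_action: Optional[str] = None
    compromised_action: Optional[str] = None
    disallowed_ios_models: Set[str] = field(default_factory=set)
    disallowed_device_action: Optional[str] = None
    mdm_deactivated_action: Optional[str] = None
    device_admin_deactivated_action: Optional[str] = None


def evaluate(device: DeviceState, policy: AccessControlPolicy) -> List[Tuple[str, str]]:
    """Return (violated rule, configured action) pairs in table order.
    Rows with no configured action produce nothing even when violated."""
    hits: List[Tuple[str, str]] = []

    def trigger(rule: str, action: Optional[str]) -> None:
        if action is not None:
            hits.append((rule, action))

    # "Out of date for x days": the page states iOS supports it and Android does not.
    if (device.platform == "iOS" and policy.out_of_date_days
            and device.days_out_of_date >= policy.out_of_date_days):
        trigger("policy out of date", policy.out_of_date_action)

    if device.platform == "iOS":
        if parse_version(device.os_version) < parse_version(policy.min_ios_version):
            trigger("iOS version too low", policy.ios_version_action)
        if not device.data_protection_enabled:
            trigger("Data Protection disabled", policy.data_protection_action)
        if device.compromised:
            trigger("compromised iOS device", policy.compromised_action)
        if device.model in policy.disallowed_ios_models:
            trigger("disallowed device", policy.disallowed_device_action)
        if not device.mdm_active:
            trigger("MDM deactivated", policy.mdm_deactivated_action)

    elif device.platform == "Android":
        if parse_version(device.os_version) < parse_version(policy.min_android_version):
            trigger("Android version too low", policy.android_version_action)
        if device.compromised:
            trigger("compromised Android device", policy.compromised_action)
        if not device.data_protection_enabled:
            trigger("Data Encryption disabled", policy.data_protection_action)
        if not device.device_admin_active:
            trigger("device administrator deactivated", policy.device_admin_deactivated_action)

    elif device.platform == "WP8":
        # The page lists only the Data Encryption row for WP8.
        if not device.data_protection_enabled:
            trigger("Data Encryption disabled", policy.data_protection_action)

    return hits


if __name__ == "__main__":
    policy = AccessControlPolicy(min_ios_version="6.0",
                                 ios_version_action="Block Email, AppConnect Apps And Send Alert",
                                 compromised_action="Quarantine")
    for dev in (DeviceState("iOS", "5.10"), DeviceState("iOS", "6.1", compromised=True)):
        print(dev.platform, dev.os_version, evaluate(dev, policy))
```

The evaluator returns every violated row rather than stopping at the first, which mirrors the Admin Portal: each row carries its own action, and a single check-in can trigger several of them.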

If you change password specifications

If you change password specifications, users may be prompted to reset their passwords. Consider notifying users of the new specifications before making changes to the policy.

Compliance actions for security policy violations

When you configure access control in a security policy, you can select default compliance actions that are provided with the VSP. You can also select custom compliance actions that you create.

Note: To create the custom compliance actions, see Custom compliance actions on page 156.

Default compliance actions

The following table describes the default compliance actions:

Send Alert
  Sends the alert that you configured for the policy violation. To configure the alert, see Policy violations event on page 298.

Block Email, AppConnect Apps And Send Alert
  Sends the alert that you configured for the policy violation.
  Restricts access to email via ActiveSync if you are using a Standalone Sentry for email access.
  Immediately blocks access to the web sites configured to use the AppTunnel feature.
  Unauthorizes AppConnect apps.
    iOS: AppConnect apps become unauthorized when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions that involve only unsecured functionality can allow the user to use only those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager 5.7: AppConnect apps become unauthorized when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This action impacts AppConnect apps that are part of the Docs@Work for Android solution, as well as third-party AppConnect for Android apps.
  Docs@Work for iOS: Blocks the use of Docs@Work features in Mobile@Work for iOS.

Custom compliance actions

You can customize the compliance actions that you want to take for the settings in the Access Control section of security policies. Custom compliance actions enable you to specify combinations of the following actions:

- Send alert
- Block email access and AppConnect apps
- Quarantine: block email access, block app tunnels, block AppConnect apps, and wipe AppConnect app data
- Remove configurations (i.e., profiles)
- Specify exceptions for WiFi-only devices
- iOS only, iOS 5.0 and later: remove managed apps, and block new downloads

Once you create a set of these actions, you can select that set from the dropdowns in the Access Control section of security policies.

Creating custom actions

To create a set of custom actions for access control:

1. Select Policies & Configs > Compliance Actions.

2. Click Add.

3. Use the following guidelines to complete this screen.

Name
  Enter an identifier for this set of compliance actions. Consider specifying the resulting action so that the option will be more readable in the context of the security policy settings.

Alert via Event Center
  Select if you want to trigger a message indicating that the violation has occurred. To configure the alert, see Policy violations event on page 298.

Block email access and AppConnect apps
  Selecting this option has the following impact on the device:
  - Restricts access to email via ActiveSync if you are using a Standalone Sentry for email access.
  - Immediately blocks access to the web sites configured to use the AppTunnel feature.
  - Unauthorizes AppConnect apps.
    iOS: AppConnect apps become unauthorized when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions that involve only unsecured functionality can allow the user to use only those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager 5.7: AppConnect apps become unauthorized when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This action impacts AppConnect apps that are part of the Docs@Work for Android solution, as well as third-party AppConnect for Android apps.
  - Docs@Work for iOS: Blocks the use of Docs@Work features in Mobile@Work for iOS.

Quarantine
  Selecting this option has the following impact on the device:
  - Restricts access to email via ActiveSync.
  - Immediately blocks access to the web sites configured to use the AppTunnel feature.
  - AppConnect apps become unauthorized and their secure data is deleted (wiped).
    iOS: AppConnect apps become unauthorized and their secure data is wiped when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions that involve only unsecured functionality can allow the user to use only those portions.
    Android, starting with Mobile@Work for Android 5.6 and Secure Apps Manager 5.7: AppConnect apps become unauthorized and their data is wiped when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This action impacts AppConnect apps that are part of the Docs@Work for Android solution, as well as third-party AppConnect for Android apps.
  - Docs@Work for iOS: Blocks the use of Docs@Work features in Mobile@Work for iOS and wipes its data.

Remove All Configurations
  iOS: Select if you want to remove the configurations (i.e., profiles) that provide access to corporate resources.
  Android: Select to remove the following configurations:
  - Exchange
  - VPN
  - Wi-Fi
  - Docs@Work
  However, because of Android limitations, this action does not remove any certificates used in SCEP, Certificate, and Wi-Fi configurations. These certificates are installed into the device's credential storage. Only the device user can remove them by using the Clear Credential Storage command in the Android Settings app on the device. Certificates used in Exchange and VPN configurations are removed because these certificates are stored in the respective apps.

  Do not remove Wi-Fi settings from Wi-Fi only devices: Select if you want to retain the Wi-Fi configurations for devices that do not have cellular access. You might select this option to ensure that you can still contact these devices.
  iOS: The iOS version determines how MobileIron decides whether a device supports Wi-Fi only. Prior to iOS 4.2.6, the device model (e.g., iPod) is used.

  Do not remove Wi-Fi settings: iOS: Select if you want to retain the Wi-Fi configurations for any device, regardless of whether it has cellular access. You might select this option to preserve limited network access despite the policy violation.

Remove Managed apps, and block new downloads
  iOS 5 and later only: Select if you want to remove managed apps and prevent reinstallation of these apps.

4. Click Save.

This new set of actions now appears in the drop down list for settings in the Access Control section of security policies.

When the compliance action takes effect

When you first apply a security policy, several factors affect the amount of time required to communicate the changes to targeted devices:

- sync interval
- time the device last checked in
- battery level
- number of changes already queued
- the app checkin interval for AppConnect for iOS

Once the change reaches the device, the MobileIron VSP checks the device for compliance. If the device is out of compliance, then the action is performed.

Confirming removal of configurations for iOS

The following entries in the MDM log (Logs & Events > MDM Log) indicate that configurations have been removed.

Restoring configurations

MobileIron automatically restores the configurations once the device user addresses the policy violation. For example, if the policy violation resulted from an old version of iOS, then upgrading resolves the issue. The same factors that apply to establishing the quarantine affect the amount of time required to release the device from quarantine.

Exception: If the WiFi configuration has been removed from a WiFi-only device, then configurations must be restored manually.

Viewing quarantine information

Devices that have had configurations removed due to policy violations are considered quarantined. You can view quarantine information in the following places:

- Devices page
- Configurations page

Devices page: quarantined devices

To see if an individual device has been quarantined:

1. Select Users & Devices > Devices.

2. Note devices that have been highlighted and appear with a quarantine icon.

3. Select the entry for a quarantined device.

4. Expand the App Settings section in the Device Details pane to see which configurations have been removed due to quarantine.

Configurations page: configurations removed due to quarantine

To see which configurations have been removed due to quarantine:

1. Select Policies & Configs > Configurations.

2. Click a number link in the Quarantined column to display a list of devices that have had the configuration removed.

Working with privacy policies

Platform support:
  Android   partial (g)
  iOS       partial (g)
  OS X      partial (g)
  Win 7     -
  WP8       -

g. Only Location and Apps privacy settings currently apply to iOS and Android. Only Apps privacy settings apply to OS X.

Privacy policies specify which files to synchronize with the MobileIron VSP and whether activity or content should be synchronized for each type of data. Privacy policies also specify which information the MobileIron Client should include in its log.

Use the following guidelines to create or edit Privacy policies (each item lists its Default Policy Setting):

Name
  Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
  Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
  Default Policy Setting: Default Privacy Policy

Status
  Select Active to turn on this policy. Select Inactive to turn off this policy.
  Default Policy Setting: Active

Priority
  Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 142 for more information.
  Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Description
  Enter an explanation of the purpose of this policy.
  Default Policy Setting: Default Privacy Policy

Calls
  Specify synchronization for voice calls:
  Sync Activity: Collect statistics on incoming and outgoing calls.
  None: Do not collect call statistics.
  Default Policy Setting: Sync Activity

SMS
  Specify synchronization for SMS:
  Sync Activity: Collect SMS statistics.
  Sync Content: Collect SMS statistics and store SMS data on the MobileIron Server.
  None: Do not collect SMS statistics or store SMS data.
  Note that if the user's privacy settings in MyPhone@Work specify that SMS content shall not be synced, then the Sync Content option here results in syncing of SMS activity data only.
  Default Policy Setting: Sync Activity

Data Traffic
  Specify synchronization for data traffic:
  Sync Activity: Collect data traffic statistics.
  None: Do not collect data traffic statistics.
  Default Policy Setting: Sync Activity

Contacts
  Specify synchronization for contacts:
  Sync Content: Copy contact information between the phone and the MobileIron Server.
  None: Do not copy contact information between the phone and the MobileIron Server.
  Note: If you select None, then the Contacts tab in MyPhone@Work will be disabled. See The User Portal: MyPhone@Work on page 799.
  Default Policy Setting: Sync Content

Apps
  Specify synchronization for apps:
  Sync Inventory: Obtain identifying information (i.e., metadata) for the apps installed on the device.
  None: Do not obtain app information. If you select this option, then app data for the device will not be reflected in the App Inventory page.
  Exception: Identifying information on iOS managed apps is stored, regardless of the setting you select. See iOS managed apps on page 396 for information on managed apps.
  Default Policy Setting: Sync Inventory

Documents
  Specify synchronization for document files:
  Sync Content: Copy document files on the phone to the MobileIron Server.
  None: Do not copy document files on the phone.
  Files having the following extensions are classified as document files: doc, docx, docm, dotx, dotm, xls, xlsx, xlsm, xltx, xltm, xlsb, xlam, ppt, pptx, pptm, potx, potm, ppam, ppsx, ppsm.
  Default Policy Setting: Sync Content

Picture Files
  Specify synchronization for picture files:
  Sync Content: Copy picture files from the phone to the MobileIron Server.
  None: Do not copy picture files from the phone to the MobileIron Server.
  Files having the following extensions are classified as picture files: bmp, gif, jpeg, jpg, png, psd, psp, tif, 3dm, 3df.
  Default Policy Setting: None

Video Files
  Specify synchronization for video files:
  Sync Content: Copy video files from the phone to the MobileIron Server.
  None: Do not copy video files from the phone to the MobileIron Server.
  Files having the following extensions are classified as video files: 3gp, asf, asx, avi, mov, mp4, mpg, qt, rm, swf, wmv.
  Default Policy Setting: None

Music Files
  Specify synchronization for music files:
  Sync Content: Copy music files from the phone to the MobileIron Server.
  None: Do not copy music files from the phone to the MobileIron Server.
  Files having the following extensions are classified as music files: aac, aif, iff, m3u, mid, midi, mp3, mpa, ra, ram, wav, wma.
  Default Policy Setting: None

MobileIron iOS App Multitasking
  Specify whether to enable or disable multitasking for the MobileIron iOS app. This feature governs whether the OS can bring the MobileIron app into memory periodically. No data is transmitted to the app by the OS when this occurs.
  If either the Location option or the MobileIron iOS App Multitasking option is enabled, then device users will still be able to use the MAI features (e.g., Report Dropped Call) that trigger the MobileIron app to collect location data. However, if both options are disabled, then all MAI functions will be disabled.
  Default Policy Setting: Disabled

Store File Types
  Specify synchronization for other file types:
  All: Copy all file types not specified by other settings.
  Except: Copy all file types not specified by other settings, except for those having the listed extensions.
  Default Policy Setting: All

Location
  Specify which location data, if any, is stored on the VSP:
  None: No location data is stored.
  Sync Cell Tower: Cell tower data is stored.
  Sync GPS if available: GPS data is stored.
  Default Policy Setting: Sync Cell Tower

Excluding File Directory
  Specify any file folder that should be excluded from synchronization.
  Default Policy Setting: /Windows, /system, /Program Files, /Temp

Including subdirectories
  If Excluding File Directory specifies a value, select this option to include an entire folder tree.
  Default Policy Setting: Selected
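The file-related rows of a privacy policy (Documents, Picture Files, Video Files, Music Files, Store File Types, Excluding File Directory and Including subdirectories) together decide which files on a device are copied to the server. The following Python model is an added example, not MobileIron code; the class and function names are assumptions chosen for illustration, while the extension lists and the default exclusion list are the ones given in the table. It shows the order in which a defender should expect the rows to apply: directory exclusions first, then the named file classes, and only then the catch-all Store File Types setting.

```python
# Added example (not MobileIron code): a model of the file-synchronization rows of a
# privacy policy. Class and function names are illustrative assumptions; the
# extension lists and default exclusions are the ones given in the policy table.
import posixpath
from dataclasses import dataclass, field
from typing import Set, Tuple

DOCUMENT_EXTS = {"doc", "docx", "docm", "dotx", "dotm", "xls", "xlsx", "xlsm", "xltx",
                 "xltm", "xlsb", "xlam", "ppt", "pptx", "pptm", "potx", "potm", "ppam",
                 "ppsx", "ppsm"}
PICTURE_EXTS = {"bmp", "gif", "jpeg", "jpg", "png", "psd", "psp", "tif", "3dm", "3df"}
VIDEO_EXTS = {"3gp", "asf", "asx", "avi", "mov", "mp4", "mpg", "qt", "rm", "swf", "wmv"}
MUSIC_EXTS = {"aac", "aif", "iff", "m3u", "mid", "midi", "mp3", "mpa", "ra", "ram", "wav", "wma"}

SYNC_CONTENT = "Sync Content"
NONE = "None"


def parse_excluded_dirs(setting: str) -> Tuple[str, ...]:
    """Parse the comma-separated Excluding File Directory value. Entries such as
    '/Program Files' contain spaces, so split on commas only and strip each part."""
    return tuple(posixpath.normpath(p.strip()) for p in setting.split(",") if p.strip())


@dataclass
class PrivacyFilePolicy:
    """One policy's file rows, initialised to the table's Default Policy Settings."""
    documents: str = SYNC_CONTENT
    pictures: str = NONE
    video: str = NONE
    music: str = NONE
    store_file_types: str = "All"                  # "All" or "Except"
    except_extensions: Set[str] = field(default_factory=set)
    excluded_dirs: Tuple[str, ...] = parse_excluded_dirs("/Windows, /system, /Program Files, /Temp")
    including_subdirectories: bool = True          # "Selected"


def extension_of(path: str) -> str:
    return posixpath.splitext(path)[1].lstrip(".").lower()


def classify(path: str) -> str:
    """Map a file to one of the table's classes by its (case-insensitive) extension."""
    ext = extension_of(path)
    if ext in DOCUMENT_EXTS:
        return "document"
    if ext in PICTURE_EXTS:
        return "picture"
    if ext in VIDEO_EXTS:
        return "video"
    if ext in MUSIC_EXTS:
        return "music"
    return "other"


def in_excluded_dir(path: str, policy: PrivacyFilePolicy) -> bool:
    """True when the file's directory is excluded. With Including subdirectories
    selected, any ancestor directory counts; otherwise only the direct parent."""
    parent = posixpath.dirname(posixpath.normpath(path))
    for excluded in policy.excluded_dirs:
        if parent == excluded:
            return True
        if policy.including_subdirectories and parent.startswith(excluded.rstrip("/") + "/"):
            return True
    return False


def should_sync(path: str, policy: PrivacyFilePolicy) -> bool:
    """Decide whether one file on the device would be copied to the server."""
    if in_excluded_dir(path, policy):
        return False
    kind = classify(path)
    if kind == "document":
        return policy.documents == SYNC_CONTENT
    if kind == "picture":
        return policy.pictures == SYNC_CONTENT
    if kind == "video":
        return policy.video == SYNC_CONTENT
    if kind == "music":
        return policy.music == SYNC_CONTENT
    # "other": governed by Store File Types (All, or Except for the listed extensions)
    if policy.store_file_types == "All":
        return True
    blocked = {e.lower().lstrip(".") for e in policy.except_extensions}
    return extension_of(path) not in blocked


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real device
    for sample in ("/Documents/Q3.DOCX", "/DCIM/IMG_0001.jpg", "/Temp/sub/notes.docx", "/data/archive.zip"):
        print(sample, classify(sample), should_sync(sample, PrivacyFilePolicy()))
```

Note that with the default settings every file type that is not a document, picture, video or music file is copied, because Store File Types defaults to All; an administrator who wants to limit what leaves the device has to switch that row to Except and list the extensions explicitly.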


Working with lockdown policies

Platform support:
  Android   yes (m)
  iOS       -
  Win 7     -
  WP8       partial (n)

m. Camera lockdown is supported for Android 4.0 and later, and also on devices on which the Samsung SAFE APIs are present. Bluetooth and WiFi lockdown are supported on devices on which Samsung SAFE APIs are present. Extended lockdown policies are supported with Android 4.0 and later if the device has Samsung SAFE APIs present and is running Mobile@Work version 5.1.
n. Supports only SD card.

Note: To lock down features on iOS devices, see App Settings > iOS > Restrictions.

Lockdown policies specify which features should be disabled in the event that device access must be restricted.

Use the following guidelines to create or edit Lockdown policies (each item lists its Default Policy Setting):

Name
  Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
  Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
  Default Policy Setting: Default Lockdown Policy

Status
  Select Active to turn on this policy. Select Inactive to turn off this policy.
  Default Policy Setting: Active

Priority
  Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 142 for more information.
  Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Description
  Enter an explanation of the purpose of this policy.
  Default Policy Setting: Default Lockdown Policy

Camera
  Android 4.0 and higher, and Samsung Enterprise APIs only: Enable or disable camera access.
  Default Policy Setting: Enable

Lockscreen Widgets
  Android 4.2 and later: Enable or disable the ability to add widgets to the lockscreen. Placing widgets on the lockscreen means device users can perform tasks without unlocking the device.
  Default Policy Setting: Enable

SD Card
  Not for Android unless Samsung Enterprise APIs are present on the device. Enable or disable access to the secure data card.
  Default Policy Setting: Enable

Bluetooth
  Android with Samsung Enterprise APIs only: Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio.
  Note: Use caution when using this option. MobileIron recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.
  Default Policy Setting: Enable Audio & Data

IRDA
  Not supported.
  Default Policy Setting: Enable

WiFi
  Enable or disable access to wireless LANs.
  Default Policy Setting: Enable

Android (Samsung SAFE)
  Android 4.0 or higher with Samsung Enterprise APIs and running version 5.1 or higher of the Mobile@Work for Android app:

  Android Browser
    Enable or disable access to the Android browser.
    Default Policy Setting: Enable

  Copy / Paste
    Enable or disable access to copy / paste functionality.
    Default Policy Setting: Enable

  Factory Reset
    Enable or disable the ability to reset the device to factory defaults.
    Default Policy Setting: Enable

  Google Backup
    Enable or disable backup to Google servers.
    Default Policy Setting: Enable

  Google Play
    Enable or disable access to Google Play.
    Default Policy Setting: Enable

  GPS User Control
    Enable or disable the device user's ability to turn GPS on and off.
    Default Policy Setting: Enable

  GPS
    If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device.
    Default Policy Setting: N/A

  Management Removal
    Enable or disable the device user's ability to remove the Mobile@Work app and the Samsung DM Agent.
    Default Policy Setting: Enable

  Microphone
    Enable or disable access by apps to the microphone. This feature does not impact voice calls.
    Default Policy Setting: Enable

  NFC
    Enable or disable NFC (Near-field Communication) data exchange when the device touches another device.
    Default Policy Setting: Enable

  OTA Upgrade
    Enable or disable over-the-air upgrades of the device firmware.
    Default Policy Setting: Enable

  Roaming Data
    Enable or disable access to data services while roaming.
    Default Policy Setting: Enable

  Roaming Voice Calls
    Enable or disable voice calls while roaming.
    Default Policy Setting: Enable

  Screen Capture
    Enable or disable screen capture.
    Default Policy Setting: Enable

  Setting Changes
    Enable or disable the device user's access to the Settings app.
    Warning: Do not disable if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.
    Default Policy Setting: Enable

  Tethering - Bluetooth
    Enable or disable Bluetooth tethering.
    Default Policy Setting: Enable

  Tethering - USB
    Enable or disable USB tethering.
    Default Policy Setting: Enable

  Tethering - Wi-Fi
    Enable or disable Wi-Fi tethering.
    Default Policy Setting: Enable

  USB Debug
    Enable or disable the device user's ability to enable USB debugging.
    Default Policy Setting: Enable

  USB Mass Storage
    Enable or disable access to the device's USB storage from a computer.
    Default Policy Setting: Enable

  USB Media Player
    Enable or disable the USB media player.
    Default Policy Setting: Enable

  YouTube
    Enable or disable access to YouTube.
    Default Policy Setting: Enable

Note: Policy changes may cause devices to which that policy is applied to prompt the user to restart the device.


Working with sync policies

Platform support (Android, iOS, Win 7, WP8): yes / partial (a)

a. Only the sync interval is applied, and only at enrollment.

Sync policies specify how the MobileIron Client behaves on the device and interacts with the MobileIron VSP. These interactions include synchronization of profiles, configurations, and app inventory.

Use the following guidelines to create or edit sync policies (each item lists its Default Policy Setting):

Name
  Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
  Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
  Default Policy Setting: Default Sync Policy

Status
  Select Active to turn on this policy. Select Inactive to turn off this policy.
  Default Policy Setting: Active

Priority
  Specify a priority for this policy in relation to other custom policies of this type. Priority determines which policy is applied in the case of a conflict. For example, if a device has two labels assigned to it, and each label has a different sync policy, then the priority is used to determine which policy is applied.
  Select Higher than or Lower than and select the relative policy from the dropdown list. Because priority applies only to custom policies, this setting is not available when you create the first custom policy of this type. Default policies are not included in prioritization.

Description
  Enter an explanation of the purpose of this policy.
  Default Policy Setting: Default Sync Policy

Server IP/Host Name
  Displays the IP address or host name of the MobileIron VSP that the MobileIron Client will communicate with. This setting is completed automatically when the first phone registration is requested.

Use TLS
  Specify whether to use Transport Layer Security for interactions between the MobileIron VSP and the MobileIron Client installed on devices.
  Default Policy Setting: selected

Sync While Roaming
  Specifies which data, if any, should be synchronized with the VSP while the device is roaming.
  All Activity and Content: Causes all activity and content to be synchronized while the device is roaming.
  Only Activity and SMS Content: Restricts synchronized data to activity and SMS content while the device is roaming. Eliminates synchronization of some data to reduce the cost of data transfer when additional charges may apply. This option is selected by default.
  Only Roaming Status: Restricts synchronized data to roaming status while the device is roaming. Eliminates synchronization of most data to minimize the cost of data transfer when additional charges may apply. Synchronizing roaming status ensures that location data is communicated to the server and that roaming alerts can be generated in a timely fashion. International roaming alerts are not generated.
  No Sync: Prevents all data from being synchronized while the device is roaming. Roaming alerts may not be generated by Event Center in a timely fashion because the device cannot communicate its roaming status. Therefore, if international roaming alerts have been configured, the MobileIron Client on the device will generate a local roaming alert.
  Default Policy Setting: Only Activity and SMS Content

Sync SD Card Files
  Specify whether to include files from removable storage devices, such as SD cards, when synchronizing files between the device and the MobileIron VSP.
  Why: Removable storage may include gigabytes of data, making it impractical to back up the data over the air.
  Default Policy Setting: Enable

Sync on Low Battery
  Specify whether to synchronize files between the device and the MobileIron Server when battery power is below the percentage specified in the Battery Level setting. Note that disabling synchronization on low battery will also prevent the MobileIron Client from automatically connecting to the MobileIron VSP. Therefore, the Status field for the phone will list the elapsed time since the phone was last connected.
  Default Policy Setting: Disable

Battery Level
  Specify the minimum battery level (%) to use with the Disable Sync on low battery power setting.
  Default Policy Setting: 20

Battery Level for File Upload
  Specify the minimum battery level (%) to use for writing data from the device to the MobileIron VSP during the synchronization process.
  Why: This option helps limit the impact of file uploads on battery power during the initial synchronization.
  Default Policy Setting: 60

Heartbeat Interval
  Not for iOS: Specify the maximum amount of time that the MobileIron Client will wait before:
  - sending a request to the MobileIron Server to confirm that the client and server are connected. Note that the MobileIron Client does not connect to the server according to this interval unless the Client is Always Connected option is selected.
  - sampling quality-of-service and network quality data for Mobile Activity Intelligence reports.
  The MobileIron VSP will close the network connection for clients that have been inactive for twice the interval specified for this setting, thereby reducing demand on the MobileIron VSP.
  Why: Increasing the heartbeat interval can help preserve battery life. However, it also results in fewer samples of signal strength and network quality, therefore impacting the quality-of-service data presented in the Mobile Activity Intelligence reports (see Using the Mobile Activity Intelligence Suite on page 301). Decreasing the heartbeat interval helps the MobileIron Client detect disconnection from the MobileIron Server more quickly.
  Default Policy Setting: 14

Sync Interval
  Specify the frequency for starting the synchronization process between the device and the MobileIron Server.
  Note: Decreasing this interval requires additional resources that may increase the drain on phone batteries.
  Default Policy Setting: 240

MobileIron iOS App Multitasking Sync Interval
  Specifies the minimum duration between attempts to send iOS device details to the VSP. This duration is adhered to when iOS brings the MyPhone@Work iOS app into memory following major location change events. See iOS multitasking sync interval and sending device details to the VSP for additional information.
  Default Policy Setting: 15 minutes

Client is Always Connected
  Not for iOS. Specify whether the MobileIron Client should remain connected to the VSP during the sync interval. Keeping the client connected ensures timely communication between the client and the VSP. You might consider disabling this feature if battery drain becomes an issue.
  For Android devices, see Android devices and the Client Is Always Connected option on page 180.
  Default Policy Setting: Disabled

BlackBerry Connection
  Not supported.
  Default Policy Setting: All Connections Enabled

Sync policies and battery use

If you note significant battery impact after installing the MobileIron Client, consider reviewing and optimizing your sync policies.

Country changes and alerts

Country changes are monitored by the MobileIron Client. Assuming that the Sync While Roaming option is not set to No Sync, each country change causes the MobileIron Client to send the change to the VSP. If the MobileIron Client can connect, then the Event Center generates the configured alerts, regardless of the sync interval. If connectivity is not established, then the MobileIron Client generates a local alert, if configured.

iOS multitasking sync interval and sending device details to the VSP

MobileIron uses multitasking features available starting in iOS 4.0 on devices that are cellular enabled, i.e., iPhone and iPad 3G. For all other iOS devices, synchronization of device details has not changed. This approach reduces the dependence on manual start of the app to report critical changes to the device.

The synchronization process is as follows:

- Each time the iOS Multitasking Sync Interval elapses, if the MobileIron app is awake, the MobileIron app reports device details to the VSP. These details include whether the SIM has been changed and whether the device has been compromised. This sync interval is set to 15 minutes by default, but is configurable in the Sync policy. The app does not wake up on its own.

- Independently of the multitasking sync interval, the operating system may wake up the app based on changes in cell tower location. In this case, the app determines if device details have been sent to the VSP within the specified multitasking sync interval. If device details have not been sent during that interval, then the app sends those details to the VSP. If the app wakes up and determines that the device has been compromised or the SIM state has changed, this information is immediately sent to the VSP.
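The sync policy table above (Sync While Roaming, Sync on Low Battery, the two battery floors and the Heartbeat Interval) and the iOS multitasking procedure just described both define when the client is allowed, or required, to talk to the VSP. The following Python model is an added example, not MobileIron code, covering both passages; the names, the minute-based clock and the data-kind labels are assumptions chosen for illustration, and the defaults are the table's Default Policy Settings. It makes two things explicit that matter when investigating a device that has gone quiet: a low battery with Sync on Low Battery disabled silences the client entirely, and a compromise or SIM change bypasses the multitasking interval but still only reaches the server once the app is awake.

```python
# Added example (not MobileIron code): a model of the sync-policy gates and of the
# iOS multitasking reporting rule. Names and the minute-based clock are assumptions.
from dataclasses import dataclass

# Kinds of data the client may send; "file_content" is subject to the upload battery floor.
ACTIVITY, SMS_CONTENT, FILE_CONTENT, ROAMING_STATUS = (
    "activity", "sms_content", "file_content", "roaming_status")

# What each Sync While Roaming choice still allows while the device is roaming.
ROAMING_ALLOWS = {
    "All Activity and Content": {ACTIVITY, SMS_CONTENT, FILE_CONTENT, ROAMING_STATUS},
    "Only Activity and SMS Content": {ACTIVITY, SMS_CONTENT, ROAMING_STATUS},
    "Only Roaming Status": {ROAMING_STATUS},
    "No Sync": set(),
}


@dataclass
class SyncPolicy:
    """Initialised to the table's Default Policy Settings; intervals are in minutes."""
    sync_while_roaming: str = "Only Activity and SMS Content"
    sync_on_low_battery: bool = False          # Disable
    battery_level: int = 20                    # floor for any sync when the above is disabled
    battery_level_for_file_upload: int = 60    # floor for writing files to the VSP
    heartbeat_interval: int = 14
    sync_interval: int = 240
    ios_multitasking_sync_interval: int = 15


def may_sync(policy: SyncPolicy, data_kind: str, battery_pct: int, roaming: bool) -> bool:
    """Apply the battery and roaming gates to one kind of data."""
    if not policy.sync_on_low_battery and battery_pct < policy.battery_level:
        return False                         # client does not even connect automatically
    if data_kind == FILE_CONTENT and battery_pct < policy.battery_level_for_file_upload:
        return False                         # uploads wait for the higher floor
    if roaming and data_kind not in ROAMING_ALLOWS[policy.sync_while_roaming]:
        return False
    return True


def server_closes_idle_connection(policy: SyncPolicy, minutes_idle: int) -> bool:
    """The VSP closes connections that have been inactive for twice the heartbeat interval."""
    return minutes_idle > 2 * policy.heartbeat_interval


def ios_should_report_details(policy: SyncPolicy, now_min: int, last_sent_min: int,
                              app_awake: bool, compromised: bool, sim_changed: bool) -> bool:
    """The app reports only while awake (it never wakes itself). A compromise or SIM
    change is sent immediately; otherwise details go once the multitasking sync
    interval has elapsed since the last report."""
    if not app_awake:
        return False
    if compromised or sim_changed:
        return True
    return now_min - last_sent_min >= policy.ios_multitasking_sync_interval


if __name__ == "__main__":
    p = SyncPolicy()
    print("activity at 15% battery:", may_sync(p, ACTIVITY, 15, roaming=False))
    print("file upload at 80% while roaming:", may_sync(p, FILE_CONTENT, 80, roaming=True))
    print("server closes after 30 idle minutes:", server_closes_idle_connection(p, 30))
    print("compromised device, app awake:", ios_should_report_details(p, 100, 90, True, True, False))
```

The last function is also why the security policy's compromised-device action can lag: nothing is reported until iOS brings the app into memory, so the Client is Always Connected and heartbeat settings do not apply to that path.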

Android devices and the Client Is Always Connected option


Android devices that are running version 5.1 or later of the Mobile@Work for Android
app support the Client is Always Connected option on the sync policy. Enable this
option only when C2DM cannot be used. These situations include:

- Devices running Android versions prior to 4.0 that have no Google account configured.
- Regions and countries in which C2DM is not available.
- Select commercial and government use cases.
- Devices which do not support C2DM, such as the Amazon Kindle.

The VSP uses C2DM to immediately send lock, unlock, retire, and wipe commands to
devices. With this option enabled, the VSP can send these commands to the device at
any time without using C2DM.

MobileIron recommends that you enable Always Connected mode on a maximum of
5000 devices per VSP, because each device in Always Connected mode sends a regular
connection status check to the VSP. This status check can affect the device as follows:

- It causes a small increase in battery power consumption on the device.
- It causes a small increase in bandwidth usage on the device, which can be a concern
  on cellular networks.


Working with backup & restore policies

Backup & restore policies are no longer supported on any platform (Android, iOS,
Win 7, WP8).


Working with Docs@Work policies

Supported platforms: iOS.

Docs@Work policies specify settings that change the behavior of the Mobile@Work for
iOS app.
For information on configuring a Docs@Work policy, see For iOS: Set up Docs@Work
policies on page 467.


Working with single-app mode policies for iOS


Single-app mode enables you to configure an iOS device for kiosk-like use, restricting
use of the device to the designated app. For example, you might want to configure an
iPad for use as an electronic catalog. The Home button and features such as taking a
screenshot or receiving notifications are disabled. The Single-App Mode policy specifies the app to use.
This policy applies only to supervised iOS 6 devices, that is, devices that have been
deployed using the Apple Configurator.
To configure a single-app mode policy:
1. Select Policies & Configs > Policies > Add New > Single-App Mode.
2. Use the following guidelines to complete this form:

   Name
       Required. Enter a descriptive name for this policy. This is the text that will
       be displayed to identify this policy throughout the Admin Portal. This name
       must be unique within this policy type.
       Tip: Though using the same name for different policy types is allowed (e.g.,
       Executive), consider keeping the names unique to ensure clearer log entries.

   Status
       Select Active to turn on this policy. Select Inactive to turn off this policy.
       Why: Use the Status feature to turn a policy on or off across all phones
       affected by it. The policy definition is preserved in case you want to turn
       it on again.

   Priority
       Specifies the priority of this custom policy relative to the other custom
       policies of the same type. This priority determines which policy is applied
       if more than one policy is associated with a specific device. Select Higher
       than or Lower than, then select an existing policy from the dropdown list.
       For example, to give Policy A a higher priority than Policy B, you would
       select Higher than and Policy B. Because this priority applies only to
       custom policies, this field is not enabled when you create the first custom
       policy of a given type.

   Description
       Enter an explanation of the purpose of this policy.

   Identifier
       Enter the bundle ID of the app to be used. Example: com.apple.mobilesafari.

3. Click Save.
4. Apply the policy to the appropriate labels.

Finding the bundle ID

To determine the bundle ID:
1. Sync your device to your iTunes library.
2. On your PC or Mac, open the Mobile Applications folder in the iTunes library.
3. Duplicate the app file and assign a .zip extension.
4. Open the iTunesMetadata.plist file in the zip file.
5. Find the softwareVersionBundleId key in the list.
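The five steps above amount to reading one key out of a plist inside a zip archive. The following Python script is an added example, not part of MobileIron's product or of this guide: it reads the same key directly from an .ipa without renaming or unpacking it, and falls back to CFBundleIdentifier in the app's Info.plist when iTunesMetadata.plist is absent (for example, an in-house build that never went through iTunes). The archive produced by build_sample_ipa is constructed sample data, and the bundle IDs com.example.catalog and com.example.kiosk are made up.

```python
"""Added example (not MobileIron code): extract the bundle ID that the
Single-App Mode policy's Identifier field expects, straight from an .ipa."""
import io
import plistlib
import sys
import zipfile


def bundle_id_from_ipa(ipa_bytes):
    """Return softwareVersionBundleId from iTunesMetadata.plist (what the manual
    steps read), falling back to CFBundleIdentifier in Payload/<app>.app/Info.plist."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as archive:
        names = archive.namelist()
        if "iTunesMetadata.plist" in names:
            meta = plistlib.loads(archive.read("iTunesMetadata.plist"))
            if meta.get("softwareVersionBundleId"):
                return meta["softwareVersionBundleId"]
        for name in names:
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                info = plistlib.loads(archive.read(name))
                return info["CFBundleIdentifier"]
    raise ValueError("no bundle identifier found in archive")


def build_sample_ipa(bundle_id="com.example.catalog", with_metadata=True):
    """Construct a minimal .ipa-shaped archive in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Payload/Catalog.app/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": bundle_id, "CFBundleName": "Catalog"}))
        if with_metadata:
            # iTunes writes this file at the archive root when it syncs the app.
            archive.writestr("iTunesMetadata.plist", plistlib.dumps(
                {"softwareVersionBundleId": bundle_id, "itemName": "Catalog"}))
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    print(bundle_id_from_ipa(data))
```

Run it with the path to a real .ipa to print the identifier; with no argument it parses the constructed sample. If the two plists disagree, use the Info.plist value, since CFBundleIdentifier is the identifier the OS applies when it locks the device to the app.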


Working with global HTTP proxy policies


The Global HTTP Proxy policy applies only to supervised iOS 6 devices, that is, devices
that have been deployed using the Apple Configurator. Routing web traffic through a
proxy lets the proxy inspect it for sensitive data being sent in violation of information
security policies, so administrators can address DLP and content filtering needs.
When the global HTTP proxy policy is configured on an iOS device, HTTP traffic is
routed to a proxy server that the IT admin specifies. If that server is not reachable for
any reason, the apps on the device that use HTTP as a transport mechanism cannot
send or receive data. The global HTTP proxy works over both cellular and Wi-Fi networks
and requires that apps use the native iOS networking APIs.
Important: Confirm that you have specified the correct proxy information, and that
the proxy is reachable, before you apply the policy. An invalid or unreachable proxy
server cuts the device off from HTTP-based network access, and the policy cannot then
be corrected remotely. In this case, physical access is required to reset the device.
To configure a global HTTP proxy policy:
1. Select Policies & Configs > Policies > Add New > Global HTTP Proxy.
2. Use the following guidelines to complete this form:

   Name
       Required. Enter a descriptive name for this policy. This is the text that will
       be displayed to identify this policy throughout the Admin Portal. This name
       must be unique within this policy type.
       Tip: Though using the same name for different policy types is allowed (e.g.,
       Executive), consider keeping the names unique to ensure clearer log entries.

   Status
       Select Active to turn on this policy. Select Inactive to turn off this policy.
       Why: Use the Status feature to turn a policy on or off across all phones
       affected by it. The policy definition is preserved in case you want to turn
       it on again.

   Priority
       Specifies the priority of this custom policy relative to the other custom
       policies of the same type. This priority determines which policy is applied
       if more than one policy is associated with a specific device. Select Higher
       than or Lower than, then select an existing policy from the dropdown list.
       For example, to give Policy A a higher priority than Policy B, you would
       select Higher than and Policy B. Because this priority applies only to
       custom policies, this field is not enabled when you create the first custom
       policy of a given type.

   Description
       Enter an explanation of the purpose of this policy.

   Proxy Type
       Select Manual or Auto. If you select Manual, then you must specify the proxy
       server address and port. A user name and password for the server are
       optional. If you select the Auto proxy type, then you have the option of
       entering a proxy autoconfiguration (PAC) URL.

   Proxy Server
       If you selected the Manual proxy type, enter the network address for the
       proxy server.

   Proxy Server Port
       If you selected the Manual proxy type, enter the port number for the proxy
       server.

   User Name
       Optional. Enter the user name for authenticating to the proxy server.

   Password
       Optional. Enter the password for authenticating to the proxy server.

   Proxy PAC URL
       Optional. If you selected the Auto proxy type, enter the proxy
       autoconfiguration (PAC) URL. If you leave this field blank, the device will
       use the web proxy autodiscovery protocol (WPAD) to determine the location
       of the PAC file, which means the device takes its proxy location from
       whatever network it has joined. If you need deterministic proxy behavior,
       specify a PAC URL on a server you control.

3. Click Save.
4. Apply the policy to the appropriate labels.
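The form above maps directly onto the Global HTTP Proxy payload of an iOS configuration profile. The Python below is an added example, not MobileIron code and not what the VSP generates internally: it builds that payload from the same fields, rejects the combinations the form would reject (Manual without a server or a valid port), and includes the pre-flight reachability check that the Important note above calls for. The payload type com.apple.proxy.http.global and its keys are Apple's; the PayloadIdentifier values and the host names used in the usage are made up.

```python
"""Added example (not MobileIron code): build and sanity-check the iOS
Global HTTP Proxy payload that corresponds to the policy form above."""
import plistlib
import socket
import uuid


def global_http_proxy_payload(proxy_type, server=None, port=None,
                              username=None, password=None, pac_url=None):
    """Return the payload dict for one Global HTTP Proxy configuration.
    Raises ValueError for the field combinations the form would reject."""
    if proxy_type not in ("Manual", "Auto"):
        raise ValueError("proxy_type must be Manual or Auto")
    payload = {
        "PayloadType": "com.apple.proxy.http.global",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.proxy.global",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Global HTTP Proxy",
        "ProxyType": proxy_type,
    }
    if proxy_type == "Manual":
        if not server:
            raise ValueError("Manual proxy requires a server address")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError("Manual proxy requires a port in 1-65535")
        payload["ProxyServer"] = server
        payload["ProxyServerPort"] = port
        if username:
            payload["ProxyUsername"] = username
        if password:
            payload["ProxyPassword"] = password
    elif pac_url:
        # A blank PAC URL is allowed: the device then falls back to WPAD.
        payload["ProxyPACURL"] = pac_url
    return payload


def payload_error(*args, **kwargs):
    """Return the validation message for a field combination, or None if valid."""
    try:
        global_http_proxy_payload(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def wrap_profile(payload, display_name="Global HTTP Proxy"):
    """Wrap one payload in a top-level configuration profile, serialized as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.proxy",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def proxy_reachable(server, port, timeout=3.0):
    """Pre-flight for the Important note above: TCP-connect to the proxy from the
    admin workstation before the policy is pushed. Needs network access."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    manual = global_http_proxy_payload("Manual", "proxy.corp.example", 8080, "svc", "pw")
    print(wrap_profile(manual).decode())
    print("reachable:", proxy_reachable("proxy.corp.example", 8080))
```

proxy_reachable is the cheap signal that saves a trip to physically recover a supervised device; run it against the exact host and port you entered in the form. Note that ProxyUsername and ProxyPassword travel inside the profile in clear text, so treat an exported .mobileconfig as a credential.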


Working with Android kiosk policies


The Android kiosk policy specifies whether the kiosk devices use single-app mode or
multiple-app mode.
See Android Kiosk Support on page 787 for information on configuring this policy.


Using the Policies dashboard


The Policies dashboard provides a snapshot of how policies and security features have
been applied across your device inventory. Go to Policies & Configs > Dashboard.

Filtering by period of time


You can filter the data displayed in the dashboard by clicking the corresponding button
in the upper left corner.

Refreshing dashboard content


Click the Refresh button in the dashboard to display updated data.
Note: Pressing F5 in a dashboard does not necessarily retrieve new data.

Policies dashboard panes

The Policies dashboard contains the following panes:

Policy
    Displays a pie chart showing the relative numbers of each policy type.

Endpoint Security
    Displays two pie charts showing the ratio of encrypted to unencrypted phones
    and the ratio of encrypted to unencrypted SD cards.

Policy Activity
    Summarizes policy activity, including changes in policies, added policies, and
    changes in policy assignment.

Labels Changing Policy
    Summarizes policy activity by label. See Using labels to establish groups on
    page 130 for information on labels.

Individual Smartphones Changing Policy
    Summarizes policy activity by individual phones.


Troubleshooting policies

Troubleshooting: compliance actions

The application settings were not removed from the device.
1. Confirm that the device is an MDM-enabled iOS device.
2. Confirm that the device has checked in.
3. Confirm that the sync interval has elapsed since you made the change to the policy.

Troubleshooting: Android encryption

Data Encryption is not enabled, but the Android device has not been blocked and no
alert has been issued.
1. Confirm that the device supports encryption (Android 3.0 or later, or Samsung with
   Enterprise APIs).
2. Confirm that the event is assigned to a label.
3. Confirm that the device has been applied to the correct label.
4. Use the Force Device Check-In option to override the Sync Interval setting and
   prompt the device to connect to the server.
5. Confirm that the battery level on the device is not below the sync threshold set in
   the sync policy.
6. If the user insists that encryption has been enabled, the encryption may be delayed
   by battery level constraints imposed by Android devices. Ask the device user to
   plug in the device so that encryption can be implemented.

Troubleshooting: quarantine on iOS devices

An iOS device that is out of compliance with the security policy has not been
quarantined.
1. Confirm that the device is an iOS device with MDM enabled.
2. Confirm that the app setting that has not been removed is currently supported for
   quarantine.
3. Confirm that the security policy containing the quarantine flag is assigned to a
   label. Exception: Assignment to a label is not required for the default security
   policy.
4. Confirm that the device has been applied to the correct label.
5. Use the Force Device Check-In option to override the Sync Interval setting and
   prompt the device to connect to the server.
6. Confirm that the battery level on the device is not below the sync threshold set in
   the sync policy.

The user has addressed the security policy violation, but the device is still
quarantined.
1. Use the Force Device Check-In option to override the Sync Interval setting and
   prompt the device to connect to the server.
2. Confirm that the battery level on the device is not below the sync threshold set in
   the sync policy.


Chapter 6

Managing Device Settings with Configurations

About managing device settings


Configuring major settings across a large inventory of different devices can mean a
major daily time investment for IT personnel. You can automate this process by specifying and distributing configurations, also called app settings. A configuration is a
group of settings to be applied to devices.
The following table summarizes the device settings managed by the VSP, by category.

Android Samsung
    Samsung Browser, Samsung Kiosk, Samsung Container

Infrastructure
    Exchange, Email, Wifi, VPN, Bookmarks, Certificates, SCEP

MobileIron AppConnect
    Configuration, Container Policy

MobileIron Features
    Docs@Work, Web@Work

iOS and OS X (Mac)
    General, Restrictions

iOS Only
    CalDAV, CardDAV, Web Clips, Configuration Profile, LDAP, Subscribed Calendars,
    APN, Provisioning Profile

Windows Phone 8
    Enrollment Token (AET)


Configurations page
Use the Configurations page to create and manage configurations. It displays the
following information for each configuration.
Name
    Indicates a name for this group of settings.

Setting Type
    Indicates the kind of configuration.

Description
    Displays additional information about this group of settings.

# Phones
    Indicates the number of phones to which this group of settings has been
    applied. Click the link to display a list of the devices.

Labels
    Indicates the labels to which this group of settings has been applied.

WatchList
    Displays the number of devices for which this group of settings is queued.
    Click the link to display a list of the devices.

Quarantined
    Displays the number of devices that have had configurations removed due to
    policy violations. Click the link to display a list of the devices. See
    Creating custom actions on page 157 for information on quarantining devices.

Required role
Users must have the Policies and Apps & Configs roles to access this page.

Default
The following table summarizes the default configurations packaged with the VSP:
Each entry gives the setting name, its type in parentheses, and a description.

System - iOS Enrollment CA Certificate (Certificate)
    System certificate to support the built-in SCEP server.

System - iOS Enrollment SCEP (SCEP)
    System settings for the built-in SCEP server.
    Note that the default URL contains HTTP. Do not change this to HTTPS without
    configuring a third-party certificate. The default is a self-signed
    certificate, which iOS does not support with HTTPS.

System - iOS Enterprise AppStore (WEBCLIP)
    System settings for the Apps@Work web clip.

System - iOS Enterprise AppStore SCEP (SCEP)

System - iOS MDM (MDM)
    Default MDM profile for iOS MDM.

System - iOS MDM CA Certificate (Certificate)
    Certificate that the mobile device will trust for the purpose of accepting OTA
    MDM requests.

System - Multi-User Secure Sign-In (WEBCLIP)
    System settings for the Secure Sign-In web clip, which enables access to the
    multi-user function for iOS devices. See Multi-User Support for iOS 5 and
    Later on page 777 for more information.

System Mobile@Work AET (APPENROLLMENTTOKEN)
    App enrollment token for the Mobile@Work app for WP8 devices. See Working with
    apps for Windows Phone 8 devices on page 430.

System - Windows Phone Enrollment SCEP (SCEP)
    System settings for WP8 devices.

Editing default iOS MDM settings


iOS MDM settings are editable, though, in most cases, you should not change access
rights here. To edit the default iOS MDM settings:
1. Select Policies & Configs > Configurations.
2. Select the System - iOS MDM configuration.
3. Click Edit.
4. If changing an access right is necessary, select an access right and click the
   appropriate arrow to move the access right to the Available list. The following
   table summarizes these access rights.

   Allow inspection of installed configuration profiles.
       Enables inventory of configuration profiles.

   Allow installation and removal of configuration profiles.
       Enables overall configuration tasks.

   Allow device lock and passcode removal.
       Enables remote lock and unlock capabilities.

   Allow device erase.
       Enables remote wipe.

   Allow query of Device Information.
       Enables inventory of standard device items, such as device capacity and
       serial number.

   Allow query of Network Information.
       Enables inventory of standard network items, such as phone/SIM numbers and
       MAC addresses.

   Allow inspection of installed provisioning profiles.
       Enables a device user to run select in-house apps.

   Allow installation and removal of provisioning profiles.
       Enables installation of select in-house apps.

   Allow inspection of installed applications.
       Enables app inventory.

   Allow restriction-related queries.
       Enables reports on the restrictions of each configuration profile on the
       device. These correspond to the settings in the iOS Restrictions and
       Passcode payloads.

   Allow security-related queries.
       Enables reports on security items, such as whether a passcode is present.

   Allow manipulation of settings.
       (iOS 5 and later) Enables an administrator to turn on/off voice and data
       roaming.

   Allow app management.
       (iOS 5.0 and later) Enables the "managed apps" capability introduced in iOS 5
       so that an administrator can push requests to install apps, prevent iCloud
       backup, and remove the apps and all app data on demand.

5. If you want the VSP to indicate that the MDM profile has been removed from iOS 5
   devices, select Check out when MDM profile is removed.
   Note: Receipt of this alert is not guaranteed. Therefore, this setting does not
   ensure notification upon removal of the profile.
6. If you want to automatically alert iOS 5 users when a new iOS MDM configuration is
   available, select Send an APNs message to iOS 5 devices...
7. Click Save.

Restoring system web clips (iOS)


If you enable the Removable option for the Multi-User web clip or the Apps@Work web
clip, and the device user removes one of these web clips, use one of the following
methods to restore the web clip:

Remove the MDM profile on the device and tap Update Configuration Profile in
Mobile@Work.

Push the web clip from the Devices page by selecting the device and clicking Push
Profiles.

Displaying configurations (app settings) status


The Device Details pane displays status for application of configurations.
The statuses you will see are:

Pending: The process of applying the settings has been started.

Sent: The settings have been successfully sent to the device.

Applied: The VSP has confirmed that the verifiable settings appear to have been
applied to the device. For Android devices, use the View Details button to see the
verifiable results.

Partially Applied: One or more settings may have been rejected by the device. This
can mean that the feature is not supported by the device. For Android devices, use
the View Details button to see the verifiable results.

Click the View Details button for Android devices to see information on each
configuration.

Adding new configurations (app settings)


Supported platforms: Android: yes (a, b); iOS: yes; WP8: yes (c).
a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.

To add new configurations (app settings):


1. Select Policies & Configs > Configurations.
2. Select the Add New dropdown.
3. Select the type of configuration you want to create.
4. Complete the displayed form for the configuration.
5. Click Save.
6. To push the configuration (app setting) to devices, apply it to the appropriate

labels. Select More Actions > Apply to Label.

Editing configurations (app settings)


Supported platforms: Android: yes (a, b); iOS: yes; Win 7: no; WP8: yes (c).
a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.

To edit configurations (app settings):


1. In the Configurations screen, select the configuration you want to edit.
2. Click Edit.


Deleting configurations (app settings)


Supported platforms: Android: yes (a, b); iOS: yes; Win 7: no; WP8: yes (c).
a. Through integration with selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.
c. Only Exchange and Certificates.

To delete configurations (app settings):


1. In the Configurations screen, select the settings you want to delete.
2. Click Delete.


Android Samsung browser settings


Select Policies & Configs > Configurations > Add New > Android > Samsung Browser
to configure web browser options for Samsung SAFE devices (SAFE API 4.0 and later).
The following settings are available:
Auto Fill
    Select to enable automatic completion of web forms.

Cookies
    Select to allow use of cookies.

Javascript
    Select to enable Javascript.

Pop-ups
    Select to allow pop-ups.

Show Security Warning
    Select to display browser security warnings.
    Note: Not supported for Galaxy S4.

Smartcard Authentication
    Select if Smartcard authentication is required for the browser.


Android Samsung kiosk settings


See Android Kiosk Support on page 787.


Android Samsung Container settings


Select Policies & Configs > Configurations > Add New > Android > Samsung Container to
configure settings for the Samsung KNOX Container.
See Samsung KNOX support on page 261 for information on configuring Samsung
KNOX support.
Use these settings to:
- specify requirements for the container password.
- specify which apps to install in the container.
- select the Android Samsung browser configuration to use in the container.
- select the Exchange configuration to use in the container.

Authentication

Password Type
    Select the kind of password to require:
    Alphanumeric: Must include at least one alphabetic and one numeric character.
    Complex: Must include at least one alphabetic, one numeric, and one special
    character (i.e., a symbol).

Min Password Length
    Specify a minimum length for the password. The accepted range is 6-16.

Min Number of Complex Characters
    Specify the minimum number of complex characters for the passcode. Valid
    entries are 0-10.
    For example, to require at least two complex characters in the passcode,
    enter 2.

Max Character Occurrences
    Specify a limit for the number of times a specific character can occur in the
    passcode.
    For example, to prevent a specific character from occurring 3 or more times,
    enter 2.

Max Character Sequence Length
    Specify a limit for the number of characters that can appear in sequence in a
    passcode.
    For example, to prevent abc from occurring in a passcode, enter 2.

Max Numeric Sequence Length
    Specify a limit for the number of numeric characters that can appear in
    sequence in a passcode.
    For example, to prevent 123 from occurring in a passcode, enter 2.

Min Character Change Length
    Specify a minimum number of characters that must change when the passcode is
    reset.
    For example, to ensure that at least 2 characters change, enter 2.

Forbidden Strings
    Specify any strings that must not be present in the passcode.
    To add a string:
    1. Click + to add an entry.
    2. Click the Name placeholder in the new entry.
    3. Replace Name with the string you want to add.
    For example, to prevent the passcode from including the user's email address
    or last name, enter $EMAIL$ and $LAST_NAME$.
    See Supported variables on page 204 for a list of supported variables.

Max Inactivity Timeout
    Specify the idle time duration after which the lock should be enabled. If a
    password is set, the user will be prompted for a password when unlocking the
    container.

Max Password Age
    Specify the number of days after which the password will expire.

Stored Password History
    Specify the number of previous passwords that are stored and cannot be used
    when setting a new password.

Max Number of Failed Attempts
    Specify the maximum number of failed password attempts to allow. When this
    number is exceeded, the container will be disabled.

Password Visible Option
    Select Off to disable the Make password visible option.

Apps
    Select the in-house apps to be installed in the container:
    1. Click the + button.
    2. Select an app from the Name list.
    The Version and Package Name fields are filled in automatically.

App Settings

Browser
    Specifies the Android Samsung Browser configuration to use in the container.
    You need to create the Samsung Browser configuration separately. Otherwise,
    this list will be empty.

Exchange
    Specifies the Exchange configuration to use in the container. You need to
    create the Exchange configuration separately. Otherwise, this list will be
    empty.

Supported variables
The following variables are supported for Android Samsung Container settings:

$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$
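The passcode rules in the Samsung Container table above interact in ways that are easier to see by running candidate passwords through them. The Python below is an added example, not Samsung's or MobileIron's enforcement code: it evaluates a password against a policy built from those fields and expands the variables listed here (in the same $NAME$ form the Exchange fields use, e.g. $USERID$_US) inside Forbidden Strings. Where the guide only gives an example (enter 2 to block abc or 123), the code assumes that a sequence is an ascending run of consecutive letters or digits compared case-insensitively, that 0 means no limit, and that Min Character Change Length counts characters of the new password not present in the old one. The user record is constructed sample data.

```python
"""Added example, not MobileIron or Samsung code: evaluate a candidate
Samsung Container password against the rules from the configuration form."""
from dataclasses import dataclass, field

# Constructed sample user record standing in for the VSP user variables.
SAMPLE_USER = {
    "EMAIL": "jsmith@example.com", "USERID": "jsmith", "FIRST_NAME": "Jane",
    "LAST_NAME": "Smith", "DISPLAY_NAME": "Jane Smith", "USER_CUSTOM1": "",
    "USER_CUSTOM2": "", "USER_CUSTOM3": "", "USER_CUSTOM4": "",
}


def expand(template, user=SAMPLE_USER):
    """Replace $VAR$ tokens (e.g. $USERID$_US -> jsmith_US); $NULL$ becomes ''."""
    out = template.replace("$NULL$", "")
    for name, value in user.items():
        out = out.replace("$" + name + "$", value)
    return out


@dataclass
class ContainerPasswordPolicy:
    password_type: str = "Alphanumeric"  # or "Complex"
    min_length: int = 6                  # the form accepts 6-16
    min_complex_chars: int = 0
    max_char_occurrences: int = 0        # assumption: 0 means no limit
    max_char_sequence: int = 0
    max_numeric_sequence: int = 0
    min_change_length: int = 0
    history_size: int = 0
    forbidden_strings: list = field(default_factory=list)


def longest_ascending_run(password, member):
    """Longest run of consecutive code points within one class (abc, 123).
    Assumption: only ascending runs count; letters compare case-insensitively."""
    best = run = 0
    prev = None
    for ch in password.lower():
        if not member(ch):
            run, prev = 0, None
            continue
        run = run + 1 if prev is not None and ord(ch) == ord(prev) + 1 else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(policy, password, user=SAMPLE_USER, previous=()):
    """Return 'rule: detail' strings for every violated rule; [] means accepted."""
    v = []
    specials = [c for c in password if not c.isalnum()]
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        v.append("password_type: needs at least one letter and one digit")
    if policy.password_type == "Complex" and not specials:
        v.append("password_type: Complex requires a special character")
    if len(password) < policy.min_length:
        v.append(f"min_length: {len(password)} < {policy.min_length}")
    if len(specials) < policy.min_complex_chars:
        v.append(f"min_complex_chars: {len(specials)} < {policy.min_complex_chars}")
    if policy.max_char_occurrences and password:
        worst = max(password.count(c) for c in set(password))
        if worst > policy.max_char_occurrences:
            v.append(f"max_char_occurrences: a character occurs {worst} times")
    if policy.max_char_sequence:
        run = longest_ascending_run(password, str.isalpha)
        if run > policy.max_char_sequence:
            v.append(f"char_sequence: ascending letter run of {run}")
    if policy.max_numeric_sequence:
        run = longest_ascending_run(password, str.isdigit)
        if run > policy.max_numeric_sequence:
            v.append(f"numeric_sequence: ascending digit run of {run}")
    for template in policy.forbidden_strings:
        needle = expand(template, user).lower()
        if needle and needle in password.lower():  # $NULL$ expands to '' and is skipped
            v.append(f"forbidden_string: contains {template}")
    if policy.history_size and password in list(previous)[-policy.history_size:]:
        v.append("history: password was used recently")
    if previous and policy.min_change_length:
        old = list(previous[-1])  # multiset of the last password's characters
        changed = 0
        for c in password:
            if c in old:
                old.remove(c)
            else:
                changed += 1
        if changed < policy.min_change_length:
            v.append(f"min_change: only {changed} new characters")
    return v


# Policy matching the worked examples in the table: block 'abc', '123', any
# character used three times, the user's email or last name, and reuse.
EXAMPLE_POLICY = ContainerPasswordPolicy(
    password_type="Complex", min_length=6, min_complex_chars=1,
    max_char_occurrences=2, max_char_sequence=2, max_numeric_sequence=2,
    min_change_length=2, history_size=3,
    forbidden_strings=["$EMAIL$", "$LAST_NAME$", "$NULL$"],
)

if __name__ == "__main__":
    for candidate in ("Smith1234!", "Tq7#pL9@"):
        print(candidate, check_password(EXAMPLE_POLICY, candidate) or "accepted")
```

Running it shows why Smith1234! fails twice (the digit run 1234 exceeds the limit of 2, and the expanded $LAST_NAME$ appears in it) while Tq7#pL9@ passes every rule. Because the device enforces these rules and the VSP only delivers them, treat the script as a way to tune the numbers before rollout, not as a substitute for testing on a KNOX device.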


Exchange settings
Supported platforms: Android: yes (a, b); iOS: yes; OS X: yes; Win 7: no; WP8: yes.
a. With selected devices and email apps.
b. Through MobileIron Sentry and ActiveSync.

Select Policies & Configs > Configurations > Add New > Exchange to specify the
settings for the ActiveSync server that devices use. The ActiveSync server can be a
Microsoft Exchange server, an IBM Lotus Notes Traveler server, Microsoft Office
365, or other servers.
For OS X: Only Contacts are synchronized, and ActiveSync is not supported.
For iOS: If an Exchange profile already exists on the device, then attempts to
distribute new ActiveSync settings using MobileIron will fail.
For iOS and OS X: iOS/OS X can take advantage of the optional Save User Password
feature under Settings to facilitate Exchange configuration.
For Android: The Exchange configuration works with:
- Android devices using the NitroDesk TouchDown email app and Android version 2.2
  or later
- Android devices using the Android Email+ email app and Android version 4.0 or
  later
- Samsung SAFE devices running the Samsung native email app and Android version
  2.2 or later
Starting with version 5.1 of the Mobile@Work for Android app, the Exchange
configuration also works with:
- HTC devices using HTC Sense 4.0 or later using the HTC native email app
  Note: The HTC native email app does not work with Lotus Notes Traveler.
- Motorola devices with Enterprise Device Management APIs and running Android 4.0
  or later, and using the Motorola native email app
  For a more detailed list of Motorola devices, see
  http://developer.motorola.com/products/?filters=1425#filter
  Note: The Motorola native email app does not work with Lotus Notes Traveler.
Consider the following behavior on Motorola devices:
- On some Motorola devices, the native email app exits after each setup step. On
  these devices, the device user must relaunch the native email app to continue
  with the next setup step. After setup is completed, the Mobile@Work homescreen
  displays. On all other devices, the email app starts after setup is completed.
- The Exchange server or Sentry must use a trusted certificate. Motorola devices
  will not configure an Exchange account to servers using untrusted certificates.
The following table describes the Exchange settings you can specify.
General

Name
    Enter brief text that identifies this group of Exchange settings.

Description
    Enter additional text that clarifies the purpose of this group of Exchange
    settings.

Server Address
    Enter the address of the ActiveSync server.
    If you are using Standalone Sentry, enter the Standalone Sentry's address:
    - If you are using Lotus Domino server 8.5.3.1 Upgrade Pack 1 for your
      ActiveSync server, set the server address to <Standalone Sentry's fully
      qualified domain name>/traveler.
    - If you are using a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1,
      set the address to <Standalone Sentry's fully qualified domain name>/servlet/traveler.
    - If you are using load balancers, contact MobileIron Professional Services.
    When using Integrated Sentry, set the server address to the Microsoft Exchange
    Server's address.
    Note: When using Sentry, you can do preliminary verification of your Exchange
    configuration choices for the ActiveSync User Name, ActiveSync User Email, and
    ActiveSync Password fields. To do so, first set the server address to the
    ActiveSync server. After you have verified that users can access their email
    using this Exchange configuration, change the server address to the
    appropriate Sentry address.

Use SSL
    Select to use secure connections.
    For Android: SSL is always used, regardless of whether this setting is
    selected.

Use alternate device handling
    Replaces the Use Standalone Sentry option. Use this option only under the
    direction of MobileIron Support.

Domain
    Specify the domain configured for the server.


ActiveSync User Name
    Specify the variable for the user name to be used with this Exchange
    configuration. You can specify any or all of the following variables: $EMAIL$,
    $USERID$, $PASSWORD$. You can also specify custom formats, such as
    $USERID$_US.
    Typically, you use $USERID$ if your ActiveSync server is a Microsoft Exchange
    Server, and you use $EMAIL$ if your ActiveSync server is an IBM Lotus Notes
    Traveler server.
    For WP8 devices, if the User Name setting is modified after the Exchange
    setting is provisioned, the device cannot sync. The workaround is to remove the
    Exchange setting and reapply it, or retire the device and register the device
    with the new User Name.

ActiveSync User Email
    Specify the variable for the email address to be used with this Exchange
    configuration. You can specify any or all of the following variables: $EMAIL$,
    $USERID$, $PASSWORD$. You can also specify custom formats, such as
    $USERID$_US.
    Typically, you use $EMAIL$ in this field.

ActiveSync Password
    Specify the variable for the password to be used with this Exchange
    configuration. You can specify any or all of the following variables: $EMAIL$,
    $USERID$, $PASSWORD$. You can also specify custom formats, such as
    $USERID$_US.

Identity Certificate
    Select the SCEP entry you created for supporting Exchange ActiveSync, if you
    are implementing certificate-based authentication.

Items to Synchronize
    Not for iOS, OS X or Android: Select the Outlook items to be synchronized:
    Contacts, Calendar, Email, Tasks.

Past Days of Email to Sync
    Specify the maximum amount of email to synchronize each time by selecting an
    option from the dropdown list.
    On Android devices, this setting works only with these email apps:
    - NitroDesk TouchDown (however, the TouchDown app does not display this
      information in its settings screen)
    - the native email app on Samsung SAFE devices
    On WP8 devices, the 1 Day option maps to the All option.

Move/Forward Messages to Other Email Accounts
    Samsung Android SAFE, iOS 5 and later: Specifies whether device users can move
    email out of the originating email account.
    This feature is not supported for WP8 devices.

Enable S/MIME
    Enables support for S/MIME encryption.
    This feature is not supported for WP8 devices.


S/MIME Signing identity
    Select a certificate as a signing identity.
    This feature is not supported for WP8 devices.

S/MIME Encryption identity
    Select a certificate as an encryption identity.
    This feature is not supported for WP8 devices.

ActiveSync
    Not for iOS or OS X. Limited support for Android.

Sync during Peak Time
    Select the preferred synchronization approach for peak times.
    This field is applicable to only some Android devices. On those devices, the
    synchronization approach that you choose applies at all times, not just peak
    times. The other ActiveSync settings, such as Off-peak times, do not apply to
    Android devices.
    The only Android devices that this field applies to are:
    - Android devices using the NitroDesk TouchDown email app
    - Samsung SAFE devices using their native email app
    For WP8 devices, the following Peak times are not supported: Every 5 minutes,
    Every 10 minutes, Every 2 hours, Every 4 hours.

Off-peak Time
    Select the preferred synchronization approach for off-peak times.
    This feature is not supported for WP8 devices.

Use above settings when roaming
    Specify whether to apply synchronization preferences while roaming.
    This feature is not supported for WP8 devices.

Send/receive when send
    Specify whether queued messages should be sent and received whenever the user
    sends a message.
    This feature is not supported for WP8 devices.

Peak Time

Peak Days
    Specify which days should be considered peak days.
    This feature is not supported for WP8 devices.

Start Time
    Specify the beginning of the peak period for all peak days.
    This feature is not supported for WP8 devices.

End Time
    Specify the end of the peak period for all peak days.
    This feature is not supported for WP8 devices.

iOS 5 and Later Settings

Email access to Third-Party apps
    Specifies whether third-party apps can use the account for email access.

Recent Address syncing
    iOS 6 and later.
    Specifies whether recently-used email addresses can be synchronized.

Android

Exchange App Priority
    Drag and drop email configurations to specify which are allowed.
    Change the order of selected configurations to specify priority.
    If there are no email apps specified in the Selected column, then
    Mobile@Work uses the following provisioning priority:
    1. Android Email+
    2. NitroDesk TouchDown
    3. Native email app

General

Accept all SSL certificates
    Enables device users to set Android devices to accept all SSL
    certificates. This setting applies to Android Email+, Samsung SAFE
    Email, and TouchDown and is intended for use when the MobileIron
    Sentry uses self-signed certificates.
    Note: Use caution when enabling this setting, as device users might
    unknowingly expose the device to attack.
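What "accept all SSL certificates" means for a TLS client, next to the way a client can trust a Sentry that uses a self-signed certificate without giving up verification. This is an added example, not MobileIron code or the behaviour of any of the email apps named above; the host name and fingerprint on the command line are placeholders, and the pinning check is a general technique rather than something the page describes.

```python
# Added example (not MobileIron's code): "Accept all SSL certificates" versus
# trusting one specific self-signed certificate. Host names and fingerprints
# passed on the command line are placeholders.
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def accept_all_context() -> ssl.SSLContext:
    """Equivalent of 'Accept all SSL certificates': no chain validation and no
    host name check, so any certificate, including one presented by an
    interposed proxy, is accepted. This is the weak setting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation plus host name check. Passing cafile restricts trust
    to the certificates in that file (for example the Sentry's own
    self-signed certificate, or the private CA that issued it) instead of
    the system store: the corrected setting for a self-signed Sentry."""
    return ssl.create_default_context(cafile=cafile)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare a certificate against a pinned fingerprint. Accepts the
    'AB:CD:..' form printed by openssl; the comparison is constant-time."""
    normalized = expected.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), normalized)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate without trusting it, so its
    fingerprint can be recorded out of band before it is pinned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with accept_all_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    # Usage: python this_file.py sentry.example.com [pinned-sha256]
    der = fetch_peer_cert(sys.argv[1])
    print("peer certificate sha256:", cert_fingerprint(der))
    if len(sys.argv) > 2:
        print("matches pinned value:", fingerprint_matches(der, sys.argv[2]))
```

The point of the contrast: `accept_all_context()` is what the Android setting turns on, and it cannot tell the real Sentry from anything else answering on that port. Loading the Sentry's certificate into `verified_context(cafile=...)`, or pinning its fingerprint, keeps verification on while still accepting a self-signed certificate.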

Copy/Paste
    Prevents use of the copy and paste commands in the NitroDesk TouchDown
    email app.

Allow access to secure info from outside container
    Specify whether to publish contacts and calendar items to non-secure
    email clients running on the same device.

NitroDesk TouchDown
    If you are using NitroDesk's TouchDown to manage Exchange on Android
    devices, enter the license key you received from NitroDesk. The
    license key will be provisioned with the other Exchange settings in
    this profile.

Samsung SAFE (Samsung SAFE 4.0 and later)

Email Account Creation By User
    Select this option to allow Samsung SAFE device users to create an
    email account on the device. Otherwise, email accounts can be created
    only as part of VSP-initiated provisioning of supported email clients.

HTML Email
    Select this option to allow use of HTML email. This option is not
    enabled by default, which prevents rendering of HTML-based email.

SmartCard Authentication
    Select this option to enable SmartCard authentication. SmartCard
    authentication is generally reserved for high-security environments
    using multi-factor authentication.

iOS/OS X Exchange profiles and password caching

To facilitate iOS and OS X deployments, MobileIron offers the option of caching a
user's email password. This option is turned off by default. Cached passwords are
encrypted, stored on the appliance, and used only for authentication. Note that the
email password must match the LDAP password in order for this feature to be of use.

Email settings (POP and IMAP)

[Platform support table: columns Android, iOS, OS X, Win 7, WP8; the check
marks were not recoverable from the extracted text.]

Select Policies & Configs > Configurations > Add New > Email to set up POP or IMAP
email.
The following table describes the email settings you can specify:

Name
    Enter brief text that identifies this group of email settings.

Description
    Enter additional text that clarifies the purpose of this group of
    email settings.

Account Type
    Select POP or IMAP to indicate the type of email account you are
    configuring. The internet service provider (ISP) can give you
    information on which type of account is available.

User Email
    Specify the email address to use. The default value is $EMAIL$. Use
    this field to specify an alternate format. For example, your email
    standard might be $EMAIL$_US for users in the United States.
    See Supported variables on page 213.

Incoming Mail Server Settings

Path Prefix
    Specify the IMAP path prefix for the email client. A prefix is
    generally required when all IMAP folders are listed under the Inbox.
    ISPs that require prefixes usually provide information on the
    specific prefix to configure.

Server Address
    Specify the address for the server handling incoming mail. The
    internet service provider (ISP) can give you this address.

Server Port
    Specify the port number for the server handling incoming mail. The
    internet service provider (ISP) can give you this information.

Require SSL
    Specify whether secure sockets layer (SSL) is required for incoming
    email transport. This is determined by the way in which the user
    mailboxes are set up. Your internet service provider (ISP) can give
    you this information.

User Name
    Specify the email address to use. The default value is $EMAIL$. Use
    this field to specify an alternate format. For example, your standard
    might be $USERID$.
    Why: Some enterprises have a strong preference concerning which
    identifier is exposed.
    See Supported variables on page 213.

Use Password Authentication
    iOS and OS X only: Specify whether to authenticate the password for
    email access.

Password
    Specify the password to use. The default value is $PASSWORD$. Use this
    field to specify a custom format, such as $PASSWORD$_$USERID$.
    See Supported variables on page 213.

Outgoing (SMTP) Mail Server Settings

Server Address
    Specify the address for the SMTP server handling outgoing mail.

Server Port
    Specify the port number for the SMTP server handling outgoing mail.

Require SSL
    Specify whether to use secure sockets layer (SSL) for outgoing email
    transport.

Require Authentication
    Specify whether to use secure sockets layer (SSL) for outgoing email
    transport.

Use Same User Name and Password for Sending Email
    Specify whether to use the same user name and password used for
    incoming email. If you select this option, then the Server User Name
    option is disabled.

Server User Name
    Specify the user name to use. The default value is $EMAIL$. Use this
    field to specify an alternate format. For example, your standard
    might be $USERID$.
    Why: Some enterprises have a strong preference concerning which
    identifier is exposed.
    See Supported variables on page 213.

Use Password Authentication
    iOS and OS X only: Specify whether to authenticate the password for
    email access.

Password
    Specify the password to use. The default value is $PASSWORD$. Use this
    field to specify a custom format, such as $PASSWORD$_$USERID$.
    See Supported variables on page 213.

Advanced Settings
    Not for iOS, OS X.

Automatic Send/Receive
    Specify how new email should be sent and retrieved. You can set an
    automatic time interval or select Manual to configure no automatic
    email exchange.

Download Messages
    Specify the number of messages to download to the device during
    send/receive.

Message Format
    Indicate whether messages should be formatted in plain text or HTML.

Message Download Limit
    Specify a size limit for a single message to be downloaded.

Download Attachment
    Specify a size limit for an attachment to be downloaded, or specify
    that attachments are not to be downloaded.

iOS 5 Settings

Block move/forward messages to other email accounts
    Enables the iOS 5 feature that prevents users from moving email
    messages to other email accounts or forwarding email from accounts
    other than the originating account.

Block email access to 3rd party apps
    Prevents third-party apps from using the account for email access.

Enable S/MIME
    Enables support for S/MIME encryption.

S/MIME Signing identity
    Enables selection of a certificate as the signing identity. If you do
    not select a certificate, then the device user will be prompted to
    select from the certificates that are already on the device.

S/MIME Encryption identity
    Enables selection of a certificate as the encryption identity. If you
    do not select a certificate, then the device user will be prompted to
    select from the certificates that are already on the device.

Allow Recent Address syncing
    iOS 6 and later.
    Enables synchronization of recently-used email addresses.
Supported variables
You can use the following variables in fields that support variables.

$USERID$
$EMAIL$
$PASSWORD$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
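How the placeholders listed above resolve per user in fields such as User Name, Server User Name and Password (the $USERID$_US, $EMAIL$_US and $PASSWORD$_$USERID$ formats given in the tables), as an added example that is not MobileIron's code. The user record type, the rejection of unsupported tokens and the password redaction are assumptions made for the example; the VSP's own expansion rules are not documented on this page.

```python
# Added example, not MobileIron code: expansion of the $VARIABLE$ placeholders
# listed under "Supported variables". The LdapUser record, the strict handling
# of unknown tokens and the redaction option are this example's assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List

SUPPORTED = (
    "USERID", "EMAIL", "PASSWORD",
    "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4",
)
# A token is a $, an upper-case name, and a closing $; the name never contains $,
# so "$PASSWORD$_$USERID$" splits cleanly into two tokens and a literal "_".
_TOKEN = re.compile(r"\$([A-Z0-9_]+)\$")


@dataclass
class LdapUser:
    """Constructed stand-in for the attributes the VSP reads from LDAP."""
    userid: str
    email: str
    password: str
    custom: Dict[str, str] = field(default_factory=dict)  # USER_CUSTOM1..4

    def value_for(self, name: str) -> str:
        if name == "USERID":
            return self.userid
        if name == "EMAIL":
            return self.email
        if name == "PASSWORD":
            return self.password
        # Custom fields that are not populated for this user expand to "".
        return self.custom.get(name, "")


def unsupported_tokens(template: str) -> List[str]:
    """Tokens that look like variables but are not in the supported list
    (a typo such as $USER_ID$ would otherwise be pushed to devices literally)."""
    return [name for name in _TOKEN.findall(template) if name not in SUPPORTED]


def expand(template: str, user: LdapUser, redact_password: bool = False) -> str:
    """Resolve every supported token; raise on unsupported ones. With
    redact_password=True the result is safe to write to a log."""
    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in SUPPORTED:
            raise ValueError(f"unsupported variable ${name}$ in {template!r}")
        if name == "PASSWORD" and redact_password:
            return "********"
        return user.value_for(name)
    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    # Constructed sample user; values are placeholders.
    u = LdapUser("jdoe", "jdoe@example.com", "s3cret", {"USER_CUSTOM1": "HQ"})
    for fmt in ("$EMAIL$", "$USERID$_US", "$EMAIL$_US", "$PASSWORD$_$USERID$"):
        print(f"{fmt:24} -> {expand(fmt, u, redact_password=True)}")
    print("typo check:", unsupported_tokens("$USER_ID$@corp"))
```

A configuration whose User Name field contains an unsupported token would be provisioned with the literal text, so `unsupported_tokens` is the check worth running over a profile before it is pushed; `redact_password` keeps `$PASSWORD$` out of any log of the expanded result.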

Wifi settings

[Platform support table: columns Android, iOS, Win 7, WP8; the check marks
were not recoverable from the extracted text.]

Select Policies & Configs > Configurations > Add New > Wifi to configure wireless
network access.
The fields that appear in the New Wifi Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the
Authentication field.

Open authentication

Use the following guidelines to set up Open authentication.

Name
    Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
    Enter the name (i.e., service set identifier) of the WiFi network
    these settings apply to. This field is case sensitive.

Description
    Enter additional text to clarify the purpose of this group of WiFi
    settings.

Hidden Network
    Select this option if the network access is not broadcast.

Authentication
    Select Open.

Data Encryption
    Not Applicable for iOS. Select the data encryption method associated
    with the selected authentication type. The selection affects which of
    the following fields are displayed. For Open authentication, the
    following encryption options are available:
    - Disabled
    - WEP
    - WEP Enterprise (Not Applicable for Android)

Network Key
    WEP encryption.
    Not Applicable for iOS. Enter the network key necessary for accessing
    this network. The network key should be 5 or 13 ASCII characters or
    10 or 26 hexadecimal digits.

Key Index
    WEP encryption.
    If using multiple network keys, select a number indicating the memory
    position of the correct encryption key.

Confirm Network Key
    Not Applicable for iOS. Re-enter the network key to confirm.

User Name
    WEP Enterprise encryption.
    Specify whether to use the email address, user ID, or a custom format
    as the user name when establishing the WiFi connection. Acceptable
    variables: $USERID$ and $EMAIL$.

Password
    WEP Enterprise encryption.
    Specify $PASSWORD$ and any necessary custom formatting for the WiFi
    password.

Apply to Certificates
    WEP Enterprise encryption.
    If you have used the Certificates application settings to upload the
    certificates accepted by your WiFi servers, select these certificates
    in the Available list and move them to the Selected list.

Trusted Certificate Names
    WEP Enterprise encryption.
    If you did not specify trusted certificates in the Apply to
    Certificates list, then enter the names of the authentication servers
    to be trusted. You can specify a particular server, such as
    server.mycompany.com or a partial name such as *.mycompany.com.

Allow Trust Exceptions
    WEP Enterprise encryption.
    Select this option to let users decide to trust a server when the
    chain of trust can't be established. To avoid these prompts, and to
    permit connections only to trusted services, turn off this option and
    upload all necessary certificates.

Use Per-connection Password
    WEP Enterprise encryption.
    Select this option to prompt the user to enter a password each time
    the device connects to the WiFi network.

EAP Type
    Not Applicable for Android. Select the authentication protocol used:
    - EAP-FAST
    - EAP-SIM
    - LEAP
    - PEAP
    - TLS
    - TTLS
    For iOS, you can make multiple selections.
    If you select EAP-FAST, then you also need to specify the Protected
    Access Credential (PAC).
    If you select TLS, then you can specify an Identity Certificate.
    If you select TTLS, then you also need to specify the Inner Identity
    Authentication Protocol.

Connects To
    Select Internet or Work.

iOS 5 Settings

Auto Join
    Specifies whether devices should automatically join the corresponding
    WiFi network. If this option is not selected, device users must tap
    the network name on the device to join the network.

Proxy Type
    Specifies whether a proxy is configured, and which type. Available
    types are Manual and Auto.

Proxy PAC URL
    Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
    Specifies the proxy server's IP address.

Proxy User Name
    For manual proxies, specifies the optional user name for server
    access.

Proxy Password
    For manual proxies, specifies the optional password for server
    access.

Shared authentication

Use the following guidelines to set up shared authentication:

Name
    Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
    Enter the name (i.e., service set identifier) of the WiFi network
    these settings apply to. This field is case sensitive.

Description
    Enter additional text to clarify the purpose of this group of WiFi
    settings.

Hidden Network
    Select this option if the network access is not broadcast.

Authentication
    Select Shared.

Data Encryption
    Not Applicable for iOS. Select the data encryption method associated
    with the selected authentication type. The selection affects which of
    the following fields are displayed. For Shared authentication, the
    following encryption options are available:
    - Disabled
    - WEP
    - WEP Enterprise (Not Applicable for Android)

Network Key
    WEP encryption.
    Not Applicable for iOS. Enter the network key necessary for accessing
    this network. The network key should be 5 or 13 ASCII characters or
    10 or 26 hexadecimal digits.

Key Index
    WEP encryption.
    If using multiple network keys, select a number indicating the memory
    position of the correct encryption key.

Confirm Network Key
    Not Applicable for iOS. Re-enter the network key to confirm.

User Name
    WEP Enterprise encryption.
    Specify whether to use the email address, user ID, or a custom format
    as the user name when establishing the WiFi connection. Acceptable
    variables: $USERID$ and $EMAIL$.

Password
    WEP Enterprise encryption.
    Specify $PASSWORD$ and any necessary custom formatting for the WiFi
    password.

Apply to Certificates
    WEP Enterprise encryption.
    If you have used the Certificates application settings to upload the
    certificates accepted by your WiFi servers, select these certificates
    in the Available list and move them to the Selected list.

Trusted Certificate Names
    WEP Enterprise encryption.
    If you did not specify trusted certificates in the Apply to
    Certificates list, then enter the names of the authentication servers
    to be trusted. You can specify a particular server, such as
    server.mycompany.com or a partial name such as *.mycompany.com.

Allow Trust Exceptions
    WEP Enterprise encryption.
    Select this option to let users decide to trust a server when the
    chain of trust can't be established. To avoid these prompts, and to
    permit connections only to trusted services, turn off this option and
    upload all necessary certificates.

Use Per-connection Password
    WEP Enterprise encryption.
    Select this option to prompt the user to enter a password each time
    the device connects to the WiFi network.

EAP Type
    Not Applicable for Android. Select the authentication protocol used:
    - EAP-FAST
    - EAP-SIM
    - LEAP
    - PEAP
    - TLS
    - TTLS
    For iOS, you can make multiple selections.
    If you select EAP-FAST, then you also need to specify the Protected
    Access Credential (PAC).
    If you select TLS, then you can specify an Identity Certificate.
    If you select TTLS, then you also need to specify the Inner Identity
    Authentication Protocol.

Connects To
    Select Internet or Work.

iOS 5 Settings

Auto Join
    Specifies whether devices should automatically join the corresponding
    WiFi network. If this option is not selected, device users must tap
    the network name on the device to join the network.

Proxy Type
    Specifies whether a proxy is configured, and which type. Available
    types are Manual and Auto.

Proxy PAC URL
    Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
    Specifies the proxy server's IP address.

WPA Enterprise authentication

Use the following guidelines to set up WPA Enterprise authentication:

Name
    Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
    Enter the name (i.e., service set identifier) of the WiFi network
    these settings apply to. This field is case sensitive.

Description
    Enter additional text to clarify the purpose of this group of WiFi
    settings.

Hidden Network
    Select this option if the network access is not broadcast.

Authentication
    Select WPA Enterprise.

Data Encryption
    Not Applicable for iOS. Select the data encryption method associated
    with the selected authentication type. For WPA Enterprise
    authentication, the following encryption options are available:
    - AES
    - TKIP

User Name
    Specify whether to use the email address, user ID, or a custom format
    as the user name when establishing the WiFi connection. Acceptable
    variables: $USERID$ and $EMAIL$.

Password
    Specify $PASSWORD$ and any necessary custom formatting for the WiFi
    password.

Apply to Certificates
    If you have used the Certificates application settings to upload the
    certificates accepted by your WiFi servers, select these certificates
    in the Available list and move them to the Selected list.

Trusted Certificate Names
    If you did not specify trusted certificates in the Apply to
    Certificates list, then enter the names of the authentication servers
    to be trusted. You can specify a particular server, such as
    server.mycompany.com or a partial name such as *.mycompany.com.

Allow Trust Exceptions
    Select this option to let users decide to trust a server when the
    chain of trust can't be established. To avoid these prompts, and to
    permit connections only to trusted services, turn off this option and
    upload all necessary certificates.

Use Per-connection Password
    Select this option to prompt the user to enter a password each time
    the device connects to the WiFi network.

EAP Type
    Select the authentication protocol used:
    - EAP-FAST (not for Android)
    - EAP-SIM (not for Android)
    - LEAP (not for Android)
    - PEAP
    - TLS (not for Android)
    - TTLS
    For iOS, you can make multiple selections.
    If you select EAP-FAST, then you also need to specify the Protected
    Access Credential (PAC).
    If you select TLS, then you can specify an Identity Certificate.
    If you select TTLS, then you also need to specify the Inner Identity
    Authentication Protocol.

Connects To
    Select Internet or Work.

iOS 5 Settings

Auto Join
    Specifies whether devices should automatically join the corresponding
    WiFi network. If this option is not selected, device users must tap
    the network name on the device to join the network.

Proxy Type
    Specifies whether a proxy is configured, and which type. Available
    types are Manual and Auto.

Proxy PAC URL
    Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
    Specifies the proxy server's IP address.

WPA2 Enterprise authentication

Use the following guidelines to configure WPA2 Enterprise authentication.

Network Name (SSID)
    Enter the name (i.e., service set identifier) of the WiFi network
    these settings apply to. This field is case sensitive.

Description
    Enter additional text to clarify the purpose of this group of WiFi
    settings.

Hidden Network
    Select this option if the network access is not broadcast.

Authentication
    Select WPA2 Enterprise.

Data Encryption
    Not Applicable for iOS. Select the data encryption method associated
    with the selected authentication type. For WPA2 Enterprise
    authentication, the following encryption options are available:
    - AES
    - TKIP

User Name
    Specify whether to use the email address, user ID, or a custom format
    as the user name when establishing the WiFi connection. Acceptable
    variables: $USERID$ and $EMAIL$.

Password
    Specify $PASSWORD$ and any necessary custom formatting for the WiFi
    password.

Apply to Certificates
    If you have used the Certificates application settings to upload the
    certificates accepted by your WiFi servers, select these certificates
    in the Available list and move them to the Selected list.

Trusted Certificate Names
    If you did not specify trusted certificates in the Apply to
    Certificates list, then enter the names of the authentication servers
    to be trusted. You can specify a particular server, such as
    server.mycompany.com or a partial name such as *.mycompany.com.

iOS 5 Settings

Auto Join
    Specifies whether devices should automatically join the corresponding
    WiFi network. If this option is not selected, device users must tap
    the network name on the device to join the network.

Proxy Type
    Specifies whether a proxy is configured, and which type. Available
    types are Manual and Auto.

Proxy PAC URL
    Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
    Specifies the proxy server's IP address.
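The Trusted Certificate Names and Allow Trust Exceptions fields appear in each of the Open, Shared, WPA Enterprise and WPA2 Enterprise tables above. The following added example (not MobileIron code, and not the matching logic of any device OS) shows how a name list such as server.mycompany.com or *.mycompany.com is matched against the name in the authentication server's certificate, and how the Allow Trust Exceptions setting changes the outcome when the chain of trust cannot be established. The ServerIdentity record, the one-label wildcard rule and the three outcomes are this example's assumptions.

```python
# Added example, not MobileIron code: matching "Trusted Certificate Names"
# against an EAP server certificate and applying "Allow Trust Exceptions".
# ServerIdentity, the one-label wildcard rule and the outcome names are
# assumptions made for this example.
from dataclasses import dataclass
from typing import Iterable, Tuple


def name_matches(pattern: str, server_name: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering exactly one
    label: *.mycompany.com covers radius.mycompany.com, but not
    mycompany.com, not a.b.mycompany.com and not mycompany.com.evil.net."""
    pattern = pattern.strip().lower().rstrip(".")
    server_name = server_name.strip().lower().rstrip(".")
    if not pattern or not server_name:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".mycompany.com"
        if not server_name.endswith(suffix):
            return False
        head = server_name[: -len(suffix)]        # the label the * stands for
        return bool(head) and "." not in head
    if "*" in pattern:
        return False                              # only a leading label wildcard
    return pattern == server_name


@dataclass
class ServerIdentity:
    """What the device learns from the authentication server's certificate."""
    subject_cn: str
    san_dns: Tuple[str, ...]   # DNS names from subjectAltName, may be empty
    chain_valid: bool          # chain validated against the uploaded certificates


def decide(identity: ServerIdentity, trusted_names: Iterable[str],
           allow_trust_exceptions: bool) -> str:
    """Return 'connect', 'prompt_user' or 'reject'. With Allow Trust
    Exceptions off, anything that is not positively trusted is rejected."""
    if not identity.chain_valid:
        return "prompt_user" if allow_trust_exceptions else "reject"
    names = list(trusted_names)
    if not names:
        return "connect"          # trust comes from Apply to Certificates alone
    candidates = identity.san_dns or (identity.subject_cn,)
    if any(name_matches(p, n) for p in names for n in candidates):
        return "connect"
    return "prompt_user" if allow_trust_exceptions else "reject"


if __name__ == "__main__":
    # Constructed identities; all names are placeholders.
    real = ServerIdentity("radius.mycompany.com", ("radius.mycompany.com",), True)
    lookalike = ServerIdentity("radius.mycompany.com.evil.net",
                               ("radius.mycompany.com.evil.net",), True)
    for ident in (real, lookalike):
        print(ident.subject_cn, "->", decide(ident, ["*.mycompany.com"], False))
```

The lookalike name is the case the wildcard rule has to get right: `*.mycompany.com` must not match a host whose name merely contains `mycompany.com` somewhere in the middle. The `decide` function also shows why the table recommends turning Allow Trust Exceptions off and uploading the certificates: with it on, every chain failure becomes a user prompt instead of a refusal.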

WPA Personal authentication

Use the following guidelines to configure WPA Personal authentication.

Name
    Enter the name to use to reference this configuration in MobileIron.

Network Name (SSID)
    Enter the name (i.e., service set identifier) of the WiFi network
    these settings apply to. This field is case sensitive.

Description
    Enter additional text to clarify the purpose of this group of WiFi
    settings.

Hidden Network
    Select this option if the network access is not broadcast.

Authentication
    Select WPA Personal.

Data Encryption
    Not Applicable for iOS. Select the data encryption method associated
    with the selected authentication type. For WPA Personal
    authentication, the following encryption options are available:
    - AES
    - TKIP

Network Key
    Not Applicable for iOS. Enter the network key necessary for accessing
    this network. The key should be at least 8 characters long.

Confirm Network Key
    Not Applicable for iOS. Re-enter the network key to confirm.

EAP Type
    Select the authentication protocol used:
    - EAP-FAST
    - EAP-SIM
    - LEAP
    - PEAP
    - TLS
    - TTLS
    For iOS, you can make multiple selections.
    If you select EAP-FAST, then you also need to specify the Protected
    Access Credential (PAC).
    If you select TLS, then you can specify an Identity Certificate.
    If you select TTLS, then you also need to specify the Inner Identity
    Authentication Protocol.

Connects To
    Select Internet or Work.

iOS 5 Settings

Auto Join
    Specifies whether devices should automatically join the corresponding
    WiFi network. If this option is not selected, device users must tap
    the network name on the device to join the network.

Proxy Type
    Specifies whether a proxy is configured, and which type. Available
    types are Manual and Auto.

Proxy PAC URL
    Specifies the URL for the proxy auto-configuration (PAC) file.

Proxy Server
    Specifies the proxy server's IP address.
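A check for the Network Key field before a Wifi configuration is saved, covering the WEP rule from the Open and Shared tables (5 or 13 ASCII characters, or 10 or 26 hexadecimal digits) and the WPA Personal rule above (at least 8 characters). This is an added example, not MobileIron code and not the validation the Admin Portal performs; the 63-character WPA upper bound, the printable-ASCII requirement and the Confirm Network Key comparison are assumptions taken from the WPA passphrase format and the dialog's confirm field.

```python
# Added example, not MobileIron code: validating a Network Key against the
# length rules given in this chapter. The WPA 63-character limit, the
# printable-ASCII requirement and the confirm-field check are assumptions.
import string
from typing import List, Optional, Tuple

_HEX = set(string.hexdigits)


def classify_wep_key(key: str) -> Optional[Tuple[str, int]]:
    """Return ("hex", bits) or ("ascii", bits), or None if the key is not a
    valid WEP key. 5 ASCII characters / 10 hex digits give a 40-bit key;
    13 ASCII characters / 26 hex digits give a 104-bit key. (WEP itself is
    long broken; this only tells you whether the key will be accepted.)"""
    n = len(key)
    if n in (10, 26) and all(c in _HEX for c in key):
        return ("hex", 40 if n == 10 else 104)
    if n in (5, 13) and key.isascii() and key.isprintable():
        return ("ascii", 40 if n == 5 else 104)
    return None


def validate_network_key(encryption: str, key: str, confirm: str) -> List[str]:
    """Return the list of problems with the key; an empty list means it is
    acceptable for the given Data Encryption selection."""
    problems: List[str] = []
    if key != confirm:
        problems.append("Network Key and Confirm Network Key do not match")
    enc = encryption.strip().upper()
    if enc == "WEP":
        if classify_wep_key(key) is None:
            problems.append(
                "WEP key must be 5 or 13 ASCII characters or 10 or 26 hex digits")
    elif enc in ("AES", "TKIP"):            # WPA Personal encryption options
        if len(key) < 8:
            problems.append("WPA Personal key must be at least 8 characters")
        elif len(key) > 63 or not (key.isascii() and key.isprintable()):
            problems.append(
                "WPA Personal passphrase must be 8 to 63 printable ASCII characters")
    elif enc == "DISABLED":
        if key:
            problems.append("no network key is used when encryption is Disabled")
    else:
        problems.append(f"unknown encryption method {encryption!r}")
    return problems


if __name__ == "__main__":
    # Constructed inputs; keys are placeholders, not real network keys.
    samples = [
        ("WEP", "abcde", "abcde"),
        ("WEP", "abcdefg", "abcdefg"),
        ("AES", "short", "short"),
        ("AES", "correct horse battery", "correct horse batery"),
    ]
    for enc, key, confirm in samples:
        print(enc, repr(key), "->", validate_network_key(enc, key, confirm) or "ok")
```

Run the check on the administrator side: a key that fails these rules is silently unusable on the device, and the mismatch between Network Key and Confirm Network Key is the most common way a profile ends up pushing a key nobody typed.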

iOS WiFi profiles and password caching

To facilitate iOS deployments, MobileIron offers the option of caching a user's WiFi
password. This option is turned off by default. Cached passwords are encrypted,
stored on the appliance, and used only for authentication. Note that the password
must match the LDAP password in order for this feature to be of use.

VPN settings

[Platform support table: columns Android, iOS, OS X, Win 7, WP8; the check
marks were not recoverable from the extracted text.
Footnote a: Supported for Cisco's AnyConnect VPN client on Android.]

Select Policies & Configs > Configurations > Add New > VPN to configure VPN access.
The fields that appear in the New VPN Setting dialog change based on values selected.
The following tables describe the fields required for each selection in the Connection
Type field.

PPTP

Use the following guidelines to configure PPTP VPN.

Name
    Enter brief text that identifies this group of VPN settings.

Description
    Enter additional text that clarifies the purpose of this group of VPN
    settings.

Connection Type
    Select PPTP (iOS, OSX, and Android only).

Server
    Enter the IP address, hostname, or URL for the VPN server.

User Name
    Specify the user name to use. The default value is $EMAIL$. Use this
    field to specify an alternate format. For example, your standard
    might be $USERID$.
    Why: Some enterprises have a strong preference concerning which
    identifier is exposed.
    See Supported variables on page 230.

Password
    Specify the password to use. The default value is $PASSWORD$. Use this
    field to specify a custom format, such as $PASSWORD$_$USERID$.
    See Supported variables on page 230.

Authentication
    Select the authentication method to use: Password or RSA SecureID.

Encryption Level
    Select None, Automatic or Maximum (128 bit).

Domain
    Specify the network domain.

Send all Traffic
    Selecting this option protects data from being compromised,
    particularly on public networks.

Proxy
    Select Manual or Automatic to configure a proxy. If you select Manual,
    you must specify the proxy server name and port number. If you select
    Automatic, you must specify the proxy server URL.

L2TP

Use the following guidelines to configure L2TP VPN.

Name
    Enter brief text that identifies this group of VPN settings.

Description
    Enter additional text that clarifies the purpose of this group of VPN
    settings.

Connection Type
    Select L2TP (iOS, OSX, and Android only).

Server
    Enter the IP address, hostname, or URL for the VPN server.

User Name
    Specify the user name to use. The default value is $EMAIL$. Use this
    field to specify an alternate format. For example, your standard
    might be $USERID$.
    Why: Some enterprises have a strong preference concerning which
    identifier is exposed.
    See Supported variables on page 230.

Password
    Specify the password to use. The default value is $PASSWORD$. Use this
    field to specify a custom format, such as $PASSWORD$_$USERID$. This
    field does not display if you selected RSA SecureID for
    authentication.
    See Supported variables on page 230.

Authentication
    Select the authentication method to use: Password or RSA SecureID.

Shared Secret
    The shared secret passcode. This is not the user's password; the
    shared secret must be specified to initiate a connection.

Confirm Shared Secret
    Re-enter the shared secret to confirm.

Send all Traffic
    Selecting this option protects data from being compromised,
    particularly on public networks.

Proxy
    Select Manual or Automatic to configure a proxy. If you select Manual,
    you must specify the proxy server name and port number. If you select
    Automatic, you must specify the proxy server URL.

IPSec (Cisco)

Use the following guidelines to configure IPSec (Cisco) VPN.

Name
    Enter brief text that identifies this group of VPN settings.

Description
    Enter additional text that clarifies the purpose of this group of VPN
    settings.

Connection Type
    Select IPSec (Cisco).

Server
    Enter the IP address, hostname, or URL for the VPN server.

User Name
    Specify the user name to use. The default value is $EMAIL$. Use this
    field to specify an alternate format. For example, your standard
    might be $USERID$.
    Why: Some enterprises have a strong preference concerning which
    identifier is exposed.
    See Supported variables on page 230.

XAuth Enabled
    Specifies that IPsec XAuth authentication is enabled. Select this
    option if your VPN requires two-factor authentication, resulting in a
    prompt for the password. This option is enabled by default.

Password
    Specify the password to use. The default value is $PASSWORD$. Use this
    field to specify a custom format, such as $PASSWORD$_$USERID$.
    See Supported variables on page 230.

Authentication
    Select the authentication method to use: Shared Secret/Group Name or
    Certificate.

Group Name
    Shared Secret/Group Name authentication.
    Specify the name of the group to use. If Hybrid Authentication is
    used, the string must end with [hybrid].

Shared Secret
    Shared Secret/Group Name authentication.
    The shared secret passcode. This is not the user's password; the
    shared secret must be specified to initiate a connection.

Confirm Shared Secret
    Shared Secret/Group Name authentication.
    Re-enter the shared secret to confirm.

Use Hybrid Authentication
    Shared Secret/Group Name authentication.
    Select to specify hybrid authentication, i.e., the server provides a
    certificate and the client provides a pre-shared key.

Prompt for Password
    Shared Secret/Group Name authentication.
    Specify whether the user should be prompted for a password when
    connecting.

Identity Certificate
    Certificate authentication.
    Select the SCEP entry you created for supporting VPN, if you are
    implementing certificate-based authentication.

Include User PIN
    Certificate authentication.
    Select to prompt the user for a PIN.

VPN on Demand
    Certificate authentication.
    Select to enable the VPN on Demand section. Click Add New to specify a
    domain or hostname and the preferred connection option.

Proxy
    Select Manual or Automatic to configure a proxy. If you select Manual,
    you must specify the proxy server name and port number. If you select
    Automatic, you must specify the proxy server URL.

Cisco AnyConnect
Use the following guidelines to configure Cisco AnyConnect VPN.

Name: Enter brief text that identifies this group of VPN settings.

Description: Enter additional text that clarifies the purpose of this group of VPN settings.

Connection Type: Select Cisco AnyConnect (iOS, OSX, and Android only).

Server: Enter the IP address, hostname, or URL for the VPN server.

User Name: Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 230.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 230.

Group: Specify the name of the group to use.

User Authentication: Select Password or Certificate.

Identity Certificate: Certificate authentication. Select the SCEP entry you created for supporting VPN, if you are implementing certificate-based authentication.

VPN on Demand: Certificate authentication. Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

Proxy: Not for Android. Select Manual or Automatic to configure a proxy. If you select Manual, you must specify the proxy server name and port number. If you select Automatic, you must specify the proxy server URL.


Juniper SSL
Use the following guidelines to configure Juniper SSL VPN.

Name: Enter brief text that identifies this group of VPN settings.

Description: Enter additional text that clarifies the purpose of this group of VPN settings.

Connection Type: Select Juniper SSL (iOS only).

Server: Enter the IP address, hostname, or URL for the VPN server.

User Name: Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 230.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 230.

Role: Specify the Juniper user role to use as a restriction.

Realm: Specify the Juniper realm to use as a restriction.

User Authentication: Select Password or Certificate.

Identity Certificate: Certificate authentication. Select the SCEP entry you created for supporting VPN, if you are implementing certificate-based authentication.

VPN on Demand: Certificate authentication. Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

Proxy: Not for Android. Select Manual or Automatic to configure a proxy. If you select Manual, you must specify the proxy server name and port number. If you select Automatic, you must specify the proxy server URL.

F5 SSL
Use the following guidelines to configure F5 SSL VPN.

Name: Enter brief text that identifies this group of VPN settings.

Description: Enter additional text that clarifies the purpose of this group of VPN settings.

Connection Type: Select F5 SSL (iOS and OSX only).

Server: Enter the IP address, hostname, or URL for the VPN server.

User Name: Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 230.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 230.

User Authentication: Select Password or Certificate.

Identity Certificate: Certificate authentication. Select the SCEP entry you created for supporting VPN, if you are implementing certificate-based authentication.

VPN on Demand: Certificate authentication. Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

Proxy: Not for Android. Select Manual or Automatic to configure a proxy. If you select Manual, you must specify the proxy server name and port number. If you select Automatic, you must specify the proxy server URL.

Custom SSL for iOS
The Custom SSL connection type is for SSL VPN solutions that have a third-party app in the App Store. Use the following guidelines to configure a custom SSL solution.

Name: Enter brief text that identifies this group of VPN settings.

Description: Enter additional text that clarifies the purpose of this group of VPN settings.

Connection Type: Select Custom SSL (iOS and OSX only).

Server: Enter the IP address, hostname, or URL for the VPN server.

User Name: Specify the user name to use. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 230.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 230.

Identifier: App Store identifier for the VPN app being configured. The app creator should provide this information.

User Authentication: Select Password or Certificate.

Identity Certificate: Certificate authentication. Select the SCEP entry you created for supporting VPN, if you are implementing certificate-based authentication.

VPN on Demand: Certificate authentication. Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

Custom Data: Key/value pairs necessary to configure the app. Click Add New to display a popup for entering each pair. The app creator should provide the necessary key/value pairs.

Proxy: Not for Android. Select Manual or Automatic to configure a proxy. If you select Manual, you must specify the proxy server name and port number. If you select Automatic, you must specify the proxy server URL.

Supported variables
You can use the following variables in fields that support variables.

$USERID$
$EMAIL$
$PASSWORD$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

iOS VPN profiles and password caching

To facilitate iOS deployments, MobileIron offers the option of caching a user's VPN password. This option is turned off by default. Cached passwords are encrypted, stored on the appliance, and used only for authentication. Note that the password must match the LDAP password in order for this feature to be of use.


AppConnect settings
Configuring an AppConnect app can involve the following configurations:

AppConnect configuration
This configuration is necessary if the AppConnect app requires app tunneling or app-specific configurations.
See Configuring an AppConnect app configuration on page 504.

AppConnect container policy
The presence of an AppConnect container policy for a device is what authorizes the app on the device. You also set whether certain features, such as copy/paste or Open In, are enabled.
See Configuring AppConnect container policies on page 494.


AppConnect Configuration settings
See Configuring an AppConnect app configuration on page 504.


AppConnect Container policy settings
See Configuring AppConnect container policies on page 494.


Bookmarks settings
No longer supported. See Web@Work for iOS on page 523 for information on creating bookmarks in Web@Work.


Certificates settings
Android

iOS

OS X

Win 7

WP8

yes

yes

yes

yesa

a. Only root certificates.

Select Policies & Configs > Configurations > Add New > Certificates to configure the necessary identity certificates for your organization.
The following table describes the Certificate settings you can specify:

Name: Enter brief text that identifies this group of certificate settings.

Description: Enter additional text that clarifies the purpose of this group of certificate settings.

File Name: Click the Browse button to select the certificate to be uploaded to the MobileIron Server. Note that the certificate will also appear in the File Management page.

Password: Specify any password required for decrypting the certificate.

Confirm Password: Enter the password again to match and confirm.


SCEP settings
Android

iOS

OS X

Win 7

WP8

yes

yes

yes

yes

Select Policies & Configs > Configurations > Add New > SCEP to specify settings that
allow the device to obtain certificates from a CA using Simple Certificate Enrollment
Protocol (SCEP).
Creating a SCEP entry is part of a larger process of setting up a SCEP server to support authentication for VPN on demand, Wifi, Exchange ActiveSync, and so on. A
default SCEP setting is included for the built-in SCEP server, which supports iOS and
OS X enrollment.
Name: Enter brief text that identifies this group of SCEP settings.

Description: Enter additional text that clarifies the purpose of this group of SCEP settings.

Enable Proxy: Indicate whether to enable proxy functions. See Why proxy? on page 240.

Cache locally generated keys: Specifies whether the VSP stores the private key sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.

User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

Device Certificate: Specifies that the certificate is bound to the given device.

Setting Type: Select SCEP for standard certificate-based authentication using a separate CA.
Select Local if you are using the MobileIron VSP as the CA.
Select Symantec Managed PKI if you are using Symantec's SCEP solution. See Using Symantec Managed PKI on page 240 for more information.
Select User Provided if device users will upload their personal certificates, as they would for S/MIME apps. The MyPhone@Work user portal includes a certificate upload section for this purpose.
Select OpenTrust if you are using the OpenTrust integration. See Using the OpenTrust integration on page 241.
Select Symantec Web Services Managed PKI if you are using the Symantec Web Services Managed PKI solution. See Using Symantec Web Services Managed PKI on page 244 for more information.


URL: Enter the URL for the server that corresponds to the selected setting type. For example, if you selected SCEP in the Setting Type field, enter the URL for the SCEP server.
For iOS and OSX: Note that iOS and OSX do not support https with self-signed certificates. Therefore, should you choose to use https, you must have a trusted certificate installed for the portal certificate in order for provisioning to function properly.

Certificate: See Using the OpenTrust integration on page 241.

MPS Mobile Profiles: See Using the OpenTrust integration on page 241.

Description: See Using the OpenTrust integration on page 241.

Application Description: See Using the OpenTrust integration on page 241.

Subject: Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user's fully qualified domain name. For example, C=US,DC=com,DC=MobileIron,OU=InfoTech or CN=www.mobileiron.com.
You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.
Refer to X.509 Codes for information about X.509 OIDs.
For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user's FQDN.

Subject Common Name Type: Select the CN type specified in the certificate template.

Subject Alternative Name Type: Select NT Principal Name, RFC 822 Name, or None, based on the attributes of the certificate template. You can enter four alternative name types.
If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.
Note: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate:
Select NT Principal Name.
Select Distinguished Name for a second Subject Alternative Name Type field.


Subject Alternative Name Value: Specify the value for the selected Subject Alternative Name Type. Variable substitution is supported. See Supported variables on page 240.
Note: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate:
Enter $USER_UPN$ for the value corresponding to NT Principal Name.
Enter $USER_DN$ for the value corresponding to Distinguished Name.

Key Size: Select a key size (1024, 2048, or 4096).

Key Usage: Specify acceptable use of the key (signing and/or encryption).

Finger Print: If your Certificate Authority uses HTTP, use this field to provide the fingerprint of the CA's certificate. You can enter a SHA1 or MD5 fingerprint.

Challenge Type: Select None, Microsoft SCEP, or Manual to specify the type of challenge to use.

Challenge: For a Manual challenge type, enter a pre-shared secret the SCEP server can use to identify the request or user.

Challenge URL: For a Microsoft SCEP challenge type, enter the URL of the trustpoint defined for your Microsoft CA.

User Name: Enter the user name for the Microsoft SCEP CA.

Password: Enter the password for the Microsoft SCEP CA.

Issue test certificate?: Deselect this checkbox after an initial SCEP setting test. Some certificate authorities charge for each certificate. To avoid incurring additional charges, deselect this checkbox.
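When the CA is reached over plain HTTP, the Finger Print field is the only thing that tells a device the CA certificate it fetched is genuine, so the comparison has to be done carefully. The following Python is an added illustration of such a pinned-fingerprint check and is not MobileIron's code: it accepts the colon-separated, space-separated or bare hex forms an administrator typically pastes (with or without a "SHA1:" or "MD5:" prefix), infers SHA1 versus MD5 from the digest length, compares in constant time, and flags an MD5 value so the operator can move to the SHA1 form. CA_CERT_DER is constructed placeholder bytes standing in for a real DER certificate.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed placeholder standing in for the DER bytes of the CA certificate
# a device would fetch from the SCEP server. It is not a real certificate.
CA_CERT_DER = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(range(256))

# Digest lengths, in hex characters, for the two forms the Finger Print
# field accepts.
_DIGEST_LENGTHS = {40: "sha1", 32: "md5"}


def normalize_fingerprint(configured: str) -> str:
    """Reduce an administrator-entered fingerprint to bare lower-case hex.

    Accepts forms such as 'AB:CD:...', 'ab cd ...', 'SHA1: ab:cd:...' and
    'abcd...'. Raises ValueError for anything that is not hexadecimal.
    """
    text = configured.strip()
    text = re.sub(r"^(sha-?1|md5)\s*[:=]?\s*", "", text, flags=re.IGNORECASE)
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint contains non-hexadecimal characters")
    return hexdigits


def fingerprint_algorithm(hexdigits: str) -> str:
    """Infer the hash algorithm from the digest length."""
    try:
        return _DIGEST_LENGTHS[len(hexdigits)]
    except KeyError:
        raise ValueError(
            f"{len(hexdigits)} hex digits is neither SHA1 (40) nor MD5 (32)"
        ) from None


def fingerprint_of(cert_der: bytes, algorithm: str) -> str:
    """Fingerprint of a DER certificate in the colon-separated form CAs print."""
    digest = hashlib.new(algorithm, cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def verify_ca_fingerprint(cert_der: bytes, configured: str) -> Tuple[bool, str, List[str]]:
    """Check a fetched CA certificate against the configured fingerprint.

    Returns (matches, algorithm, warnings). The comparison is constant-time,
    and a warning is produced when the weaker MD5 form is in use.
    """
    expected = normalize_fingerprint(configured)
    algorithm = fingerprint_algorithm(expected)
    actual = hashlib.new(algorithm, cert_der).hexdigest()
    matches = hmac.compare_digest(actual, expected)
    warnings: List[str] = []
    if algorithm == "md5":
        warnings.append("MD5 fingerprint configured; prefer the SHA1 form")
    return matches, algorithm, warnings


if __name__ == "__main__":
    pinned = fingerprint_of(CA_CERT_DER, "sha1")
    print("configured:", pinned)
    print("genuine CA cert:", verify_ca_fingerprint(CA_CERT_DER, pinned))
    print("tampered CA cert:", verify_ca_fingerprint(CA_CERT_DER + b"\x00", pinned))
```

The check rejects a certificate whose fingerprint differs by a single byte, which is the property that matters: without it, anything able to answer the HTTP request could hand the device its own CA certificate.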

X.509 Codes
The Subject field uses an X.509 distinguished name. You can use one or more X.509 codes, separated by commas. This table describes the valid X.509 codes:

Code  Name                 Type     Max Size  Example
C     Country/Region       ASCII              C=US
DC    Domain Component     ASCII    255       DC=company, DC=com
S     State or Province    Unicode  128       S=California
L     Locality             Unicode  128       L=Mountain View
O     Organization         Unicode  64        O=Company Name, Inc.
OU    Organizational Unit  Unicode  64        OU=Support
CN    Common Name          Unicode  64        CN=www.company.com

Note: If the SCEP entry is not valid, then you will be prompted to correct it; partial and invalid entries cannot be saved.
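The Subject field, the VPN User Name and Password fields, and the Subject Alternative Name Value all take the same $VARIABLE$ substitution, and the expanded Subject then has to respect the code table above. The following Python, added here as an illustration rather than MobileIron's implementation, does both: it expands $NAME$ tokens from a per-user/per-device context ($NULL$ becomes empty, an unknown variable is an error instead of leaking into a certificate), splits the result into (code, value) elements, and checks each against the table's type and size limits. The guide gives no size for Country/Region, so it is left unbounded, and a comma inside a value (the table's own "O=Company Name, Inc.") is kept with its value. SAMPLE_CONTEXT holds constructed values.

```python
import re
from typing import Dict, List, Optional, Tuple

# The X.509 code table from this guide: code -> (value type, max size).
# The guide lists no max size for Country/Region, so it is unbounded here.
X509_CODES: Dict[str, Tuple[str, Optional[int]]] = {
    "C": ("ASCII", None),
    "DC": ("ASCII", 255),
    "S": ("Unicode", 128),
    "L": ("Unicode", 128),
    "O": ("Unicode", 64),
    "OU": ("Unicode", 64),
    "CN": ("Unicode", 64),
}

_VAR = re.compile(r"\$([A-Z0-9_]+)\$")


def substitute(template: str, context: Dict[str, str]) -> str:
    """Expand $NAME$ variables from the user/device context.

    $NULL$ expands to the empty string. A variable missing from the context
    raises instead of being passed through, so a misspelled variable cannot
    end up literally inside a certificate subject or a VPN credential.
    """
    def expand(match):
        name = match.group(1)
        if name == "NULL":
            return ""
        if name not in context:
            raise KeyError(f"unsupported or unset variable ${name}$")
        return context[name]
    return _VAR.sub(expand, template)


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a comma-separated subject into (code, value) pairs.

    A comma inside a value, as in the guide's example 'O=Company Name, Inc.',
    is kept with the preceding value rather than starting a new element.
    """
    pairs: List[Tuple[str, str]] = []
    for part in subject.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            code, value = part.split("=", 1)
            pairs.append((code.strip().upper(), value.strip()))
        elif pairs:
            code, value = pairs[-1]
            pairs[-1] = (code, f"{value}, {part}")
        else:
            raise ValueError(f"malformed subject element: {part!r}")
    return pairs


def validate_subject(subject: str) -> List[str]:
    """Return the problems found in an expanded subject; empty means valid."""
    problems: List[str] = []
    for code, value in parse_subject(subject):
        if code not in X509_CODES:
            problems.append(f"{code}: not a supported X.509 code")
            continue
        value_type, max_size = X509_CODES[code]
        if not value:
            problems.append(f"{code}: empty value")
        if value_type == "ASCII" and not value.isascii():
            problems.append(f"{code}: must be ASCII")
        if max_size is not None and len(value) > max_size:
            problems.append(f"{code}: {len(value)} chars exceeds max {max_size}")
    return problems


def build_subject(template: str, context: Dict[str, str]) -> str:
    """Expand the Subject template and reject it unless every element is valid."""
    subject = substitute(template, context)
    problems = validate_subject(subject)
    if problems:
        raise ValueError("; ".join(problems))
    return subject


# Constructed sample context; on the VSP these values come from LDAP and
# the device record.
SAMPLE_CONTEXT = {
    "USERID": "jdoe",
    "EMAIL": "jdoe@example.com",
    "USER_DN": "CN=Jane Doe,OU=Users,DC=example,DC=com",
    "DEVICE_CLIENT_ID": "f3a9c2",
}

if __name__ == "__main__":
    print(build_subject("CN=www.mobileiron.com-$DEVICE_CLIENT_ID$", SAMPLE_CONTEXT))
    print(build_subject("$USER_DN$", SAMPLE_CONTEXT))
    print(validate_subject("CN=" + "x" * 65))
```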


Why proxy?
Choosing to enable SCEP proxy functions has the following benefits:

A single certificate verifies Exchange ActiveSync, WiFi, and VPN configurations.
There is no need to expose a SCEP listener to the internet.
MobileIron can detect and address revoked and expired certificates.

Supported variables
You can use the following variables in fields that support variables:

$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$EMAIL$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$

If SCEP integration is not an option
If SCEP integration is not an option for your organization, consider configuring the MobileIron VSP as an intermediate or root CA. See Local Certificate Authorities: Using the VSP as a CA for more information.

Using Symantec Managed PKI
Symantec Managed PKI support enables you to configure certificate-based authentication for the following applications (supported platform in parentheses):

Exchange ActiveSync (iOS, native mail client)
VPN: IPSec, Cisco AnyConnect and JunOS Pulse (iOS and OS X)
WiFi (iOS and OS X)
NitroDesk TouchDown (Android)

Prerequisites
A valid Symantec VeriSign Managed PKI account is required.
To configure SCEP settings for Symantec Managed PKI, select the Symantec Managed
PKI option in the New SCEP Setting dialog (Policies & Configs > Configurations > Add
New > SCEP).
Selecting this option displays the following Symantec-specific settings:

URL Mode: Specifies the mode and the corresponding URL supplied by Symantec.
CA-Identifier: Required information supplied by Symantec.
Upload Certificate: Used to upload the certificate supplied by Symantec.

Using the OpenTrust integration
The VSP supports integration with the OpenTrust Mobile Provisioning Server (MPS). This integration enables OpenTrust to perform the proxy tasks that would normally be performed by the VSP.

Compatibility notes
This integration does not involve or support OpenTrust SCEP (decentralized) implementations. It is intended for those who want to deploy a non-SCEP implementation.
This integration does not support pushing Certificate Authority bundles to devices, which is offered by OpenTrust.
The VSP supports one certificate per OpenTrust configuration. OpenTrust supports creating profiles having multiple credentials (called "application" in the OpenTrust context). Therefore, the SCEP settings dialog automatically omits OpenTrust profiles that specify multiple credentials.

Pre-requisites
The information in this section assumes the following:

You have the URL for your OpenTrust cloud instance.
You have the client-side JSON connector identity certificate the VSP will use to authenticate to the MPS.
You have implemented a centralized (non-SCEP) OpenTrust cloud.
You have created a Mobile Management Profile on MPS containing a single centralized credential.


Configuring the integration with OpenTrust
Configuring the integration with OpenTrust requires creating a new SCEP configuration. Though SCEP is not supported with this integration, you still specify the integration data as part of a SCEP configuration.
To specify OpenTrust settings:
1. Select Policies & Configs > Configurations > Add New > SCEP.
2. Select Setting Type > OpenTrust.
3. In the URL field, enter the URL for your OpenTrust MPS server (received from OpenTrust).
4. Click Upload Certificate.
5. Click Browse.
6. Select the certificate you created for the integration.
7. Click Upload Certificate.
8. Enter the password for the certificate when prompted.
9. Select the MPS Mobile Profile to use for the integration.
If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that the VSP does not currently support.
The Description and Application Description fields are populated automatically with the corresponding OpenTrust content associated with the selected profile. In addition, Required Fields and Optional Fields for the certificate (as defined in the selected MPS profile) are displayed. (MPS stands for the Mobile Provisioning Service in OpenTrust.)


10. Enter supported variables for each field.
See Supported variables on page 243.
Note: Though Optional Fields are not required by OpenTrust, they are still used if present. Therefore, you must still specify the appropriate variable for each optional field. For example, the phone number might be an optional field because the tablets in your organization do not have phone numbers. However, MPS might still use this information to request a certificate from the PKI server if it is present.
11. Click Save.
Note: You can save the configuration before you have completed all required fields, enabling you to enter and save the information in stages.

Supported variables
The following variables are supported for the required and optional fields in a SCEP
configuration for OpenTrust:

$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$

$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$

Using Symantec Web Services Managed PKI
Integration with Symantec Web Services Managed PKI version 8.x enables you to configure certificate-based authentication.

Before you begin
Set up your account for Symantec Web Services Managed PKI with Symantec.
Create an MDM (Web Service Client) profile in the Symantec PKI manager that you will use for the MobileIron integration.

SeatID
Be sure to include the Symantec SeatID as a required certificate profile field. In a Symantec Web Services Managed PKI environment, Symantec uses the SeatID to track the number of seats for billing purposes.
To correctly track the number of seats, the SeatID value in the VSP SCEP settings must map to the value you created for the SeatID in the Symantec PKI Manager. For example, if the user's email address is used as the SeatID in Symantec PKI Manager, the VSP SCEP settings should map the VSP email address attribute to the Symantec SeatID.
The VSP associates each issued Symantec certificate to a SeatID in the Symantec PKI Manager. If the SeatID does not exist, a new Symantec user account and SeatID is automatically created for the user at the time the certificate is requested.

Gather the following items:
The server address for the Symantec Web Services Managed PKI. On the VSP, the default is set to pki-ws.symauth.com.
The Registration Authority (RA) certificate the VSP will use to authenticate to the Symantec CA.


Configuring the Symantec Web Services Managed PKI settings
To specify the Symantec Web Services PKI settings in the VSP Admin Portal:
1. Select Policies & Configurations > Configurations > Add New > SCEP.
2. Use the following guidelines to specify the settings:

Name: Enter brief text that identifies this group of settings.

Description: Enter additional text that clarifies the purpose of this group of settings.

Enable Proxy: Indicate whether to enable proxy functions.

Cache locally generated keys: Specifies whether the VSP stores the private key sent to each device. Removing the caching requirement after devices have been provisioned will require reprovisioning of certificates for all impacted devices.

User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

Device Certificate: Specifies that the certificate is bound to the given device.

Setting Type: Select Symantec Web Services Managed PKI.

Server: Enter the server address for the Symantec Web Services Managed PKI (received from Symantec). The default is set to pki-ws.symauth.com.
Note: Do not add https:// before the server name, and do not add path information after the server name. Only the hostname of the Symantec CA server should be provided.

Certificate: Upload Certificate: Click Upload Certificate to navigate to and select the RA certificate you received from Symantec. This is usually a .p12 file. Enter the password for the certificate when prompted.

Mobile Profiles: Select the MDM (Web Services Client) profile to use for this setting. Only the object ID (OID) for each profile is listed. The OID is a series of numbers. Before selecting the profile, you may want to check the Symantec Web Services PKI manager for the correct OID.

Description: The description is populated automatically with the corresponding content associated with the selected profile.

Application Description: The application description is populated automatically with the corresponding content associated with the selected profile.

The Required Fields and Optional Fields for the certificate are displayed based on how the MDM (Web Service Client) profile was set up in the Symantec PKI manager.

Required Fields: Enter supported variables for each field. See Supported variables on page 243.
Note: The SeatID value in the SCEP settings must map to the value you created for the SeatID in the Symantec PKI Manager.

Optional Fields: Enter supported variables for each field. See Supported variables on page 243.
Note: Though Optional Fields are not required by Symantec, they are still used if present. Therefore, you must still specify the appropriate variable for each optional field. For example, the phone number might be an optional field because the tablets in your organization do not have phone numbers. However, the Symantec Web Services server might still use this information to request a certificate from the PKI server if it is present.

Issue test certificate: Deselect this checkbox after an initial SCEP setting test. Some certificate authorities charge for each certificate. To avoid incurring additional charges, deselect this checkbox.

3. Click Save.
Note: You can save the setting before you have completed all required fields, enabling you to enter and save the information in stages.

Supported variables
The following variables are supported for the required and optional fields:

$EMAIL$
$USERID$
$FIRST_NAME$
$LAST_NAME$
$DISPLAY_NAME$
$USER_DN$
$USER_UPN$
$USER_LOCALE$
$DEVICE_UUID$
$DEVICE_UDID$
$DEVICE_IMSI$
$DEVICE_IMEI$
$DEVICE_SN$
$DEVICE_MAC$
$USER_CUSTOM1$
$USER_CUSTOM2$
$USER_CUSTOM3$
$USER_CUSTOM4$
$NULL$

Revoking the certificate


You can revoke a Symantec Web Services Managed PKI certificate.
Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The
certificate is also removed from the Symantec Web Services Managed PKI manager.
When a device authenticates with the VSP, the system first checks the CRL to verify
that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.
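The revocation flow above (the VSP consults the CRL before accepting a device certificate) is easy to get wrong when the CRL itself is missing or out of date. The following Python is an added illustration, not MobileIron's code, of the check order and the fail-closed handling a defender wants: the CRL is checked first, a missing, mismatched or stale CRL is treated as a failure rather than silently skipped, and only then is the validity period examined. Certificate and CRL are simplified records standing in for parsed X.509 objects; the issuer name, serials and timestamps in sample_scenario are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Certificate:
    """The fields of a device identity certificate this check needs."""
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """A Certificate Revocation List as published by the issuing CA."""
    issuer: str
    this_update: datetime
    next_update: datetime
    # serial number -> time of revocation
    revoked: Dict[int, datetime] = field(default_factory=dict)

    def revoke(self, serial: int, when: datetime) -> None:
        """Add a serial to the list, as the Revoke action does."""
        self.revoked[serial] = when


def check_certificate(cert: Certificate, crl: Optional[CRL], now: datetime) -> Tuple[bool, str]:
    """Decide whether a presented certificate may authenticate.

    The CRL is consulted first, then the validity period. A missing, stale
    or mismatched CRL fails closed: a device whose certificate was revoked
    must not keep authenticating merely because the list could not be
    refreshed.
    """
    if crl is None:
        return False, "no CRL available for issuer"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer does not match certificate issuer"
    if now > crl.next_update:
        return False, "CRL is stale (past nextUpdate)"
    if cert.serial in crl.revoked:
        return False, f"certificate revoked at {crl.revoked[cert.serial].isoformat()}"
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, "certificate expired"
    return True, "ok"


# Constructed sample data; issuer name, serials and times are placeholders.
ISSUER = "CN=Example Device CA,O=Example Corp"
T0 = datetime(2013, 8, 7, 12, 0, 0)          # "now" for the scenario
T_STALE = T0 + timedelta(days=2)             # after the CRL's nextUpdate


def sample_scenario() -> Tuple[CRL, Certificate, Certificate, Certificate]:
    """A fresh CRL plus one good, one revoked and one expired device certificate."""
    crl = CRL(issuer=ISSUER,
              this_update=T0 - timedelta(hours=1),
              next_update=T0 + timedelta(days=1))
    good = Certificate(serial=0x1001, issuer=ISSUER,
                       not_before=T0 - timedelta(days=30),
                       not_after=T0 + timedelta(days=335))
    revoked = Certificate(serial=0x1002, issuer=ISSUER,
                          not_before=T0 - timedelta(days=30),
                          not_after=T0 + timedelta(days=335))
    expired = Certificate(serial=0x1003, issuer=ISSUER,
                          not_before=T0 - timedelta(days=400),
                          not_after=T0 - timedelta(days=1))
    crl.revoke(revoked.serial, T0 - timedelta(minutes=30))
    return crl, good, revoked, expired


if __name__ == "__main__":
    crl, good, revoked, expired = sample_scenario()
    for label, cert in (("good", good), ("revoked", revoked), ("expired", expired)):
        print(label, check_certificate(cert, crl, T0))
    print("stale CRL", check_certificate(good, crl, T_STALE))
```

Treating a stale CRL as a failure is a policy choice; it is the safe default for a device-authentication gateway, because the alternative lets a revoked certificate keep working for as long as the CRL fetch stays broken.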


Docs@Work settings
Android

iOS

Win 7

WP8

yes

yes

Select Policies & Configs > Configurations > Add New > Docs@Work to configure
access to content servers.
For information about setting up the Docs@Work configuration, see Set up
Docs@Work configurations on page 463.


Web@Work settings
Select Policies & Configs > Configurations > Add New > Web@Work to specify bookmarks and AppTunnel settings for the Web@Work app. See Configure AppTunnel and
Bookmarks for Web@Work on page 535.


iOS and OS X settings
The following iOS- and OS X-specific settings are available:

General
CalDAV
CardDAV
Web Clips
Configuration Profile
LDAP

General settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > General to specify the basic information for interactions with the iOS and OS X configuration profiles.
Note: General settings can be set once; if you want to use this screen to change these settings, then the user must manually delete the profile.

Name: Enter brief text that identifies this group of iOS and OS X general settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.

Identifier: Specify the profile identifier. It must uniquely identify this profile. Use the format com.companyname.identifier, where identifier describes the profile, as in com.mycompany.work.

Organization: Specify the issuing organization of the profile, as it will be shown to the user.

Control when the profile can be removed: Not for iOS with MDM: Specify when configuration profiles should be removed:
Always: always removable.
With Authentication: removable with authentication.
Never: never removable. Select this option to prevent users from removing the profile.

CalDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CalDAV to specify parameters for connecting to CalDAV-compliant calendar servers. CalDAV (or Calendaring Extensions to WebDAV) is a remote calendar access standard supported by iOS and OS X.
The user may be prompted for any settings you do not specify.

Name: Enter brief text that identifies this group of iOS and OS X CalDAV settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X general settings.

HostName: Enter the host name of the calendar server.

Port: Enter the port for the calendar server.

Principal URL: Enter the URL for accessing calendar services.

Use SSL: Select to use SSL for data transfer.

User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported Variables on page 251.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_US. See Supported Variables on page 251.

iOS 4 supports only a single CalDAV setting. Therefore, only the first CalDAV configuration applied to an iOS 4 device will take effect.

Supported Variables
You can use the following variables in fields that support variables.

$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

CardDAV settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > CardDAV to configure access to subscription address books compatible with this protocol.
Note: This configuration is supported on iOS and OS X v10.8 and later. OS X v10.7 Lion is not supported.

Name: Enter brief text that identifies this group of iOS and OS X subscribed address book settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X subscribed address book settings.

HostName: Enter the hostname or IP address of the CardDAV account.

Port: Enter the port number of the CardDAV account.

Principal URL: Enter the Principal URL for the CardDAV account.

Use SSL: Select to use SSL for data transfer.

User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported variables on page 252.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported variables on page 252.

Supported variables
You can use the following variables in fields that support variables.

$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)

Web Clips settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > Web Clips to add web clips to the Home screen of the user's device.
Web clips provide fast access to favorite web pages. Make sure the URL you enter includes the prefix http:// or https://.

Web Clips Set Name: Enter brief text that identifies this group of iOS and OS X web clips settings.

Description: Enter additional text that clarifies the purpose of this group of iOS and OS X web clips settings.

When you click Add New, the following popup displays.
Use the following guidelines to complete the web clip entry:

Name: Enter brief text to describe the web clip. This is the text that users will see.

Address/URL: Enter the address or URL for the target of the web clip.

Removable: iOS only: Clear the Removable checkbox to prevent users from removing the web clip once it is pushed out to their phones.

Full Screen: iOS only: By default, Full Screen is selected. When selected, the web clip is displayed as a full-screen application.

Precomposed: iOS only: By default, Precomposed is selected. When selected, iOS will not add the bezel shading effect to the icon.

Icon: Select an icon to display for the web clip.

Configuration profile settings

Occasionally, you may find it necessary to upload an iOS or OS X configuration profile generated from outside of MobileIron (e.g., from Profile Manager). In this case, you can select Policies & Configs > Configurations > iOS and OS X > Configuration Profile to upload the file.

LDAP settings
Select Policies & Configs > Configurations > Add New > iOS and OS X > LDAP to configure an LDAP profile for iOS and OS X devices.


Use the following guidelines to complete this form. The iOS 5 Configuration Reference may also be useful.

Name: Descriptive name to use when referencing this configuration.

Account Description: Optional. Description of the LDAP account.

Account Username: Optional. Username for accessing the LDAP account.

Account Password: Optional. Password that corresponds to the Account Username value. The password applies to encrypted accounts.

Account Confirm Password: Optional. Confirms the password entered in the Account Password field.

Account Hostname: The hostname for the LDAP server.

Use SSL: Whether to use SSL.

Search Settings: Should have at least one entry for the account. Each entry represents a node in the LDAP tree from which to start searching. Click the + button to add a new entry, then edit the entry. An entry consists of the following values:
Description: Explains the purpose of the search setting.
Scope: Select Base, Subtree, or One Level to indicate the scope of the search. Base indicates just the node level, Subtree indicates the node and all children, One Level indicates the node and one level of children.
Search Base: The conceptual path to the specified node (e.g., ou=people, o=mycorp).


iOS settings
The following iOS-specific settings are available:

Restrictions
Subscribed Calendars
APN
Provisioning Profile

Restrictions settings

Select Policies & Configs > Configurations > Add New > iOS > Restrictions to specify lockdown capabilities for iOS. The following table summarizes the settings.

Name: Enter brief text that identifies this group of iOS restriction settings.

Description: Enter additional text that clarifies the purpose of this group of iOS restriction settings.

Device Functionality

Allow Installing Apps: Select to enable the user to install applications. Unselect to disable the App Store and remove its icon from the Home Screen. As a result, users will be unable to install App Store applications on the device. This setting does not impact installation of in-house apps.

Allow use of Camera: Select to enable the user to operate the camera. Unselect to disable the camera and remove its icon from the Home screen. As a result, users will be unable to take photographs.

Allow FaceTime: Select to allow the user to run FaceTime if the camera is enabled.

Allow Screen Capture: Select to allow the user to operate the native screen capture function.

Allow automatic sync while roaming: Select to allow synchronization of mail accounts while the device is outside of its home country.

Allow Siri: Select to allow the personal assistant app on supported devices.

Allow Siri while device locked: Select to allow the personal assistant app to perform tasks even when the device is locked.

Allow voice dialing: Select to allow users to access voice dialing features.

Allow in app purchases: Select to allow users to make purchases through apps running on the device.


Force users to enter store password for all purchases (iOS 5 and later): Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.

Allow multiplayer gaming: Select to allow users to play games that include other users.

Allow adding Game Center friends: Select to allow device users to add friends to their gaming social network in the Apple Game Center.

Allow interactive installation of configuration profiles and certificates: iOS 6.0 and later. Supervised devices only. Select to allow users to install configuration profiles and certificates interactively.

Allow Passbook notifications while locked: iOS 6.0 and later. Select to allow Passbook notifications to be shown on the lock screen.

Applications

Allow Use of YouTube: Select to allow use of the YouTube site. Unselect to disable YouTube and remove its icon from the Home screen.

Allow Use of iTunes Music Store: Select to allow use of the iTunes Music Store. Unselect to disable iTunes Music Store and remove its icon from the Home screen. As a result, users will not be able to preview, purchase or download content.

Allow use of Safari: Select to allow use of the Safari web browser. Unselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.

Enable autofill: Select to turn on the autofill feature for fields displayed in Safari.

Force fraud warning: Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.

Enable Javascript: Select to turn on Javascript support for Safari.

Block pop-ups: Select to block pop-ups for Safari.

Accept cookies: Select to allow cookies.

iCloud (iOS 5 and later)

Allow backup: Select to allow the device to back up data via Apple's iCloud service.

Allow document sync: Select to allow documents to be synchronized via Apple's iCloud service.

Allow Photo Stream: Select to allow photos to be synchronized to your other iOS devices via Apple's iCloud.


Allow shared photo streams: iOS 6.0 and later. Select to allow synchronization of shared photos.

Allow use of iBookStore: iOS 6.0 and later. Supervised devices only. Select to allow access to iBookstore.

Allow Game Center: iOS 6.0 and later. Supervised devices only. Select to allow access to Game Center.

Allow iMessage: iOS 6.0 and later. Supervised devices only. Select to allow use of iMessage.

Security and Privacy

Allow diagnostic data to be sent to Apple: iOS 6.0 and later. Select to allow automatic submission of diagnostic data to Apple.

Allow user to accept untrusted TLS certificates: Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.

Force encrypted backups: Requires encrypted backups via iTunes. Automatically selected due to SCEP requirements.

Content Ratings

Allow explicit music & podcasts: Select to allow access to websites having adult ratings. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.

Allow iBookstore media that has been tagged as erotica: iOS 6.0 and later. Supervised devices only. Select to allow users to download iBookstore material that has been tagged as erotica.

Ratings region: Select a region from the dropdown list to change the region associated with the rating selections for applications, TV shows, and movies.

Allowed content ratings: Select the allowed rating for each type of medium: movies, TV shows, and apps.

Movies: Select a rating limit for movies stored on the device: Don't Allow Movies, G, PG, PG-13, R, NC-17.


TV Shows: Select a rating limit for TV shows stored on the device: Don't Allow TV Shows, TV-Y, TV-Y7, TV-G, TV-PG, TV-14, TV-MA, Allow All TV Shows.

Apps: Select a rating limit for applications on the device: Don't Allow Apps, 4+, 9+, 12+, 17+, Allow All Apps.

Subscribed Calendars settings

Select Policies & Configs > Configurations > Add New > iOS > Subscribed Calendars to configure read-only calendar subscriptions for the device's Calendar application. A list of public calendars you can subscribe to is available at www.apple.com/downloads/macosx/calendars/.

Name: Enter brief text that identifies this group of iOS subscribed calendar settings.

Description: Enter additional text that clarifies the purpose of this group of iOS subscribed calendar settings.

URL: Enter the URL for accessing the subscribed calendar.

Use SSL: Select to use SSL for data transfer.


User Name: Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format. Why: Some enterprises have a strong preference concerning which identifier is exposed. See Supported Variables on page 259.

Password: Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See Supported Variables on page 259.

iOS devices accept settings for up to four subscribed calendars. Therefore, any additional calendar settings applied to an iOS device will be ignored.

Supported Variables
You can use the following variables in fields that support variables.

$USERID$
$EMAIL$
$NULL$
$USER_CUSTOM1$ ... $USER_CUSTOM4$ (custom fields defined for LDAP)
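As an added illustration (Go written for this page, not MobileIron code) of how the default and custom formats in the User Name and Password fields above, and in the CardDAV settings earlier in this chapter, expand for one user: it assumes plain string substitution of the variables listed here plus $PASSWORD$ (the Password field default), with $NULL$ producing an empty value, and it rejects any variable name outside that list so a typo cannot reach the device as literal text. The user record and the mistyped $USERNAME$ are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// UserRecord holds the per-user values substituted into configuration fields.
// Field names mirror the variables the guide lists; Custom is USER_CUSTOM1..4.
type UserRecord struct {
	UserID   string
	Email    string
	Password string
	Custom   [4]string
}

// varPattern matches one $NAME$ token.
var varPattern = regexp.MustCompile(`\$[A-Z0-9_]+\$`)

// ExpandField substitutes every supported variable in a field format such as
// "$PASSWORD$_$USERID$" (assumed here to be simple string replacement). An
// unsupported variable is reported as an error rather than passed through, so a
// mistyped name cannot be pushed to a device as literal text.
func ExpandField(format string, u UserRecord) (string, error) {
	var bad []string
	out := varPattern.ReplaceAllStringFunc(format, func(tok string) string {
		switch name := strings.Trim(tok, "$"); name {
		case "USERID":
			return u.UserID
		case "EMAIL":
			return u.Email
		case "PASSWORD":
			return u.Password
		case "NULL":
			return "" // $NULL$ sends an empty value
		case "USER_CUSTOM1", "USER_CUSTOM2", "USER_CUSTOM3", "USER_CUSTOM4":
			return u.Custom[name[len(name)-1]-'1'] // last digit selects the LDAP custom field
		}
		bad = append(bad, tok)
		return tok
	})
	if len(bad) > 0 {
		return "", fmt.Errorf("unsupported variable(s) %s in %q", strings.Join(bad, ", "), format)
	}
	return out, nil
}

func main() {
	// Constructed sample user; in a deployment these values come from LDAP.
	u := UserRecord{UserID: "jdoe", Email: "jdoe@example.com", Password: "s3cret", Custom: [4]string{"eng"}}
	for _, f := range []string{"$USERID$", "$EMAIL$", "$PASSWORD$_$USERID$", "$USER_CUSTOM1$-$NULL$", "$USERNAME$"} {
		v, err := ExpandField(f, u)
		fmt.Printf("%-24s -> %q %v\n", f, v, err)
	}
}
```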

APN settings

Select Policies & Configs > Configurations > Add New > iOS > APN to define parameters for access point interactions, which define how the device accesses the operator's network.

Access Point Name: Identifier available from the operator.

Description: Enter additional text that clarifies the purpose of this group of iOS APN settings.

User Name: Enter a user name authorized for this access point.

Password: Enter the password corresponding to the user name entered.

Proxy Server: Enter the IP address or URL of the APN proxy.

Port: Enter the port number of the APN proxy.

Provisioning Profile settings

Occasionally, you may find it necessary to upload an iOS provisioning profile generated from outside of MobileIron. In this case, you can select Policies & Configs > Configurations > Add New > iOS > Provisioning Profile to upload the file.


iOS and OS X differences

The following table outlines important differences in feature support between OS X and iOS.

CalDAV
Mac OS X: MDM authenticates the account before pushing profiles. Therefore, if the VSP does not have valid credentials, it will not push the profile. "Save user password" (Settings > Preferences > Save User Password Preferences) must be enabled.
iOS: MDM does not authenticate the account before pushing profiles. The device user is prompted to enter a password.

CardDAV
Mac OS X: MDM does not authenticate the account. If no credentials are available, the contacts will not be synchronized and the device user will not be prompted for a password.
iOS: MDM does not authenticate the account before pushing profiles. The device user is prompted to enter a password.

Exchange
Mac OS X: Only Contacts are synchronized. SSL is required.
iOS: Email, contacts, tasks, and appointments are synchronized.

Web clip
Mac OS X: Profiles will not be pushed if the size of the web clip image is greater than 20K.
iOS: Profiles will be pushed, regardless of the size of the web clip image.


Samsung KNOX support

The Samsung KNOX Container enables BYOD initiatives by creating a zone for corporate apps within each device. This zone secures access to corporate apps and data.
To configure support for the Samsung KNOX Container:
1. Create a Samsung Browser configuration. If you do not intend to specify browser behavior in the container, you can skip this step. See Android Samsung browser settings on page 200.
2. Create an Exchange configuration for the container. If you do not intend to specify email client behavior in the container, you can skip this step.
3. Create a Samsung Container configuration. The Samsung Container configuration will specify the Samsung Browser configuration and the Exchange configuration you created for the container. See Android Samsung Container settings on page 202.
4. Create one or more labels to identify the devices that will receive the Samsung Container configuration.
5. Assign the Samsung Container configuration to the appropriate labels.
Once the configuration is present on the device, the device begins creating the container as specified.

Disabling the container

To manually disable the Samsung container:
1. In the Devices page, select the devices that have received the Samsung Container configuration.
2. Select More Actions > Disable Container.
The container remains disabled until you manually re-enable it.

Re-enabling the container

A Samsung container can be automatically disabled by policy, such as when the device user enters the container password incorrectly too many times. You can manually disable the container using the Disable Container action.
To manually re-enable the Samsung container:
1. In the Devices page, select the devices on which the container has been disabled.
2. Select More Actions > Enable Container.

Chapter 7

Managing Certificates

Overview of certificates
MobileIron is capable of distributing and managing certificates. Certificates are mainly used for the following purposes:

Establishing secure communications
Encrypting payloads
Authenticating users

Certificates establish user identity while eliminating the need for users to enter user names and passwords on their mobile devices. Certificates streamline authentication to key enterprise resources, such as email, Wi-Fi, and VPN. Some applications require the use of certificates for authentication.
The following diagram compares a certificate to a passport:

The certificate includes information that identifies the user, device, or server that holds the certificate.
The MobileIron solution provides the flexibility to use the VSP as a local certificate authority, an intermediate certificate authority, or as a proxy for a trusted certificate authority.


Types of certificates
MobileIron uses the following types of certificates:

Client TLS: Secures communication between a client device and the VSP, over port 9997.

Portal: Secures HTTP communication, over port 443, between a web browser and the VSP. Can be the same certificate as the client TLS certificate.

VSP server SSL: Can be either self-signed or third-party certificates. By default, VSP generates self-signed certificates. You can use trusted certificates from third-party certificate providers such as Verisign, Thawte, or Go Daddy. Kerberos and Entrust certificates are also supported.

Sentry server SSL: Identifies the Sentry to the client and secures communication, over port 443, between devices and the Sentry.

iOS MDM: Validates profile authenticity for iOS. Enables the MDM feature set for iOS devices. Uses port 2195 to communicate with Apple APNS.

iOS enrollment: Verifies the identity of the iOS configuration profile. We recommend using the same certificate for the client TLS, portal, and iOS enrollment certificates.

Windows Phone 8 (WP8) enrollment: Issued by the VSP to authenticate the device. This is the local CA certificate.

Client identity: Verifies the identity of users and devices and can be distributed through SCEP/NDES.

The following diagram illustrates where each certificate type is used in the MobileIron architecture:


Supported certificate scenarios

MobileIron supports the following certificate scenarios:

Using the VSP as a Certificate Authority
Using the VSP as a certificate proxy
Using Kerberos constrained delegation
More information

Using the VSP as a Certificate Authority

Standard SCEP integration requires SCEP enrollment with a certificate server. If SCEP integration is not an option for your organization, you can configure the MobileIron VSP as an intermediate Certificate Authority (CA) or independent root CA instead, eliminating the need for an additional server.
The local certificate authority feature is available starting with MobileIron VSP 4.1. You can configure the VSP as a local certificate authority for the following scenarios:

VSP as an Independent Root CA (self-signed): Configure the VSP as an independent root certificate authority if you are using a self-signed certificate. Use this option if your company does not have its own certificate authority and you are using the VSP as the certificate authority.

VSP as an Intermediate CA: Use this option when your company already has its own certificate authority. Using the VS as an Intermediate CA gives your mobile device users the advantage of being able to authenticate to servers within your company intranet.

See the Local Certificate Authorities: Using the VSP as a CA tech note, available on the MobileIron Support site.

Using the VSP as a certificate proxy

MobileIron can act as a proxy to a 3rd party CA by using SCEP or APIs exposed by the 3rd party CA. This enables you to configure certificate-based authentication for iOS, WP8, and Android devices.
Using the VSP as a certificate proxy has the following benefits:

The certificate verifies Exchange ActiveSync, Wi-Fi and/or VPN connections, eliminating the need for passwords that are complex to manage.
MobileIron can detect and address certificate renewal and ensure that devices cannot reconnect to enterprise resources if they are out of compliance with company policies.
Simplified enrollment with the following: MS SCEP, Entrust, Local CA, Symantec Managed PKI, User provided certificates, Open Trust, Symantec Web Services Managed PKI.

The following applications are supported (columns: Android, iOS, WP8 (d)):

ActiveSync: Android yes (a), iOS yes (b), WP8 yes
VPN: Android -, iOS yes (c)
Wi-Fi: Android yes, iOS yes

(a) Android with Email+ and TouchDown
(b) Mail+, iOS native mail client
(c) IPSec, Cisco AnyConnect, and JunOS Pulse
(d) Only root and intermediate CA are supported

The following certificates are supported (columns: Android, iOS, WP8):

MS SCEP: Android yes, iOS yes, WP8 yes
Entrust: Android yes, iOS yes
Local CA: Android yes, iOS yes, WP8 yes
Symantec Managed PKI: Android yes, iOS yes
User provided certificates: Android yes, iOS yes
Open Trust: Android yes, iOS yes
Symantec Web Services Managed PKI: Android yes, iOS yes

For information about how to create SCEP settings in the VSP, see SCEP settings on page 237.

Using Kerberos constrained delegation

You can use Kerberos constrained delegation (KCD) for authenticating the device to the ActiveSync server and the app server.
For detailed information about how to configure MobileIron to use Kerberos authentication, see:

Device and server authentication support for Standalone Sentry on page 328.
The Authentication Using Kerberos Constrained Delegation tech note, available on the MobileIron Support site.


More information
For detailed information about how to set up the VSP as a SCEP proxy in a managed PKI environment, see the Setting up Symantec VeriSign Managed PKI Integration tech note, available on the MobileIron Support site.
For detailed information about how to set up certificate-based authentication for iOS, see the Certificate-based Authentication for iOS tech note, available on the MobileIron Support site.
For detailed information about managing certificates on Android devices, see the MobileIron for Android Release Upgrade Guide for Android Client 4.5.6.
For detailed information about how to set up MobileIron to use Entrust, see the Authentication Using Entrust Certificate Types tech note, available on the MobileIron Support site.

Chapter 8

Troubleshooting Devices


Overview of troubleshooting devices

MobileIron provides troubleshooting features that help you support your device users and diagnose problems:

Force Device Check-In
Using logs
Service Diagnostic screen

To troubleshoot issues involving MobileIron Server operation, see Section III: System Management.


Force Device Check-In

Android | iOS | OS X | Win 7 | WP8
yes | yes | yes

You can use the Force Device Check-in feature to force the device to connect to the MobileIron Server. You might use this feature if the MobileIron Client has not connected for some time, or you want to override a long sync interval to download updates. You can use this feature to troubleshoot MobileIron operations.
Note: The Force Device Check-in feature does not sync the policies and app settings related to AppConnect. The app checkin interval on the AppConnect global policy controls updates to those policies and app settings. See Configuring the AppConnect global policy on page 484.
To force registered devices to check in:
1. Display the Users & Devices page.
2. Select the checkbox for the device in the All Devices page.
3. Select Force Device Check-in from the Actions menu.
4. In the displayed dialog, confirm the user and device information and enter a note.
5. Click Force Device Check-in.
Note that the phone user may have a Connect Now option that forces the MobileIron Client to attempt to connect to the MobileIron Server.


Using logs
The following Log pages in the Admin Portal enable you to easily navigate through the MobileIron log entries to find the information you need.

MDM Log: for iOS MDM entries
Certificate Log: for certificate-related entries
Browse All: for MobileIron device management entries

MDM Log
The MDM Log displays MDM-specific log entries. Filter the log entries using the following criteria:

Actions
States
User
Device
Error text
Detail text
Date range

Viewing Errors
Errors result in the display of a View Error link in the Error column. Click the link to display error details.

Certificate Log
The Certificate Log displays certificate-related log entries. You can remove selected certificates from the log and revoke selected certificates. Filter the log entries using the following criteria:

User name
Setting name
Expiration date range

Removing a Certificate From the Certificate Log
To remove a certificate from the Certificate Log:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to remove.
3. Click Remove.


Revoking a Certificate
You can revoke certificates created using a Local Certificate Authority. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with the VSP, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
1. Navigate to Logs & Events > Certificate Logs.
2. Select the certificate that you want to revoke.
3. Click Revoke.
The certificate will be added immediately to the CRL so the next time the device attempts to authenticate, authentication will fail.
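The following Go example, added here and not MobileIron's implementation, models the check described above with real X.509 objects: a local CA issues two client identity certificates, revokes one, publishes a CA-signed CRL, and the authentication routine rejects the revoked certificate even though its chain would still verify. It also refuses a CRL the CA did not sign, a check a relying party must make before trusting any revocation data. The LocalCA type, the CA name and the device identities are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCA models the VSP as a Local CA: it issues client identity certificates and keeps the CRL.
type LocalCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
	serial  int64 // next certificate serial number
}

func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewLocalCA creates a self-signed root, the "Independent Root CA" scenario.
func NewLocalCA() (*LocalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example VSP Local CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return &LocalCA{Cert: cert, key: key, serial: 2}, nil
}

// Issue signs a client identity certificate for one user or device.
func (ca *LocalCA) Issue(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key stays on the device
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.serial++
	return signCert(tmpl, ca.Cert, &key.PublicKey, ca.key)
}

// Revoke puts the certificate's serial number on the CRL, effective immediately.
func (ca *LocalCA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// CRL publishes a CA-signed, DER-encoded CRL listing every revoked serial.
func (ca *LocalCA) CRL() ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()), // must increase with each CRL
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: ca.revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// Authenticate checks the CRL before the chain: a listed certificate fails even if its chain is valid.
func Authenticate(cert, caCert *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	// Never act on a CRL the CA did not sign.
	if err := crl.CheckSignatureFrom(caCert); err != nil { return fmt.Errorf("CRL not signed by the CA: %w", err) }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is on the CRL: authentication fails", cert.SerialNumber)
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, _ := NewLocalCA()
	active, _ := ca.Issue("jdoe-phone") // constructed device identities
	lost, _ := ca.Issue("jdoe-old-phone")
	ca.Revoke(lost)
	crl, _ := ca.CRL()
	fmt.Println("active:", Authenticate(active, ca.Cert, crl), "| revoked:", Authenticate(lost, ca.Cert, crl))
}
```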

Browse All Logs (General Log)

The Admin Portal tracks status and operations for each managed device using log entries. You can use log entries to confirm that your actions have been completed and to investigate problems.

Browsing all log entries
Displaying related log entries
Searching log entries

Browsing all log entries
The All Logs screen enables you to work with all log entries, regardless of whether the corresponding action has been completed.

Displaying related log entries

Once you find a log entry of interest, you can filter the display to show only that entry and related entries:
1. Select the entry of interest.
2. Click Show Related.

Searching log entries

To search the log entries for specific information:
1. Click the Search button.

2. Use the following guidelines to enter criteria for your search:

Subject Related To: If you are looking for log entries related to a specific phone number, enter the phone number.

Actions: Select the types of actions you want to see log entries for.

Requested: Specify a range of time during which the action was requested.

Completed: Specify a range of time during which the action was completed.

Status: Specify whether you want to see log entries having a specific status.

3. Click Search.


Service Diagnostic screen

The Service Diagnostic screen in Admin Portal provides a health check for the following services:

LDAP
Sentry
Connector

To display the Service Diagnostic screen, select Settings > Service Diagnostics. Click Verify All to recheck the listed services, or click the Verify button next to a specific service to verify just that service.

Chapter 9

Working with Events


About events
The Event Center enables MobileIron administrators to connect events to specific alerts. For example, you can specify an SMS to be sent each time a user enters a different country, informing the user that different rates may apply.
The Event Center currently recognizes the following events:

International Roaming Event
Threshold Reached Event
SIM Changed Event
Memory (Storage) Size Exceeded Event
System Event
Policy Violations Event

Events page
Use the Events (Admin Portal > Logs & Events > Event Settings) page to manage the events you are interested in and the corresponding actions you want to automate.

Required role
Users must have the Events role to access the Event Settings page. See Assigning and removing roles on page 57.


Managing events
Each event type recognized by the Event Center has settings specific to the event type. See Event types on page 281 for information on specific settings. This section explains tasks related to all event types:

Creating an event
Editing an event
Deleting an event
Setting alert preferences

Creating an event
To create an event:
1. Click Logs & Events > Event Settings in the Admin Portal.
2. Click Add New.
3. Select the type of event from the dropdown.
4. Complete the information for the selected event.
5. Click Save.
6. Refresh the screen to display the new event.

Making sure the alert is sent to the correct recipients

When you create an event, you have the opportunity to designate recipients for the resulting alert. Each event type includes the alert configuration section shown in the following figure.

For each type of alert (SMS, email, and push notification, i.e., APNs or C2DM), you can select one of the following:

User only
User + Admin
Admin only


If you select one of the Admin options, then a CC to Admins section displays in the dialog. Use this section to select those users, other than the device user, who should be notified. Only users having registered devices display in this list.

Applying the event to a label

To specify the devices to which the event should apply, you select one or more labels when you create the event. The amount of time it takes to apply an event to a label depends on the number of devices identified by the label. Therefore, it may take some time for the label name to display as selected for the event.

Editing an event
To edit an event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Select the event you want to edit.
3. Click the Edit button.
4. Make your changes.
5. Click Save.

Deleting an event
To delete an event:
1. Click the Events Center tab in Admin Portal.
2. Select the event you want to delete.
3. Click the Delete button.

Setting alert preferences

You can specify the number of times that MobileIron repeats an attempt to send an email or SMS alert:
1. Click the Settings tab in the Admin Portal.
2. Click the Preferences link.
3. In the Alert Preferences section, enter the number of retries for SMS and email.
4. Click Save.


Event types
Each event type has specific settings that need to be configured. This section describes the settings for each type.
The current event types are:

International roaming event
Threshold reached event
SIM changed event
Memory size exceeded event
System Event
Policy Violations Event

International roaming event

Android | iOS | Win 7 | WP8
yes | yes

Note that international roaming detection is not supported for dual-mode devices (i.e., devices that switch between GSM and CDMA).
To create an international roaming event:
1. Click Logs & Events > Event Settings in Admin Portal.
2. Click Add New.
3. Select International Roaming Event from the dropdown menu.


4. Use the following guidelines to create an international roaming event:

Name: Identifier for this notification.

Description: Additional text to clarify the purpose of this notification.

Generate Alert: Turns on/off the alert defined for this event. Not currently implemented.

Alert for Every Country Visited in the Trip: Generates an alert for each country visited after the user leaves the home country.

Maximum Alerts: Specifies whether there is a limit on the number of alerts generated for a given trip. If you select Limited, then you can specify the number of alerts to allow. Once the user returns to the home country, the count is returned to 0.

Severity: Specifies the severity defined for the alert: Critical, Warning, and Information.


Template: Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See page 303 for information on creating a new template. (The MobileIron Event Center sends emails, SMSes, and push notification messages based on triggering events; when you configure events, you can use the default message template or create a new one, and Event Center templates enable you to specify content and basic formatting using HTML markup.)

Send SMS: Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email: Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification: Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels: Associate this event with the selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users: Enter the user ID to find devices to which you want to apply this event.

Apply to Users: Associate this group of settings with the selected users.

Company Confidential
283

Working with Events

5.

Field

Description

Exclude Labels

Do not apply this event to selected labels. See


Using labels to establish groups on page 130
for information on labels.

Search Users

Enter the user ID to find devices that should not


have this event applied.

Exclude Users

Do not apply this event to the selected users.

CC to Admins

If you selected Admin only or User + Admin,


then the CC to Admins section displays. Use this
section to specify administrative users who
should receive the alert.

Click Save.

Note: If more than one international roaming event applies to a device, only the last
one you edited and saved is triggered.

Threshold reached event

Android    iOS    Win 7    WP8

To create a threshold reached event:

1. Click Logs & Events > Event Settings in Admin Portal.

2. Click Add New.

3. Select Threshold Reached Event from the dropdown menu.

4. Use the following guidelines to create a threshold reached event:

Name
Identifier for this event.

Description
Additional text to clarify the purpose of this event.

Threshold on
Specifies whether the notification applies to International Roaming events or Total Usage.

SMS
Specifies whether SMS usage is limited. If limited, specifies the number of text messages that must be exceeded to trigger the notification. For international events, the SMS count is reset when international roaming stops. For total usage events, the alert count is reset at the end of the month.

Voice
Specifies whether voice usage is limited. If limited, specifies the number of voice minutes that must be exceeded to trigger the notification. For international events, the voice minute count is reset when international roaming stops. For total usage events, the voice minute count is reset at the end of the month.

Data
Specifies whether data usage is limited. If limited, specifies the number of data MB that must be exceeded to trigger the notification. For international events, the data MB count is reset when international roaming stops. For total usage events, the alert count is reset at the end of the month.

Use billing plan allowances when available
Specifies that limits specified in a billing plan should override the default thresholds for SMS, voice, and data. This feature is not supported.

Pre-threshold Action
Specifies that an alert should be generated before the threshold is reached, based on the specified percentage of the threshold. For example, you may want to send a warning when the usage reaches 80% of the specified threshold.

Post-threshold Action
Specifies that an alert should be generated after the threshold is reached, based on the specified percentage of the threshold. For example, you may want to send a warning when the usage reaches 120% of the specified threshold.

Generate Alert
Turns on/off the alert defined for this event. Not currently implemented.

Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.

Template
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Adding custom Event Center messages on page 303 for information on creating a new template.

Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification
Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels
Associate this event with the selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices to which you want to apply this event.

Apply to Users
Associate this group of settings with the selected users.

Exclude Labels
Do not apply this event to selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices that should not have this event applied.

Exclude Users
Do not apply this event to the selected users.

CC to Admins
If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Note: If more than one threshold reached event applies to a device, only the last one you edited and saved is triggered.
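The threshold settings above interact in a way the table cannot show in one place: the pre-threshold and post-threshold percentages are measured against the same limit, each stage should fire once per counting period, and the counters reset for a different reason depending on whether the event is an International Roaming or a Total Usage event. The following Python model is an added example written for this guide; it is not MobileIron code and makes no claim about how the VSP implements the event internally. The meter names, the event and counter classes, and the reset reasons ("roaming_stopped", "month_end") are assumptions chosen for the illustration; the 80% and 120% figures and the 100 MB limit are constructed sample values.

```python
"""Illustrative model of a threshold reached event (added example, not
MobileIron code). It assumes the behaviour the guide describes: one usage
threshold per meter (SMS messages, voice minutes, data MB), optional
pre-threshold and post-threshold actions expressed as a percentage of the
threshold, and counters that reset at month end for Total Usage events or
when roaming stops for International Roaming events."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

METERS = ("sms", "voice", "data")   # units: messages, minutes, MB


@dataclass
class ThresholdEvent:
    name: str
    threshold_on: str                 # "International Roaming" or "Total Usage"
    limits: Dict[str, int]            # meter -> threshold; unlimited meters are omitted
    pre_pct: Optional[int] = None     # Pre-threshold Action, e.g. 80 (percent)
    post_pct: Optional[int] = None    # Post-threshold Action, e.g. 120 (percent)
    severity: str = "Warning"


@dataclass
class DeviceCounters:
    """Per-device usage since the last reset, plus the stages already alerted."""
    used: Dict[str, int] = field(default_factory=lambda: {m: 0 for m in METERS})
    fired: Set[Tuple[str, str]] = field(default_factory=set)


def record_usage(ev: ThresholdEvent, dev: DeviceCounters, meter: str, amount: int) -> List[str]:
    """Add usage to one meter and return the alerts this update newly triggers.

    Each stage (pre, threshold, post) fires at most once per counter cycle; a
    single large update can cross several stages at once."""
    dev.used[meter] += amount
    if meter not in ev.limits:        # meter is not limited for this event
        return []
    used, limit = dev.used[meter], ev.limits[meter]
    checks = []
    if ev.pre_pct is not None:
        checks.append(("pre", used * 100 >= limit * ev.pre_pct))
    checks.append(("threshold", used > limit))   # the threshold "must be exceeded"
    if ev.post_pct is not None:
        checks.append(("post", used * 100 >= limit * ev.post_pct))
    alerts = []
    for stage, hit in checks:
        if hit and (meter, stage) not in dev.fired:
            dev.fired.add((meter, stage))
            alerts.append(f"{ev.severity}: {ev.name}: {meter} used {used} of {limit} ({stage})")
    return alerts


def reset_counters(ev: ThresholdEvent, dev: DeviceCounters, reason: str) -> bool:
    """Reset counters only for the reason that applies to this event type:
    'roaming_stopped' for International Roaming, 'month_end' for Total Usage."""
    expected = "roaming_stopped" if ev.threshold_on == "International Roaming" else "month_end"
    if reason != expected:
        return False
    dev.used = {m: 0 for m in METERS}
    dev.fired.clear()
    return True


if __name__ == "__main__":
    # Constructed sample: 100 MB roaming data cap with 80% and 120% actions.
    ev = ThresholdEvent("Roaming data cap", "International Roaming", {"data": 100}, 80, 120)
    dev = DeviceCounters()
    for mb in (50, 30, 21, 19, 5):
        print(record_usage(ev, dev, "data", mb))
    print(reset_counters(ev, dev, "roaming_stopped"))
```

Running the sample walks a device through 80 MB (pre-threshold warning), 101 MB (threshold exceeded) and 120 MB (post-threshold warning), after which further usage is silent until the counters reset when roaming stops; a month-end reset is ignored for an International Roaming event, which is the distinction the SMS, Voice and Data rows describe.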

SIM changed event

Android    iOS    Win 7    WP8
yes    yes

For iOS devices that are not MDM-managed, the device user must start the MobileIron app on the device to trigger this event.

To create a SIM changed event:

1. Click Logs & Events > Event Settings in Admin Portal.

2. Click Add New.

3. Select SIM Changed Event from the dropdown menu.

4. Use the following guidelines for creating a SIM changed event.

Name
Identifier for this event.

Description
Additional text to clarify the purpose of this event.

Generate Alert
Turns on/off the alert defined for this event. Not currently implemented.

Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.

Template
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Adding custom Event Center messages on page 303 for information on creating a new template.

Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification
Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels
Associate this event with the selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices to which you want to apply this event.

Apply to Users
Associate this group of settings with the selected users.

Exclude Labels
Do not apply this event to selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices that should not have this event applied.

Exclude Users
Do not apply this event to the selected users.

CC to Admins
If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Note: If more than one SIM changed event applies to a device, only the last one you edited and saved is triggered.

Memory size exceeded event

Android    iOS    Win 7    WP8
yes    yes

To create a memory size exceeded event:

1. Click Logs & Events > Event Settings in Admin Portal.

2. Click Add New.

3. Select Memory Size Exceeded Event from the dropdown menu.

4. Use the following guidelines to create a memory size exceeded event:

Name
Identifier for this event.

Description
Additional text to clarify the purpose of this notification.

Used Memory Size Exceeds
Specifies the percentage of total memory that triggers the alert.

Generate Alert
Turns on/off the alert defined for this event. Not currently implemented.

Alert every
Specifies the interval for generating the alert. Select 1, 2, 3 or 4 weeks.

Severity
Specifies the severity defined for the alert: Critical, Warning, and Information.

Template
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Adding custom Event Center messages on page 303 for information on creating a new template.

Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification
Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels
Associate this event with the selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices to which you want to apply this event.

Apply to Users
Associate this group of settings with the selected users.

Exclude Labels
Do not apply this event to selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find devices that should not have this event applied.

Exclude Users
Do not apply this event to the selected users.

CC to Admins
If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Notes:
Memory exceeded events are sent only once per week when the configured memory limit is reached.
If more than one memory size exceeded event applies to a device, only the last one you edited and saved is triggered.

System event

A system event generates an alert when a component of a MobileIron implementation is not working. To create a system event:

1. Click Logs & Events > Event Settings in Admin Portal.

2. Click Add New.

3. Select System Event from the dropdown menu.

4. Use the following guidelines to complete the form:

Name
Identifier for this event.

Description
Additional text to clarify the purpose of this notification.

Sentry (standalone and integrated) is unreachable
Generates an alert if the MobileIron VSP is unable to contact the MobileIron Sentry.

Sentry (standalone and integrated) cannot reach EAS server
Generates an alert if the MobileIron Sentry is unable to contact the ActiveSync server.

MobileIron gateway is unreachable
Select this option to send an alert if the VSP cannot connect to the MobileIron gateway.

BES is unreachable
Select this option to send an alert if the VSP cannot connect to an integrated BES server.

LDAP server is unreachable
Select this option to send an alert if the VSP cannot connect to any of the configured LDAP servers.

DNS server is unreachable
Select this option to send an alert if the VSP cannot connect to one of the configured DNS servers.

Mail server is unreachable
Select this option to send an alert if the VSP cannot connect to the configured SMTP server.

NTP server is unreachable
Select this option to send an alert if the VSP cannot connect to the configured NTP server.

Certificate Expired
Select this option to send an alert for certificate expiration. An alert is sent 30 days before expiration and on the expiration date. Certificates supported include MDM APNS/Client (iOS only), Admin Portal, and device certificates.

Provisioning Profile Expired
Generates an alert if an iOS provisioning profile distributed via MobileIron has expired. In general, this profile will be associated with an in-house app.

SMTP Relay server is unreachable
Generates an alert if the configured SMTP relay (for SMS archive) does not respond to a ping or SMTP ping. See Settings > Preferences in Admin Portal for the configured SMTP relay.

SMTP Relay server error
Generates an alert if the configured SMTP relay (for SMS archive) returns an error. The alert includes available details to enable troubleshooting. See Settings > Preferences in Admin Portal for the configured SMTP relay.

SMS Message archive queue is full
Generates an alert if the queue of messages to be archived exceeds 100. This indicates a possible problem with the service, causing a backlog in the queue. In response to this alert, you should check the health of the SMTP relay server and confirm that it is correctly configured under Settings > Preferences in Admin Portal.

MAI data processing has not succeeded for more than 24 hours
Generates an alert when 24 hours have elapsed since the last time the MAI data processing task ran successfully. If the task was initiated (automatically or manually) during that 24-hour period but failed, the alert is still generated. Contact MobileIron Support for information on troubleshooting this issue. You can schedule this service, check its status, or launch it manually from Mobile Activity Intelligence > Settings in Admin Portal.

System storage threshold has been reached
Generates an alert if the system storage threshold has been reached. See Manually purging data (system storage) on page 600 for information on setting this threshold.

Connector state events
Generates an alert if the health of the Connector changes. MobileIron defines a healthy Connector as one that connects to the server at expected intervals and syncs successfully with the LDAP server. An alert is generated if a Connector changes from healthy to unhealthy, or from unhealthy to healthy.

Connector requires manual upgrade
Generates an alert if the automated upgrade of the Connector fails. This alert prompts you to manually upgrade the Connector.

Connector can not connect to LDAP server
Generates an alert if a configured LDAP server is no longer reachable.

Connector is unreachable
Generates an alert if the MobileIron server does not receive the expected response to the scheduled probe of the Connector. This alert generally indicates network problems.

VPP Percent Used Threshold
Generates an alert if the percentage of VPP tokens for an iOS app purchased via VPP reaches the specified level. The default threshold is 99 percent, meaning an alert is generated when 99 percent of the tokens for any VPP-purchased app have been redeemed.

Generate Alert
Turns on/off the alert defined for this event. Not currently implemented.

Maximum Alerts
Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.

Alert Every
Specifies the interval for generating alerts for a given event. Select the number of hours from the dropdown.

Severity
Specifies the severity defined for the alert. Select Critical, Warning, or Information.

Template
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Adding custom Event Center messages on page 303 for information on creating a new template.

Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification
Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels
Send the alert to users in the selected labels. See Using labels to establish groups on page 130 for information on labels.
Note: In most cases, if you do select a label, it should not be a label with broad coverage. System event alerts are usually not appropriate for device users.

Search Users
Enter the user ID to find users to which you want to send the alert.

Apply to Users
Send the alert to the selected users.

Exclude Labels
Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find users who should not receive this alert.

Exclude Users
Do not send the alert to the selected users.

Search Users
Enter the user ID to find users who act as telecom administrators and should receive the alert.

CC to Admins
If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

Policy violations event

Android    iOS    Win 7    WP8
yes    yes    yes1

1. Only out of contact and out of policy violations are supported. Alerts are only sent by email.

To create a policy violation event:

1. Click Logs & Events > Event Settings in Admin Portal.

2. Click Add New.

3. Select Policy Violation Event from the dropdown menu.

4. Use the following guidelines to complete the form:

Name
Identifier for this event.

Description
Additional text to clarify the purpose of this notification.

Connectivity

Out-of-contact with Server for X number of days
Select this option to send an alert when a device has been out of contact for the number of days specified in the Security policy assigned to it.

Out-of-policy for X number of days
Select this option to send an alert when a policy has been out of date for the number of days specified in the Security policy assigned to it.

Device Settings

Passcode is not compliant
Generates an alert if a device is detected having a passcode that does not meet the requirements specified in the associated security policy.

App Control

Disallowed app found
Generates an alert if an app that is specified as Disallowed is installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.

App found that is not in Allowed Apps list
Generates an alert if an app that does not appear on the list of allowed apps has been detected on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.

Required app not found
Generates an alert if an app that is specified as Required is not installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps & Configs > App Control.

Data Protection/Encryption - iOS - Android

Data Protection/Encryption is disabled
Generates an alert if an iOS device has its Data Protection feature turned off, or an Android device has its Data Encryption feature turned off.

iOS

Disallowed iOS model found
Select this option to send an alert when a restricted iOS model is registered.

Disallowed iOS version found
Select this option to send an alert when a restricted iOS version is registered.

Compromised iOS device
Select this option to send an alert when a compromised iOS device is registered or connects to the server. That is, an iOS device that has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.

iOS Configuration not compliant
Generates an alert if an iOS device does not have the expected security policy or app settings. This state may indicate that a setting was changed or was not applied successfully.

Restored Device connected to server
Generates an alert if a previously wiped device has been restored and attempts to connect through the MobileIron deployment.

MobileIron iOS App Multitasking disabled by user
Generates an alert if the device user disables multitasking for the MobileIron iOS app. Disabling multitasking increases the likelihood that a compromised device will go undetected for a significant period of time.

Device MDM deactivated (iOS 5 and later)
Generates an alert when the MDM profile on a managed iOS 5 device is removed.

Android

Disallowed Android OS version found
Generates an alert if an Android device having a disallowed OS version is detected. You can specify disallowed versions in the security policy.

Compromised Android device detected
Generates an alert if a modified Android device is detected. That is, an Android device that has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.

Device administrator not activated for DM client or agent
Generates an alert when a managed Android device is found to have no device administrator privilege activated for the MobileIron app or the Samsung DM Agent.

Actions

Generate Alert
Turns on/off the alert defined for this event. Not currently implemented.

Maximum Alerts
Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.

Alert Every
Specifies the interval for generating alerts for a given event. Select the number of days from the dropdown.

Severity
Specifies the severity defined for the alert. Select Critical, Warning, or Information.

Template
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the dropdown or click Create to create a new template. See Adding custom Event Center messages on page 303 for information on creating a new template.

Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

Send through Push Notification
Specifies whether to send a message via Apple Push Notification service or Android C2DM, and whether to send it to the user, the admin, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters.

Apply to Labels
Send the alert to users in the selected labels. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find users to which you want to send the alert.

Apply to Users
Send the alert to the selected users.

Exclude Labels
Do not send the alert to the selected labels. Use this option to specify groups of users who should not receive the alert. For example, you might specify a custom Executive label if you want to keep executives from receiving the alert. See Using labels to establish groups on page 130 for information on labels.

Search Users
Enter the user ID to find users who should not receive this alert.

Exclude Users
Do not send the alert to the selected users.

Search Users
Enter the user ID to find users who act as telecom administrators and should receive the alert.

CC to Admins
If you selected Admin only or User + Admin, then the CC to Admins section displays. Use this section to specify administrative users who should receive the alert.

5. Click Save.

The MobileIron Event Center sends emails, SMSes, and push notification messages based on triggering events. When you configure events, you can use the default message template or create a new one. Event Center templates enable you to specify content and basic formatting using HTML markup.

Note: If more than one policy violations event applies to a device, only the last one you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation. Instead, apply only one policy violations event to each device. In that one event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy violation that triggered the event.
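Both the system event and the policy violations event carry the same pair of throttling controls, Maximum Alerts and Alert Every (hours for system events, days for policy violations), and the guide describes them only one field at a time. The following Python model is an added example written for this guide, not MobileIron code, and it makes no claim about the VSP's internal scheduler. It assumes that a condition which keeps failing (an unreachable LDAP server, a non-compliant passcode) re-triggers the event on every probe, that Alert Every suppresses repeats inside the interval, that Maximum Alerts caps the alerts sent for one continuous outage, and that recovery starts a new cycle; the probe schedule and timestamps are constructed sample data.

```python
"""Illustrative model of the Maximum Alerts and Alert Every settings (added
example, not MobileIron code). It assumes that a failing health probe keeps
re-triggering the event until the component recovers, that at most one alert
is sent per Alert Every interval, and that Maximum Alerts caps the alerts
sent per outage; recovery starts a new cycle."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ThrottledEvent:
    name: str
    alert_every: timedelta            # Alert Every: hours (system) or days (policy violations)
    max_alerts: Optional[int] = None  # Maximum Alerts: None means Unlimited
    severity: str = "Critical"


@dataclass
class AlertCycle:
    """Alerts already sent during the current outage."""
    sent: int = 0
    last_sent: Optional[datetime] = None


def evaluate(ev: ThrottledEvent, cycle: AlertCycle, now: datetime, healthy: bool) -> Optional[str]:
    """Return the alert to send for this probe result, or None."""
    if healthy:
        cycle.sent, cycle.last_sent = 0, None   # recovered: next outage starts fresh
        return None
    if ev.max_alerts is not None and cycle.sent >= ev.max_alerts:
        return None                              # Maximum Alerts reached for this outage
    if cycle.last_sent is not None and now - cycle.last_sent < ev.alert_every:
        return None                              # still inside the Alert Every interval
    cycle.sent += 1
    cycle.last_sent = now
    return f"{ev.severity}: {ev.name} at {now:%Y-%m-%d %H:%M}"


def run_probes(ev: ThrottledEvent, probes: List[Tuple[datetime, bool]]) -> List[str]:
    """Feed a sequence of (timestamp, healthy) probe results through the throttle."""
    cycle = AlertCycle()
    alerts = []
    for when, ok in probes:
        alert = evaluate(ev, cycle, when, ok)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: a half-hourly LDAP probe that fails from 08:00 to 16:00,
# recovers at 16:30 and fails again at 17:00.
_START = datetime(2013, 8, 7, 8, 0)
SAMPLE_PROBES = [(_START + timedelta(minutes=30 * i), False) for i in range(17)]
SAMPLE_PROBES += [(_START + timedelta(hours=8, minutes=30), True),
                  (_START + timedelta(hours=9), False)]

if __name__ == "__main__":
    ldap_down = ThrottledEvent("LDAP server is unreachable", timedelta(hours=2), max_alerts=3)
    for line in run_probes(ldap_down, SAMPLE_PROBES):
        print(line)
```

With Alert Every set to 2 hours and Maximum Alerts set to 3, the eight-hour outage produces alerts at 08:00, 10:00 and 12:00 and then goes quiet, and the relapse at 17:00 alerts again because the healthy probe in between reset the cycle; with Maximum Alerts left unlimited the same outage would also alert at 14:00 and 16:00. That is the trade-off to weigh when choosing the two values: a cap keeps a long outage from flooding the admin mailbox, but a relapse after recovery is still reported.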

Displaying event center templates


To display Event Center templates:
1.

In Admin Portal, select Settings > Templates.

2.

Select Event Center Templates.


This list includes the default template for each Event Center type. These are not
editable.

3.

Click the View link for the message template you want to view.

Adding custom Event Center messages

To add a custom Event Center message:
1. Either click the Create button in the event dialog or select the event type from Settings > Templates > Event Center Templates > Add New.
   The following figure shows the event dialog.
   The dialog for the corresponding event type displays. Event Center messages are displayed with the HTML markup that provides the basic formatting for the content.
2. In the Name field, enter a name for the template.
   The name must be unique for events of the same type.
3. In the Edit Template for field, select the language this template will be used for.
   Note that only those languages that have been enabled for the system will be displayed in this list.
4. Make changes to the displayed messages.
5. Click Save.

Using variables in Event Center messages

Supported and required variables for Event Center messages vary by the type of message. The following table summarizes these variables. You can also click the Variables Supported link to display this information. Note that, unlike registration variables, Event Center variables do not end with $.
You can remove the variables that you do not want to use from a field in the Event Center template. This allows you to further customize the Event Center messages.

Template Type: Required Variables

International Roaming: $CURRENT_COUNTRY, $HOME_COUNTRY, $PHONE_NUMBER, $SEVERITY, $USER_NAME

Threshold Reached: $PHONE_NUMBER, $SEVERITY, $THRESHOLD_ON, $THRESHOLD_TYPE, $THRESHOLD_UNIT, $THRESHOLD_VALUE, $USED_VALUE, $USER_NAME

SIM Changed: $CURRENT_PHONE_NUMBER, $NEW_PHONE_NUMBER, $SEVERITY, $USER_NAME

Memory Size Exceeded: $FREE_MEMORY_SIZE, $MEMORY_SIZE_LIMIT, $PHONE_NUMBER, $SEVERITY, $TOTAL_MEMORY_SIZE, $USER_NAME

System Event: $DEFAULT_SYSTEM_MESSAGE, $SERVER_IP, $SERVER_NAME, $SEVERITY

Policy Violation: $DEFAULT_POLICY_VIOLATION_MESSAGE, $PHONE_NUMBER, $SEVERITY, $USER_NAME
Variable descriptions

The following table describes the variables used in Event Center messages.

$CURRENT_COUNTRY: The country in which the device is currently located.

$CURRENT_PHONE_NUMBER: The phone number currently associated with the device in the VSP, but not matching the phone number currently used by the device.

$DEFAULT_POLICY_VIOLATION_MESSAGE: The hardcoded message associated with the policy violation that triggered the alert. Note: Due to the length limits of SMS, C2DM, and APNs, the text might be truncated.

$DEFAULT_SYSTEM_MESSAGE: The third-party system message or error that triggered the alert.

$FREE_MEMORY_SIZE: The amount of free memory currently available on the device.

$HOME_COUNTRY: The home country of the device.

$MEMORY_SIZE_LIMIT: The threshold set for the device memory.

$NEW_PHONE_NUMBER: The phone number replacing $CURRENT_PHONE_NUMBER as a result of a SIM change.

$PHONE_NUMBER: The phone number used by the device.

$SERVER_IP: The IP address of the server triggering a system event alert.

$SERVER_NAME: The hostname of the server triggering the system event alert.

$SEVERITY: The defined severity of the system event, i.e., Information, Warning, or Critical.

$THRESHOLD_ON: The total used for calculations, i.e., International Roaming or Total Usage.

$THRESHOLD_TYPE: The type of usage measured, i.e., SMS, Data, or Voice.

$THRESHOLD_UNIT: The unit associated with the type of usage, i.e., minutes, messages, or MB.

$THRESHOLD_VALUE: The defined threshold value for this event, e.g., 1000 (voice minutes).

$TOTAL_MEMORY_SIZE: The total memory reported by the device.

$USED_VALUE: The amount of memory currently used on the device.

$USER_NAME: The display name of the user associated with the device.

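Before a custom template is saved, it helps to check it against the required-variable table above and the two rules the text gives (Event Center variables do not end with $, and a message sent by SMS, C2DM or APNs may be truncated). The following Python is an added example, not MobileIron code: it encodes the table, flags tokens that are not in the chosen template type's variable set (assumed here to be left unsubstituted by the Event Center) or that carry a trailing $, and renders a template with constructed event values. The sample template, the values and the 160-character SMS cap are assumptions.

```python
"""Event Center template check and rendering.

Added example, not MobileIron code: it encodes the required-variable table
from this section and shows how a $VARIABLE template is substituted. The
sample template, the event values and the SMS length cap are constructed.
"""
import re

# Required variables per template type, copied from the table above.
REQUIRED_VARIABLES = {
    "International Roaming": {"$CURRENT_COUNTRY", "$HOME_COUNTRY", "$PHONE_NUMBER",
                              "$SEVERITY", "$USER_NAME"},
    "Threshold Reached": {"$PHONE_NUMBER", "$SEVERITY", "$THRESHOLD_ON", "$THRESHOLD_TYPE",
                          "$THRESHOLD_UNIT", "$THRESHOLD_VALUE", "$USED_VALUE", "$USER_NAME"},
    "SIM Changed": {"$CURRENT_PHONE_NUMBER", "$NEW_PHONE_NUMBER", "$SEVERITY", "$USER_NAME"},
    "Memory Size Exceeded": {"$FREE_MEMORY_SIZE", "$MEMORY_SIZE_LIMIT", "$PHONE_NUMBER",
                             "$SEVERITY", "$TOTAL_MEMORY_SIZE", "$USER_NAME"},
    "System Event": {"$DEFAULT_SYSTEM_MESSAGE", "$SERVER_IP", "$SERVER_NAME", "$SEVERITY"},
    "Policy Violation": {"$DEFAULT_POLICY_VIOLATION_MESSAGE", "$PHONE_NUMBER", "$SEVERITY",
                         "$USER_NAME"},
}

# A token is "$" plus upper-case letters/underscores. An optional trailing "$" is
# captured so that registration-style names (which do end in $) can be flagged.
TOKEN_RE = re.compile(r"\$[A-Z_]+\$?")


def check_template(template_type, template):
    """Compare the tokens used in a template with the required set for its type.

    Returns a dict with:
      missing   - required variables the template leaves out (informational:
                  the page allows unused variables to be removed)
      unknown   - tokens that are not variables of this template type; assumed
                  to reach the recipient as literal text
      malformed - tokens written with a trailing "$" (registration-variable style)
    """
    required = REQUIRED_VARIABLES[template_type]
    tokens = TOKEN_RE.findall(template)
    malformed = sorted(t for t in tokens if t.endswith("$"))
    used = {t.rstrip("$") for t in tokens}
    return {
        "missing": sorted(required - used),
        "unknown": sorted(used - required),
        "malformed": malformed,
    }


def render(template, values, max_len=None):
    """Substitute known variables; unknown tokens stay visible rather than being blanked.

    max_len models the SMS/C2DM/APNs length limit the page mentions for
    $DEFAULT_POLICY_VIOLATION_MESSAGE: the rendered text is cut, not the template.
    """
    out = TOKEN_RE.sub(lambda m: str(values.get(m.group(0), m.group(0))), template)
    if max_len is not None and len(out) > max_len:
        out = out[:max_len]
    return out


# Constructed sample: a custom Policy Violation template and one event's values.
SAMPLE_TEMPLATE = ("<p>$USER_NAME ($PHONE_NUMBER): $SEVERITY policy violation. "
                   "$DEFAULT_POLICY_VIOLATION_MESSAGE</p>")
SAMPLE_VALUES = {
    "$USER_NAME": "Jane Example",        # constructed
    "$PHONE_NUMBER": "+15555550100",     # constructed, reserved fictional range
    "$SEVERITY": "Critical",
    "$DEFAULT_POLICY_VIOLATION_MESSAGE": "Device is not compliant with the passcode policy.",
}
SMS_LIMIT = 160  # assumed single-segment SMS length, for illustration only

if __name__ == "__main__":
    print(check_template("Policy Violation", SAMPLE_TEMPLATE))
    print(render(SAMPLE_TEMPLATE, SAMPLE_VALUES))
    print(render(SAMPLE_TEMPLATE, SAMPLE_VALUES, max_len=SMS_LIMIT))
```

Run it directly to see the check result and the rendered message. The missing list is informational, since the page allows unused variables to be removed; unknown and malformed entries are the ones to fix before saving the template.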
Specifying which template to use

When you create or edit an event, you specify which template to use for resulting alerts. To select a template:
1. Create or edit an event.
2. Select a template from the dropdown or click the Create button to create a new template.

Filtering Event Center messages

In the Event Center Templates page, you can filter messages by event type. Just select the preferred event type from the Event Type dropdown.

Editing Event Center messages

You can edit your custom Event Center templates. However, default Event Center templates are not editable.
To edit a custom Event Center template:
1. In Admin Portal, select Settings > Templates > Event Center Templates.
2. Click the edit icon for the custom template you want to edit.
3. Make your changes.
4. Click Save.

Deleting Event Center messages

You can delete any of the Event Center messages you have created:
1. In Admin Portal, select Settings > Templates > Event Center Templates.
2. Select the items you want to delete.
3. Click Delete.


Events

Use the Events screen to track the events that have triggered alerts. To display the Events screen, go to Logs & Events > Events.

Marking as Read or Unread

To enable tracking of which events have been noted and/or addressed by an administrator, you can mark an event as Read. Likewise, you can switch this flag back to Unread.
To set the Read/Unread flag:
1. Select one or more events.
2. Select Read or Unread from the Actions menu.

Filtering events

You can filter the displayed events using the following criteria:
- Read/Unread
- Labels
- User
- Start Date/End Date
- Event Type
- Event Status
The following table summarizes these filters.

Read/Unread
Select Read or Unread from the Show dropdown list. To resume displaying all events, select All.

Labels
Select the preferred label from the Labels dropdown to filter based on the label specified in the event.

User
Enter a user ID and click the search icon to filter based on the user IDs specified in the event.

Start Date/End Date
Select dates in the Start Date and End Date fields to filter events by date range.

Event Type
Select an event type from the Type dropdown to filter by event type.

Event Status
Select an event status from the status dropdown to filter based on the event's lifecycle state.

Event lifecycle and status

Events go through the following lifecycle:
Created -> Dispatch Pending -> Dispatching -> Dispatched
The following two failure states may also occur:
- Dispatch Failed: The process of generating the alert failed. This is usually the result of an SMTP problem. Check the SMTP configuration in System Manager, as well as the health of your SMTP server.
- Expired: Another event occurred that makes the alert obsolete, resulting in expiration before dispatch.

Exporting event history

To export a CSV file containing the currently displayed events, click the Export button.

Adding a note

You can add a note to one or more events to help track the work that has been done in response. Each event can hold one note; adding another note replaces the existing note. To add a note:
1. Select one or more events.
2. Select Actions > Add Note.
3. Enter the text of the note.
4. Click Add.
5. Press F5 to refresh the screen and confirm that the note displays in the Note field for the selected events.

Chapter 10

Working with MobileIron Sentry

MobileIron Sentry

MobileIron Sentry is a component of a MobileIron deployment that interacts with your company's ActiveSync server. The ActiveSync server provides employees access to their email, contacts, calendar, and tasks. Sentry, with input from the VSP, protects the ActiveSync server from wrongful access from the devices.
The Sentry is either a Standalone Sentry or an Integrated Sentry. Standalone Sentry is a separate appliance, whereas Integrated Sentry is a software module on the Microsoft Exchange Server.
You perform Sentry-related configuration as follows:
- On the VSP, use the Admin Portal for configuration pertaining to connectivity, devices, policies, and security.
- On Standalone Sentry, use the Sentry System Manager for Standalone Sentry system management.
Before continuing with Sentry configuration using the Admin Portal, see the following:
- For details about Sentry and an overview of the configuration tasks that you do, see the MobileIron Sentry Administration Guide.
- For information on Sentry installation if you are using an on-premise VSP, see the MobileIron Installation Guide.
- For information on Sentry installation if you are using ConnectedCloud, see Getting Started with the MobileIron Connected Cloud.
In the Admin Portal, you configure the following information pertaining to Sentry configuration:
- Standalone or Integrated Sentry connectivity. See Adding, Editing, and deleting a Sentry on the VSP on page 319.
- Certificate management for the certificate that Standalone Sentry presents to devices. See Managing certificates for Standalone Sentry on page 337.
- Device authentication (how the device authenticates to the Standalone Sentry) and server authentication (how the Standalone Sentry authenticates the device to the server). See Device and server authentication support for Standalone Sentry on page 328.
- Email attachment control. See Email attachment control support for Standalone Sentry on page 342.
- Sentry preferences. See Setting Sentry preferences on page 355.
You also use the Admin Portal to manage ActiveSync associations. See Working with ActiveSync Phones via MobileIron Sentry on page 359.

Adding, Editing, and deleting a Sentry on the VSP

Use the Admin Portal to add and edit a Sentry to work with the VSP. You can also delete a Sentry.

Adding an entry for MobileIron Integrated Sentry

To create an entry for a MobileIron Integrated Sentry on the VSP:
1. Select Settings > Sentry in the Admin Portal.
2. Select Add New > Integrated Sentry.
   For information about filling in this form, see Installing Integrated Sentry in the MobileIron Installation Guide.

Adding a MobileIron Standalone Sentry entry

To create a MobileIron Standalone Sentry entry:
1. In the Admin Portal, go to Settings > Sentry.

2. Select Add New > Standalone Sentry.
3. Use the following guidelines to complete the form.

Sentry Host / IP
Enter the host name or IP address of the server on which the Standalone Sentry is installed.

Sentry Port
Enter the port that the VSP will use to access the Standalone Sentry. The default is 9090.

Enable ActiveSync
Select Enable ActiveSync to configure the Standalone Sentry for ActiveSync. The ActiveSync Configuration section displays.

Enable App Tunneling
Select Enable App Tunneling to configure the Standalone Sentry for AppTunnel. The AppTunnel Configuration section displays.

Device Authentication Configuration

Device Authentication
Select how users attempting to connect to the ActiveSync or app server authenticate with the Sentry. If you configure the Sentry for AppTunnel, you can only choose either Group Certificate or Identity Certificate. Depending on the method of device authentication, additional fields display. See Device and server authentication support for Standalone Sentry on page 328 for information on selecting and configuring a method of device authentication.

ActiveSync Configuration
This section of the form displays only if you choose Enable ActiveSync.

Server Authentication
Select how the Sentry authenticates the user to the ActiveSync server. Select Pass Through or Kerberos. The Kerberos option is only available if you selected Identity Certificate for Device Authentication.

ActiveSync Servers
Enter the ActiveSync server hostnames or IP addresses, separated by semicolons (;). The ActiveSync servers in this list provide failover support for each other. The maximum number of characters accepted is 4000 characters.
For Microsoft Office 365, enter m.outlook.com.
For Gmail, enter m.google.com.

Enable Server TLS
Specify whether the ActiveSync servers require SSL (i.e., port 443).

Enable Redirect Processing (451)
To disable redirect processing, clear the check box. If Enable Redirect Processing (451) is disabled, the Standalone Sentry does not handle redirection, and passes the redirect URL to the device.

Limit Protocol Version
Check this option to choose the ActiveSync protocol version that the device and Microsoft Exchange use to communicate with the Standalone Sentry. If the device is already registered, you have to push the Exchange profile to the device to force the device to use the new protocol.

Attachment Control
Specify whether to enable email attachment control, and then specify the type of email attachment control. For more information, see Email attachment control support for Standalone Sentry on page 342.

ActiveSync Server Configuration
This section of the form displays only if Enable ActiveSync is checked.

Enable Client TLS
Specify whether the client must use TLS.
Note: Though the field label reads TLS, the intended requirement is SSL.

Enable Background Health Check
The default setting is enabled. Clear the check box to disable the ActiveSync server health check.
If enabled, when the ActiveSync server fails the number of times configured in the Dead Threshold setting within the time configured in the Failure Window, the ActiveSync server status shows Unreachable. When the background health check determines that the server is live for the number of times configured for Live Threshold, the ActiveSync server status shows Reachable.

Interval
Specify the time interval, in seconds, at which Sentry performs a background health check. The valid range is 10 through 600. The default is 60.

Live Threshold
Specify the number of times the ActiveSync server background health check must be successful before the server is marked as live. The valid range is 1 through 10. The default is 3.

App Tunneling Configuration
This section of the form displays only if Enable App Tunneling is checked.
To add a new service, click +. See Configuring an AppTunnel service on page 499 for information on configuring an AppTunnel service.

Kerberos Authentication Configuration
This section only displays if the Kerberos option is specified for server authentication either for the ActiveSync configuration or for an AppTunnel service. See Device and server authentication support for Standalone Sentry on page 328 for information on configuring Kerberos for server authentication.

Global Server Configuration

Scheduling
Specify Priority or Round Robin scheduling if multiple servers are specified.
Priority means that the first available server in the specified list will be used, with the first server in the list having the highest priority. So if the first server in the list is never unavailable, then the other servers will never be used.
Round Robin means that each server in the list will be used in turn.

Dead Threshold
Specify the number of times that a server connection can fail before the server will be marked dead. The valid range is 1 through 1000.

Failure Window
Specify the time interval in milliseconds during which the specified number of server connection failures must occur in order for the server to be marked dead. The valid range is 1 through 86400000 milliseconds (24 hours).

Dead Time
Specify the amount of time in milliseconds that the server should be marked dead after the specified number of connection failures. The valid range is 1 through 172800000 milliseconds (48 hours).

Advanced Configuration
This feature provides you the additional flexibility to configure Standalone Sentry session timeouts. You may want to configure the session timeouts to manage server resources. For example, you may want to configure larger timeouts when using Lotus Notes Traveler with Standalone Sentry.
Note: Do not make changes to the settings unless specifically instructed in the documentation or by MobileIron Professional Services.

Socket read/write timeout
Specify the time in milliseconds after which the Sentry times out a socket read or write from either the device or the server. Enter a valid integer. The default setting is 10000, and the minimum is 1.

Server connection timeout
Specify the time in milliseconds after which the Sentry will time out when connecting to the server. Enter a valid integer. The default setting is 10000, and the minimum is 1.

Server response timeout
Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP response from the server. Enter a valid integer. The default setting is 60000, and the minimum is 1.

Device request timeout
Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP request from the device on a new or existing connection. Enter a valid integer. The default setting is 10000, and the minimum is 1.

4. Click Save.
5. Perform this step if you configured the Sentry for app tunneling and the Sentry uses a self-signed certificate:
   In the Settings > Sentry page, for the Sentry configured for app tunneling, click the View Certificate link. This makes the Sentry's certificate known to the VSP.

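The Enable Background Health Check, Interval, Live Threshold, Scheduling, Dead Threshold, Failure Window and Dead Time settings in the form above interact, and it is easy to pick a combination that marks a server dead too eagerly or revives it too slowly. The following Python is an added example, not Sentry code: it models those rules with the form's valid ranges and walks one constructed scenario (two hosts, three failures within ten seconds, health checks at the default 60-second interval). The page does not say whether an expired Dead Time or Live Threshold successes revives a server first, so the model's choice (either does) is an assumption; hostnames and timestamps are constructed.

```python
"""Model of the Standalone Sentry health-check and scheduling settings.

Added example, not Sentry code: it models Dead Threshold, Failure Window, Dead
Time, Live Threshold, Interval and Scheduling as described above. The page does
not say whether an expired Dead Time or Live Threshold successes revives a
server first; here either makes it usable again (assumption). Hosts and
timestamps are constructed.
"""
from collections import deque

# Valid ranges (low, high) from the form; milliseconds unless the name says otherwise.
LIMITS = {"interval_s": (10, 600), "live_threshold": (1, 10), "dead_threshold": (1, 1000),
          "failure_window_ms": (1, 86400000), "dead_time_ms": (1, 172800000)}


def validate_setting(name, value):
    """Raise ValueError if value is outside the range the form accepts; return it otherwise."""
    low, high = LIMITS[name]
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError("%s must be an integer in %d..%d, got %r" % (name, low, high, value))
    return value


class ServerHealth:
    """Reachability of one backend server under the Dead/Live threshold rules."""

    def __init__(self, host, dead_threshold, failure_window_ms, dead_time_ms, live_threshold=3):
        self.host = host
        self.dead_threshold = validate_setting("dead_threshold", dead_threshold)
        self.failure_window_ms = validate_setting("failure_window_ms", failure_window_ms)
        self.dead_time_ms = validate_setting("dead_time_ms", dead_time_ms)
        self.live_threshold = validate_setting("live_threshold", live_threshold)
        self.failures = deque()      # failure timestamps still inside the Failure Window
        self.dead_until = None       # set when the server is marked dead
        self.consecutive_successes = 0
        self.status = "Reachable"

    def available(self, now_ms):
        """Usable by the scheduler: Reachable, or marked dead but Dead Time has elapsed."""
        return self.status == "Reachable" or now_ms >= self.dead_until

    def record_failure(self, now_ms):
        """A connection failure; Dead Threshold failures inside Failure Window mark the server dead."""
        self.consecutive_successes = 0
        self.failures.append(now_ms)
        while self.failures and now_ms - self.failures[0] > self.failure_window_ms:
            self.failures.popleft()  # that failure fell out of the window
        if len(self.failures) >= self.dead_threshold and self.available(now_ms):
            self.status = "Unreachable"
            self.dead_until = now_ms + self.dead_time_ms
            self.failures.clear()
        return self.status

    def record_success(self, now_ms):
        """A successful background health check; Live Threshold successes in a row revive the server."""
        self.consecutive_successes += 1
        if self.status == "Unreachable" and self.consecutive_successes >= self.live_threshold:
            self.status, self.dead_until, self.consecutive_successes = "Reachable", None, 0
        return self.status


class Scheduler:
    """Priority or Round Robin selection over the configured server list."""

    def __init__(self, servers, mode="Priority"):
        if mode not in ("Priority", "Round Robin"):
            raise ValueError("Scheduling must be Priority or Round Robin")
        self.servers, self.mode, self._next = list(servers), mode, 0

    def pick(self, now_ms):
        """Return the server to use now, or None if every server is marked dead."""
        live = [s for s in self.servers if s.available(now_ms)]
        if not live:
            return None
        if self.mode == "Priority":
            return live[0]                       # first available server in list order
        chosen = live[self._next % len(live)]    # rotate over the servers currently available
        self._next += 1
        return chosen


# Constructed scenario: two hosts; 3 failures within 10 s mark a host dead for 5 minutes,
# and the background health check runs every 60 s (the Interval default).
HOSTS = ["cas1.example.internal", "cas2.example.internal"]
INTERVAL_MS = validate_setting("interval_s", 60) * 1000


def demo():
    servers = [ServerHealth(h, dead_threshold=3, failure_window_ms=10000, dead_time_ms=300000)
               for h in HOSTS]
    sched, first = Scheduler(servers, "Priority"), servers[0]
    for t in (0, 1000, 2000):                    # three failures one second apart
        first.record_failure(t)
    timeline = {"after_failures": first.status, "pick_at_3s": sched.pick(3000).host}
    first.record_success(INTERVAL_MS)            # health checks at 60 s and 120 s
    first.record_success(2 * INTERVAL_MS)
    timeline["pick_after_two_checks"] = sched.pick(2 * INTERVAL_MS + 1000).host
    timeline["after_third_check"] = first.record_success(3 * INTERVAL_MS)
    timeline["pick_after_third_check"] = sched.pick(3 * INTERVAL_MS + 1000).host
    return timeline


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

With these values the first host is Unreachable after the third failure, Priority scheduling falls back to the second host, and the first host returns only after the third successful health check (three minutes later), well before its five-minute Dead Time would have expired. Failures spaced further apart than the Failure Window never accumulate, which is the point of the window setting.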
Editing MobileIron Sentry settings

To edit settings for a MobileIron Sentry:
1. Select Settings > Sentry in Admin Portal.
2. Select the entry to be edited.
3. Click the edit icon next to the entry.
4. Make the necessary changes.
5. Click Save.
To verify that the changes are pushed to the Sentry, check that the Status shows Success.
For information about editing Integrated Sentry configuration, see Installing Integrated Sentry in the MobileIron Installation Guide.

Deleting a Sentry entry

To delete a Sentry entry:
1. Select Settings > Sentry in the Admin Portal.
2. Select the entry to be deleted.
3. Click Delete.
4. Click Yes to the verification prompt.

Caution: Do not remove a Standalone Sentry entry without first making sure that no devices are using Exchange app settings that use that Standalone Sentry. Devices with such Exchange app settings are still accessing the Standalone Sentry. These devices can continue to access the ActiveSync server even if they violate their security policy or if you manually attempt to block them. See Exchange settings on page 205.

451 redirect processing

If a 451 redirect URL is set up on your ActiveSync server, the Standalone Sentry handles the redirection when a device tries to sync. The redirect URL is not forwarded to the device.
You configure 451 redirect processing on the Standalone Sentry by enabling or disabling the Enable Redirect Processing (451) field in the Edit Standalone Sentry page. From the Admin Portal, go to Settings > Sentry, and click on the edit icon for the Sentry.
Redirect processing is enabled by default.

Disabling redirect processing

To disable 451 redirect processing:
1. From the Admin Portal, go to Settings > Sentry.
2. Select the Sentry to edit, and click the edit icon next to the entry.
3. Clear the checkbox next to Enable Redirect Processing (451).
4. Click Save.

Device and server authentication support for Standalone Sentry

Standalone Sentry supports device authentication using user name and password, certificate-based authentication, or Kerberos Constrained Delegation. Device authentication involves configuring:
- device authentication (how the device authenticates to the Standalone Sentry)
- server authentication (how the Standalone Sentry authenticates the device to the server).

Device authentication

Device authentication specifies how the device authenticates to the Standalone Sentry. Standalone Sentry supports the following types of device authentication:

Pass Through
Only available if you are using the Sentry for ActiveSync only. The Sentry passes through the authentication provided by the device, for example, user name and password, NTLM.
Note: This is the only authentication option you can use with Microsoft Office 365.

Group Certificate
Available for ActiveSync and AppTunnel. Requires the following:
- A trusted group certificate for device authentication.
- An authentication method like user name and password or NTLM for authenticating the device to the server.
Note: KCD is not supported with Group Certificates.

Identity Certificate
Available for ActiveSync and AppTunnel. Requires the following:
- A certificate issued by a Trusted Root Authority for device authentication.
- A user name and password or a properly configured Kerberos implementation for authenticating the device to the server.

Server authentication

Server authentication specifies how the Sentry authenticates the device to the backend server. This can be the ActiveSync server or the app server.
Standalone Sentry supports the following types of server authentication. These are supported for both ActiveSync and AppTunnel.

Pass Through
The Sentry passes through the authentication provided by the device. For example: user name and password, NTLM.

Kerberos
Only available if you choose Identity Certificate for device authentication. Requires a properly configured Kerberos implementation.

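The two tables above, together with the Office 365, Gmail, Exchange and CIFS notes in this chapter and the HTTP/HTTPS-only CRL caveat in the procedures that follow, define which combinations of device and server authentication a Standalone Sentry accepts. The following Python is an added example, not MobileIron code, that checks a proposed configuration against those rules before it is entered in the form. The configuration dictionary, its field names, the hostnames and the CRL URLs are constructed for the example.

```python
"""Check a Standalone Sentry authentication configuration against the rules in this section.

Added example, not MobileIron code. The configuration dictionary, its field names
and the sample values are constructed; the rules encoded are the ones the page
states: which device authentication methods work with ActiveSync and AppTunnel,
when Kerberos is allowed, the Office 365 and Gmail hostnames, and the
HTTP/HTTPS-only CRL limitation.
"""
from urllib.parse import urlparse

DEVICE_AUTH = ("Pass Through", "Group Certificate", "Identity Certificate")
SERVER_AUTH = ("Pass Through", "Kerberos")
OFFICE365_HOST = "m.outlook.com"   # value the page gives for Microsoft Office 365
GMAIL_HOST = "m.google.com"        # value the page gives for Gmail (not an Exchange server)


def split_servers(field_text):
    """The ActiveSync Servers field: hostnames or IPs separated by semicolons."""
    return [s.strip().lower() for s in field_text.split(";") if s.strip()]


def validate_sentry_auth(cfg):
    """Return a list of problems; an empty list means the combination is one the page allows."""
    problems = []
    device_auth = cfg.get("device_auth")
    if device_auth not in DEVICE_AUTH:
        return ["unknown device authentication %r" % (device_auth,)]

    activesync = cfg.get("activesync", {})
    apptunnel = cfg.get("apptunnel", {})
    as_enabled = activesync.get("enabled", False)
    at_enabled = apptunnel.get("enabled", False)
    as_servers = split_servers(activesync.get("servers", "")) if as_enabled else []

    # Pass Through device authentication is for ActiveSync-only Sentries;
    # AppTunnel needs Group Certificate or Identity Certificate.
    if at_enabled and device_auth == "Pass Through":
        problems.append("AppTunnel requires Group Certificate or Identity Certificate "
                        "for device authentication")

    # Office 365 works only with Pass Through device authentication.
    if OFFICE365_HOST in as_servers and device_auth != "Pass Through":
        problems.append("ActiveSync: Microsoft Office 365 requires Pass Through device authentication")

    # Every server-authentication choice: one for ActiveSync, one per AppTunnel service.
    choices = []
    if as_enabled:
        choices.append(("ActiveSync", activesync.get("server_auth", "Pass Through"), activesync))
    if at_enabled:
        for svc in apptunnel.get("services", []):
            choices.append(("AppTunnel service %s" % svc.get("name", "?"),
                            svc.get("server_auth", "Pass Through"), svc))

    for where, server_auth, section in choices:
        if server_auth not in SERVER_AUTH:
            problems.append("%s: unknown server authentication %r" % (where, server_auth))
            continue
        if server_auth != "Kerberos":
            continue
        # Kerberos (KCD) needs Identity Certificate; Group Certificate and Pass Through cannot use it.
        if device_auth != "Identity Certificate":
            problems.append("%s: Kerberos server authentication requires Identity Certificate "
                            "device authentication" % where)
        if where == "ActiveSync" and GMAIL_HOST in as_servers:
            # Kerberos for ActiveSync is supported only with Microsoft Exchange; Gmail is not
            # Exchange. Whether an arbitrary hostname is Exchange cannot be told from the name.
            problems.append("ActiveSync: Kerberos is supported only with Microsoft Exchange servers")
        if where != "ActiveSync" and section.get("cifs", False):
            problems.append("%s: Kerberos is not supported with CIFS-enabled content servers" % where)

    # Certificate revocation checking: Sentry fetches HTTP and HTTPS CRLs only; LDAP CDPs will not work.
    if device_auth != "Pass Through" and cfg.get("check_crl", False):
        for url in cfg.get("crl_distribution_points", []):
            scheme = urlparse(url).scheme.lower()
            if scheme not in ("http", "https"):
                problems.append("CRL distribution point %s uses %s; only HTTP and HTTPS CRLs "
                                "are supported" % (url, scheme or "no scheme"))
    return problems


# Constructed configurations (hostnames and URLs are placeholders).
GOOD_CONFIG = {
    "device_auth": "Identity Certificate",
    "activesync": {"enabled": True, "servers": "cas1.example.internal; cas2.example.internal",
                   "server_auth": "Pass Through"},
    "apptunnel": {"enabled": True,
                  "services": [{"name": "intranet", "server_auth": "Kerberos", "cifs": False}]},
    "check_crl": True,
    "crl_distribution_points": ["http://pki.example.internal/crl/issuing.crl"],
}
BAD_CONFIG = {
    "device_auth": "Group Certificate",
    "activesync": {"enabled": True, "servers": "m.outlook.com", "server_auth": "Pass Through"},
    "apptunnel": {"enabled": True,
                  "services": [{"name": "files", "server_auth": "Kerberos", "cifs": True}]},
    "check_crl": True,
    "crl_distribution_points": ["ldap://dc.example.internal/CN=Issuing%20CA?certificateRevocationList"],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_sentry_auth(cfg) or ["ok"])
```

The good configuration is the page's own example (Pass Through for the ActiveSync server, KCD for an AppTunnel service, identity certificates on the devices) and reports nothing. The bad one reports four problems: Office 365 with a group certificate, Kerberos without an identity certificate, Kerberos against a CIFS-enabled content server, and an LDAP CRL distribution point that Sentry cannot fetch.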
Configuring device and server authentication

You specify the device and server authentication in the Sentry configuration under Settings > Sentry in the Admin Portal. Click Add New > Standalone Sentry or click the edit icon for an existing Sentry.
- Device authentication is configured in the Device Authentication Configuration section.
- Server authentication is configured in the ActiveSync Configuration section for the ActiveSync server, and in the App Tunneling Configuration section for each AppTunnel service.
If you do device authentication with Identity certificates, you can specify different server authentication types for the ActiveSync configuration and for each AppTunnel service. For example, you can specify Pass Through for the ActiveSync server and Kerberos Constrained Delegation (KCD) for the servers listed for an AppTunnel service.
To configure authentication:
1. Complete the necessary infrastructure changes.
   See Adding a MobileIron Standalone Sentry entry on page 319.
2. Obtain the certificates required for your implementation.
3. In the Admin Portal, select Settings > Sentry.
4. Click the edit icon for the existing Standalone Sentry.
5. In the Device Authentication Configuration section, select one of the following authentication options, depending on your implementation:
   - Pass Through: see Authentication using Pass Through on page 330 for next steps.
   - Group Certificate: see Authentication using a group certificate on page 330 for next steps.
   - Identity Certificate: see Authentication using an identity certificate and Pass Through on page 331, or Authentication using an identity certificate and Kerberos constrained delegation on page 333, for next steps.

Authentication using Pass Through

If you select Pass Through for device authentication, then Pass Through is the only option available for server authentication for the ActiveSync server.
Click Save to save your configuration.

Authentication using a group certificate

If you select Group Certificate for device authentication, additional configuration fields display in the Device Authentication Configuration section.
For device authentication with a group certificate, Pass Through is the only option available for server authentication.
To complete the configuration:
1. In the Device Authentication Configuration section, click Upload Certificate.
2. Select the certificate (usually a .cer file) you trust.
3. Click Upload.
   Note: The certificate is uploaded at this time, but does not persist until you click Save.
4. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
   Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default that will not work with Sentry.
   For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
5. If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configuration section, Server Authentication defaults to Pass Through.
   If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration section, select Pass Through for Server Auth for the AppTunnel Service.
6. Click Save.
   Note: The Sentry restarts when you click Save.

Authentication using an identity certificate and Pass Through

This section describes the configuration when you choose Identity Certificate to authenticate the device to the Sentry and Pass Through for how Sentry authenticates the device to the ActiveSync or app server.
If you select Identity Certificate for device authentication, additional configuration fields display in the Device Authentication Configuration section.
To complete the form:
1. In the Device Authentication section, click Upload Certificate.
2. Select the Root certificate (this may be a root certificate chain) that you received from the CA you trust. The CA may be a Root Authority or an Intermediate Authority.
3. Click Upload.
   Note that the certificate is uploaded at this time, but does not persist until you click Save.
4. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
   Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default that will not work with Sentry.
   For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
   Note: The Certificate Field Mapping fields are used only if the server authentication is done with Kerberos.
5. If you are configuring the Sentry for ActiveSync, in the ActiveSync Server Configuration section, Server Authentication defaults to Pass Through.
   If you are configuring the Sentry for AppTunnel, in the App Tunneling Configuration section, select Pass Through for Server Auth for the AppTunnel Service.
6. Click Save.
   Note: The Sentry restarts when you click Save after uploading the certificate.


Authentication using an identity certificate and Kerberos constrained delegation

Before you configure Kerberos authentication for Sentry, you must set up your environment. See Authentication Using Kerberos Constrained Delegation on the MobileIron Support site.
This section describes the configuration when you choose Identity Certificate to authenticate the device to the Sentry and Kerberos for how Sentry authenticates the device to the ActiveSync or app server.
Note the following:
- For ActiveSync, Sentry supports Kerberos authentication only with Microsoft Exchange Servers.
- For AppTunnel, Sentry does not support Kerberos with CIFS-enabled content servers.
If you select Identity Certificate for device authentication, additional configuration fields display in the Device Authentication Configuration section.

To complete the form:

Device Authentication Configuration section

1. Click Upload Certificate.

2. Select the Root certificate (this may be a root certificate chain) that you received from the CA you trust. The CA may be a Root Authority or an Intermediate Authority.

3. Click Upload.
   Note that the certificate is uploaded at this time, but does not persist until you click Save.


4. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
   Note that only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default that will not work with Sentry.
   For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.

5. Use the Subject Alternate Name Type list to select the field in the client certificate that will be used to identify the user for Kerberos Constrained Delegation.
   The Type is the same type that you specified when generating the client certificate. This is often the NT Principal Name.

6. Use the Value list to select the value used in the Subject Alternate Name field.
   Usually, the User UPN (user principal name) is used to identify the user.

ActiveSync Configuration section

If you are configuring Kerberos for ActiveSync, in the ActiveSync Server Configuration section, configure the following:

1. For Server Authentication, select Kerberos.

2. Configure the ActiveSync Server SPNs:
   - If you used the fully-qualified domain name of the ActiveSync server as the basis for the Service Principal Name of the server in the ActiveSync Server(s) field above, then select Derive SPN From FQDN Of ActiveSync Server.
   - If you configured the IP address or alternate DNS name of the ActiveSync server in the ActiveSync Server(s) field above, then deselect Derive SPN From FQDN Of ActiveSync Server.
     Enter the SPNs for each of your ActiveSync servers, separated by semicolons, in the field that appears when this option is selected. Typically, SPNs are in the form: http/<FQDN>. For example, http/CAS.ironmobile.com.
     Note that the SPN is case-sensitive. The name of the CAS node that uses KCD must exactly match the name of the node.
     To view the CAS node:
     - Log on to the Active Directory server as an Administrator.
     - From Start > All Programs, select Administrative Tools > Active Directory Users and Computers.
     - Navigate to the Computers folder for the Kerberos realm (Kerberos refers to a domain as a realm).
     - Note the exact host name of the CAS.


App Tunneling Configuration section

If you are configuring Kerberos for AppTunnel, in the App Tunneling Configuration section, for an AppTunnel Service configure the following:

1. For Server Auth, select Kerberos.

2. Enter the Service Principal Name (SPN) for each server listed in the Server List.
   - Each SPN must be separated by semicolons. Example: sharepoint1.company.com;sharepoint2.company.com.
   - The Server SPN List applies only when the Service Name is not <ANY> and the Server Auth is Kerberos.
   - If each server in the Server List has the same name as its SPN, you can leave the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List. The first server in the Server List corresponds to the first SPN in the Server SPN List, the second server in the Server List corresponds to the second SPN in the Server SPN List, and so on.
   Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the Standalone Sentry assumes that the SPN is the same as the server name received from the device.
For details on configuring AppTunnel, see Adding AppTunnel support on page 482.
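The SPN rules in the ActiveSync Configuration section above (derive http/<FQDN> from the server name, or enter an explicit semicolon-separated list) and in the App Tunneling Configuration section (an optional Server SPN List that must pair one-to-one with the Server List, with <ANY> taking the SPN from the device) can be checked before you type them into the form. The following is an added example, not MobileIron code: the function names, the case-mismatch check and the sample server lists are constructed for illustration.

```python
"""Validate Sentry-style SPN lists before entering them in the Admin Portal.

Added example (not MobileIron code). Function names and sample inputs are
constructed; the rules implemented are the ones the guide states: entries
are separated by semicolons, an ActiveSync SPN derived from the FQDN has the
form http/<FQDN>, the SPN is case-sensitive, and an AppTunnel Server SPN List
must have exactly as many entries as the Server List.
"""
from __future__ import annotations

import ipaddress


def split_list(value: str) -> list[str]:
    """Split a semicolon-separated Admin Portal field, dropping blank entries."""
    return [item.strip() for item in value.split(";") if item.strip()]


def is_ip_address(host: str) -> bool:
    """True if the server entry is an IP literal (no FQDN to derive an SPN from)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def activesync_spns(servers: str, derive_from_fqdn: bool, spn_list: str = "") -> dict[str, str]:
    """Map each ActiveSync server to the SPN Sentry will request a ticket for.

    derive_from_fqdn=True mirrors 'Derive SPN From FQDN Of ActiveSync Server':
    every server must be a host name and its SPN is http/<FQDN>. Otherwise the
    explicit SPN list is used and must contain one SPN per server.
    """
    hosts = split_list(servers)
    if not hosts:
        raise ValueError("ActiveSync Server(s) field is empty")
    if derive_from_fqdn:
        for host in hosts:
            if is_ip_address(host):
                raise ValueError(f"{host} is an IP address; deselect Derive SPN and enter SPNs explicitly")
        return {host: f"http/{host}" for host in hosts}
    spns = split_list(spn_list)
    if len(spns) != len(hosts):
        raise ValueError(f"{len(hosts)} server(s) but {len(spns)} SPN(s); counts must match")
    return dict(zip(hosts, spns))


def apptunnel_spns(service_name: str, server_list: str, server_spn_list: str = "") -> dict[str, str]:
    """Pair each AppTunnel server with its SPN under the guide's rules.

    For Service Name <ANY> the SPN is whatever server name the device sends,
    so no static mapping exists. An empty Server SPN List means SPN == server
    name; a non-empty one must match the Server List entry for entry.
    """
    if service_name == "<ANY>":
        raise ValueError("Service Name <ANY>: SPN is taken from the server name sent by the device")
    servers = split_list(server_list)
    spns = split_list(server_spn_list)
    if not spns:
        return {server: server for server in servers}
    if len(spns) != len(servers):
        raise ValueError(f"Server List has {len(servers)} entries but Server SPN List has {len(spns)}")
    return dict(zip(servers, spns))


def spn_case_mismatches(mapping: dict[str, str], ad_hostnames: list[str]) -> list[str]:
    """Return SPNs whose host part matches an AD computer name only when case is ignored.

    The guide notes the SPN is case-sensitive and must match the CAS node name
    exactly, so a case-only difference is a misconfiguration worth flagging
    before Kerberos ticket requests start failing.
    """
    exact = set(ad_hostnames)
    folded = {name.lower() for name in ad_hostnames}
    problems = []
    for spn in mapping.values():
        host = spn.split("/", 1)[-1]
        if host not in exact and host.lower() in folded:
            problems.append(spn)
    return problems


if __name__ == "__main__":
    # Constructed sample: one CAS host, SPN derived from its FQDN.
    print(activesync_spns("CAS.ironmobile.com", derive_from_fqdn=True))
    print(apptunnel_spns("sharepoint", "sharepoint1.company.com;sharepoint2.company.com"))
```

Run the mapping functions on the exact strings you intend to paste into the ActiveSync Server(s), Server List and Server SPN List fields; a ValueError means the form would be rejected or, worse, silently pair the wrong SPN with a server.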

Kerberos Authentication Configuration section

If you intend to use a Kerberos-generated keytab file:

1. Select Use Keytab File.

2. Click Upload File.

3. Select the keytab file.

4. Click Upload.
   The keytab file provides the required Kerberos authentication information. For information about generating a keytab, see Authentication Using Kerberos Constrained Delegation on the MobileIron Support site.

5. Optionally, configure one or more Key Distribution Centers.
   The Key Distribution Center is the network service that supplies session tickets and temporary session keys. This is generally the Active Directory domain controller host name. Enter either the IP address or the FQDN of the AD.
   You can enter multiple KDCs. Separate each KDC with a semicolon. For example: KDCdomainname1.com;KDCdomainname2.com.
   If you do not configure a KDC, the system auto-detects the KDC.


6. Click Save.
   Note: The Sentry restarts when you click Save.

If you did not upload a keytab file:

1. Complete the Kerberos configuration fields. Use the following guidelines:
   Realm
   The Kerberos administrative domain. The realm is usually the company domain name, in all uppercase characters.
   Sentry Service Principal
   The service principal for the Sentry service account, preceded by HTTP/. For example, if the user name of the service account is sentry1_eas_kcd, the service principal would be HTTP/sentry1_eas_kcd.
   Password
   Password for the Sentry service account.

2. Optionally, configure one or more Key Distribution Centers.
   The Key Distribution Center is the network service that supplies session tickets and temporary session keys. This is generally the Active Directory domain controller host name.
   If you do not configure a KDC, the system auto-detects the KDC.

3. Click Save.
   Note: The Sentry restarts when you click Save.


Managing certificates for Standalone Sentry

You can generate, upload, and view certificates for Standalone Sentry from the Settings > Sentry page on the Admin Portal.
Standalone Sentry presents this certificate to devices so that the devices know that the Sentry server is a trusted server. Sentry also presents its certificate to other servers connecting to it, such as a server that performs health checks on Sentry.
This certificate is not the same as:
- The certificate that devices use to authenticate themselves to Sentry.
  For information about device certificates, see Device and server authentication support for Standalone Sentry on page 328.
- The portal certificate that Sentry presents to browsers to identify itself as a trusted server.
  For more information, see Certificate Management in the MobileIron Sentry Administration Guide.
The Standalone Sentry certificate can be one of the following:
- A certificate from a trusted Certificate Authority (CA), such as Verisign or Entrust.
- A self-signed certificate.
If you use a self-signed certificate, a device or server that is connecting to Sentry is warned that the Sentry's certificate is not from a trusted source. Therefore, we recommend that you use a certificate from a trusted Certificate Authority.
To get a certificate from a trusted Certificate Authority, use the Sentry page on the Admin Portal to generate a certificate signing request (CSR) to the CA. Once you receive the signed certificate, you can use the same page to upload it to the VSP, which sends it to Sentry.

Generating a self-signed certificate for Sentry

To generate a self-signed certificate for Sentry:

1. Select Settings > Sentry in the Admin Portal.

2. Click the Manage Certificate link for the Standalone Sentry.


3. Select Generate Self-Signed Certificate from the drop-down list.

4. Click Generate Self-Signed Certificate.

Generating a CSR for Sentry

You can use the Admin Portal to generate a certificate signing request (CSR) to a Certificate Authority.
To generate a CSR for Sentry:

1. Select Settings > Sentry in the Admin Portal.

2. Click the Manage Certificate link.


3. Select Generate CSR.

4. Use the following guidelines to complete the form:

   Field         Description
   Common Name   Enter the server host name.
   E-Mail        Enter the email address of the contact person in your organization who should receive the resulting certificate.
   Company       Enter the name of the company requesting the certificate.
   Department    Enter the department requesting the certificate.
   City          Enter the city in which the company is located.
   State         Enter the state in which the company is located.
   Country       Enter the two-character abbreviation for the country in which the company is located.
   Key Length    Select 1024 or 2048 to specify the length of each key in the pair.

5. Click Generate.
   A message similar to the following displays.


6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST to a text file.

7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to another text file.

8. Click OK.

9. Submit the file you created in step 6 to the certifying authority.
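Steps 6 and 7 amount to splitting one PEM dump into two files by block label, and the point of keeping them separate is that only the CERTIFICATE REQUEST block goes to the CA while the RSA PRIVATE KEY block stays with you. The following added example (not MobileIron code) does that split programmatically and refuses a paste that lacks either block; the function names are constructed, and the sample dialog text it runs on is constructed with dummy base64 in place of a real request and key.

```python
"""Split a PEM dump into the CSR and private-key files that steps 6 and 7 describe.

Added example, not MobileIron code. Function names are constructed; the PEM
block labels (CERTIFICATE REQUEST, RSA PRIVATE KEY) are the ones the guide's
Generate CSR dialog shows.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A PEM block is a BEGIN line, one or more base64 body lines, and a matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+?)"
    r"-----END (?P=label)-----"
)


def extract_pem_blocks(text: str) -> dict[str, str]:
    """Return {label: full PEM block} for every well-formed block in text.

    A block whose END label does not match its BEGIN label is not matched at
    all, so an incompletely copied dialog does not yield a half block.
    """
    blocks: dict[str, str] = {}
    for match in _PEM_BLOCK.finditer(text):
        label = match.group("label")
        if label in blocks:
            raise ValueError(f"more than one {label} block in input")
        blocks[label] = match.group(0) + "\n"
    return blocks


def split_csr_and_key(text: str, out_dir: str | None = None) -> tuple[Path, Path]:
    """Write the CSR to sentry.csr and the key to sentry.key under out_dir.

    Raises ValueError if either block is missing so a truncated paste is not
    silently turned into a useless file. The key file is chmod 0600 because,
    unlike the CSR, it must never be sent to the CA. When out_dir is None a
    fresh temporary directory is used.
    """
    blocks = extract_pem_blocks(text)
    missing = [lbl for lbl in ("CERTIFICATE REQUEST", "RSA PRIVATE KEY") if lbl not in blocks]
    if missing:
        raise ValueError(f"input lacks block(s): {', '.join(missing)}")
    target = Path(out_dir) if out_dir else Path(tempfile.mkdtemp())
    target.mkdir(parents=True, exist_ok=True)
    csr_path = target / "sentry.csr"
    key_path = target / "sentry.key"
    csr_path.write_text(blocks["CERTIFICATE REQUEST"])
    key_path.write_text(blocks["RSA PRIVATE KEY"])
    key_path.chmod(0o600)
    return csr_path, key_path


# Constructed sample of what the Generate CSR dialog shows; the base64 is dummy data.
SAMPLE_DIALOG_TEXT = """\
Copy the content below:
-----BEGIN CERTIFICATE REQUEST-----
MIIBvTCCASYCAQAwfTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVN0YXRlMQ0wCwYD
QQQHEwRDaXR5MQ==
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDdummykeymaterialdummykeymaterialdummykeymaterial00
AAAA
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    csr, key = split_csr_and_key(SAMPLE_DIALOG_TEXT)
    print("CSR written to", csr, "(send this to the CA)")
    print("key written to", key, "(keep this; it is the Key file uploaded later)")
```

Paste the dialog contents into a file and pass its text to split_csr_and_key; the resulting sentry.csr is the file for step 9, and sentry.key is the Key file you upload together with the signed certificate.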

Uploading Sentry certificates

When you receive the CA certificate from the certifying authority, upload the certificate files to Standalone Sentry as follows:

1. Select Settings > Sentry in the Admin Portal.

2. Click the Manage Certificate link.


3. Click the Browse button and select a file to be uploaded. If there are additional files, click the Add another file link.
   Select the certificates as indicated in the following table:

   Field               File to Select
   Key file            The file created in step 8 of Generating a CSR for Sentry on page 338.
   Server certificate  The CA certificate file you received from the certifying authority.
   CA certificate      The generic CA certificate file.

4. Click Upload Certificate.

Viewing a Sentry certificate

To view the current Sentry certificate:

1. Select Settings > Sentry in the Admin Portal.

2. Click the View Certificate link.


Email attachment control support for Standalone Sentry

Email attachment control is part of the Docs@Work feature. For an overview of Docs@Work, see Docs@Work for email attachment control on page 454.
Up to four emails embedded within the email are supported. All attachment control options are supported for each of the embedded emails. If an email contains five or more levels of embedded emails, Sentry encrypts/converts all attachments, including text and image files.

Supported devices

The devices that Standalone Sentry supports for email attachment control are listed in the Docs@Work chapter in Supported devices on page 456.
Important: On iOS devices, Sentry supports email attachment control only for the iOS native email client. It does not support third-party iOS email clients. If you are using attachment control, and some iOS devices use third-party iOS email clients, configure a separate Sentry for those devices. On that Sentry, do not enable attachment control.

Email attachment control options

For each Standalone Sentry, you can configure the type of email attachment control you want to use in the VSP Admin Portal. For configuration steps, see Configuring email attachment control on page 348.
The following table summarizes the email attachment control options that are supported on iOS and non-iOS devices (see Android devices with AppConnect enabled on page 457):

   Email attachment control option                                  iOS devices using the iOS native email client   Android with Secured Email   Other platforms (including Android using unsecured apps)
   Remove attachment (page 343)                                     Supported, but typically not used               Supported                    Supported
   Open Only with Docs@Work (page 343)                              Supported                                       Not supported                Not supported
   Open Only with Docs@Work and Protect with Encryption (page 344)  Supported                                       Not supported                Not supported
   Deliver as is (page 345)                                         Supported, but typically not used               Not supported                Supported
   Open with Secure Email App (page 345)                            Not supported                                   Supported                    Not supported

Remove attachment

The Remove attachment option causes the Standalone Sentry to remove attachments from emails, replacing each attachment with another file. The name of the replacement file is the original attachment file name appended with .removed.html. For example, myDocument.pdf is replaced with myDocument.pdf.removed.html.
The replacement file contains the following text message:
"The original attachment was removed as required by the security policies of your administrator."
On iOS devices, the message is translated according to the language setting of the device. The following languages are supported:
- United States English
- Simplified Chinese
- Korean
- Japanese
- French
- German
The language defaults to United States English if the language setting is not one of the supported languages.
Supported devices: This option is available on non-iOS and iOS devices.
Note: Typically, you won't use this option on iOS devices or on Android devices that use secure apps. Other options are available on these devices that are less intrusive, but still keep the attachments secure.

Open Only with Docs@Work

The Open only with Docs@Work option means that attachments open only in Mobile@Work. The user cannot open the attachment using any other apps on the device. The user also cannot cut and paste content from the attachment into any other app.


The Standalone Sentry appends the file name of the attachment with .secure. For
example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the
only app that can open files with the .secure file extension.
If Mobile@Work does not support viewing a particular file type, it presents an error
message when the user tries to view the attachment. See Supported files in the
Mobile@Work for iOS app on page 475.
Supported devices: This option is available only on iOS devices.

Open Only with Docs@Work and Protect with Encryption

The Open only with Docs@Work, and protect with encryption option means that attachments open only in Mobile@Work. The user cannot open the attachment using any other apps on the device. The user also cannot cut and paste content from the attachment into any other app. Furthermore, the Standalone Sentry encrypts the attachment, and only Mobile@Work is able to decrypt it, and therefore, display it.
The Standalone Sentry appends the file name of the attachment with .secure. For example, myDocument.pdf is renamed myDocument.pdf.secure. Mobile@Work is the only app that can open files with the .secure file extension.
Mobile@Work is unable to display the file in the following cases:
- It does not support the file type. In this case, it presents an error message when the user tries to view the attachment. See Supported files in the Mobile@Work for iOS app on page 475.
- Its encryption key does not match the attachment's encryption key. For more information about this case and how to avoid it, see Regenerate the encryption key if it is compromised on page 350.
Note: When the device user saves a local copy of an email attachment, the saved copy is protected by the device's data encryption.

When to use encryption

The encryption protection provides additional access control for the attachment, making it prohibitively difficult for a malicious app to view the content. However, encryption protection has an impact on Standalone Sentry performance.
Therefore, use the encryption option only if the following statements are true:
- You are operating in a high security environment.
- You are using a physical appliance for your Standalone Sentry or you are using the Virtual Standalone Sentry large configuration.
Note: Attempts to configure the encryption option fail for other Standalone Sentry configurations.

Configuration considerations

Changing to or from this option requires you to re-push the Exchange app setting to the Standalone Sentry's devices. For more information, see Changing the encryption option on page 349.


Supported devices: This option is available only on iOS devices.

Deliver as is

The Deliver as is option delivers all email attachments in their original form. The device user views attachments with any available apps that work with the type of attachment.
Supported devices: This option is available on non-iOS and iOS devices.
Consider the following:
- Typically, you won't use this option on iOS devices, because other options that keep the attachments secure are available for iOS devices.

Open with Secure Email App

Typically, you use this option on Android devices for which you have enabled secure apps. Secure apps are available starting with version 5.1 of the Mobile@Work for Android app. This option delivers attachments to the secure AppConnect container. Only AppConnect apps can open the attachment.
For more information, see Using AppConnect for Android.
Supported devices: This option is available on Android devices that are using secure apps.

Forwarding emails with attachments

When a device user forwards an email that has an attachment, the attachment in the forwarded email is the original attachment. However, if the ActiveSync server delivers the email to another device that Standalone Sentry manages, Standalone Sentry applies the email attachment control to the forwarded email's attachment.
Note: The exception to this behavior involves the behavior of the iOS Mail app. If the email attachment control option is Remove Attachment, the iOS Mail app forwards the replacement file -- the file that contains the replacement text and has the .removed.html file extension. The original attachment is not forwarded. However, you typically do not use the "Remove Attachment" option on iOS devices.

File types that email attachment control supports

Each email attachment has a MIME type. MIME stands for Multipurpose Internet Mail Extensions. MIME is an Internet standard for describing the kind of content that a file contains. An email program, such as the iPhone Mail app or Microsoft Outlook on a Windows PC, sets the MIME type of an email attachment.
Standalone Sentry uses the MIME type to determine which attachments it should apply attachment control to. Although it does not make the decision based on file extension, a typical mapping exists between file extensions and MIME types.


Therefore, in most email environments, Standalone Sentry performs attachment control for files with commonly used file extensions. For example, some of these file types are:
- Microsoft Word documents (.doc, .docx)
- Adobe Acrobat documents (.pdf)
- Microsoft Excel documents (.xls, .xlsx)
- Microsoft PowerPoint documents (.ppt, .pptx)
- Rich Text Format files (.rtf)
- Rich Text Format directory (.rtf.zip)
- Archive files (.zip, .tar)
- Apple Pages documents (.pages)
- Apple Numbers spreadsheet files (.numbers)
- Apple Keynote presentation files (.key)
- Audio files (.mp3, .mp4, and others)
- Video files (.wmv, .mkv, and others)
- Certificate files (.cer, .p12, and others)

Image and text files

Image files and text files are a special case. Standalone Sentry performs attachment control only for .csv text files. For all other image and text files, Standalone Sentry does not perform attachment control when you use one of these options:
- Open only with Docs@Work
- Open only with Docs@Work, and protect with encryption
The device user can open image and text files using any appropriate app. This special case allows emails with embedded text or image attachments, such as signatures, to always be accessible.
Image files typically have one of the following file extensions:
- .png
- .jpeg, .jpg
- .gif
- .tiff
- .bmp
Text files typically have one of the following file extensions:
- .txt
- .html
- .log


File type support summary

The following table summarizes when a Standalone Sentry applies attachment control for different file types:

   File type                      Open with Docs@Work   Open with Docs@Work and protect with encryption   Remove attachments
   Image files                    Not applied           Not applied                                       Applied
   Text files                     Not applied           Not applied                                       Applied
   Microsoft RMS encrypted files  Not applied           Not applied                                       Applied
   Other files                    Applied               Applied                                           Applied
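The rules spread over the preceding pages (the decision is made on MIME type, .csv is the one text type that is controlled, image and text files are exempt from the two Docs@Work options but not from Remove attachments, the .removed.html and .secure renames, RMS-encrypted files in the summary table, and conversion of everything once an email is nested five or more levels deep) combine into one decision procedure. The following added example (not MobileIron code, and not a description of Sentry's internals) models that procedure so an administrator can predict what a given attachment will look like on the device under each option. The class and function names and the sample attachments are constructed; how Sentry recognises an RMS-protected file is not stated in the guide, so that is an explicit flag here.

```python
"""Model of Standalone Sentry's attachment control decision for one attachment.

Added example, not MobileIron code. Names and sample data are constructed;
the rules are the ones stated in the guide: the decision is by MIME type,
image and text files are exempt from the two Docs@Work options except .csv,
Remove attachments applies to every type, Microsoft RMS encrypted files are
exempt from the Docs@Work options, and once an email is nested five or more
levels deep every attachment (text and images included) is encrypted/converted.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Option(Enum):
    DELIVER_AS_IS = "Deliver as is"
    REMOVE = "Remove attachments"
    DOCS_AT_WORK = "Open only with Docs@Work"
    DOCS_AT_WORK_ENCRYPTED = "Open only with Docs@Work, and protect with encryption"


# Up to four embedded-email levels get the per-file rules; deeper than that,
# the guide says, all attachments are encrypted/converted.
MAX_CONTROLLED_NESTING = 4


@dataclass(frozen=True)
class Attachment:
    filename: str
    mime_type: str               # set by the sending mail client, as the guide notes
    nesting_level: int = 0       # 0 = top-level email, 1 = first embedded email, ...
    rms_protected: bool = False  # assumption: RMS detection mechanism is not stated


@dataclass(frozen=True)
class Outcome:
    delivered_name: str
    action: str  # "pass", "remove", "secure" or "secure+encrypt"


def is_exempt_media(att: Attachment) -> bool:
    """Image/text attachments are left alone by the Docs@Work options, except .csv."""
    if att.mime_type == "text/csv":
        return False
    return att.mime_type.startswith("image/") or att.mime_type.startswith("text/")


def apply_attachment_control(att: Attachment, option: Option) -> Outcome:
    """Return how Sentry would deliver `att` when the Sentry is set to `option`."""
    if option is Option.DELIVER_AS_IS:
        return Outcome(att.filename, "pass")
    if option is Option.REMOVE:
        # The replacement file carries the administrator's notice; applies to all types.
        return Outcome(att.filename + ".removed.html", "remove")
    too_deep = att.nesting_level > MAX_CONTROLLED_NESTING
    if not too_deep and (is_exempt_media(att) or att.rms_protected):
        return Outcome(att.filename, "pass")  # opens in any suitable app
    action = "secure+encrypt" if option is Option.DOCS_AT_WORK_ENCRYPTED else "secure"
    return Outcome(att.filename + ".secure", action)


def preview(attachments: list[Attachment], option: Option) -> dict[str, str]:
    """Map each original file name to the name the device will receive."""
    return {a.filename: apply_attachment_control(a, option).delivered_name for a in attachments}


if __name__ == "__main__":
    # Constructed sample message: a PDF, an inline signature image and a CSV export.
    sample = [
        Attachment("myDocument.pdf", "application/pdf"),
        Attachment("signature.png", "image/png"),
        Attachment("export.csv", "text/csv"),
    ]
    for opt in Option:
        print(opt.value, "->", preview(sample, opt))
```

Feeding the same sample through each Option value shows the practical difference between the two Docs@Work settings and Remove attachments: the signature image is untouched by the former and replaced by the latter, while the CSV is treated like a document throughout.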

Standalone Sentry S/MIME handling to sign or encrypt emails

Digitally signed emails

Most email apps can use S/MIME (Secure/Multipurpose Internet Mail Extensions) to digitally sign an email, if the email user requests it. The receiving email app processes this email signature to validate the following:
- The sender's identity
- Whether the email has been tampered with
The Standalone Sentry does some processing on each email that is directed to an ActiveSync device. This processing breaks the security of the email signature. Therefore, when an email app receives a signed email, the app always indicates to the user that it cannot validate the sender's identity and that the email has been tampered with.
For example, the iOS Mail app displays the email's From field in red if:
- an iOS device user has enabled S/MIME in the iOS Mail app
- the iOS Mail app receives an S/MIME email through Standalone Sentry

Encrypted emails

S/MIME can also be used to encrypt emails, although this use of S/MIME is not common. Standalone Sentry passes along an S/MIME encrypted email with no impact to the email.


Configuring email attachment control

Use the VSP Admin Portal to configure email attachment control.
Do the following high-level steps:

1. Enable the Docs@Work preference setting.
   See Enable Docs@Work on page 462.

2. Configure each Standalone Sentry's attachment control options.
   See Configure the Standalone Sentry on page 348.

3. Regenerate the encryption key if the key is compromised.
   See Regenerate the encryption key if it is compromised on page 350.

Configure the Standalone Sentry

You configure each Standalone Sentry with an email attachment control option for:
- iOS devices
- Android devices with Secured Email
- Other devices
If you require different options for different users, use a different Standalone Sentry for each set of users.
Before you configure Open only with Docs@Work or Open only with Docs@Work and protect with encryption options for iOS devices, make sure you have enabled Docs@Work as described in Enable Docs@Work on page 462. The default setting for Attachment Control is Disabled. If Attachment Control is set to Disabled, Standalone Sentry uses the Deliver As Is option for iOS and non-iOS devices.
To configure email attachment control options:

1. Go to Settings -> Sentry in the Admin Portal.

2. Click Edit next to the Standalone Sentry entry.

3. Select Enable Attachment Control.
   This option is available only if you selected Enable ActiveSync.
   Note: Not selecting this option means the Standalone Sentry uses the Deliver As Is option for iOS and non-iOS devices.

4. For iOS, select the type of attachment control that you want to use.
   For a description of the options, see Email attachment control options on page 342.
   Note: Make sure you have enabled Docs@Work as described in Enable Docs@Work on page 462 if you choose Open only with Docs@Work or Open only with Docs@Work and protect with encryption.
   Note: Select Open only with Docs@Work and protect with encryption only if you are using the large configuration for the Standalone Sentry. For the small and medium configurations, configuring and saving this option results in an error. To check for this error, see Checking for configuration errors on page 349.


5. For Other Platforms, select the type of attachment control that you want to use.
   The only options are Remove Attachments and Deliver As Is. See Email attachment control options on page 342.

6. Click Save.
   The Standalone Sentry restarts when you click Save. A restart can cause a brief interruption in email service to device users.

7. If you changed to or from the option Open only with Docs@Work and protect with encryption, you see the following:
   Click Yes if you understand and agree to the impact.
   For more information about re-pushing the Exchange app setting, see Changing the encryption option on page 349.

Checking for configuration errors

If the Standalone Sentry is not available when you click Save, it does not receive the new settings. When the Standalone Sentry is available again, open the Edit Standalone Sentry view and click Save to send the new settings.
To find out if the Standalone Sentry failed to apply the changes, go to Settings -> Sentry. Click View Errors on the Standalone Sentry's setting for the detailed error message.

Changing the encryption option

Changing the option Open only with Docs@Work, and protect with encryption requires you to re-push the Exchange app setting to the iOS devices that the Standalone Sentry works with. Otherwise, users will be unable to read or forward previously received attachments.
Important: The re-push sends the Exchange app setting to all devices with the appropriate label, not just the iOS devices.
The re-push causes the email app on each affected device to:
- resynch its emails, calendar items, tasks, and contacts. For example, the email app removes all emails from its email folders and then re-fetches the emails from the ActiveSync server.
- in some cases, prompt the device user to reenter his password for accessing email.


The easiest way to re-push an Exchange app setting to a device is to make a simple change, such as adding a space at the end of the Description field. The next time each device checks in, the VSP will send the Exchange app setting to the device.

Therefore, change to or from the encryption option only if:
- you can make the change during a planned maintenance period or non-peak operating hours.
- you have notified users about what to expect.

To re-push the Exchange setting after changing the encryption option:

1. In the Admin Portal, go to Policies & Configs > Configurations.

2. Select an Exchange app setting that uses the Standalone Sentry with the changed attachment control option.

3. Click Edit.

4. Add a space to the end of the Description field.

5. Click Save.

6. Repeat steps 2 through 5 for each Exchange app setting that uses the Standalone Sentry with the changed attachment control option.

Regenerate the encryption key if it is compromised

Standalone Sentry uses an encryption key to encrypt email attachments when the attachment control option is Open only with Docs@Work, and protect with encryption. The VSP provides one encryption key to all Standalone Sentries using the encryption option. The VSP generates the encryption key the first time you select the encryption option. The encryption key is compromised if malicious third-party apps are using it to view email attachments.
If you think the key is compromised, you can generate a new key. However, before generating a new key, consider the following:
- Key regeneration causes a restart for all Standalone Sentries that are using encryption for attachment control. A restart can cause a brief interruption in email service to device users.
- Key regeneration prevents users from reading previously received attachments, unless you subsequently re-push the Exchange app setting to the devices.
  Previously received attachments are encrypted with the old key, but Mobile@Work uses the new key after key regeneration. Therefore, Mobile@Work cannot display the old attachment.
  Furthermore, consider the scenario when a device user forwards an email with an attachment encrypted with the old key. The Standalone Sentry is unable to decrypt the attachment because it is using the new key. In this case, the Standalone Sentry replaces the attachment with a text file with an explanatory message.
  Therefore, key regeneration requires you to re-push the Exchange app setting to devices. The re-push causes the email app to remove all emails from its email folders and then re-fetch the emails from the ActiveSync server. Re-fetching the emails means that the Standalone Sentry encrypts the email attachments with the new key.
  Important: The re-push sends the Exchange app setting to all devices with the appropriate label, not just the iOS devices.
  The re-push causes the email app on each affected device to:
  - resynch its emails, calendar items, tasks, and contacts with the ActiveSync server. For example, the email app removes all emails from its email folders and then re-fetches the emails from the ActiveSync server.
  - in some cases, prompt the device user to reenter his password for accessing email.
  The easiest way to re-push an Exchange app setting to a device is to make a simple modification, such as adding a space at the end of the Description field. The next time each device checks in, the VSP will send the Exchange app setting to the device.

Therefore, regenerate the key only if:
- the key has been compromised.
- you can regenerate the key during a planned maintenance period or non-peak operating hours.
- you have notified users about what to expect.

To regenerate the key, do the following.

1. In the Admin Portal, go to Settings -> Sentry -> Preferences.

2. Click Regenerate Key.


3. Click Yes if you are sure you want to regenerate the key.

4. Go to Policies & Configs > Configurations.

5. Select an Exchange setting that uses a Standalone Sentry configured with the attachment control encryption option.

6. Click Edit.

7. Add a space to the end of the Description field.

8. Click Save.

9. Repeat steps 5 through 8 for each Exchange setting that uses a Standalone Sentry configured with the attachment control encryption option.

Note: If a Standalone Sentry is not available when you regenerate the key, its entry in Sentry > Settings displays an error:


To send the new encryption key when the Standalone Sentry is available again:
1. Go to Settings > Sentry in the Admin Portal.
2. Click Edit next to the Standalone Sentry entry.
3. Click Save in the Edit Standalone Sentry screen.


ActiveSync server background health check


Standalone Sentry performs periodic background health checks to determine if the
ActiveSync server is up. Background health check is enabled by default.
Note: Disable Background health check if you are using only one ActiveSync server or
if you are using Lotus Notes Traveler 8.5.3.
Perform the following steps to change the Background health check settings for the
ActiveSync server:
1. In the Admin Portal, go to Settings > Sentry.
2. Click the edit icon for the Sentry.
3. In the Edit Standalone Sentry page, under ActiveSync Configuration, expand
   ActiveSync Server Configuration.
Use the following guidelines to configure background health check for ActiveSync
servers:
Enable Background Health Check: Clear the check box to disable the ActiveSync server
health check. If enabled, when the ActiveSync server fails the number of times
configured in the Dead Threshold setting within the number configured in the Failure
Window, the ActiveSync server status shows Unreachable. When the background health
check determines that the server is live for the number of times configured for Live
Threshold, the ActiveSync server status shows Reachable.
Interval: Specify the time interval, in seconds, at which Sentry performs a background
health check. The valid range is 10 through 600. The default is 60.
Live Threshold: Specify the number of times the ActiveSync server background health
check must be successful before the server is marked as live. The valid range is 1
through 10. The default is 3.
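The thresholds above describe a small state machine. The following Python model is an added example, not MobileIron code: it replays a constructed sequence of check results to show when the status flips to Unreachable and back to Reachable, and how the Interval multiplies into detection latency. The Dead Threshold and Failure Window ranges and defaults are not stated on this page, so the values used for them (and counting the Failure Window in checks) are assumptions.

```python
"""Model of the Standalone Sentry ActiveSync server background health check.

Added example, not MobileIron code. Interval (10-600 seconds, default 60) and
Live Threshold (1-10, default 3) follow the page. The Dead Threshold and
Failure Window ranges and defaults are NOT on the page: the values below are
assumptions, and the Failure Window is assumed to be a count of recent checks.
"""
from collections import deque

REACHABLE = "Reachable"
UNREACHABLE = "Unreachable"


class HealthCheckConfig:
    """The settings of the ActiveSync Server Configuration panel."""

    def __init__(self, enabled=True, interval=60, live_threshold=3,
                 dead_threshold=3, failure_window=5):
        if not 10 <= interval <= 600:
            raise ValueError("Interval must be 10 through 600 seconds")
        if not 1 <= live_threshold <= 10:
            raise ValueError("Live Threshold must be 1 through 10")
        # Assumed sanity rule: a window smaller than the threshold never trips.
        if dead_threshold < 1 or failure_window < dead_threshold:
            raise ValueError("Failure Window must be >= Dead Threshold >= 1")
        self.enabled = enabled
        self.interval = interval
        self.live_threshold = live_threshold
        self.dead_threshold = dead_threshold
        self.failure_window = failure_window


class ActiveSyncHealthMonitor:
    """Tracks one ActiveSync server's status from a stream of check results."""

    def __init__(self, config):
        self.config = config
        # A server is treated as Reachable until the check proves otherwise.
        self.status = REACHABLE if config.enabled else None
        self.window = deque(maxlen=config.failure_window)  # recent results
        self.live_streak = 0
        self.transitions = []  # (check number, new status)

    def record(self, check_number, success):
        """Feed one check result (True = server answered); return status."""
        if not self.config.enabled:
            return None  # check disabled: no status is maintained
        if self.status == REACHABLE:
            self.window.append(success)
            failures = sum(1 for ok in self.window if not ok)
            if failures >= self.config.dead_threshold:
                self.status = UNREACHABLE
                self.live_streak = 0
                self.transitions.append((check_number, UNREACHABLE))
        else:
            # Only successes count toward recovery; a failure resets the streak.
            self.live_streak = self.live_streak + 1 if success else 0
            if self.live_streak >= self.config.live_threshold:
                self.status = REACHABLE
                self.window.clear()
                self.transitions.append((check_number, REACHABLE))
        return self.status


def run_checks(config, results):
    """Replay a list of check results; return (final status, transitions)."""
    monitor = ActiveSyncHealthMonitor(config)
    for number, ok in enumerate(results, start=1):
        monitor.record(number, ok)
    return monitor.status, monitor.transitions


def worst_case_latency(config):
    """Seconds from an outage (or recovery) to the status change reporting
    it, when every check in between returns the same result."""
    return {
        "outage_to_unreachable": config.dead_threshold * config.interval,
        "recovery_to_reachable": config.live_threshold * config.interval,
    }


if __name__ == "__main__":
    cfg = HealthCheckConfig()  # page defaults plus the assumed dead/window values
    # Constructed results: two isolated failures, then a real outage and recovery.
    print(run_checks(cfg, [True, False, True, False, False, True, True, True]))
    print(worst_case_latency(cfg))
```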

Viewing the ActiveSync server status


To view the status for the ActiveSync server, go to either of the following:
- In the Admin Portal, go to Settings > Service Diagnostic.
- In the Standalone Sentry System Manager, go to Troubleshooting > Service Diagnosis.


Setting Sentry preferences


Using Settings > Sentry > Preferences in the VSP Admin Portal, you can set the
following preferences for the MobileIron integration with ActiveSync:
- Auto Block Unregistered Devices. See Auto blocking unregistered devices on page 355.
- Sentry Sync Interval. See Setting the Sentry Sync Interval on page 355.
- Service Account Notification Email. See Setting the Service Account Notification
  Email on page 356.
- Default ActiveSync Policy behavior. See Default ActiveSync Policy behavior on page 356.
Using Settings > Sentry > Preferences, you can also regenerate the encryption key
that Standalone Sentries use when they encrypt email attachments.
See Regenerate the encryption key if it is compromised on page 350.

Auto blocking unregistered devices


By default, Sentry allows unregistered devices to access the ActiveSync server. Use
this setting to change Sentry's behavior to block unregistered devices from access.
Note: When you change this setting, Standalone Sentry immediately changes its
behavior to reflect the setting. Integrated Sentry informs the Microsoft Exchange
Server to change its behavior the next time Integrated Sentry syncs with the VSP.
To automatically block ActiveSync phones that are not registered with MobileIron:
1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. Select Auto Block Unregistered Devices.
For other methods for blocking devices from accessing the ActiveSync server, see the
following:
- Block on page 372
- Working with security policies on page 147

Setting the Sentry Sync Interval


The Sentry Sync Interval is only applicable to Integrated Sentry. This setting specifies
how often the VSP and Integrated Sentry sync their data. For example:
- The VSP gets the Microsoft Exchange server's ActiveSync policies and devices from
  Integrated Sentry.
- The VSP gives its ActiveSync policies to Integrated Sentry to give to the Microsoft
  Exchange server.


To change the Sentry Sync Interval value:
1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. Set the Sentry Sync Interval to the preferred interval.

Setting the Service Account Notification Email


Configure this setting if you use a Standalone Sentry that uses Kerberos for device
authentication. This setting specifies the email addresses to notify if the Kerberos
service account is locked, disabled, or about to expire.
To change the Service Account Notification Email:
1. Click Settings in the Admin Portal.
2. Click Sentry.
3. Click Preferences.
4. In the Service Account Notification Email field, enter one or more email addresses.
   Separate the email addresses with commas.
For more information, see Authentication Using Kerberos Constrained Delegation.

Default ActiveSync Policy behavior


The Default ActiveSync Policy behavior is applied if an ActiveSync policy is not applied
to the device.
This behavior determines whether the Sentry applies the ActiveSync server's policy to
the device syncing with the ActiveSync server.
Note: It may take up to twenty-four hours for any changes to the Default ActiveSync
Policy behavior to take effect.
To change the settings:
1. In the Admin Portal, go to Sentry > Preferences.
2.
3. Set the default behavior. The settings are described in the following table.
   Remove AS Server policy: The ActiveSync server's policy is not applied to the device.
   Pass-through AS Server policy: The ActiveSync server's policy is applied to the
   device.
   Click Save.


Chapter 11

Working with ActiveSync Phones via MobileIron Sentry


ActiveSync devices and MobileIron Sentry


ActiveSync devices use the ActiveSync protocol to access a user's email, contacts,
calendar, tasks, and notes. The Standalone Sentry associates the user with the device
accessing the ActiveSync server, and allows you to manage these associations.
Note: The terms ActiveSync devices, ActiveSync phones, and ActiveSync associations
are used interchangeably and refer to the user and device accessing the ActiveSync
server. Actions which specifically impact only the user or the device are called out.
Before working with ActiveSync devices on the VSP Admin Portal, see the MobileIron
Sentry Administration Guide for information about the following:
- ActiveSync protocol versions
- ActiveSync devices
- ActiveSync policies, including how they compare to the security policies
- VSP, Standalone Sentry, and ActiveSync device interaction
Use the VSP Admin Portal to configure information relating to the Sentries that the
VSP works with. See Working with MobileIron Sentry on page 317.
Once you have configured your Sentries and understand ActiveSync devices in a
MobileIron deployment, use the VSP Admin Portal to manage the ActiveSync devices.
You can do the following tasks:
- Create and assign Exchange App Settings to devices. See Exchange settings on
  page 205.
- Create and assign Security policies to devices. See Working with security policies on
  page 147.
- Create and assign ActiveSync policies to mailboxes. See Working with ActiveSync
  policies on page 362.
- Add multiple ActiveSync accounts to a registered device. See Adding multiple
  ActiveSync accounts to a registered device on page 367.
- View information about ActiveSync devices. See Viewing ActiveSync associations on
  page 368.
- Block an ActiveSync device from accessing the ActiveSync server. See Block on
  page 372.
- Allow an ActiveSync device to access the ActiveSync server. See Allow on page 371.
- Wipe an ActiveSync device. See Wipe on page 374.
- Register an ActiveSync device. See Registering ActiveSync phones on page 375.
- Remove an ActiveSync device. See Removing ActiveSync phones on page 375.


- Associate an ActiveSync device with a registered device. See Linking an ActiveSync
  device to a managed device on page 375.
- Reestablish VSP management of a device. See Overriding and re-establishing VSP
  management of a device on page 375.
- Assign an ActiveSync Policy to a device. See Assigning an ActiveSync policy on
  page 376.
- Revert the ActiveSync Policy on a device. See Reverting an ActiveSync policy on
  page 377.


Working with ActiveSync policies


Platform support: Android: yes; iOS: yes; Win 7: yes; WP8: yes

ActiveSync policies specify settings to apply to selected ActiveSync devices.
ActiveSync devices use the ActiveSync protocol to connect to an ActiveSync server to
access a user's email, calendar, tasks, and contacts.
Note: We recommend assigning a MobileIron ActiveSync policy to devices other than
iOS, Android, and WP8 devices.
Before you configure ActiveSync policies, see The ActiveSync Policy in the MobileIron
Sentry Administration Guide.
Also, see the following information:
- Working with security policies on page 147 for detailed information about security
  policies.
- Working with policies on page 140 for information on general procedures for
  creating, editing, and applying policies.
To work with ActiveSync policies, from the Admin Portal go to Policies & Configs >
ActiveSync Policies.


Use the following guidelines to create or edit ActiveSync policies. Each item is listed
with its description and, where one exists, its default policy setting.

Name: Required. Enter a descriptive name for this policy. This is the text that will be
displayed to identify this policy throughout the Admin Portal. This name must be unique
within this policy type. Tip: Though using the same name for different policy types is
allowed (e.g., Executive), consider keeping the names unique to ensure clearer log
entries. Default: Default ActiveSync Policy.

Status: Select Active to turn on this policy. Select Inactive to turn off this policy.
Default: Active.

Description: Enter an explanation of the purpose of this policy.

Password

Password: Select Mandatory to specify that the user must enter a password before
being able to access the device. Otherwise, select Optional, which allows the user to
determine whether the password will be set. Note: If you intend to use the Lock
feature in case the phone is lost or stolen, then a password must be set on the phone.
Therefore, specifying a mandatory password is strongly advised. Default: Optional.

Password Type: Specify whether the password should be simple numeric input, be
restricted to alphanumeric characters, or have no restrictions (that is, Don't Care).
Default: Simple.

Minimum Password Length: Enter a number between 1 and 10 to specify the minimum
length for the password. Leave this setting blank to specify no minimum.

Maximum Password Inactivity Timeout: Select the maximum amount of time to allow as
an inactivity timeout. The user can then specify up to this value as the interval after
which the password must be re-entered.

Minimum Number of Complex Characters: Specify the minimum number of special
characters that must be included in a password.

Maximum Password Age: Select Unlimited or Limited to indicate whether to enforce
limits on password age. If you select Limited, specify the number of days after which
the password will expire.

Maximum Number of Failed Attempts: Specify the maximum number of times the user
can enter an incorrect password before all access is denied. Select a number between
4 and 16.

Password History: Specify the number of passwords remembered to ensure that users
define a different password. For example, if you want to prevent users from repeating
a password for the next four password changes, enter 4.

Lockdown

Text Messaging: Specify whether to enable text messaging on the phone via
ActiveSync. Default: Enable.

POP/IMAP Email: Specify whether to enable email forwarding access on the phone via
ActiveSync. Default: Enable.

DesktopSync: Specify whether to enable DesktopSync on the phone. Default: Enable.

HTML Email: Specify whether to enable HTML Email access on the phone. Default:
Enable.

Browser: Specify whether to enable browser access on the phone. Default: Enable.

Security

Policy Refresh Interval: Specify the time that should elapse between attempts to
synchronize policy settings with the ActiveSync server. Default: Limited: 0 Days,
0 Hours.

Block ActiveSync connection for smartphone when: Select Per-Mailbox smartphone
count exceeds to block ActiveSync connections if too many devices have the same
mailbox. Specify the number of devices to set as the limit. When the limit is exceeded,
the last device that attempts to access the ActiveSync server is blocked. Blocking an
iOS device also includes blocking its access to the Docs@Work features. See Block
impact on documents on page 473.

Data Encryption

Require Device Encryption: Specifies whether the device should be blocked from
accessing the ActiveSync server if the device does not support encryption. Blocking an
iOS device also includes blocking its access to the Docs@Work features. See Block
impact on documents on page 473. Default: Off.

Enable Device Encryption: Specifies whether to automatically turn on encryption if the
phone supports it. Default: Off.

Search Mailboxes: Enter a portion of the mailbox ID to find a mailbox. Note: This field
is not available for the default ActiveSync policy for Standalone Sentry. Default: None.

Apply to Mailboxes: Apply the policy to the selected mailboxes. Starting with
Standalone Sentry version 4.5, mailboxes configured in an ActiveSync policy only
enforce the number of devices set in the Per-Mailbox smartphone count exceeds field.
To manage devices with the ActiveSync policy, you must manually apply the ActiveSync
policy to each device. In earlier versions of the Sentry, the ActiveSync policy is
automatically applied to devices with mailboxes configured in the policy. The Default
ActiveSync Policy is automatically applied to devices that do not have mailboxes
configured in an ActiveSync policy. Note: This field is not available for the default
ActiveSync policy for Standalone Sentry. Default: not applicable.

In the ActiveSync Policies page, the # Phones value for an ActiveSync Policy displays
the number of devices to which the policy is applied. Since we don't recommend
assigning an ActiveSync policy to iOS, Android, and WP8 devices, you may only see
devices other than iOS, Android, and WP8.
The ActiveSync policy is assigned to a device in the ActiveSync Association page.


Adding multiple ActiveSync accounts to a registered device

Platform support: Android(a) | iOS | OS X | Win 7 | WP8 | yes
a. Only the first account can be configured by the VSP. The device user must manually
configure additional accounts. Also, only Android Email+ is supported. NitroDesk
TouchDown does not support multiple Email accounts.

Standalone Sentry and Integrated Sentry support multiple Email accounts on the
same device for the following use cases:
- The device user requires access to another user's Email account.
- The device user is a member of a group and requires access to the group's Email
  account.
Add additional ActiveSync Email accounts in one of the following ways:
- For iOS devices only, the admin creates a new Exchange setting and pushes it to
  the device.
  Before creating the Exchange setting, set a custom attribute, $User_Custom$, for
  the user on the ActiveSync Server. In the Exchange setting, in the ActiveSync User
  Name field, enter $USER_CUSTOM1$.
  For information on how to create an Exchange setting, see Working with Exchange
  Settings in the VSP Administration Guide for Version 5.6.
  No actions are required by the device user. To access the email account, the device
  user requires the password for the Email account.
  OR
- For iOS and Android devices, the device user manually adds the ActiveSync email
  account to the device.
  To add the Email account, the device user requires the following information:
  - The user name and password for the ActiveSync email account.
  - The Sentry FQDN.
Note: If multiple mailboxes are registered on a device and each uses a different
Exchange profile, in the ActiveSync Association page:
- The second mailbox displays as the same User as the first mailbox.
- The Mailbox ID for the second mailbox displays correctly.


Viewing ActiveSync associations


Platform support: Android | iOS | Win 7 | WP8 | yes | yes | yes

To display the users and the devices that connect via ActiveSync:
1. In the Admin Portal, click the Users & Devices tab.
2. Click the ActiveSync Associations link.

Information displayed for ActiveSync associations

The information displayed for ActiveSync associations includes the following columns:
DeviceID: The DeviceID for the device.
User: The device user.
Number: The device number.
Phone: The device model.
OS: The device platform.
Status: Indicates whether the device is registered with MobileIron.
- When a record is associated with a registered device on the VSP, the status displays
  as Registered(Linked).
- When a record is not associated with a registered device on the VSP, the status
  displays as Unregistered(Unlinked). Use the Link To feature to link the record to the
  corresponding registered device.
Sync Status: Indicates whether ActiveSync access for the device is Allowed or Blocked.
If an iOS device is blocked, it also cannot access the Docs@Work features. See Block
impact on documents on page 473.
First Sync Time: For Integrated Sentry, the First Sync Time displays the time stamp for
the first successful synchronization of data from the Exchange server. For Standalone
Sentry, the First Sync Time displays the time stamp when the device is first reported
by Sentry to the VSP as a new device.
Mailbox ID: Displays the ID for the synchronized mailbox as defined in ActiveSync.
Domain: Indicates whether the device connects via Integrated Sentry or Standalone
Sentry.


Filtering the ActiveSync associations list


To filter the devices displayed in the ActiveSync Devices page, select one of the
criteria in the drop-down list for Show.
You can filter the ActiveSync Devices list by these additional criteria:
Registered(linked): Displays records that are associated with a registered device on
the VSP.
Unregistered(unlinked): Displays records that are not associated with a registered
device on the VSP.
ActiveSync Policy Assigned: Displays associations with devices to which an ActiveSync
policy is manually assigned.
ActiveSync Action Applied in CY: Displays associations with devices on which an
ActiveSync action is applied in the calendar year.

Displaying more information for an ActiveSync association


In the ActiveSync Association page, select an ActiveSync record.
The ActiveSync Details pane on the right displays additional information about the
record. Click the arrow for a category to display additional details.
The following list summarizes the information available in the ActiveSync Details
pane.
User: The user (Email account) accessing the ActiveSync server.
Phone: The device number and model.
Device Details: Additional details received from the device.
Mailbox Details: The ActiveSync policy applied to the mailbox, and the redirect URL to
which the device is redirected, if there is a redirect URL.
Comment: Comments you may have added to this record.


Taking Actions on ActiveSync associations


Each ActiveSync user (Email account) on the device displays as a separate record in
the ActiveSync Association page.
Actions applied on a record in the ActiveSync Association page only impact the user
associated with the device in that record. If the user is also available on another
device, the user on that device is not impacted.
Note the following:
- The wipe behavior differs depending on the platform. For example, for any Android
  device, the Email+ client does not support ActiveSync Wipe.
- The Apply Policy and Revert Policy actions are applied to the device, not to the user.
- Additional users on the Samsung native client display as unregistered in the
  ActiveSync Associations page. To register the user, select the record, then click
  Link To to link to the corresponding device.
You can take the following actions on ActiveSync associations:
- Allow
- Block
- Wipe
- Register
- Remove
- Link To
- Assign Policy
- Revert Policy
Note: Allow, Block, and Wipe actions override the VSP's automatic decision-making
about a device's ability to access the ActiveSync server. For more information, see
Overriding and re-establishing VSP management of a device on page 375.
Note: We recommend applying ActiveSync actions to devices other than iOS, Android,
and WP8 devices. Wipe, Assign Policy, and Revert Policy are ActiveSync actions.

Allow

Platform support: Android: yes; iOS: yes; Win 7: yes; WP8: yes

Use the Allow button to allow blocked ActiveSync devices to access the ActiveSync
server. The Allow button also allows blocked iOS devices to access the Docs@Work
features as described in Block impact on documents on page 473.
Do the following:
1. In the Admin Portal, click the ActiveSync Associations link under the Users &
   Devices tab.
2. Select the entry for the blocked ActiveSync phone.
3. Click the Allow button.
4. Enter a note in the Allow ActiveSync dialog.
5. Click Allow ActiveSync.
Note: When you select Allow, you are overriding any VSP logic that wipes the device
or allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.

Block

Platform support: Android: yes; iOS: yes; Win 7: yes; WP8: yes

Use the Block button to block selected ActiveSync devices from accessing the
ActiveSync server.
For iOS devices, the Block button also keeps the selected ActiveSync devices from
accessing the Docs@Work features as described in Block impact on documents on
page 473.
The behavior when blocking access to the ActiveSync server is different depending on
whether you are using Standalone Sentry or Integrated Sentry (available only with an
on-premise VSP), as given in the following table.
Standalone Sentry: Block the user on the device. The Block action means that the
selected ActiveSync devices are blocked. However, if another ActiveSync device uses
the same mailbox, it is not blocked.
Integrated Sentry with Microsoft Exchange 2007: Block by mailbox. The Block action
means that the mailboxes of the selected ActiveSync devices are blocked. All other
ActiveSync devices using those mailboxes are also blocked. If you later use the Allow
action on a device, all the devices using the same mailbox are allowed.
Integrated Sentry with Microsoft Exchange Server 2010 SP1 and Microsoft Office 365:
Block by device. The Block action means that the selected ActiveSync devices are
blocked. However, if another ActiveSync device uses the same mailbox, it is not
blocked.
For Integrated Sentry, once a single phone has been blocked, you need to use the
Allow command to grant connections to future phones.
Complete the following steps to block an ActiveSync phone:
1. In the Admin Portal, click the ActiveSync Associations link under the Users &
   Devices tab.
2. Select the entry for the ActiveSync phone.
3. Click the Block button.
4. Enter a note in the Block ActiveSync dialog.
5. Click Block ActiveSync.
Note: When you click Block, you are overriding any VSP logic that wipes the device or
allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.

Wipe

Platform support: Android: yes; iOS: yes; Win 7: yes; WP8: yes

Wiping an ActiveSync phone sends an ActiveSync Wipe command to the phone, which
removes all data from the phone, returning the phone to factory defaults. Once you
wipe a phone, its status changes to Wiped, and the only valid action you can apply is
Remove.
Warning: Returning the phone to factory defaults removes all data. Once a wipe has
started, do not restart your phone. Interfering with the wipe process can render your
phone non-functional.
Note: Apply this action only to devices other than iOS, Android, and WP8 devices.
To wipe an ActiveSync phone:
1. Select the ActiveSync Devices view under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be wiped.
3. Click the Wipe button.
Note: When you click Wipe, you are overriding any VSP logic that wipes the device or
allows or blocks the device's access to the ActiveSync server. For more information,
see Overriding and re-establishing VSP management of a device on page 375.

Registering ActiveSync phones

Platform support: Android | iOS | Win 7 | WP8 | yes | yes

Registering an ActiveSync phone with MobileIron enables device management and
intelligence functions for the phone. See ActiveSync device registration on page 89
for information.

Removing ActiveSync phones


Removing an ActiveSync device removes the association between the phone and the
ActiveSync mailbox. All information about the phone is removed, including any
previously configured Allow, Block or Wipe commands.
To remove an ActiveSync phone:
1. Select the ActiveSync Devices view under the Users & Devices tab.
2. Select the checkbox for the ActiveSync phone to be removed.
3. Click the Remove button.
4. Enter a note in the Remove dialog.
5. Click ActiveSync Remove.
For more information about using Remove, see Overriding and re-establishing VSP
management of a device on page 375.

Linking an ActiveSync device to a managed device


In most cases, MobileIron automatically matches the device record on the ActiveSync
server to the corresponding device record on the VSP. If this link does not happen
automatically, you can use the Link To feature to establish this match.
To link a device in the ActiveSync Associations page to a device in the Devices page:
1. Select the device in the ActiveSync Devices page.
2. Click the Link To button.
3. Select the corresponding device from the popup.
4. Click Link To.

Overriding and re-establishing VSP management of a device


Unless you use the Allow, Block, or Wipe button for a device on the ActiveSync
Devices view, the VSP automatically makes decisions to perform allow, block, or wipe
actions based on the following:
- the device's security policy
- whether the maximum number of devices per mailbox has been exceeded
- whether you specified to auto block unregistered devices
However, once you select the Allow, Block, or Wipe button for the device, the VSP no
longer automatically makes these decisions. You can only manually make these
decisions using the Allow, Block, or Wipe buttons. To cause the VSP to once more
automatically make these decisions, click the Remove button. The next time the device
attempts to access its email, the VSP and Sentry resync information about the device,
and the VSP again makes these decisions automatically.
For example, consider the scenario where an executive's device is being blocked from
accessing email due to the device's security policy. Take the following steps:
1. Select the Allow button on the ActiveSync Devices view for the executive's device.
   This action immediately allows the executive to access email, without waiting for
   your further actions.
2. Use the VSP Admin Portal to update the device's security policy.
   For example, exclude the device from using the existing security policy, and create
   a new security policy for executives.
3. Click the Remove button on the ActiveSync Devices view.
   The VSP removes the device from the ActiveSync Devices view. The next time the
   device accesses its email, the VSP adds the device back to the view, and once again
   manages the device based on its security policy.
You can determine if a device was recently blocked or allowed, and if it was a manual
or automatic action. Using the VSP Admin Portal, do the following:
1. Select Log > Browse All.
2. Look for Block or Reinstate (which means allowed) in the Action column.
The Message column indicates if the action was due to the security policy. If the action
was manual, the Message column is either empty, or contains a note added by the
administrator who performed the manual action.
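The following Python model is an added example, not MobileIron code. It encodes the decision rules this chapter states (security policy, per-mailbox smartphone count, Auto Block Unregistered Devices, and the manual override that Remove clears), records the Block and Reinstate log entries those decisions produce, and replays the executive scenario above; the record fields, the message wording and the sample data are assumptions.

```python
"""Model of the VSP's automatic allow/block decisions for ActiveSync devices,
the manual Allow/Block/Wipe override, and the Log > Browse All entries.

Added example, not MobileIron code. Rules follow the page: a device is blocked
by its security policy, by exceeding the Per-Mailbox smartphone count (the last
device to attempt access is blocked) or by Auto Block Unregistered Devices; a
manual action sticks until Remove; the log shows Block or Reinstate, with the
policy reason for automatic actions and the admin's note for manual ones.
Field names, message wording and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOWED, BLOCKED, WIPED = "Allowed", "Blocked", "Wiped"
MANUAL = {"Allow": ALLOWED, "Block": BLOCKED, "Wipe": WIPED}


@dataclass
class AssociationRecord:
    device_id: str
    mailbox_id: str
    registered: bool          # Registered(Linked) or Unregistered(Unlinked)
    policy_compliant: bool    # assumed verdict of the device's security policy
    first_sync_time: int      # orders access attempts per mailbox (constructed)
    manual_action: Optional[str] = None  # "Allow", "Block" or "Wipe" pressed
    manual_note: str = ""                # note typed into the action dialog
    sync_status: str = ALLOWED           # Sync Status column


@dataclass
class Preferences:
    auto_block_unregistered: bool = False    # page default is No
    per_mailbox_limit: Optional[int] = None  # Per-Mailbox smartphone count


@dataclass
class LogEntry:
    device_id: str
    action: str   # "Block" or "Reinstate", as in the Action column
    message: str  # Message column: reason (automatic) or note (manual)


def _over_limit(records, limit):
    """Device IDs that exceed the per-mailbox limit; earliest syncs are kept."""
    if limit is None:
        return set()
    by_mailbox: Dict[str, List[AssociationRecord]] = {}
    for r in sorted(records, key=lambda x: x.first_sync_time):
        by_mailbox.setdefault(r.mailbox_id, []).append(r)
    return {r.device_id for devs in by_mailbox.values() for r in devs[limit:]}


def evaluate(records, prefs) -> Tuple[Dict[str, str], List[LogEntry]]:
    """Recompute every record's Sync Status; return statuses and log entries."""
    log: List[LogEntry] = []
    over = _over_limit(records, prefs.per_mailbox_limit)
    for r in records:
        if r.manual_action is not None:
            # A manual decision sticks: the VSP stops applying its own logic.
            new, reason = MANUAL[r.manual_action], r.manual_note
        elif not r.policy_compliant:
            new, reason = BLOCKED, "security policy"
        elif r.device_id in over:
            new, reason = BLOCKED, "per-mailbox smartphone count exceeded"
        elif prefs.auto_block_unregistered and not r.registered:
            new, reason = BLOCKED, "auto block unregistered devices"
        else:
            new, reason = ALLOWED, ""
        if new != r.sync_status and new in (ALLOWED, BLOCKED):
            action = "Block" if new == BLOCKED else "Reinstate"
            log.append(LogEntry(r.device_id, action, reason))
        r.sync_status = new
    return {r.device_id: r.sync_status for r in records}, log


def remove(record):
    """Remove button: the record is dropped and the device returns as a fresh
    record (no override, no prior status) on its next access attempt."""
    return AssociationRecord(record.device_id, record.mailbox_id,
                             record.registered, record.policy_compliant,
                             record.first_sync_time)


def executive_scenario():
    """The page's worked example: blocked by policy, allowed by hand, policy
    fixed, then Remove hands the decision back to the VSP."""
    prefs = Preferences()
    dev = AssociationRecord("EXEC-DEVICE-1", "exec@example.test", True, False, 1)
    statuses, log = [], []

    def step(record):
        result, entries = evaluate([record], prefs)
        statuses.append(result[record.device_id])
        log.extend((e.action, e.message) for e in entries)

    step(dev)                                  # security policy blocks the device
    dev.manual_action, dev.manual_note = "Allow", "approved, see ticket"
    step(dev)                                  # manual Allow wins despite the policy
    dev.policy_compliant = True                # new security policy for executives
    dev = remove(dev)                          # Remove clears the override
    step(dev)                                  # the VSP decides again, now allows
    return statuses, log
```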

Assigning an ActiveSync policy


Starting with Sentry version 4.5, you have to manually apply an ActiveSync
policy to a device. If an ActiveSync policy is not applied to a device, the Default
ActiveSync Policy behavior configured in Settings > Sentry > Preferences is applied to
the Sentry interaction with the ActiveSync server.
Note: Apply this action only to devices other than iOS, Android, and WP8 devices.
Note: Manually assigning an ActiveSync policy with earlier versions of Standalone
Sentry or with Integrated Sentry has no impact. In earlier versions of Standalone
Sentry, the default ActiveSync policy is automatically applied to a device if the mailbox
is not configured in an ActiveSync policy on the Sentry.
Follow these steps to assign an ActiveSync policy to a device:
1. In the Admin Portal, go to Users & Devices > ActiveSync Devices.
2. Select the device to apply the policy to. You may select multiple devices.
3. Click the Assign Policy button.
4. Select the policy to assign.
5. Click Assign Policy.

Reverting an ActiveSync policy


Reverting an ActiveSync policy reverts the device to the Default ActiveSync Policy
behavior configured in Settings > Sentry > Preferences. The default behavior is
applied only when the device engages in an ActiveSync Provision.
Follow these steps to revert to the Default ActiveSync Policy behavior:
1. In the Admin Portal, go to Users & Devices > ActiveSync Associations.
2. Select the device or devices.
3. Enter a note in the Revert Policy dialog box.
4. Click Revert Policy.


Allowing Windows 7 devices to sync

Windows 7 devices cannot register with a VSP, because Windows 7 does not have
device management features. However, these devices sync using Exchange
ActiveSync and are managed using ActiveSync policies. The following setup is required
to allow Windows 7 devices to sync.
1. On the VSP, set Auto Block Unregistered Devices to No.
   - In the Admin Portal, click Settings.
   - Navigate to Sentry > Preferences.
   - For Auto Block Unregistered Devices, select No.
   Note: The default setting for Auto Block Unregistered Devices is No.
2. (Optional) Download the self-signed certificate and its signing certificate, the CA
   certificate.
   Perform this step if your Sentry uses a self-signed certificate. If your Sentry has a
   certificate signed by a third-party CA, go to step 4.
   The specific steps differ slightly for each browser type. The following steps detail
   how to download the certificates using the Chrome browser.
   On Mac OSX
   - Navigate to https://sentryhostname, where sentryhostname is the Sentry's
     fully-qualified domain name.
   - Click the HTTPS padlock icon in the address bar.
   - Click Certificate Information.
   - Click the signing certificate (CA), then drag the certificate icon from the panel
     to your desktop.
   - Click the self-signed certificate, then drag the certificate icon from the panel to
     your desktop.
   - Go to step 3.
   On Windows
   - Navigate to https://sentryhostname, where sentryhostname is the Sentry's
     fully-qualified domain name.
   - Click the HTTPS padlock icon in the address bar.
   - Click Certificate information.
   - Click the Details tab.
   - Click Copy to File...
     The Certificate Export Wizard appears.
   - Click Next.
   - Select Base-64 encoded X.509 (.CER) as the format, then click Next.
   - Click Browse to navigate to the Desktop to save the file.

   - Enter a name for the file and click Save, then Next, then Finish.
     Note: Other formats are recognized by Windows Phone 7 as valid certificates, but
     other formats will not work with an Exchange ActiveSync account.
   - Click the Certification Path tab.
   - Select the signing certificate (CA certificate).
   - Click the Details tab.
   - Click Copy to File...
     The Certificate Export Wizard appears.
   - Click Next.
   - Select Base-64 encoded X.509 (.CER) as the format, then click Next.
   - Click Browse to navigate to the Desktop to save the file.
   - Enter a name for the file and click Save, then Next, then Finish.
   - Go to step 3.
3. Install the self-signed certificate and its signing certificate, the CA certificate.
   Perform this step after performing step 2. If your Sentry has a certificate signed by
   a third-party CA, go to step 4.
   - Email the two certificates (self-signed and CA) to an email account on the
     device, for example, a GMail or a Yahoo account.
   - On the device, tap the attachments to download them.
   - Tap the shield icons to install the certificates.
   - Go to step 4.
4. Configure the Exchange ActiveSync account on the device.
   - On the device, tap Settings > email + accounts > add an account > advanced
     setup.
   - Enter your email address and password, then tap Next.
   - Tap Exchange ActiveSync as the email account type.
   - In the Domain field, enter the domain of the email server.
   - In the Server field, enter sentryhostname, where sentryhostname is the Sentry's
     fully-qualified domain name.
   - Check Server requires encrypted (SSL) connection.
   - Tap sign in. The device begins to sync.
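Step 2 above exports the Sentry's certificates by hand from a browser. The following script does the same job from the command line: it pulls the certificate chain the Sentry presents, writes each certificate in the Base-64 encoded X.509 (.CER) format the procedure calls for, and prints a SHA-256 fingerprint so the administrator can confirm with whoever operates the Sentry that the certificate about to be installed on devices is the genuine one. This is an added example, not MobileIron code. It assumes the OpenSSL command-line tool is installed for the network step; "sentryhostname" is the placeholder the procedure uses for the Sentry's fully-qualified domain name, and the sample OpenSSL output embedded in the script is constructed so that the parsing can be demonstrated offline.

```python
"""Fetch a Sentry's TLS certificate chain and save each certificate in the
Base-64 encoded X.509 (.CER) format that the procedure above exports by hand.

Added example, not MobileIron code. It assumes the OpenSSL command-line tool
is installed for the network step; "sentryhostname" is the placeholder used
in the procedure for the Sentry's fully-qualified domain name.
"""
import hashlib
import re
import subprocess
from base64 import b64decode
from pathlib import Path
from typing import List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for `openssl s_client -showcerts` output: two PEM
# blocks whose payloads are just the bytes b"leaf" and b"ca", so the parsing
# can be demonstrated offline. Real output contains full DER certificates.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
    "Server certificate\n"
    "-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----\n"
)


def _wrap64(b64: str) -> str:
    """Re-wrap base64 text at 64 columns, as PEM files are written."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def split_pem_chain(text: str) -> List[str]:
    """Return every PEM certificate block in `text`, leaf first.

    For a self-signed Sentry there is a single block: the server certificate
    is its own CA. For a CA-signed Sentry, the signing certificates follow it.
    """
    return [
        "-----BEGIN CERTIFICATE-----\n" + _wrap64("".join(body.split()))
        + "\n-----END CERTIFICATE-----\n"
        for body in PEM_BLOCK.findall(text)
    ]


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to its DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("not a PEM certificate")
    return b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate.

    Confirm this value with the Sentry administrator over a separate channel
    before installing the certificate on a device: a certificate obtained over
    the network alone could have been substituted on the path.
    """
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_chain(host: str, port: int = 443) -> List[str]:
    """Run OpenSSL against the Sentry and return its certificate chain."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", host,
         "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=30, check=False,
    )
    return split_pem_chain(proc.stdout.decode("utf-8", errors="replace"))


def save_as_cer(chain: List[str], out_dir: Path) -> List[Path]:
    """Write the leaf as sentry-server.cer and each CA as sentry-ca-<n>.cer."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, pem in enumerate(chain):
        name = "sentry-server.cer" if index == 0 else f"sentry-ca-{index}.cer"
        path = out_dir / name
        path.write_text(pem)  # PEM text is the Base-64 encoded X.509 format
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real Sentry,
    # call fetch_chain("sentryhostname") and then save_as_cer(...).
    for cert in split_pem_chain(SAMPLE_S_CLIENT_OUTPUT):
        print(sha256_fingerprint(cert))
```

The .CER files this writes are what step 3 emails to the device; the fingerprint is the value to compare out of band, because a device that trusts a substituted certificate would hand its ActiveSync credentials and mail to whoever presented it.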


Chapter 12

Using the SMS Archive Package

About the SMS Archive package

No longer supported.

Chapter 13

Using Enterprise Connector

Enterprise Connector for on-premise VSPs


Enterprise Connector is a component that connects the VSP to corporate directories,
such as Microsoft Active Directory or LDAP, by means of secure HTTPS connections.
Enterprise Connector helps to secure LDAP communication by eliminating the need for
VSP LDAP requests to be initiated from the DMZ directly to your local LAN LDAP
directory source. Inbound firewall rules from the DMZ to the LAN are no longer
required to support LDAP connections.

Installation and configuration tasks


Installation and configuration tasks for Enterprise Connector are included as optional
steps in the Installation Guide. If you are about to install a new MobileIron system,
then incorporate these optional steps. If you want to add Enterprise Connector to an
existing MobileIron implementation, then you will need to complete the following
tasks:
1. Configure the Enterprise Connector on the VSP.
   - Assign the Connector role to a new or existing local user.
   - Add Connector entries on the VSP.
2. Install the Enterprise Connector.
3. Configure the Enterprise Connector to access the VSP.
4. Verify the VSP connection from the Enterprise Connector.
5. Verify LDAP connectivity from the VSP.
6. Remove the firewall rules that are no longer necessary for LDAP integration with
   the VSP.
See the Installation Guide for details on steps 1 through 5.

Viewing Enterprise Connector status


Once Enterprise Connector is installed and configured, you can view status and other
details from the VSP. Complete the following steps:
1. Log in to the Admin Portal: https://<fully-qualified_domain_name>.
2. Select the Users & Devices tab.
3. Click the Settings tab.
4. Select Connector.
5. Select the Connector of interest to display additional details in the pane on the
   right.

Working with the Connector

Viewing the Connector detailed information
1. Log on to the Admin Portal: https://<fully-qualified_domain_name>.
2. Click the Settings tab.
3. Select Connector to open the Connector.
4. Select the Connector of interest.
   The detailed information appears on the right-side pane.
5. View the Connector detailed information.
   - Package version: The Connector software version.
   - Protocol version: The Connector protocol version.
   - Host platform: The platform that is used by this Connector.
   - Host platform release: The build for the Connector.
   - Host name: The host name.
   - Host address: The host IP address.
   - Host OS: The host operating system.
   - URL: The URL to the VSP.
   - uptime: The length of time the Connector has been up since the last restart of
     the Connector service.
   - Last upgraded: The time when the last upgrade occurred.
   - Compatibility mode: Options are NO or YES.
     -- NO indicates that the auto upgrade was successful.
     -- YES indicates that the auto upgrade failed.
     Note: A failed auto upgrade does not affect your system operations. Your
     system always maintains the previous working version. If you want to upgrade
     to a newer version after the auto upgrade failed, perform a manual upgrade.
   - Services/Backend status: The name and status of the backend services.
   - Session id: An internally generated session ID.
   - User id: The user account for this Connector.
   - Last Error: The last error message.

Changing user passwords

The administrator can change the user password periodically for security purposes.
These passwords must be changed in the VSP and Connector, respectively.

Changing a user's password on the VSP

1. Log on to the Admin Portal: https://<fully-qualified_domain_name>.
2. Select the Users & Devices tab.
3. Select Users to open the User management page.
4. Select the user whose password you want to change.
5. Click Edit to display the Edit User page.
6. Enter the new password in the Password field.
7. Re-type the new password in the Confirm Password field.
8. Click Save.
9. Click OK.

Changing a user's password on the Connector

1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics) to
   open the Physical Interfaces page.
2. Select Connector from the left panel to open the Connector Settings page.
3. Click Update Password.
4. Enter the new password.
5. Re-enter to confirm the password.
6. Click Apply.
   Note: Apply saves the configuration in the current session only. It is not
   persistent after the machine reboots.
7. Click Yes.
   A dialog appears informing the status.
8. Click OK.
9. Click Save on the upper right corner.
   Note: Make sure to click Save to make the configuration persistent after
   the machine reboots.

Changing the status reporting interval

The status reporting interval defines how often the Connected Cloud generates a
report on the Connector's health status. The VSP also uses this interval to monitor
Connector health. The default interval is 15 minutes. Once defined, the interval
applies to all Connectors.
To change the status reporting interval:
1. Log on to the Admin Portal: https://<fully-qualified_domain_name>.
2. Click the Settings tab and select Connector.
3. Click Preferences.
   The current time interval is displayed.
4. Enter a value between 1 and 59.
5. Click Save.


Section II: Apps and Data Management

Chapter 14

Managing Mobile Apps with Apps@Work

About managing mobile apps


Apps@Work provides the tools for distributing and managing mobile apps. You can use
Apps@Work to facilitate installation of standard corporate apps, as well as to help
regulate the apps that your users are bringing into the enterprise. These tools consist
of:
- app distribution library
- app access control
- app inventory

What is the app distribution library?


The app distribution library provides a centralized location for the apps you want to
manage for your users. App distribution is customized for each supported platform.
For iOS and Android, you can provide users with links to recommended apps on the
Apple Store or Google Play (formerly Android Market), or links to internally-developed
apps they can download from the MobileIron app distribution library.

For Windows Phone 8 (WP8), you can provide users with links to recommended apps
on the Windows Store, or links to internally-developed apps they can download from
the MobileIron app distribution library.

What is app control?


The app control feature enables you to exert control over which apps are installed on
managed devices. Using app control rules, you can define which apps are required,
allowed, or disallowed. You can then associate these rules with a security policy that
specifies the consequences of being out of policy. Consequences include blocking
ActiveSync access, including blocking access to Docs@Work features on iOS devices,
and sending an alert (configured in Event Center) to the specified administrator and
user.

What is app inventory?


The app inventory feature presents a snapshot of the apps installed across your
managed devices. The App Inventory screen displays the apps that have been reported
as installed by the Mobile@Work app on each device. You can use this list to track new
apps coming into the enterprise, determine the popularity of apps, and so on. In
addition, if you choose to link the entries in the app inventory with the apps you have
configured in the app distribution library, you can track the progress and impact of
your app management tasks.
Privacy policy settings determine whether app inventory information is reported.
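The two sections above describe a decision model: app control rules (required, allowed, disallowed) are compared against the app inventory a device reports, and an out-of-policy result triggers the consequences the security policy enables. The script below implements that model end to end, including the case the last sentence raises: when privacy settings suppress inventory reporting there is no data to judge, so the device is "unknown" rather than compliant. This is an added example of the model as described, not MobileIron's own implementation; the bundle identifiers, the allow-list mode, and the consequence names are constructed for the example.

```python
"""Evaluate app control rules against a device's reported app inventory and
map an out-of-policy result to the consequences named in the security policy.

Added example of the decision model the text describes, not MobileIron's own
implementation. Bundle identifiers and policy settings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AppControlRules:
    required: Set[str] = field(default_factory=set)    # must be installed
    allowed: Set[str] = field(default_factory=set)     # explicitly permitted
    disallowed: Set[str] = field(default_factory=set)  # must not be installed
    # Assumption for this example: when True, any installed app that is not
    # required or allowed is also treated as a violation (allow-list mode).
    allow_list_mode: bool = False


@dataclass
class Verdict:
    status: str                     # "compliant", "out_of_policy" or "unknown"
    missing_required: List[str] = field(default_factory=list)
    present_disallowed: List[str] = field(default_factory=list)
    unlisted: List[str] = field(default_factory=list)


def evaluate(rules: AppControlRules, inventory: Optional[List[str]]) -> Verdict:
    """Compare the reported inventory with the rules.

    `inventory` is None when the privacy policy suppresses app inventory
    reporting; without data the device cannot be judged compliant, so the
    verdict is "unknown" rather than "compliant".
    """
    if inventory is None:
        return Verdict(status="unknown")
    installed = set(inventory)
    missing = sorted(rules.required - installed)
    present = sorted(installed & rules.disallowed)
    unlisted: List[str] = []
    if rules.allow_list_mode:
        unlisted = sorted(installed - rules.required - rules.allowed - rules.disallowed)
    status = "out_of_policy" if (missing or present or unlisted) else "compliant"
    return Verdict(status, missing, present, unlisted)


# Consequences the text names, in the order an operator would apply them
# (names are this example's own labels).
CONSEQUENCE_ORDER = ("block_activesync", "alert_admin", "alert_user")


def consequences(verdict: Verdict, policy: Dict[str, bool]) -> List[str]:
    """Return the enabled consequences that apply to an out-of-policy verdict.

    `policy` maps a consequence name to whether the security policy enables it.
    An "unknown" verdict triggers nothing here; how to treat devices that
    report no inventory is left to the operator (assumption of this example).
    """
    if verdict.status != "out_of_policy":
        return []
    return [name for name in CONSEQUENCE_ORDER if policy.get(name, False)]


# Constructed sample data.
SAMPLE_RULES = AppControlRules(
    required={"com.example.mobileatwork"},
    allowed={"com.example.crm"},
    disallowed={"com.example.filesharing"},
)
SAMPLE_POLICY = {"block_activesync": True, "alert_admin": True, "alert_user": False}


if __name__ == "__main__":
    reported = ["com.example.mobileatwork", "com.example.filesharing"]
    verdict = evaluate(SAMPLE_RULES, reported)
    print(verdict.status, verdict.present_disallowed, consequences(verdict, SAMPLE_POLICY))
```

Treating a missing inventory as "unknown" instead of "compliant" is the point of the last branch: a compliance engine that defaults to compliant when it has no data silently exempts every device whose privacy settings hide its apps.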

Working with apps for iOS devices


If the VSP has Apps@Work configured, then the VSP installs an Apps@Work web clip
on the device after registration is complete.

This web clip provides access to the Apps@Work enterprise app storefront.
Apps@Work displays lists of apps that you have configured for download from the
Apple App Store or the VSP. Apps that reside on the Apple App Store are also called
recommended apps. Custom apps that reside on the VSP are called in-house apps.

For comprehensive information on in-house app development, see the Apple website.
The device user must have an iTunes account to download these apps.

Prerequisites
Complete app functionality, including updates to badges resulting from inventory data,
requires:
- iOS MDM certificate (See Enabling iOS MDM support on page 28.)
- iOS MDM profile enabled (Settings > Preferences)
If you intend to develop and manage in-house apps, then participation in Apple's iDEP
program is required. See the materials posted on the MobileIron Support site.

iOS managed apps


Starting with iOS 5, apps are managed, meaning the administrator can control
whether the app is backed up and whether the app is deleted when the MDM profile is
removed or the device is quarantined. Note that existing apps installed on a device do
not automatically become managed apps. Device users must delete existing apps and
reinstall them as managed apps.

AppConnect apps
For information about AppConnect apps, see AppConnect on page 477.
You upload iOS AppConnect apps created with the AppConnect wrapping technology to
the app distribution library as in-house apps. AppConnect apps created with the SDK
can be distributed as either in-house apps or recommended apps. The process for
adding an AppConnect app to the app distribution library is the same as for any iOS
app.
When you upload an iOS AppConnect app as an in-house app to the app distribution
library, in some cases the VSP automatically creates an AppConnect container policy
and AppConnect app configuration. The VSP takes this action when the app has
specified its desired default values for the policy and configuration in its IPA file. You
can override these values by editing the app's AppConnect container policy or
AppConnect app configuration. The VSP keeps in sync the labels that you apply to the
app and the labels that you apply to the AppConnect container policy and AppConnect
app configuration.

Apps@Work container for iOS


An unsigned Apps@Work container is available for iOS. You can download, rebrand,
and sign this container if you want device users to see badges for app updates. The
package will be available as a separate file in the Apps@Work Container App article in
the Customer Support knowledge base. You will need to click through a separate
license agreement before being able to download the file. See the Apps@Work
Container for iOS tech note for information on implementing and distributing this app.

Authentication options and iOS versions


The authentication options supported and the resulting user experience depend on the
iOS version being used:
- Certificate-based app authentication
  - available for iOS 5 and later
  - app downloads proceed without routing end-users to the app page in iTunes
    (assuming an iTunes account has been properly configured on the device)
- HTTP basic authentication
  - for iOS 4, app downloads route end-users to the app page in iTunes
  - for iOS 5 and later, app downloads proceed without routing end-users to the
    app page in iTunes (assuming an iTunes account has been properly configured
    on the device)
  - requires end-users to enter their MobileIron username and password to
    download apps

Setting up Apps@Work for iOS


iOS device users do not receive access to Apps@Work by default. You must first set up
access by completing the following tasks:
1. Set authentication options.
   See Setting authentication options on page 397.
2. Assign the iOS label to the Apps@Work web clip.
   See Assigning the iOS label to the Apps@Work web clip on page 397.
   If you do not complete this step, then iOS devices will not have access to your
   enterprise app storefront.
3. Populate Apps@Work with iOS apps.
   See Populating Apps@Work for iOS on page 398.
4. Publish apps to iOS devices.
   See Publishing apps in Apps@Work for iOS devices on page 407.
Because the Apps@Work web clip is deployed like any other configuration, there might
be considerable lag between device registration and the appearance of the web clip.

Setting authentication options


By default, both certificate-based app authentication and HTTP basic authentication
are enabled. To change the selected authentication options:
1. Select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the Preferences link.
4. Clear the authentication options you do not intend to support.
5. Select the authentication options you intend to support.
6. Click Save.
If neither authentication option is selected, then iOS devices will not have access to
your enterprise app storefront.

Assigning the iOS label to the Apps@Work web clip


The VSP does not send the Apps@Work web clip to iOS devices until you assign the
iOS label to the web clip:
1. Select Policies & Configs > Configurations.
2. Select the System - iOS Enterprise AppStore setting.
3. Select More Actions > Apply to Label.
4. Select the iOS label.
5. Click Apply.


Populating Apps@Work for iOS


Shortly after you install the VSP, Apps@Work is automatically populated with default
iOS apps. (There is a brief delay.) You can also add your own app selections using any
of the following methods:
- Importing app store apps for iOS: App Store import
- Manually adding App Store apps for iOS
- Adding in-house apps for iOS

Importing app store apps for iOS: App Store import


App Store apps (i.e., recommended apps) are the commercial apps available from the
Apple App Store and displayed in Apps@Work. You can configure App Store apps by
importing the necessary information directly from the Apple App Store.
To import app information:
1. In Admin Portal, select Apps > App Distribution Library.
2. In the Select Platform list, select iOS.
3. Click the App Store Import button.
4. In the App Name field, enter text to search on.
   The search is handled by the iTunes search engine, so enter the text you would
   normally enter when looking for an app in iTunes. iTunes matches the text against
   app names, app IDs, app authors, and app descriptions.
5. In the App Store list, select the country for the App Store you want to search.
6. In the Limit field, enter the number of entries you want to retrieve.
   To improve search performance, the default is set to 20. You can enter a number
   between 20 and 200.
7. Click the Search button.
   The matching apps are displayed.
8. Click the Import or Update link for an app to import the relevant information.
   Import indicates an app that does not yet exist in the app distribution library.
   Update indicates an app that exists in the app distribution library, but has an
   update available for download.
9. Close the dialog.
   The app is displayed in the App Distribution Library screen with an icon that
   identifies the app as a recommended app.
10. Click the edit icon for the app.
11. Make any necessary changes to the default settings.
12. Click Save.
13. Select Actions > Apply To Label to specify the device groups that should see this
    app.

Manually adding App Store apps for iOS


App Store apps (i.e., recommended apps) are the Apple Store apps displayed in the
MobileIron app. You can configure these apps manually using the MobileIron App
Wizard.
Important: To ensure that the VSP is able to track the devices that have an App Store
app installed, you must associate the official app name with the displayed app name.
We recommend that you test an app installation to determine the official name and
create the association prior to distributing the app to users. See Linking app store
apps to inventory apps on page 409 for information on establishing this association.
To manually set up an App Store app for iOS devices:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the Add App button.
   The iOS Add App Wizard starts.
4. Click Next.
5. Select Recommended App.
6. Use the following guidelines to complete this screen:


   iTunes ID: Enter the iTunes ID for the app. See Getting the iTunes app ID on
     page 402 for detailed steps for getting the ID.
     Note: The app ID is not editable later, so be sure to enter the correct ID.
   App Name: Enter the name to display on the App Store Apps list on devices. Only
     alphanumerics, underscores, dashes and spaces are allowed in this field. App
     names longer than 25 characters will be truncated when displayed on the
     device. Note that the App Inventory page in the Admin Portal will display the
     name reported by the installed app, not the app name entered here. You can
     create a link between these app names. See Linking app store apps to inventory
     apps on page 409 for information on creating this link.
   iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the
     app is not displayed in Apps@Work for other iOS devices.
   iOS 5 or later only - Managed App Settings
   Prevent backup of the app data: iOS 5 and later: Ensures that iTunes will not
     attempt to back up possibly sensitive data associated with the given app. No
     further action is necessary to apply this restriction.
   Remove app when MDM profile is removed: iOS 5 and later: Set to Yes to ensure
     that the app will not remain on the device if device management is disabled. No
     further action is necessary to apply this restriction.
   Allow app removal when device is quarantined or signed out: iOS 5 and later: Set
     to Yes to enable configured compliance actions to remove the app if a policy
     violation results in a quarantined device or the device signs out in multi-user
     mode. This option does not apply unless the corresponding option has been
     specified in a compliance action, and that compliance action has been selected
     for one or more policy options in the security policy for a device. Once the
     device is no longer quarantined, the app can be downloaded again.
   This App Store app is free: iOS 5 and later: Set to Yes for free recommended apps.
     iOS 5 allows Managed App features to be applied to free apps and apps
     purchased with VPP credits, but not to apps paid for by the user. Specifying
     whether the app is free ensures successful download of apps that require user
     payment.
   Send installation request on device registration or sign-in: iOS 5 and later: Set
     to Yes to prompt device users to install this app once device registration is
     complete or a user signs in on a multi-user device.

7. Click Next.
8. Use the following guidelines to complete this screen:
   App Name: Displays the app name you entered in the previous screen. This field
     is not editable.
   Display Version: Enter the version number you want to display to users. You may
     enter numerals and periods (.) in this field.
   Description: Enter any additional text that helps describe what the app is for.
   Featured: Select No if you do not want to highlight this app in the Featured apps
     list. Note that the Message feature for iOS apps applies only to featured apps.
     See Informing users of new apps and upgrades for featured apps on page 412
     for information.
   App Updates: Select Update managed app only to update previous versions of the
     app only if they were installed as managed apps. Select Update managed or
     unmanaged app to update a previous version of the app, regardless of whether
     it was installed as managed. The update is then applied as an unmanaged
     update. This option is useful if you want to support existing unmanaged
     installations of the app without forcing users to uninstall and reinstall as a
     managed app. (Apple prohibits installation of updates over unmanaged apps.)
   Hide in App Storefront: Select Hide to prevent this app from displaying in the app
     storefront. For example, you might want to hide apps that will be installed upon
     registration anyway. Hiding a mandatory app reduces clutter in the app
     storefront, leaving device users with a concise menu of the approved apps they
     might find useful. Select Show to display an app that is normally always hidden,
     such as the Apps@Work Container.
   Category: Select a category if you would like this app to be displayed in a
     specific group of apps on the device. Click the here link to define new
     categories.

9. Click Next.
10. Use the following guidelines to complete this page:
    App Icon: Select the icon to be used to represent this app. The file must be in
      JPG, PNG, or GIF format. PNG is recommended for best resizing results.
      Acceptable dimensions are 57x57 pixels, 72x72 pixels, or 114x114 pixels. If
      you do not select an icon, then a default icon will be displayed next to this app
      in Apps@Work.
    iPhone and iPod touch screenshots: Select up to 4 optional screenshots to
      display for the app. Screenshots must be in JPG, PNG, or GIF format.
      Acceptable dimensions are 320x480 pixels, 480x320 pixels, 640x960 pixels,
      and 960x640 pixels. Note that the display of rotated screenshots in the Admin
      Portal might not be consistent with the display on the devices.
    iPad screenshots: Select up to 4 optional screenshots to display for the app.
      Screenshots must be in JPG, PNG, or GIF format. Acceptable dimensions are
      768x1024 pixels and 1024x768 pixels.
11. Click Next.
    If the graphics you specified are accepted, the Congratulations screen displays.
12. Click Finish.
    The app is displayed in the App Distribution Library screen with an icon that
    identifies the app as a recommended app.
13. Associate the app with a label to have that app listed on iOS devices.
    See Publishing apps in Apps@Work for iOS devices on page 407.

Getting the iTunes app ID

To configure a recommended app in the Add App Wizard, you must supply the ID for
the app as defined on the iTunes website. However, IDs are not always readily
available.
To determine the iOS application ID:
1. Open iTunes.
2. Browse to the iTunes Store.
3. Browse to the App Store.
4. Locate the app you want to configure.
5. Open a text editor, like Notepad.
6. Copy the link for the app icon.
   For example, using Firefox, you can right-click on the icon and select Copy Link.
7. Paste the link into the text editor.
8. Note the numbers following id and ending before ?mt=8.
   These numbers are the application ID.
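Steps 7 and 8 read the ID out of the pasted link by eye. The helper below does the same extraction, which matters because the wizard does not let you correct the ID later. It is an added example, not MobileIron code. The procedure's rule is "the digits after id and before ?mt=8"; the helper generalises this (an assumption of the example, not something the guide states) to links without the ?mt=8 suffix, with a trailing slash, or on the apps.apple.com host, all of which carry the ID in the same /id<digits> path segment. The sample links are constructed.

```python
"""Extract the numeric app ID from iTunes / App Store links.

Added example, not MobileIron code. The guide's rule is "the digits after id
and before ?mt=8"; this generalises it (assumption) to links without ?mt=8,
with a trailing slash, or on the apps.apple.com host.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# The ID is a whole path segment that starts with "id" followed only by
# digits; matching the segment boundaries avoids false hits such as
# "/idea/" or app names that happen to contain "id".
_ID_SEGMENT = re.compile(r"/id(\d+)(?:/|$)")


def extract_itunes_id(link: str) -> Optional[str]:
    """Return the app ID from one link, or None if the link carries none.

    urlparse strips the query string, so "?mt=8" and any other parameters
    never reach the pattern.
    """
    path = urlparse(link.strip()).path
    match = _ID_SEGMENT.search(path)
    return match.group(1) if match else None


def extract_ids(text: str) -> List[str]:
    """Pull the distinct IDs, in order of first appearance, out of a block of
    pasted text (for example the text editor contents from step 7)."""
    seen: List[str] = []
    for token in text.split():
        app_id = extract_itunes_id(token)
        if app_id is not None and app_id not in seen:
            seen.append(app_id)
    return seen


if __name__ == "__main__":
    # Constructed sample link in the shape the procedure describes.
    sample = "https://itunes.apple.com/us/app/example-app/id123456789?mt=8"
    print(extract_itunes_id(sample))
```

Because the regex anchors on the path segment rather than on the literal text "id", a link whose app name contains "id" (such as ".../my-idea-app/id987654321") still yields the numeric ID and nothing else.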

Adding in-house apps for iOS


To add an iOS in-house app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the Add App button.
   The iOS Add App Wizard starts.
4. Click Next.
   In-house App is selected by default.
5. Use the following guidelines to complete this screen:
   App Upload: Click Browse and navigate to the in-house app (.ipa) you want to
     upload.
     Note: For iOS, the VSP supports uploading apps that are up to 5 GB.
   iPad Only: Set to Yes if the app is designed only for iPads. This ensures that the
     app is not displayed in Apps@Work for other iOS devices.
   iOS 5 or later only - Managed App Settings
   Prevent backup of the app data: iOS 5 and later: Ensures that iTunes will not
     attempt to back up possibly sensitive data associated with the given app. No
     further action is necessary to apply this restriction.
   Remove app when MDM profile is removed: iOS 5 and later: Set to Yes to ensure
     that the app will not remain on the device if device management is disabled.
     No further action is necessary to apply this restriction.
   Allow app removal when device is quarantined or signed out: iOS 5 and later: Set
     to Yes to enable configured compliance actions to remove the app if a policy
     violation results in a quarantined device or the device signs out in multi-user
     mode. This option does not apply unless the corresponding option has been
     specified in a compliance action, and that compliance action has been selected
     for one or more policy options in the security policy for a device. Once the
     device is no longer quarantined, the app can be downloaded again.
   Send installation request on device registration or sign-in: iOS 5 and later: Set
     to Yes to prompt device users to install this app once device registration is
     complete or a user signs in on a multi-user device.
6. Click Next.
   The Add App Wizard examines the selected bundle to ensure that it meets
   requirements for in-house apps distributed for iOS devices. If the bundle is
   acceptable, the following screen displays.

   Note: Downloads of iOS in-house apps over 3G should be limited to 20 MB. Use
   WiFi for downloading larger in-house apps.
7. Use the following guidelines to complete the items in this screen:
   App Name: Displays the App Name defined for the app bundle. You can edit this
     text to display a different name to users. Note that app names longer than 25
     characters will be truncated when displayed on the device.
     Note: An iOS app is packaged as a bundle. A bundle is a directory in the file
     system that groups related resources together in one place. An iOS app bundle
     contains the app executable file and supporting resource files such as app
     icons, image files, and localized content.
   Display Version: Enter the version number to be displayed to users. You may
     enter numerals and periods (.) in this field.
   Bundle Version: Displays the version defined for the bundle. This item is not
     editable.
   Description: Enter any additional text that helps describe what the app is for.
   Override URL: If you are implementing an alternate URL for downloading in-house
     apps, enter that URL here. The URL must point to the in-house app in its
     alternate location. See Override for in-house app URLs on page 449 for the
     requirements for this configuration.
   Featured: Select No if you do not want to highlight this app in the Featured apps
     list. On the device, the user can see a subset of featured apps. Note that the
     Message feature for iOS apps applies only to featured apps. See Informing users
     of new apps and upgrades for featured apps on page 412 for information.
   Data Protection Required: Select Yes to require that data protection be enabled
     in order to install this app.
     Note: Devices without data protection enabled will not see the app at all in the
     In-house Apps list on the device and will not know that data protection
     compliance is required. Therefore, you may want to communicate the
     requirement to users.
   App Updates: Select Update managed app only to update previous versions of the
     app only if they were installed as managed apps. Select Update managed or
     unmanaged app to update a previous version of the app, regardless of whether
     it was installed as managed. The update is then applied as an unmanaged
     update. This option is useful if you want to support existing unmanaged
     installations of the app without forcing users to uninstall and reinstall as a
     managed app. (Apple prohibits installation of updates over unmanaged apps.)
   Hide in App Storefront: Select Hide to prevent this app from displaying in the app
     storefront. For example, you might want to hide apps that will be installed upon
     registration anyway. Hiding a mandatory app reduces clutter in the app
     storefront, leaving device users with a concise menu of the approved apps they
     might find useful. Select Show to display an app that is normally always hidden,
     such as the Apps@Work Container.
   Provisioning Profile: Displays the identifier for the provisioning profile
     incorporated in the bundle.
     Note: The provisioning profile is a text document containing verification
     information for the app. Apps are not usable on iOS without a current
     provisioning profile.
   Category: Select a category if you would like this app to be displayed in a
     specific group of apps on the device. Click the here link to define new
     categories.
8. Click Next.


9. Use the following guidelines to complete this page:

Item

Description

App Icon

Required. Select the icon to be used to represent this app. The file must be in JPG, PNG, or GIF format. PNG is recommended for best resizing results. Acceptable dimensions are 57x57 pixels, 72x72 pixels, or 114x114 pixels.

iPhone and iPod touch screenshots

Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format and one of the following dimensions:
320x480 pixels
640x960 pixels
480x320 pixels
960x640 pixels

iPad screenshots

Select up to 4 optional screenshots to display for the app. Screenshots must be in JPG, PNG, or GIF format and one of the following dimensions:
1024x768 pixels
768x1024 pixels

10. Click Next.

11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
The provisioning profile for the app is also stored on the VSP and is displayed in the App Settings page. It is displayed for viewing only, and is automatically deleted from the VSP if the app is deleted from the VSP.

12. Associate the app with a label to have that app listed on iOS devices.
See Publishing apps in Apps@Work for iOS devices on page 407.

Publishing apps in Apps@Work for iOS devices

Once you have added an iOS app (App Store or in-house) to the app distribution library, you need to select one or more labels to specify which apps should be published to which iOS devices. If you did not apply a label immediately after adding the app, the app will not be visible to any iOS devices.
To publish an app for iOS devices:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to work with.
4. Select Actions > Apply to Label.
5. Select the label that represents the iOS devices for which you want the selected app to be displayed.
6. Click Apply.
7. If you have not done so already, consider linking any App Store app to the corresponding entry in the app inventory.
This step will help with app tracking because the name you assign to the app is not likely to be the same as the name reported by the app once it is installed. You should also consider testing the first installation of each App Store app so that you can record the corresponding reported app name. See Linking app store apps to inventory apps on page 409.

User notification of newly-published apps

When a featured app or an update to an installed app is published to device users, those users receive a notification in the form of a badge that appears on the corresponding tab in Apps@Work. The number on the badge indicates the number of apps or updates available. (The availability of an update is determined by comparing the version number of the installed app to that of the newly-published app.)

If the user deletes a published app, that app will not become available for reinstalling again until the next sync interval causes the MobileIron VSP to be updated. You can address user concerns by using the Force Device Check-in command to force the MobileIron app to update the VSP.
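The badge logic above hinges on comparing the installed app's version number with the newly published one. The following is an added example, not MobileIron's code, of a version comparison that avoids the mistakes a plain string comparison makes (1.9 versus 1.10, 1.2 versus 1.2.0) and derives the set of pending updates from a constructed inventory; the function names, package names and versions are assumptions.

```python
"""Update detection by version comparison.

Added example, not MobileIron code. The guide states that an update is
detected by comparing the installed app's version number with that of the
newly published app; this shows a comparison that survives the common
dotted-version pitfalls. Package names and versions are constructed.
"""
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(version):
    """Split '1.10.2b3' into ([1, 10, 2], 'b3').

    The numeric dotted part is what gets compared; any trailing suffix is
    kept only so callers can display it.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    return numbers, match.group(2)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b.

    Missing trailing components count as zero, so '1.2' equals '1.2.0', and
    components compare as integers, so '1.10' is newer than '1.9'.
    """
    na, _ = parse_version(a)
    nb, _ = parse_version(b)
    width = max(len(na), len(nb))
    na = na + [0] * (width - len(na))
    nb = nb + [0] * (width - len(nb))
    return (na > nb) - (na < nb)


def update_available(installed, published):
    """True when the published version is strictly newer than the installed one."""
    return compare_versions(published, installed) > 0


def pending_updates(inventory, library):
    """Return the app identifiers a device would be badged for.

    inventory: {app_id: installed_version} as reported by the device
    library:   {app_id: published_version} from the app distribution library
    Apps in the library that are not installed are new apps, not updates,
    and are left out here.
    """
    return sorted(
        app_id
        for app_id, published in library.items()
        if app_id in inventory and update_available(inventory[app_id], published)
    )


if __name__ == "__main__":
    # Constructed sample data, not from a real VSP or device.
    inventory = {"com.example.notes": "1.9", "com.example.viewer": "2.0.0",
                 "com.example.mail": "3.1"}
    library = {"com.example.notes": "1.10", "com.example.viewer": "2.0",
               "com.example.mail": "3.0.9", "com.example.newapp": "1.0"}
    updates = pending_updates(inventory, library)
    print(f"badge count: {len(updates)}, updates: {updates}")
```

Of the constructed library, only com.example.notes counts as an update: the viewer is already current, the mail entry is older than what is installed, and the new app is not installed at all.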


Removing apps from the app distribution library

Removing an app from the app distribution library removes the listing for the app from Apps@Work on iOS devices, and removes the app from iOS 5 devices. It does not uninstall the app for iOS 4 devices. However, for in-house apps on iOS 4 devices, it does remove the provisioning profile from the devices. This eventually prevents those devices from running the app, though it may take a couple of days to take effect.
To remove an iOS app from the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to remove.
4. Click Delete.
A message displays warning that deleting the app from the VSP will delete it from devices running iOS 5 or later.
5. Click Yes to proceed.
For in-house apps, the app bundle and the provisioning profile are removed from the VSP.

Linking app store apps to inventory apps

An App Store app is displayed in Apps@Work using the app name you specified when you manually added it to the app distribution library. However, the App Inventory page displays the name reported by the app. This name can often be quite different. Therefore, to facilitate tracking of installed apps, you might want to create a link between the two names.
To link the App Store app name to the reported app name:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
4. Select the corresponding inventory app name from the Inventory Apps list.
5. Click Save.
Once the link is established, the # of Devices Installed column in the App Distribution screen displays the correct number. You should consider changing the app name as specified in any app control rules to ensure it matches the official name.

Upgrading apps

When an upgrade for an app becomes available, you can just add it to the app distribution library and assign it to appropriate labels like any other app. The VSP detects that it is an update and indicates its availability in the form of a badge that appears on the corresponding tab in Apps@Work. The VSP also replaces the app entry displayed in the apps lists on the devices.


Tapping the entry for the app having an update displays an UPDATE tag instead of an INSTALL tag.
Updates to featured apps are published in the same way to all devices in the labels assigned to the apps. You can also send a message to devices to announce the availability of updates to featured apps.

Changing iOS app information

iOS app information includes:
• name
• version
• description
• featured option
Note: The iTunes ID is not editable. If you entered the wrong ID when you added this app to the app distribution library, then you need to delete the app entry and create a new one.
To change app information:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app you want to work with.
4. Make your changes.
5. Click Save.


Changing the iOS app icon and screenshots

When you add an iOS app to the app distribution library, you have the option to upload an app icon and several screenshots. If you skipped these steps or just want to change the files you uploaded, you can edit the entry:
1. Obtain the icon or screenshot you want to use.
See Manually adding App Store apps for iOS on page 399 for information on supported formats and dimensions.
2. In the Admin Portal, select Apps > App Distribution Library.
3. Select iOS from the Select Platform list.
4. Click the edit icon next to the app you want to work with.
5. Click the edit icon under the icon or screenshot.
6. Select the file to use from the file browser.
7. Click Save.

Adding a category for iOS apps

You can create categories for organizing the apps displayed on managed iOS devices. The categories appear as dividers in the app lists. To add a new category:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to any app.
4. Click the here link under the Category list.
5. Enter a category name (up to 64 characters) and description (up to 255 characters).
6. Click Save.
7. Click Cancel to close the Edit App for iOS dialog.

Changing the category for an iOS app

To change the category for an iOS app:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Click the edit icon next to the app.
4. Select a different category from the Category list.
5. Click Save.

Turning user-paid apps into managed apps

Upgrading an existing app does not automatically make it a managed app. Therefore, if a device user has already installed an app directly from the Apple App Store, then the user must uninstall that app and install a recommended or prepaid app from Apps@Work. For example, if a new employee has already installed a paid app that your organization ordinarily manages through the Apple VPP program, then the employee must delete the app and reinstall it from the Prepaid tab in Apps@Work. Otherwise, the app will remain unmanaged.

Informing users of new apps and upgrades for featured apps

You can send out a mass APNs message informing iOS users about the availability of a new featured app or an update for an installed app. As with badge notifications, updates are determined by comparing the version number of the installed app with that of the update. This feature applies only to apps designated as Featured apps.
To send a message about an available app:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the featured app you want to work with.
4. Click Message.
5. Use the following guidelines to select the app installation option:

Send request for new installations

Prompts the device user to install the app, if not already installed.

Send request for updates

Prompts the device user to update the app, if not already updated.

Send request for both new installations and updates

Prompts the device user to install or update the app.

Use iOS managed app install/update action

iOS 5 and later: Skip the Apps@Work display and immediately install or update the app.

6. To check the content of the message prior to sending:
a. Select the Push Notification template from the list.
b. Click View Messages.
7. Click Send.
Again, the message is sent only for apps configured as featured apps in the app distribution library.

Editing app distribution messages

To edit an app distribution message:
1. In the Admin Portal, select Settings > Templates > Others.
2. Click the edit icon for the template you want to edit.
The app distribution message is displayed.
3. Make changes to the displayed message.
4. Click Save.

Using variables in app distribution messages

App distribution messages must include the $APPNAME$ variable, which indicates the application name of the app being distributed.

Customizing the Apps@Work icon

You can customize the Apps@Work icon to the needs of your organization. For example, you can upload a different graphic or change the displayed name from Apps@Work to something else.
To customize the Apps@Work icon:
1. Select Policies & Configs > Configurations.
2. Select the web clip for the iOS Enterprise AppStore.
3. Click Edit.
4. Click the Apps@Work link.
5. To display a different name with the web clip, enter your preferred name in the Name field.
6. To select an alternate icon, click Browse.
In general, you should not edit the URL.
7. Click Save.

Unpublishing iOS apps (removing from labels)

Unpublishing an iOS app removes it from the lists of apps displayed on managed iOS devices. To do this, you need to remove the app from the label that initiated the distribution. If there is no other label creating an association between an iOS 5 device and an app, then the app is removed from the device.
To remove an iOS app from a label:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select iOS from the Select Platform list.
3. Select the app you want to work with.
4. Select Actions > Remove from Label.
5. Select the labels from which you want to remove the app.
6. Click Remove.
The app is immediately removed from the apps list on the devices associated with the given label.


Managing iOS Volume Purchase Program (VPP) apps

Apple provides a Volume Purchase Program (VPP) to facilitate app purchase and distribution within an organization. The App Store Volume Purchase Program allows participating organizations to purchase iOS apps in volume and distribute the apps to their users. By participating in this program, organizations can buy iOS apps in volume using a Volume Voucher, credit card, or PCard, and then distribute the apps to multiple devices.

How Apple's program works

Apple's program involves the following basic steps:
1. Your Program Facilitator searches for and purchases apps at the App Store Volume Purchase Portal.
2. The Program Facilitator receives app purchase codes (also called tokens or credits) in the form of a payment file and distributes these codes to device users.
3. Device users redeem codes and download apps.

Where MobileIron comes in

MobileIron provides a way for Program Facilitators to distribute, track, and reconcile the app purchase codes obtained from the App Store Volume Purchase Portal:
1. Program Facilitators can upload each payment file into the MobileIron app distribution library.
2. End users having a device managed by MobileIron can select a recommended app from the list of Prepaid apps displayed in the MobileIron app on the device. The app can be purchased using one of the uploaded purchase codes.
3. The MobileIron VSP records the use of the purchase code and updates the count of remaining codes.
4. An optional alert warns the Program Facilitator (or other designated person) when the number of remaining codes falls below a specified threshold.

What device users see

To support the Apple VPP, the MobileIron app on iOS devices now includes a Prepaid filter for apps.

Setup tasks

Setup for VPP support requires the following tasks:
1. Upload the payment file to the VSP.
2. Configure the optional alert.


Uploading the payment file to the VSP

If you are participating in Apple's Volume Purchase Program (VPP), you should download payment files from the Apple VPP portal, one for each app. Each payment file enables you to add and reconcile the codes purchased and used for the corresponding app. The payment file must be in XLS format; XLSX and any other derivatives are not supported.
Note: Some versions of Excel will attempt to save an XLS file as XLSX by default. If you open the file in Excel, be sure not to save the file when you close it.
To upload a payment file:
1. If the app to which the payment file applies is not already present in the MobileIron app distribution library, then add it now.
If the app is an iOS 5 Managed App, be sure to select No for This App Store app is free in the App Wizard.
2. Once the app is present in the app distribution library, select Apps > App Distribution Library.
3. Select iOS from the Select Platform list.
4. Select the app associated with the payment file.
5. Click the VPP button.
6. Click the Browse button and select the payment XLS file.
7. Click Upload Payment File.
8. Click OK.
The entry for the app now displays the number of codes (or tokens) purchased and the percentage that have been used (i.e., redeemed for apps).

Applying VPP labels

There may be cases in which you want to recommend an app to one group of users, and provide VPP payment to a different group of users. In this case, you can use the Actions > Manage VPP Labels option to apply the VPP availability to that select group of users.

Example: Recommend an app to all iOS users, pay for executives

For example, suppose you want to recommend an app to all iOS users, but only executives will have it paid for via VPP. Other users will need to provide their own payment. You would apply the iOS label using Actions > Apply To Label. You would apply the Executives label using Actions > Manage VPP Labels.
You can use the Actions > Remove From Label command to remove either or both labels.

Configuring a VPP alert

You can configure alerts to inform appropriate personnel when the remaining VPP tokens for an app have fallen below a specified threshold.


To configure a VPP alert:
1. In the Admin Portal, select Logs & Events > Event Settings.
2. Select Add New > System Event or select an existing system event entry.
3. Scroll down to the VPP Percent Used Threshold option.
4. Make sure the option is selected and specify the percentage threshold.
5. Configure the associated alert.
6. Select the labels and/or users to which the alert should be applied.
7. Clear any unwanted options in the event.
8. Click Save.
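The VPP sections above describe a simple accounting loop: codes arrive in a payment file, each prepaid installation redeems one, the remaining count is updated, and an alert fires when the percentage used reaches the VPP Percent Used Threshold. The following is an added example, not MobileIron's code, that models that loop so the threshold behaviour can be checked; the class and method names, codes and device identifiers are constructed, and reading the XLS file itself is left out.

```python
"""VPP purchase-code bookkeeping with a percent-used alert.

Added example, not MobileIron code. It models the flow the guide describes:
a payment file carries the codes bought for one app, each prepaid
installation redeems one code, the remaining count is updated, and an
alert fires once the percentage used reaches the configured threshold.
The codes and device ids below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VppCodePool:
    app_name: str
    threshold_percent: float                    # VPP Percent Used Threshold
    codes: dict = field(default_factory=dict)   # code -> device id, or None if unused
    alert_sent: bool = False

    def load_payment_file(self, codes):
        """Add the codes from a payment file, ignoring any already known.

        Re-uploading the same file therefore does not inflate the count.
        Returns the number of codes actually added.
        """
        added = 0
        for code in codes:
            code = code.strip()
            if code and code not in self.codes:
                self.codes[code] = None
                added += 1
        return added

    @property
    def total(self):
        return len(self.codes)

    @property
    def used(self):
        return sum(1 for owner in self.codes.values() if owner is not None)

    @property
    def remaining(self):
        return self.total - self.used

    @property
    def percent_used(self):
        return 0.0 if self.total == 0 else 100.0 * self.used / self.total

    def redeem(self, device_id):
        """Assign an unused code to a device.

        Returns (code, alert_fired). A device that already holds a code is
        given the same code again rather than consuming a second one.
        """
        for code, owner in self.codes.items():
            if owner == device_id:
                return code, False
        for code, owner in self.codes.items():
            if owner is None:
                self.codes[code] = device_id
                return code, self._check_threshold()
        raise RuntimeError(f"no VPP codes remaining for {self.app_name}")

    def _check_threshold(self):
        """Fire the alert once, the first time usage reaches the threshold."""
        if self.percent_used >= self.threshold_percent and not self.alert_sent:
            self.alert_sent = True
            return True
        return False


if __name__ == "__main__":
    pool = VppCodePool("Example Expense App", threshold_percent=75)
    # Constructed codes standing in for the contents of a payment file.
    pool.load_payment_file([f"CODE-{n:04d}" for n in range(1, 5)])
    for device in ["dev-1", "dev-2", "dev-3", "dev-4"]:
        code, alert = pool.redeem(device)
        print(f"{device} got {code}; {pool.percent_used:.0f}% used; alert={alert}")
```

With four codes and a 75 percent threshold, the alert fires on the third redemption and not again on the fourth; a fifth device is refused because the pool is exhausted.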


Working with apps for Android devices

You can add the following kinds of apps for Android devices:
• Google Play apps
• In-house apps
• Secure apps
Secure apps are available only if you have configured the device to support AppConnect, available starting with version 5.1 of the Mobile@Work for Android app.

What are Google Play apps?

Google Play apps are apps available for download from Google Play (formerly Android Market). The MobileIron administrator adds recommendations (i.e., recommended apps) to the app distribution library and determines on which Android devices these recommendations are listed. When a device user selects a Google Play app, a Google Play download is started.

What are in-house apps?

In-house apps are mobile apps that you develop and distribute internally. MobileIron enables you to distribute and track in-house apps. Distributed in-house apps appear in the In-house Apps list on managed Android devices.

What are secure apps?

Access to secure apps and their data on Android devices is protected by AppConnect for Android. Secure apps, also known as AppConnect apps, are developed internally or by third-party developers. You distribute secure apps internally like in-house apps. Device users log in with a single sign-on secure apps passcode to access these apps, and the data associated with the apps is encrypted. Secure apps can share data only with other secure apps.
Distributed secure apps appear in the Secure Apps list on managed Android devices.
For detailed information about AppConnect for Android and secure apps, see Using AppConnect for Android on page 514.

Silent install and uninstall on Samsung SAFE devices

Starting with version 5.1 of the Mobile@Work for Android app, you can silently install and uninstall in-house apps on Samsung Approved for Enterprise (SAFE) devices running Android 2.2 or later.
The advantages that this feature provides are:
• It eliminates any dependency on the device user for app install and uninstall.
• You can protect in-house apps and associated data by using the VSP Admin Portal to uninstall in-house apps if a device is lost or stolen.
Some devices prevent the user from uninstalling the app. On other devices, if the device user uninstalls the in-house app, it is automatically reinstalled.
This feature automatically uninstalls an in-house app when:
• No label maps the in-house app to the device.
You apply labels to in-house apps to set up which devices can use the app. By removing the appropriate label from a device or app, the VSP notifies the Mobile@Work app to uninstall the in-house app.
• You retire the device.
• You remove the in-house app from the VSP.
Because installing and uninstalling apps is controlled administratively, in-house apps using this feature are also known as managed apps.
This feature is not supported for:
• Recommended Apps or AppConnect Apps.
• Devices that are not Samsung SAFE devices.
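Several passages in this chapter state the same label-driven rule from different angles: an app reaches a device only while a label links the two (Unpublishing iOS apps), VPP payment is granted by a separate set of labels (the "recommend to all iOS users, pay for executives" example), and on Samsung SAFE devices a managed in-house app is silently removed when no label maps it, the device is retired, or the app is deleted from the VSP. The following is an added example, not MobileIron's implementation, that works those rules into one reconciliation function so the outcome for a given device can be checked; the App and Device classes, action names, labels and device identifiers are all assumptions.

```python
"""Label-driven install state for one device.

Added example, not MobileIron's implementation. It applies the rules this
chapter states: an app is published to a device when at least one label
links them; with no linking label, a retired device, or an app deleted from
the VSP, the app is removed; a separate set of VPP labels decides who gets
a prepaid code; and silent install/uninstall applies only to in-house apps
with Silently Install set and only on Samsung SAFE devices. All labels,
app names and device ids below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    name: str
    labels: frozenset                       # Actions > Apply to Label
    vpp_labels: frozenset = frozenset()     # Actions > Manage VPP Labels
    silent_install: bool = False            # in-house app with Silently Install = Yes


@dataclass
class Device:
    device_id: str
    labels: set
    retired: bool = False
    samsung_safe: bool = False
    installed: set = field(default_factory=set)   # app names reported in inventory


def reconcile(device, library):
    """Return {app_name: action} for one device.

    library is {app_name: App} as currently held on the VSP. Actions:
      publish          list the app in the storefront for the user to install
      publish-prepaid  same, with a VPP code available to this device
      unpublish        remove the listing (and, on iOS 5 and later, the app)
      silent-install   managed in-house app pushed without user action
      silent-uninstall managed in-house app removed without user action
    """
    actions = {}
    for name, app in library.items():
        published = not device.retired and bool(app.labels & device.labels)
        prepaid = published and bool(app.vpp_labels & device.labels)
        managed = app.silent_install and device.samsung_safe
        if published:
            if managed and name not in device.installed:
                actions[name] = "silent-install"
            else:
                actions[name] = "publish-prepaid" if prepaid else "publish"
        elif managed and name in device.installed:
            actions[name] = "silent-uninstall"
        else:
            actions[name] = "unpublish"
    # Apps still on the device but deleted from the VSP. Assumption: a SAFE
    # device treats these as managed apps and removes them silently.
    for name in device.installed - set(library):
        actions[name] = "silent-uninstall" if device.samsung_safe else "unpublish"
    return actions


if __name__ == "__main__":
    # Constructed library: one App Store app paid for executives, one silent in-house app.
    library = {
        "Expense Report": App("Expense Report", frozenset({"iOS"}),
                              vpp_labels=frozenset({"Executives"})),
        "Field Tool": App("Field Tool", frozenset({"Android"}), silent_install=True),
    }
    executive = Device("d1", {"iOS", "Executives"})
    staff = Device("d2", {"iOS"})
    safe = Device("d3", {"Android"}, samsung_safe=True, installed={"Old Tool"})
    for dev in (executive, staff, safe):
        print(dev.device_id, reconcile(dev, library))
```

Note that a non-SAFE Android device with the same labels gets Field Tool as an ordinary storefront listing rather than a silent install, matching the "not supported for devices that are not Samsung SAFE devices" restriction above.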

Adding Google Play apps for Android

Google Play apps (i.e., recommended apps) are the Google Play (formerly Android Market) apps displayed in the MobileIron app.
To set up a Google Play app for Android devices:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click the Add App button.
The Android Add App Wizard starts.
4. Click Next.
5. Select Recommended App.


6. Use the following guidelines to complete this screen:

Item

Description

App Name

Enter the name that the device reports if the app is installed. Only alphanumerics, underscores, dashes and spaces are allowed in this field.
It is important to enter the reported name to ensure that app inventory will correctly reflect the presence of this app.
If you do not know the reported name, enter a temporary name in this field, then distribute the app to a test device and check the App Inventory page for the reported name. You can then edit this field to reflect the reported name.

Package Name

Enter the unique, fully-qualified identifier for this app.
The package name for an Android app is included in the Google Play (formerly Android Market) URL. The following example highlights the package name:
https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free
Note that the package name provides the basis for matching recommended apps with entries in the App Inventory screen. Therefore, the requirement that the package name be unique impacts the app inventory display.

Min. OS Version

Select the minimum version required for this app.
Devices that do not meet the minimum version requirement will not display this app in the Google Play Apps list.

7. Click Next.

8. Use the following guidelines to complete this screen:

Item

Description

App Name

Displays the app name you entered in the previous screen. This field is not editable here.

Description

Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the Google Play Apps list.

Featured

Select No if you do not want to highlight this app in the Featured apps list. On the device, the user can tap a button to display all recommended (i.e., Google Play) and in-house apps or a subset of featured apps.

Category

Select a category if you would like this app to be displayed in a specific group of apps in the Google Play Apps list on the device. Click the here link to define new categories.

9. Click Next.

10. Use the following guidelines to complete this page:

Item

Description

App Icon

Select the icon to be used to represent this app. The file must be 144 x 144 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. If you do not select an icon, then a default icon will be displayed next to this app in the Google Play Apps list.
To clear the field, such as if you select the wrong file, click the - button next to the Browse button.

Android Screenshots

Click the Browse button to select and upload optional screenshot files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots.
To clear the field, such as if you select the wrong file, click the - button next to the Browse button.

11. Click Next.
If the graphics you specified are accepted, the Congratulations screen displays.

12. Click Finish.
The app is displayed in the App Distribution Library page with an icon that identifies the app as a recommended app.
Note that the App Version field will remain blank until the app is installed on a device.

13. Associate the app with a label to have that app listed on Android devices.
See Publishing apps in Apps@Work for iOS devices on page 407.

Android app versions and device counts

The App Version field displays the latest version found in the app inventory. Until a managed device reports a version number, this field contains a dash. The # of Installed Devices field displays the number of devices associated with the latest version of the app. To see collective information on all installed versions of the app, go to the App Inventory page.
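The Add App wizard tables above state concrete rules for their fields: App Name allows only alphanumerics, underscores, dashes and spaces; Package Name is the fully-qualified identifier found in the id parameter of the Google Play URL; and the icon and screenshots must match the listed pixel dimensions (the iOS in-house app wizard earlier in this chapter has its own list of sizes). The following is an added example, not part of the VSP, that checks those inputs before an upload. It reads image dimensions straight from the PNG IHDR chunk so it needs no imaging library, and therefore handles only PNG (the recommended format), not the JPG and GIF files the wizard also accepts; the function names and the sample PNG header are assumptions.

```python
"""Pre-checks for the Add App wizard fields.

Added example, not part of the VSP. It encodes the field rules from the
wizard tables: App Name character set, Package Name as a fully-qualified
identifier taken from a Google Play URL, and the icon and screenshot
dimensions for Android and iOS. Only PNG headers are parsed (IHDR chunk);
JPG and GIF are not handled. The sample PNG header is constructed.
"""
import re
import struct
from urllib.parse import parse_qs, urlparse

APP_NAME_RE = re.compile(r"^[A-Za-z0-9_\- ]+$")
# Java-style package: dot-separated identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

# (width, height) pairs the wizards accept, per upload slot.
ALLOWED_DIMENSIONS = {
    "android_icon": {(144, 144)},
    "android_screenshot": {(480, 800), (480, 854)},
    "ios_icon": {(57, 57), (72, 72), (114, 114)},
    "ios_phone_screenshot": {(320, 480), (640, 960), (480, 320), (960, 640)},
    "ios_ipad_screenshot": {(1024, 768), (768, 1024)},
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def valid_app_name(name):
    """True if the name uses only the characters the App Name field allows."""
    return bool(APP_NAME_RE.match(name))


def valid_package_name(package):
    """True if the string is a fully-qualified, Java-style package name."""
    return bool(PACKAGE_RE.match(package))


def package_name_from_play_url(url):
    """Extract the package name from a Google Play URL's id parameter.

    Works for both the older market.android.com and play.google.com forms;
    raises ValueError if the id is missing, repeated, or not a valid package.
    """
    ids = parse_qs(urlparse(url).query).get("id", [])
    if len(ids) != 1 or not valid_package_name(ids[0]):
        raise ValueError(f"no valid package name in {url!r}")
    return ids[0]


def png_dimensions(data):
    """Return (width, height) from the IHDR chunk of a PNG, else ValueError.

    Layout: 8-byte signature, 4-byte chunk length, 'IHDR', then width and
    height as big-endian unsigned 32-bit integers.
    """
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        raise ValueError("not a PNG file")
    return struct.unpack(">II", data[16:24])


def image_allowed(slot, data):
    """True if the PNG in data has a size the given wizard slot accepts."""
    return png_dimensions(data) in ALLOWED_DIMENSIONS[slot]


def make_png_header(width, height):
    """Constructed PNG prefix for testing: signature plus an IHDR chunk with
    the given size (8-bit RGBA, no CRC, no image data), not a full image."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr


if __name__ == "__main__":
    url = "https://market.android.com/details?id=com.dataviz.docstogo&feature=top-free"
    print(valid_app_name("Documents To Go"), package_name_from_play_url(url))
    print(image_allowed("android_icon", make_png_header(144, 144)),
          image_allowed("ios_icon", make_png_header(144, 144)))
```

Checking the real file header rather than trusting the filename extension is the useful part here: a 144x144 Android icon is rejected for the iOS icon slot even though both are PNG, and a file that lacks the PNG signature is refused outright.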


Adding in-house apps for Android

In-house apps are the internally-developed mobile apps that are displayed in the In-house Apps list.
To add an in-house app to the app distribution library:
1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click Add App.
The Android Add App Wizard starts.
4. Click Next.
In-house App is selected by default.
5. Select Yes for Silently Install if you want Samsung SAFE devices to silently install and uninstall the app.
For more information, see Silent install and uninstall on Samsung SAFE devices on page 418.
6. Click Browse and navigate to the in-house app (.apk) you want to upload.
Note: You cannot upload an in-house app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. If the package is acceptable, the following screen displays.
8. Use the following guidelines to complete the items in this screen:

Item

Description

App Name

Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

Display Version

Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.

Code Version

Displays the version defined for the package. This item is not editable.

Description

Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the In-house Apps list.

Override URL

If you are implementing an alternate URL for downloading in-house apps, enter that URL here. The URL must point to the in-house app in its alternate location. See Override for in-house app URLs on page 449 for the requirements for this configuration.

Featured

Select No if you do not want to highlight this app in the Featured apps list. On the device, the user can tap a button to display all recommended and in-house apps or a subset of featured apps.

Category

Select a category if you would like this app to be displayed in a specific group of apps on the device. Click the here link to define new categories.

9. Click Next.
Note: The icon for Android in-house apps is defined by the app developer. However, after you finish adding the app, you can edit the entry for the app and change the icon.
10. If you would like to provide screenshots of the app, click the Browse button and select the files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots.
11. Click Next when you are finished uploading screenshots.
12. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.

Adding secure apps for Android

You upload all secure apps and the Secure Apps Manager to the VSP as in-house apps. The VSP distributes the apps to Android devices based on labels that you assign to the apps and devices.
The apps that you upload include:
• the Secure Apps Manager that MobileIron provides.
The Secure Apps Manager is required for AppConnect to work. See The Mobile@Work app and the Secure Apps Manager on page 480.
• the AppConnect apps that MobileIron provides.
These apps can include NitroDesk TouchDown, ThinkFree Document Viewer, and File Manager.
Note: The SharePoint Client app is part of the File Manager .apk file.
See AppConnect apps that MobileIron provides for Android on page 514.
• the AppConnect apps that your enterprise wrapped.
See AppConnect and third-party/in-house secure apps on page 478.
Before you begin: Get the Secure Apps Manager and the other AppConnect apps that MobileIron provides from the support.mobileiron.com site. Save them to a location accessible from your VSP.
To add a secure app to the app distribution library:


1. In the Admin Portal, select Apps > App Distribution Library.
2. Select Android from the Select Platform list.
3. Click Add App.
The Android Add App Wizard starts.
4. Click Next.
In-house App is selected by default.
5. Ignore the Silently Install option.
The Silently Install option is not applicable to AppConnect apps. No is selected by default.
6. Click Browse and navigate to the AppConnect app (.apk) you want to upload.
Note: You cannot upload an AppConnect app that exceeds 2.15 GB.
7. Click Next.
The Add App Wizard examines the selected package to ensure that it meets requirements for in-house apps distributed for Android devices. It also recognizes that the app is an AppConnect app. If the package is acceptable, the following screen displays.
8. Use the following guidelines to complete the items in this screen:

Item

Description

App Name

Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

Display Version

Displays the version number defined by the app developer. This is the version that displays to device users. This field is not editable.
Note: The version number for AppConnect apps includes:
• the version number defined by the app developer
• additional numbers provided by the wrapping process

Code Version

Displays the version defined for the package. This item is not editable.

Description

Enter any additional text that helps describe what the app is for. This text appears on the target devices under the app name in the Secure Apps list.
MobileIron recommends that you add the following descriptions for the AppConnect apps that MobileIron provides:
• the Secure Apps Manager
The Secure Apps Manager works with the Mobile@Work app to secure and manage secure apps on your device.
• NitroDesk TouchDown
NitroDesk TouchDown provides secure access to your company email, contacts, calendar, and tasks.
• ThinkFree Document Viewer
ThinkFree Document Viewer provides secure access to your company documents and email attachments.
• File Manager
File Manager allows you to securely navigate and manage your company files.

Override URL

If you are implementing an alternate URL for downloading secure apps, enter that URL here. The URL must point to the secure app in its alternate location. See Override for in-house app URLs on page 449 for the requirements for this configuration.

Featured

This field is not applicable for AppConnect apps.

Category

This field is not applicable for AppConnect apps.

9. Click Next.
Note: The icon for Android secure apps is defined by the app developer. However, after you finish adding the app, you can edit the entry for the app and change the icon.
10. If you would like to provide screenshots of the app, click the Browse button and select the files. The supported dimensions are 480x800 pixels and 480x854 pixels. GIF, JPG, and PNG are supported. We recommend PNG for best resizing.
Once you upload the first screenshot, a + icon displays. Click this icon to upload additional screenshots.
11. Click Finish.
The app is displayed in the App Distribution Library screen with an icon that identifies the app as an in-house app.
Note: You know the app is an AppConnect app by looking at its version number. The version number for an AppConnect app is a concatenation of the original app's version number and a version number from wrapping the app.


Adding apps to the app storefront for Android devices

Once you have added an Android app (Google Play, in-house, or secure) to the app distribution library, you need to select one or more labels to specify which Android devices should have the app displayed in the app storefront.
1.

In Admin Portal, select Apps > App Distribution Library.

2.

Select Android from the Select Platform list.

3.

Select the app you want to work with.

4.

Select Actions > Apply to Label.

5.

Select the label that represents the Android devices on which you want the selected app to be listed.

6.

Click Apply.

User notification of newly-published apps


When a featured app or an update to an installed app is published to users, those
users receive a notification in the form of a badge that appears next to the appropriate
app list. The number on the badge indicates the number of apps available.

If the user deletes a published app, that app will not become available for reinstalling
again until the next sync interval causes the MobileIron VSP to be updated. You can
address user concerns by using the Force Device Check-In command to force the
MobileIron Client to update the VSP.

Troubleshooting: Android apps


A newly-added app does not display in the Google Play Apps (recommended apps) list
on the device.


1.

Confirm that you have applied the app to a label to which the device has been added.

2.

Confirm that the device meets the minimum OS requirement you specified when you added the app.

3.

If the MobileIron app is running, select Refresh from the app menu.

A newly-added app does not display in the in-house apps list on the device.
1.

Confirm that you have applied the app to a label to which the device has been added.

2.

Confirm that the device meets the minimum OS requirement you specified when you added the app.

3.

Confirm that the device has been configured to accept apps from outside Google Play (formerly Android Market). (On the device, select Settings > Applications > Unknown sources.)

4.

If the MobileIron app is running, select Refresh from the app menu.


Working with apps for BlackBerry devices


No longer supported.


Working with apps for Windows Mobile devices


No longer supported.


Working with apps for Windows Phone 8 devices


App management for Windows Phone 8 (WP8) devices enables you to:
- import recommended apps from the Windows Store
- distribute in-house apps

Note: After registration, the WP8 device is in Verified state. The device state changes to Active after the first successful MDM session. This may take from approximately ten seconds up to one minute after registration. If the device user logs into the Mobile@Work app before the device changes to Active state, the device user will not see any recommended apps because the VSP is not yet associated with the device.
For the following information about setting up your WP8 device, see Getting Started with Windows Phone 8:
- Registering your WP8 device with MobileIron and installing the Mobile@Work app.
- Installing certificates on your WP8 device.
- Downloading apps to your WP8 device.

Importing recommended apps for WP8 devices


Follow these steps to import recommended apps from the Windows Store:
1.

In the Admin Portal, go to Apps > App Distribution Library.

2.

From the Select Platform drop-down list, select Windows Phone 8.
The Windows Store Import button appears.

3.

Click Windows Store Import.

4.

Enter an app name in the Search box.

5.

In the App Store list, select the country for the App Store you want to search.

6.

In the Limit field, enter the number of entries you want to retrieve.
To improve search performance, the default is set to 20. You can enter a number between 20 and 50.

7.

Click the Search button.
The matching apps are displayed.

8.

Click the Import link for the app you want to import.
The app information is imported into the App Distribution Library page.

9.

Select the app in the App Distribution Library page.

10.

Click Actions > Apply To Label.

11.

Select a label to apply.

12.

Click Apply.
The app is pushed to the devices to which the label is applied.
The app is now available to device users to download from the Mobile@Work client on their WP8 device.


In-house and third-party apps for WP8 devices


MobileIron enables you to distribute and track in-house and third-party apps to your
managed WP8 devices. These apps appear in the In-house Apps list on managed
WP8 devices.
The following sections provide information about developing and managing in-house
and third-party apps:

Before you develop in-house apps for WP8 devices on page 431
Adding the AET and applying a label on page 432
Adding in-house and third-party apps for distribution to WP8 devices on page 432
Removing the label on page 434
Upgrading to a new version of an app on WP8 devices on page 434
Editing WP8 app information on page 434
Deleting a Windows Phone 8 app from the VSP on page 435

Before you develop in-house apps for WP8 devices


This section describes the certificates and tokens required for distributing in-house
apps for WP8 devices and the file specifications for the WP8 in-house apps for distribution through the VSP.

Certificates and tokens for in-house apps for WP8 devices


Before you develop in-house apps for WP8 devices, you must do the following:
1.

Review the certificates and tokens required for in-house apps for WP8 devices at:
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943.aspx

2.

Create a Windows Phone Dev Center account at
http://msdn.microsoft.com/en-us/library/windowsphone/help/jj206719.aspx
The next step requires the Publisher ID for your company that is provided when you create the Dev Center account.

3.

Get an enterprise mobile code signing certificate from Symantec at
https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do
Export the certificate in PFX format and be sure to export the private key with the certificate.
You will sign your in-house app with the Symantec Enterprise Certificate. This is required for WP8 devices.

4.

Generate the application enrollment token (AET) using the AETGenerator tool provided by the Windows Phone SDK 8.0.
For more information see
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj735576.aspx
You upload the AET (.aetx file) to the VSP. See Adding the AET and applying a label on page 432.


Third-party apps for WP8 devices


If you are uploading third-party apps for distribution through the VSP, you must also
upload the AET (.aetx file) associated with the Symantec Enterprise Certificate used to
sign the app. See Adding the AET and applying a label on page 432.

WP8 app file specifications for upload to VSP


The following file specifications apply to in-house and third-party apps for WP8 devices:

Item          Format   Size                              Number
App           XAP      100 MB maximum
Icon          PNG      99x99 pixels maximum              One per app.
Screen shots  PNG      480x800 pixels or 480x854 pixels  Up to four per app.
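The limits in this table can be checked before an upload is attempted. The script below is an added example, not MobileIron code: it reads width and height from the IHDR header that every PNG begins with and applies the XAP size, icon, and screenshot limits above; the PNG bytes it builds are constructed, header-only test data.

```python
import struct
import zlib

MAX_XAP_BYTES = 100 * 1024 * 1024            # App: XAP, 100 MB maximum
MAX_ICON_PX = 99                             # Icon: PNG, 99x99 pixels maximum, one per app
SCREENSHOT_SIZES = {(480, 800), (480, 854)}  # Screen shots: PNG, either size
MAX_SCREENSHOTS = 4                          # up to four per app
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk, or None when the bytes are
    not a PNG.  Only the fixed-size header is parsed; the image data is never
    decoded, so a malformed or oversized file is rejected before any image
    library touches it."""
    if len(data) < 24 or not data.startswith(PNG_SIGNATURE):
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test data: the PNG signature plus a valid IHDR chunk and
    nothing else.  Enough for the dimension check, not a displayable image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


def validate_wp8_upload(xap_size: int, icon: bytes, screenshots) -> list:
    """Apply the WP8 file specifications to one app upload.
    xap_size is the package size in bytes; icon and screenshots are file
    contents.  An empty list means the upload meets the specification."""
    problems = []
    if xap_size > MAX_XAP_BYTES:
        problems.append(f"XAP is {xap_size} bytes; maximum is {MAX_XAP_BYTES}")
    dims = png_dimensions(icon)
    if dims is None:
        problems.append("icon is not a PNG")
    elif dims[0] > MAX_ICON_PX or dims[1] > MAX_ICON_PX:
        problems.append(f"icon is {dims[0]}x{dims[1]}; maximum is 99x99")
    if len(screenshots) > MAX_SCREENSHOTS:
        problems.append(f"{len(screenshots)} screenshots; maximum is {MAX_SCREENSHOTS}")
    for i, shot in enumerate(screenshots, 1):
        dims = png_dimensions(shot)
        if dims is None:
            problems.append(f"screenshot {i} is not a PNG")
        elif dims not in SCREENSHOT_SIZES:
            problems.append(f"screenshot {i} is {dims[0]}x{dims[1]}; must be 480x800 or 480x854")
    return problems
```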

Adding the AET and applying a label


Follow these steps to add the AET to the VSP and apply a label:
1.

From the Admin Portal, go to Policies & Configs > Configurations.

2.

Click Add New > Windows Phone 8 > Enrollment Token (AET).
The New Application Enrollment Token window displays.

3.

Enter a Name and Description for the AET.

4.

Click Browse to navigate to and select the AET file.
This is a .aetx file.

5.

Click Save.

6.

In the Configurations page, select the AET.

7.

From the Labels drop-down list, select a label to apply.
The AET is pushed to the devices to which the label is applied.

Adding in-house and third-party apps for distribution to WP8 devices

Follow these steps to add in-house and third-party apps for WP8 devices:
1.

In the Admin Portal, go to Apps > App Distribution Library.

2.

From the Select Platform drop-down list, select Windows Phone 8.

3.

Click the Add App button.
The Add App Wizard starts.

4.

Click Next.

5.

Click Browse to navigate to and select the app.
This is a .xap file.


6.

For Application Enrollment Token, select the token associated with the Symantec Enterprise Certificate used to sign the app.

7.

Click Next.
The app information, extracted from the .xap file, displays.

8.

Use the following guidelines to edit the app information:

Item

Description

App Name

The name of the app as defined by the developer. This field is not editable.

Version

The version of the app. This field is not editable.

Author

The author of the app as defined by the developer. This field is not editable.

Description

Enter a description for the app.

Featured

Select Yes to display the app in the Featured list on the device.
Select No if you do not want to list the app in the Featured list on the device.

Category

Select the category from the drop-down list. The app appears under that category on the device.
To add a new category, click the provided link.

Silent Upgrade

Specify how the app is upgraded on the WP8 device.
Only the latest version of the app is listed in the Mobile@Work app.
The setting is only available when adding a new version of the app.
- Select Yes to update to the new version without any user actions.
  This is the default setting. The app is upgraded when the device checks in with the VSP.
- Select No to only allow a manual update of the app.
  The app is not automatically updated when the device checks in with the VSP, and the user is not prompted or notified to update the app.
  The device user manually installs the latest version of the app from the Mobile@Work app on the device.

9.

Click Next.

10.

(Optional) Click Browse to navigate to and select the icon and screenshots for the app.
You can upload one icon and up to 4 screenshots per app.

11.

Click Finish.
The app information appears in the App Distribution page.

12.

In the App Distribution page, select the app.

13.

Click Actions > Apply To Label and select a label to apply.


The app is pushed to the devices to which the label is applied.


Note: Only the latest version of the app is displayed in the Mobile@Work app.

Removing the label


Follow these steps to remove the label from a WP8 app:
1.

In Admin Portal, go to Apps & Configs > App Distribution.

2.

From the Select Platform drop-down list, select Windows Phone 8.

3.

In the App Distribution page, select the app from which you want to remove the label.

4.

Click Actions > Remove From Label.

5.

In the dialog box, select Windows Phone 8 and click Remove.

6.

Click OK.
When you remove the label, the app is no longer pushed to devices associated with that label. The app is not deleted from the VSP or from the devices on which it is already installed.

Upgrading to a new version of an app on WP8 devices


1.

When a new version of an app becomes available, follow the steps described in Adding in-house and third-party apps for distribution to WP8 devices on page 432 to add the app to the App Distribution list for Windows Phone 8 devices.

Editing WP8 app information


Follow these steps to edit the app information, icons, and screenshots:
1.

In the Admin Portal, go to Apps > App Distribution Library.

2.

Select Windows Phone 8 from the Select Platform list.

3.

Click the edit icon next to the app you want to work with.
You can edit the following information:

Item

Description

App Name

Edit the name of the app.

Description

Edit the description for the app.

Featured App

Change whether the app is a Featured App or not.
On the device, the featured apps display in a separate Featured list. The app also displays in the In-house apps list or the Recommended apps list.

Category

Edit the category under which the app appears on the device.
To add a new category, click the provided link.


App Icon

Click the edit icon under the graphic to navigate to and select a new graphic. Click OK to replace the existing graphic.

Windows Phone 8 Screenshots

Click the edit icon under the screenshot to navigate to and select a new screenshot. Click OK to replace the existing screenshot.

4.

Click Save.

Deleting a Windows Phone 8 app from the VSP


Follow these steps to delete an app:
1.

In Admin Portal, go to Apps > App Distribution Library.

2.

Select Windows Phone 8 from the Select Platform list.

3.

Select the app to delete.

4.

Click Delete.
This action deletes the app from the VSP, but does not delete it from the device.


Working with apps for Symbian devices


No longer supported.


Maintaining apps for BlackBerry, Windows Mobile, and Symbian

No longer supported.


Setting up app control


Android  iOS  Win 7  WP8
yes  yes

You can set up app control to enhance visibility into the apps being installed on managed devices and help enforce corporate app policy. Setting up app control involves the following tasks:
1.

Configure alerts for when a device violates the app control rules in its security policy.

2.

Define app control rules.

3.

Select app control rules for the Access Control settings in the security policies assigned to target devices.

This order of tasks is strongly recommended to ensure that alerts are generated if devices are already in violation when they receive the corresponding policy from MobileIron. Otherwise, these devices will not generate an alert until one of the following actions occurs:
- the administrator changes the security policy
- the administrator edits the app control rule
- the device updates app inventory
- the device updates device detail

The app control rule defines which apps you want to control. Security policies specify
which devices the rules are applied to and the actions to associate with a rule violation. The alert determines the information that is sent as the result of rule violation,
as well as the recipients of the information.

App control alerts


The app control rule specifies whether violating devices should just trigger an alert or
also be blocked from ActiveSync access and Docs@Work access. However, the associated event must also be configured in Event Center, or no alert will be generated.
Important: To ensure that the alert is generated in a timely fashion for devices that
are already in violation when the policy is created, you should create the event first.
Otherwise, the alert will not be generated until after one of the following:
- change in security policy
- edit of app control rule
- device updates app inventory
- device updates device detail

App control rule types


Each app control rule specifies that the apps meeting the given criteria be designated
as either Required, Allowed, or Disallowed:


- Use Required rules to ensure that certain apps are installed on designated devices. The absence of one of these apps is considered a policy violation. For example, since MDM-enabled iOS devices report inventory even if the MobileIron Client has been uninstalled, you can create a Required rule to ensure that the removal of the MobileIron Client results in the appropriate response. Note that Required rules take precedence over Disallowed rules in the case of a conflict.

- Use Allowed rules to specify a small set of apps that are allowed on designated devices. The presence of an app not on this list is considered a policy violation. For example, you might create a set of Allowed rules for use by temporary employees to ensure that they are not installing personal apps on a corporate device.

- Use Disallowed rules to specify a small set of apps that are forbidden on designated devices. The presence of a disallowed app is considered a policy violation. For example, you might use a set of Disallowed rules to help lower exposure to apps with known security issues. Note that Required rules take precedence over Disallowed rules in the case of a conflict.

App control rule criteria


App criteria match a specified string against the app name. (In this case, app name
refers to the uneditable app name defined by the author of the app. It does not refer
to an app name you may have specified when adding the app to the app distribution
library.) You can also restrict criteria to a specific platform. The following figure shows
an example of an app control rule with criteria for disallowed.
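The rule semantics above, modelled as an added example (not MobileIron's own evaluation code): IS and CONTAINS entries restricted by platform, Required taking precedence over Disallowed, and the three alert types from Configuring app control alerts. Assumptions: names are compared after the normalization the inventory uses (control characters to spaces, case ignored, as described under What's in an app name?), a policy carries Required rules plus either Allowed or Disallowed rules, and an app matched by a Required entry is not reported against an Allowed list.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RuleEntry:
    """One row under Rule Entries in the Add App Control Rule screen."""
    search: str          # App Search String; no wildcards
    match: str           # "IS" (exact match) or "CONTAINS" (substring)
    platform: str        # Device Platform the entry applies to, or "Any"
    comment: str = ""    # optional Comment field


@dataclass
class AppControlRule:
    name: str
    rule_type: str       # "Required", "Allowed" or "Disallowed"
    entries: list = field(default_factory=list)

    def __post_init__(self):
        # The portal only accepts IS entries in a Required rule.
        if self.rule_type == "Required" and any(e.match != "IS" for e in self.entries):
            raise ValueError("Required rules must use IS entries")


def normalize(name: str) -> str:
    """Assumption: matching uses the stored form of a reported app name,
    control characters replaced by spaces and case ignored."""
    return re.sub(r"[\x00-\x1f\x7f]", " ", name).lower()


def entry_matches(entry: RuleEntry, app_name: str, platform: str) -> bool:
    """True when the entry applies to this platform and its search string
    matches the reported app name under the IS/CONTAINS semantics."""
    if entry.platform not in ("Any", platform):
        return False
    needle, haystack = normalize(entry.search), normalize(app_name)
    return haystack == needle if entry.match == "IS" else needle in haystack


def evaluate(policy_rules, platform, inventory):
    """Return the policy-violation alerts for one device.

    policy_rules: the app control rules enabled in the device's security
    policy (Required rules plus either Allowed or Disallowed rules, never
    both, as the Edit Security Policy screen enforces).
    inventory: app names exactly as the device reported them."""
    types = {r.rule_type for r in policy_rules}
    if {"Allowed", "Disallowed"} <= types:
        raise ValueError("a security policy cannot enable both Allowed and Disallowed rules")

    def entries_of(rule_type):
        return [e for r in policy_rules if r.rule_type == rule_type for e in r.entries]

    required, allowed, disallowed = entries_of("Required"), entries_of("Allowed"), entries_of("Disallowed")
    alerts = []

    # Required: absence of the app on a device of the entry's platform is a violation.
    for entry in required:
        if entry.platform not in ("Any", platform):
            continue
        if not any(entry_matches(entry, app, platform) for app in inventory):
            alerts.append(f"Required app not found: {entry.search}")

    for app in inventory:
        is_required = any(entry_matches(e, app, platform) for e in required)
        # Allowed: anything not on the list is a violation (assumption: an app
        # matched by a Required entry counts as allowed).
        if allowed and not is_required and not any(entry_matches(e, app, platform) for e in allowed):
            alerts.append(f"App found that is not in Allowed Apps list: {app}")
        # Disallowed: presence is a violation, but Required wins on a conflict.
        if disallowed and not is_required and any(entry_matches(e, app, platform) for e in disallowed):
            alerts.append(f"Disallowed app found: {app}")
    return alerts
```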

App control rules applied in security policies


The following figure shows app control rules applied in a security policy. In this case,
the selected compliance actions are applied if the specified apps are detected on a
device to which the security policy is applied.


Configuring app control alerts


To enable app control alerts:
1.

In the Admin Portal, select Logs & Events > Event Settings.

2.

Select Add New > Policy Violations Event.

3.

Enter a name for the event.

4.

Confirm that the app control alerts you want to generate have been selected.
The following table summarizes these alerts:

Item

Description

Disallowed app found

Generate an alert if a disallowed app is found on a designated device.

App found that is not in Allowed Apps list

Generate an alert if an app is found that is not on the Allowed Apps list for the designated device.

Required app not found

Generate an alert if a required app is not found on a designated device.

5.

Disable any other alerts that you do not want to enable.

6.

Click Save.

Adding an app control rule


To add an app control rule:
1.

In the Admin Portal, select Apps > App Control.

2.

Click Add.

3.

In the Name field, specify an identifier for this rule.

4.

For the Type option, select the type of rule you want to define:


- Required: This rule specifies criteria for apps that MUST be installed.
- Allowed: This rule specifies criteria for apps that MAY be installed, exclusive of all other apps.
- Disallowed: This rule specifies criteria for apps that MUST NOT be installed.

5.

Under Rule Entries, specify one or more criteria to match the name of the app you want to control:
- Select IS or CONTAINS to indicate whether to use an exact match. Note that if you selected Required, then you must select IS.
- In the App Search String, enter the app name text you want to match. Do not enter wildcards. If you know the official name for the app, enter it here. If you do not, enter text you will be able to identify with this app. Once you have installed the app once, the App Inventory screen will display the official name. You can then change this field to match.
- In the Device Platform list, select the platform to which you want to apply this entry.
- In the optional Comment field, you can enter a note about the purpose of the entry.

6.

To add an additional entry, click the + icon.

7.

Click Save when you are finished.
The following figure shows an example of an app control rule with criteria for disallowed apps.

8.

Specify the rule in the appropriate security policies to apply the rule to managed devices.

Editing app control rules


To edit an app control rule, click the edit icon next to the rule in the App Control page.
Note that you cannot change the type of an app control rule if that rule has been
applied to a security policy.

Applying an app control rule to a security policy


To apply an app control rule to a security policy:
1.

In Admin Portal, select Policies & Configs > Policies.


2.

Select the security policy you want to work with.

3.

Click the Edit button.

4.

Scroll down to the Access Control section of the Edit Security Policy screen.

5.

Select the checkbox for the App Control rules option.

6.

In the dropdown list, select the action you want to perform if the rule is violated. You can select from:
- Block Email, AppConnect apps, and Send Alert: Prevents the device from accessing email via ActiveSync and generates a policy violation alert, if configured. This selection also unauthorizes AppConnect apps, blocks app tunnels, and blocks access to Docs@Work features in Mobile@Work on iOS devices.
- Send Alert: Generates a policy violation alert if configured in Event Center.
- any custom compliance actions you have created.

7.

Under Rule Type: Required, select the rules you want to apply, if any, and click the arrow button to move them to the Enabled list.

8.

To apply allowed-type or disallowed-type rules, select either Rule Types: Allowed or Rule Types: Disallowed. You may not select both in the same security policy.

9.

Select the allowed-type or disallowed-type rules you want to apply and click the arrow button to move them to the Enabled list.

10.

Click Save.

11.

Configure App Control alerts.

Viewing app control status


In addition to the alerts you can configure, MobileIron displays app control status for
devices in the Devices page.
The following table summarizes the icons related to app control (the icons themselves are images in the Devices page and are not reproduced here):

Icon    Description
(icon)  App control violation
(icon)  Required app violation
(icon)  Allowed app violation
(icon)  Disallowed app violation

Select the entry for a device in violation to see details in the device details pane.


Viewing app inventory


Android  iOS  OS X  Win 7  WP8
yes  yes  yes  yes(a)

a In-house and third-party apps only.

The Device App Inventory page displays the apps that MobileIron has detected on managed devices. Only apps that were installed after the manufacturer's image was loaded are listed.
To display the app inventory, in the Admin Portal, select Apps > Device App Inventory.

What's in an app name?


The app names displayed in the App Inventory page are the names reported by the
apps installed on managed devices, not the name you assigned when you added an
app to the app distribution library. Therefore, if you are looking for an app you know is
installed, but you cannot find it in the inventory list, make sure you are looking for the
correct name. Note that any control characters found in the reported app name are
converted to spaces in MobileIron, and app names are stored in the database without
regard to case.

Synchronizing app inventory


The privacy policy assigned to a device determines whether that device reports data
associated with app inventory. If the Apps option in the privacy policy is set to None,
then inventory data for the device will not appear in this screen.
Note that inventory data is updated based on the Sync Interval specified in the Sync
policy. Therefore, inventory changes on the device are not reflected immediately on
the App Inventory page. During testing, you can use one of the following methods to
decrease the amount of time it will take to update the inventory:

- decrease the Sync Interval in the Sync policy
- use the Force Device Check-in feature in Admin Portal (for supported platforms)
- use the Connect Now/Refresh feature in the MobileIron client (for supported platforms)
- check for updated configurations (for iOS)


Also note that setting Apps to None in the Sync policy drops the current inventory
data. Setting Apps back to Sync Inventory re-enables inventory reporting for iOS
(with timing governed by the Sync Interval specified in the sync policy). For all other
platforms, you must make an app distribution change or reboot the device in order to
restart the inventory process.

Filtering the inventory display


You can filter the inventory display by:


- Platform
- Label
- App name
For example, to display iOS apps that are on company-owned devices and contain the
letter A, you would select iOS from the Platforms list, select Company-Owned from
the Labels list, and enter A in the Search by App field. Clicking the search icon in the
Search by App field applies the search.

Displaying the devices on which an app is installed


The entry for each app in the Device App Inventory page includes the number of
devices on which the app has been installed. The displayed number is a link. Click the
link to display a list of the devices on which the app is installed.


Managing app inventory


Android  iOS  OS X  Win 7  WP8
yes  yes  yes

You can use the Device App Inventory page to help manage the apps that are appearing in your enterprise. We recommend the following approach:
- determine which apps are new
- determine when an app was first reported by a managed device
- launch a web search for a selected app
- display permissions for Android apps
- move directly to the App Control screen

Determining which apps are new


The Status column in the Device App Inventory screen flags an app as New when it is
first detected on a managed device. Use the Status filter to display only those apps
flagged as New.
If a new version of an app flagged as OK appears, then the default status is New Version.
Exception: If you have changed the status for an app to Bad, then a new version of it
will retain the Bad flag. See Deciding whether an app is OK on page 446 for information on changing the flag.

Determining when an app was first reported


The date an app was first reported by a managed device can be an important piece of
information when investigating possible issues with the app. MobileIron tracks this
information for each app displayed in the Device App Inventory page.

Launching a web search for a selected app


When a new app appears in the Device App Inventory page, you may want to investigate. Who develops and distributes the app? Is this a reputable vendor? Does the app
pose any security considerations? To start your research, click the link for the app in
the App Inventory page.
MobileIron launches a web search to get your research started.


Displaying permissions for Android apps


Android's unique approach to app permissions can pose a challenge to administrators,
as each app may have dozens of permissions associated with it. To provide easier
access to this information, MobileIron displays the permissions granted to each
Android app in the Device App Inventory page.
Just click the link in the Permissions column to display the list of Android permissions.
If multiple versions of an app have been detected, then the displayed permissions are
for the latest version of the app.

Deciding whether an app is OK


Once you have researched an app, you can change the New flag (or New Version flag)
to indicate the result of your research. To change the flag:
1.

Double-click the New link to change the field to a dropdown list.

2.

Select OK or Bad from the dropdown.

3.

Click elsewhere on the page to save the selection.

What happens when a bad app is removed?


Once a bad app is removed from managed devices, the entry for that app no longer
appears in the App Inventory screen. However, the information about that app is
retained in the MobileIron database. If the app is again discovered on a managed
device, an entry will appear with the Bad flag displayed.
If you want to be able to track which apps you have determined to be bad, consider
adding the information in the Comment field for an app control rule.


Moving directly to the App Control screen


To move quickly from an app in the Device App Inventory screen to the App Control
screen, you can click the App Control Rules link for the app.


Upgrading the MobileIron client application


No longer supported.


Override for in-house app URLs


MobileIron supports an alternative for off-loading distribution of in-house apps to
alternate HTTP servers. This option is intended only for those customers who meet all
of the following criteria:

- numerous internally-developed apps for distribution to thousands of devices
- a trusted and secure internal network
- available HTTP servers
- concerns about performance impact on the VSP
- ability to manually synchronize apps between the VSP and an alternate location

This alternative enables you to specify an override URL, per app, to be used for in-house app distribution. The VSP routes download requests to this alternate location.
The following diagram illustrates a typical deployment.

This feature uses unauthenticated URLs. Therefore, a trusted and secure internal network is an absolute requirement. This feature is intended for use behind the firewall.

Implementing app source override on the VSP


If you have the supporting infrastructure in place, complete the following steps to
implement app source override:
1.

In Admin Portal on the VSP, select Apps > App Distribution Library.

2.

Select Android or iOS from the Platforms list.

3.

As you complete the forms in the Add App Wizard, include an appropriate URL in the Override URL field.
The URL must point to the in-house app in its alternate location.

4.

When you complete the Add App Wizard, assign an appropriate label to the app.


Manual synchronization of apps


The VSP does not synchronize the apps configured in Apps@Work with those stored on
the HTTP server in this configuration. The administrator must perform this maintenance manually and develop a process for ensuring proper synchronization.


Malware prevention: App reputation


Integration with Appthority provides app reputation data for apps detected on managed devices. This information helps you protect your organization from malware.

Enabling app reputation


To enable the app reputation feature:
1.

Consider configuring debug mode for MIFS logs (in System Manager).
Debug logs will capture successful configuration. Otherwise, you will have no indication if you mistype the license key for the reputation service.

2.

Select Settings > Preferences.

3.

Scroll down to the App Reputation section.

4.

Select the Enable App Reputation option.

5.

Use the following guidelines to complete the displayed fields:

Item

Description

Reputation Service

Select the reputation service from which you have purchased service.

Authentication Key

Enter the authentication key provided by the reputation service you are working with.

Rating Threshold

Enter a number from 0 to 100 representing the lowest rating at which an app should be considered OK. Apps that fall below this mark are considered Risky. Consult your rating service for information on their rating system to help determine the value that meets your needs.

Check Interval

Select an interval for contacting the reputation service to retrieve updated reputation data to be stored on the VSP:
- Daily: Update occurs at midnight each day.
- Weekly: Update occurs at midnight between Saturday and Sunday.
- Monthly: Update occurs at midnight before the first of the month.
Note: The day of the week and time of the update are not configurable.

6.

Click Save.
An initial sync begins shortly after initial configuration. Thereafter, the Check Interval setting determines when the VSP contacts the reputation service.


Confirming configuration of the app reputation service


You can use the following keywords to check the logs for successful configuration of
the reputation service:
appReputationEnabled=true
Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?
appReputationServiceOption=Appthority
appRatingThreshold
appReputationIntervalOption
Rescheduling Appthority-Sync-Job with schedule
AppthoritySyncJob.execute
Done with sync job
scores.length
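The following script is an added example, not MobileIron code, that runs the keyword check above over MIFS debug log lines. The keywords are the ones listed in this section; the sample log lines, their timestamps and logger names are constructed to look like a typical log4j layout and are not real MIFS output. Besides flagging missing keywords, it pulls out the logged settings (so a mistyped threshold or interval is visible) and the schedule string of the sync job.

```python
"""Check MIFS debug log lines for a successful app reputation configuration.

Added example, not MobileIron code. The keywords are the ones this section
lists; the log lines are constructed samples in a plausible log4j-style
layout, not real MIFS output, so only the keyword text is taken from the guide.
"""
import re

# Keywords from the guide. "Rescheduling Appthority-Sync-Job with schedule" is
# expected only when the settings are saved again, so it is not required here.
EXPECTED_KEYWORDS = (
    "appReputationEnabled=true",
    "appReputationServiceOption=Appthority",
    "appRatingThreshold",
    "appReputationIntervalOption",
    "Enabling Appthority-Sync-Job with schedule",
    "AppthoritySyncJob.execute",
    "Done with sync job",
    "scores.length",
)

# Constructed sample log (timestamps and logger names are made up).
SAMPLE_LOG = """\
2013-08-07 22:30:00,001 DEBUG AppReputationConfig - appReputationEnabled=true
2013-08-07 22:30:00,002 DEBUG AppReputationConfig - appReputationServiceOption=Appthority
2013-08-07 22:30:00,003 DEBUG AppReputationConfig - appRatingThreshold=60
2013-08-07 22:30:00,004 DEBUG AppReputationConfig - appReputationIntervalOption=DAILY
2013-08-07 22:30:00,005 INFO  SchedulerService - Enabling Appthority-Sync-Job with schedule: 0 30 22 * * ?
2013-08-07 22:30:05,100 DEBUG AppthoritySyncJob.execute - requesting scores
2013-08-07 22:30:09,700 DEBUG AppthoritySyncJob.execute - scores.length=42
2013-08-07 22:30:09,800 INFO  AppthoritySyncJob - Done with sync job
"""


def check_app_reputation_log(log_text):
    """Summarize what the log shows about the app reputation setup.

    Returns a dict with the expected keywords that are missing, the
    key=value settings that were logged, the schedule string of the sync
    job, and a 'configured' flag that is True only when the feature was
    enabled and at least one sync job completed.
    """
    lines = log_text.splitlines()
    found = {kw: any(kw in line for line in lines) for kw in EXPECTED_KEYWORDS}
    # Settings appear as appSomething=value; keep the values as strings.
    settings = dict(re.findall(r"\b(app\w+)=(\S+)", log_text))
    schedule = re.search(r"with schedule:\s*(\S+ \S+ \S+ \S+ \S+ \S+)", log_text)
    return {
        "missing": [kw for kw, ok in found.items() if not ok],
        "settings": settings,
        "schedule": schedule.group(1) if schedule else None,
        "configured": found["appReputationEnabled=true"] and found["Done with sync job"],
    }


if __name__ == "__main__":
    print(check_app_reputation_log(SAMPLE_LOG))
```

Run it against the real log after saving the settings: an empty `missing` list together with `configured` set to True is the confirmation this section describes, and an empty `settings` dict means debug logging was not on when the settings were saved.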

Viewing app reputation data


The Device App Inventory page (Apps > App Inventory) displays the information
about apps detected on managed devices.
The following table summarizes the values that can display in the App Rating field:

   Rating / Description

   Not Rated: With a score of 0, indicates that the VSP has not processed the app yet. With a blank score, indicates that the app is not currently in the designated service's database. The app might be new, or the service might provide app data only for specific operating systems.

   OK: Indicates that the app's score exceeds the threshold specified in the App Reputation settings.

   Risky: Indicates that the app's score does not exceed the threshold specified in the App Reputation settings.
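The following script is an added example, not MobileIron code, that reproduces the App Rating values of the table above for a list of inventory rows, so that Risky apps can be grouped per device for follow-up. The scores, app ids and device names are constructed. One caveat a practitioner should note: the Rating Threshold field describes the threshold as the lowest rating that is still OK, while the App Rating table says OK means the score exceeds the threshold; this example follows the table, so a score equal to the threshold is Risky. Confirm the boundary in your own console before relying on it.

```python
"""Reproduce the App Rating values shown on the Device App Inventory page.

Added example, not MobileIron code. It follows the App Rating table in this
section; the scores, app ids and device names are constructed. A score equal
to the threshold is treated as Risky ("does not exceed"), as the table says.
"""
NOT_RATED, OK, RISKY = "Not Rated", "OK", "Risky"

# Constructed inventory rows: score is 0-100, or None for a blank score.
SAMPLE_INVENTORY = [
    {"device": "iPhone-jdoe", "app": "com.example.notes", "score": 85},
    {"device": "iPhone-jdoe", "app": "com.example.flashlight", "score": 40},
    {"device": "android-asmith", "app": "com.example.game", "score": 60},
    {"device": "android-asmith", "app": "com.example.newapp", "score": 0},
    {"device": "android-asmith", "app": "com.example.unknown", "score": None},
]


def app_rating(score, threshold):
    """Return (rating, reason) for one score against the Rating Threshold setting."""
    if not 0 <= threshold <= 100:
        raise ValueError("Rating Threshold must be a number from 0 to 100")
    if score is None:  # blank score in the inventory
        return NOT_RATED, "app not in the reputation service's database"
    if score == 0:
        return NOT_RATED, "VSP has not processed the app yet"
    if score > threshold:
        return OK, "score exceeds the threshold"
    return RISKY, "score does not exceed the threshold"


def triage_inventory(inventory, threshold):
    """Group (device, app) pairs by rating so Risky apps can be followed up per device."""
    groups = {NOT_RATED: [], OK: [], RISKY: []}
    for row in inventory:
        rating, _ = app_rating(row["score"], threshold)
        groups[rating].append((row["device"], row["app"]))
    return groups


if __name__ == "__main__":
    for rating, apps in triage_inventory(SAMPLE_INVENTORY, 60).items():
        print(rating, apps)
```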


Chapter 15

Docs@Work


About Docs@Work
The Docs@Work feature gives device users an intuitive way to access, store, and view
attachments (from email) and documents from content servers, such as Microsoft
SharePoint sites. It also lets administrators establish data loss prevention controls to
protect these documents from unauthorized distribution. Docs@Work uses certain
aspects of AppConnect, including passcode access and app tunneling; however, you do
not require an AppConnect license for Docs@Work.

Docs@Work for content servers


Device users can view folders and documents that are shared on content servers, such
as a Microsoft SharePoint site, for which they have a valid user ID and password.
Device users can:

    Log in to the content server.
    Navigate through the folders.
    Preview documents on the content server site. These documents are known as remote files.
    Save local copies of the documents. These local copies are known as local files.
    View local files.
For iOS
Docs@Work for iOS is a feature contained within the Mobile@Work app. Implementing
Docs@Work on an iOS device (as explained in this document) displays the
Docs@Work-related tabs in Mobile@Work. See Docs@Work for iOS on page 717 for
information on using Docs@Work once it is configured on an iOS device.

For Android
Docs@Work for Android is a solution involving separate AppConnect-enabled apps that
work together. See The SharePoint Client App for Android on page 747 for information on using Docs@Work once it is configured on an Android device.

Docs@Work for email attachment control


Standalone Sentry controls email access between the ActiveSync server and devices.
You can configure Docs@Work and the email attachment control settings for Standalone Sentry to determine if and how mobile devices view email attachments.

Attachment handling for iOS


Email attachment control works with the iOS native email client. It is not supported
for third-party iOS email clients.
The 20 most recently viewed email attachments are available in Mobile@Work without requiring the user to reopen the attachment from its email. The user can also save an attachment as a local file. Like the attachments, the local files are available for viewing only in Mobile@Work.

The device user can view email attachments using any app that works with the attachment type. Configuring attachment control allows you to restrict viewing email attachments to Mobile@Work. This containerization secures the attachment from applications which could leak the attachment outside of the device. For additional access control, you can encrypt the email attachments.

Attachment handling for Android


For Android devices using an AppConnect-enabled email app, configuring attachment
control allows you to restrict viewing to AppConnect-enabled apps.
See Email attachment control support for Standalone Sentry on page 342 for more
information.

Single Sign On for Docs@Work


Single Sign On (SSO) for Docs@Work is supported. The device user registers
Mobile@Work with the VSP by entering his VSP credentials. Then, the device user can
use the Docs@Work feature to access content servers without having to enter any further credentials.
To use SSO:

    The content server must support authentication using Kerberos Constrained Delegation (KCD).
    Docs@Work must use the AppTunnel feature, configured so that the Standalone Sentry uses KCD to authenticate the user to the content server.
    The content server must be either a Microsoft SharePoint server or an IIS-based WebDAV content repository. MobileIron does not support KCD with CIFS-based content repositories.

Supported content servers


Docs@Work supports the following content servers:

    Microsoft SharePoint 2007
    Microsoft SharePoint 2010
    Microsoft SharePoint 2013
    IIS-based WebDAV content repositories
    CIFS on Windows 2008 R2 SP1
    CIFS on Samba (CentOS 6.2)

For iOS only, Docs@Work also supports Apache-based WebDAV content repositories.
To determine whether a specific content repository will function with Docs@Work, contact the vendor for information on the basis for the WebDAV or CIFS implementation.


Note: The Android SharePoint Client app supports IIS-based WebDAV content repositories starting with Android Secure Apps 5.6.0.1. It supports Microsoft SharePoint
2013 and CIFS-based content repositories starting with Android Secure Apps 5.7.

Supported authentication to content servers


Docs@Work supports the following authentication types from the client to the content
server.
Docs@Work for iOS:

    Basic
    Digest
    NTLM
    KCD

Docs@Work for Android (the Android SharePoint Client app):

    Basic
    NTLM, starting with Android Secure Apps 5.6.0.1
    KCD

Supported ActiveSync servers for attachment control


The list of ActiveSync servers that Standalone Sentry supports is in the MobileIron Sentry Administration Guide. Email attachment control works with all the listed ActiveSync servers.

Supported devices
iOS devices
To support Docs@Work, including full email attachment control, an iOS device must have:

    iOS version 4.2.1 and higher
    the Mobile@Work for iOS app

The supported iOS devices include the following:

    iPhone 3G and later
    iPad 1 and above
    iPod touch 2 and above

Note: Email attachment control works only with the iOS native email client. It is not supported for third-party iOS email clients.


Android devices with AppConnect enabled


Android devices running Mobile@Work 5.1 or later with AppConnect enabled support
the Docs@Work features using the AppConnect technology. Starting with
Mobile@Work 5.5, Docs@Work app settings apply to Android devices. See Using
AppConnect for Android on page 514.

Other platform devices


Devices that do not support the Docs@Work feature can support the email attachment control option to remove attachments from email before delivery to a managed device. However, because the device user's experience can vary by device, MobileIron has verified the remove attachments option on the following non-iOS devices:

    Android devices and associated email apps as specified in Exchange settings on page 205.
    Windows Phone 7
    Windows Phone 8

Docs@Work requirements
The Docs@Work feature requires the following versions of MobileIron products:

    VSP 5.0 or later (5.7 or later for CIFS-based content servers)
    Standalone Sentry 4.0 or later to support email attachment control (4.7 or later for CIFS-based content servers)

File viewers
For iOS devices, Mobile@Work uses the native file viewer to display the contents of
different file types. See Supported files in the Mobile@Work for iOS app on
page 475.

For Android devices, the ThinkFree Viewer displays the contents of different file
types. See Document types supported by ThinkFree Document Viewer on
page 516.

SharePoint Pre-requisites
To access a SharePoint site from Mobile@Work, a device user must have a SharePoint permission level for the SharePoint site that includes the following SharePoint site permission:

    Browse Directories - Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.

The contribute permission level includes this site permission by default. Therefore, device users with this permission level or higher can access the SharePoint site. The read permission level does not include this site permission by default. However, you can change the read permission level to include this site permission. Another option is that you can create another read permission level that includes this site permission.


For more information about SharePoint permission levels, see SharePoint documentation.

File synchronization (iOS)


Each time the device user views the remote files of a content server, Mobile@Work
syncs the folders and files so that the user sees the latest contents.

Each time the device user views local copies of files on the content server,
Mobile@Work syncs the local files so that their contents reflect the latest corresponding file on the content server.

Data security (iOS)


When the device user saves local copies of documents or email attachments, the saved copies are protected by the device's native data encryption.
Note: To enable data encryption on an iOS device, apply a security policy that
requires a password/passcode on the device.

The device user cannot cut and paste data from documents or email attachments
that they view in Mobile@Work into any other app.

Docs@Work is integrated with these features:

    quarantining devices
    wiping devices
    retiring devices
    blocking devices from accessing the ActiveSync server
    jailbreak detection

When any of these situations occur, the secured documents are no longer available to the device user. See Impacts of other MobileIron features (iOS) on page 472.


Configuring email attachment control


See Configuring email attachment control on page 348.
Note: For Android devices, an AppConnect-enabled email client, such as secure
Nitrodesk TouchDown, is required. See AppConnect apps that MobileIron provides for
Android on page 514 for more information.


Configuring Docs@Work for content servers (Android)

Configuring Docs@Work for content server access from Android devices requires the following tasks:

1. Enable the Docs@Work feature. See Enable Docs@Work on page 462.

2. Obtain and configure the AppConnect-enabled apps required for Docs@Work. See For Android, obtain and configure apps on page 462. This task includes configuring AppConnect and, if preferred, AppTunnel, including the Single Sign On feature. The AppConnect instructions explain how to configure the AppConnect configuration and container settings.
   Note: Be sure to set up requirements for an AppConnect passcode, if you require one, as part of configuring the AppConnect global policy.

3. Configure a Docs@Work app setting for each content server. Be sure to apply labels to each app setting. Applying labels is how you specify which devices can access the content server. See Set up Docs@Work configurations on page 463.

4. Configure the option to save passwords on the VSP. Skip this step if you chose not to use $PASSWORD$ in the password field for the Docs@Work app setting. See Set up your preference for saving passwords on the VSP on page 470.


Configuring Docs@Work for content servers (iOS)

Configuring Docs@Work for content server access from iOS devices requires the following tasks:

1. Enable the Docs@Work feature. See Enable Docs@Work on page 462.

2. Set up requirements for an AppConnect passcode, if you require one. Docs@Work uses certain aspects of the AppConnect feature, including the ability to require the device user to enter an AppConnect passcode to access the Docs@Work feature. Set up the passcode requirements in an AppConnect global policy. See Configuring the AppConnect global policy on page 484.

3. Configure a Docs@Work configuration for each content server. Be sure to apply labels to each configuration. Applying labels is how you specify which devices can access the content server. See Set up Docs@Work configurations on page 463.

4. Configure a Docs@Work policy, if necessary. A Docs@Work policy is necessary if you want to specify settings that change the behavior of Mobile@Work for iOS, such as the ability to open documents in apps other than Mobile@Work. It is also necessary if you want to use AppTunnel for iOS and if you want to use the Single Sign On feature. Be sure to apply labels to the policy. Applying labels is how you specify which devices use the policy.
   Note: App tunneling is required for CIFS-based content servers.
   See For iOS: Set up Docs@Work policies on page 467.

5. Configure the option to save passwords on the VSP. Skip this step if you chose not to use $PASSWORD$ in the password field for the Docs@Work app setting. See Set up your preference for saving passwords on the VSP on page 470.


Docs@Work setup tasks


Enable Docs@Work
Enable Docs@Work if:

    you are supporting viewing documents from content servers.
    you are using email attachment control for iOS, even if you are not supporting viewing documents from content servers.

To enable the Docs@Work feature:

1. In the Admin Portal, go to Settings > Preferences.

2. Under Additional Products, select Enable Docs@Work. Do not select Enable AppConnect For Third-Party And In-House Apps unless you are also using third-party or in-house AppConnect apps.

3. Click Save.

Caution: For iOS devices, if you disable Docs@Work after it has been enabled, the Mobile@Work app on each registered iOS device does the following:

    Removes all content server configurations, whether the device user added them manually or you configured them with Docs@Work app settings on the VSP
    Removes all local copies of content server files and email attachments
    Removes the list of recent attachments

For Android, obtain and configure apps


1. Obtain the apps for Docs@Work for Android:

       Secure Apps Manager
       ThinkFree Document Viewer
       File Manager (including the SharePoint client)
       NitroDesk TouchDown or Android Email+

   Download these apps from:
   https://support.mobileiron.com/mi/android-secureapks/current/
   Note: Android Email+ is available at:
   https://support.mobileiron.com/mi/android-email+/current/

2. Complete the steps for configuring AppConnect for these in-house apps. See How to configure AppConnect on page 482.

Note: Some of the apps might be duplicates of apps you have already uploaded to support another MobileIron product. If the app upload fails with a message stating that the app is already uploaded, skip to the next app.


Set up Docs@Work configurations


Use Docs@Work configurations to specify the content servers that devices can access.
After you create a Docs@Work configuration, apply it to the labels for the appropriate
devices. Device users can also configure access to content servers on the device. For
iOS, they use Mobile@Work. For Android, they use the SharePoint Client app, which is
provided with the File Manager app.
For general information about app settings, see Managing Device Settings with Configurations on page 193.
To create a Docs@Work configuration:

1. In the VSP Admin Portal, select Policies & Configs > Configurations.

2. Select Add New > Docs@Work.

3. Use the following guidelines to create or edit a Docs@Work configuration:

   Name: Enter brief text that identifies this Docs@Work configuration.

   Description: Enter additional text that clarifies the purpose of this Docs@Work configuration.

   URL: Enter the URL of a content server site, subsite, library, or folder. The URL may include the port number. The format of the SharePoint URL is described in Specify the URL of the Docs@Work configuration (SharePoint) on page 466. For CIFS-based content servers, specify http or https instead of smb for the server URL; this is necessary because Docs@Work currently tunnels only http/https. Variables are supported, including the following: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.

   User Name: Specify the user name that the device user uses to access the content server. Enter one of the following variables: $EMAIL$, $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$. You can also enter a combination of one or more variables and text, such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$. When the device user attempts to access the content server, the app on the device that handles content server access fills the user name field with the user's information based on the variables you specify in this field. On iOS devices, the app is Mobile@Work for iOS. On Android devices starting with Mobile@Work 5.5 for Android, the app is the SharePoint Client app. Enter $NULL$ if you want the app on the device that handles SharePoint access to leave the user name field empty, requiring the device user to manually enter the user name.

   Password: Specify the password that the device user uses to access the content server. Enter one of the following variables: $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, or $NULL$. You can also enter a combination of one or more variables and text. When the device user attempts to access the content server, the app on the device that handles content server access fills the password field with the user's information based on the variables you specify in this field. However, the text is hidden with asterisks. Enter $NULL$ if you want the app on the device that handles content server access to leave the password field empty, requiring the device user to manually enter the password. On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices starting with Mobile@Work 5.5 for Android, the app is the SharePoint Client app.
   Note: If you include $PASSWORD$, enable Save User Password. See Set up your preference for saving passwords on the VSP on page 470.

   Allow Users to Save Password: Select this field to give the device user the option to save content server passwords on the device. If the user chooses to save a content server password, the app on the device that handles content server access does not present a login screen to the user when the user next accesses the content server. On iOS devices, the app that handles content server access is Mobile@Work for iOS. On Android devices starting with Mobile@Work 5.5 for Android, the app is the SharePoint Client app. If this option and the Save User Passwords option (Settings > Preferences) are enabled, then the Remember Password option is automatically selected in the Remote Shares screen on the device.

4. Click Save.

5. Select the new Docs@Work configuration.

6. Select More Actions > Apply To Label.

7. Select the labels to which you want to apply this configuration.


Specify the URL of the Docs@Work configuration (SharePoint)


For SharePoint, the URL that you enter in the URL field of the Docs@Work configuration specifies one of the following:

    A SharePoint site
    A SharePoint subsite
    A SharePoint library
    A SharePoint folder

The URL includes a hierarchical list of names that drills down to the site, subsite, library, or document you want the device user to access. This URL is not the same as the URL that you see in a web browser open to the same site, subsite, library, or document.

For example, use:

    https://companySharePointSite.com
    This example specifies the root SharePoint site.

    https://companySharePointSite.com/Marketing
    This example specifies the Marketing subsite in the root SharePoint site.

    https://companySharePointSite.com/Marketing/Demo
    This example specifies the Demo subsite within the Marketing site.

    https://companySharePointSite.com/Marketing/NewProductDocuments
    This example specifies the NewProductDocuments library in the Marketing site.

    https://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures
    This example specifies the TopFeatures folder in the NewProductDocuments library.

Note:

    Do not copy the URL you see in a browser's URL address bar into this field. The URL in this field is not the same as the browser's URL. For example, for the root site on Microsoft SharePoint 2010, the browser's URL field appears as:
    https://companySharePointSite.com/SitePages/Home.aspx
    In this field, you specify:
    https://companySharePointSite.com

    A valid URL does not contain spaces or certain special characters. For example, a space is entered in a valid URL as %20. That is, instead of entering:
    https://companySharePointSite/Shared Documents
    Enter:
    https://companySharePointSite/Shared%20Documents
    Such substitutions are known as URL encoding.

    The URL can include these variables: $USERID$, $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, and $USER_CUSTOM4$. Combinations of text and variables are supported, as shown in the following example:
    https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$
    When using these variables, make sure the URL still specifies a SharePoint site, subsite, library, or folder.
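The following script is an added example, not MobileIron code, covering the URL rules in this section and the variable combinations allowed in the User Name field of the Docs@Work configuration. The VSP performs the $VAR$ substitution itself; the script reproduces it locally (an assumed behaviour, for preview only) so that an administrator can see the URL a given user would get and catch the two mistakes called out above: pasting the browser URL and leaving spaces unencoded. The user record and the hostnames are constructed or taken from the guide's own examples.

```python
"""Preview and sanity-check the URL and User Name fields of a Docs@Work configuration.

Added example, not MobileIron code. Variable expansion is reproduced here
only to preview the result; the VSP does the real expansion. The user
record is constructed.
"""
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Variables the guide lists for the URL field, plus $NULL$, allowed in User Name.
URL_VARIABLES = ("$USERID$", "$EMAIL$", "$USER_CUSTOM1$", "$USER_CUSTOM2$",
                 "$USER_CUSTOM3$", "$USER_CUSTOM4$")
USER_NAME_VARIABLES = URL_VARIABLES + ("$NULL$",)

# Constructed user record, keyed like the variable names without the $ signs.
SAMPLE_USER = {"USERID": "jdoe", "EMAIL": "jdoe@example.com", "USER_CUSTOM1": "Marketing"}


def substitute_variables(template, user, allowed=URL_VARIABLES):
    """Expand $VAR$ tokens from the user record; reject variables the field does not allow."""
    def expand(match):
        name = match.group(0)
        if name not in allowed:
            raise ValueError(f"{name} is not a supported variable for this field")
        if name == "$NULL$":
            return ""  # leave the field empty so the device user types the value
        key = name.strip("$")
        if key not in user:
            raise ValueError(f"user record has no value for {key}")
        return user[key]
    return re.sub(r"\$[A-Z0-9_]+\$", expand, template)


def encode_path(url):
    """URL-encode the path (Shared Documents -> Shared%20Documents); idempotent on encoded input."""
    parts = urlsplit(url)
    path = quote(unquote(parts.path), safe="/")
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def validate_docs_at_work_url(url):
    """Return a list of problems with a Docs@Work URL; an empty list means none were found."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https (Docs@Work tunnels only http/https, "
                        "so CIFS servers are entered with http/https as well)")
    if not parts.netloc:
        problems.append("missing server hostname")
    if " " in url:
        problems.append("contains a space; URL-encode it as %20")
    if parts.path.lower().endswith(".aspx") or parts.query or parts.fragment:
        problems.append("looks like a browser URL (page, query or fragment); "
                        "specify the site, subsite, library or folder instead")
    return problems


def preview_url(template, user):
    """Expand variables, encode the path and validate; returns (url, problems)."""
    url = encode_path(substitute_variables(template, user))
    return url, validate_docs_at_work_url(url)


if __name__ == "__main__":
    for template in ("https://companySharePointSite.com/$USER_CUSTOM1$/$USERID$",
                     "https://companySharePointSite.com/SitePages/Home.aspx",
                     "https://companySharePointSite/Shared Documents"):
        url, problems = preview_url(template, SAMPLE_USER)
        print(url, "->", problems or "ok")
```

`preview_url` encodes before validating, so it shows the corrected form of a URL with spaces; call `validate_docs_at_work_url` directly on the raw field value to have the space reported as a problem.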

For iOS: Set up Docs@Work policies


Docs@Work policies specify settings that change the behavior of Mobile@Work for iOS. You can also specify AppTunnel settings. Use AppTunnel if you want a secure network connection to your content servers or if you need to support a CIFS-based content server. You also use AppTunnel to provide the Single Sign On feature using Kerberos Constrained Delegation.
Note: For Android devices, you address these requirements as part of the AppConnect configuration. The AppConnect instructions explain how to configure the AppConnect configuration and container settings.
For general information about policies, see Managing Policies on page 137.
To configure a Docs@Work policy:

1. If you intend to use AppTunnel with Docs@Work for iOS, set up AppTunnel. See Adding AppTunnel support on page 482. Note that steps that apply to separate AppConnect apps do not apply to Docs@Work for iOS. For example, you do not create an AppConnect container policy for Docs@Work for iOS.
   Note: App tunneling is required for CIFS-based content servers.

2. In the VSP Admin Portal, select Policies & Configs > Policies.

3. Edit the default Docs@Work policy, or select Add New > Docs@Work to create a new one.

4. Use the following guidelines to configure the Docs@Work policy:
   Item / Description / Default Policy Setting

   Name: Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
   Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.
   Default: Default Docs@Work Policy

   Status: Select Active to turn on this policy. Select Inactive to turn off this policy.
   Default: Active

   Priority: Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing Policies in the MobileIron VSP Administration Guide or the MobileIron Connected Cloud Administration Guide. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

   Description: Enter an explanation of the purpose of this policy.
   Default: Default

   Allow Open In: Select this field if you want to allow device users to:
       Open documents that they are viewing in Mobile@Work in other apps.
       Email documents that they are viewing in Mobile@Work.
   This option applies to all the documents that they view in Mobile@Work:
       Remote files on a content server
       Email attachments
       Note: Consider the case when the Standalone Sentry's attachment control settings restrict attachment viewing to Mobile@Work. In this case, when the device user opens the attachment from the email, it opens in Mobile@Work. From there, the user has the option to open the document in other applications.
       Local copies you made of content server files and email attachments.
   Note: You can use the AppConnect global policy to specify which apps can be used to open documents.
   Default: Not selected

   AppTunnel: Configure AppTunnel settings, if necessary, for the Docs@Work feature of Mobile@Work. These settings specify the URLs that Docs@Work should direct to the AppTunnel Sentry. When Docs@Work tries to connect to the URL and port configured here, the Sentry creates a tunnel to the app server.

   URL Wildcard: Enter one of the following:
       the app server's hostname. Example: finance.yourcompany.com. If the app requests to access this hostname using the port number specified in the Port field, the app data is tunneled. The Sentry tunnels the data to an app server. The Sentry and Service fields that you specify in this AppTunnel row determine the target app server.
       a hostname with wildcards. The wildcard character is *. Examples: *.yourcompanyname.com, www.yourcompanyname.com*. A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>. If the app requests to access a URL that matches this hostname with wildcards, the app data is tunneled. The Sentry tunnels the data to the app server that has the URL that the app specified.
   Do not include a URI scheme, such as http:// or https://, in this field.
   Note: The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the URL that the app requested is chosen. That row determines the Sentry and Service to use for tunneling.
   Default: None

   Port: Enter the port number that the app should connect to. If the app requests to access a URL and port number that matches the URL Wildcard field and this port number, the app data is tunneled.
   Default: None

   Sentry: Select a Sentry configured for app tunneling from the drop-down list.
   Default: None

   Service: Select a service name from the dropdown list. This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.
   Note: If you entered a URL with wildcards in the URL Wildcard field, you can only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY> service must be configured in the App Tunneling Configuration section of the Sentry configured for app tunneling.
   If the service on the Sentry is configured with its Server Auth set to Kerberos, Docs@Work uses Single Sign On. That is, the device user does not enter any further credentials when Docs@Work accesses the content server.
   Default: None

   Identity Certificate: Select the Certificate or the SCEP profile that you created for app tunneling. For more information, see SCEP settings on page 237 and Certificates settings on page 236.
   Default: None

5. Click Save.

6. Select the new Docs@Work policy.

7. Select More Actions > Apply To Label.

8. Select the labels to which you want to apply this policy.
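The following script is an added example, not MobileIron code, that models how the AppTunnel rows of a Docs@Work policy are matched against a URL the app requests, following the rules in the table above: rows are checked in order and the first match wins, a plain hostname row matches that host on the row's Port, a row with * wildcards matches the requested host but is valid only with the <ANY> or <CIFS_ANY> service, and the URL Wildcard field must not carry a URI scheme. Treating an omitted port as 80 or 443 is an assumption of this example, not something the guide states. The rows and requested URLs are constructed from the hostnames the table uses as examples. Running it against a draft policy shows which Sentry and service a given content server URL would be tunneled through, and whether a broad wildcard row placed first shadows a more specific row below it.

```python
"""Evaluate the AppTunnel rows of a Docs@Work policy against requested URLs.

Added example, not MobileIron code. Matching rules follow the policy table;
defaulting an omitted port to 80/443 is an assumption. Rows and URLs are
constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

WILDCARD_SERVICES = ("<ANY>", "<CIFS_ANY>")


@dataclass(frozen=True)
class AppTunnelRow:
    url_wildcard: str  # hostname, optionally with * wildcards, never a scheme
    port: int
    sentry: str
    service: str


# Constructed policy rows (hostnames taken from the guide's examples).
SAMPLE_ROWS = [
    AppTunnelRow("finance.yourcompany.com", 443, "sentry1.yourcompany.com", "SharePointFinance"),
    AppTunnelRow("*.yourcompanyname.com", 443, "sentry1.yourcompany.com", "<ANY>"),
]


def validate_rows(rows):
    """Return a list of configuration problems; an empty list means the rows are acceptable."""
    problems = []
    for i, row in enumerate(rows, 1):
        if "://" in row.url_wildcard:
            problems.append(f"row {i}: URL Wildcard must not include a URI scheme")
        if "*" in row.url_wildcard and row.service not in WILDCARD_SERVICES:
            problems.append(f"row {i}: a hostname with wildcards works only with <ANY> or <CIFS_ANY>")
        if not 1 <= row.port <= 65535:
            problems.append(f"row {i}: invalid port {row.port}")
    return problems


def host_matches(pattern, host):
    """True if host matches pattern, where * stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, host.lower()) is not None


def select_tunnel(rows, requested_url):
    """Return the first row matching the requested URL, or None if the request is not tunneled."""
    parts = urlsplit(requested_url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)  # assumption: default ports
    for row in rows:  # order matters: the first matching row wins
        if port == row.port and host_matches(row.url_wildcard, host):
            return row
    return None


if __name__ == "__main__":
    for url in ("https://finance.yourcompany.com/Reports",
                "https://docs.yourcompanyname.com/Shared%20Documents",
                "http://finance.yourcompany.com/"):
        row = select_tunnel(SAMPLE_ROWS, url)
        print(url, "->", f"{row.sentry} / {row.service}" if row else "not tunneled")
```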

Set up your preference for saving passwords on the VSP


If you use the $PASSWORD$ variable in your Docs@Work configurations (or other configurations such as the Exchange configuration), do the following:

1. Go to Settings > Preferences in the VSP Admin Portal.

2. Select Yes for Save User Password. Selecting Yes means that the VSP keeps the user password and can pass it to the device. For example, when Mobile@Work displays the screen for logging into a remote share, the password field is filled in.

3. Click Save.

Caution: If you plan to use the $PASSWORD$ field in any configurations, be sure to set Save User Password to Yes before any device users register. Device users who registered before you set Save User Password to Yes will have to log in to the MyPhone@Work web portal. Logging in to the MyPhone@Work web portal provides the user's password to the VSP.


Impacts of other MobileIron features (iOS)


Quarantine impact on documents
The VSP takes a compliance action on a device if the device violates a security policy
that you specify. One compliance action that you can configure is to quarantine the
device. Quarantine means that the device user no longer has access to corporate
resources, such as email and WiFi.
Regarding the Docs@Work feature, if a device is quarantined, Mobile@Work does the following:

    Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
    Removes all local copies of content server files and email attachments
    Removes the list of recent attachments
    Removes the content server entries that you created with Docs@Work configurations on the VSP, depending on the compliance action that you configured.

When you create a compliance action that specifies quarantine, you can choose whether to remove the configurations from the device. Removing the configurations includes removing any Docs@Work configurations. Since the Docs@Work configurations specify content servers, Mobile@Work removes the content server entries. If the user had saved the content server password, Mobile@Work removes it, too. See Set up Docs@Work configurations on page 463.
When the device is no longer quarantined, Mobile@Work makes the Local Files and
Remote Files tabs available again. Docs@Work configurations are restored, and the
user can once again access the content servers that you configured. However, if the
user had saved the content server password, Mobile@Work no longer has it. The user
will have to re-enter it.
You can also create a quarantine action that retires AppConnect apps on iOS devices.
Retiring an AppConnect app makes it unauthorized and deletes (wipes) all its secure
data. This compliance action also blocks and wipes the data of the Docs@Work features in Mobile@Work.

Retire and wipe impact on documents


When you retire or wipe a device, Mobile@Work does the following regarding the Docs@Work feature:

    Removes all content server configurations, whether the device user added them manually or you created them with Docs@Work configurations on the VSP
    Removes all local copies of content server files and email attachments
    Removes the list of recent attachments


Block impact on documents


Devices can be blocked from accessing the ActiveSync server and AppConnect apps. You can cause a device to be blocked by doing the following:

    Configure a security policy to automatically block a device if it violates certain settings in the policy. This action blocks email and AppConnect apps.
    Configure an ActiveSync policy to automatically block a device from accessing email if it violates certain settings in the policy.
    Manually block the device from accessing email.

Blocking a device impacts the Docs@Work features. Specifically, Mobile@Work does the following:

    Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
    Removes all local copies of content server files and email attachments
    Removes the list of recent attachments

When the device is no longer blocked, Mobile@Work makes the Local Files and Remote Files tabs available again.

Jailbreak impact on documents


If the device user jailbreaks the device, Mobile@Work does the following regarding the
Docs@Work feature:

- Prevents the user from accessing the Docs@Work features of the Mobile@Work app. That is, Mobile@Work makes the Local Files and Remote Files tabs unavailable.
- Removes all local copies of content server files and email attachments
- Removes the list of recent attachments

Mobile@Work notifies the VSP that the device is jailbroken. The VSP takes further
actions depending on the security policy that you configured.
When the device is no longer jailbroken, Mobile@Work makes the Local Files and
Remote Files tabs available again.


Impacts of other MobileIron features (Android)


See Lock, unlock, and retire impact on AppConnect on page 517.


Supported files in the Mobile@Work for iOS app

Mobile@Work uses the native file viewer that iOS provides to display the contents of
different file types. The following list shows the types of documents that Mobile@Work
can display:

- Microsoft Word documents (.doc, .docx)
- Microsoft Excel documents (.xls, .xlsx)
- Microsoft PowerPoint documents (.ppt, .pptx)
- Apple Pages documents (.pages, .pages.zip)
- Apple Numbers spreadsheet files (.numbers, .numbers.zip)
- Apple Keynote presentation files (.key, .key.zip)
- Adobe Acrobat documents (.pdf)
- Rich Text Format files (.rtf)
- Rich Text Format directory (.rtfd.zip)
- Plain text files (.txt)
- CSS stylesheet files (.css)
- Image files (.png, .bmp, .jpg, .jpeg, .gif, .tiff)
- AVI video files (.avi)
- QuickTime video files (.mov)
- MPEG4 audio/video files (.mp4)
- MPEG2 audio/video files (.mpeg)
- WAV files (.wav)
- MP3 audio files (.mp3)

If a user tries to open a file that Mobile@Work does not support, Mobile@Work displays an error message.
Some files that the device user cannot view in Mobile@Work are:

- executable files (for example, .exe, .msi, or .ipa files)
- archive files (for example, .zip, .rar, or .tar files)
- system files (for example, .dll or .sys files)



Chapter 16

AppConnect


About AppConnect
AppConnect is a MobileIron feature that containerizes apps to protect data on the
device. Each AppConnect-enabled app becomes a secure container whose data is
encrypted, protected from unauthorized access, and removable. Because each user
has multiple business apps, each app container is also connected to other secure app
containers. This connection allows the AppConnect-enabled apps to share data, like
documents. The MobileIron VSP uses policies to manage the AppConnect-enabled
apps.

What are AppConnect-enabled apps?

AppConnect-enabled apps are apps that have been containerized using one of the following methods:

- wrapping (iOS and Android)
- AppConnect SDK (iOS)

You configure the set of AppConnect-enabled apps by using the VSP Admin Portal. You
also configure which AppConnect-enabled apps are available to which devices. Once
installed and configured on the device, AppConnect-enabled apps are called secure
apps. Secure apps can share data only with other secure apps. Unsecured apps cannot access the data.
With a single sign-on, the device user can access all the secure apps. On the VSP
Admin Portal, you configure the rules for the single sign-on passcode. This passcode is
called the AppConnect passcode or the secure apps passcode. The AppConnect passcode is not the same as the passcode used to unlock the device.

Secure apps from MobileIron


Web@Work is an example of a MobileIron app that is a secure app using AppConnect.
The apps that comprise the Docs@Work solution (Mobile@Work on iOS, and a suite of
apps on Android) are also secure apps using AppConnect. Configuring these secure
apps as part of your AppConnect offering does not require a separate AppConnect
license.

AppConnect and third-party/in-house secure apps


Third-party providers can work with MobileIron to wrap their apps. For iOS apps, they
can use the AppConnect SDK to develop secure apps. These apps are called third-party
secure apps. Likewise, your organization can develop an in-house secure app and
submit it to MobileIron for wrapping, or use the AppConnect SDK for iOS. These apps
are called in-house secure apps.
Configuring these apps as part of your AppConnect offering requires the purchase of a
separate AppConnect license.
Note: You cannot wrap an app that you get from Google Play or the Apple App Store.


See the MobileIron AppConnect App Developers Guide for details on wrapping and on
using the SDK.

AppConnect and AppTunnel


MobileIron AppTunnel provides secure tunneling and access control to protect app
data as it moves between the device and corporate data sources. App-by-app session
security protects the connection between each app container and the corporate network. AppTunnel is particularly useful when an organization does not want to open up
VPN access to all apps on the device. This feature requires a Standalone Sentry configured to support app tunneling.

AppConnect apps and Single Sign On

Single Sign On (SSO) for AppConnect apps provides a better user experience for
device users. A device user registers Mobile@Work with the VSP by entering his VSP
credentials. Then, the device user can use an AppConnect app to access an enterprise
app server without having to enter any further credentials.
To use this feature, the app must do the following:

- Use the AppTunnel feature, configured for authenticating the user to the enterprise server using Kerberos Constrained Delegation (KCD).
- Interact with an enterprise server that supports authentication using KCD.

All AppConnect apps can use this feature, including:

- Android third-party AppConnect apps
- iOS third-party AppConnect apps built with the AppConnect for iOS SDK 1.5 or later
- Web@Work for iOS, version 1.1.1 and later
- The Docs@Work feature in Mobile@Work for iOS
- The Android SharePoint client app

Note: MobileIron does not support KCD with CIFS-based content servers.

App-specific Configuration from the VSP

On the VSP Admin Portal, you can configure settings that are specific to an AppConnect app. Because the VSP provides these settings to the app, device users do not
have to manually enter configuration details that an AppConnect app requires. By
automating the configuration for the device users, each user has a better experience
when installing and setting up apps. Also, the enterprise has fewer support calls, and
the app is protected from misuse through misconfiguration. This feature is also useful
for apps that, for security reasons, should not let device users supply certain
configuration settings themselves.
Each AppConnect app's documentation should specify the necessary configuration for
the app.


What operating systems support AppConnect?


AppConnect is currently available for iOS and Android. Due to the fundamental differences in these two operating systems, there are some differences in the way AppConnect works and the way in which you configure AppConnect for each operating
system.

AppConnect for Android


Supported Android devices
AppConnect on Android is supported on devices that are running:

- Android 2.3 or later.
- Version 5.1 or later of the Mobile@Work for Android app.

The Mobile@Work app and the Secure Apps Manager
Two MobileIron apps work together on the Android device to support AppConnect.
Together, they provide the security and management of all the AppConnect apps.
These MobileIron apps are:

- the Mobile@Work for Android app
- the Secure Apps Manager

The Mobile@Work for Android app is the next version of the MyPhone@Work app. This
app provides all the features that MyPhone@Work provided, plus support of AppConnect apps.
The Secure Apps Manager works with the Mobile@Work for Android app to support
AppConnect apps. For example, the Secure Apps Manager provides a list of all
AppConnect apps on the device. The device user can launch an AppConnect app from
this list, from the device app list, or from a shortcut on the home screen. On the
device, the apps are called secure apps.

Data loss prevention for secure apps for Android


You determine whether device users can take screen captures of protected data. You
also determine whether AppConnect apps can access camera photos or gallery
images, and whether they can stream media to media players.

Data encryption for secure apps for Android


Application data on the device is encrypted. The encryption key is not stored on the
device. It is programmatically derived, in part from the device user's AppConnect
passcode. Therefore, the application data at rest remains protected even on a device
that becomes compromised.

Special badging for secure apps for Android


An Android device user recognizes that an app is a secure app because its icon is
overlaid with a special badge.


AppConnect for iOS


AppConnect for iOS is built into the Mobile@Work for iOS app. No separate Secure
Apps Manager is required.

Supported iOS devices


AppConnect for iOS works only on devices running iOS 5.0 and later. The supported
devices are:

- iPhone 3GS and later
- iPod touch 3rd gen and later
- iPad 1st gen and later
- iPad mini 1st gen and later

Data loss prevention for secure apps for iOS


You determine whether an app can use the iOS pasteboard, the document interaction
feature (Open In), or print. AppConnect for iOS uses this information to limit the app's
functionality to prevent data loss through these features.

Data encryption for secure apps for iOS


AppConnect-related data, such as app configuration and policies, is encrypted on the
device.
The data of AppConnect apps also is encrypted on the device as follows.

- For devices running a Mobile@Work for iOS release prior to 5.7:
  AppConnect app data stored in the iOS file system is encrypted only when both of
  the following are true:
  - the app uses iOS data protection APIs.
  - the device has a device passcode.
  Note: Wrapped AppConnect for iOS apps use this encryption mechanism regardless
  of the Mobile@Work release.

- For devices running Mobile@Work for iOS 5.7 or later:
  AppConnect apps built with the AppConnect for iOS SDK version 1.5 or later support
  encryption that does not depend on a device passcode. For these apps, the app
  determines which files are secure. The app encrypts the data in those files, but
  file names and paths are not encrypted.
  This data encryption is supported when Mobile@Work for iOS is registered with VSP
  5.5 or later.
  The encryption key is not stored on the device. It is programmatically derived, in
  part from the device user's AppConnect passcode. Encrypted files cannot be
  decrypted without the AppConnect passcode or the user's full VSP login credentials.
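To make the derivation described above (in both the Android and the iOS encryption sections) concrete, here is an added Python example. It is not MobileIron's code, and the construction is an assumption about how such a scheme can be built, not a description of Mobile@Work internals: a random data key is wrapped under a key-encryption key derived from the AppConnect passcode with PBKDF2, and wrapped a second time under a key derived from the user's VSP login credentials, so that either secret unlocks the data while only salts and wrapped keys ever sit on the device. The names (derive_kek, wrap_key, ContainerKeyStore), the iteration count and the sample passcode are this example's choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example. The client's actual KDF, iteration
# count and salt handling are not documented on this page.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from a passcode or credential string.

    Only the salt is kept on the device; the KEK is recomputed whenever it is
    needed and is never written to storage."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def wrap_key(data_key: bytes, kek: bytes) -> bytes:
    """Wrap a KEY_LEN-byte data key under a KEK.

    The wrap is an XOR with a KEK-derived mask plus an HMAC tag over the
    result, so a wrong passcode fails the tag check instead of yielding a
    silently wrong key. Each KEK wraps exactly one key, which is what makes
    a single-use mask acceptable here."""
    mask = hmac.new(kek, b"wrap-mask", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(kek, b"wrap-tag" + wrapped, hashlib.sha256).digest()
    return wrapped + tag


def unwrap_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Return the data key, or None if the KEK is wrong or the blob was altered."""
    wrapped, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(kek, b"wrap-tag" + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    mask = hmac.new(kek, b"wrap-mask", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, mask))


class ContainerKeyStore:
    """What is left on the device: two salts and two wrapped copies of the
    random data key. The passcode, the VSP credentials and the plaintext data
    key are never stored; the key only exists in memory after an unlock."""

    def __init__(self, passcode: str, vsp_password: str) -> None:
        self.passcode_salt = os.urandom(16)
        self.credential_salt = os.urandom(16)
        data_key = os.urandom(KEY_LEN)
        self.wrapped_by_passcode = wrap_key(
            data_key, derive_kek(passcode, self.passcode_salt))
        self.wrapped_by_credentials = wrap_key(
            data_key, derive_kek(vsp_password, self.credential_salt))

    def unlock_with_passcode(self, passcode: str) -> Optional[bytes]:
        return unwrap_key(self.wrapped_by_passcode,
                          derive_kek(passcode, self.passcode_salt))

    def unlock_with_credentials(self, vsp_password: str) -> Optional[bytes]:
        return unwrap_key(self.wrapped_by_credentials,
                          derive_kek(vsp_password, self.credential_salt))


def demo() -> bool:
    """Both unlock paths recover the same key; a wrong passcode recovers nothing."""
    store = ContainerKeyStore(passcode="1357", vsp_password="correct horse")
    via_passcode = store.unlock_with_passcode("1357")
    via_credentials = store.unlock_with_credentials("correct horse")
    return (via_passcode is not None
            and via_passcode == via_credentials
            and store.unlock_with_passcode("1358") is None)


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Run the file directly and it prints ok. The HMAC tag on each wrapped key is what turns a wrong passcode into a clean failure rather than a corrupt key, and changing the passcode only requires re-wrapping the data key under a fresh salt, not re-encrypting the files themselves.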


How to configure AppConnect

The steps required to configure AppConnect depend on which aspects you intend to
enable and deploy.

Basic configuration
Complete the following steps to implement a basic AppConnect configuration:

1. Add the MobileIron secure apps you intend to deploy. These are AppConnect apps provided by MobileIron. See Adding secure apps for deployment on page 484.
2. Configure the AppConnect Global policy. See Configuring the AppConnect global policy on page 484.
3. Configure the AppConnect Container policy. See Configuring AppConnect container policies on page 494.
4. Enable any MobileIron secure apps you intend to deploy. See Enabling MobileIron secure apps on page 498.

Adding third-party and in-house secure apps

If you intend to deploy secure apps developed by your organization or a third-party
provider, complete the following steps:

1. Complete the steps in Basic configuration on page 482.
2. Enable AppConnect third-party and in-house apps. See Enabling AppConnect third-party and in-house apps on page 498.

Adding AppTunnel support

If you intend to secure the data that moves between your secure apps and your corporate data sources, complete the following steps:

1. Complete the steps in Basic configuration on page 482.
2. Complete the steps in Adding third-party and in-house secure apps on page 482, if applicable.
3. Set up a SCEP setting or certificates setting for authenticating devices to the Sentry. See Certificates settings on page 236 or SCEP settings on page 237. Be sure to assign labels to distribute the setting to the appropriate devices.
4. Configure an AppTunnel service. See Configuring an AppTunnel service on page 499. This step includes setting up the Standalone Sentry for AppTunnel support and specifying the device and server authentication type. For an app to use Single Sign On, you use Kerberos Constrained Delegation for authentication.
5. Configure an AppConnect app configuration. See Configuring an AppConnect app configuration on page 504.


6. Enable AppTunnel, if you are deploying third-party or in-house apps. See Enabling AppTunnel on page 510.
7. Configure the Open With Secure Email App option. See Configuring the Open With Secure Email App option on page 510.

Adding compliance actions

You have the option of specifying AppConnect compliance actions as part of a security
policy. To specify these compliance actions:

1. Complete the steps in Basic configuration on page 482.
2. Complete the steps in Adding third-party and in-house secure apps on page 482, if applicable.
3. Complete the steps in Adding AppTunnel support on page 482, if applicable.
4. Configure compliance actions. See Configuring compliance actions on page 510.


AppConnect configuration tasks


This section details the configuration tasks related to AppConnect configuration. See
How to configure AppConnect on page 482 to determine which tasks you need to
complete and in what order.

- Adding secure apps for deployment
- Configuring the AppConnect global policy
- Configuring AppConnect container policies
- Enabling MobileIron secure apps
- Enabling AppConnect third-party and in-house apps
- Configuring an AppTunnel service
- Configuring an AppConnect app configuration
- Enabling AppTunnel
- Configuring the Open With Secure Email App option
- Configuring compliance actions

Adding secure apps for deployment

You use the app distribution library on the VSP Admin Portal to deploy secure apps.
The app distribution library has two kinds of apps for both iOS and Android: in-house
apps and recommended apps. Whether you choose in-house or recommended when
adding a secure app depends on the operating system and source for the app.

Android:
- In-house app: all secure apps
- Recommended app: not supported

iOS:
- In-house app: secure apps from MobileIron; secure apps developed by your organization; secure apps developed by and received from a third party
- Recommended app: third-party secure apps available in the Apple App Store

For details on using the App Wizard to add AppConnect apps to the app distribution
library, see:

- Working with apps for iOS devices on page 395
- Working with apps for Android devices on page 418

Configuring the AppConnect global policy


The AppConnect global policy applies to all AppConnect apps on devices. These
AppConnect apps include third-party and in-house AppConnect apps, as well as the
Docs@Work solution and Web@Work.


The VSP applies a default AppConnect global policy automatically to all devices. You
can modify the default AppConnect global policy. You can also create custom AppConnect global policies and apply those to specific devices.
Note: Make sure only one AppConnect global policy applies to each device.
In the AppConnect global policy, you configure:

- whether AppConnect is enabled for the devices
- AppConnect passcode requirements
- out-of-contact timeouts
- the app check-in interval
- the default end-user message for when an app is not authorized
- whether AppConnect apps with no AppConnect container policy are authorized by default. See Configuring AppConnect container policies on page 494.
- default policies for these data loss prevention features: copy/paste, print, document interaction, screen capture, accessing camera photos, accessing gallery images, and streaming media to media players.

Configuration steps
To configure an AppConnect global policy:

1. In the VSP Admin Portal, select Policies & Configs > Policies.
2. Edit the default AppConnect global policy, or select Add New > AppConnect to create a new one.

Use the following guidelines to create or edit an AppConnect global policy. Each item is listed with its default value in parentheses, followed by its description.

Name (default: Default AppConnect Global Policy)
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.
Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Status (default: Active)
Select Active to turn on this policy. Select Inactive to turn off this policy.


Priority (no default)
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the dropdown list. For example, to give Policy A a higher priority than Policy B, you would select Higher than and Policy B. See Prioritizing policies on page 142.
Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

Description (default: Default AppConnect Global Policy)
Enter an explanation of the purpose of this policy.

AppConnect (default: Disabled)
Select Enabled to enable AppConnect on the device. Select Disabled to disable AppConnect on the device.
When you select Enabled, the screen displays the rest of its fields.
Note: For Mobile@Work for Android 5.1, enable this option. However, the rest of the fields in this policy are not applicable.

AppConnect Passcode

Passcode Required (default: Not required)
Select this field if you require device users to enter an AppConnect passcode to use any AppConnect apps.
Important: For Android devices, an AppConnect passcode is required. Starting with Mobile@Work 5.5 for Android, Mobile@Work defaults to requiring a simple passcode with a four character minimum if you do both of the following:
- you do not select this field.
- you apply this policy to an Android device.


Passcode Type (default: Complex)
Specify whether the passcode can contain only simple numeric input, or can contain alphanumeric and special characters. When the type is complex, the passcode must contain at least one digit and one letter.

Minimum Number of Complex Characters
Enter a number between 0 and 10 to specify the minimum number of special characters that must be included in the passcode.

Minimum Passcode Length
Enter a number between 1 and 16 to specify the minimum length for the passcode.

Maximum Number of Failed Attempts
Specify the maximum number of times the user can enter an incorrect passcode.
iOS only: If the user exceeds the maximum, he must enter his user credentials and then create a new AppConnect passcode. If the user exceeds the maximum attempts in entering his user credentials, he must wait 10 minutes before he can try again.
Android only: If the user exceeds the maximum, he can no longer access secure apps. Send an unlock command to the device. The unlock command removes both the device passcode and the secure apps passcode. The user can then create both passcodes again.
If the maximum is greater than 6, 7, or 8, then after the 6th, 7th, and 8th failed attempt the user cannot attempt to enter the secure apps passcode for 1, 5, and 15 minutes respectively. For each failed attempt after that, he cannot attempt to enter the secure apps passcode for 1 hour.

Inactivity Timeout (default: 15 minutes)
Select the maximum amount of time to allow as an inactivity timeout. After this period of inactivity in AppConnect apps, the device user must reenter the AppConnect passcode to access AppConnect apps.

Out Of Contact


Out-of-contact block timeout (default: 10 days)
Specify the number of days that the device can be out of contact with the VSP before unauthorizing AppConnect apps.
Specify 0 to disable out-of-contact block.
Out-of-contact block is supported as follows:
- Android: Starting with Mobile@Work for Android version 5.6.
- iOS: Starting with Mobile@Work for iOS version 5.6, for AppConnect apps built starting with the AppConnect for iOS SDK version 1.0.6 or wrapped starting with iOS AppConnect wrapper 1.6.

Out-of-contact wipe timeout (default: 30 days)
Specify the number of days that the device can be out of contact with the VSP before retiring AppConnect apps. The apps become unauthorized and all their secure data is deleted.
Specify 0 to disable out-of-contact wipe.
Out-of-contact wipe is supported as follows:
- Android: Starting with Mobile@Work for Android version 5.6.
- iOS: Starting with Mobile@Work for iOS version 5.6, for AppConnect apps built starting with the AppConnect for iOS SDK version 1.0.6 or wrapped starting with iOS AppConnect wrapper 1.6.

App Authorization


App Check-in Interval (default: 60 minutes)
iOS only: Select the maximum number of minutes until devices running AppConnect apps receive updates of their AppConnect global policy, their AppConnect app configuration, and their AppConnect container policies.
Note: These policies and settings are not updated on the device when:
- the device checks in at its regular sync interval.
- you force a device check-in from the Users & Devices screen.
Regarding Android: The app check-in interval does not apply to Android. However, the AppConnect-related policies and settings are updated on the device when the device checks in. Device check-in occurs:
- according to the sync interval specified on the device's sync policy.
- when you force a device check-in from the Users & Devices screen.
- when the device user uses the Connect Now feature in Mobile@Work on the device.

Unauthorized Message (default: None)
Enter the default message that Mobile@Work displays if the app is not authorized on the device. If you do not enter a default message, the system provides one.

Apps without an AppConnect container policy (default: Not selected)
Select Authorize if you want AppConnect apps to be authorized by default. If you do not select this option, app authorization is determined by the labels on the AppConnect container policy and on the device user.
If you select this option, then you can also select:
- the iOS data loss prevention policies
- the Android screen capture policy

Data Loss Prevention Policies


Copy/Paste To (default: Not selected)
iOS only: Select Allow if you want the device user to be able to copy content from AppConnect apps to other apps by default. You can override this option in each app's individual AppConnect container policy.
When you select this option, then select either:
- All Apps: Select All Apps if you want the device user to be able to copy content from the AppConnect app and paste it into any other app.
- AppConnect Apps: This feature is under construction. Do not select.

Print (default: Not selected)
iOS only: Select Allow if you want AppConnect apps to be allowed to use print capabilities by default. You can override this option in each app's individual AppConnect container policy.


Open In (default: Not selected)
iOS only: Select Allow if you want AppConnect apps to be allowed to use the Open In (document interaction) feature by default. You can override this option in each app's AppConnect container policy.
When you select this option, then select either:
- All Apps: Select All Apps if you want the app to be able to send documents to any other app.
- AppConnect Apps: Starting with Mobile@Work for iOS version 5.7, select AppConnect Apps to allow an AppConnect app to send documents only to other AppConnect apps.
- Whitelist: Select Whitelist if you want the app to be able to send documents only to the apps that you specify. Enter the bundle ID of each app, one per line, or in a semicolon-delimited list. For example:
  com.myAppCo.myApp1
  com.myAppCo.myApp2;com.myAppCo.myApp3
  The bundle IDs that you enter are case sensitive.
Note for Android: For AppConnect for Android apps, Open In is restricted to AppConnect apps only, regardless of this setting.


Camera (default: Not selected)
Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7: Select Allow to allow camera photo access for all the AppConnect apps on an Android device.
When you select this setting, an AppConnect app can, for example, use a camera app to take a photo with the camera and allow the device user to save the photo.
For more information, see Interaction with the lockdown policy on page 493.

Gallery (default: Not selected)
Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7: Select Allow to allow all the AppConnect apps on an Android device to access images from the gallery.
When you select this setting, an AppConnect app can, for example, allow a device user to attach images from the gallery to an email.


Media Player (default: Not selected)
Android only, starting with Mobile@Work 5.6 and Android Secure Apps 5.7: Select Allow to allow all the AppConnect apps to stream media to media players. For example, consider an AppConnect email app which has an email with a voice recording attached. When you select this setting, the email app can play the recording by using a media player on the device.
When you select Allow, AppConnect apps can stream the following file types to media players:
- MP3 audio files
- WAV audio files
- MP4 video files
The files must be smaller than 3MB.
Note: An encrypted copy of the media file is temporarily stored on the device's SD card to enable streaming.

Screen Capture (default: Not selected)
Android only, starting with Android 3.0 and Mobile@Work 5.6: Select Allow if you want AppConnect apps to allow screen capture by default. You can override this option in each app's AppConnect container policy.

3. Click Save.
4. If you created a new policy, apply the appropriate labels to the AppConnect global policy. If you are using the default AppConnect global policy, it automatically applies to all devices.
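The passcode rules, the Android failed-attempt schedule, the out-of-contact timeouts and the Open In whitelist format from the table above, modelled as an added Python example. This is not VSP or Mobile@Work code; the AppConnectGlobalPolicy class, its field names, the sample values and its reading of the failed-attempt maximum (the failure that reaches the maximum is the one that locks the apps) are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AppConnectGlobalPolicy:
    """Hypothetical model of the policy fields above; field names are this
    example's, not the VSP's. Defaults follow the Default Value column."""
    passcode_type: str = "complex"        # "simple" (digits only) or "complex"
    min_complex_chars: int = 0            # 0..10 special characters required
    min_length: int = 4                   # 1..16
    max_failed_attempts: int = 10
    out_of_contact_block_days: int = 10   # 0 disables
    out_of_contact_wipe_days: int = 30    # 0 disables
    open_in: str = "none"                 # "none", "all", "appconnect", "whitelist"
    open_in_whitelist: str = ""           # bundle IDs, one per line and/or ';'-separated


def validate_passcode(policy: AppConnectGlobalPolicy, passcode: str) -> List[str]:
    """Return the rules the passcode violates; an empty list means accepted."""
    problems = []
    if len(passcode) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.passcode_type == "simple":
        if not passcode.isdigit():
            problems.append("simple passcode must be numeric")
        return problems
    # Complex: at least one digit and one letter, plus the special-character minimum.
    if not any(c.isdigit() for c in passcode):
        problems.append("complex passcode needs a digit")
    if not any(c.isalpha() for c in passcode):
        problems.append("complex passcode needs a letter")
    specials = sum(1 for c in passcode if not c.isalnum())
    if specials < policy.min_complex_chars:
        problems.append(f"needs at least {policy.min_complex_chars} special characters")
    return problems


def android_lockout_seconds(failed_attempts: int,
                            policy: AppConnectGlobalPolicy) -> Optional[int]:
    """Seconds the Android user must wait after the given number of failures.

    From the table: 1, 5 and 15 minutes after the 6th, 7th and 8th failure and
    one hour after every later failure. None means the maximum is reached and
    secure apps stay locked until an unlock command is sent."""
    if failed_attempts >= policy.max_failed_attempts:
        return None
    escalation = {6: 60, 7: 300, 8: 900}
    if failed_attempts in escalation:
        return escalation[failed_attempts]
    return 3600 if failed_attempts > 8 else 0


def out_of_contact_state(days_out_of_contact: int,
                         policy: AppConnectGlobalPolicy) -> str:
    """'authorized', 'blocked' (apps unauthorized) or 'retired' (data wiped).

    A timeout of 0 disables that action; a wipe takes precedence over a block."""
    wipe = policy.out_of_contact_wipe_days
    block = policy.out_of_contact_block_days
    if wipe and days_out_of_contact >= wipe:
        return "retired"
    if block and days_out_of_contact >= block:
        return "blocked"
    return "authorized"


def parse_open_in_whitelist(text: str) -> List[str]:
    """Accept one bundle ID per line, a semicolon-delimited list, or a mix.

    Bundle IDs are case sensitive, so nothing is lower-cased here."""
    return [entry.strip() for entry in re.split(r"[;\n]", text) if entry.strip()]


def open_in_allowed(policy: AppConnectGlobalPolicy, target_bundle_id: str,
                    target_is_appconnect: bool) -> bool:
    """Decide whether an AppConnect app may hand a document to the target app."""
    if policy.open_in == "all":
        return True
    if policy.open_in == "appconnect":
        return target_is_appconnect
    if policy.open_in == "whitelist":
        return target_bundle_id in parse_open_in_whitelist(policy.open_in_whitelist)
    return False
```

The whitelist check is an exact, case-sensitive string match, which is the behaviour the table calls out: an entry written as com.myappco.myapp3 will not match the app whose bundle ID is com.myAppCo.myApp3.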

Interaction with the lockdown policy

The lockdown policy for the device has an option to enable or disable the camera. The
lockdown policy applies to all apps on the device, not just AppConnect apps. The interactions between the lockdown policy and the AppConnect global policy are:

- If the lockdown policy prohibits camera use, AppConnect apps cannot use the camera. Camera use is prohibited even if you allow camera access on the AppConnect global policy.
- If the lockdown policy allows camera use, AppConnect apps can access photos from the camera only if you allow camera access on the AppConnect global policy.


The following table summarizes this interaction of the lockdown policy and the
AppConnect global policy:

Lockdown policy: camera enabled
- AppConnect global policy: camera access allowed -> AppConnect apps can use the camera.
- AppConnect global policy: camera access prohibited -> AppConnect apps cannot use the camera.

Lockdown policy: camera disabled
- AppConnect global policy: camera access allowed -> AppConnect apps cannot use the camera.
- AppConnect global policy: camera access prohibited -> AppConnect apps cannot use the camera.

Configuring AppConnect container policies


An AppConnect container policy is applicable for iOS AppConnect apps, and for
Android AppConnect apps starting with Mobile@Work 5.6 for Android.
The AppConnect container policy:

- authorizes an AppConnect app.
- specifies the data loss prevention settings for an AppConnect app.
- can be automatically created by the VSP.

Note: For each AppConnect app, make sure only one AppConnect container policy
applies to each device.

AppConnect app authorization

Each AppConnect app requires an AppConnect container policy. The presence of an
AppConnect container policy for a device is what authorizes the app on the device. You
apply a label to the AppConnect container policy to apply it to a device.
If you later remove the AppConnect container policy, or remove the device's label
from the policy:

- an iOS AppConnect app becomes retired. A retired app becomes unauthorized on the device and the app deletes (wipes) all its sensitive data. An iOS AppConnect app can also become retired due to a quarantine compliance action. See Managing AppTunnel on page 512.
- an Android AppConnect app becomes unauthorized. If the app is unauthorized, when the device user tries to run it, the Secure Apps Manager displays a message that the app is unauthorized.

Note: For information on when an Android AppConnect app becomes retired, see
Situations that wipe AppConnect app data on page 518.

Data loss prevention settings


In the AppConnect container policy, you also configure data loss prevention (DLP) settings. Specifically, you configure whether you want the app to be allowed to use these
features:

- Copy / paste (iOS only)
- Print (iOS only)
- Open In (document interaction) (iOS only)
- Screen capture (Android only)

An app's AppConnect container policy overrides the corresponding settings on the
AppConnect global policy.

Automatically created AppConnect container policies

When you upload an AppConnect app to the VSP's app distribution library, the VSP
creates an AppConnect container policy automatically as follows:

- For Android AppConnect apps: The VSP always takes this automatic action. If the app has specified DLP settings, the VSP uses those settings. Otherwise, the VSP creates an AppConnect container policy with all the values set to not allowed.
- For iOS AppConnect apps built with the AppConnect for iOS SDK: The VSP takes this automatic action only if the app has specified its desired default values for the policy in its IPA file. Also, this automatic action does not occur when you specify an Apple App Store AppConnect app as a recommended app.
- For wrapped iOS AppConnect apps: The VSP always takes this automatic action, setting all the DLP values to not allowed.

The name of the AppConnect container policy is:

- For iOS AppConnect apps: Default <bundle ID of app> Container Policy
- For Android AppConnect apps: Default <package ID of app> Container Policy

Note: In the VSP Admin Portal, on Policies & Configs > Configurations, the name of
the app, not the name of the AppConnect container policy, displays in the name column.
You can override these values by editing the app's AppConnect container policy. The
VSP keeps in sync the labels that you apply to the app and the labels that you apply to
the AppConnect container policy that the VSP automatically created.

Configuration tasks

To configure an AppConnect container policy:

1. In the VSP Admin Portal, select Policy & Configs > Configurations.

2. Select the existing container policy for the app, or select Add New > AppConnect >
   Container Policy to create a new one.

   Use the following guidelines to create or edit an AppConnect container policy:

   Name
     Enter brief text that identifies this AppConnect container policy.
     Note: If the VSP automatically created this policy:
     • You cannot edit the name.
     • The name is not the same as the name that appears in the name column in
       Policy & Configs > Configurations.

   Description
     Enter additional text that clarifies the purpose of this AppConnect container
     policy.

   Application
     Android, starting with Mobile@Work 5.6:
     Select an Android AppConnect app from the VSP app distribution library.
     iOS:
     Select an iOS AppConnect app from the VSP app distribution library or enter the
     bundle ID of an iOS AppConnect app. A bundle ID that you enter is case
     sensitive.
     Note: The dropdown selection includes an iOS AppConnect app only if both of
     the following statements are true:
     • The app was added to the VSP app distribution library as an in-house app.
     • The app specifies default feature policies (copy/paste, document interaction,
       print).

   Exempt from AppConnect passcode policy
     iOS only:
     Select this option if you want to allow the device user to use the app without
     entering the AppConnect passcode.

   Data Loss Prevention Policies

   Print
     iOS only:
     Select Allow if you want AppConnect apps to be allowed to use print
     capabilities.

   Copy/Paste To
     iOS only:
     Select Allow if you want the device user to be able to copy content from the
     AppConnect app to other apps.
     When you select this option, then select either:
     • All Apps
       Select All Apps if you want the device user to be able to copy content from
       the AppConnect app and paste it into any other app.
     • AppConnect Apps
       This feature is under construction. Do not select.

   Open In
     iOS only:
     Select Allow if you want AppConnect apps to be allowed to use the Open In
     (document interaction) feature.
     When you select this option, then select one of the following:
     • All Apps
       Select All Apps if you want the app to be able to send documents to any
       other app.
     • AppConnect Apps
       Starting with Mobile@Work for iOS version 5.7:
       Select AppConnect Apps to allow an AppConnect app to send documents only
       to other AppConnect apps.
     • Whitelist
       Select Whitelist if you want the app to be able to send documents only to
       the apps that you specify. Enter the bundle ID of each app, one per line, or
       in a semicolon-delimited list. For example:
         com.myAppCo.myApp1
         com.myAppCo.myApp2;com.myAppCo.myApp3
       The bundle IDs that you enter are case sensitive.
     Note for Android: For AppConnect for Android apps, Open In is restricted to
     all AppConnect apps, regardless of this setting.

   Allow Screen Capture
     Android only, starting with Android 3.0 and Mobile@Work 5.6:
     Select Allow if you want the app to allow screen capture.

3. Click Save.

4. Select the new app policy.

5. Select More Actions > Apply To Label.

6. Select the labels to which you want to apply this AppConnect container policy.

7. Click Apply.


Be sure to apply one of the labels that you selected to the device. To check the
device's labels:

1. Go to Users and Devices > Devices.

2. Select the device.

3. In the Device Details Pane, select Label Membership.

To add a label to the device:

1. Select the device.

2. Select More Actions > Apply To Label.

3. Select the labels to apply to the device.

4. Click Apply.
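The Open In rules in the container policy table above, as an added example that is not part of this guide and not MobileIron code. It encodes the Allow check box, the All Apps / AppConnect Apps / Whitelist choice, the Whitelist field syntax (one bundle ID per line or a semicolon-delimited list, compared case-sensitively), and the rule that an app's container policy overrides the global policy. The class and function names, and the fallback to the global policy when an app has no container policy of its own, are assumptions of this example.

```python
"""Open In (document interaction) decision for an iOS AppConnect container policy.

Added example, not part of the MobileIron guide and not MobileIron code. The
class and function names are assumptions; the rules come from the guide text.
"""
from dataclasses import dataclass
from typing import List, Optional


def parse_whitelist(field_text: str) -> List[str]:
    """Split the Whitelist field into bundle IDs.

    Entries may be one per line or separated by semicolons, and both forms may
    be mixed. Surrounding whitespace is dropped; case is preserved because
    bundle IDs are case sensitive.
    """
    ids: List[str] = []
    for line in field_text.splitlines():
        for entry in line.split(";"):
            entry = entry.strip()
            if entry:
                ids.append(entry)
    return ids


@dataclass
class OpenInPolicy:
    allow: bool                  # the Allow check box
    scope: str = "All Apps"      # "All Apps", "AppConnect Apps" or "Whitelist"
    whitelist: str = ""          # raw text of the Whitelist field


def effective_policy(container: Optional[OpenInPolicy],
                     global_policy: OpenInPolicy) -> OpenInPolicy:
    """An app's container policy overrides the corresponding global setting.
    Falling back to the global policy when no container policy exists is an
    assumption of this example."""
    return container if container is not None else global_policy


def open_in_permitted(policy: OpenInPolicy, target_bundle_id: str,
                      target_is_appconnect: bool) -> bool:
    """Decide whether a document may be handed to target_bundle_id."""
    if not policy.allow:
        return False
    if policy.scope == "All Apps":
        return True
    if policy.scope == "AppConnect Apps":
        return target_is_appconnect
    if policy.scope == "Whitelist":
        # exact, case-sensitive comparison against the parsed field
        return target_bundle_id in parse_whitelist(policy.whitelist)
    raise ValueError(f"unknown Open In scope: {policy.scope!r}")


if __name__ == "__main__":
    # constructed sample: the whitelist from the guide's own example
    wl = OpenInPolicy(allow=True, scope="Whitelist",
                      whitelist="com.myAppCo.myApp1\n"
                                "com.myAppCo.myApp2;com.myAppCo.myApp3")
    print(parse_whitelist(wl.whitelist))
    print(open_in_permitted(wl, "com.myAppCo.myApp2", False))   # True
    print(open_in_permitted(wl, "com.myappco.myapp2", False))   # False: case differs
```

The case-sensitivity check is the one administrators most often trip over: a whitelist entry typed in the wrong case silently blocks the intended target rather than raising an error.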

Enabling MobileIron secure apps

If you are deploying secure apps developed by MobileIron, you need to enable those
products:

1. In the Admin Portal, go to Settings > Preferences.

2. Scroll down to Additional Products.

3. Select the option for each product.
   For example, if you are deploying Web@Work, select Enable Web@Work.

4. Click Save.

Also see VSP licensing options for Android secure apps on page 515.

Enabling AppConnect third-party and in-house apps

If you are deploying secure apps developed by your organization or a third party, you
need to enable an additional product:

1. In the Admin Portal, go to Settings > Preferences.

2. Scroll down to Additional Products.

3. Select Enable AppConnect For Third-party And In-house Apps.
   Select this option only if your organization has purchased it. Enabling AppConnect
   means that the VSP supports third-party and in-house AppConnect apps.

4. Click Save.

Also see VSP licensing options for Android secure apps on page 515.

Configuring an AppTunnel service

Follow these steps to configure an AppTunnel service:

1. In the Admin Portal, go to Settings > Sentry.

2. Edit the entry for the Standalone Sentry you intend to use for app tunneling.

3. Use the following guidelines to configure app tunnels:

   Note: Do not configure AppTunnel for email client AppConnect apps that are
   sending ActiveSync traffic to an email server through a Standalone Sentry.

   Host / IP
     Enter the external host name or IP address of the server on which the
     Standalone Sentry is installed.
     The host name or IP address must be external because AppConnect apps on
     devices that are tunneling data must be able to access the Sentry.
     The VSP also needs to connect to this same host name or IP address. If the
     host name or IP address is not accessible by the VSP and devices, use the
     name or IP address that the devices use. Then, using the System Manager, add
     a static host entry to the VSP.

   Port
     Enter the port that the Standalone Sentry is listening on. The default is 9090.

   Enable ActiveSync
     Clear the check box to disable ActiveSync support on the Sentry.

   Enable App Tunneling
     Click the check box to enable AppTunnel support on the Sentry.

   Device Authentication Configuration

   Note: See Device and server authentication support for Standalone Sentry on
   page 328 for authentication information for both ActiveSync and AppTunnel.

   Device Authentication
     Select how devices attempting to connect to the app server authenticate with
     the Standalone Sentry.
     Choose Identity Certificate or Group Certificate. If you are using Kerberos
     Constrained Delegation to authenticate the user to the app server, choose
     Identity Certificate.

   Upload Certificate
     If you chose Group Certificate, upload the certificate (generally a .cer file)
     you trust.
     If you chose Identity Certificate, upload the Root certificate (this may be a
     root certificate chain) from the CA you trust. The CA may be a Root Authority
     or an Intermediate Authority.

   Check certificate revocation list (CRL)
     Select Check Certificate Revocation List (CRL) if you want to validate the
     certificates presented by the device against the Certificate Revocation List
     (CRL) published by the CA.
     Note that only HTTP and HTTPS based CRLs are supported. Some CAs create
     LDAP-based CRLs by default that will not work with Sentry.
     For CRL validation to work, Sentry requires network connectivity to the CRL
     Distribution Point (CDP), usually the CA that issued the certificate, through
     an HTTP or HTTPS port.

   Subject Alternative Name

   Type
     Use the Subject Alternate Name Type list to select the field in the client
     certificate that will be used to identify the user for Kerberos Constrained
     Delegation.
     The Type is the same type that you specified when generating the client
     certificate. This type is often the NT Principal Name.

   Value
     Use the Value list to select the value used in the Subject Alternate Name
     field. Usually, the User UPN (user principal name) is used to identify the
     user.

   App Tunneling Configuration

   To add a new service, click +.

   Service Name
     The Service Name is used in the AppConnect app configuration. The app
     configuration uses the service name to restrict the app to accessing servers
     in the Server List field.
     Enter one of the following:
     • A name for the service that the AppConnect app on the device accesses. One
       or more of your internal app servers provide the service. You list the
       servers in the Server List field.
       For example, some possible service names are:
         SharePoint
         Human Resources
       A service name cannot contain these characters: 'space' \ ; * ? < > " |
       For app tunnels that point to CIFS-based content servers, the service name
       must begin with CIFS_.
     • <ANY>
       Select <ANY> to allow tunneling to any URL that the app requests. Typically,
       you select <ANY> if an AppConnect app's app configuration specifies a URL
       with wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels
       the data for any URL request that the app makes that matches the URL with
       wildcards.
       The Sentry tunnels the data to the app server that has the URL that the app
       specified. The Server List field is therefore not applicable when the
       Service Name is <ANY>.
       For example, consider when the app requests URL myAppServer.mycompany.com,
       which matches *.mycompany.com in the app configuration. The Sentry tunnels
       the data to myAppServer.myCompany.com.
       Web@Work typically uses the <ANY> service, so that it can browse to any of
       your internal servers.
       Note: Do not select this option for tunneling to CIFS-based content
       servers. Select <CIFS_ANY>, instead.
     • <CIFS_ANY>
       Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content
       server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based content
       server contains wildcards for tunneling, such as *.myCompany.com.
     Note: The order of the Service Name entries does not matter.

   Server Auth
     Select the authentication scheme for the Standalone Sentry to use to
     authenticate the user to the app server:
     • Pass Through
       The Sentry passes through the authentication credentials, such as the user
       ID and password (basic authentication) or NTLM, to the app server.
     • Kerberos
       The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single
       Sign On (SSO). SSO means that the device user does not have to enter any
       credentials when the AppConnect app accesses the app server.
       The Kerberos option is only available if you selected Identity Certificate
       for Device Authentication.
       MobileIron does not support Kerberos for CIFS-based content servers.

   Server List
     Enter the app server's host name or IP address (usually an internal host name
     or IP address). Include the port number on the app server that the Sentry can
     access. For example:
       sharepoint1.companyname.com:443
     You can enter multiple servers. The Sentry uses a round-robin distribution to
     load balance the servers. That is, it sets up the first tunnel with the first
     app server, the next with the next app server, and so on. Separate each
     server name with a semicolon. For example:
       sharepoint1.companyname.com:443;sharepoint2.companyname.com:443
     Note: The Server List field is not applicable when the service name is <ANY>
     or <CIFS_ANY>.

   TLS Enabled
     Select TLS Enabled if the app servers listed in the Server List field require
     SSL.
     Note: Although port 443 is typically used for https and requires SSL, the app
     server can use other port numbers requiring SSL.

   Server SPN List
     Enter the Service Principal Name (SPN) for each server, separated by
     semicolons. For example:
       sharepoint1.company.com;sharepoint2.company.com
     The Server SPN List applies only when the Service Name is not <ANY> and the
     Server Auth is Kerberos.
     If each server in the Server List has the same name as its SPN, you can leave
     the Server SPN List empty. However, if you include a Server SPN List, the
     number of SPNs listed must equal the number of servers listed in the Server
     List. The first server in the Server List corresponds to the first SPN in the
     Server SPN List, the second server in the Server List corresponds to the
     second SPN in the Server SPN List, and so on.
     Note: When the Service Name is <ANY> and the Server Auth is Kerberos, the
     Standalone Sentry assumes that the SPN is the same as the server name
     received from the device.

   Kerberos Authentication Configuration

   If you select Kerberos for the Server Auth field for an AppTunnel service, this
   section appears. For Kerberos authentication information for both ActiveSync and
   AppTunnel, see Authentication using an identity certificate and Kerberos
   constrained delegation on page 333.

   Use keytab file
     Select this field to upload a Kerberos-generated keytab file. Click Upload
     File to upload the keytab file. Uploading the keytab file populates the Realm
     and Sentry Service Principal fields.

   Realm
     If you do not upload a keytab file, enter the Kerberos administrative domain.
     The realm is usually the company domain name, in all uppercase characters.

   Sentry Service Principal
     If you do not upload a keytab file, enter the service principal for the
     Sentry service account, preceded by HTTP/. For example, if the user name of
     the service account is sentry1_kcd, the service principal would be
     HTTP/sentry1_kcd.

   Password
     If you do not upload a keytab file, enter the password for the Sentry service
     account.

   Key distribution center
     Optionally enter the key distribution center, which is the network service
     that supplies session tickets and temporary session keys. This field is
     generally the Active Directory domain controller hostname.
     If you do not enter a key distribution center, the system autodetects it.

4. Click Save.

5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for
   the Sentry configured for app tunneling, click the View Certificate link.
   This makes the Sentry's certificate known to the VSP.
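The field rules of the App Tunneling Configuration table above, as an added example that is not part of this guide and not MobileIron code. It checks a service entry the way an administrator would before saving it (forbidden service-name characters, the CIFS_ prefix, Kerberos only with Identity Certificate device authentication and never for CIFS, Server List not applicable for <ANY>/<CIFS_ANY>, and a Server SPN List that must be the same length as the Server List), pairs each server with its SPN, and shows the round-robin order in which tunnels are distributed over the Server List. The class name, its field names, and the assumption that an omitted SPN equals the server's host name with the port stripped are mine, not the product's.

```python
"""Checks on an AppTunnel service entry and round-robin server selection.

Added example, not MobileIron code. Rules come from the guide's table; the
class, field names and the port-stripping SPN default are assumptions.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import List, Tuple

FORBIDDEN_NAME_CHARS = set(' \\;*?<>"|')      # 'space' \ ; * ? < > " |
WILDCARD_SERVICES = {"<ANY>", "<CIFS_ANY>"}


@dataclass
class AppTunnelService:
    service_name: str
    device_auth: str = "Identity Certificate"   # or "Group Certificate"
    server_auth: str = "Pass Through"           # or "Kerberos"
    server_list: str = ""                       # host:port;host:port
    server_spn_list: str = ""                   # spn;spn (optional)
    cifs: bool = False                          # fronts a CIFS-based content server


def split_list(text: str) -> List[str]:
    """Split a semicolon-delimited field, ignoring blanks and padding."""
    return [e.strip() for e in text.split(";") if e.strip()]


def validate(svc: AppTunnelService) -> List[str]:
    """Return the problems an administrator would have to fix before saving."""
    problems: List[str] = []
    name = svc.service_name
    servers = split_list(svc.server_list)
    spns = split_list(svc.server_spn_list)

    if name in WILDCARD_SERVICES:
        # the Sentry tunnels to whatever host the app named; no Server List
        if servers:
            problems.append("Server List is not applicable for <ANY>/<CIFS_ANY>")
    else:
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            problems.append(f"service name contains forbidden characters: {bad}")
        if svc.cifs and not name.startswith("CIFS_"):
            problems.append("CIFS service names must begin with CIFS_")
        if not servers:
            problems.append("Server List must name at least one host:port")
        if spns and len(spns) != len(servers):
            problems.append("Server SPN List must have one SPN per Server List entry")

    if svc.server_auth == "Kerberos":
        if svc.device_auth != "Identity Certificate":
            problems.append("Kerberos requires Identity Certificate device authentication")
        if svc.cifs:
            problems.append("Kerberos is not supported for CIFS-based content servers")
    return problems


def server_spn_pairs(svc: AppTunnelService) -> List[Tuple[str, str]]:
    """Pair the n-th Server List entry with the n-th SPN. With an empty SPN
    list the SPN is taken to be the server's host name with the port stripped
    (an assumption of this example)."""
    servers = split_list(svc.server_list)
    spns = split_list(svc.server_spn_list) or [s.rsplit(":", 1)[0] for s in servers]
    return list(zip(servers, spns))


def round_robin(svc: AppTunnelService, tunnels: int) -> List[str]:
    """Server chosen for each of the next `tunnels` tunnels: the first tunnel
    goes to the first server, the next to the next, wrapping around."""
    servers = split_list(svc.server_list)
    if not servers:
        return []
    picker = cycle(servers)
    return [next(picker) for _ in range(tunnels)]


if __name__ == "__main__":
    # constructed sample using the guide's own example values
    svc = AppTunnelService(
        "SharePoint", server_auth="Kerberos",
        server_list="sharepoint1.companyname.com:443;sharepoint2.companyname.com:443",
        server_spn_list="sharepoint1.company.com;sharepoint2.company.com")
    print(validate(svc))            # []
    print(server_spn_pairs(svc))
    print(round_robin(svc, 3))      # server 1, server 2, server 1
```

A mismatched SPN count is worth catching before saving: with KCD the Sentry requests a ticket for the SPN paired with the server it picked, so an off-by-one list silently pairs the wrong SPN with a server and the tunnel fails to authenticate only for some requests.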


Configuring an AppConnect app configuration

An AppConnect app configuration is applicable for iOS AppConnect apps, and for
Android AppConnect apps starting with Mobile@Work 5.6 for Android.

An AppConnect app configuration:
• specifies AppTunnel settings for the app.
• specifies app-specific configuration for the app.
• can be automatically created by the VSP.

Note: For each AppConnect app, make sure only one AppConnect app configuration
applies to each device.

Automatically created AppConnect app configuration

When you upload an AppConnect app to the VSP's app distribution library, the VSP
creates an AppConnect app configuration automatically as follows:

• For Android AppConnect apps:
  The VSP always takes this automatic action. If the app has specified configuration
  requirements, the VSP uses that configuration. Otherwise, the VSP creates an
  AppConnect app configuration with no configuration values.

• For iOS AppConnect apps built using the AppConnect for iOS SDK:
  The VSP takes this automatic action only if the app has specified configuration
  requirements in its IPA file. Also, this automatic action does not occur when you
  specify an Apple App Store AppConnect app as a recommended app.

• For wrapped iOS AppConnect apps:
  The VSP does not take this automatic action.

The name of the automatically created AppConnect app configuration is:

• For iOS AppConnect apps: Default <bundle ID of app> Configuration
• For Android AppConnect apps: Default <package ID of app> Configuration

Note: In the VSP Admin Portal, on Policies & Configs > Configurations, the name of
the app, not the name of the AppConnect app configuration, displays in the name column.

You can override these values by editing the app's AppConnect app configuration. For
example, if the configuration includes a server key, you provide the appropriate
server's domain name.

The VSP keeps in sync the labels that you apply to the app and the labels that you
apply to the AppConnect app configuration that the VSP automatically created. To keep
the labels in sync, the VSP adds these configuration keys to each automatically created
AppConnect app configuration: MIAPP_DEFAULT, APPCATALOGNAME, and APPCATALOGIDS. Do not
remove or change these entries.

Automatically provided key-value pairs

The VSP takes a special action for some iOS AppConnect apps in the Apple App Store
that you specify as recommended apps. When you enter the bundle ID of one of these
apps in the Application field of an app configuration and save the app configuration,
the special action occurs: the VSP automatically populates the key-value pairs for the
recommended app. The VSP does not overwrite any key-value pairs that you manually
added. You can then edit the app configuration to change the provided key-value pairs,
if necessary.

Configuration tasks

To configure an AppConnect app configuration:

1. In the VSP Admin Portal, select Policy & Configs > Configurations.

2. Edit the app configuration for the secure app, or select Add New > AppConnect >
   Configuration to create a configuration, if necessary.

   Use the following guidelines to create or edit an AppConnect app configuration:

   Name
     Enter brief text that identifies this AppConnect app configuration.
     Note: If the VSP automatically created this AppConnect app configuration:
     • You cannot edit the name.
     • The name is not the same as the name that appears in the name column in
       Policy & Configs > Configurations.

   Description
     Enter additional text that clarifies the purpose of this AppConnect app
     configuration.

   Application
     Android, starting with Mobile@Work 5.6:
     Select an Android AppConnect app from the VSP app distribution library.
     iOS:
     Select an iOS AppConnect app from the VSP app distribution library or enter the
     bundle ID of an iOS AppConnect app. A bundle ID that you enter is case
     sensitive.
     Note: The dropdown selection includes an iOS AppConnect app only if both of
     the following statements are true:
     • The app was added to the VSP app distribution library as an in-house app.
     • The app specifies default app-specific configurations.

   AppTunnel
     Configure AppTunnel settings for this app.
     First, configure the Standalone Sentry to support AppTunnel. See Configuring an
     AppTunnel service on page 499.
     When the app tries to connect to the URL and port configured here, the Sentry
     creates a tunnel to the app server.

   URL Wildcard
     Enter one of the following:
     • the app server's hostname
       Example: finance.yourcompany.com
       If the app requests to access this hostname using the port number specified
       in the Port field, the app data is tunneled. The Sentry tunnels the data to
       an app server. The Sentry and Service fields that you specify in this
       AppTunnel row determine the target app server.
     • a hostname with wildcards. The wildcard character is *.
       Examples:
         *.yourcompanyname.com
         www.yourcompanyname.com*
       A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>.
       If the app requests to access a URL that matches this hostname with
       wildcards, the app data is tunneled. The Sentry tunnels the data to the app
       server that has the URL that the app specified.
     Do not include a URI scheme, such as http:// or https://, in this field.
     Note: The order of these AppTunnel rows matters. If you specify more than one
     AppTunnel row, the first row that matches the URL that the app requested is
     chosen. That row determines the Sentry and Service to use for tunneling.

   Port
     Enter the port number that the app should connect to.
     If the app requests to access a URL and port number that matches the URL
     Wildcard field and this port number, the app data is tunneled.

   Sentry
     Select a Sentry configured for app tunneling from the drop-down list.

   Service
     Select a service name from the drop-down list.
     This service name specifies an AppTunnel service configured in the App
     Tunneling Configuration section of the specified Sentry.
     Note: If you entered a URL with wildcards in the URL Wildcard field, you can
     only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY>
     service must be configured in the App Tunneling Configuration section of the
     Sentry configured for App Tunneling.
     If the service on the Sentry is configured with its Server Auth set to
     Kerberos, the AppConnect app uses Single Sign On. That is, the device user
     does not enter any further credentials when the app accesses its enterprise
     app server.

   Identity Certificate
     Select the Certificate or the SCEP profile that you created for app
     tunneling.
     For more information, see SCEP settings on page 237 and Certificates settings
     on page 236.

   Configurations
     Specify app-specific configuration settings as key-value pairs.
     To add a key-value pair, click +.
     To delete a key-value pair, click -.

   Key
     Enter the key. The key is any string that the app recognizes as a
     configurable item.
     For example: userid, appURL

   Value
     Enter the value. The value is either:
     • a string
       The string can have any value that is meaningful to the app. It can also
       include one or more of these VSP variables: $USERID$, $EMAIL$,
       $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$.
       If you do not want to provide a value, enter $NULL$. The $NULL$ value
       tells the app that the app user will need to provide the value.
       For example:
         $USERID$
         https://someEnterpriseURL.com
     • a SCEP or Certificate setting
       SCEP and Certificate settings that you configured in Policy & Configs >
       Configurations appear in the dropdown list. When you choose a SCEP or
       Certificate setting, the VSP sends the contents of the certificate as the
       value.
       If the certificate is password-encoded, the VSP automatically sends another
       key-value pair. The key's name is the string
       <name of key for certificate>_MI_CERT_PW. The value is the certificate's
       password.

3. Click Save.

4. Select the new AppConnect app configuration.

5. Select More Actions > Apply To Label.

6. Select the labels to which you want to apply this AppConnect app configuration.

7. Click Apply.
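Two rules from the app configuration table above, as one added example that is not part of this guide and not MobileIron code: AppTunnel row selection (the requested host is matched against the URL Wildcard, a literal hostname or one containing *, the requested port against Port, the first matching row wins, a wildcard row must use <ANY> or <CIFS_ANY>, and the field must not carry a URI scheme), and the Value rules (the VSP variables $USERID$, $EMAIL$ and $USER_CUSTOM1$ to $USER_CUSTOM4$ are expanded in string values, $NULL$ is passed through for the app to prompt for, and a password-protected certificate value is accompanied by a <key>_MI_CERT_PW pair). The class and function names, fnmatch-style matching, case-insensitive host comparison, and the shape of the user-attribute dictionary are assumptions of this example.

```python
"""Resolving an AppConnect app configuration for one request and one user.

Added example, not MobileIron code. Rules come from the guide's table; the
names, fnmatch-style matching and the user dictionary shape are assumptions.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class TunnelRow:
    url_wildcard: str   # hostname, or hostname containing *, without a scheme
    port: int
    sentry: str
    service: str


def validate_row(row: TunnelRow) -> List[str]:
    """Problems with a single AppTunnel row, per the URL Wildcard rules."""
    problems: List[str] = []
    if "://" in row.url_wildcard:
        problems.append("URL Wildcard must not include a URI scheme")
    if "*" in row.url_wildcard and row.service not in ("<ANY>", "<CIFS_ANY>"):
        problems.append("a hostname with wildcards works only with <ANY> or <CIFS_ANY>")
    return problems


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches any run of characters; hosts compare case-insensitively
    (assumption, since DNS names are case-insensitive)."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def select_row(rows: List[TunnelRow], host: str, port: int) -> Optional[TunnelRow]:
    """Row order matters: the first row matching both host and port is chosen.
    None means the request is not tunneled."""
    for row in rows:
        if row.port == port and host_matches(row.url_wildcard, host):
            return row
    return None


VSP_VARIABLES = ("$USERID$", "$EMAIL$", "$USER_CUSTOM1$", "$USER_CUSTOM2$",
                 "$USER_CUSTOM3$", "$USER_CUSTOM4$")


@dataclass
class CertSetting:
    """A SCEP or Certificate setting chosen as a value (contents constructed)."""
    contents: str
    password: Optional[str] = None


def resolve_values(pairs: Dict[str, Union[str, CertSetting]],
                   user: Dict[str, str]) -> Dict[str, str]:
    """Produce the key-value pairs the app receives for one user.
    `user` maps variable tokens such as "$USERID$" to the user's values; a
    variable with no value for this user expands to "" (assumption)."""
    out: Dict[str, str] = {}
    for key, value in pairs.items():
        if isinstance(value, CertSetting):
            out[key] = value.contents
            if value.password is not None:
                out[key + "_MI_CERT_PW"] = value.password   # companion pair
        elif value == "$NULL$":
            out[key] = value        # the app will prompt the user for it
        else:
            for var in VSP_VARIABLES:
                value = value.replace(var, user.get(var, ""))
            out[key] = value
    return out


if __name__ == "__main__":
    # constructed sample rows: a literal host first, a wildcard row second
    rows = [TunnelRow("finance.yourcompany.com", 443, "sentry1", "Finance"),
            TunnelRow("*.yourcompany.com", 443, "sentry1", "<ANY>")]
    print(select_row(rows, "finance.yourcompany.com", 443).service)  # Finance
    print(select_row(rows, "hr.yourcompany.com", 443).service)       # <ANY>
    print(select_row(rows, "finance.yourcompany.com", 8443))         # None
    print(resolve_values({"userid": "$USERID$", "pin": "$NULL$"},
                         {"$USERID$": "jdoe"}))
```

Reversing the two sample rows makes the wildcard row swallow the finance request, which is the ordering pitfall the Note in the table warns about: put the most specific hostnames first.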

Be sure to apply one of the labels that you selected to the device. To check the
device's labels:

1. Go to Users and Devices > Devices.

2. Select the device.

3. In the Device Details Pane, select Label Membership.

To add a label to the device:

1. Select the device.

2. Select More Actions > Apply To Label.

3. Select the labels to apply to the device.

4. Click Apply.

Enabling AppTunnel

If you are deploying secure apps developed by your organization or a third party, you
need to enable an additional product to use app tunnels with these apps:

1. In the Admin Portal, go to Settings > Preferences.

2. Scroll down to Additional Products.

3. Select Enable AppTunnel for third-party and in-house apps.

4. Click Save.

Configuring the Open With Secure Email App option

When you use AppConnect for Android, device users use a secure email app so that,
when Standalone Sentry delivers emails with attachments to these Android devices,
the attachments remain in the secure container. Therefore, you typically configure
Standalone Sentry to use the email attachment control setting called Open With
Secure Email App for Android devices that support AppConnect.

Do the following:

1. In the Admin Portal, go to Settings > Sentry.

2. Select the Standalone Sentry.

3. Click the Edit icon.

4. Select Enable Attachment Control, which is in the Attachment Control Configuration
   section of the ActiveSync Configuration section.

5. For Android Using Secure Apps, select Open With Secure Email App.

Configuring compliance actions

The security policy that is applied to a device determines what situations make a
device non-compliant. For each situation, the security policy specifies a compliance
action. These actions can be either default compliance actions or custom compliance
actions.

Some compliance actions impact AppConnect apps as follows:

• Immediately block access to the web sites configured to use the AppTunnel feature.
• Unauthorize AppConnect apps.
• Delete (wipe) the secure data of AppConnect apps.

For details about compliance actions that impact AppConnect apps, see Compliance
actions for security policy violations on page 154.

To specify a compliance action:

1. Go to Policies & Config > Policies on the VSP Admin Portal.

2. Select a security policy.

3. Click Edit.

4. Select an access control setting.
   For example, select When A Compromised IOS Device Is Detected.

5. Select a default or custom compliance action from the dropdown list.

6. Click Save.


Managing AppTunnel

• Manually blocking the AppTunnel feature on a device on page 512
  You can block all the AppConnect apps of a particular device from using the
  AppTunnel feature.

• Viewing App Tunnels on page 512
  View all the tunnels for every app and device.

• Taking actions on app tunnels on page 513
  You can direct the Standalone Sentry to block a particular app on a particular
  device from using an AppTunnel.

Manually blocking the AppTunnel feature on a device

You can manually block the AppTunnel feature on a device for all AppConnect apps.
The authorized AppConnect apps remain authorized, but the apps will no longer be
able to access the web sites configured to use the AppTunnel feature.
AppConnect apps provided by MobileIron, as well as apps developed in-house or by
third parties, are all impacted.

Note: On iOS devices, the set of impacted apps includes the Docs@Work features in
Mobile@Work for iOS.

To manually block the AppTunnel feature in AppConnect apps on a device:

1. Go to Users & Devices > Devices.

2. Select a device.

3. Select Actions > More Actions > Block App Tunnels.

4. Add a note.

5. Click Block AppTunnels.

Later, you can unblock the AppTunnel feature:

1. Go to Users & Devices > Devices.

2. Select a device.

3. Select Actions > More Actions > Allow App Tunnels.

4. Add a note.

5. Click Allow AppTunnels.

Viewing App Tunnels

Once an app tunnel is established, you can view the AppTunnel details in the App
Tunnels page.

To view app tunnels, in the Admin Portal, go to Apps > App Tunnels.

The following information is displayed:

Application Name
  The AppConnect app's name.

User
  The AppConnect app user.

Model
  The device model.

Status
  The status of the device.

State
  The app tunnel state. The state can be Allow or Block.

App Tunnel Version
  The app tunnel header's version that the device uses to talk to the Sentry.

Creation Time
  The time when the app tunnel was created.

App Bundle
  The app bundle ID for iOS AppConnect apps, and the package ID for Android
  AppConnect apps.

Taking actions on app tunnels

Follow these steps to take action on an app tunnel:

1. In the Admin Portal, go to Apps > App Tunnels.

2. Select the app tunnel you wish to take action on.

3. Click one of the actions described in the following table.

   Allow
     Permits the AppConnect app on the device to access the app server(s) through
     a Sentry.

   Block
     Prohibits the AppConnect app on the device from accessing the app server(s)
     through a Sentry.

   Remove
     Deletes the app tunnel information.
     After a Remove, Sentry will not have any memory of the app tunnel. When the
     user on the device uses the app, a new app tunnel is established. Remove is
     generally used for troubleshooting purposes.


Using AppConnect for Android

An Android device user can use an AppConnect app only if:

• The device user has been authenticated through the MobileIron VSP.
  The user must use the Mobile@Work for Android app to register a device with the
  MobileIron VSP. Registration authenticates the device user.

• You have authorized the app to run on the device.
  If the app is not authorized, the app does not allow the device user to access any
  secure data or functionality. If a device user launches an unauthorized wrapped
  app, the app displays a message and exits.
  To authorize an AppConnect app for a device, you apply the appropriate labels to
  the app's AppConnect container policy.

• No situation has caused an authorized AppConnect app to become unauthorized for
  a device.
  These situations include, for example, when the device has been out of contact with
  the VSP for a period of time that you configure.

• The device user has entered the AppConnect passcode.
  You configure the rules about the complexity of the passcode.

Why a Secure Apps Manager?

The Secure Apps Manager performs the following tasks to support AppConnect-enabled
apps on Android devices:

• manages the data encryption key.
• handles the single sign-on for all AppConnect apps.
• provides a list of all the AppConnect apps on the device.

AppConnect apps that MobileIron provides for Android


AppConnect Secure Apps for Android a suite of AppConnect apps that provide a core
set of secure functionality. This functionality includes secure email and secure documents. You can choose which of these AppConnect apps are appropriate for different
sets of device users.
The available AppConnect apps are:

NitroDesk TouchDown
The AppConnect version of the NitroDesk TouchDown email app provides a consistent user experience across a broad range of Android devices. Working with the
AppConnect versions of ThinkFree Document Viewer and File Manager, emails and
their attachments are available only in the AppConnect container. This combination
of secure apps provides the secure email attachment capability of the Docs@Work
solution.

ThinkFree Document Viewer


This secure ThinkFree Document Viewer is part of the Docs@Work solution. It
allows the device user to securely view documents from other AppConnect apps.

Company Confidential
514

AppConnect

For example, ThinkFree Document Viewer displays email attachments opened with
secure email client apps. It also displays documents opened with the secure SharePoint Client app.
The ThinkFree Document Viewer has no shortcut on the homescreen. It launches
automatically when the device user selects a document for viewing from an
AppConnect app, if the document is a type that ThinkFree Document Viewer supports.

File Manager
This secure File Manager app is part of the Docs@Work solution. It allows a user to
save, browse, and manage files in the secure container. For example, the user can
browse saved email attachments or SharePoint documents. The user can also save
documents from any other AppConnect app.

File Manager with SharePoint Client


The secure File Manager app is also available with the secure SharePoint Client app
included. This secure SharePoint Client app is part of the Docs@Work solution. It
allows a device user to view folders and documents that are shared on a content
server, such as Microsoft SharePoint. The device user needs to have a valid user ID
and password to access the content server.
Working with the AppConnect versions of ThinkFree Document Viewer and File
Manager, the SharePoint Client app provides the document viewing and storage
capability of the Docs@Work solution.
Note: The .apk file for the File Manager also contains the SharePoint Client app.
Therefore, the SharePoint Client does not appear as a separate app in the list of
secure apps that the device user installs. The File Manager installation includes
installing the SharePoint Client.
For a list of supported content servers and authentication types, see Supported
content servers on page 455.
For details on using the SharePoint Client, see The SharePoint Client App for
Android on page 747.

Secure Android Email+


Secure Android Email+ provides the native email client experience with ease of
setup and other important features. However, this app is provided under different
licensing. See the Android Email+ Release Upgrade Guide for details on obtaining
and deploying Android Email+. You can use Secure Android Email+ as the email
client that is part of your Android Docs@Work solution.

VSP licensing options for Android secure apps


On the VSP Admin Portal, in Settings > Preferences, you specify whether you have a
license for:

• Docs@Work
• AppConnect for third-party and in-house apps
The following table shows which Android secure apps you can deploy for each license
option. Select each option only if your organization has purchased it.

If you enable Docs@Work, you can deploy:

• Secure Android Email+
• NitroDesk TouchDown
• File Manager
• ThinkFree Document Viewer
• SharePoint Client

If you enable AppConnect for third-party and in-house apps, you can deploy:

• Secure Android Email+
• NitroDesk TouchDown
• File Manager
• ThinkFree Document Viewer
• Third-party AppConnect apps

Document types supported by ThinkFree Document Viewer


AppConnect apps can display documents using the secure ThinkFree Document
Viewer. The ThinkFree Document Viewer supports the following types of documents:

• .doc (MS Word 97/2000/XP/2003)
• .docx (MS Word 2007/2010)
• .rtf (Rich Text Format)
• .dot/.dotx (MS Word template)
• .xls (MS Excel 97/2000/XP/2003)
• .xlsx (MS Excel 2007/2010)
• .csv (Comma Separated Values)
• .xlt/.xltx (MS Excel template)
• .ppt (MS PowerPoint 97/2000/XP/2003)
• .pptx (MS PowerPoint 2007/2010)
• .pot/.potx (MS PowerPoint template)
• .pps/.ppsx (MS PowerPoint slide show)
• .pdf (Portable Document Format, version 1.6 or later)

If the device user tries to view a document type that is not in this list, the Android OS
indicates that no app is available to open the selected file.
Note: AppConnect apps can use other secure file viewers if they are also AppConnect
apps.

Using AppTunnel with the SharePoint Client app


Starting with Mobile@Work 5.6, you can use AppTunnel capabilities to provide a
unique secure connection from the SharePoint Client app on the device to a content
server, such as the SharePoint service. A Standalone Sentry is necessary to support
tunneling. You can also set up the AppTunnel capabilities for Single Sign On if your
environment and the content server supports Kerberos Constrained Delegation.

The SharePoint Client is part of the secure File Manager. Therefore, the SharePoint Client does not appear as a separate app in the list of secure apps that the device user
installs. It also does not appear as a separate app in the app distribution library on the
VSP. When a device user installs the secure File Manager, they also install the SharePoint Client.
Set up the AppTunnel as described in Adding AppTunnel support on page 482. Part of
that process is to set up the tunneling section of the AppConnect app configuration.
Because the SharePoint Client app is part of the secure File Manager, you set up
SharePoint tunneling in the AppConnect app configuration for the File Manager app.

Lock, unlock, and retire impact on AppConnect


Locking, unlocking, or retiring an Android device impacts access to AppConnect apps
and their associated data.

Lock impact
Locking a device causes the device user to be locked out of AppConnect apps. The
user must reenter the secure apps passcode to access AppConnect apps. The Secure
Apps Manager prompts the user to reenter the passcode when the user launches:

• the Secure Apps Manager
• any AppConnect app
If the device also uses a device passcode, the user must first reenter the device passcode.

Unlock impact
Unlocking a device removes the device passcode and also removes the secure apps
passcode. The Secure Apps Manager notifies the device user to create a new secure
apps passcode when the user launches:

• the Mobile@Work app
• the Secure Apps Manager
• any AppConnect app
No data relating to AppConnect apps is removed when a device is unlocked. Once the
device user creates a new secure apps passcode, the data becomes accessible again.
Issuing an Unlock command is useful in the following scenarios:

• You enabled secure apps in an AppConnect global policy and applied it to a device.
  The device user installed the secure apps and created the secure apps passcode.
  Later, you disable secure apps and repush the policy to the device. Finally, you
  reenable secure apps and repush the policy to the device. The device user cannot
  access the secure apps until you send an Unlock command to the device. Then, the
  device user creates a new secure apps passcode and can access the secure apps.
• You change the secure apps passcode requirements in an AppConnect global policy,
  and repush the policy to the device. The device user does not have to update his
  secure apps passcode to meet the new requirements. However, you can send an
  Unlock command to the device, which prompts the device user to create a new
  secure apps passcode. The new passcode must adhere to the new policy
  requirements.

Retire impact
Retiring a device unregisters the device from the VSP.
Retiring a device impacts AppConnect apps as follows:

• The device user cannot open any AppConnect apps or the Secure Apps Manager.
• Data that the AppConnect apps saved to device storage is deleted.

However, the device user must manually uninstall the AppConnect apps and the
Secure Apps Manager.
Retiring a device, therefore, retires the AppConnect apps on the device. For more
information about retiring AppConnect apps, see AppConnect app authorization on
page 494.

Situations that wipe AppConnect app data


When an AppConnect app is retired, it becomes unauthorized (blocked), and its
data is deleted (wiped). The following situations retire an AppConnect app:

• You disable AppConnect in the AppConnect global policy for the device (starting
  with Android Secure Apps 5.7).
• The device user uninstalls Mobile@Work or the Secure Apps Manager on the device.
• You retire the device.
• The out-of-contact wipe timeout in the AppConnect global policy expires.
• You remove the Secure Apps Manager in Apps > App Distribution Library (starting
  with Android Secure Apps 5.7).
• You remove the label for a device from the Secure Apps Manager on Apps > App
  Distribution Library (starting with Android Secure Apps 5.7).
• You quarantine the device due to a compliance action (starting with Android Secure
  Apps 5.7).

Accessible apps to preserve the user experience


AppConnect apps can share data only with other AppConnect apps.
However, some exceptions exist to this rule to:

• Preserve the device user experience.
• Enable the use of system services, such as making voice calls.

The exceptions are:

• Browsers
  Tapping a link in an AppConnect app launches a browser.
• Maps
  Tapping a meeting location in an AppConnect email app launches a maps app.
• Phone calls
  Tapping a phone number in any AppConnect app places a phone call.
• SMS
  An AppConnect app such as TouchDown can allow the device user to send an SMS
  to a corporate contact.

Device details for AppConnect apps


The VSP Admin Portal shows the status of AppConnect apps on Android devices.
To see these device details:

1. On the VSP Admin Portal, go to Users & Devices > Devices.
2. Select an Android device.
3. In the right-hand pane, select Details.

The following information displays that relates to AppConnect apps on the device:

Secure Apps Encryption State
    The value is Enabled if the device user has created a secure apps passcode.
    Otherwise, the value is Disabled.

Secure Apps State
    Indicates the state of secure apps on the device:
    • not installed: The device user has not yet installed all the secure apps.
    • installed: The device user has installed all the secure apps. However, he has
      not yet created the secure apps passcode and has not yet started TouchDown
      setup.
    • ready: The device user has installed the secure apps, created the secure apps
      passcode, and at least started TouchDown setup.

Using AppConnect for iOS


An iOS device user can use an AppConnect app only if:

• The device user has been authenticated through the MobileIron VSP.
  The user must use the Mobile@Work for iOS app to register the device with the
  MobileIron VSP. Registration authenticates the device user.
• You have authorized the app to run on the device.
  If the app is not authorized, the app does not allow the device user to access any
  secure data or functionality. If a device user launches an unauthorized wrapped
  app, the app displays a message and exits. An SDK app should have the same
  behavior if the app handles only secure data and functionality. Otherwise, an SDK
  app runs but restricts the user to only unsecured functionality and data.
  To authorize an AppConnect app for a device, you apply the appropriate labels to
  the app's AppConnect container policy.
• No situation has caused an authorized AppConnect app to become unauthorized for
  the device.
  These situations include, for example, when the device OS is compromised.
  Mobile@Work reports device information to the VSP. The VSP then determines
  whether to change the AppConnect apps on the device to unauthorized based on
  security policies and associated compliance actions that you configure.
• The device user has entered the AppConnect passcode.
  You configure whether the AppConnect passcode is enabled, and also configure
  rules about its complexity.

AppConnect apps that MobileIron provides for iOS


Besides using third-party or in-house AppConnect apps created with app wrapping or
the SDK, you can use AppConnect apps that MobileIron provides. These AppConnect
apps are:

• the Mobile@Work capabilities to view and store documents from content servers
  and email attachments. These Docs@Work features of Mobile@Work for iOS are
  essentially an AppConnect app within Mobile@Work.
• Web@Work, which is a MobileIron iOS app that allows your users to easily and
  securely access your organization's web content.

Note: You do not have to purchase the AppConnect feature that supports third-party
and in-house apps to use Web@Work or the Docs@Work features of Mobile@Work.

Mobile@Work and AppConnect apps


Mobile@Work for iOS supports AppConnect apps in the following ways:

• It communicates with the VSP to get management and security-related information
  and passes the information to the AppConnect apps.
  Mobile@Work periodically does an app checkin with the VSP to get this information.
  You configure the app checkin interval in the AppConnect global policy. It is the
  maximum time between app checkins while an AppConnect app is running. See
  Configuring the AppConnect global policy on page 484.
• It enforces the AppConnect passcode.
  Mobile@Work prompts the device user to create an AppConnect passcode when
  first launching any AppConnect app. You configure a passcode inactivity timeout in
  the AppConnect global policy. When this timeout expires, Mobile@Work prompts
  the device user to reenter his AppConnect passcode.

App checkin and Mobile@Work


On each app checkin, Mobile@Work gets AppConnect policy updates for all the
AppConnect apps that have already run on the device. These updates include changes
to:

• the AppConnect global policy for the device.
• AppConnect container policies for each of the AppConnect apps that have run on
  the device.
• AppConnect app configurations for each of the AppConnect apps that have run on
  the device.
• the current authorization status for each of the AppConnect apps that have run on
  the device.

Mobile@Work does an app checkin in the following situations:

• The device user launches an AppConnect app for the first time.
  In this situation, Mobile@Work finds out about the app for the first time, and adds it
  to the set of AppConnect apps for which it gets updates.
• The app checkin interval expires while an AppConnect app is running.
• The app checkin interval expired while no AppConnect apps were running and then
  the device user launches an AppConnect app.
In each of these situations, Mobile@Work launches, and the device user sees the
Mobile@Work app momentarily. Once Mobile@Work has completed the app checkin,
the device user automatically returns to the AppConnect app.

The AppConnect passcode inactivity timeout and Mobile@Work


Mobile@Work launches to prompt the device user for the AppConnect passcode in the
following situations:

• The AppConnect passcode inactivity timeout expires while the device is running an
  AppConnect app.
  Note: If the device user is interacting with the app, the inactivity timeout does not
  expire. This case occurs only when the device user has not touched the device for
  the duration of the timeout interval.
• The device user used Mobile@Work to log out of AppConnect apps, and then
  launches an AppConnect app.
• The VSP administrator has changed the complexity rules of the AppConnect
  passcode, and an app checkin occurs.

In each of these situations, Mobile@Work launches, and presents the device user with
a screen for entering his AppConnect passcode. After the device user enters the
passcode, the device user automatically returns to the AppConnect app.

Chapter 17

Web@Work for iOS


Web@Work is an iOS AppConnect app from MobileIron that allows your users to easily
and securely access your organization's web content.

Supported iOS devices


Web@Work is supported on devices running iOS 5.1 and later. The supported devices
are:

• iPhone 3GS and later
• iPod touch 3rd gen and later
• iPad 1st gen and later
• iPad mini 1st gen and later

Required MobileIron products


Web@Work requires the following MobileIron products:

• VSP 5.5 or later
• Standalone Sentry 4.5 or later
• Mobile@Work for iOS version 5.5 or later

Web@Work overview
Web@Work has the following features:

• Web@Work can securely access web sites hosted on servers behind your firewall,
  without requiring the device user to use VPN.
  To provide this secure access, Web@Work uses AppConnect and AppTunnel
  capabilities. Note, however, that you can use Web@Work without purchasing
  AppConnect for third-party or in-house apps and without purchasing AppTunnel.
  For more information, see Secure enterprise web site access using AppTunnel on
  page 526.
  For configuration information, see Configure AppTunnel and Bookmarks for
  Web@Work on page 535.
• Web@Work supports Single Sign On using Kerberos Constrained Delegation (KCD).
  The device user registers Mobile@Work with the VSP by entering his VSP
  credentials. Then, the device user can use Web@Work to access an enterprise app
  server without having to enter any further credentials. This support depends on
  your environment being set up to use KCD, plus the necessary AppTunnel
  configuration.
• Web@Work uses iOS web technologies to provide web content presentation and
  interaction similar to that of Safari.
  Because Web@Work uses these iOS web technologies, Web@Work automatically
  inherits any related iOS security updates that are installed on the device.
• All Web@Work browser data is encrypted while the device is locked with a
  passcode. This data includes the browser cache, HTML5 local storage, cookies, URL
  history, and bookmarks.
• Web@Work does not allow the device user to open a downloaded document in
  another app. This behavior protects secure documents from leaking to unsecured
  apps.
• Web@Work can prevent the device user from pasting into other apps any data that
  the user copied from Web@Work.
  For more information, see Pasteboard data loss prevention handling on page 526.
  To enable or disable this Allow Copy/Paste To data loss prevention policy, see
  Configure an AppConnect container policy for Web@Work on page 534.
• Web@Work supports bookmarks that you specify on the VSP Admin Portal.
  See Configure AppTunnel and Bookmarks for Web@Work on page 535.
• Web@Work supports bookmarks that the device user specifies in Web@Work.
  The device user names, organizes, and removes bookmarks that he creates.
  However, the device user cannot name, organize, or remove bookmarks that you
  specify in the VSP Admin Portal. The device user can organize bookmarks that he
  creates so that they display between bookmarks that you specified.
• You can provide different Web@Work-related settings to different devices and
  users, depending on, for example, device attributes and user membership in the
  enterprise directory. The VSP provides this capability through labeling.
• Web@Work supports URL schemes that open web pages automatically, and only, in
  Web@Work.
  See Web@Work URL schemes on page 525.

Multi-factor authentication and authorization for device users


A device user can use Web@Work only if the device user is:

• using a device that is registered with a MobileIron VSP.
  Registering a device with the VSP authenticates the device user.
• authorized to use Web@Work.
  Using the VSP Admin Portal, you authorize a device to use Web@Work. You use the
  VSP's labeling mechanism to indicate which devices are authorized to use
  Web@Work.
  Note: If the device is not authorized to use Web@Work, the device user cannot use
  it even for accessing public web sites.
• in compliance with the security policy applied to the device.
  Using the VSP Admin Portal, you can set up security policies to block access to
  Web@Work if the device fails to meet conditions that you specify. When access is
  blocked, the device becomes unauthorized to use Web@Work. Also, all AppTunnel
  access is blocked, which blocks access to enterprise web sites.
  Note: Be sure to require a device passcode in the security policy, since a device
  passcode enables iOS data encryption capabilities. Web@Work uses iOS data
  encryption capabilities to encrypt browser data.
• logged in with his secure apps passcode.
  Web@Work is an AppConnect app, and therefore, you can require the device user
  to enter a secure apps passcode to use it. The device user uses one secure apps
  passcode to access all AppConnect apps. The Mobile@Work for iOS app manages
  the secure apps passcode.
  When the device user first launches Web@Work, Mobile@Work prompts the user to
  create a secure apps passcode if he had not already created one to use some other
  AppConnect app. On subsequent launches of Web@Work, Mobile@Work prompts
  the user to enter the secure apps passcode, unless he had recently entered it to
  use some other AppConnect app.

Once a device user has registered the device with the VSP and, if required, entered his
secure apps passcode, he has no further Web@Work setup to do.
Note: A device user cannot specify Web@Work as the default browser on the device.
This prohibition ensures that the device user always has easy access to a browser for
non-enterprise browsing, even if the device becomes unauthorized to use Web@Work.

Web@Work URL schemes


Web@Work supports the following URL schemes:

• mibrowser:// for HTTP connections
• mibrowsers:// for HTTPS connections

URLs that use these schemes open automatically in Web@Work.
For example, a web page opens automatically in Web@Work when the device user:

• taps a link in Safari that uses one of these URL schemes.
• taps a web clip that uses one of these URL schemes.
  Note: These URL schemes work in web clips only on devices running iOS 6.0 or
  later.

Using these URL schemes in web clips and in web pages written for mobile devices
can improve the user experience, because iOS otherwise opens HTTP and HTTPS
URLs only in Mobile Safari, the native web browser.
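
The following Python is an added example, not code from this guide or from the
MobileIron product. It builds a managed iOS web clip whose URL has been rewritten
from http or https to the mibrowser or mibrowsers scheme described above, so that
tapping the clip opens the page in Web@Work, and it refuses anything that is not an
http or https URL with a host, so a file: or javascript: URL can never become a
clip. The scheme mapping is the one documented above; the profile keys are
Apple's web clip payload keys (com.apple.webClip.managed); the host names,
label, organization name and payload identifiers are placeholders. The output is
a plain .mobileconfig, whatever channel you use to deliver it.

```python
"""Build a managed iOS web clip whose URL opens in Web@Work.

Added example; not code from the MobileIron guide or product. The scheme
mapping (http -> mibrowser, https -> mibrowsers) is the one the guide
documents. The profile keys are Apple's web clip payload keys
(com.apple.webClip.managed); host names, label, organization name and
payload identifiers are placeholders.
"""
import plistlib
import uuid
from urllib.parse import urlsplit, urlunsplit

SCHEME_MAP = {"http": "mibrowser", "https": "mibrowsers"}
REVERSE_MAP = {v: k for k, v in SCHEME_MAP.items()}


def to_webatwork_url(url: str) -> str:
    """Rewrite an http(s) URL so iOS hands it to Web@Work instead of Safari.

    Only http and https are rewritten. Anything else (file:, javascript:,
    an unknown scheme, a URL without a host) is rejected, never guessed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEME_MAP:
        raise ValueError(f"unsupported scheme {parts.scheme!r} in {url!r}")
    if not parts.netloc:
        raise ValueError(f"URL has no host: {url!r}")
    return urlunsplit((SCHEME_MAP[scheme],) + tuple(parts[1:]))


def from_webatwork_url(url: str) -> str:
    """Inverse mapping, e.g. when auditing which sites pushed clips point at."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in REVERSE_MAP:
        raise ValueError(f"not a Web@Work URL: {url!r}")
    return urlunsplit((REVERSE_MAP[scheme],) + tuple(parts[1:]))


def web_clip_profile(label: str, url: str, org: str = "Example Corp") -> bytes:
    """Return a .mobileconfig (XML plist) carrying one managed web clip.

    The device needs iOS 6.0 or later for the scheme to work in a clip.
    Identifiers are derived deterministically from the target URL, so
    installing the profile again replaces the earlier copy.
    """
    target = to_webatwork_url(url)
    ident = "com.example.webclip." + str(uuid.uuid5(uuid.NAMESPACE_URL, target))
    clip = {
        "PayloadType": "com.apple.webClip.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, ident)).upper(),
        "PayloadDisplayName": label,
        "Label": label,
        "URL": target,
        "IsRemovable": False,  # the user cannot delete a managed clip
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident + ".profile",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, ident + ".profile")).upper(),
        "PayloadDisplayName": label + " (Web@Work)",
        "PayloadOrganization": org,
        "PayloadContent": [clip],
    }
    return plistlib.dumps(profile)
```

The rejection of non-http(s) schemes is the point of the helper: a bookmark or clip
generator that blindly prefixes "mibrowser" would happily turn a javascript: link
into a clip, and the inverse mapping lets you audit pushed clips back to the real
site they open.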

Pasteboard data loss prevention handling


Web@Work supports the copy/paste data loss prevention policy. This policy
determines whether to prevent the device user from pasting secure data from
Web@Work into an unsecured app. You configure it on the VSP in the Allow
Copy/Paste To field of the AppConnect global policy or in the AppConnect container
policy for Web@Work.
When Allow Copy/Paste To is not selected, the device user is not allowed to paste
secure data from Web@Work into an unsecured app. To enforce this, Web@Work
clears the pasteboard when it exits, but only if the device user copied content from
inside Web@Work.
Note: Similarly, when Mobile@Work exits, it clears data copied from inside
Mobile@Work because the Docs@Work content of Mobile@Work is also secure data.
This behavior means that the device user's copy/paste experience for other apps is
not impacted. For example, consider the following scenario:

1. Allow Copy/Paste To is not selected.
2. The device user copies a URL from an unsecured app.
3. The device user launches Web@Work.
4. Mobile@Work launches to prompt the device user for his AppConnect passcode.
   At this point, although Web@Work exited, it did not clear the URL from the
   pasteboard, since the URL was not copied from inside Web@Work. The device user
   can still paste the content into any app, secured or not.
5. When the device user returns to Web@Work, the URL is still available on the
   pasteboard.
6. The device user pastes the URL into the Web@Work address bar.

Situations when Web@Work deletes its sensitive data


Web@Work deletes (wipes) website data and closes its tabs in the following cases:

• The device is not in compliance and you have specified in the compliance action for
  the particular non-compliance case to delete data.
• The device user is no longer authenticated with the VSP.

Web@Work distribution
You can make Web@Work available to device users as a recommended app in the app
distribution library in the VSP Admin Portal. The device user uses the Apps@Work web
clip or the Apps@Work web container app to discover and install Web@Work from the
Apple AppStore.

Secure enterprise web site access using AppTunnel


Web@Work uses MobileIron's AppTunnel technology to securely access web sites
behind your enterprise's firewall. This technology allows you to:

• Set up Web@Work to access enterprise web sites without requiring the device user
  to set up VPN.
• Support Single Sign On using Kerberos Constrained Delegation (KCD).
  The device user registers Mobile@Work with the VSP by entering his VSP
  credentials. Then, the device user can use Web@Work to access an enterprise app
  server without having to enter any further credentials. This support depends on
  your environment being set up to use KCD, plus the necessary AppTunnel
  configuration.
• Limit enterprise access to Web@Work.
  Other apps, such as mobile email and calendar synchronization, are not impacted
  by Web@Work's enterprise access. Therefore, unlike when you use VPN for
  enterprise access, you do not have to retest the behavior of these existing apps.
• Limit the enterprise sites that a device user can access.
  You can specify accessible sites in the tunneling configuration. Specifically, as long
  as the device stays on the external network, internal sites that are not specified in
  the tunneling configuration remain inaccessible. Furthermore, you can vary the
  accessible sites according to device and user attributes, such as user membership
  in the enterprise directory.
• Terminate enterprise web site access based on compliance policies.
  Using the security policy for a device, you can specify which non-compliance
  situations block AppTunnel access.
• Perform URL filtering to audit and enforce web use policies.
  If you direct all outgoing traffic through a filtering proxy, you can direct traffic that
  you tunnel through the proxy, too. For example, by setting up Web@Work to tunnel
  all requests to www.SomeExternalWebSite.com, you can set the URL rules in your
  filtering proxy to block access to that site.
• Benefit from split-tunneling.
  You can allow device users to access some public web sites without tunneling, while
  enforcing tunneling for other external as well as enterprise web sites. By setting up
  this split-tunneling, your device users can access public sites without incurring
  additional load on enterprise network infrastructure. In addition, split-tunneling
  allows users to access public websites without visibility to the enterprise. Regional
  privacy regulations sometimes require this for personally-owned devices.
• Secure tunneled web traffic using multi-factor authentication and authorization.
  To use Web@Work, a device must be registered with the VSP and authorized to use
  Web@Work. You can also require a secure apps passcode to access Web@Work.
  Furthermore, establishing an AppTunnel requires a unique client-side certificate,
  ensuring that only managed and authorized devices can access enterprise web
  sites. You can get certificates from a third-party certificate authority (CA) or from
  the CA built into the VSP.

Web@Work user agent string


The user agent for a browser identifies the browser to web server applications,
allowing the applications to make choices about the pages and content that they
serve.
For example, the user agent string for Web@Work on an iPad running iOS 6.1.2 is:

Mozilla/5.0 (iPad; CPU OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146

Note that, unlike the Mobile Safari user agent string on the same device, this string
carries no Version/ or Safari/ tokens. Make sure your web server applications handle
Web@Work requests just as they would handle Mobile Safari requests; in particular,
do not key mobile handling on the presence of a Safari/ token.
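
The following Python is an added example, not code from this guide, of the
server-side check the paragraph above asks for. It classifies a User-Agent as
Mobile Safari, an iOS web view (which is what Web@Work presents), or something
else, and shows that a naive check for the Safari/ token misses Web@Work entirely.
The Web@Work string is the one quoted above; the Mobile Safari and desktop Chrome
strings are constructed samples for comparison.

```python
"""Treat Web@Work like Mobile Safari on the server side.

Added example; not code from the MobileIron guide. The Web@Work string is
the one quoted in the guide; the Mobile Safari and desktop Chrome strings
are constructed samples for comparison.
"""
import re

UA_WEBATWORK = ("Mozilla/5.0 (iPad; CPU OS 6_1_2 like Mac OS X) "
                "AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146")
UA_MOBILE_SAFARI = ("Mozilla/5.0 (iPad; CPU OS 6_1_2 like Mac OS X) "
                    "AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 "
                    "Mobile/10B146 Safari/8536.25")
UA_DESKTOP_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36")

# iOS platform token, e.g. "(iPad; CPU OS 6_1_2 like Mac OS X)".
_IOS_PLATFORM = re.compile(r"\((?:iPhone|iPad|iPod); [^)]*like Mac OS X\)")
_IOS_VERSION = re.compile(r" OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")


def naive_is_mobile_safari(ua: str) -> bool:
    """The common mistake: keying on the Safari/ token. Web@Work never sends it."""
    return "Safari/" in ua and "Mobile/" in ua


def is_ios_webkit(ua: str) -> bool:
    """True for any iOS WebKit client, Mobile Safari and Web@Work alike."""
    return bool(_IOS_PLATFORM.search(ua)) and "AppleWebKit/" in ua and "Mobile/" in ua


def ios_version(ua: str):
    """Return (major, minor[, patch]) from the platform token, or None."""
    m = _IOS_VERSION.search(ua)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def classify(ua: str) -> str:
    """'mobile-safari', 'ios-webview' (Web@Work and other web-view apps) or 'other'."""
    if not is_ios_webkit(ua):
        return "other"
    return "mobile-safari" if "Safari/" in ua else "ios-webview"


def serve_mobile_layout(ua: str) -> bool:
    """Server-side decision: Web@Work gets exactly what Mobile Safari gets."""
    return classify(ua) in ("mobile-safari", "ios-webview")
```

The platform token and AppleWebKit/ are the stable parts of the string; the
Safari/ and Version/ tokens are only present when the request really comes from
the Safari app, which is why a rule that depends on them silently degrades the
experience for Web@Work users.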

Configuring Web@Work on the VSP Admin Portal


Using the VSP Admin Portal, do the following high-level steps to provide Web@Work to
device users:

1. Enable Web@Work.
   Enable Web@Work support on the VSP by indicating that you have a license to
   deploy it.
   See Enabling Web@Work on page 529.
2. Set up a SCEP setting or certificates setting for authenticating devices to the
   Sentry.
   See Certificates settings on page 236 or SCEP settings on page 237.
   Be sure to assign labels to distribute the setting to the appropriate devices.
3. Set up a Standalone Sentry to support AppTunnel for Web@Work.
   See Set up a Standalone Sentry to support AppTunnel for Web@Work on
   page 529.
4. Set up a device passcode.
   Web@Work requires a device passcode.
   See Set up a device passcode on page 533.
5. Configure an AppConnect global policy.
   Because Web@Work is an AppConnect app, an AppConnect global policy is
   necessary.
   See Configure an AppConnect global policy on page 534.
6. Configure an AppConnect container policy for Web@Work.
   Typically, you apply an AppConnect container policy for Web@Work to the device to
   authorize the device user to use Web@Work. This policy also configures data loss
   protection policies for the device.
   See Configure an AppConnect container policy for Web@Work on page 534.
7. Configure AppTunnel and Bookmarks for Web@Work.
   A Web@Work app setting is necessary to configure the AppTunnel that Web@Work
   requires. You also use the Web@Work app setting to configure browser bookmarks.
   See Configure AppTunnel and Bookmarks for Web@Work on page 535.
8. Add Web@Work to the app distribution library.
   To make Web@Work easier for device users to discover and install, add it to the app
   distribution library as a recommended app.
   See Add Web@Work to the app distribution library on page 538.
9. Define the situations that mean the device is not in compliance.
   You configure these situations in the security policy that you apply to the device.
   For each situation, you specify a compliance action. The compliance action blocks
   Web@Work from accessing the web sites configured to use AppTunnel. The
   compliance action also blocks the device from using AppConnect apps, which
   include Web@Work. The action can also delete (wipe) all of Web@Work's sensitive
   data and close its tabs.
   See Working with security policies on page 147.
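
The following Python is an added example, not code from this guide or from
MobileIron, of a check worth running on an issued client certificate before
distributing the certificate setting in step 2. It reads the text that
`openssl x509 -in client.pem -noout -text` prints and verifies the two
properties the Standalone Sentry device authentication settings depend on: the
CRL Distribution Points must include an HTTP or HTTPS URI, because Sentry cannot
fetch LDAP-based CRLs, and, if you intend to use Kerberos Constrained Delegation,
the Subject Alternative Name must carry the user's UPN. The sample text is
constructed; the OpenSSL output layout it assumes ("Full Name:" / "URI:" lines,
and OpenSSL 3's "othername: UPN::" rendering of a UPN, where OpenSSL 1.1 prints
"othername:<unsupported>" instead) is an assumption to confirm against your own
OpenSSL build.

```python
"""Pre-flight checks on a client certificate before it is used for Standalone
Sentry device authentication (Identity Certificate, optionally with KCD).

Added example; not MobileIron code. It works on the text that
`openssl x509 -in client.pem -noout -text` prints. The sample below is
constructed, and the layout it assumes ("Full Name:" / "URI:" lines, and
OpenSSL 3's "othername: UPN::" rendering; OpenSSL 1.1 prints
"othername:<unsupported>") is an assumption to confirm locally.
"""
import re
from urllib.parse import urlsplit

# Constructed, abridged sample of `openssl x509 -noout -text` output.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O = Example Corp, OU = Mobile, CN = jdoe
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                othername: UPN::jdoe@corp.example.com, email:jdoe@corp.example.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=Example%20CA,CN=CDP,DC=corp,DC=example,DC=com?certificateRevocationList
                Full Name:
                  URI:http://pki01.corp.example.com/CertEnroll/Example%20CA.crl
"""

_CDP_BLOCK = re.compile(
    r"CRL Distribution Points:[ \t]*\n(.*?)(?=\n[ \t]*X509v3 |\n[ \t]*Signature|\Z)", re.S)
_SAN_LINE = re.compile(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)")
_UPN = re.compile(r"othername:\s*UPN::(\S+)")


def crl_distribution_points(text: str) -> list:
    """All URIs listed in the CRL Distribution Points extension, in order."""
    m = _CDP_BLOCK.search(text)
    return re.findall(r"URI:(\S+)", m.group(1)) if m else []


def sentry_usable_cdps(uris: list) -> list:
    """Keep only the CDPs Sentry can actually query: HTTP and HTTPS."""
    return [u for u in uris if urlsplit(u).scheme.lower() in ("http", "https")]


def subject_alt_names(text: str) -> list:
    """The comma-separated SAN entries as OpenSSL prints them."""
    m = _SAN_LINE.search(text)
    return [e.strip() for e in m.group(1).split(",")] if m else []


def upn_from_san(entries: list):
    """The UPN otherName value, or None if the certificate has none."""
    for entry in entries:
        m = _UPN.match(entry)
        if m:
            return m.group(1)
    return None


def preflight(text: str, require_upn: bool = True) -> dict:
    """Summarise whether the certificate fits the Sentry settings."""
    cdps = crl_distribution_points(text)
    usable = sentry_usable_cdps(cdps)
    san = subject_alt_names(text)
    upn = upn_from_san(san)
    problems = []
    if not cdps:
        problems.append("no CRL Distribution Points: leave Check CRL unselected or reissue")
    elif not usable:
        problems.append("CRL Distribution Points are LDAP-only: Sentry CRL checking will fail")
    if require_upn and upn is None:
        problems.append("no UPN in Subject Alternative Name: KCD cannot identify the user")
    if any("<unsupported>" in e for e in san):
        problems.append("SAN contains an otherName this OpenSSL cannot decode: "
                        "confirm the UPN with openssl asn1parse")
    return {"cdp_uris": cdps, "usable_cdps": usable, "upn": upn, "problems": problems}
```

Run preflight() over the -text output of one certificate from each template you
plan to issue; a CA that publishes only an LDAP CDP is the usual reason the Sentry
CRL check fails after it is enabled, and it is cheaper to find that before devices
are registered than after. Sentry also needs network reachability to the HTTP(S)
CDP, which this check does not exercise.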

Enabling Web@Work
Enable Web@Work only if your organization has purchased it. Enabling Web@Work
means that the VSP supports it.
To enable Web@Work:

1. In the Admin Portal, go to Settings > Preferences.
2. Scroll down to Additional Products.
3. Select Enable Web@Work.
   Note: Although Web@Work uses AppConnect capabilities, do not select Enable
   AppConnect unless you also purchased that license.
4. Click Save.

Set up a Standalone Sentry to support AppTunnel for Web@Work


Web@Work requires the AppTunnel feature. The AppTunnel feature requires a
Standalone Sentry dedicated to AppTunnel.
On the VSP Admin Portal, do the following:

1. In the Admin Portal, go to Settings > Sentry.
2. Click Add New and choose Standalone Sentry.
   If you already have a Standalone Sentry that supports AppTunnel, click its edit
   icon.
3. Use the following guidelines to configure the AppTunnel for Web@Work.

Host / IP
    Enter the external host name or IP address of the server on which the Standalone
    Sentry is installed.
    The host name or IP address must be external because Web@Work on devices
    must be able to access the Sentry.
    The VSP also needs to connect to this same host name or IP address. If the host
    name or IP address is not accessible by both the VSP and devices, use the name or
    IP address that the devices use. Then, using the System Manager, add a static host
    entry to the VSP.

Port
    Enter the port that the Standalone Sentry is listening on. The default is 9090.

Enable App Tunneling
    Select the check box to enable AppTunnel support on the Sentry.

Device Authentication Configuration

Note: See Device and server authentication support for Standalone Sentry on
page 328 for authentication information for both ActiveSync and AppTunnel.

Device Authentication
    Select how devices attempting to connect to internal servers authenticate with
    the Standalone Sentry.
    Choose Identity Certificate or Group Certificate. If you are using Kerberos
    Constrained Delegation to authenticate the user to the app server, choose
    Identity Certificate.

Upload Certificate
    If you chose Group Certificate, upload your existing certificate (.cer) file.
    If you chose Identity Certificate, upload the Root certificate (this may be a root
    certificate chain) from the CA you trust. The CA may be a Root Authority or an
    Intermediate Authority.

Check certificate revocation list (CRL)
    Select Check Certificate Revocation List (CRL) if you want to validate the
    certificates presented by the device against the Certificate Revocation List (CRL)
    published by the CA.
    Note that only HTTP and HTTPS based CRLs are supported. Some CAs create
    LDAP-based CRLs by default that will not work with Sentry.
    For CRL validation to work, Sentry requires network connectivity to the CRL
    Distribution Point (CDP), usually the CA that issued the certificate, through an
    HTTP or HTTPS port.

Subject Alternative Name

    Type
        Use the Subject Alternate Name Type list to select the field in the client
        certificate that will be used to identify the user for Kerberos Constrained
        Delegation.
        The Type is the same type that you specified when generating the client
        certificate. This type is often the NT Principal Name.

    Value
        Use the Value list to select the value used in the Subject Alternate Name
        field.
        Usually, the User UPN (user principal name) is used to identify the user.

App Tunneling Configuration

To add a new service for Web@Work, click +.

Service Name
    Use the dropdown to select <ANY> or <CIFS_ANY>.
    Selecting <ANY> means that the Web@Work user can reach any of your internal
    servers. <CIFS_ANY> specifies any internal CIFS-based content servers. Typically,
    you do not want to restrict users' access. However, if you do want to restrict their
    access to internal servers, you can list the services here instead of selecting
    <ANY> or <CIFS_ANY>. The service name is any unique identifier for the internal
    servers. For CIFS-based content servers, the service name must begin with CIFS_.
    For example, some possible service names are:
    • SharePoint
    • Human Resources
    The following characters are invalid: 'space' \ ; * ? < > " |
    The Service Name is used in the AppConnect app configuration.

Server Auth
    Select the authentication scheme for the Standalone Sentry to use to authenticate
    the user to the enterprise server:
    • Pass Through
      The Sentry passes through the authentication credentials, such as the user ID
      and password (basic authentication) or NTLM, to the enterprise server.
    • Kerberos
      The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single
      Sign On (SSO). SSO means that the device user does not have to enter any
      credentials when Web@Work accesses the enterprise server.
      The Kerberos option is only available if you selected Identity Certificate for
      Device Authentication.

Company Confidential
531

Web@Work for iOS

Item

Description

Server List

Since you typically select <ANY> or <CIFS_ANY> for the service


name for Web@Work, the server list is not applicable.
If you do specify service names, enter the internal servers host
name or IP address (usually an internal host name or IP
address) and the port that the Sentry can access. Include the
port number on the internal server that the Sentry can access.
For example:
sharepoint1.companyname.com:443
You can enter multiple servers. The Sentry uses a round-robin
distribution to load balance the servers. That is, it sets up the
first tunnel with the first internal server, the next with the next
internal server, and so on. Separate each server name with a
semicolon.
For example:
sharepoint1.companyname.com:443;sharepoint2.companyname.com:443.

TLS Enabled

Since you typically select <ANY> or <CIFS_ANY> for the service


name for Web@Work, TLS Enabled is not applicable.
If you do specify service names, select TLS Enabled if the enterprise servers listed in the Server List field require SSL.
Note: Although port 443 is typically used for https and requires
SSL, the enterprise server can use other port numbers requiring
SSL.

Server SPN List

Since you typically select <ANY> or <CIFS_ANY> for the service


name for Web@Work, Server SPN List is not applicable.
Note: When the Service Name is <ANY> and the Server Auth is
Kerberos, the Standalone Sentry assumes that the SPN is the
same as the server name received from the device.
If you do specify service names, Enter the Service Principal
Name (SPN) for each server, separated by semicolons. For
example:
sharepoint1.company.com;sharepoint2.company.com.
The Server SPN List applies only when the Service Name is not
<ANY> and the Server Auth is Kerberos.
If each server in the Server List has the same name as its SPN,
you can leave the Server SPN List empty. However, if you
include a Server SPN List, the number of SPNs listed must equal
the number of servers listed in the Server List. The first server
in the Server List corresponds to the first SPN in the Server SPN
List, the second server in the Server List corresponds to the second server in the Server SPN List, and so on.

Company Confidential
532

Web@Work for iOS

Item

Description

Kerberos Authentication Configuration

If you select Kerberos for the Server Auth field for an AppTunnel service, this section appears. For Kerberos authentication information for both ActiveSync and
AppTunnel, see Authentication using an identity certificate and Kerberos constrained delegation on page 333.
Use keytab file

Select this field to upload a Kerberos-generated keytab file. Click


Upload File to upload the keytab file. Uploading the keytab file
populates the Realm and Sentry Service Principal fields.

Realm

If you do not upload a keytab file, enter the Kerberos administrative domain. The realm is usually the company domain name,
in all uppercase characters.

Sentry Service
Principal

If you do not upload a keytab file, enter the service principal for
the Sentry service account, preceded by HTTP/ if you do not
upload a keytab file. For example, if the user name of the service account is sentry1_kcd, the service principal would be HTTP/
sentry1_kcd.

Password

If you do not upload a keytab file, enter the password for the
Sentry service account.

Key distribution center

Optionally enter the key distribution center, which is the network


service that supplies session tickets and temporary session
keys. This field is generally the Active Directory domain controller hostname.
If you do not enter a key distribution center, the system autodetects it.

4. Click Save.
5. If the Sentry uses a self-signed certificate, in the Settings > Sentry page, for the Sentry configured for AppTunneling, click the View Certificate link. This makes the Sentry's certificate known to the VSP.
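The Service Name, Server List and Server SPN List rules above are easy to get subtly wrong (an SPN count that does not match the server count, a Kerberos service on a Group Certificate Sentry). The following is an added example, not MobileIron code, that checks one App Tunneling Configuration row against those rules before you click Save and shows which SPN each server will be paired with. The TunnelService record layout and field names are assumptions made for the example.

```python
from dataclasses import dataclass

INVALID_SERVICE_CHARS = set(' \\;*?<>"|')     # characters the page lists as invalid
WILDCARD_SERVICES = {"<ANY>", "<CIFS_ANY>"}


@dataclass
class TunnelService:
    """One row of the App Tunneling Configuration table (layout is an assumption)."""
    name: str
    server_auth: str                 # "Pass Through" or "Kerberos"
    device_auth: str                 # "Identity Certificate" or "Group Certificate"
    server_list: str = ""            # "host:port;host:port"
    server_spn_list: str = ""        # "spn;spn", optional
    is_cifs: bool = False            # service fronts CIFS content servers


def split_list(value):
    """Split a semicolon-separated field, ignoring blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_server(entry):
    """Return (host, port) for a Server List entry such as host.example:443."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"server entry {entry!r} must be host:port")
    return host, int(port)


def validate_service(svc):
    """Return the list of problems found; an empty list means the row is consistent."""
    problems = []
    if svc.name not in WILDCARD_SERVICES:
        bad = sorted(set(svc.name) & INVALID_SERVICE_CHARS)
        if bad:
            problems.append(f"service name contains invalid characters {bad}")
        if svc.is_cifs and not svc.name.startswith("CIFS_"):
            problems.append("CIFS service name must begin with CIFS_")
    if svc.server_auth == "Kerberos" and svc.device_auth != "Identity Certificate":
        problems.append("Kerberos server auth requires Identity Certificate device auth")
    servers = split_list(svc.server_list)
    for entry in servers:
        try:
            parse_server(entry)
        except ValueError as exc:
            problems.append(str(exc))
    spns = split_list(svc.server_spn_list)
    if svc.name in WILDCARD_SERVICES:
        if servers or spns:
            problems.append("Server List and Server SPN List are not applicable to <ANY>/<CIFS_ANY>")
    elif svc.server_auth == "Kerberos" and spns and len(spns) != len(servers):
        problems.append(f"{len(spns)} SPNs listed for {len(servers)} servers")
    return problems


def effective_spns(svc):
    """Pair each server with the SPN the Sentry will obtain a ticket for:
    the SPN list in order, or each server's own host name when the list is empty."""
    servers = [parse_server(entry)[0] for entry in split_list(svc.server_list)]
    spns = split_list(svc.server_spn_list) or servers
    return list(zip(servers, spns))
```

Note that the page's own sample name "Human Resources" contains a space, which the stated invalid-character list rejects; the check follows the stated rule, so confirm what your Sentry version actually accepts before relying on names with spaces.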

Set up a device passcode


In the security policy that you apply to the device, require a device passcode. A device passcode enables iOS data protection, which is necessary for Web@Work to encrypt browser data.
To set up a device passcode:
1. On the Admin Portal, go to Policies & Configs > Policies.
2. Select the security policy that applies to the devices that you want to run Web@Work.
3. Click Edit.
4. For the Password option, select Mandatory.
5. Fill in the remaining options relating to passwords.
6. Click Save.
7. Repeat steps 2 through 6 for all security policies that apply to devices that you want to run Web@Work.
For detailed information about security policies, see Working with security policies on page 147.

Configure an AppConnect global policy


Because Web@Work is an AppConnect app, configure an AppConnect global policy. On this policy, you configure AppConnect global settings, which are settings that are not specific to an AppConnect app. For example, you configure the AppConnect passcode requirements.
You also configure default data loss prevention policies. However, Web@Work supports only the Allow Copy/Paste To option. Enabling the other options has no impact on Web@Work.
Note: Make sure only one AppConnect global policy applies to each device.
To configure an AppConnect global policy:
1. In the VSP Admin Portal, select Policies & Configs > Policies.
2. Select Add New > AppConnect. If you already have an AppConnect global policy, select it, and click Edit.
3. Fill in the fields as described in Configuring the AppConnect global policy on page 484.
4. Click Save.
5. Apply the appropriate labels to the AppConnect global policy. If you are using the default AppConnect global policy, it automatically applies to all devices.

Configure an AppConnect container policy for Web@Work


An AppConnect container policy is typically necessary to authorize a device user to use Web@Work. It also allows you to override the AppConnect global policy's data loss protection settings.
Note: You can also authorize device users to use Web@Work on the AppConnect global policy by selecting the option to authorize apps without an AppConnect container policy.
Note: Make sure only one AppConnect container policy for Web@Work applies to each device.
To configure an AppConnect container policy for Web@Work:
1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select Add New > AppConnect > Container Policy.
3. Enter a name for the policy. For example, enter Web@Work container policy.
4. Enter a description for the policy.
5. In the Application field, enter com.mobileiron.securebrowser.
6. Select the data loss protection settings you want for Web@Work.
Note: Web@Work supports only the Allow Copy/Paste To option. Enabling the other options has no impact on Web@Work. Regarding the open in feature, Web@Work does not allow the device user to open a downloaded document in another app.
7. Select Save.
8. Select the Web@Work container policy.
9. Select More Actions > Apply To Label.
10. Select the labels to which you want to apply this policy.
11. Click Apply.
Be sure to apply one of the labels that you selected to the device. To check the device's labels:
1. Go to Users and Devices > Devices.
2. Select the device.
3. In the Device Details Pane, select Label Membership.
To add a label to the device:
1. Select the device.
2. Select More Actions > Apply To Label.
3. Select the labels to apply to the device.
4. Click Apply.

Configure AppTunnel and Bookmarks for Web@Work


Web@Work uses the AppTunnel capability to provide secure access to web sites behind your firewall. A device user can use Web@Work only if you have set up AppTunnel for Web@Work.
Setting up AppTunnel for Web@Work requires:
- A Standalone Sentry configured to support AppTunnel for Web@Work. See Set up a Standalone Sentry to support AppTunnel for Web@Work on page 529.
- A Web@Work app setting applied to the devices that use Web@Work.
The Web@Work app setting is also where you configure Web@Work browser bookmarks. You list the secure web sites that Web@Work automatically sets up as browser bookmarks for the device user.
Note: Make sure only one Web@Work app setting applies to each device.
To configure a Web@Work app setting:
1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > Web@Work.
Use the following guidelines to create or edit a Web@Work app setting:

Name: Enter brief text that identifies this Web@Work app setting.

Description: Enter additional text that clarifies the purpose of this Web@Work app setting.

Application: The application is set to Web@Work for you.

AppTunnel: Configure AppTunnel settings for Web@Work. First, configure the Standalone Sentry to support AppTunnel. See Set up a Standalone Sentry to support AppTunnel for Web@Work on page 529. When Web@Work tries to connect to the host URL and port configured here, the Sentry creates a tunnel to the Service. To add an AppTunnel entry, click +. To delete an AppTunnel entry, click -.

URL Wildcard: Typically, for the Web@Work AppTunnel, enter, for example, *.yourcompanyname.com or www.yourcompanyname.com*. Do not include a URI scheme, such as http:// or https://, in the URL Wildcard field. Note: You can enter a wildcard * in this field only if you configure a service name <ANY> or <CIFS_ANY> on the Standalone Sentry. The Standalone Sentry tunnels the Web@Work data to any servers that Web@Work requests that match the value that you enter here. If Web@Work requests a server that does not match the value of any of the AppTunnel entries in the Web@Work app setting, tunneling does not occur. In this case, if the requested server is behind your firewall, Web@Work informs the device user that it cannot access the requested server. If you want finer granularity regarding what requests the Standalone Sentry tunnels, configure multiple AppTunnel entries.

Port: Enter the port number that Web@Work should connect to if the service name on the Standalone Sentry is not <ANY>. This field is ignored when the service name is <ANY> or <CIFS_ANY>. If Web@Work requests to access a URL and port number that matches the URL Wildcard field and this port number, the Web@Work data is tunneled.

Sentry: Select the Standalone Sentry that you want to tunnel the URLs listed in this AppTunnel entry. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.

Service: Select a Service Name from the drop-down list. Typically, for Web@Work, the service is <ANY> or <CIFS_ANY>. This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry. If the service on the Sentry is configured with its Server Auth set to Kerberos, Web@Work uses Single Sign On for the enterprise server. That is, the device user does not enter any further credentials when Web@Work accesses the enterprise app server.

Identity Certificate: Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling. For more information, see SCEP settings on page 237 and Certificates settings on page 236.

Bookmarks: Specify the bookmarks that you want to appear automatically in the Bookmarks screen of Web@Work. To add a bookmark, click +. To delete a bookmark, click -. The bookmarks appear in the Bookmarks screen of Web@Work in the same order that they appear in the Web@Work app setting. To change the ordering, drag the bookmarks in the Web@Work app setting.

Bookmark: Enter the name of the bookmark. The name is any string that describes the URL that the bookmark points to. For example: Sales information

Address: Enter the URL for the bookmark. For example: https://sales.mySecureCompany.com

3. Click Save.
4. Select the new Web@Work app setting.
5. Select More Actions > Apply To Label.
6. Select the labels to which you want to apply this Web@Work app setting.
7. Click Apply.
Be sure to apply one of the labels that you selected to the appropriate devices.
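The URL Wildcard and Port rules above decide whether a given browser request is tunneled at all. The following added example, which is not MobileIron code, models that decision for a list of AppTunnel entries so you can check a planned app setting against the hosts users actually need. The AppTunnelEntry layout and the use of glob semantics for the * wildcard are assumptions; the page only shows * as a wildcard and does not define the exact matching rule.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

WILDCARD_SERVICES = ("<ANY>", "<CIFS_ANY>")


@dataclass
class AppTunnelEntry:
    """One AppTunnel entry of a Web@Work app setting (layout is an assumption)."""
    url_wildcard: str        # e.g. "*.yourcompanyname.com"; no scheme
    service: str             # "<ANY>", "<CIFS_ANY>" or a named Sentry service
    port: int = 0            # only consulted for a named service
    sentry: str = ""         # Standalone Sentry that terminates the tunnel


def validate_entry(entry):
    """Apply the two field rules the page states for URL Wildcard."""
    problems = []
    if "://" in entry.url_wildcard:
        problems.append("URL Wildcard must not include a URI scheme")
    if "*" in entry.url_wildcard and entry.service not in WILDCARD_SERVICES:
        problems.append("a * wildcard requires service <ANY> or <CIFS_ANY> on the Sentry")
    return problems


def request_target(url):
    """Host and effective port of a browser request (default 443/80 by scheme)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port


def matches(entry, url):
    """True when the Sentry would tunnel this request through the entry."""
    host, port = request_target(url)
    # glob semantics for * are an assumption made for this example
    if not fnmatchcase(host, entry.url_wildcard.lower()):
        return False
    if entry.service in WILDCARD_SERVICES:
        return True                  # Port field is ignored for <ANY>/<CIFS_ANY>
    return port == entry.port


def select_tunnel(entries, url):
    """First matching entry, or None: the request is not tunneled, and an
    internal host is then reported as unreachable by Web@Work."""
    for entry in entries:
        if matches(entry, url):
            return entry
    return None
```

Under glob semantics a trailing wildcard such as www.yourcompanyname.com* also matches any longer host name that merely starts with that prefix, so prefer the *.yourcompanyname.com form and add separate entries for finer control, as the page suggests.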

Company Confidential
537

Web@Work for iOS

Add Web@Work to the app distribution library


You can make Web@Work available to device users as a recommended app in the app distribution library in the VSP Admin Portal. For information about adding iOS apps to the app distribution library, see Working with apps for iOS devices on page 395.

Section III: System Management


Chapter 18

Overview of System Manager


Introduction to System Manager


After installation, most configuration tasks are performed in the System Manager portion of the MobileIron Admin Portal. The System Manager enables you to:
- complete the configuration steps necessary to implement the MobileIron VSP
- manage basic network settings established during installation
- manage how MobileIron fits into your infrastructure
- upgrade the VSP
- troubleshoot VSP issues
- perform basic maintenance tasks

Getting started
Starting System Manager
To start System Manager:
1. Enter the following URL:
https://<fully_qualified_hostname>/mics
2. Enter the user ID and password of a System Manager user. The user created during setup is valid, as well as any users created in the System Manager under Security > Local Users. The user ID is case sensitive.
3. Click SIGN IN.

Starting System Manager from Admin Portal
If you have logged into Admin Portal, you can click the System Mgr link at the top of the screen to start System Manager.

Logging out
Select the Sign Out link in the upper right corner to exit.

Saving a configuration
If you want to save configuration settings in the System Manager, click the Save link in the upper right corner of the System console.
Why: System Manager does not automatically save changes you make to system settings. Though these settings are retained if you log out, rebooting the MobileIron VSP without saving these settings would return the VSP to its previously saved configuration.


Chapter 19

Configuring VSP System Settings


Overview
The Settings page in System Manager contains links for configuring the VSP. The following table summarizes the tasks associated with each link.

Network: Interfaces
- Change physical interface settings
- Add VLAN interfaces
- Change VLAN interfaces

Network: Routes
- Change the default gateway
- Route through different gateways

DNS and Hostname
- Change DNS servers

Static Hosts
- Edit the host list for the VSP

Date and Time (NTP)
- Change the time source used by the VSP

CLI
- Change the Enable Secret set during installation
- Enable/Disable ssh and telnet access
- Change ssh/telnet settings

Syslog
- Configure Syslog servers

SNMP
- Configure SNMP servers

Email Settings
- Configure SMTP settings for communication between the VSP and devices

Port Settings
- Change default port configuration for the VSP

Data Purge
- Configure automated data purging

Services
- Enable/Disable VSP and MAI services


Interfaces
The Settings > Interfaces screen enables you to change parameters for the network interface points for the VSP:
- physical and VLAN interfaces
- static routes

Managing network interfaces
You configure a physical network interface as part of the installation process. You can use the Interfaces screen to:
- Edit the physical interface settings specified during installation
- Add physical interfaces
- Add VLAN interfaces
- Change VLAN interfaces

Changing physical interfaces
To change a physical interface:
1. Click the interface name.
2. Change any or all of the following fields:

IP: Enter the IP address of the physical network interface. Unless you are configuring a standalone implementation for a small trial, you should specify at least one physical interface.

Mask: Enter the netmask of the physical network interface.

ACL Name: Select an Access Control List for this interface. See Access Control Lists on page 583.

Admin State: To enable this interface for use with the MobileIron system, click Enable. To temporarily prevent use of this interface with the MobileIron system, click Disable.

3. Click Save.

Adding VLAN interfaces


Virtual Local Area Network (VLAN) interfaces are optional interfaces you can configure on the MobileIron VSP to manage bandwidth and load balancing.
To add a VLAN interface:
1. Click Add VLAN.
2. Use the following guidelines to complete the configuration:

VLAN ID: Specify a number between 2 and 4094.

IP Address: Enter the IP address for this VLAN interface.

Mask: Enter the netmask for this VLAN interface.

Physical Interface: Select the physical interface that corresponds to this VLAN interface.

ACL Name: Select an Access Control List for this interface. See Access Control Lists on page 583.

Admin State: To enable this interface, click Enable. To temporarily suspend use of this VLAN, click Disable.

3. Click Save.

Deleting a VLAN interface
To delete a Virtual Local Area Network (VLAN) interface:
1. Select the VLAN you want to remove.
2. Click Delete VLAN.


Routes
The Settings > Network > Routes screen enables you to create and maintain static network routes within the enterprise.

Adding network routes
To add a route:
1. Click Add.
2. Use the following guidelines to complete the fields:

Network: Enter the network IP address.

Mask: Enter the subnet mask.

Gateway: Enter the IP address for the gateway.

3. Click Save.

Deleting network routes
To delete a route:
1. Select the entry.
2. Click Delete.
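A mistyped netmask, a VLAN ID outside 2 to 4094, or a gateway that is not on any directly connected subnet is saved without complaint by the forms above and can leave the appliance unreachable. The following added example, not MobileIron code, checks the values for the Interfaces, VLAN and Routes screens with the standard library ipaddress module before you click Save. The argument shapes (dotted-quad masks, a list of (ip, mask) pairs for the configured interfaces) are assumptions made for the example.

```python
import ipaddress


def interface_network(ip, mask):
    """Subnet an interface lives on; raises ValueError for a bad IP/mask pair.
    Masks may be given as dotted quads (255.255.255.0) or prefix lengths (24)."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def check_vlan(vlan_id, ip, mask):
    """Problems with an Add VLAN form (empty list = nothing found)."""
    problems = []
    if not isinstance(vlan_id, int) or not 2 <= vlan_id <= 4094:
        problems.append(f"VLAN ID {vlan_id!r} must be between 2 and 4094")
    try:
        interface_network(ip, mask)
    except ValueError as exc:
        problems.append(f"bad IP/mask: {exc}")
    return problems


def check_route(network, mask, gateway, interfaces):
    """Problems with a static route. `interfaces` is a list of (ip, mask) for the
    physical and VLAN interfaces already configured; the gateway must sit on one
    of their subnets or the route can never be used."""
    problems = []
    try:
        # strict parsing rejects a "network" that is really a host address
        ipaddress.IPv4Network(f"{network}/{mask}")
    except ValueError as exc:
        problems.append(f"bad network/mask: {exc}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"bad gateway address {gateway!r}")
        return problems
    subnets = [interface_network(ip, m) for ip, m in interfaces]
    if not any(gw in subnet for subnet in subnets):
        problems.append(f"gateway {gw} is not on any configured interface subnet")
    return problems
```

The default route is entered as network 0.0.0.0 with mask 0.0.0.0 and passes the network check; the gateway check is what catches the common mistake of pointing it at a router on a subnet the appliance is not attached to.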


DNS and Hostname


The DNS and Hostname screen displays the hostname, default domain, and DNS information entered during installation. Use this screen to:
- Change the hostname
- Change the default domain
- Change or add DNS servers

1. Use the following guidelines to complete the fields:

Host name: Specify the fully-qualified host name for the appliance.

Default Domain: Specify the default domain for the appliance.

Preferred DNS Server: Specify the IP address of the primary DNS server to use.

Alternate DNS Server 1: Specify the IP address of an optional alternate DNS server.

Alternate DNS Server 2: Specify the IP address of an optional alternate DNS server.

2. Click Save.


Static Hosts
The Static Hosts page enables you to edit the hosts file. Use this feature in the following cases:
- DNS is not available or does not resolve the necessary names
- DNS resolves the hostname to the external IP, but you want the traffic to go via the internal IP

Adding hosts
To add a host:
1. Click the Add button.
2. Use the following guidelines to complete the displayed fields:

IP Address: The IP address for the host you are adding.

FQDN: The fully-qualified domain name for this host, as in appdoc1.mycompany.com.

Alias: The alias for this host.

3. Click Save.

Editing hosts
To edit a host, click the IP address for the host displayed in the Static Hosts screen.

Deleting hosts
To delete a host:
1. In the Static Hosts screen, select the host to be deleted.
2. Click the Delete button.


Date and Time (NTP)


The Date and Time screen displays any NTP information specified during installation. This is an optional portion of the configuration, but it is highly recommended due to the effect of database timestamps on the behavior of the system, as well as on the quality of reporting. Currently, only UTC time display is supported. If you choose to use a local time source instead, then you can specify the date in this screen.

To change your date and time configuration:
1. Use the following guidelines to complete the fields:

Time Source: Select NTP if you intend to specify one or more NTP servers. Select Local if you intend to set the system time for the MobileIron Server.

If you select NTP:

Primary Server: Specify the IP address or fully-qualified host name for the NTP server to use.

Secondary Server: Specify the IP address or fully-qualified host name for the first failover NTP server to use.

Tertiary Server: Specify the IP address or fully-qualified host name for the second failover NTP server to use.

If you select Local:

Date: Enter the current date.

Time: Enter the current time.

2. Click Save.


CLI
The CLI screen displays the command line interface access settings specified during configuration. Use this screen to alter these settings.

1. Use the following guidelines to complete the fields:

Enable Secret: Click the Change Enable Secret link to specify the password required to access important functions in the CLI.

Confirm Enable Secret: Re-enter the specified password to confirm. This field displays only if you click the Change Enable Secret link.

CLI Session Timeout: Specify the duration of inactivity on the Telnet or SSH connection that should cause the session to time out.

SSH: Select Enable if you want to allow SSH access to the MobileIron Administration tool.

Max SSH Sessions: Specify the maximum number of simultaneous SSH sessions to allow.

Telnet: Select Enable if you want to allow Telnet access to the MobileIron Administration tool.

Max Telnet Sessions: Specify the maximum number of simultaneous Telnet sessions to allow.

2. Click Save.


Syslog
Use the Syslog screen to configure any remote log servers you have set up on your network. Logs are then written to both the syslog location and the local log location.

To add a syslog entry:
1. Click Add.

Server: Enter the IP address or host name for the remote log server.

Log Level: Select the log level from the displayed list.

Admin State: Select Enable from the dropdown list to apply these settings to your current configuration. Select Disable to suspend use of the configured log server.


SNMP
Use the SNMP screen to manage SNMP trap receivers. MobileIron currently supports link up/down traps and the host-resources MIB file.

Enabling the SNMP service
The SNMP service is turned off by default. To turn it on:
1. Select Enable in the SNMP Control section.
2. Click Apply.

Editing the Read only community string
The default community string for the SNMP is set to public. To change this string:
1. Edit the default string.
2. Click Apply.

Adding a trap receiver
To add an SNMP trap receiver:
1. In the SNMP screen, click Add.
2. Complete the form.
3. Click Save.

Editing a trap receiver
To edit an SNMP trap receiver:
1. In the SNMP screen, select the link for the trap receiver you want to edit.
2. Make your changes.
3. Click Save.

Deleting a trap receiver
To delete an SNMP trap receiver:
1. In the SNMP screen, select the link for the trap receiver you want to delete.
2. Click Delete.


Email Settings
Use the Email Settings screen in the System Manager portion of the portal to set up the SMTP server access required for MobileIron email alerts, such as policy violation alerts. In the US and certain other countries, the SMTP server settings are also required for alerts sent via SMS. In a few cases, the SMTP server may be used to transmit a control command to certain devices.
1. From the Settings screen, click the Email Settings link in the navigation pane.
2. Use the following guidelines to complete the form.

From Email: Specify the email address to use in the From field for all administrative email notifications.

SMTP Server: Specify the IP address or fully-qualified host name for the SMTP server the MobileIron Server will use.

SMTP Server Port: Specify the port configured for the SMTP server.

Protocol: If the SMTP server you are configuring is a secured server, that is, it uses the SMTPS protocol, then select the SMTPS button. Otherwise, leave SMTP selected.

Authentication Required: Specify whether this SMTP server requires authentication. In most cases, this field will be set to Yes.

User Name: If you select Yes for Authentication Required, then this field displays. Enter the user name required for SMTP authentication.

Password: If you select Yes for Authentication Required, then this field displays. Enter the password required for SMTP authentication.

Confirm Password: If you select Yes for Authentication Required, then this field displays. Confirm the password required for SMTP authentication.

3. Click the Test button.
4. Enter an email address and body for the test email.
5. Click OK.
6. Confirm that the email arrives as expected.
7. Click Save.

Optional SMS configuration: Syscomm phone
MobileIron uses SMS messages to:
- provision devices with the MobileIron Client
- send alerts and notifications
- wipe devices for some platforms
Email provides an alternative to SMS for each of these actions except wipe. Therefore, MobileIron offers an optional SMS configuration consisting of special devices called Syscomm phones. These components of a MobileIron implementation act as SMS proxies.
See the VSP Administration Guide for details on setting up a Syscomm phone.


Port Settings
Use the Port Settings screen to change settings, if necessary, for the following MobileIron services:
- Sync Service
- Sync TLS
- Help Desk
- Provisioning

Each must have a unique port. Changes to the default settings are seldom necessary. Making changes to these settings requires re-registering phones, so use caution when making changes.
Provision protocol (http/https) is also specified in this screen. Port 443 is entered automatically for https and cannot be changed. Note that changing this protocol does not automatically change the associated port. You must manually specify 443 for the https provisioning port, or 8080 for the http provisioning port.
Modifying the values for the Provision Protocol or Provisioning Port fields updates the Local CA URLs for the CRL distribution point and the CA certificate access location for newly issued certificates. Previously generated certificates will continue to reference the old location.
To use the new values for these fields, remove the previously issued certificates from MIFS > Log > Certificate Log. VSP pushes the updated setting to the device(s) on the next device check-in.
If you change the provisioning port after generating a certificate signing request, you must generate a new CSR and replace the old certificate with the newly returned certificate in Admin Portal in Settings > Local Certificate Authorities.

Note: Port 9999 is unnecessary in most instances, as the sync service is generally configured to use TLS (over 9997). Therefore, 9999 is not listed in the ports that must be opened before installation. Should you configure the sync service to use 9999, then you must open port 9999.
Note: The Provisioning Protocol and Provisioning Port settings do not apply to Windows Phone 8 (WP8) devices. WP8 devices use https and port 443.
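Because the screen does not change the provisioning port when you switch the protocol, and because a port change has consequences beyond the form itself (phone re-registration, stale Local CA URLs in already issued certificates), it helps to review a proposed change before saving it. The following added example, which is not MobileIron code, encodes the rules stated in this section. The settings dictionary layout, the sample port values (constructed, not MobileIron defaults) and the reading of the Sync Service field as the non-TLS sync port are assumptions made for the example.

```python
SERVICES = ("sync_service", "sync_tls", "help_desk", "provisioning")
PROVISION_PORT = {"https": 443, "http": 8080}   # protocol/port pairing stated on the page
PLAINTEXT_SYNC_PORT = 9999                       # TLS sync normally runs on 9997


def check_port_settings(settings):
    """Problems with a proposed Port Settings form (empty list = consistent)."""
    problems = []
    ports = [settings[service] for service in SERVICES]
    if len(set(ports)) != len(ports):
        problems.append("each service must have a unique port")
    proto = settings["provision_protocol"]
    expected = PROVISION_PORT.get(proto)
    if expected is None:
        problems.append(f"unknown provision protocol {proto!r}")
    elif settings["provisioning"] != expected:
        problems.append(
            f"provisioning port {settings['provisioning']} does not match {proto} "
            f"(expected {expected})")
    return problems


def impact_of_change(old, new):
    """Follow-up actions the page calls for after saving `new` in place of `old`."""
    actions = []
    if any(old[service] != new[service] for service in SERVICES):
        actions.append("re-register phones")
    if (old["provision_protocol"], old["provisioning"]) != \
            (new["provision_protocol"], new["provisioning"]):
        actions.append("remove previously issued certificates from MIFS > Log > "
                       "Certificate Log so devices receive the new Local CA URLs at next check-in")
        actions.append("regenerate the CSR and replace the certificate under Settings > "
                       "Local Certificate Authorities if a CSR predates the change")
    if new["sync_service"] == PLAINTEXT_SYNC_PORT:
        # assumption: the Sync Service field is the non-TLS sync listener
        actions.append("open port 9999 on the firewall (sync configured for the non-TLS port)")
    return actions
```

The WP8 exception noted above is not modelled: those devices always use https on 443 regardless of the provisioning fields.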


Data Purge
The MobileIron VSP stores significant amounts of data, such as:
- call records
- SMS records
- data records
- backup snapshots
- log files
- client logs
- notification tables

Every four hours, the VSP automatically purges client logs and notification tables. You can automatically or manually purge the remaining stored data. Purging enables you to:
- manage system storage
- fulfill corporate or legal requirements for data disposal
For example, a production system managing thousands of phones can exhaust available system storage. In addition, certain industries and countries must adhere to legal mandates requiring purging of data after a number of years.
MobileIron provides a data purging feature that enables you to:
- turn auto-purging on/off
- configure auto-purging based on system storage usage or the age of the data
- specify what gets purged
- set up a system storage alert if space falls below a defined level
- manually purge data

You can configure auto-purging based on either the amount of system storage used or the age of the data stored. To configure auto-purging:
1. In System Manager, go to Settings > Data Purge.
2. Set Auto Purge to ON or OFF.
3. To purge data based on the amount of remaining system storage:
   a. Select Delete data older than.
   b. Specify the number of days to use as a baseline for the age of the data to be purged.
   c. Specify the percentage of system storage capacity that should trigger the purge.
4. To purge data based on the age of the data:
   a. Select Keep data no more than.
   b. Specify the number of days to keep data before auto-purging.
5. Use Purge Daily at to specify the time of day at which the purge should happen. Note that the selected time is based on the VSP system time.
6. Click Apply.
7. See Specifying what gets purged on page 567 for information on selecting the types of data to be purged.
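The two auto-purge modes in steps 3 and 4 differ in when they act: Delete data older than only fires once storage use reaches the configured percentage, while Keep data no more than removes aged records on every daily run. The following added example, not MobileIron code, simulates one daily run under each mode so the retention outcome of a given setting can be checked against a record sample. The record tuples and the NOW timestamp are constructed for the example; client logs are left out because the VSP purges those on its own four-hour cycle.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, kind, size_bytes). The kinds mirror
# the Data to Purge checkboxes described in the next section.
NOW = datetime(2013, 8, 7, 2, 0)
RECORDS = [
    (NOW - timedelta(days=400), "call_records", 120),
    (NOW - timedelta(days=400), "sms_records", 80),
    (NOW - timedelta(days=400), "log_files", 5000),
    (NOW - timedelta(days=10), "call_records", 60),
    (NOW - timedelta(days=10), "device_file_snapshots", 9000),
]


def select_for_purge(records, now, mode, days, kinds, used_pct=None, threshold_pct=None):
    """Return the records one daily run would delete.

    mode "delete_older_than": records older than `days` are removed only when
    storage use (`used_pct`) has reached `threshold_pct`.
    mode "keep_no_more_than": records older than `days` are removed on every run.
    `kinds` is the set of Data to Purge types that are checked."""
    if mode == "delete_older_than":
        if used_pct is None or threshold_pct is None:
            raise ValueError("delete_older_than needs used_pct and threshold_pct")
        if used_pct < threshold_pct:
            return []                       # below the trigger: nothing purged this run
    elif mode != "keep_no_more_than":
        raise ValueError(f"unknown mode {mode!r}")
    cutoff = now - timedelta(days=days)
    return [rec for rec in records if rec[1] in kinds and rec[0] < cutoff]


def bytes_freed(purged):
    """Storage reclaimed by a purge selection."""
    return sum(size for _, _, size in purged)
```

For a retention mandate (data must be gone after N days) the storage-triggered mode is the wrong choice, since a lightly loaded system may never reach the threshold; the simulation makes that visible as an empty selection.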

Specifying what gets purged

Use the Data to Purge section to specify the types of data to be removed.

Select or clear checkboxes to indicate whether the following types of data should be
purged:

Call Records            Voice call information
SMS Records             Text message information
Data Records            Data transfer information
Log Files               System log files (archived logs only)
Device File Snapshots   Backup snapshots of device files

Checking actual system storage

To determine the actual space used and available for system storage:
1. In System Manager, go to Settings > Data Purge or Maintenance > System Storage.
2. Hover over the System Storage bar to see a popup indicating the actual storage
   usage and capacity.

Setting up the system storage alert

You can set up a System Event to alert you when system storage reaches the level
specified. You can use this alert, for example, to indicate the need for manual purging
or to prompt personnel to confirm successful auto-purging.

To set up the system storage alert:
1. In Admin Portal, click Event Center > All Events.
2. Click Add New > System Event.
3. Select System storage threshold has been reached.

Manual purging

You can perform ad hoc data purging. See Manually purging data (system storage)
on page 600 for information.

Services

Use the Settings > Services screen to enable or disable the following MobileIron
services:

- VSP: Core MobileIron service.
- MAI: Mobile Activity Intelligence service. Disabled by default.
- Atlas: Atlas reporting console. See the Atlas Administration Guide for more
  information.

Chapter 20

Configuring VSP Security Settings

Overview

The Security page in System Manager contains links for configuring aspects of VSP
access. The following table summarizes the tasks associated with each link.

Link                                     Tasks
Identity Source: Local Users             Create, delete, and manage local users for
                                         System Manager.
Certificate Mgmt                         View and manage certificates for Portal HTTPS,
                                         Client TLS, and iOS Enrollment.
Access Control Lists: Networks & Hosts   Create and manage entries for networks and
                                         hosts.
Access Control Lists: Network Services   Create and manage entries for network services.
Access Control Lists: ACLs               Compile access control lists.
Access Control Lists: Portal ACLs        Compile access control lists for specific VSP
                                         components.

Identity Source > Local Users

The System Manager has a separate user database from the Admin Portal. The user
you specify when you install the VSP is created as a separate user in each database.
All users in the System Manager database are local users having the following
privileges, which cannot be changed:

- Command Line Interface (CLI)
- System Manager access

Adding local users for System Manager

To add a local user for System Manager:
1. With the Security page displayed, click Local Users.
2. Click the Add button.
3. Use the following guidelines to complete the form:

   Field              Description
   User ID            Enter the unique identifier to assign to this user. The user ID is
                      case sensitive.
   First Name         Enter the user's first name.
   Last Name          Enter the user's last name.
   Password           Enter a password for the user.
                      - Passwords must have at least 8 characters.
                      - Passwords must contain at least 1 alphabetic character.
                      - Passwords must contain at least 1 numeric character.
                      - Passwords cannot have 4 or more repeating characters.
                      - Passwords cannot be the same as the user ID.
                      - Passwords may contain Unicode characters, except for CLI
                        access.
                      - Users cannot change a password more than once during a
                        24 hour period.
   Confirm Password   Confirm the password for the user.
   Group              This field is not configurable.
   Email              Enter the user's email address.

4. Click Apply.
5. Click Save.
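The password rules from the form above, implemented as a pre-check you could run before creating or rotating a System Manager local user. This is an added example, not MobileIron code; it assumes that "4 or more repeating characters" means four identical characters in a row, and that non-ASCII characters are rejected for any account that will use the CLI (which every local user here has).

```python
import re
from datetime import datetime, timedelta


def check_local_user_password(password, user_id, cli_access=True):
    """Return the list of Local Users password rules the candidate violates.

    An empty list means the password is acceptable. cli_access defaults to True
    because every System Manager local user has CLI privileges; Unicode is only
    acceptable for an account that never logs in through the CLI.
    """
    problems = []
    if len(password) < 8:
        problems.append("must have at least 8 characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("must contain at least 1 alphabetic character")
    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least 1 numeric character")
    # Assumption: "4 or more repeating characters" means a run of 4 identical characters.
    if re.search(r"(.)\1{3,}", password):
        problems.append("cannot have 4 or more repeating characters")
    if password == user_id:
        problems.append("cannot be the same as the user ID")
    if cli_access and not password.isascii():
        problems.append("may contain Unicode characters only if the account has no CLI access")
    return problems


def password_change_allowed(last_changed_iso, now_iso):
    """Users cannot change a password more than once in a 24 hour period.

    Both arguments are ISO 8601 timestamps, e.g. "2013-08-07T09:00:00".
    """
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= timedelta(hours=24)


if __name__ == "__main__":
    # Constructed sample candidates, checked against a hypothetical user ID "admin".
    for candidate in ("Passw0rd!", "aaaa1234b", "admin", "P\u00e4ssw0rd1"):
        print(repr(candidate), check_local_user_password(candidate, "admin") or "ok")
    print(password_change_allowed("2013-08-07T09:00:00", "2013-08-07T20:00:00"))
```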

Editing local users for System Manager

To edit a local user:
1. With the Security page displayed, click Local Users.
2. Select the user ID of the entry to display the information for that user.
3. Make your changes.
   Note: You cannot change the user ID.
4. Click Apply.
5. Click Save.

Deleting local users for System Manager

To delete a local user:
1. With the Security page displayed, click Local Users.
2. Select the checkbox for the user you want to delete.
3. Click Delete.
   Note: You cannot delete the user ID you logged in with.
4. Click Save.

Certificate Mgmt

Use the Certificate Mgmt feature to fulfill certificate requirements your organization
may have for the MobileIron appliances or the TLS client. You can:

- Generate a self-signed certificate
- Generate a CSR for a certificate authority

You should also use this page to upload the required certificates.

Note: When you update a certificate, you are prompted to confirm that you want to
proceed because the HTTP service needs to be restarted, resulting in service
disruption.

To generate a self-signed certificate

You can generate a self-signed certificate for:

- the MobileIron iOS Mobility Management Best Practices
- MobileIron Sentry configurations
- the MobileIron Client for use with TLS

To generate a self-signed certificate:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
   Client, click the Manage Certificate link for Client TLS.
3. Select Generate Self-Signed Certificate from the dropdown list.
4. Click the Generate Self Signed Certificate button.

To generate a certificate signing request (CSR)

The following table summarizes the requirements and related information for each
component of a MobileIron deployment.

Component           Requirements
Appliance           Private key file, certificate file, and root CA certificate file;
                    without password
Sentry Standalone   Private key file, certificate file, and root CA certificate file;
                    without password
Sentry Integrated   Without password
Client              Private key file, certificate file, and root CA certificate file;
                    without password

To generate a CSR:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
   Client, click the Manage Certificate link for Client TLS.
3. Select Generate CSR from the dropdown list.
4. Use the following guidelines to complete the displayed form:

   Field         Description
   Common Name   Enter the server host name.
   E-Mail        Enter the email address of the contact person in your organization
                 who should receive the resulting certificate.
   Company       Enter the name of the company requesting the certificate.
   Department    Enter the department requesting the certificate.
   City          Enter the city in which the company is located.
   State         Enter the state in which the company is located.
   Country       Enter the two-character abbreviation for the country in which the
                 company is located.
   Key Length    Select 1024 or 2048 to specify the length of each key in the pair.
                 Longer keys provide stronger security, but may impact performance.
                 Note: 1024-bit RSA keys are no longer considered adequate by current
                 guidance; select 2048 unless a specific compatibility constraint
                 prevents it.

5. Click Generate.
   A message similar to the following displays.
6. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE
   REQUEST to a text file.
7. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY to
   another text file.
   This file is the private key that pairs with the certificate: protect it like any
   other secret, and keep it for the upload step.
8. Click Close.
9. Submit the file you created in step 6 to the certifying authority.
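Steps 6 and 7 above ask you to separate the two PEM blocks by hand; the following added example (not MobileIron code) does that split, refuses a password-protected key, which the requirements table says must not be used, and writes the key file with owner-only permissions. The dialog text is a constructed sample with placeholder bodies, not real key material.

```python
import os
import re

# Constructed sample of the text the Generate step displays. The base64 bodies are
# placeholders, not real key material.
SAMPLE_DIALOG_TEXT = """Generated CSR and private key:
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDERCSRBODYLINE1
PLACEHOLDERCSRBODYLINE2
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODYLINE1
PLACEHOLDERKEYBODYLINE2
-----END RSA PRIVATE KEY-----
"""

# One PEM block: the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY")


def split_pem_blocks(text):
    """Return {label: normalized PEM block} for every block found in text."""
    blocks = {}
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2).strip()
        blocks[label] = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    return blocks


def key_is_password_protected(key_pem):
    """True for an encrypted key: PKCS#8 uses the ENCRYPTED PRIVATE KEY label, the
    traditional OpenSSL format adds a Proc-Type: 4,ENCRYPTED header line."""
    first_line = key_pem.split("\n", 1)[0]
    return "ENCRYPTED" in first_line or "Proc-Type: 4,ENCRYPTED" in key_pem


def extract_csr_and_key(text):
    """Return (csr_pem, key_pem) from the dialog text, or raise ValueError."""
    blocks = split_pem_blocks(text)
    csr = blocks.get("CERTIFICATE REQUEST")
    key = next((blocks[label] for label in KEY_LABELS if label in blocks), None)
    if csr is None or key is None:
        raise ValueError("text does not contain both a CERTIFICATE REQUEST and a private key block")
    if key_is_password_protected(key):
        raise ValueError("private key is password protected; the upload requires an unencrypted key")
    return csr, key


def write_csr_and_key(text, csr_path, key_path):
    """Write the CSR (sent to the CA) and the key (kept for the upload step) to files.

    The key file is created readable and writable by its owner only.
    """
    csr, key = extract_csr_and_key(text)
    with open(csr_path, "w") as handle:
        handle.write(csr)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(key)
    return csr_path, key_path


if __name__ == "__main__":
    print(write_csr_and_key(SAMPLE_DIALOG_TEXT, "vsp.csr", "vsp.key"))
```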

Uploading certificates

When you receive the CA certificate from the certifying authority:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. For the VSP, click the Manage Certificate link for Portal HTTPS. For the MobileIron
   Client, click the Manage Certificate link for Client TLS.
3. Make sure Upload Certificate is selected in the dropdown list.
4. Select the certificates as indicated in the following table:

   Field                File to Select
   Key file             The file created in step 7 of the CSR procedure (the private
                        key).
   Server certificate   The CA-signed certificate file you received from the certifying
                        authority in response to your CSR.
   CA certificate       The generic CA certificate file.

5. Click Upload Certificate.

Viewing certificates

To view a Portal HTTPS or Client-TLS certificate:
1. In the MobileIron System Manager, select Certificate Mgmt from the Security page.
2. Click the View Certificate link for the certificate type you want to view.

Access Control Lists

Use the Access Control Lists screen to compile and manage the rules that define
inbound and outbound access for network hosts and services.

Each ACL consists of one or more access control entries (ACEs). Configuring ACLs
requires the following tasks:
1. Configure entries for each network and host requiring an ACL.
2. Configure entries for any network services requiring an ACL.
3. Create an ACL.

To add an ACL:
1. Click Add.
2. In the Name field, enter a name to identify the ACL.
3. In the Description field, enter text to clarify the purpose of the ACL.
4. Click Save.
   The lower portion of the screen is now enabled.
5. Click Add to add an access control entry (ACE) to the ACL.
   Each ACE consists of a combination of the network hosts and services you
   configured for use in ACLs.
6. Use the following guidelines to complete the form:

   Field                    Description
   Source Network           Select the network from which access will originate. This
                            list is populated with the networks and hosts you created
                            for use with ACLs. See Networks and Hosts on page 586.
   Destination Network      Select the network being accessed. This list is populated
                            with the networks and hosts you created for use with ACLs.
                            See Networks and Hosts on page 586.
   Service                  Select the network service to which this entry permits or
                            denies access. This list is populated with the services you
                            created for use with ACLs. See Network Services on
                            page 588.
   Action                   Select Permit or Deny from the dropdown list.
   Connections Per Minute   Enter the number of connections to allow per minute.
   Description              Enter text to describe the purpose of this entry.

7. Click Save.

Editing an ACL

To edit an existing ACL:
1. Click the name in the ACLs list.
2. To delete an ACE, click its checkbox and click Delete.
3. To add an ACE, click Add.
4. To insert an ACE, select the ACE above which you want to insert a new ACE and
   click Insert.
5. Click Save.

Copying an ACL

To start a new ACL based on an existing one:
1. Select the ACL to be copied.
2. Click the Copy button.
3. Enter a name for the new ACL.
4. Click OK.

Deleting an ACL

To delete an ACL:
1. Select the ACL to be deleted.
2. Click Delete.

Networks and Hosts

Use the Networks and Hosts screen to manage the servers and subnets you will use to
compile Access Control Lists (ACLs) for MobileIron Clients.

To add a host or subnet for compiling ACLs:
1. Click Add.
2. Use the following guidelines for completing the displayed form:

   Field          Description
   Name           Enter a name to use to identify this host or network.
   Description    Enter additional text to provide supporting information about this
                  host or network.
   Type           Select Subnet or Host from the dropdown menu.
   Network/Host   Enter the IP address for this network or host.

3. Click Save.
   This host or network will now be available for ACLs configured in the ACLs screen.

Network Services

Use the Network Services screen to manage available services. MobileIron
prepopulates this screen with common services.

To add a service:
1. Click Add.
2. Use the following guidelines to complete the form:

   Field              Description
   Name               Enter a name to use to identify this service.
   Description        Enter additional text to provide supporting information about
                      this service.
   Type               Select TCP, UDP, or IP from the dropdown menu.
   Source Port        Enter the number of the source port for this service. Enter 0 to
                      allow any source port.
   Destination Port   Enter the number of the destination port for this service. Enter 0
                      to allow any destination port.

3. Click Save.
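Putting the Networks and Hosts, Network Services and Access Control Lists screens together: a constructed model of the objects each screen defines and an ordered ACL of permit/deny ACEs with a connections-per-minute limit. This is an added example, not the VSP's implementation; it assumes first-match evaluation, an implicit deny when no ACE matches, and that Connections Per Minute is enforced per ACE.

```python
import ipaddress
import time
from collections import defaultdict


def make_network(name, kind, address):
    """Networks and Hosts entry. kind is "Subnet" (address/expanded mask) or "Host"."""
    if kind == "Host":
        net = ipaddress.ip_network(address)           # a bare address becomes a /32
    elif kind == "Subnet":
        net = ipaddress.ip_network(address, strict=False)
    else:
        raise ValueError("Type must be Subnet or Host")
    return {"name": name, "net": net}


def make_service(name, proto, src_port, dst_port):
    """Network Services entry. proto is TCP, UDP or IP; port 0 means any port."""
    if proto not in ("TCP", "UDP", "IP"):
        raise ValueError("Type must be TCP, UDP, or IP")
    return {"name": name, "proto": proto, "src_port": src_port, "dst_port": dst_port}


def service_matches(service, proto, src_port, dst_port):
    if service["proto"] == "IP":                      # IP matches any protocol; ports ignored
        return True
    if service["proto"] != proto:
        return False
    return service["src_port"] in (0, src_port) and service["dst_port"] in (0, dst_port)


class Acl:
    """An ACL is an ordered list of ACEs; Insert places an ACE above an existing one."""

    def __init__(self, name):
        self.name = name
        self.aces = []
        self._seen = defaultdict(int)    # (ace position, minute bucket) -> connections

    def add_ace(self, src, dst, service, action, per_minute, position=None):
        if action not in ("Permit", "Deny"):
            raise ValueError("Action must be Permit or Deny")
        ace = {"src": src, "dst": dst, "service": service,
               "action": action, "per_minute": per_minute}
        if position is None:
            self.aces.append(ace)
        else:
            self.aces.insert(position, ace)

    def evaluate(self, src_ip, dst_ip, proto, src_port, dst_port, now=None):
        """Return "Permit" or "Deny" for one new connection attempt (first match wins)."""
        now = time.time() if now is None else now
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for index, ace in enumerate(self.aces):
            if (src_ip in ace["src"]["net"] and dst_ip in ace["dst"]["net"]
                    and service_matches(ace["service"], proto, src_port, dst_port)):
                if ace["action"] == "Deny":
                    return "Deny"
                bucket = (index, int(now // 60))
                self._seen[bucket] += 1
                # Permit only while this ACE is within its per-minute budget.
                return "Permit" if self._seen[bucket] <= ace["per_minute"] else "Deny"
        return "Deny"    # assumption: implicit deny when no ACE matches


def build_sample_acl():
    """Constructed sample: the corporate LAN may reach the VSP over HTTPS only,
    at most 3 new connections per minute, and nothing else."""
    lan = make_network("Corp LAN", "Subnet", "10.1.0.0/255.255.255.0")
    vsp = make_network("VSP", "Host", "10.2.0.10")
    https = make_service("HTTPS", "TCP", 0, 443)
    any_ip = make_service("Any", "IP", 0, 0)
    acl = Acl("vsp-inbound")
    acl.add_ace(lan, vsp, https, "Permit", per_minute=3)
    acl.add_ace(lan, vsp, any_ip, "Deny", per_minute=0)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.evaluate("10.1.0.5", "10.2.0.10", "TCP", 40000, 443))
    print(acl.evaluate("10.1.0.5", "10.2.0.10", "TCP", 40001, 22))
```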

Access Control Lists: ACLs

See Access Control Lists on page 583.

Portal ACLs

Use Portal ACLs to further restrict access to various portals within the VSP.

To enable an ACL:
1. Select the checkbox for the component you want to work with. The following table
   describes each component.

   Component                   Description
   MyPhone@Work User Portal    The MyPhone@Work portal that enables device users to
                               access a website, download apps, manage contacts, and
                               so on.
   Admin Portal Portal         The Admin Portal portion of the Admin Portal.
   System Manager Portal       The System Manager portion of the Admin Portal.
   Sentry Connection           The MobileIron Sentry installed for ActiveSync access
                               control.
   API Connection              The MobileIron Web Services API.
   iOS MDM                     The iOS MDM service for profile management.
   iOS iReg URL                The iReg service that enables provisioning iOS devices
                               without installing the MobileIron iOS app.
   App Storefront Connection   The app management service for iOS.

2. Enter the IP address or network/mask pair to specify servers or networks that may
   access this component. Separate the entries with spaces.
   Examples:
   100.0.0.0 150.0.0.0
   101.0.0.0 10.0.0.0/255.255.255.0
   You must use the expanded form of the mask. Do not specify an entry similar to
   10.0.0.0/24.
   If your VSP is behind a NAT, enter the IP of the NAT network.
   Note: Remember that the Sentry must be able to access the VSP. If it does not
   have access, then the ActiveSync Devices page will not display devices.
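The entry format from step 2 (space-separated addresses and address/expanded-mask pairs, prefix-length form rejected) as an added parser, plus the check the note implies: confirm that every Sentry is still inside the permitted set before saving a Sentry Connection ACL. Example code, not MobileIron's; the Sentry addresses are constructed.

```python
import ipaddress


def parse_portal_acl(entry_string):
    """Parse a Portal ACL value into a list of IPv4Network objects.

    Entries are separated by spaces. Each is a single address (treated as one
    host) or address/mask with the mask in expanded dotted form. A prefix-length
    entry such as 10.0.0.0/24 is rejected, as the Portal ACLs screen requires.
    """
    networks = []
    for entry in entry_string.split():
        if "/" in entry:
            address, mask = entry.split("/", 1)
            if "." not in mask:
                raise ValueError(f"{entry}: use the expanded mask, e.g. {address}/255.255.255.0")
            # IPv4Network also rejects a non-contiguous mask such as 255.0.255.0.
            networks.append(ipaddress.IPv4Network(entry, strict=False))
        else:
            networks.append(ipaddress.IPv4Network(entry))     # single host, /32
    return networks


def portal_acl_problems(entry_string):
    """Return one error string per bad entry; an empty list means the value is accepted."""
    problems = []
    for entry in entry_string.split():
        try:
            parse_portal_acl(entry)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def is_permitted(networks, client_ip):
    client = ipaddress.IPv4Address(client_ip)
    return any(client in net for net in networks)


def sentries_locked_out(entry_string, sentry_ips):
    """Before saving a Sentry Connection ACL: which Sentries (or their NAT addresses)
    would no longer be able to reach the VSP?"""
    networks = parse_portal_acl(entry_string)
    return [ip for ip in sentry_ips if not is_permitted(networks, ip)]


if __name__ == "__main__":
    # Constructed values: a proposed ACL and the addresses of two Sentries.
    proposed = "101.0.0.0 10.0.0.0/255.255.255.0"
    print(portal_acl_problems(proposed))
    print(sentries_locked_out(proposed, ["10.0.0.5", "192.0.2.9"]))
```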

Chapter 21

Configuring VSP Maintenance Settings

Overview

- Getting MobileIron server software updates
- Exporting the configuration
- Importing a configuration
- Clearing the configuration
- Rebooting
- Managing System Storage

Getting MobileIron server software updates

The following figure shows the Software Updates screen.

See the upgrade documentation for a specific release for instructions on when and
how to use this screen.

Exporting the configuration

To back up the system configuration, you can export the MobileIron Server
configuration settings to XML format:
1. Click Export Configuration.
2. Click Export.

Importing a configuration

You can import a MobileIron Server configuration from a local XML file or FTP site:
1. Click Import Configuration.
2. Click Browse to select an import file.
3. Click Import.

Clearing the configuration

To clear unsaved configuration settings and return to the default configuration:
1. Click Clear Configuration.
2. Click the Clear Configuration button.

Rebooting

You can reboot the MobileIron Server to clear the current configuration settings and
restart all server modules:
1. Click Reboot in the navigation pane.
2. Click the Reboot button.

Manually purging data (system storage)

You can manage system storage by purging old data. You can configure auto-purging
to perform this task regularly, as explained in Data Purge on page 566. You can also
perform one-time manual purges as needed.

To manually purge data:
1. In System Manager, go to Maintenance > System Storage.
2. Specify the age of the data to be purged in the Delete data older than field.
3. Click Purge Now.

See Specifying what gets purged on page 567 for information on selecting the data
to purge.

Backing up and restoring the VSP

The system backup and restore feature includes the following:

- view of backup logs
- configuration of the host and protocol to use
- scheduled backups
- immediate backups
- restore from backup

Configuring system backups

Pre-requisites
- Sufficient disk space at the destination to store the archive
- Protocol-specific requirements described in the following table

Protocol   Pre-requisites
NFS        Port 2049 open from VSP to the NFS server
           Note: The NFS option assumes that user authentication is not required for
           the specified server. Therefore, we recommend using IP ACLs to restrict
           NFS mounts to VSP servers.
SCP        Port 22 open from the VSP to the backup location
FTP        Port 21 open from the VSP to the FTP server
           Note: FTP sends the account password and the backup archive unencrypted;
           prefer SCP where the destination supports it.
CIFS       Ports 137 (UDP), 138 (UDP), and 139 (TCP) open from the VSP to the
           Windows share server

Backup settings

Complete the following steps to configure the destination and schedule for backups:
1. In System Manager, select Maintenance > System Backup.
2. Use the following guidelines to complete the System Backup Configuration section.

   Field                             Description
   Notification Email                Enter the email address that should receive
                                     backup/restore notifications. By default,
                                     notifications are sent if the backup fails.
   Send email on successful backup   Select this option to include notifications for
                                     success and failure.
   Start backup at                   Select the time (GMT) at which a daily backup
                                     should occur, based on the system time set in
                                     the System Manager.
   Backup using                      Select from the following protocols: FTP, SCP,
                                     NFS, CIFS. The selected protocol determines which
                                     of the following fields display.
   Server                            Enter the domain name or IP address for the
                                     server to be used.
   User                              Enter the user name for the account to be used.
                                     Note: For CIFS, you might also need to specify the
                                     domain (e.g., MYDOMAIN\myuserid).
   Password                          Enter the password for the account to be used.
   Password Confirmation             Confirm the password for the account to be used.
   Server Path                       Enter any additional path necessary to specify
                                     the location on the host server. For example, if
                                     you want to write backups to the Backups/VSP
                                     folder on the specified server, you would enter
                                     /Backups/VSP in this field.
                                     Note: Be sure to include the leading forward
                                     slash (/), or the backup will fail.

3. Click Save.

Enabling backups

To enable the configured backup schedule, select Enabled in the System Backup
Control section.

Running an immediate system backup

To start an immediate system backup:
1. Scroll down to the Run System Backup Now section.
2. Click Run.

Backup file

The name of the resulting file has the following format:

<VSP_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz

where <VSP_FQDN> is the fully-qualified domain name for the VSP.

Viewing backup status

When a backup starts, the Backup is running indicator displays in the System
Backup Logs/Status section. When it completes, a brief status message displays the
following information:

- date and time of the backup
- transfer mode (i.e., FTP, NFS, CIFS, or SCP)
- whether the backup was scheduled (automatic) or manual (run now)
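A check you can run against the listing of the backup destination: parse the file name format given above and report any day on which the scheduled daily backup is missing. Added example, not MobileIron code; the file names are constructed and vsp.example.com is a placeholder FQDN.

```python
import re
from datetime import date, datetime, timedelta

# <VSP_FQDN>-backup-YYYY-MM-DD--HH-MM-SS.tgz. The FQDN itself may contain hyphens,
# so the match is anchored on the "-backup-" marker and the fixed timestamp shape.
BACKUP_NAME = re.compile(
    r"^(?P<fqdn>.+)-backup-(?P<ts>\d{4}-\d{2}-\d{2}--\d{2}-\d{2}-\d{2})\.tgz$")


def parse_backup_name(name):
    """Return (fqdn, datetime) for a VSP backup archive name, or None if it does not match."""
    match = BACKUP_NAME.match(name)
    if not match:
        return None
    stamp = datetime.strptime(match.group("ts"), "%Y-%m-%d--%H-%M-%S")
    return match.group("fqdn"), stamp


def missing_backup_days(names, fqdn, first_day, last_day):
    """List the ISO dates in [first_day, last_day] with no backup of fqdn in names.

    first_day and last_day are ISO dates such as "2013-08-05".
    """
    have = set()
    for name in names:
        parsed = parse_backup_name(name)
        if parsed and parsed[0] == fqdn:
            have.add(parsed[1].date())
    missing = []
    day, stop = date.fromisoformat(first_day), date.fromisoformat(last_day)
    while day <= stop:
        if day not in have:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


# Constructed directory listing of a backup destination.
SAMPLE_LISTING = [
    "vsp.example.com-backup-2013-08-05--02-00-07.tgz",
    "vsp.example.com-backup-2013-08-06--02-00-04.tgz",
    "vsp.example.com-backup-2013-08-08--02-00-11.tgz",
    "vsp-dr.example.com-backup-2013-08-07--02-00-09.tgz",   # a different VSP
    "notes.txt",
]

if __name__ == "__main__":
    print(missing_backup_days(SAMPLE_LISTING, "vsp.example.com", "2013-08-05", "2013-08-08"))
```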

Viewing backup logs

The system backup logs are available on the Troubleshooting page in System Manager.
You can view them on demand and download them like other system logs.

Restoring from a system backup

Requirements
- The VSP version used to create the backup must be used to restore the backup.
- Confirm that the location of the backup file is easily accessible to ensure that the
  upload process does not time out. Uploading the file should complete within 15
  minutes.

Procedure

Complete the following steps to restore your VSP from a backup:
1. Configure a new VSP or reset the existing VSP to the factory default state.
2. Move the backup file to a location that is reachable from System Manager.
3. In System Manager, select Maintenance > System Backup.
4. Scroll down to the Restore System section.
5. Click Browse.
6. Select the backup file.
7. Click Restore.
   When the process is complete, a message displays prompting you to reboot.
8. If prompted to save the configuration, click Yes.
9. If you chose to configure a second VSP instead of resetting the original, power
   down the original to prevent IP conflicts.
10. Select Maintenance > Reboot.

Restoring data only

Some situations call for restoring the data from a backup without restoring the system
configuration. These situations include:

- confirming that expected data is included in backups
- disaster recovery

To address these situations, use the Exclude System Configs on Restore option.

Restoring a system in this manner does not provide a replacement VSP. You can use
this restored system to view data or as the basis for a replacement system.

Chapter 22

Troubleshooting

Overview

Use the Troubleshooting page in the System console to investigate possible problems
with MobileIron operation. In most cases, you will use this page under the direction of
MobileIron Customer Support.

Working with logs

The Logs screen under the Troubleshooting page enables you to:

- Enable debugging for MobileIron modules
- Enable debugging for VPN services
- Disable debugging
- View logs
- Export logs
- Clear logs

Enabling debugging for MobileIron modules

You can specify which MobileIron modules you want to place in debug mode. Placing a
module in debug mode causes more detailed messages to be recorded in the
corresponding log.

To enable debugging for MobileIron modules:
1. Select the checkboxes for the modules you want to place in debug mode:

   Module     Description
   MICS       MobileIron Configuration Service (i.e., the service that supports System
              Manager)
   MIFS       MobileIron File Service
   Employee   MyPhone@Work (employee portal)

2. Click Save.

Disabling debugging

You can disable all debugging or you can select the modules for which you want to
disable debugging.

Disabling all debugging

To disable all debugging, which stops the MobileIron Server from writing detailed
information to all logs, click Stop All Debugging.

Disabling debugging for certain modules

To disable debugging for certain modules:
1. Clear the checkbox next to each module you want to remove from debug mode.
2. Click Save.

Viewing logs

The Troubleshooting screen enables you to view the contents of debug logs directly
from the console. Debugging must be enabled. The following table lists the available
logs:

Log Name            Description
MICS                MobileIron Configuration Service (i.e., the service that supports
                    System Manager)
MIFS                MobileIron File Service
System              VSP status logs
Employee            MyPhone@Work (employee portal)
Device              Searchable device logs (search by mobile number or user)
Catalina            MobileIron application loading status
Catalina2           MobileIron application loading status
Catalina3           MobileIron application loading status
Catalina4           MobileIron application loading status
System Backup
High Availability
LDAP

To view a log:
1. In the View Logs section, click the link for the log you want to view.
   The displayed window shows the most recent log entries. The window scrolls
   dynamically as the MobileIron Server adds entries to the log.
2. Click x to close the log view.
   Note: If you close the log view window and then re-open it, the displayed window
   shows only log entries made since you closed the window.

Viewing only new log entries

To remove existing log entries from the log view window and view only new log
entries, click the Clear Window button.

Viewing logs by device or user

To view logs by device or user:
1. Click the Device link in the View Module Logs section.
2. Select User or Phone to specify whether you want to view logs by user or device.
3. Enter the user name or phone number.
4. Click View Log.

Exporting logs

You can upload logs directly to the default support site or a designated alternate
site.

To upload logs:
1. Select Troubleshooting > Logs.
2. Scroll down to the Export Logs section.
3. Select the log to download.
4. Select SFTP Upload, HTTPS Upload, or Download from the Type drop-down list,
   depending on the method you want to use.
5. If you received a MobileIron support ticket number associated with this export,
   enter it in the Support Ticket Number field.
6. If you selected SFTP Upload or HTTPS Upload, select the Alternate Location check
   box and configure a backup location or user authentication in case transmission to
   the primary server or user fails. If you receive technical support from a MobileIron
   partner instead of directly from MobileIron, then you will need to obtain an
   alternate location from your vendor.
   The following additional fields for the alternate location are displayed:
   - Host/IP or URL
     For Host/IP, enter the server name. For example, support.mobileiron.com.
     For URL, enter the FQDN. For example, https://support.mobileiron.com
   - User Name
   - Password
   - Confirm Password
7. Click SFTP Upload, HTTPS Upload, or Download.

Remote logs

If your system includes Sentries, you can configure and view the logs for each Sentry
from the Remote Logs section of the Troubleshooting page.

Note that changing the debug mode (log verbosity) here overrides the settings
configured in the Sentry user interface.

Enabling remote logs

To start collecting Sentry log data, you need to specify the debug mode:
1. Select Troubleshooting > Logs.
2. Select the Change Debug Mode link for the Sentry you want to troubleshoot.
   The Change Debug Status dialog appears.
3. Select Sentry or Sentry HTTP Packet Trace.

   Sentry
     Sentry 3.3: Provides Level 1 verbosity, that is, HTTP request/response
       information.
     Sentry 3.2 and older: Provides Debug-level logs.
   Sentry HTTP Packet Trace
     Sentry 3.3: Provides Level 2 verbosity, that is, HTTP request/response
       information and detailed log messages with headers.
     Sentry 3.2 and older: Provides complete logs including backup level details.

   Note: Level 2 output records HTTP headers, which for ActiveSync traffic can carry
   authentication material. Restrict who can read these logs and return the Sentry to
   Level 1 when the investigation is finished.

4. Click Submit.

The updated debug status is communicated to the Sentry and reflected in the Sentry
user interface the next time you refresh the Sentry Logs page.

If you selected Sentry, the Sentry is set to log at Level 1 and becomes enabled.
If you selected Sentry HTTP Packet Trace, the Sentry is set to log at Level 2 and
becomes enabled.

Viewing remote logs

To view the Sentry logs:
1. Select Troubleshooting > Logs.
2. Click the View Logs link for the Sentry you want to troubleshoot.
   The log window appears.

Network monitor

The Network Monitor screen enables you to produce a TCP dump for one of the
MobileIron Server physical interfaces. The information provided might assist in
troubleshooting device connectivity problems. Click Download to store the results in a
pcap file.

Use the following guidelines to complete this screen:

Option               Description
Interface            Select the physical interface for which you want to produce a tcp
                     dump.
Filter               Not implemented.
Snap Length          Not implemented.
Max no. of Packets   Specifies the number of packets after which the capture should
                     stop. The default value is 1000. Acceptable range of values is 1
                     to 1000000.

Service diagnosis

You can use the Service Diagnosis page under Troubleshooting to check the health of
the following services:

- NTP
- BES
- Sentry
- Email
- DNS
- MobileIron Gateway
- SCEP
- MapQuest
- APNs
- MobileIron support site

Click Verify All to recheck the listed services, or click the Verify button next to a
specific service to verify just that service.

LDAP sync history

To confirm that LDAP synchronization has been performed as expected, click LDAP
Sync History.

Section IV: Command Line Interface (CLI)

Chapter 23

Command Line Interface

- About CLI
- EXEC mode commands
- EXEC PRIVILEGED commands
- CONFIG commands
- INTERFACE mode commands

About CLI

The CLI, or command line interface, enables authorized administrators to access
certain functions from the command line in a terminal window.

Logging in
1. Use ssh or telnet to log in to the server.
   Note: telnet sends the login credentials and the whole session unencrypted; use
   ssh wherever it is available.
2. Log in as the administrator user established during installation.
3. Enter the corresponding password.

Logging out

Use Ctrl-d to terminate the CLI session and close the terminal window. You can also
enter one of the following commands:

- logout
- exit

Help commands

Two commands are available to help you use the CLI:

- help
- ?

Enter help to display a description of the interactive help system, including:

- Auto-complete keys
- Movement keys
- Deletion keys

Enter ? to list available commands in the current mode or details for the current
command. For example, the following command lists all commands in the current mode:

    >?

The following command lists details about the show command:

    >show ?

The following command lists details about the show ip command:

    >show ip ?

Note that the list of available commands varies according to the mode you are in. See
Modes on page 621.

Auto-complete keys

The following keys provide auto-completion capabilities:

Enter      Auto-completes the command line, performs syntax checking, and executes
           the command if no syntax error exists. If a syntax error exists, help text
           is displayed.
Spacebar   Auto-completes the command.

Movement keys

[CTRL-A]   Move to the start of the line.
[CTRL-E]   Move to the end of the line.
[up]       Move to the previous command line held in history.
[down]     Move to the next command line held in history.
[left]     Move the insertion point left one character.
[right]    Move the insertion point right one character.

Deletion keys

[CTRL-C]      Delete and abort the current line.
[CTRL-D]      Delete the character to the right of the insertion point.
[CTRL-K]      Delete all the characters to the right of the insertion point.
[CTRL-U]      Delete the whole line.
[backspace]   Delete the character to the left of the insertion point.
[CTRL-Z]      Quits the session.

Modes

The CLI uses the following modes:

EXEC
  Default mode established when you log in successfully.

EXEC PRIVILEGED
  Privileged mode, enabling commands that affect device management.

CONFIG
  Configuration mode, enabling commands that affect network management. In this
  mode, you can use the Tab key to cycle through the available commands and
  subcommands.

INTERFACE
  Mode for configuring physical and VLAN interfaces.

Entry to each mode is sequential: EXEC, EXEC PRIVILEGED, CONFIG, INTERFACE. To
access each mode, enter the mode from the previous mode. For example, to access
the CONFIG mode, you must be in the EXEC PRIVILEGED mode.

To access the different modes:

Mode              Accessible through...   Command to access             Return to the previous mode
EXEC              The default mode        Not applicable                exit (exits the CLI session)
EXEC PRIVILEGED   EXEC mode               enable                        disable
CONFIG            EXEC PRIVILEGED mode    configure terminal            end
INTERFACE         CONFIG mode             interface GigabitEthernet n   end
                                          interface vlan n

Company Confidential
621

Command Line Interface

EXEC mode commands

The commands specific to the EXEC mode are summarized in the following table, and
then listed in detail in alphabetical order.

Command      Description
enable       Accesses privileged commands.
exit         Closes the terminal window.
help         Describes the interactive help system.
host         Performs a DNS lookup for a specified IP address or host name.
logout       Closes the terminal window.
ping         Sends echo messages.
show         Shows running system information:
             show banner
             show clock
             show hostname
             show interfaces
             show ip
             show log
             show logging
             show logtail
             show memory
             show ntp status
             show processes
             show service
             show software repository
             show tcp
             show timeout
             show version
timeout      Sets the idle timeout for the CLI.
traceroute   Traces route to destination.

enable
Enables EXEC PRIVILEGED mode for access to advanced commands.

Prompts for the enable-secret password, which is the system password initially set
during installation. Entering the correct password changes the command line prompt
from > to #.
See enable secret on page 647.

Example:
> enable
Password:
#

exit
Exits the EXEC mode and closes the terminal window.

help
Displays a description of the interactive help system, including:

Auto-completion keys
Movement keys
Deletion keys
See Help commands on page 619.

host
Queries Internet name servers to perform a DNS lookup. Specify one of the following
parameters:

Parameter    Description
hostname     The host name of the destination server to look up.
IP address   The IP address of the destination server to look up.

This command returns the hostname of the server if you specify an IP address, and it
returns the IP address if you specify the hostname.
Note: This command executes the Linux command nslookup. See Linux man pages for
more information.

Example:
>host yahoo.com
Server:         172.16.0.1
Address:        172.16.0.1#53

Non-authoritative answer:
Name:    yahoo.com
Address: 98.137.149.56
Name:    yahoo.com
Address: 98.139.180.149
Name:    yahoo.com
Address: 209.191.122.70
Name:    yahoo.com
Address: 72.30.2.43

logout
Exits from the EXEC mode and closes the terminal window.

ping
Sends echo messages. This command pings the destination server that the parameter
specifies.
Specify one of the following parameters:

Parameter    Description
hostname     The destination's host name.
IP address   The destination's IP address.

Example:
>ping yahoo.com

show banner
Displays the banner that was displayed when you logged on to the command line
interface.

Example:
>show banner
************************************************************
*                    MobileIron VSP CLI                    *
*                                                          *
*                                                          *
************************************************************
Welcome user it is Tue Dec 13 21:27:03 UTC 2011

show clock
Displays the current system date, time, and time zone.

Example:
> show clock
Displaying system clock details
Tue Dec 13 21:25:12 UTC 2011

show hostname
Displays the hostname for the VSP.

Example:
>show hostname
appname.domain.com

show interfaces
Displays the configuration of the network interfaces configured for the VSP.

Example:
>show interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:6b:c6:23 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:2d brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:37 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:6b:c6:41 brd ff:ff:ff:ff:ff:ff

show ip
Displays IP information.
Specify one of the following parameters:

Parameter          Description
arp                Displays the physical network address that corresponds to the IP
                   address of the VSP. ARP is Address Resolution Protocol, a low-level
                   network protocol.
domain-name        Displays the domain name of the VSP.
interface brief    Displays IP interface status and configuration. Add the following
                   parameters to the command:
                   <ifacename> <interfaceid>
                   The <ifacename> is either GigabitEthernet or VLAN.
                   The <interfaceid> has the value 1 to 4 for GigabitEthernet and
                   1 - 4094 for VLAN.
                   These interfaces are configured using the System Manager in the
                   Admin Portal. See Managing network interfaces on page 547.
name-server        Displays the IP address of the Internet name servers that the VSP
                   uses. These name servers are configured using the System Manager
                   in the Admin Portal. See DNS and Hostname on page 552.
route              Displays the routing table of the VSP. These static network routes
                   are configured using the System Manager in the Admin Portal. See
                   Routes on page 550.

Example:
>show ip domain-name
+-----------------
Domain Name
+-----------------
mydomain.com
>show ip interface brief GigabitEthernet 1
+----------------+-----------+--------------+-------------+------------------
Interface          IP Address     Mask           Hw Addr             Admin State
+----------------+-----------+--------------+-------------+------------------
GigabitEthernet1   10.10.17.152   255.255.0.0    00:50:56:91:22:7e   up
>show ip route
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
default via 10.10.1.1 dev eth0

Note: In the show ip route output, default means that the network and mask are
both 0.0.0.0.
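
The following script is an added example (not part of the MobileIron guide) that parses the show ip route and show ip interface brief output formats shown above, expands default to 0.0.0.0/0 as the note describes, and checks that every via gateway lies in a directly connected subnet. The sample output it uses is constructed in those formats, and the 172.16.0.0/12 route with gateway 192.0.2.1 is an assumed bad entry added to exercise the check.

```python
"""Sanity-check the VSP routing table against its configured interfaces.

Added example, not part of the MobileIron guide. A 'via' gateway that is on
no directly connected subnet can never be reached, so the route is dead;
this is the kind of mismatch that 'show ip route' lets you catch by hand.
"""
import ipaddress
import re

# Constructed sample output in the format of 'show ip route'.
# The 172.16.0.0/12 line is an assumed misconfiguration for the check to find.
SAMPLE_ROUTES = """\
192.168.57.0/24 via 10.10.1.1 dev eth0
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.17.80
172.16.0.0/12 via 192.0.2.1 dev eth0
default via 10.10.1.1 dev eth0
"""

# Constructed sample output in the format of 'show ip interface brief'.
SAMPLE_INTERFACES = """\
+----------------+-----------+--------------+-------------+------------------
Interface          IP Address     Mask           Hw Addr             Admin State
+----------------+-----------+--------------+-------------+------------------
GigabitEthernet1   10.10.17.152   255.255.0.0    00:50:56:91:22:7e   up
"""

ROUTE_RE = re.compile(
    r"^(?P<dest>default|\S+)"        # destination prefix, or the word default
    r"(?:\s+via\s+(?P<gw>\S+))?"     # optional next-hop gateway
    r"\s+dev\s+(?P<dev>\S+)"         # outgoing interface
)


def parse_routes(text):
    """Return a list of (destination network, gateway or None, device)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest = m.group("dest")
        # 'default' means that network and mask are both 0.0.0.0
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        gw = ipaddress.ip_address(m.group("gw")) if m.group("gw") else None
        routes.append((net, gw, m.group("dev")))
    return routes


def parse_interfaces(text):
    """Return {interface name: ip_interface(address/mask)} for interfaces that are up."""
    interfaces = {}
    for line in text.splitlines():
        fields = line.split()
        # separator rows start with '+', the heading row splits into 8 words;
        # data rows have exactly 5 columns
        if len(fields) != 5 or fields[0].startswith("+"):
            continue
        name, addr, mask, _hwaddr, state = fields
        if state == "up":
            interfaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return interfaces


def unreachable_gateways(routes, interfaces):
    """Return (destination, gateway) pairs whose gateway is on no connected subnet."""
    connected = [iface.network for iface in interfaces.values()]
    bad = []
    for net, gw, _dev in routes:
        if gw is not None and not any(gw in subnet for subnet in connected):
            bad.append((str(net), str(gw)))
    return bad


def check_sample():
    """Run the check over the constructed sample; returns (routes, bad gateways)."""
    routes = parse_routes(SAMPLE_ROUTES)
    interfaces = parse_interfaces(SAMPLE_INTERFACES)
    return routes, unreachable_gateways(routes, interfaces)


if __name__ == "__main__":
    routes, bad = check_sample()
    for net, gw, dev in routes:
        gw_text = str(gw) if gw is not None else "connected"
        print(f"{str(net):18} via {gw_text:14} dev {dev}")
    print("gateways on no connected subnet:", bad or "none")
```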

show log
Displays the log file that the parameter specifies.
Consider the following when viewing log files:

To navigate within the log, use standard vi commands.
To exit the log, enter q to quit.

Note: The log files are in the Linux directory /var/log.
The command takes one parameter that is the name of the log file. The following table
lists the log file names you can use:

Log file name    Description
mi.log           A superset of the information in the mics, mifs, and employee logs.
startup.log      Information logged during startup.
cron             All cron jobs run since last reboot.
rpmpkgs          A listing of all the deployed rpm packages on the system.
boot.log         Information collected during boot up.
suspend.log      Not used.
mysqld.log       Information collected during MySQL startup.
messages         All system messages since last restart.
dmesg            Hardware status messages collected during startup.
secure           List of executed commands since last restart.
mivmstat.log     Running log of information about the virtual machine, including,
                 but not limited to, processes, free, buffered, and cached memory,
                 swap, i/o, system, and CPU.
mics.log         WARN, INFO, and ERROR messages from the System Manager.
employee.log     WARN, INFO, and ERROR messages about employee device registration
                 activity.
mifs.log         WARN, INFO, and ERROR messages from the Admin Portal.
mai.log          MAI information, if MAI is enabled.
catalina.out     Stdout for the tomcat1 server. Includes verbose Employee and MIFS
                 logs.
catalina2.out    Stdout for the tomcat2 server. A verbose MIFS log.
catalina3.out    Stdout for the tomcat3 server. A verbose MAI log, if MAI is enabled.
catalina4.out    Stdout for the tomcat4 server. A verbose Atlas log, if Atlas is
                 enabled.

Example:
> show log mifs.log
> --log 'tomcat/mifs.log' --

show logging
Displays the configured syslog server information:

IP address
log level
state

This information is configured in the System Manager, in Settings > Syslog. See
Syslog on page 559.
The log level values displayed by this command correspond to the configured log
levels as follows:

Log level value    Log level description
                   Emergency
                   Alert
                   Critical
                   Error
                   Warning
                   Notice
                   Info
                   Debug

Example:
>show logging
+--------------+--------------+--------------
IP Address        Loglevel       State
+--------------+--------------+--------------
myLogserver.com   5              enable

show logtail
Displays the last ten lines (the tail) of the specified log. The command takes one
parameter that is the name of the log file. See show log on page 626 for the list of
available log files.
To exit from the show logtail command, enter Ctrl-C.

Example:
>show logtail mifs.log
--log 'tomcat/mifs.log' --tail -/mi/tomcat2/webapps/mics/WEB-INF/pages/include.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/index.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles
/mi/tomcat2/webapps/mics/WEB-INF/pages/styles/mobir.css
/mi/tomcat2/webapps/mics/WEB-INF/pages/listRadius.jsp
/mi/tomcat2/webapps/mics/WEB-INF/pages/micsLogin.jsp
/mi/tomcat2/webapps/mics/WEB-INF/remoting-servlet.xml
/mi/tomcat-properties/license.properties
/mi/tomcat-properties/datapurge.properties
/mi/tomcat-properties/mifs.properties

show memory
Displays information about free and used memory on the VSP.
This command executes the Linux command free. See Linux man pages for more
information.

Example:
> show memory
             total       used       free     shared    buffers     cached
Mem:       2135892    2065440      70452          0     146848     456292
-/+ buffers/cache:    1462300     673592
Swap:      4192956         12    4192944

show ntp status
Displays the currently configured time sources. The time sources are Network Time
Protocol (NTP) servers. An NTP server figures out how much the system clock drifts
and smoothly corrects it.
You can configure the NTP servers using the System Manager in the Admin Portal. See
Date and Time (NTP) on page 555.

Example:
>show ntp status
+-----------+--------------------+
  Index       NTP Server
+-----------+--------------------+
  0           172.16.0.1

show processes
Displays the processes running on the VSP.
Note: This command executes the Linux command ps auxwww. See Linux man pages
for more information.

Example:
>show processes

show service
Displays the status for configured services such as Telnet, SSH, and NTP. You can
enable these services and set the maximum number of sessions using the System
Manager in the Admin Portal. See CLI on page 557.

Example:
>show service
+------------+-----------+--------------
Servicename    Enabled     Max.Sessions
+------------+-----------+--------------
ssh            yes         5
telnet         yes         5
ntp            yes

show software repository
Displays the currently configured location for MobileIron software updates. This
location is configured using the System Manager in the Admin Portal. See Getting
MobileIron server software updates on page 595.

Example:
>show software repository
+------------------------------------------+---------------+----------
Software repository                          Username          Password
+------------------------------------------+---------------+----------
myRepositoryServer.com                       RepositoryUserId

show tcp
Lists information about all active TCP ports. This information provides traffic statistics
and can help identify network problems.
Note: This command executes the Linux command netstat -nat. See Linux man
pages for more information.

Example:
>show tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
.
.
.

The following table describes the information displayed:

Column heading    Description
Proto             The protocol. Always tcp.
Recv-Q            The number of bytes not copied by the user program connected to
                  this socket.
Send-Q            The number of bytes not acknowledged by the remote host.
Local Address     The IP address of the local computer and the port number being
                  used. If the port is not yet established, the port number is shown
                  as an asterisk (*).
Foreign Address   The IP address and port number of the remote computer to which the
                  socket is connected. If the port is not yet established, the port
                  number is shown as an asterisk (*).
State             The state of the connection. Possible states are:
                  LISTEN
                  SYN-SENT
                  SYN-RECEIVED
                  ESTABLISHED
                  FIN-WAIT-1
                  FIN-WAIT-2
                  CLOSE-WAIT
                  CLOSING
                  LAST-ACK
                  TIME-WAIT
                  These states are further described in
                  http://tools.ietf.org/html/rfc793.
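
The following script is an added example (not part of the MobileIron guide) that parses the column layout described above and separates the ports the VSP listens on for every interface (0.0.0.0) from those bound only to loopback, which is the first thing to check when reviewing what the appliance exposes. The sample output it reads is constructed in the show tcp format; the 0.0.0.0 listeners, the 10.10.x.x peers and their port numbers are assumed values, not real VSP output.

```python
"""Summarise the VSP 'show tcp' output (Linux 'netstat -nat').

Added example, not part of the MobileIron guide. Note that netstat prints
state names with underscores (TIME_WAIT) where RFC 793 uses hyphens.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the 'show tcp' format; the last four rows are assumed.
SAMPLE_SHOW_TCP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0    148 10.10.17.80:22          10.10.1.25:51122        ESTABLISHED
tcp        0      0 10.10.17.80:443         10.10.1.40:49877        TIME_WAIT
"""


@dataclass(frozen=True)
class TcpSocket:
    recv_q: int
    send_q: int
    local_addr: str
    local_port: Optional[int]      # None when netstat prints '*'
    foreign_addr: str
    foreign_port: Optional[int]
    state: str


def _split_endpoint(endpoint: str):
    """Split 'host:port' as printed by netstat; '*' means no port is established yet."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_show_tcp(text: str):
    """Parse every 'tcp' row; the banner and heading rows are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        _proto, recv_q, send_q, local, foreign, state = fields[:6]
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        sockets.append(TcpSocket(int(recv_q), int(send_q),
                                 lhost, lport, fhost, fport, state))
    return sockets


def state_counts(sockets):
    """How many sockets are in each connection state."""
    return Counter(s.state for s in sockets)


def exposed_listeners(sockets):
    """Ports listening on 0.0.0.0, i.e. reachable on every interface of the VSP."""
    return sorted(s.local_port for s in sockets
                  if s.state == "LISTEN" and s.local_addr == "0.0.0.0")


def loopback_listeners(sockets):
    """Ports listening only on 127.0.0.1, unreachable from other hosts."""
    return sorted(s.local_port for s in sockets
                  if s.state == "LISTEN" and s.local_addr == "127.0.0.1")


def queued_bytes(sockets):
    """Established sockets with data waiting in Recv-Q or Send-Q (a stalled peer)."""
    return [(s.local_port, s.foreign_addr, s.recv_q, s.send_q)
            for s in sockets
            if s.state == "ESTABLISHED" and (s.recv_q or s.send_q)]


if __name__ == "__main__":
    socks = parse_show_tcp(SAMPLE_SHOW_TCP)
    print("states:", dict(state_counts(socks)))
    print("listening on all interfaces:", exposed_listeners(socks))
    print("listening on loopback only:", loopback_listeners(socks))
    print("established with queued bytes:", queued_bytes(socks))
```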

show timeout
Displays the currently configured idle timeout for the CLI in minutes. The value 0
indicates no timeout. The timeout value is configured using the System Manager in the
Admin Portal. See CLI on page 557.

Example:
>show timeout
+---------------------------
Cli Idle Timeout in Minute(s)
+---------------------------

show version
Displays the currently installed version of the VSP software.

Example:
>show version
VSP 4.5.0 Build 47

timeout
Sets the idle timeout for the CLI. Enter the number of minutes between 0 and 9999.

Example:
>timeout 150

You can also set the CLI idle timeout using the System Manager in the Admin Portal.
See CLI on page 557.

traceroute
Displays the network route to the specified destination.
Specify one of the following parameters:

Parameter    Description
hostname     The destination's host name.
IP address   The destination's IP address.

Examples:
>traceroute 173.194.33.43
traceroute to 173.194.33.43 (173.194.33.43), 30 hops max, 40 byte packets
 1  10.10.1.1 (10.10.1.1)  4.808 ms  5.481 ms  6.112 ms
 2  * * *
.
.
.
>traceroute google.com
traceroute to google.com (173.194.33.45), 30 hops max, 40 byte packets
 1  10.10.1.1 (10.10.1.1)  5.268 ms  5.933 ms  6.564 ms
 2  * * *
.
.
.

EXEC PRIVILEGED commands

The commands specific to the EXEC PRIVILEGED mode are summarized in the following
table, and then listed in detail in alphabetical order.
Note: All EXEC mode commands, except enable and logout, are also available in EXEC
PRIVILEGED mode.

Command                    Description
clear arp-cache            Clears the ARP cache on the VSP.
configure terminal         Enters configuration mode.
dbcleanup app_inventory    Deletes duplicate and unused rows from app inventory
                           tables.
disable                    Returns to EXEC mode.
end                        Returns to EXEC mode.
failover                   Manages VSP failover.
grubupdate                 Updates the grub configuration. Requires a reload.
install rpm                Installs VMware Tools.
no install rpm             Deletes, resets, and disables various system
                           configurations.
poweroff                   Turns off the VSP.
reload                     Halts the VSP and performs a cold restart.
service                    Performs operations on the Tomcat and iptables services.
setup                      Runs the setup wizard to reconfigure an installation.
show                       Shows running system information:
                           show portalacl
                           show running-config
                           show statichost
                           show system
                           show tech
                           show kparams
                           Note: In addition to the above commands, all EXEC mode
                           show commands are also available in EXEC PRIVILEGED mode.
software checkupdate       Checks the configured software repository for available
                           updates to the VSP.
software update            Installs the updates located using software checkupdate.
ssh                        Opens an ssh connection.
telnet                     Opens a telnet connection.
write                      Saves configuration changes.

clear arp-cache
Clears the ARP cache on the VSP, listing each cleared ARP entry. The ARP cache stores
a mapping of IP addresses with link layer addresses, which are also known as Ethernet
addresses and MAC addresses. If the mapping in the cache is stale, use this command
to clear the cache. A mapping can become stale, if, for example, an IP address has
moved to a new host.

Example:
#clear arp-cache
Deleting Arp Entry for 100.10.10.10
Deleting Arp Entry for 10.10.19.21

configure terminal
Enters configuration mode. See CONFIG commands on page 644 for the commands
you can enter in configuration mode.

Example:
#configure terminal
Enter configuration commands, one per line.
/config#

dbcleanup app_inventory
Deletes duplicate and unused rows from app inventory tables. Requires portal service
restart.

Example:
#dbcleanup app_inventory
Requires portal service restart. Proceed? (y/n)y
Stopping tomcat:                                           OK
AppInventry cleanup...

disable
Returns to EXEC mode.

Example:
#disable
>

end
Returns to EXEC mode.

Example:
#end
>

exit
Terminates the CLI session and closes the terminal window.

failover
Commands to assist with managing VSP failover. Failover allows a secondary VSP to
take over if the primary VSP fails when your installation requires high availability. For
more information about implementing a high availability solution, contact MobileIron
Technical Support.
Note: High availability is a non-standard VSP feature.

grubupdate
Updates the grub configuration. Requires a reload.
Note: This command should not be used on VMs. It should be used only for the
physical box.

Example:
#grubupdate

install rpm
Installs VMware Tools. If your VSP runs in VMware, use this command to install the
VMware Tools installation package. The installation package is an RPM file or a .tar.gz.
The parameter specifies where to find the file.

Warning: Use this command only to install third-party RPM or tar files that MobileIron
has approved, such as VMware Tools.

Parameter    Description
cdrom        Installs the RPM from a CDROM.
file         Unused.
url          Installs the RPM from a URL. Specify the URL as the final parameter.
info         Displays a list of installed third-party RPMs.

To uninstall a third-party RPM, use no install rpm. See no install rpm on page 637.

Examples:
The following example shows the initial output when installing VMwareTools from CD
ROM. Although not shown here, the installation continues with VMwareTools
configuration.
#install rpm cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
Select rpm/tar file to install
0. None - Do not install any thing
1. /mnt/VMwareTools-4.0.0-171294.tar.gz
Enter your selection: 1
Installing /mnt/VMwareTools-4.0.0-171294.tar.gz
Creating a new VMware Tools installer database using the tar4 format.
Installing VMware Tools.
In which directory do you want to install the binary files?
[/usr/bin]
What is the directory that contains the init directories (rc0.d/ to rc6.d/)?
[/etc/rc.d]
What is the directory that contains the init scripts?
[/etc/rc.d/init.d]
In which directory do you want to install the daemon files?
[/usr/sbin]
In which directory do you want to install the library files?
[/usr/lib/vmware-tools]
The path "/usr/lib/vmware-tools" does not exist currently. This program is going
to create it, including needed parent directories. Is this what you want?
[yes]
In which directory do you want to install the documentation files?
[/usr/share/doc/vmware-tools]
The path "/usr/share/doc/vmware-tools" does not exist currently. This program
is going to create it, including needed parent directories. Is this what you
want? [yes]
The installation of VMware Tools 4.0.0 build-171294 for Linux completed
successfully. You can decide to remove this software from your system at any time by
invoking the following command: "/usr/bin/vmware-uninstall-tools.pl".
Before running VMware Tools for the first time, you need to configure it by
invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want
this program to invoke the command for you now? [yes]
....

no install rpm
Uninstalls a MobileIron-approved third-party RPM. See install rpm on page 635.
For the list of no commands possible in CONFIG mode, see no on page 651.

poweroff
Turns off the VSP. This command not only logs you out of the CLI, but shuts down the
operating system and powers off the VSP.

Example:
#poweroff
System configuration may have been modified. Save? [yes/no]: yes
Configuration saved.
Proceed with power-off? [yes/no]

reload
Halts the VSP and performs a cold restart.

Example:
#reload
System configuration may have been modified. Save? [yes/no]: yes
Configuration saved.
Proceed with reload?

service
Performs operations on the Tomcat and iptables services. You can start and stop these
services, and check their status.
The parameters are:

Parameter       Description
service name    The name of the Linux service. Possible values are:
                tomcat
                iptables
operation       The operation to perform on the specified service. Possible values
                are:
                start
                stop
                status

Example:
#service tomcat start
Starting tomcat: Using TOMCAT_ALLOCATION_MB=11235
.
.
.
[OK]
#service iptables start
Applying iptables firewall rules:                          [OK]
#service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
.
.
.
#service iptables stop
Flushing firewall rules:                                   [OK]
Setting chains to policy ACCEPT: filter nat                [OK]
Unloading iptables modules:                                [OK]

setup
Runs the setup wizard to reconfigure an installation. This command takes you through
the initial configuration of the VSP.

Example:
#setup
VSP 4.5.2 Build 32 (Branch r4.5.2)
Welcome to the Mobile Iron Configuration Wizard
Use the - character to move back to the previous field
Continue with configuration dialog? [yes/no]:

show portalacl
Displays the configured portal Access Control Lists (ACLs), which restrict access to
various portals of the VSP. The access is restricted to certain servers or networks by
specifying their IP addresses or network/mask pairs.
For more information, see Portal ACLs on page 591, which describes how you configure the portal ACLs in the System Manager, Security > Access Control List > Portal
ACLs.

Example:
#show portalacl
+----------------------------------------------------------------------
Module            Access Allowed From
+----------------------------------------------------------------------
MyPhoneAtWork     10.10.17.12

show running-config
Displays the configuration under which the VSP is currently running.
The following table lists the configuration information that this command displays. It
also shows where in the System Manager of the Admin Portal to configure this
information, and a reference to the corresponding documentation.

Configuration Displayed         System Manager User Interface                   More Information
Network interfaces              Settings > Network > Interfaces                 Managing network interfaces on page 547
DB config                       Not used.
Network routes                  Settings > Network > Routes                     Routes on page 550
Telnet, ssh, and ntp status     Settings > CLI                                  CLI on page 557
DNS servers                     Settings > DNS and Hostname                     DNS and Hostname on page 552
VSP host name and domain name   Settings > DNS and Hostname                     DNS and Hostname on page 552
NTP servers                     Settings > Date and Time (NTP)                  Date and Time (NTP) on page 555
CLI session timeout             Settings > CLI                                  CLI on page 557
System Manager user names       Security > Identity Source > Local Users        Identity Source > Local Users on page 573
Portal Access Control Lists     Security > Access Control Lists > Portal ACLs   Portal ACLs on page 591

Example:
#show running-config

show statichost
Displays the configured static hosts. The static hosts are configured using the System
Manager, in Settings > Static Hosts or with the CLI command statichost. See Static
Hosts on page 553 and statichost on page 654.

Example:
#show statichost
+------------------+------------------------------------
IP Address           FQDN
+------------------+------------------------------------
172.16.80.2          mysentry.mycompany.com

show system
Displays system information as specified by the parameter. Most parameters result in
displaying output from Linux commands. For more information about Linux command
output, see the Linux man page description available on the Web.

Specify one of the following parameters:

Parameter    Description
disk         Displays disk usage information for each mounted file system.
             Linux command: df -h
top          Displays a snapshot of the running tasks and threads, including their
             command-line parameters.
             Enter h for help on navigating the output.
             Enter q to quit.
             Linux command: top -bcHss -n 1
toprt        Displays the running tasks, memory usage, and the uptime status,
             updating the display in real-time.
             Enter h for help.
             Enter q to quit.
             Linux command: top
uptime       Displays the following information:
             the current time
             the system status (up)
             how long the system has been running
             how many users are currently logged on
             the system load averages for the last 1, 5, and 15 minutes
             Linux command: uptime
user         Displays the list of System Manager users. See Introduction to user
             management on page 50.

Examples:
#show system disk
Filesystem    Size  Used  Avail  Use%  Mounted on
/dev/sda3      80G  3.0G    73G    4%  /
/dev/sda1      99M   12M    82M   13%  /boot
tmpfs         7.9G  8.0K   7.9G    1%  /dev/shm

#show system user
+------------------------+
Users
+------------------------+
miadmin

#show system uptime
18:23:11 up 23:15, 2 users, load average: 0.00 0.00 0.00

#show system toprt
top - 18:25:57 up 23:15, 2 users, load average: 0.00 0.00 0.00
Mem: 1643612k total, 3412864k used, 13023136k free, 148648k buffers
Swap: 1849804k total, 0k used, 18490804k free, 14869890k cached
  PID USER      PR  NI   VIRT   RES   SHR S %CPU %MEM   TIME+  COMMAND
19186 root      20   0  67088  2732  1292 S  0.0  0.0  0:00.62 -bash
.
.
.

show tech
Gets VSP logs and database dumps for diagnostics. This command transfers the
diagnostic files to a server that you specify, using either HTTP(S) or SFTP.
Specify the following parameters:

Parameter                Description
http | sftp              Select the transport method for the files.
URL                      When using HTTP, enter the URL for the destination server.
                         For example: https://support.mobileiron.com/uploads
host                     When using SFTP, enter the host name or IP address of the
                         destination server. For example: support.mobileiron.com
alllogs                  Enter No. Enter Yes only if the VSP had restarted since the
                         issue occurred.
username                 Enter the user name for logging in to the server that you
                         specified. The command will prompt you for the corresponding
                         password.
support-ticket-number    Enter the support ticket number, if you have one. This
                         parameter is optional.

For more information about the logs, see Working with logs on page 609.

Example:
#show tech http https://support.mobileiron.com/uploads No mysupportusername
Enter Password for user mysupportusername:

software checkupdate
Checks the configured software repository for available updates to the VSP. The repository information is configured using the System Manager, in Maintenance > Software
Updates. See Getting MobileIron server software updates on page 595.

Example:
#software checkupdate

software update
Installs the updates located using software checkupdate. Use the reload command
after using the software update command. See Getting MobileIron server software
updates on page 595.

Example:
#software update
...
#reload

ssh
Opens an ssh connection.
Specify the following parameters:

Parameter    Description
user         The ID of the user making the connection.
server       The IP address or hostname of the target server.

Example:
#ssh miadmin 100.10.10.10
miadmin@100.10.10.10's password:

telnet
Opens a telnet connection.
Specify the following parameters:

Parameter    Description
server       The IP address or hostname of the target server.

Example:
#telnet 100.10.10.10
login: miadmin
password:

write
Saves configuration changes.
The changes you make in your CLI session are not saved across reboots of the VSP,
although they are remembered between CLI sessions. Therefore, to ensure your
changes are not lost, use the write command to save your changes.
If you do not save your changes, a reboot will return the VSP to its previously-saved
configuration.

Example:
#write

CONFIG commands
The commands specific to the CONFIG mode are summarized in the following table,
and then listed in detail in alphabetical order.
In addition, the EXEC mode commands exit, help, and timeout are also available in
CONFIG mode.

Command                     Description
banner                      Defines the text to appear in the CLI login banner.
certificate client          Generates a self-signed certificate for the MobileIron
                            client for use with TLS.
certificate portal          Generates a self-signed certificate for MobileIron Sentry
                            configurations.
clock set                   Sets the date and time on the VSP.
do                          Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE
                            mode.
enable secret               Changes the enable-secret password.
end                         Returns to EXEC PRIVILEGED mode.
eula                        Sets the End User License Agreement information.
hostname                    Configures the VSP's fully-qualified host name.
interface GigabitEthernet   Switches to INTERFACE mode to configure a physical
                            interface.
interface VLAN              Switches to INTERFACE mode to configure a VLAN interface.
ip arp                      Updates the ARP cache on the VSP.
ip domain-name              Sets the default domain name.
ip name-server              Sets the preferred DNS server.
ip route                    Configures a static network route.
kparam                      Configures kernel parameters.
no                          Deletes, resets, and disables various system
                            configurations.
ntp                         Configures the time sources.
portalacl                   Configures the portal Access Control Lists (ACLs), which
                            restrict access to various portals of the VSP.
service                     Enables the service ssh, telnet, or ntp.
service support             Unlocks and resets the password for the support account.
software repository         Configures the software repository URL.
statichost                  Maps a fully-qualified domain name to an IP address.
syslog                      Configures syslog server information.
system user                 Creates a System Manager user account.

banner
Defines the text to appear in the CLI login banner. You can specify two strings. The
strings cannot include spaces.
Specify the following parameters:

Parameter     Description
bannername    Multi-word string enclosed in quotes.

Example:
/config#banner Welcome MyCompany

certificate client
Generates a self-signed certificate for the MobileIron client for use with TLS.

For more information, see Certificate Mgmt on page 576, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.

Example:
/config#certificate client
Tlsproxy service will be disrupted.
Would you like to proceed? [y/n]:
/config#

Note: The CLI does not provide a confirmation that the certificate was generated.

certificate portal
Generates a self-signed certificate for MobileIron Sentry configurations.
For more information, see Certificate Mgmt on page 576, which describes how to do
this task in the System Manager, in Security > Certificate Mgmt.

Example:
/config#certificate portal
Services will be disrupted.
Would you like to proceed? [y/n]: y
/config#

Note: The CLI does not provide a confirmation that the certificate was generated.

clock set
Sets the date and time on the VSP.
Specify the following parameters:

Parameter    Description
time         Current time using the format HH:MM:SS. Specify the hours as a value
             between 00 and 23.
day          Day of the month as a value between 1 and 31.
month        Month of the year. Specify one of the following: January, February,
             March, April, May, June, July, August, September, October, November,
             December.
year         Specify as a 4 digit string. For example: 2012

Example:
/config#clock set 10:34:59 23 February 2012
/config#

do
Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.
Use the do command when you are in CONFIGURE mode and want to run a command
from EXEC PRIVILEGED mode, but don't want to have to exit and reenter CONFIGURE
mode. After the keyword do, enter the command. For example:
config#do ping someWebSite.com

The following table lists the commands you can run using do:
Command           Description
clear arp-cache   Clears the ARP cache on the VSP.
clock set         Sets the date and time on the VSP.
disable           Returns to EXEC mode.
help              Describes the interactive help system.
host              Performs a DNS lookup for a specified IP address or host name.
logout            Closes the terminal window.
ping              Sends echo messages.
poweroff          Turns off the VSP.
reload            Halts the VSP and performs a code restart.
show              Executes show commands specified in EXEC mode commands on page 622
                  and EXEC PRIVILEGED commands on page 633.
telnet            Opens a telnet session.
timeout           Sets the idle timeout for the CLI.
traceroute        Traces route to destination.
write             Saves configuration changes.

Example:
/config#do show banner

enable secret
Changes the enable-secret password. This password allows you to change from EXEC
mode to EXEC PRIVILEGED mode in the CLI.
For more information, see CLI on page 557, which describes how to do this task in
the System Manager, in Settings > CLI.


Example:
/config#enable secret NewPwd123

end
Returns to EXEC PRIVILEGED mode.

Example:
/config#end

eula
Sets the End User License Agreement (EULA) information.
Specify the following parameters:
Parameter      Description
companyname    The name of the company accepting the EULA. Enclose the name in double quotes
               if it contains spaces.
contactname    The name of the contact at the company. Enclose the name in double quotes if it
               contains spaces.
contactemail   Email address of the contact.

Example:
/config#eula "My Company" "Joe Doe" jdoe@mycompany.com

hostname
Configures the VSP's fully-qualified host name.
Specify the following parameter:
Parameter   Description
hostname    The fully-qualified hostname for the VSP.

For more information, see DNS and Hostname on page 552, which describes how to
do this task in the System Manager, in Settings > DNS and Hostname.

Example:
/config#hostname myhost123
Please reload the system for the changes to be effective.
/config#

interface GigabitEthernet
Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, or 4 to
specify which interface.
For more information, see Managing network interfaces on page 547, which
describes configuring the physical interfaces in System Manager, in Settings > Interfaces.

Example:
/config#interface GigabitEthernet 2
/config-if#

See INTERFACE mode commands on page 655 for available commands.

interface VLAN
Switches to INTERFACE mode to configure virtual Local Area Network (VLAN) interfaces. Specify a number between 1 and 4094 for the VLAN ID.
For more information, see Managing network interfaces on page 547, which
describes configuring the VLAN interfaces in System Manager, in Settings > Interfaces.

Example:
/config#interface vlan 2
/config-vlan#

See INTERFACE mode commands on page 655 for available commands.

ip arp
Updates the ARP cache on the VSP. The ARP cache stores a mapping of IP addresses
with link layer addresses, which are also known as Ethernet addresses and MAC
addresses.
Typically, the ARP cache is updated automatically, making this command unnecessary.
Specify the following parameters:
Parameter        Description
IP address       IP address of the VSP.
Mac address      Corresponding Mac address, using format: xx:xx:xx:xx:xx:xx
Interface type   Specify GigabitEthernet or VLAN.
Interface ID     Specify 1 to 4 for GigabitEthernet. Specify 1 - 4094 for VLAN.

Example:
/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1

ip domain-name
Sets the default domain name. This value is shown in the System Manager, in
Settings > DNS and Hostname.
For more information, see DNS and Hostname on page 552.

Example:
/config# ip domain-name mycompany.com
/config#

ip name-server
Sets the preferred DNS server.
For more information, see DNS and Hostname on page 552, which describes configuring the DNS servers in System Manager, in Settings > DNS and Hostname.

Example:
/config# ip name-server 10.10.15.6
/config#

ip route
Configures a static network route. This command specifies the subnet mask and gateway to use for routing from a network IP address.

Specify the following parameters:
Parameter    Description
IP address   Network IP address.
mask         Subnet mask.
gateway      IP address for the gateway.


For more information, see Routes on page 550, which describes configuring the
static network routes in System Manager, in Settings > Network > Routes.

Example:
/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1

kparam
Configures kernel parameters.
Specify the following parameters:
Parameter   Description
name        The name of the kernel parameter. Enter rp_filter or log_martians.

Example:
/config#kparam rp_filter

no
Deletes, resets, and disables various system configurations, as described in the following table.
Command                                    Description
no banner                                  Reverts to the original login banner.
no hostname                                Reverts the system's fully qualified domain name to
                                           localhost.localdomain. Requires a system reload for the
                                           change to take effect.
no interface vlan <vlan number 1 - 4094>   Deletes the specified VLAN interface.
no ip arp <IP address>                     Deletes the specified IP address from the ARP cache.
no ip domain-name                          Deletes the domain-name of the VSP.
no ip name-server <IP address>             Deletes the specified Internet name server from the list of
                                           Internet name servers that the VSP uses for DNS lookup.
no ip route <IP address> <mask>            Deletes the specified static network route from the VSP's
                                           routing table.
no kparam <name>                           Disables the kernel parameter.
no ntp <IP address or hostname>            Deletes the specified NTP server from the VSP's list of NTP
                                           servers.
no portalacls                              Deletes portal ACLs.
no service <service name>                  Disables the specified service (ssh, telnet, or ntp).
no service support                         Disables the password for the misupport account.
no statichost <IP address>                 Deletes the static host entry.
no syslog <IP address or hostname>         Deletes the syslog server specified by the parameter.
no system user <username>                  Deletes the system user specified by the parameter.

ntp
Configures the time sources. The time sources are Network Time Protocol (NTP) servers. An NTP server figures out how much the system clock drifts and smoothly corrects it.
You can configure the NTP servers in the System Manager, in Settings > Date and
Time (NTP). See Date and Time (NTP) on page 555.
Specify the following parameters:
Parameter   Description
server      Hostname or IP address of the NTP server.
index       The order this NTP server appears in the configuration (0-2).

Example:
/config# ntp 172.16.0.1 0


portalacl
Configures the portal Access Control Lists (ACLs), which restrict access to various portals of the VSP. Access is restricted to servers or networks by specifying their IP
addresses, network and mask pairs, or hostname.
Parameter   Description
module      Enter one of the following options:
            MyPhoneAtWork
            SmartphoneManagerPortal
            SystemManagerPortal
            SentryConnection
            APIConnection
            iOSMDM
            iOSiRegURL
            AppStorefrontConnection
host        The IP address, network, or hostname from which access is allowed. Only one host
            configuration is supported from the CLI. Use the VSP System Manager portal to
            configure multiple hosts or networks.

Example:
/config#portalacl MyPhoneAtWork 10.101.1.119

service
Enables the service ssh, telnet, or ntp. For telnet and ntp, this command also sets the
number of instances allowed for the service.
Parameter   Description
name        The name of the service. Enter either ssh, telnet, or ntp.
instances   Maximum sessions allowed for ssh or telnet.

Example:
/config#service telnet 4

service support
Unlocks and resets the password for the support account. This command allows one-time access to the misupport Linux user account, using the displayed account password.


Warning: Do not access the Linux misupport account unless you are working closely
with MobileIron Technical Support. MobileIron cannot help you recover if you damage
your system when working on your own in the Linux command shell.

Example:
/config#service support
One-time-password for account misupport set to XRXFHT1str

software repository
Configures the software repository URL. This URL specifies the location of software
updates for the VSP. You can also configure the software repository in the System
Manager, in Maintenance > Software Updates. See Getting MobileIron server software updates on page 595.
Specify the following parameter:
Parameter   Description
urlstring   URL for the software repository.

statichost
A static host configuration maps a fully-qualified domain name to an IP address. This
static mapping is useful in the following cases:

A DNS server is not available.

The DNS server entry for a fully-qualified domain name points to an external IP
address, outside of your firewall, although the ultimate destination is inside your
firewall. You can use this static mapping if you want to associate the fully-qualified
domain name with an internal IP address, inside your firewall.

The static hosts are also configured using the System Manager, in Settings > Static
Hosts. See Static Hosts on page 553.
Specify the following parameters:
Parameter   Description
ip          IP address of the fully-qualified domain name.
fqdn        The fully-qualified domain name.

Example:
/config#statichost 172.16.80.2 mysentry.mycompany.com


syslog
Configures syslog server information.
Parameter   Description
server      Hostname or IP address of the syslog server
loglevel    Specify the log level to be enabled (0-7)

The log level value you specify in this command corresponds to the log levels as follows:
Log level value   Log level description
0                 Emergency
1                 Alert
2                 Critical
3                 Error
4                 Warning
5                 Notice
6                 Info
7                 Debug

For more information, see Syslog on page 559, which describes configuring the syslog servers in System Manager, in Settings > Syslog.

system user
Creates a System Manager user account. Specify the following parameters:
Parameter   Description
username    User name
password    The unencrypted (cleartext) user password

For more information, see Identity Source > Local Users on page 573.
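The service, portalacl, syslog, kparam, ntp and service support commands above are the CONFIGURE-mode settings a reviewer checks first on a VSP. The following script is an added example, not MobileIron code: it replays a constructed transcript of CONFIGURE-mode commands (in the syntax documented in this chapter; it knows nothing about the appliance's defaults, only what the transcript shows) and reports hardening gaps, then replays the same transcript with the correcting commands appended. The finding codes and both transcripts are constructed for the example.

```python
import re

ADMIN_PORTAL = "SystemManagerPortal"   # portalacl module for the System Manager
SYSLOG_DEBUG = 7                       # loglevel 7 = Debug in the syslog table above

# Optional "/config#" (or "/config-if#") prompt that a pasted session carries.
PROMPT_RE = re.compile(r"^\s*(?:/config\S*#)?\s*")


def parse_transcript(lines):
    """Replay CONFIGURE-mode commands (and their 'no' forms) into the
    settings they leave in effect. Only the commands documented on this
    page are understood; anything else is ignored."""
    cfg = {
        "services": {},        # name -> max instances, or None when not given
        "portalacls": {},      # module -> allowed host, network or hostname
        "syslog": {},          # server -> loglevel
        "ntp": {},             # index -> server
        "kparams": set(),      # enabled kernel parameters
        "support_unlocked": False,
    }
    for raw in lines:
        parts = PROMPT_RE.sub("", raw).split()
        if not parts:
            continue
        negate = parts[0] == "no"
        if negate:
            parts = parts[1:]
        cmd, args = parts[0], parts[1:]
        if cmd == "service" and args[:1] == ["support"]:
            cfg["support_unlocked"] = not negate       # one-time misupport password
        elif cmd == "service" and args:
            if negate:
                cfg["services"].pop(args[0], None)
            else:
                cfg["services"][args[0]] = int(args[1]) if len(args) > 1 else None
        elif cmd == "portalacl" and len(args) == 2:
            cfg["portalacls"][args[0]] = args[1]
        elif cmd == "portalacls" and negate:            # "no portalacls" clears them all
            cfg["portalacls"].clear()
        elif cmd == "syslog" and args:
            if negate:
                cfg["syslog"].pop(args[0], None)
            elif len(args) > 1:
                cfg["syslog"][args[0]] = int(args[1])
        elif cmd == "ntp" and args:
            if negate:
                cfg["ntp"] = {i: s for i, s in cfg["ntp"].items() if s != args[0]}
            elif len(args) > 1:
                cfg["ntp"][int(args[1])] = args[0]
        elif cmd == "kparam" and args:
            if negate:
                cfg["kparams"].discard(args[0])
            else:
                cfg["kparams"].add(args[0])
    return cfg


def audit(cfg):
    """Return the finding codes (constructed for this example) a reviewer
    would raise against the effective settings."""
    findings = []
    if "telnet" in cfg["services"]:
        findings.append("TELNET_ENABLED")            # cleartext management channel
    if not cfg["syslog"]:
        findings.append("NO_REMOTE_SYSLOG")          # logs stay on the appliance only
    elif max(cfg["syslog"].values()) >= SYSLOG_DEBUG:
        findings.append("SYSLOG_DEBUG_LEVEL")        # Debug floods the collector
    if ADMIN_PORTAL not in cfg["portalacls"]:
        findings.append("ADMIN_PORTAL_UNRESTRICTED") # System Manager open to any source
    for name in ("rp_filter", "log_martians"):       # the two kparam names documented
        if name not in cfg["kparams"]:
            findings.append(f"KPARAM_{name.upper()}_OFF")
    if not cfg["ntp"]:
        findings.append("NO_NTP")                    # log timestamps and cert checks drift
    if cfg["support_unlocked"]:
        findings.append("SUPPORT_ACCOUNT_UNLOCKED")  # misupport shell access was issued
    return findings


# Constructed transcript of a weak session, then the commands that correct it.
WEAK_TRANSCRIPT = [
    "/config#service telnet 4",
    "/config#syslog 10.10.15.20 7",
    "/config#kparam rp_filter",
    "/config#portalacl MyPhoneAtWork 10.101.1.119",
]
HARDENED_TRANSCRIPT = WEAK_TRANSCRIPT + [
    "/config#no service telnet",
    "/config#syslog 10.10.15.20 6",
    "/config#kparam log_martians",
    "/config#portalacl SystemManagerPortal 10.10.15.50",
    "/config#ntp 172.16.0.1 0",
]

if __name__ == "__main__":
    for label, lines in (("weak", WEAK_TRANSCRIPT), ("hardened", HARDENED_TRANSCRIPT)):
        print(label, audit(parse_transcript(lines)) or "no findings")
```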

INTERFACE mode commands


INTERFACE mode comes in two flavors:

GigabitEthernet
Configures the physical ethernet interfaces.

VLAN
Configures the virtual Local Area Network (VLAN) interfaces.
You enter each INTERFACE mode from the CONFIG mode using the commands interface GigabitEthernet on page 649 or interface VLAN on page 649. For example:
/config# interface GigabitEthernet 2
/config-if#

Each INTERFACE mode has its own set of commands that are applied to the specified
interface, such as GigabitEthernet 2 in the above example. Most commands are
shared by both modes.
The commands specific to the INTERFACE modes are summarized in the following
table, and then listed in detail in alphabetical order.
Command                              Description
do                                   Runs EXEC or EXEC PRIVILEGED commands.
end                                  Returns to CONFIGURE mode.
exit                                 Exits the EXEC mode and closes the terminal window.
ip address                           Configures the IP address of a physical or VLAN interface.
no                                   no ip address - Resets the IP address of a physical or VLAN interface.
                                     no shutdown - Enables a physical or VLAN interface.
physical interface GigabitEthernet   (Available in INTERFACE VLAN mode only.) Creates a VLAN
                                     interface on the specified physical interface.
shutdown                             Disables the current VLAN or physical interface.

end
Returns to CONFIGURE mode.

Example:
/config-if#end
/config#
/config-vlan#end
/config#


ip address
Configures the IP address and mask of the interface you specified in the interface
command. The interface is one of the following:

a physical interface when in INTERFACE GigabitEthernet mode.

a VLAN interface when in INTERFACE VLAN mode. Before you can configure the IP
address of a VLAN interface, create the VLAN interface, using the command physical interface GigabitEthernet on page 657.

Specify the following parameters:
Parameter    Description
IP address   IP address of the physical network interface when in INTERFACE GigabitEthernet mode.
             IP address of the VLAN interface when in INTERFACE VLAN mode.
mask         The netmask of the interface.

Example:
/config#interface GigabitEthernet 2
/config-if#ip address 10.10.17.27 255.255.255.0

no
Use the no command in INTERFACE mode as described in the following table.
Command         Description
no ip address   Resets the IP address and mask of the interface that you specified in the
                interface command. The interface can be a physical or VLAN interface. This
                command sets both the IP address and the mask to 0.0.0.0.
no shutdown     Enables the GigabitEthernet or VLAN interface that you specified in the
                interface command.

physical interface GigabitEthernet
Creates a VLAN interface on the specified physical interface. This command is available only in INTERFACE VLAN mode.
Specify the following parameter:
Parameter                          Description
GigabitEthernet interface number   A value between 1 and 4 that specifies the GigabitEthernet
                                   interface on which to create the VLAN interface.

Example:
/config#interface vlan 1
/config-vlan#
/config-vlan#physical interface GigabitEthernet 1

shutdown
Disables the VLAN or physical interface that you specified in the interface command.
To enable the interface, use no shutdown. See no on page 657.

Examples:
The following command disables a physical interface:
/config#interface GigabitEthernet 1
/config-if#shutdown
/config-if#

The following command disables a VLAN interface:


/config#interface vlan 1
/config-vlan#shutdown
/config-vlan#

Section V: Appendixes


Appendix A

Known Issues and Usage Notes


Known issues
Android: Manually removing the MobileIron app from the device does not re-enable a camera that has been locked down on devices having the Samsung
Enterprise APIs.

Android: When the native email client is configured and then TouchDown is
installed, the email on the native client will not be de-provisioned. The user must
manually remove the Exchange account from the native client. This will remove all
of the associated data.

Android: Using a security policy to require encryption results in messages about
decryption and encryption when the device is powered up. This results because the
VSP and ActiveSync encryption policies are conflicting. The Samsung email client is
supposed to apply the strictest policy. Instead, it applies the most recent policy.
Workaround: Keep EAS policy and VSP policy in sync.

There are known issues with NitroDesk's TouchDown software. See
http://www.nitrodesk.com/updates.aspx for information if you are having issues with your
TouchDown installation.

VS-8271: Changing the booting order of hard drives after upgrading from Sentry
3.2-MR1 to Sentry 3.3.1 causes the server to hang on reboot.

VS-8231: After an upgrade from Sentry 3.2 to Sentry 3.3.1, ACLs having the Action
field set to "Log and Deny" do not function. Attempting to apply a new ACL with
"Log and Deny" results in an error.

AL-9: When configuring Kerberos Constrained Delegation on Sentry, if you list multiple Key Distribution Centers using hostnames (as opposed to IP addresses) and
the first Key Distribution Center in the list is invalid or not reachable, subsequent
Key Distribution Centers in the list are not contacted. Workaround: Use IP
addresses in the Key Distribution Center field.

VS-7108: iOS: Intermittent email issues have been reported, including errors when
resyncing email, missing subject content, and email with a received date of 1969.
These issues are not related to MobileIron software.

VS-5404: Blocked Android devices receive an incorrect message if group certificate
authentication is enabled.

VS-3679: During tomcat restarts, severe errors reported by the tomcat servlet
cleanup can be ignored.

VS-7234: Attempts to clear all Sentry logs from the Troubleshooting screen result
in only the current log being cleared.

VS-7277: Errors found during the file system check after a scheduled reboot result
in a prompt for user intervention. Contact Support. Note that this is a rare occurrence.

VS-6794: An error should display immediately when a Sentry is configured with an
incompatible authentication type. Currently, the administrator must view the error
log to detect the problem.

VS-936: If a NAT with a small source port range is positioned between Sentry and
mobile devices, Sentry might drop a connection that reuses a source port from a
previously established connection.

IOS-105: On iPhone 4S devices, the MobileIron app occasionally fails to report the
operator to the VSP.

IOS-101: The MobileIron app prompts device users to update the configuration if
the MobileIron app is open when the administrator retires the device.

IOS-100: If an APNs message arrives while the device user is performing a connection speed test, then the MobileIron app may exit to the home screen.

VS-8009: The VSP does not generate SIM change events when the latest MobileIron app for iOS is installed.

VS-8266: tomcat occasionally fails to start after a power outage or after successive
reboots. Workaround: Manually start the midb process first, then manually restart
tomcat.

VS-7634: The compliance event for non-compliant passwords is sometimes not
generated on systems having over 10,000 iOS devices.

VS-7675, VS-7627: If there is no network connectivity when the device user
requests an app from the iOS app storefront, then a timeout message is displayed.

VS-7618: iOS: The badge count shown on the app storefront Featured tab may
become inconsistent with the MyPhone@Work badge count if the administrator
publishes updates to non-featured apps.

VS-7566: The iOS app storefront displays "Page does not exist" or does not
respond when a device user requests a prepaid app and all VPP codes for that app
have been used.

VS-7830: Upgrading a 4.5 VSP to 4.5.4 using the recommended upgrade procedure
(that is, performing the upgrade for each release between 4.5 and 4.5.4) does not
result in the expected distribution of certificates to Android 3.x devices. Workaround: Remove and re-apply the labels associated with the certificates.

VS-7742: Android: The VSP indicates that the security policy has been applied,
though the device user has not yet initiated the SD card encryption process.

VS-7659: Device users having iOS versions prior to 5.1 might notice a slight flicker
when navigating between tabs in the iOS app storefront.

VS-7644: The iOS app storefront sometimes displays the UPDATE flag when there
is no update available for the given app. This is a result of inconsistent version
reporting by app vendors.

VS-7564: Featured apps that are published to non-MDM iOS devices incorrectly
cause the new app badge on the Featured tab to display.

VS-7254: After the MDM profile has been removed and replaced on an iOS device,
the VSP generates an alert incorrectly indicating that the MDM profile is missing.
This issue resolves itself after the device checks in again.

VS-7685: The APN app setting for iOS does not accept a URL in the Proxy Server
field.

VS-8072: Adding a BES 5.0.3 server on a VSP results in the following error: "Could
not connect to URL: Couldn't create SOAP message due to exception: XML reader
error". Workaround: Run the BAS in compatibility mode.

AC-926: When a Samsung device is upgraded to the Android 4.5.3 client and then
retired, the Samsung DM agent remains activated.

VS-5799: Android: If two Exchange app settings are applied to an Android device,
then the VSP shows both as partially applied, and View Details displays details for
only one of them. The Android client is designed to handle this situation by applying
neither configuration.

VS-5965: Android: VPN profile status is not supported when the profile is applied
via Symantec Managed PKI.

VS-5351: Android: Because TouchDown caches certificates, removing SCEP
authentication from the Exchange app setting does not remove email access for the
devices to which that app setting has been applied.

VS-4921: Android: Devices that are already compliant with the password policy
upon registration trigger a false non-compliance alert.

VS-7114: iOS: Devices may have a 30-minute MDM check-in delay after initial registration.

VS-7267: When multiple LDAP servers are configured, attempts to register a device
can fail if the specified user ID was previously imported from a different LDAP
server and then deleted from the VSP.

VS-6410: When the Enterprise Connector service is running, the Preferences link is
not displayed under Settings > LDAP. Workaround: Disable the Enterprise Connector service temporarily. Do not forget to re-enable the Enterprise Connector before
exiting.

VS-7050: The Enterprise Connector for the on-premise VSP erroneously displays
the Sentry service.

VS-7161: The Service Diagnosis page fails to verify the Entrust SCEP server.

VS-6849: If a user enters an incorrect value for the challenge specified under an
Entrust SCEP implementation, then the error message returned is not helpful.

VS-5768: Attempting to create an ActiveSync policy having the same name as a
deleted ActiveSync policy fails.

VS-6434: Blocking of devices based on mailbox count has inconsistent results due
to several factors, including OS and interaction with other policies.

VS-6163: Any in-house app having an incorrectly configured icon will still prompt
for a username and password, despite having certificate-based authentication configured.

VS-6754: Devices that are blocked from syncing email because they are unregistered continue to be blocked after the Sentry setting for blocking unregistered
devices is disabled.

VS-6703: LDAP attribute searches that include % or _ return all devices.


VS-6337: Editing the default ActiveSync policy occasionally produces the following
error message: "There was an error processing the server response."

VS-4848: Pushing two identical LDAP settings having different names to the same
device produces errors in the MDM log. There is no functional impact.

VS-5443: The wrong operator is reported for MCC=232, MNC=01. This pair should
result in Austria / A1.

VS-5412: iOS: The VSP does not provide a way to set the Auto Lock option to
Never.

VS-5384: Provisioning requests time out during device registration if the VSP has
Exchange configured via SCEP settings.

VS-7205: iPad users who receive an APNs message concerning an available app are
not automatically routed to app details.

VS-6806: The VSP truncates MDM logs older than 2 days and does not prune nonessential rows first.

VS-6428: Editing a WiFi app setting causes the status for the setting to remain in
the Sent state. There is no functional impact.

VS-6168: Filtering by the Company-owned label in the App Inventory page displays
devices that do not have that label applied.

VS-6079: The LDAP Sync History feature in System Manager incorrectly reports
the amount of time it took for the LDAP synchronization to complete.

VS-5679: If the automatic upgrade of the Connector from 4.3 to 4.5.2 fails, do not
upgrade manually. Reinstall, instead.

VS-5963: Uploading new screenshots for an existing app in the app distribution
library clears the rest of the data from the Edit App form.

VS-6061: iOS: The SSID entry is dropped when the VSP pushes a WiFi profile created in the iPhone Configuration Utility.

VS-5799: Android: Attempting to push two Exchange profiles to a device results in
the first being configured, but the second is displayed as the current profile on the
VSP.

VS-5971: iOS: Waiting more than 15 minutes after accessing the web app storefront results in the following message when an in-house app download is
attempted: "The manifest for the app at _____ could not be validated." Workaround: Close all Safari sessions, restart the MobileIron app, and retry the app
download.

VS-5947: Existing unregistered devices are not immediately blocked when the
AutoBlock option is enabled.

VS-5308: iOS: When a user attempts to access the web app storefront via an APNs
message sent by the administrator, access to the app storefront occasionally fails.
Workaround: For iOS 5, click the APNs message again. For iOS 4, the administrator
must resend the APNs message.

VS-5287: iOS: Attempts to use the webclip to access the app storefront on devices
that do not have MDM enabled fail with the following message: "Cannot Open
Apps@Work. The URL can't be shown"

VS-6064: Because devices reporting unsupported languages always receive English
messages, customized native language message templates cannot be used.

VS-6028: The Exclude User option does not work for Security Policy Violation
events.

VS-5899: The Password field under App Settings > Email cannot be modified once
the setting is saved.

VS-5898: iOS: Changes in Email app settings require the device to be rebooted.

VS-5888: iOS: Email settings are removed from iPhone 4 (iOS 5) when the email
profile is updated via App Settings > Email.

VS-5959: Using the Compatibility View with Internet Explorer 8 results in missing
controls. Workaround: Turn off Compatibility View.

VS-5484: MobileIron fails to report an LDAP sync failure if the failure is due to an
incorrect or expired password.

VS-5457: iOS: "Profile could not be decrypted" displays intermittently during registration.

VS-5437: iOS: Attempting to reinstall an app that was removed as the result of
quarantine produces an HTTP 401 error instead of a proper message.

VS-5445: iOS: Logs do not indicate that a managed app has been removed from a
quarantined device.

VS-5313: iOS: After upgrading the MobileIron app for iOS to 4.5.x, the web App
Storefront is not available. Workaround: Exit and reopen the MobileIron app.

VS-5307: iOS: iOS 5 devices cannot use the link in an APNs message sent from the
App Distribution page.

VS-4936: iOS: Some images are not displayed correctly for recommended apps
that have been imported from the Apple App Store.

VS-4787: iOS: A known iOS 5 issue can result in duplicate webclips.


VS-5200: iOS: App names are unnecessarily truncated in the web App Storefront
on iPad.

VS-5197: iOS: The first time an iTunes import is attempted, a server communication error is displayed.

VS-5152: iOS: No message is displayed when a user attempts to install an app on a
device that has been quarantined with the block new downloads option.

VS-5151: iOS: MobileIron removes the new App Storefront webclip from quarantined devices.

VS-5150: iOS: The App Storefront does not change the app button to Update if
there is a new version of an installed app available.

VS-5109: iOS: The App Storefront opens on a different tab each time it is launched.

VS-4956: iOS: Clicking the link to the Apple Push Certificates portal sometimes
results in a web page without content. Workaround: Exit the portal, close the
browser, and retry.

VS-4941: Attempting to add in-house apps in Internet Explorer 8 can result in
Javascript errors and performance issues.

VS-4730: The Admin Portal allows administrators to open the LDAP page and other
tabs simultaneously.

VS-4684: In the device count and watchlist popups, clicking the top checkbox
selects only the last device in the list instead of all devices in the list.

VS-4534: The VSP installation script switches to CONFIG mode if you enter an NTP
server that cannot be parsed. Workaround: Type end. You can then type reload and
continue the installation process. When you complete the installation, use System
Manager to enter the proper NTP information.

VS-4459: iOS5: In the iOS 5 settings for WiFi configuration, the Proxy Server and
Proxy Password fields are not properly validated.

VS-4409: Some device images in the MyPhone@Work employee portal are incorrect.

VS-4253: Distributing Wi-Fi profiles to 10,000 devices or more is taking much longer than expected. Distribution to 20,000 devices can take up to four hours.

VS-3967: showtech files are corrupted when uploaded via CLI.


VS-3870: iOS: The APNs message sent to the device in response to MDM deactivation does not reappear if the user cancels the necessary configuration update.

VS-3713: iOS: The security policy fails to block ActiveSync access if the MobileIron
app is the last third-party app removed from the device.

VS-3631: Android with Samsung Enterprise APIs: Exchange configuration sometimes fails. This appears to be an issue with the Samsung API.

VS-3605: In the ActiveSync Devices page, the content of the Action Reason column
cycles through multiple values when a device is blocked for multiple reasons.

VS-3292: Deleting an event leaves the event name blank for existing entries in the
Event History page.

VS-3117: The Location API has the following issues: no error when phone/UUID is
empty, no error for invalid date, no error for invalid phone number.

VS-3027: iOS: In the MobileIron app, caps lock does not work in the Password
field.

VS-1639: Attempting to use the Locate function for all devices on a page produces
a pop-up that has no scrollbar and that displays only 13 of the 20 devices on the
page.

VS-1575: Android: Issuing a Wipe command followed by a Retire command to a
device when the device is not connected will result in a device that is retired only.

VS-1368: startLocationInfo is included in some records returned by the CallLogs
API. Only endLocationInfo should be returned.

VS-1363: Android: Attempts to add a recommended app fail if a previous version
has been added as an in-house app.

VS-1342, 15010: Performance issues have been reported for the Admin Portal on
Internet Explorer.

VS-1327: On Standalone Sentry, attempting to use an email address as a username when creating a user via the CLI results in an error.

VS-1310: Under Firefox, the dropdowns in the Access Control section of the security policy sometimes fail to populate with compliance actions.

VS-1286: iOS: For devices that are not MDM-enabled, wiping via ActiveSync prevents later configuration of Exchange settings via MobileIron app settings.

VS-1258: No alert is sent when the SMS archive queue is full.


VS-1245: Using the policies API to determine the number of devices having the
default security policy applied results in an incorrect number of devices reported.

VS-1222: Policy violation alerts are not generated if all managed devices are in violation.

VS-315: When two new security policies are added, editing and saving the one with
higher priority increases the priority of the second.

15053: Changing carriers for a device can result in duplicate entries for the device
in MobileIron.

15033: The Mobile Activity Intelligence process can cause 100% CPU utilization.

15015: Assigning a policy to a label containing a device that has already had the
policy applied via a different label causes the policy to be reapplied to that device.

14844: iOS: After upgrading to 4.1 or higher, assigning a non-iOS app to a label
containing iOS devices can result in the following error message on iOS devices:
Unable to refresh App Store. Remove the association between the non-iOS app
and the label to resolve this problem.

14842: Android: After upgrading MobileIron, you may need to re-save app settings
for Android devices to ensure that the settings are applied.

14836: Upgrading MobileIron does not always update the Language column for
existing devices in the All Devices page. You can manually update this column using
More Actions > Change Language.

14834: Changing the timezone for Mobile Activity Intelligence causes an incorrect
MAI processing time to be displayed.

14803: Android: Device type displays as "GRD" instead of "CDMA" for Motorola
Xoom.

14596: Changing the alert interval for a system event has no effect.

MobileIron Sentry does not support connection pooling via load balancer. Turn off
your load balancer's connection pooling before deploying.

IE9 is not currently supported. There are known issues with this version of the
browser, including failure to register devices from the Admin Portal.

9424: iOS: Marking dropped calls or running the speed test occasionally causes the
device to stop responding.

11075: Changing the external hostname results in a SCEP URL and verify URL that
still point to the old hostname.

11130: The Admin Portal permits administrators to send an invitation to register to
users who do not have appropriate permission to access MyPhone@Work. These
users receive a URL to a site they cannot access. Workaround: Be sure to assign
User Portal and MyPhone@Work Registration roles to users before you send an invitation.

11402: The antivirus scan does not always activate the Infected flag upon first
detection of a virus.

11525: If an error occurs when you add a new entry in the Sentry page, the entry
may still be stored in the database. After resolving the original error, you may see a
duplicate entry in the Sentry page.

11772: MyPhone@Work does not display activity that falls into the Unknown category, but includes the Unknown category data in the total. The Unknown category
represents activity that has been detected, but is missing the information necessary to place it in one of the activity types (e.g., international roaming). As a result,
there may be a discrepancy in the displayed data.

11830: Under Mobile Activity Intelligence > Settings > Toll Numbers, the Directory
assistance entry is sometimes loaded without the dashes. Workaround: In the Toll
Numbers screen, click Directory assistance to display the Edit Toll Number dialog
and enter the dashes.

13509: iOS: If the device user is running a speed test on the MobileIron Client
when the administrator attempts to retire the device, an Application Reset message displays, but the reset is not completed. As a result, the device is left in an
unusual state. Consider removing and reinstalling the client.

The Infected status should revert to Active once the detected virus has been
removed from the device. However, sometimes the device remains in the Infected
state. Workaround: Set the status to Lost, then set the status to Found.

If an attempt to remove an app setting fails, there is no function available for trying
again. Workaround: Assign the device to a label and then remove the association
between the device and the label (i.e., More Actions > Remove from Label).

14386: If a phone does not report a phone number, then Event Center messages
sent to the device user will display Not Available in place of the phone number,
regardless of the language selected for the device.

AC-1402: On Samsung Android devices, removing the TouchDown-configured client
and replacing it with a native email client configuration results in a "not configured"
status on the VSP.

AC-1211: The MobileIron app erroneously resets the device passcode for the HTC
Evo (Android 2.3.5) when the administrator issues the Unlock command.

AC-771: Pushing a policy that specifies decrypting a device results in an alert that
specifies decryption, but the button on the screen is labeled "Set Encryption".

AC-1091: The MobileIron app does not report successful encryption for Samsung
Galaxy S3 devices.

AC-218: The Cisco AnyConnect app must be installed before the MobileIron app to
ensure successful provisioning of VPN settings.

AC-1499: Registration fails to activate the device administrator for 4G devices on
which the WiFi feature has been locked down.

AC-1424: On Samsung Galaxy S2 devices running Android 2.3, the MobileIron app
and VSP fail to report encryption compliance.

AC-1451: Manually removing the VPN setting on the device does not cause the VSP
to push another VPN profile.

AC-1421: If Google Play Store has not been accessed previously, the first attempt
to view a recommended app displays the Play Store terms of service, after which
the selected app is not displayed.

AC-1393: Powering off the device when the password reset notification displays
resets the password age and restores the expired password.

AC-1212: HTC One X devices fail to report encryption non-compliance.


AC-1289: The MobileIron app reports encryption as "unavailable" instead of as
"enabled" or "disabled" for Samsung Galaxy S3 devices.


AC-895: Exchange app settings containing a custom attribute for the username or
password do not result in a properly configured device.

AC-491: Android: When the security policy specifies an alphanumeric password,
the secret generated with the Unlock command is sometimes a 4-digit PIN and
other times a compliant password.

AC-1417: The VSP does not report successful Exchange configuration when SCEP is
used.

AC-1399: The VSP erroneously reports passwords as non-compliant for devices
that have been manually encrypted.

AC-1318: If the device user delays accepting the terms of service while configuring
email on Android 4.0, then the VSP will not show successful email configuration
until the device checks in again.

AC-1259: Sending a second WiFi profile and certificate to a Samsung Android 4.0
device on which the certificate is already installed results in an unexpected certificate notification.

AC-1246: Removing the certificate specification from the WiFi app settings does not
result in the expected changes to the WiFi settings on the device.

AC-1219: Tapping OK before entering the requested certificate password results in
a blank message box. This is an Android OS issue. Workaround: Press the Back
button on the device.

AC-1072: Retiring a Samsung Note does not result in a decryption notification.
Workaround: Restart the device.

AC-867: When the Sync on Low Battery option is turned off on the VSP, devices
continue to sync with the VSP when battery power is low.

AC-1030: Pushing WiFi settings to a Motorola Xoom disconnects the current WiFi
and leaves the WiFi disabled until and unless the user manually connects to the
pushed WiFi profile.

AC-1283: Pushing a WiFi profile with a certificate results in prompts to reprovision
the certificates that are already installed.

VS-7153: Revising an incorrect override URL does not repair app installations that
failed on iOS 5.x devices due to an incorrect override URL. The device user must
delete the app icon manually before attempting to reinstall. This behavior is determined by the device operating system.

VS-5372: ActiveSync policies are not applied to Android devices having the TouchDown client installed. This is expected behavior.


Usage notes
General
The following notes apply to MobileIron, regardless of the client OS:

VS-6018: In Active Directory, if a user is a member of multiple groups and one of
those groups is the user's primary group, then syncing the users of that group from
the VSP excludes every user who has it as a primary group. This is a known issue
from Microsoft. See the following article from the Microsoft site:
http://support.microsoft.com/?kbid=275523.

Avoid creating user IDs that include _MIxx, where xx is a number. This sequence is
reserved for user IDs requiring special processing, which includes stripping the _MI
sequence and all characters following it.

Do not lock down WiFi for devices that have only WiFi access. There will be no way
to undo the setting if there is no way to communicate with the device.

VS-1187: For larger LDAP systems, the LDAP browser in Admin Portal (Settings >
LDAP) may cause the following prompt on Internet Explorer:
A script on this page is causing your browser to run slowly.
Click No to ensure that the data displays appropriately.

VS-1017: As a result of upgrading to 4.2 or higher, you may observe that CPU
usage increases to 100% every 15 seconds. This behavior is expected as a result of
the resolution for an issue with the contact sync feature.

VS-2250: The amount of time it takes to apply an event to a label depends on the
number of devices identified by the label. Therefore, it may take some time for the
label name to display as selected for the event.

MobileIron enables you to customize messages associated with registration, Event
Center, and app distribution. Note the following when using this feature:

Variable notation for registration messages and app distribution messages is
different from notation for Event Center messages: $variable$ versus $variable.

Most variables are currently required. For example, you might prefer to remove
the user name from the registration email subject, but that is not currently supported.

MobileIron drops any unsupported variables you add to a message without indicating the lack of support.

You cannot edit the default Event Center messages; you can only add new
ones. However, you cannot add new registration messages; you can only edit
the existing ones.

For MobileIron Integrated Sentry, if user information contains a non-printable string
(e.g., DEL key), it will be replaced with a hex string.

If multiple LDAP servers are configured in MobileIron, but one is not reachable at
the time that the user attempts to display LDAP users, then the user will receive an
error message. Increasing the timeout configured for the LDAP server in the System Manager should resolve the problem.

Installation of the MobileIron Client will fail if the time set on the phone is older
than the certificate time.


Selecting Link to LDAP for a local user in the User Management screen removes the
roles assigned to the local user. The next time the user authenticates, roles will be
applied based on the LDAP group of the corresponding LDAP user.

Changing the External Host setting under Settings > Preferences requires regeneration of any self-signed certificates or uploading matching portal-HTTPS and clientTLS certificates. Rebooting is also required.

Privacy settings specified by the end user in MyPhone@Work override the corresponding settings in the privacy policy. For example, if the end user specifies that
SMS content should not be synchronized, then setting the SMS option to Sync Content in the privacy policy will have no effect.

MyPhone@Work users should set their browsers to accept mixed content to ensure
that all data is displayed in the Activity page.

The ActiveSync Devices page does not reflect the new mobile number for a device
in the event of a SIM change.

Adobe Flash Player 10 is required for display of some MyPhone@Work graphics.


12545: MobileIron is unable to obtain phone numbers for some pre-paid SIM cards,
such as Optus (Australia).

Sentry: The success of ActiveSync policies, like browser and IMAP lockdown, is
dependent on the implementation of the ActiveSync client on the device. Therefore,
Sentry might send the correct provisioning policy, but the ActiveSync client might
not support portions of the policy.

Editing existing file catalogs is not currently supported.


14163: SMS messages containing Japanese or other multi-byte characters which
are sent through US carrier e-mail-to-SMS gateways may be garbled or not delivered. This is a limitation of the carrier e-mail-to-SMS gateway.

Android
VS-4451, VI-31: Android: Deactivating the Samsung DM agent or removing the
MobileIron app does not remove the lockdown policy applied by MobileIron. This is
a Samsung issue.

VS-5909: Android: The Wipe function may appear to be only partially effective for
devices that are configured to restore their content from Google Cloud.

Android: Cisco AnyConnect must be installed before the MobileIron app is installed
if you intend to use MobileIron to manage the AnyConnect profile.

AC-455: Android: SD cards for certain models cannot be wiped because of device-specific limitations that prevent deletion of files from the SD card.

VS-1470: Android: An ActiveSync wipe causes TouchDown to wipe its email profile,
not the device data. The result is recurring "Email configuration is ready" messages
on the device.

VS-3865: Android: Data decryption is initiated when the Exchange profile is pushed
to the device if the default ActiveSync policy pushed to the device does not specify
that encryption is required.

VS-784: Android: Apps are not synced from devices when the privacy policy is
changed to None and then changed back to Sync Inventory. Installation of an additional app or rebooting the device causes app sync to resume.


Certain Sprint devices are shipped with an app called Exchange Email, which cannot
be un-installed and is not compatible with NitroDesk's TouchDown for Android.
Attempting to install TouchDown on these devices results in a duplicate provider
authority error.

13701: The Samsung Galaxy tablet experiences problems during attempts to provision the Exchange configuration via the native ActiveSync client. Workaround: If
the situation does not resolve itself, try removing and reapplying the Exchange configuration.

12649: Android: Android devices that do not have NitroDesk's TouchDown installed
may be displayed in the ActiveSync Devices page with unexpected device types.
This is a result of the implementation on the device.

The Samsung SAFE (Android 4.0) email app uses ActiveSync 14.1, which is supported by Sentry 3.3. Make sure you have installed Sentry 3.3 or later.

In the VSP Exchange app setting, make sure the "Using Sentry Standalone" checkbox is NOT checked. This is true even if you are using Sentry Standalone. Checking
this box causes identifying text to be appended to the ActiveSync User Name,
which causes interoperability issues with the Samsung SAFE email app (Android
4.0).

The Samsung email app on Samsung devices running Android 4.0.3 exhibits several issues. Configuration of the app by MobileIron is successful, but the email app
often does not fully provision itself. We recommend against using it.

If you are using Identity certificates for Exchange authentication, make sure the
identity certificate being used can be validated by the device using the CA trust
chain. If you are using a private CA, then the Root CA certificate must be installed
on the device prior to provisioning e-mail. If you are using the VSP Local CA functionality, you can download the CA certificate from the VSP. Go to Settings > Local
Certificate Authorities > Local Certificate Authorities and click the Edit icon to display the Cert URL.

Exchange places a limit on the number of devices that can be associated with a
given email account. Confirm you have not exceeded the maximum phone partnership count on Exchange.

AC-1420: Encryption is not supported for some older devices, including the Samsung Galaxy Tab running Android 2.3.5. This is a vendor issue.

VI-101: Certificates are not yet supported for Android 4.1.


VI-106: HTC One X devices running Android 4.0 prompt for a PIN after a complex
passcode has been set, leaving the device inaccessible.

VI-83: The provisioning of p12 certificates can get stuck during the certificate
extraction process.
Workaround: Rotate the device, which should cause the alias installation screen to
display. If that fails, try locking and unlocking the device.

VI-88: For Samsung devices running Android 4.0, removing the association
between the Exchange app setting and a label does not remove the entry for the
corresponding email account from the Accounts and Sync listing.

VI-107: Android limits Wi-Fi SSIDs to 32 characters.


VI-104: The Samsung Native Email client for Android 4.0 displays an "Update Security Settings" notification when properly configured. However, the notification often
disappears when the device user attempts to tap it.
Workaround: Dismiss the email app with the Home button, then relaunch it. It will
usually crash when you do this, but relaunching results in another prompt for security settings.

VI-101: Android 4.1 does not currently support certificates.


VI-100: The Samsung email client on Android 4.0 sets the user name to match the
email address. For example, if you configure the account to have username "Bob"
and email address "bsmith@blah.com", the account will be configured to have username "bsmith" and email "bsmith@blah.com". This means that anyone whose username does not match their email address will not be able to get mail unless the
Exchange server is set up to accept the email stub as a valid identifier.

VI-92: Samsung S3 devices running Android 4.0 sometimes display "Unfortunately,
Settings has stopped" when the device is rebooted.

VI-86: The Samsung S3 often indicates that Device Administrator needs to be activated, though it is already activated.

VI-85: The email client on the Samsung S3 sometimes crashes after being configured by the VSP.

VI-84: Entering a blank password during installation of a P12 certificate results in a
darkened screen or empty dialog.
Workaround: Press the Home button to return to the dialog flow.

VI-74: Samsung devices running Android 4.0 display the following error during
attempts to connect to a website that requires an identity certificate: "Connection
problem - A secure connection could not be established."

VI-73: HTC One X and HTC One S devices fail to populate the Certificate Installation dialog with aliases for P12 certificates.

VI-89: When configuring email in the MobileIron client, entering an incorrect email
password on Samsung devices running Android 4.0.3 or Android 4.0.4 requires the
user to clear the email configuration data before they can successfully configure
email.
See Workarounds for VI-89.

Workarounds for VI-89

On Samsung devices running Android 4.0.4
1. Launch Email. The Upgrade accounts screen appears.
2. Tap Delete for the misconfigured email account (the first in the list).
3. Reconfigure your email.

On Samsung devices running Android 4.0.3
To remedy the situation on an Android 4.0.3 device, there are two general steps:
Disable Device Administration for the email client
Clear the data for the email client

To disable Device Administration:
1. On your Samsung device, tap Settings > Security > Device administrators.
2. Uncheck the checkbox next to the Email icon. If there is no Email icon, just back
out and continue to the instructions for clearing the data.
3. In the Confirmation dialog, tap Deactivate.
4. Back out to the Home screen.

To clear the data:
1. On your Samsung device, tap Settings > Applications.
2. Tap the All tab.
3. Tap Email (you may have to scroll through a very long list of apps).
4. Tap Clear Data. If the buttons are disabled and you have not yet cleared data,
repeat the instructions for disabling Device Administration.
5. Tap OK.
6. Press the Home key.
7. Tap MobileIron and reconfigure your email.

iOS
iOS: If a user downloads an in-house app, removes the MDM profile, and then re-registers the device, the VSP does not push a new provisioning profile, resulting in
an in-house app that stops working. Workaround: The user must download the in-house app again.

IOS-107: The Server Name Lookup feature is no longer supported for iOS. If you
want to continue to use in-app registration, then you must communicate the server
address to device users. Using an alternate method of registration, such as bulk
registration, is also an option.

VS-4610: iOS: iPhone 4S devices from Sprint and Verizon registered as WiFi-only
devices report the MNC as SPR or VZW instead of the expected numerical value,
resulting in incorrect country display. Once MDM is enabled, the information is
updated appropriately.


VS-2308: iOS: If you are manually zipping an IPA file, we recommend using the
Mac zip operation with the -r and -y flags to create the IPA file.

14421: iOS: If a user disables location tracking before registering a device, and
then enables it after registering the device, multitasking for the MobileIron app is
not automatically enabled. The user must manually start the MobileIron app before
multitasking takes effect. Also, if the user does not allow the MobileIron app to
enable iOS Location Service when prompted after registration, the user must turn
on iOS location support and restart the MobileIron app before multitasking takes
effect for the MobileIron app.

14263: iOS 4.1: If the MobileIron app is removed and reinstalled on an iOS 4.1
device, the location feature may fail. This is due to an issue in iOS 4.1 that was
addressed in iOS 4.2.

15017: iOS: There is sometimes a discrepancy between the OS version reported in
the All Devices page and the Device Details pane if iOS MDM is not enabled.

The MDM field that provides information on whether an iOS device has been compromised isn't taken into account for our Compromised check for iPhone 3G, iPod
touch 3rd generation, and iPod touch 4th generation. For these models, we rely on
the information provided to us by the MobileIron Client, whereas with other models
(when MDM is enabled), we use both MDM and the information from the MobileIron
Client.

iOS: If you configure your MobileIron appliance using the internal hostname, then
users who attempt to register iOS devices may receive the following error:
"The server certificate hostname did not match. Please contact your
administrator."
This error occurs because the certificate provided to the iOS device refers to the
internal hostname, which is not accessible to the user registering the phone. Be
sure to configure the MobileIron appliance using the external hostname.

iOS: In rare cases, the phone number may not be available to the MobileIron Client
on an iOS device. This causes the server name resolution feature to fail. It also
causes the iOS device to register as a PDA. The best approach to this issue is to set
the phone number on the iOS device. To set the number: 1. Tap Settings. 2. Tap
Phone. 3. Tap My Number. 4. Enter the phone number. 5. Tap Save.

iOS: The times you can set for "Maximum inactivity timeout" vary by iOS device.

iOS: iOS devices accept settings for up to four subscribed calendars. Therefore, any
additional calendar settings applied to an iOS device will be ignored.

iOS: For the User Name specified in subscribed calendar settings, iOS devices may
display the @ in an email address using different characters.

iOS: iOS 4 sets IMAP email settings as POP settings, though the settings have been
transmitted correctly by the VSP.

iOS: In rare cases, removal of old MobileIron profiles will fail. For example, if you
re-register an iOS device, the Exchange settings associated with the old profile may
remain. To address this issue, you may need to do a hard reset and a selective
restore from iTunes.

11358: iOS: The MDM profile sometimes fails to install. Associated error messages
include Profile Failed to Install and Invalid Profile. Repeating the attempt once or
twice resolves the issue.


11688: iOS: If MobileIron password caching is not enabled and an Exchange profile
is sent without a password, then the password that users enter when prompted will
be saved on the device, but not on the VSP. Users must set the Exchange
password manually on the device. Pushing the profile will repeat the process on the
device.

11967: iOS: MobileIron always uses SCEP in proxy mode for Exchange settings,
regardless of the configuration specified in Admin Portal.

If the iOS device has received an MDM profile previously, then installing a new one
may take up to ten minutes.

After implementing an Enterprise Issued APNS certificate, you must restart tomcat
on the VSP. An easy way to do this is to display the Email Settings screen in System
Manager and click the Apply button.

The options displayed under Application Settings > iOS > Restrictions have limitations based on OS version. MobileIron does not have control over these limitations.

12855: iOS: If a device user does not respond to the app download prompt within
60 seconds, then the download expires. Attempts on the part of the user to retry
will fail.

12979: iOS: MDM-enabled iPads do not report mobile country codes (MCC) and
mobile network codes (MNC).

MDM-enabled iOS devices that have been locked prevent the MobileIron VSP from
performing many functions. This is by iOS design. Therefore, if attempts to perform
actions such as pushing new provisioning profiles fail with a message that indicates
the attempt should be made later, then the device is probably locked.

iOS: Cisco AnyConnect does not allow for saving user passwords. Therefore,
despite receiving a VPN setting from MobileIron, users must enter a password. See
the following link for more information on this Cisco issue: https://supportforums.cisco.com/message/3041057.

iOS: The General application setting for iOS (Apps & Configs > App Settings > iOS
> General) should be avoided, if possible. If you must make changes, do so before
you start registering iOS devices.

Windows Phone 7
Windows Phone 7 devices may fail to synchronize with error 0x85010013 or
0x8600C2B when connecting to the Microsoft Exchange Server due to policies that
the device cannot enforce. Specifically, Windows Phone 7 supports the following
parameters:
PasswordRequired
MinPasswordLength
IdleTimeoutFrequencyValue
DeviceWipeThreshold
AllowSimplePassword
PasswordExpiration
PasswordHistory
DisableRemovableStorage
DisableIrDA
DisableDesktopSync
BlockRemoteDesktop
BlockInternetSharing

As a result, you may need to adjust your MobileIron security policies. See the following Microsoft knowledge base article for information: http://support.microsoft.com/kb/2464593.


13302: Windows Phone 7 mishandles Exchange ActiveSync lockdown policies. This
can prevent synchronization between the device and Exchange.

Networks with limitations

The following networks have limitations that impact MobileIron functionality:

Belgacom: Cannot access phone number


Nextel/iDEN: Cannot capture SMS because they are received as MMS. No location if
no GPS is available.

Verizon: Devices that have only an active data plan and no active cell plan are detected
as roaming.

North American operators: Most use standard, 7-bit SMS, which does not support
special characters. Clickatel, however, does support special characters. Because
MobileIron uses Clickatel for SMS support outside of North America, users may see
messages containing odd characters in place of the original characters.

Devices with limitations

The following devices have isolated limitations that impact MobileIron functionality:

Amazon Kindle Fire: Runs a modified version of Android 2.3, so most of the
Android-supported VSP policies, app settings, and device management commands
work. The limitations are:

MobileIron Android app must be sideloaded - The MobileIron Android app is not
available in the Amazon Appstore and must be sideloaded on the Kindle Fire.
Apps may be sideloaded if the device is configured to allow installation of
non-Market applications (Unknown sources).

C2DM is not supported - A Google account must be activated on the Android
device in order for C2DM to work, and the Kindle Fire does not support Google
accounts, so C2DM is not functional on the Kindle Fire. The following VSP
functionality is impacted as a result:

Send Message via Push Notification is not supported - The Push Notification
mechanism relies on C2DM for message delivery.

Force Device Check-in is not supported - The Force Device Check-in functionality
relies on C2DM to wake up the MobileIron Android app and force it to check in.

Immediate execution of Wipe, Lock, Unlock, and Retire commands is not supported -
When these device management commands are issued on the VSP, the VSP sends a
Force Device Check-in via C2DM. This forces the client to check in and receive the
device management command. Because C2DM is not available, the device will not
receive the force device check-in, and the command is delivered at the next sync
interval. It is possible to reduce the sync interval (via the Sync Policy) to
mitigate the delay in the delivery of these device management commands.

Recommended apps are not supported - Recommended apps point to Google Play
(formerly Android Market) and not the Amazon Appstore. Since Google Play is not
accessible on the Kindle Fire, these will not work.

Android: For a few devices, shortcuts do not support upgrades. Therefore, attempting to upgrade the MobileIron app does not work. Sometimes, this results in uninstalling the previous version.


HP iPAQ Mobile Messenger 910 (AT&T-GSM): No location if GPS is not available. No
current operator. No current country.

HTC 8900/Apache/Dash/Juno/MP6900SP/X7500: No location.

HTC Imagio: Device is disabled a few days after MobileIron registration.

HTC Incredible: MobileIron Client upgrades may result in the message "The linked
program is no longer installed on your phone."

HTC Mogul (Sprint): No location.


HTC-P4600 (AT&T-GSM): No location in some cases if GPS is not available.

LG-C900 Windows 7.0.7004.0: Mishandles ActiveSync lockdown policies,
resulting in sync issues.

LG CT810 (AT&T-GSM): No location if GPS is not available.


LG Optimus S (Android): Cannot uninstall the MobileIron app, due to device-specific problem with deactivating the device administrator role.

Motorola Q, Q9C (Verizon-CDMA): No location. No home operator info. No radio
information except signal strength.

Nokia E71x: Does not support device encryption.

PalmTreo 700: No location.

Nokia E51 and E90: Do not support lock or device/SD card encryption.

12149: Palm Pre currently is not supported for use with Standalone Sentry.

10987: The Palm Treo disconnects from a Remote Access session if the phone goes
to sleep.

Pantech Duo: No location.

RIM 8703e: Call log reports call as aborted if another call is on hold.

RIM 8950 (Sprint-CDMA): No location available.

Samsung Blackjack 1 (version I only): No location.

Samsung Blackjack 2: Camera lockdown policy does not work.

Samsung Jack i637: Security policy on the device prevents MobileIron from running successfully on the device. MobileIron security policies and Exchange settings
cannot be applied. Also, details are not available for matching with ActiveSync
records.

Samsung Saga: Attempting to turn on encryption disables the device.


Samsung SGH-i917 Windows 7.0.7004.0: Mishandles ActiveSync lockdown policies,
resulting in sync issues.

Sanyo Kio (Sprint): Ships with a version of NitroDesk's TouchDown that is incompatible with other versions of TouchDown and cannot be uninstalled.

SCH-i760/XV6700/VX6800 (Verizon): No location.


T-Mobile Dash (T-Mobile-GSM): No location if GPS is not available. No radio type.
No current operator. No current country. Attempts to turn on encryption disable the
device.

Verizon iOS 4.2.8: International roaming can't be detected on this device.


Appendix B

Web-based Registration for iOS and OS X Devices

What is web-based registration?

Web-based registration is a process of registering iOS and OS X devices in bulk for large deployments. The benefits of this style of registration include:

- iTunes accounts are not required
- No end-user interaction is required

However, because a MobileIron app is not downloaded to the device, the management features provided by the app, such as in-house app distribution, are not available.

Preparation
Because users will be informed of the registration via email before they receive the
device, you should consider turning off user notification when you bulk register the
devices. As an alternative, consider editing the registration template or informing
users that they should ignore the email. See Customizing registration messages on
page 96 for information on editing the template.

Supported browsers for iOS and OS X devices

Web-based registration requires a Safari browser on the device.

Installing the Mobile@Work app for iOS

The Mobile@Work app for iOS can be installed after web-based registration via in-app registration. After the user or administrator completes the installation of the Mobile@Work app and initiates a new registration, MobileIron detects that the device already exists in the database and updates the existing record. See In-app registration for iOS and Android on page 88 for information on performing in-app registration.


Implementing web-based registration for iOS and OS X devices

To implement web-based registration for iOS and OS X devices:

1. In Admin Portal, select Settings > Preferences.

2. Set the iOS Web-based Registration Requires option to the preferred option.

3. Set the In-App Registration Requires option to Password.

4. Bulk register the devices on the VSP.
   See Registration by administrator: multiple devices (bulk registration) on page 82 for information on using bulk registration.
   Once these devices are registered, they will appear in the All Devices page with a status of Pending.

5. Click the Pending Device Report button in the All Devices page to create a spreadsheet of the devices you just registered.
   The pending devices report lists the username and the PIN and/or password you will need in order to complete the registration process on the user's behalf.

6. On each device, point the browser to the following URL:
   https://<fully-qualified domain name for the VSP>/ireg
   For iOS devices, the following screen displays:

   For OS X devices, the following screen displays:

7. Enter the requested information for the user who will receive the device.

8. Click Register.

9. Instruct iOS device users to download the Mobile@Work app from the Apple App Store and complete the in-app registration process.
   MobileIron will detect that the device is already registered and match the new Mobile@Work app to the existing entry for the device.


Appendix C

Distributing iOS MDM Profiles with Apple Configurator

MobileIron supports distribution of iOS MDM profiles by means of Apple Configurator. In addition, you can use bulk registration in the Admin Portal to automatically match users to devices based on serial number.
Note: Administrators who are experimenting or troubleshooting individual devices can also use the iPhone Configuration Utility to deploy a registration profile to a device.

Notes on using Apple Configurator

- Do not assign user-specific configurations to the iOS label. Devices registered through the Configurator are initially registered as anonymous users, so pushing user-specific configurations (e.g., Exchange configurations) introduces unnecessary processing that must be repeated after the VSP matches the device to the user.

- If you are using the Configurator to register devices that display the iOS Setup Assistant, then enable supervision of the devices in the Configurator. The Setup Assistant is the wizard-like interface you see when starting the device for the first time. The Setup Assistant prevents display of the registration dialogs, causing deployment of configuration profiles to fail, unless supervision is enabled.

- Consider installing the Wi-Fi profile in a separate operation prior to installing the MDM profile. This approach prevents the MDM profile installation from failing if the device does not acquire an IP address (required for VSP connectivity) in a timely manner. Just complete the steps in How to use Apple Configurator for MobileIron registration for the Wi-Fi profile.

How to use Apple Configurator for MobileIron registration

Complete the following tasks to use Apple Configurator for registering devices with your VSP:

1. Acquire serial numbers.
   This step is necessary only if you want to match devices with serial numbers automatically.

2. Bulk register the devices.
   This step is necessary only if you want to match devices with serial numbers automatically.

3. Export the MDM profile from the VSP.

4. Import the MDM profile into the Configurator.

5. Apply the MDM profile to tethered devices.

Acquiring serial numbers

To automatically associate users to Configurator-registered devices, you must bulk-register the devices on the VSP and specify the device serial numbers in the registration spreadsheet. Check the following sources for serial numbers:

- the back of the device
- in iOS (Settings > General > About)
- on the retail and bulk device packaging (both in readable and barcode form)

For large roll-outs of devices, we recommend using a barcode scanner and the iPhone Configuration Utility to quickly import serial numbers for tethered devices. This is particularly useful since the serial number can be copied from IPCU and pasted into the spreadsheet. This practice is also useful if you intend to recycle and re-register devices.

Bulk-registering the devices

To bulk-register the devices:

1. In the Admin Portal, select Users & Devices > Devices > Add > Multiple Devices.

2. Click Sample CSV File.

3. Save the sample file to your local drive.

4. Add an entry for each device, including the serial number.
   See Registration by administrator: multiple devices (bulk registration) on page 82 for more information on completing the bulk registration CSV file.

5. In the Adding Multiple Devices dialog, click Browse to select the edited CSV file.

6. Click Import File.

Exporting the MDM profile from the VSP

To export the iOS MDM profile:

1. In the Admin Portal, select Policies & Configs > Configurations.

2. Select the System - iOS MDM setting.

3. Click Export MDM Profile.

4. Save the file to your local drive.
   The file will have a .mobileconfig extension.

Importing the MDM profile into the Configurator

To import the iOS MDM profile into the Configurator:

1. If you plan to configure supervised devices, complete that process in Apple Configurator.

2. In Apple Configurator, click Prepare at the top of the screen.

3. In the Name field, enter a name for the configuration.

4. Click the + under Profiles.

5. Select Import Profile.

6. Select the MDM profile you exported.

7. Click Open.

Applying the MDM profile to the tethered device

To apply the imported MDM profile using the Configurator:

1. Tether a device.

2. Select the checkbox next to the profile you just added.

3. Click the Prepare button at the bottom of the screen.

4. If prompted to confirm, click Apply.

5. For unsupervised devices, respond to the profile installation prompts displayed on the device.
   Prompts do not display on supervised devices.

6. Confirm that the registration has been completed on the VSP.
   If you did not bulk-register the devices, they will be displayed in the Admin Portal with the "<Anonymous>" user account. When a device user installs and signs in to Mobile@Work, the VSP switches the device to that user's account.


Appendix D

Secure Apps on Android Devices

Your administrator configures whether your device uses secure apps, and determines which secure apps are downloaded and installed on your device.
A secure app:

- keeps its data secure.
  A secure app can share its data and files only with other secure apps.

- requires you to log in with a secure apps passcode.
  Logging in one time with your secure apps passcode allows you to access all the secure apps.

- overlays its icon with a special badge that indicates it is a secure app.

The Mobile@Work app works with another MobileIron app to download, install, and manage your secure apps. The other MobileIron app is called the Secure Apps Manager. The Secure Apps Manager is downloaded and installed along with the secure apps.
Setting up your device to use secure apps requires you to do the following:

1. Download and install the secure apps on page 696

2. Create the secure apps passcode on page 697

Also related to secure apps, see:

- Secure apps notifications on page 698
- Secure apps status bar icons on page 699
- Camera, gallery, and media player warning messages on page 700


Download and install the secure apps

To download and install the secure apps on Android devices:

1. Start the Mobile@Work app.
   If you do not see the Secure Apps tab on your Mobile@Work home screen, your administrator has not configured your device to use secure apps.

2. Follow the instructions to install secure apps, including the Secure Apps Manager.

3. Continue to Create the secure apps passcode on page 697.

Create the secure apps passcode

After you download and install all your secure apps, you create a passcode for the secure apps. Logging in one time provides access to all the secure apps.
Note: The secure apps passcode is not the same passcode as your device password, if you have one. You can choose the same values for both the secure apps passcode and the device password, or choose a different value for each of them.
To create your secure apps passcode:

1. Complete the steps in Download and install the secure apps on page 696.

2. Tap Continue on the Create Secure Apps Passcode screen.

3. Enter a passcode, and then enter it again.
   Adhere to the passcode requirements that are stated under the Enter Passcode field.

4. Tap Done.
   After creating the secure apps passcode, note the lock icon in the status bar.

Secure apps notifications

Throughout the steps for setting up secure apps on your device, and after the steps are completed, you receive notifications about the status of Mobile@Work and secure apps. For example, a notification indicates whether you have logged in with the secure apps passcode.
When you power on the device, a notification indicates that you have not logged in with your secure apps passcode, and that you have no email connection. Be sure to log in.
To log in:

1. Open any secure app or the Secure Apps Manager.

2. Enter your secure apps passcode.

Some secure apps, such as the email app, are active even when you are not using them. For example, the email app syncs your email and calendar items. Until you log in with your secure apps passcode, these apps cannot do their jobs.

Secure apps status bar icons

A secure apps icon appears in the status bar of the device.
When you have entered your secure apps passcode, the icon looks like the following:

When you are logged out of secure apps, the icon looks like the following:

For example, you are logged out when you have not used a secure app for five minutes.
The secure apps icon turns into a warning icon in some situations:

The warning icon appears when you need to reenter your secure apps passcode, such as when you power on the device.

Camera, gallery, and media player warning messages

The administrator can allow or prohibit secure apps on your device to do the following:

- access camera photos from the app
- access gallery images from the app
- stream media from the app to a media player

If a capability is prohibited and an app attempts to use it, a message displays indicating that the administrator has disabled the capability.
If the administrator allows accessing camera photos from secure apps, when an app accesses the camera, the app displays a warning. The warning indicates that the photo will not be secured, and that a photo from an unsecured camera app may compromise secure data.
If the administrator allows accessing gallery images from secure apps, when an app accesses an image, the app displays a warning. The warning indicates that the image will not be secured and that an image from an unsecured app may compromise secure data.
If the administrator allows media streaming from secure apps, when an app is about to stream media, the app displays a warning. The warning indicates that media will be streamed outside the secure container.
The warnings also provide the option to turn off future warnings.

Appendix 1

Secure apps on iOS Devices

Secure apps on iOS devices allow the device user to securely access sensitive work documents and data on the device. You configure secure apps for a device as described in How to configure AppConnect on page 482.
Typically, you configure AppConnect to require the device user to use a secure apps passcode to use secure apps. The device user creates and uses a secure apps passcode as follows:

- Creating a secure apps passcode on page 701
- Logging in with the secure apps passcode on page 704
- Logging out of secure apps on page 705
- Resetting the secure apps passcode - user initiated on page 705
- Resetting the secure apps passcode - administrator initiated on page 708
- Handling a forgotten secure apps passcode on page 711

Creating a secure apps passcode

When you have configured a device so that a secure apps passcode is required, the Mobile@Work home screen looks like the following:

Mobile@Work prompts the device user to create a secure apps passcode the first time the user does one of the following:

- launches any secure app
- taps the Local Files tab or Remote Files tab in Mobile@Work.

If Docs@Work is enabled, the Local Files and Remote Files tabs allow the user to access file share documents and email attachments. Like secure apps, these Mobile@Work capabilities require the secure apps passcode.
To create a secure apps passcode, the device user does the following:

1. Taps Local Files if Docs@Work is enabled.
   If Docs@Work is not enabled, the user launches any secure app.

2. Enters a passcode according to the specified instructions.

3. Taps OK.

4. Reenters the passcode.

5. Taps OK.

6. Taps Done.

Logging in with the secure apps passcode

After a period of time in which the device user uses no secure apps, Mobile@Work automatically logs the device user out of secure apps. When the user once again launches a secure app, or taps the Local Files or Remote Files tab in Mobile@Work, Mobile@Work prompts the user to log in with the secure apps passcode:

The device user does the following:

1. Enters the secure apps passcode.

2. Taps OK.

The device user can now continue with the secure app.

Logging out of secure apps

The device user can log out of secure apps. Logging out is useful, for example, if the user is lending the mobile device to a family member for a few minutes.
Note: The user is automatically logged out after a period of inactivity.
To log out of secure apps, the device user does the following:

1. Goes to the Mobile@Work home screen.

2. Taps Log Out.

Mobile@Work will prompt the device user for the secure apps passcode the next time the user launches a secure app, or the next time the user taps the Local Files or Remote Files tab in Mobile@Work.

Resetting the secure apps passcode - user initiated

The device user can choose to reset the secure apps passcode at any time. The user does the following:

1. Taps the Settings tab on the Mobile@Work home screen.

2. Taps Secure Apps Manager.

3. Taps Reset Passcode.

4. Enters the old secure apps passcode.

5. Enters a new passcode according to the specified instructions.

6. Taps OK.

7. Reenters the passcode.

8. Taps OK.

9. Taps Done.

Resetting the secure apps passcode - administrator initiated

You can change the secure apps passcode requirements on the VSP by modifying the AppConnect global policy. When Mobile@Work checks in with the VSP, Mobile@Work prompts the device user as follows:

The device user does the following:

1. Taps OK.

2. Enters the old secure apps passcode.

3. Enters a new passcode according to the specified instructions.

4. Taps OK.

5. Reenters the passcode.

6. Taps OK.

7. Taps Done.

Handling a forgotten secure apps passcode

If a device user has forgotten the secure apps passcode, the user can reset the secure apps passcode by providing his VSP credentials.
The device user either:

- realizes that he has forgotten the passcode.
- exceeds the maximum number of attempts to enter the passcode.
  You configure this value in the AppConnect global policy.

Note: Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered with a VSP 5.5. See Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5 on page 715.

When the device user realizes that he has forgotten the passcode

The device user does the following:

1. Launches a secure app, or taps the Local Files or Remote Files tab in Mobile@Work.
   Mobile@Work prompts the user to log in with the secure apps passcode:

2. Taps Forgot Passcode.

3. Enters the User Name and Password for registering with the VSP.

4. Enters a new passcode according to the specified instructions.

5. Taps OK.

6. Reenters the passcode.

7. Taps OK.

8. Taps Done.

When the device user exceeds the maximum number of attempts

When the device user exceeds the maximum number of attempts to enter the secure apps passcode, Mobile@Work displays the following:

The device user taps Create New, and continues as above to enter his VSP credentials, followed by a new secure apps passcode.
If the device user taps Cancel, Mobile@Work displays the following:

The device user can return to the secure app and try again.

Forgotten secure apps passcode with Mobile@Work 5.7 and VSP 5.5

Forgotten secure apps passcode handling is different if Mobile@Work 5.7 is registered with a VSP 5.5. Mobile@Work displays a message to the device user describing the steps to take if the user has forgotten the passcode. Executing these steps means that the device user cannot recover any secure data that the AppConnect apps had saved.
The steps are:

1. Uninstall Mobile@Work.

2. Reinstall Mobile@Work.

3. Re-register with the VSP.

4. Create a new secure apps passcode.


Appendix 2

Docs@Work for iOS

The Docs@Work feature, which includes email attachment control, gives iOS device users an intuitive way to access, store, and view documents from email and content servers, such as SharePoint. It lets administrators establish data loss prevention controls to protect these documents from unauthorized distribution. The Docs@Work feature requires iOS users to have the Mobile@Work for iOS app on their devices.

This chapter provides the iOS device user perspective of using Mobile@Work. For the administrator perspective of the Docs@Work feature, see Docs@Work on page 453.

Using the Mobile@Work for iOS app, your iOS device has secure access to:

- content server documents
  You can securely access content server documents and save copies to your device.
  See Accessing content server documents on page 718.

- email attachments
  Your administrator determines how you view email attachments based on your company's security policies.
  See Accessing email attachments on page 726.

Using Mobile@Work, you can also:

- Save local copies of content server documents and email attachments for later viewing.
  See Managing local files on page 729.

- View the email attachments that you most recently opened.
  See Managing recently opened email attachments on page 735.

- Open documents you are viewing in other apps, if your administrator has configured your device with this capability.
  See Opening documents in other apps on page 741.

For information about the types of files that Mobile@Work can display, see Supported files in the Mobile@Work for iOS app on page 743.
The instructions that follow are based on using Mobile@Work on an iPhone running iOS 5.1.1. Mobile@Work works a little differently on an iPad to take advantage of the larger screen. See Mobile@Work on an iPad on page 743.


Note: These features are available only if your administrator has enabled the
Docs@Work feature on the VSP.

Accessing content server documents

You can access content server documents from Mobile@Work in these cases:

- Your administrator has set up access for you to a content server.
- You set up access to a content server yourself using Mobile@Work, if you have credentials to log in to the content server.

Setting up access to a content server yourself

To set up access to a content server:

1. In Mobile@Work, tap Remote Files.

2. Tap the + sign.

3. Enter the following information:

   Field: Server
   Description: The URL of a content server.
   For SharePoint, enter the URL of a SharePoint site, subsite, library, or folder. The URL includes a hierarchical list of names that drills down to where you want to access. This URL is not the same as the URL that you see in a Web browser open to the same site, subsite, library, or document.
   For example, use:
   - http://companySharePointSite.com to specify the top of the SharePoint site.
   - http://companySharePointSite.com/Marketing to specify the Marketing subsite in the SharePoint site.
   - http://companySharePointSite.com/Marketing/Demo to specify the Demo subsite within the Marketing site.
   - http://companySharePointSite.com/Marketing/NewProductDocuments to specify the NewProductDocuments library in the Marketing site.
   - http://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures to specify the TopFeatures folder in the NewProductDocuments library.
   Note: A valid URL does not contain spaces or certain special characters. For example, a space is entered in a valid URL as %20, as in https://companySharePointSite/Shared%20Documents.

   Field: Name
   Description: A descriptive name for the content server. For example: Marketing documents

   Field: User name
   Description: Your user name for logging in to the content server.

   Field: Password
   Description: Your password for logging in to the content server.

   Field: Remember Password
   Description: Tap to change the value to ON if you want Mobile@Work to remember the password.

4. Tap Go.
   Mobile@Work logs you in to the content server and displays the site's folders.
   Mobile@Work displays one of the following for each folder:
   - the number of items in the folder
   - Empty if no items are in the folder
   - Unauthorized if you do not have the authority to access the folder
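The following is an added example, not MobileIron code: it builds the kind of drill-down SharePoint URL the Server field expects from a site root and a list of names, percent-encoding each name as the note above requires, and checks a URL typed by hand for raw spaces and other characters that must be encoded. The function names are assumptions, it uses only the Python standard library, and it never contacts a server.

```python
# Added example (not MobileIron code). Builds and checks the hierarchical
# SharePoint URLs that the Server field of Mobile@Work expects.
from urllib.parse import quote, unquote, urlsplit

ALLOWED_SCHEMES = ("http", "https")
# Printable ASCII characters that are not allowed raw in a URL path.
DISALLOWED_RAW = set('"<>\\^`{|}')


def validate_content_server_url(url):
    """Return url unchanged if it is acceptable for the Server field,
    otherwise raise ValueError naming the problem: scheme must be http
    or https, a host is required, no raw spaces or other characters that
    need percent-encoding, and no query string or fragment (the field
    holds a drill-down path only)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be http or https: {url!r}")
    if not parts.netloc:
        raise ValueError(f"missing host name: {url!r}")
    for ch in url:
        if ch.isspace() or ord(ch) < 0x21 or ord(ch) > 0x7E or ch in DISALLOWED_RAW:
            raise ValueError(f"character {ch!r} must be percent-encoded: {url!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"query strings and fragments are not part of the path: {url!r}")
    return url


def build_content_server_url(site_root, *names):
    """Join a site root (e.g. http://companySharePointSite.com) and the
    drill-down names below it (subsite, library, folder, ...) into one URL.
    Each name is encoded as a single path segment, so 'Shared Documents'
    becomes 'Shared%20Documents' and a '/' inside a name becomes '%2F'."""
    validate_content_server_url(site_root)
    root = site_root.rstrip("/")
    encoded = [quote(name.strip("/"), safe="") for name in names]
    return "/".join([root, *encoded]) if encoded else root


def drill_down_names(url):
    """Return the decoded list of names below the site root, e.g.
    ['Marketing', 'NewProductDocuments', 'TopFeatures'], after checking
    that the URL is acceptable."""
    validate_content_server_url(url)
    return [unquote(seg) for seg in urlsplit(url).path.split("/") if seg]


if __name__ == "__main__":
    # Constructed inputs matching the examples in the table above.
    print(build_content_server_url("http://companySharePointSite.com",
                                   "Marketing", "NewProductDocuments", "TopFeatures"))
    print(build_content_server_url("https://companySharePointSite", "Shared Documents"))
    print(drill_down_names("https://companySharePointSite/Shared%20Documents/subteamsite1"))
    try:
        validate_content_server_url("https://companySharePointSite/Shared Documents")
    except ValueError as err:
        print("rejected:", err)
```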
Logging in to a content server that an administrator set up

To log in to a content server that an administrator set up:

1. In Mobile@Work, tap Remote Files.

2. Tap the remote file share (content server) that you want to log in to.

3. Enter the following information:

   Field: User name
   Description: Your user name for logging in to the content server. When setting up your access to a content server, your administrator can choose whether the user name is filled in. In that case, you cannot edit the field.

   Field: Password
   Description: Your password for logging in to the content server.

   Field: Remember Password
   Description: Tap to change the value to ON if you want Mobile@Work to remember the password.
   Note: Your administrator can choose whether remembering the password is allowed.

4. Tap Go.
   Mobile@Work logs you in to the content server and displays the site's folders.

Viewing a content server document

After you have logged in to a content server, to view a content server document:

1. Tap Remote Files.

2. Tap the remote file share (content server) that contains the document that you want to view.

3. Tap the folder containing the document that you want to view.
   Navigate to the appropriate folder by tapping successive folder names. This example shows the file list after navigating to the following folder:
   Shared Documents/subteamsite1/Shared Documents

4. Tap the document that you want to view. Mobile@Work loads and displays the selected document.
   Note: Loading a large document can take some time. Mobile@Work shows the loading progress. To cancel loading, navigate back to the folder view by tapping the folder name.

5. To view the document in full screen mode, tap the document.

6. Tap the document again to exit full screen mode.

Accessing email attachments

Your administrator determines how you access email attachments when you are using the Mail app on your device. The choice enforces the security policies of your company.
The administrator chooses one of the following:

- You can open email attachments using any app appropriate for the attachment's file type.
  This behavior is the normal behavior of the Mail app.

- You can open email attachments only in Mobile@Work.
  Each email attachment has .secure appended to its filename. When you tap the filename, the file opens in Mobile@Work. You cannot open the file in any other app. This behavior applies to all types of files except image and text files. You can open image and text files using any appropriate app.
  See Opening an email attachment in Mobile@Work on page 726.

- You do not receive email attachments.
  All email attachments are replaced. The name of the replacement file is the original filename appended with .removed.html. The file contains the following text:
  The original attachment was removed as required by the security policies of your administrator.

Opening an email attachment in Mobile@Work

When your administrator has chosen that you can open email attachments only in Mobile@Work, do the following:

1. In the Mail app Inbox, tap on the email.

2. Tap the attachment to fully download it, if it is surrounded by a dashed box. To fully download one or more attachments, you can also scroll down the screen and tap Download Full Message.
   For smaller attachments that are already fully downloaded, skip to step 3.

3. Tap the fully downloaded attachment.

4. Tap Open in MobileIron.

You are now viewing the attachment in Recent Attachments in Local Files in Mobile@Work.

Viewing the replacement file for an email attachment

When your administrator has chosen that you cannot receive email attachments, all email attachments are replaced with a text file.
To view the text file:

1. In the Mail app Inbox, tap on the email.

2. Tap on the attachment.

The attachment contains text that says The original attachment was removed as required by the security policies of your administrator.

Managing local files

You can save content server documents and email attachments as local files for convenient viewing at a later time. Also, saving content server documents allows you to view the documents when connectivity to the content server is not available.

Saving a content server document as a local file

While viewing a content server document, you can save it as a local file.

1. View a content server document. See Viewing a content server document on page 723.

2. Tap the folder icon.

3. Tap Save To Local Files.

The document is now available for viewing under Local Files. See Viewing a local file on page 732.

Saving an email attachment as a local file

While viewing an email attachment in Mobile@Work, you can save it as a local file.

1. View the email attachment in Mobile@Work. See Accessing email attachments on page 726.

2. Tap the folder icon.

3. Tap Save To Local Files.

The document is now available for viewing under Local Files. It is no longer available under Recent Attachments.

Viewing a local file

To view a local file saved from a content server document or an email attachment:

1. In Mobile@Work, tap Local Files.
   The files display in alphabetical order.

2. Tap the file that you want to view.

Note: Mobile@Work prompts you to log in if you are not currently logged in to the content server, and you have not selected to have Mobile@Work remember your content server password. Mobile@Work requires your login credentials because it is checking if a newer version of the document is available on the content server.

Viewing a local file that has changed on the content server

When you view a local file from a content server document, if the file has changed on the content server, you are prompted as follows:

1. In Mobile@Work, tap Local Files.

2. Tap the file that you want to view.
   Note: Mobile@Work prompts you to log in if you are not currently logged in to the content server, and you have not selected to have Mobile@Work remember your content server password. Mobile@Work requires your login credentials because it is checking if a newer version of the document is available on the content server.

3. Tap Update Now to sync your local file to the updated remote file.
   Mobile@Work updates the local file and displays it.

Deleting a local file

To delete a local file:

1. In Mobile@Work, tap Local Files.

2. Swipe right or left on the file that you want to delete.

3. Tap Delete.
   Mobile@Work deletes the file from the Local Files list.

Managing recently opened email attachments

Mobile@Work automatically saves to a special folder the 20 most recent email attachments that you opened.

Viewing a recent attachment

To view a recently opened email attachment:

1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.
   Mobile@Work displays the files, most recent first.

3. Tap the file that you want to view.

Saving a recent attachment to a local file

While viewing a recent attachment, you can save it to a local file to keep it permanently.
To save a recent attachment:

1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.

3. Tap the file that you want to save.

4. Tap the folder icon.

5. Tap Save To Local Files.
   Mobile@Work removes the file from the Recent Attachments folder and adds it to the Local Files folder.

Deleting a recent attachment

To delete a recent attachment:

1. In Mobile@Work, tap Local Files.

2. Tap Recent Attachments.

3. Tap Edit.

4. Tap the Delete icon on the file that you want to delete.

5. Tap Delete.
   Mobile@Work removes the file from the Recent Attachments folder.

Opening documents in other apps

Your administrator can configure your device so that when viewing documents in Mobile@Work, you can open the documents in other apps. If you have this capability, you can also email documents that you are viewing. This capability applies to local files, recent attachments, and remote files.
To open a document in another app or to email it:

1. Open the file for viewing in Mobile@Work.

2. Tap the Open In icon.
   If you do not see the Open In icon, your administrator has not given you permission to use this capability.

3. Tap Email or Open In...
   If you tap Email, the iOS Mail app opens. It displays a new email with the document as an attachment.
   If you tap Open In..., Mobile@Work displays a list of appropriate apps for you to choose from.

Supported files in the Mobile@Work for iOS app

You can view most common file types in Mobile@Work. If you try to open a file that Mobile@Work does not support, Mobile@Work displays an error message.
Some files that you cannot view in Mobile@Work are:
executable files (for example, .exe, .msi, or .ipa files)
archive files (for example, .zip, .rar, or .tar files)
system files (for example, .dll or .sys files)

Mobile@Work on an iPad

The behavior of the Mobile@Work for iOS app is slightly different on an iPad than it is on an iPhone.

The master pane and the detail pane

Mobile@Work uses two panes to display information on the iPad:
the left pane, which is the master pane
the right pane, which is the detail pane
The left (master) pane contains:
information about what you are currently doing, such as looking at the home screen or navigating through content server folders.
the tabs for accessing the Mobile@Work home screen, Local Files, Remote Files, and settings.
The right (detail) pane contains information depending on what the master pane is displaying. For example, the detail pane displays:
a file's content
About information for Mobile@Work
the Mobile Activity Map
In Portrait mode, you can tap on the detail pane to hide the master pane. Swipe left to once again show the master pane.
Note: When viewing the Mobile Activity Map, to once again show the master pane, tap the MobileIron button.

Placement of file handling icons

When viewing files, the Folder icon and the Open In icon are in the upper right corner.
The icons behave the same as they do in Mobile@Work on an iPhone. For example, see:
Saving a content server document as a local file on page 729
Opening documents in other apps on page 741

Appendix 3

The SharePoint Client App for Android

Your administrator can configure your Android device to use secure apps. The SharePoint Client app is a secure app for Android that the administrator may have provided to your device.
Using the SharePoint Client, you can:
Set up access to a remote file share for which you have login credentials. A remote file share is a repository of documents located on a network content server, such as a Microsoft SharePoint site.
View the repository's documents.
Refresh your view of the repository, in case files on the repository have changed.
Save repository documents to your device's storage for offline viewing.
Note: The SharePoint Client app works with content servers other than SharePoint. See Supported content servers on page 455.

Accessing a content server

If your administrator configured access to a content server, you should be able to connect to the content server without making any changes on your device. Mobile@Work automatically sets up access.

Set up content server access

If automatic configuration of content server access has not been implemented on your system, complete the following steps to set up a content server on your device:
1. Open the SharePoint Client app.
2. Select the menu.
3. Tap Add Remote File Share in the menu.
4. Enter the following information:


Field | Description
Name | A descriptive name for the content server repository. For example: Marketing documents
URL | The URL of a repository site, subsite, library, or folder. The URL includes a hierarchical list of names that drills down to where you want to access. This URL is not the same as the URL that you see in a Web browser open to the same site, subsite, library, or document. For example, for a SharePoint site, use:
  https://companySharePointSite.com to specify the top of the SharePoint site. Do not use, for example: https://companySharePointSite.com/SitePages/Home.aspx
  https://companySharePointSite.com/Marketing to specify the Marketing subsite in the SharePoint site.
  https://companySharePointSite.com/Marketing/Demo to specify the Demo subsite within the Marketing site.
  https://companySharePointSite.com/Marketing/NewProductDocuments to specify the NewProductDocuments library in the Marketing site.
  https://companySharePointSite.com/Marketing/NewProductDocuments/TopFeatures to specify the TopFeatures folder in the NewProductDocuments library.
Username | Your user name for logging in to the content server.
Password | Your password for logging in to the content server.
Remember Password | Select this option if you want the SharePoint Client to remember the password. If you do not select this option, you must reenter your content server password each time you access the site.
5. Tap OK.
The SharePoint Client verifies your credentials and displays the entry for the content server repository.

Note: To delete a content server repository, long press the entry and tap Delete.

View the content server repository's documents

After you have set up a content server, to view a document:
1. Tap the content server that contains the document that you want to view. For example, tap Marketing Docs to display the files and folders in the Marketing Docs content server.
2. Navigate to the appropriate folder by tapping successive folder names. This example shows the file list after navigating to the following folder:
subteamsite1/Shared Documents
3. Tap the document that you want to view. The secure ThinkFree Document Viewer, or other secure app, loads and displays the selected document. If the ThinkFree Document Viewer does not support the type of document, an error message displays.
Consider the following when viewing documents:
Loading a large document can take some time. You can tap Cancel to cancel loading.
If ThinkFree Document Viewer does not support the document type, the SharePoint Client displays a list of secure apps to try to view the document with.
If no secure app supports viewing the document type, the Android OS indicates that no app is available to open the selected file.
Attempting to open the document with an app that does not support the document type results in an error message or erroneous behavior, depending on the app.
If the SharePoint Client does not support a document type, it displays a special icon for the document:

Refresh the content server

When viewing a content server, you can refresh the folder you are viewing. Refreshing the folder updates the set of documents in the folder to match the content server.
Use one of the following methods to refresh a folder:
Navigate to the folder. Every time you navigate to a folder, the SharePoint Client refreshes the folder. You can navigate away from the folder and back again to refresh the folder.
Tap Refresh on the menu while viewing a folder.

Save documents locally

You can save documents locally to your device's SD card.
To save a document:
1. In the SharePoint Client, navigate to the folder containing the document.
2. Long press (touch and hold the same position) the document you want to save.
3. Tap Save.
4. Navigate to the folder in which you want to save the document. You can also tap the folder icon in the upper right corner to create a new folder.
5. Tap Copy Here.
You can now use the secure File Manager to view the local copy of the document.

Email a document

To email a document as an attachment:
1. In the SharePoint Client, navigate to the folder containing the document.
2. Long press (touch and hold the same position) the document you want to email.
3. Tap Send.
4. Tap Send Email. The secure TouchDown email app opens with the document as an attachment.
5. Add the recipients, subject, and message body, and send the email.

Automatically saved documents

Whenever you open a document using the SharePoint Client, the SharePoint Client saves the document on device storage. It saves the document in a folder structure equivalent to the folder structure of the content server. The SharePoint Client opens this local copy if the document has not changed on the content server.
You can use the secure File Manager to navigate to these automatically saved documents and open them.

Appendix 4

Working with the MobileIron App and Related Agents for Android

Uninstalling the MobileIron app for Android

The MobileIron app for Android requires Device Administrator privileges on the device. An app having these privileges applied cannot be uninstalled. Therefore, you must first remove the Device Administrator privilege if you want to uninstall the app.
Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that uninstalling the app is not allowed. In this case, you need to change the policy before uninstalling.
To uninstall the MobileIron app for Android:
1. On the device, go to Settings > Location & security > Select device administrators.
2. Uncheck MobileIron to remove it from the list of device administrators.
3. Tap Deactivate.
4. Go to Settings > Applications > Manage applications.
5. Select Downloaded > MobileIron.
6. Click Uninstall.

Uninstalling the Samsung DM Agent

Access to Samsung's extended features, which are provided in the Samsung Enterprise APIs, requires installation of the Samsung DM Agent. The MobileIron app will detect whether your device supports the extended features when you start it the first time and prompt you to install the agent if it is supported. Uninstalling the MobileIron app does not uninstall the Samsung DM Agent.
Note: For Samsung SAFE devices, the MobileIron lockdown policy can specify that uninstalling the agent is not allowed. In this case, you need to change the policy before uninstalling.
Complete the following steps to uninstall the Samsung DM agent:
1. On the device, go to Settings > Location & security > Select device administrators.
2. Uncheck the Samsung DM agent to remove it from the list of device administrators.
3. Tap Deactivate.
4. Go to Settings > Applications > Manage applications.
5. Select Downloaded.
6. Select the entry for the Samsung DM agent.
7. Click Uninstall.

Troubleshooting email setup on Android devices

If email is not set up or there is a configuration problem, the following screen displays.
The device user can access this screen by selecting Options > Email Setup from the MobileIron app menu.

How the Email Setup screen works

The Email Setup screen displays a checklist of tests for email connectivity. The MobileIron app completes each test in the checklist until it finds an issue. A green check displays next to an item that has passed the test. A red X displays next to the first item that does not pass the test. The MobileIron app does not proceed with the remaining items on the checklist until the detected issue has been resolved.
The following table describes each item that appears in the list.
Item | Description
Passcode Compliant | Indicates whether the device screen unlock passcode complies with the security policy. If this test fails, then a Set Passcode button displays at the bottom of the screen. The device user can tap the button to set a compliant passcode.
Encryption Compliant | Indicates whether the device encryption status complies with the security policy. If this test fails, then a Set Encryption button displays at the bottom of the screen. The device user can tap the button to turn on encryption.
Configuration Received | Indicates whether the email settings have been successfully delivered to the device. If this test fails, then there are no details to examine. The View Details button displays, but the content is a configuration with no values. The lack of a configuration might be due to label management issues on the VSP. For example, the labels to which the device has been applied might specify multiple Exchange app settings, which would result in no configuration being applied.
Email App Installed | Indicates whether a compatible email app has been located on the device. If a compatible email app is not found, then this item displays with a red X. If a compatible email app is found, then a green check and the name of the app display. The supported email apps are TouchDown (from NitroDesk) and Samsung.
Email App (TouchDown) / Email App (Samsung) | The device user can tap the displayed View Details button to display details and email them to the administrator.
Profile Complete | Indicates whether the email password was included in the profile. TouchDown manages its password, so this test always passes for TouchDown. For the supported native email apps, if the profile does not include a password, then the test fails and a button labeled Enter Password displays at the bottom of the screen. The device user can tap the button to provide the password.
Email App Setup | Indicates whether the MobileIron app can communicate with the email app. If the device is using TouchDown, then TouchDown will launch and prompt the user to accept the license agreement and enter the password. If the device is using the Samsung native email client, then the Go to Email button displays. When the device user taps the button, the MobileIron app displays an alert stating that the configuration will take some time to complete, and that a notification will prompt the user to activate the Device Administrator privileges for the email client. If an error occurs, an error message displays. The device user can tap the View Details button and email details to the administrator. If the device is using the HTC native email app, the app launches after setup is completed. If the device is using the Motorola native email app, the app is configured successfully, but the user must launch it manually. The user follows the steps in the app. The app exits after each step and the user must relaunch it. After one time through this process, the app is completely set up.

Device Administrator privileges for the Samsung email app

If the Samsung email app does not have Device Administrator privileges, then it will prompt you to update security settings. To activate these privileges for the email app:
1. Tap the notification. The security setting screen displays.
2. Activate Device Administrator privileges.
Note: Email will not sync until Device Administrator privileges have been activated.
If the device user does not receive the notification, then the Samsung email app was not configured properly. Confirm that the Exchange app setting is correct.
If certificates are being used, make sure that the certificate meets the following criteria:
It is from a source that the Android OS trusts (that is, it can be checked against the trusted CA certificates installed on the device).
The CN attribute in the certificate must match the email address in the email profile.
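The two certificate criteria above can be checked on the administrator's side before a certificate is pushed to a device, which avoids a round of "no notification arrived" troubleshooting. The following Go program is an added example written for this guide; it is not MobileIron code and not part of the Android client. It builds a constructed root CA and user certificate in memory so that it runs offline; in practice the trusted pool would be loaded from the CA certificates installed on the device and the leaf from the PKI output. The case-insensitive CN comparison and the EmailProtection extended key usage on the leaf are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckEmailCert applies the two criteria from the text: the certificate must
// chain to a CA in the trusted set, and its Subject CN must equal the e-mail
// address in the Exchange profile (compared case-insensitively, an assumption).
func CheckEmailCert(leaf *x509.Certificate, trusted *x509.CertPool, profileEmail string) error {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate is not trusted by the device CA set: %w", err)
	}
	if !strings.EqualFold(leaf.Subject.CommonName, profileEmail) {
		return fmt.Errorf("certificate CN %q does not match profile e-mail %q",
			leaf.Subject.CommonName, profileEmail)
	}
	return nil
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// MakeTestChain builds a constructed root CA and a user certificate signed by it
// (sample data for the example, not a real deployment's PKI).
func MakeTestChain(cn string) (leaf *x509.Certificate, roots *x509.CertPool) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots
}

// RunScenarios exercises the check with a trusted, matching certificate, a CN
// mismatch, and an issuer that is absent from the trusted set. Each result is
// true when the check passed.
func RunScenarios() (okMatching, okMismatch, okUntrusted bool) {
	leaf, roots := MakeTestChain("alice@example.com")
	okMatching = CheckEmailCert(leaf, roots, "alice@example.com") == nil
	okMismatch = CheckEmailCert(leaf, roots, "bob@example.com") == nil
	okUntrusted = CheckEmailCert(leaf, x509.NewCertPool(), "alice@example.com") == nil
	return
}

func main() {
	a, b, c := RunScenarios()
	fmt.Printf("trusted+matching=%v cn-mismatch=%v untrusted-issuer=%v\n", a, b, c)
}
```

Only the first scenario passes; the other two reproduce the two ways a pushed certificate fails the criteria in the text, and the error text says which one so the administrator knows whether to fix the CA set on the device or the subject of the issued certificate.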

Troubleshooting based on results

Tap the View Details button to display key/value pairs that provide information about the current settings. If a second email account has already been configured on the device, then the device user can tap Email Detail to IT to send this data to an administrator.

Troubleshooting Wi-Fi setup on Android devices

Certain Wi-Fi configurations require user input. For example, WPA2 Enterprise configurations require the device user to enter the password. When input is required, the device user receives an Android notification, as shown in the following screen.
The device user can tap the notification to begin the Wi-Fi setup process.

Displaying the Wi-Fi Setup page

If the device fails to access Wi-Fi, then the administrator can direct the device user to the Wi-Fi Setup page:
1. Start the MobileIron for Android app.
2. Tap the menu button on the device.
3. Tap Options.
4. Tap Wi-Fi Setup.
Understanding and using the Wi-Fi Setup page

The screen that displays depends on how many Wi-Fi networks the VSP has configured on the device. If the VSP has not provisioned any Wi-Fi networks, then the Wi-Fi Setup screen displays the following message:
No Wi-Fi networks configured.
If only one Wi-Fi network has been configured, then the setup screen for that network is displayed.
If multiple networks have been configured, then a list of those networks is displayed, as shown in the following figure.
Networks that are properly configured display with a green check. Networks that are not properly configured or require input from the device user display with a red X. Tap an entry to display the details for that network's configuration.


The following table describes the entries in the Wi-Fi Setup screen.
Item | Description
Passcode Compliant | Indicates whether the device screen unlock passcode complies with the specifications in the security policy. If this test fails, then a Set Passcode button displays at the bottom of the screen. The device user can tap the button to set a compliant passcode.
Encryption Compliant | Indicates whether the device encryption status complies with the security policy. If this test fails, then a Set Encryption button displays at the bottom of the screen. The device user can tap the button to turn on encryption.
Profile Valid | Indicates whether the Wi-Fi settings provided by the VSP are valid for the device. For example, only one EAP type may be configured for an Android device, but the VSP app setting permits multiple types to be defined. If this test fails, then a View Details button displays at the bottom of the screen. The device user can tap the button to view details and email them to the administrator.
Profile Complete | Indicates whether a required password is missing from the profile. For example, certain Wi-Fi configurations require a password, so a missing password would cause this test to fail for those configurations. If this test fails, then an Enter Password button displays at the bottom of the screen. The device user can tap the button and provide the password as specified by the administrator.
Wi-Fi Setup Complete | Indicates that all tests have passed and setup is complete. To view the completed Wi-Fi configuration, tap Go to Android Wi-Fi.

If the device user enters the wrong password

If the device user enters the wrong password when prompted, then the user must clear the incorrect password. Tell the user to navigate to the Android Wi-Fi setup screen, tap the Wi-Fi network entry, and tap Forget. Specific steps for this task vary by device. The device user can then return to the MobileIron app and repeat the Wi-Fi setup steps.

Troubleshooting based on results

Tap the View Details button to display key/value pairs that provide information about the current settings. Tap Email Detail to IT to send this data to an administrator.

Profile invalid: Configuration Error

This error message in the View Details screen indicates an invalid configuration associated with WPA Enterprise or WPA2 Enterprise configurations. For example, this message occurs if you have no EAP type selected or multiple EAP types are selected.
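The Profile Valid and Profile Complete rows in the table above, and the Configuration Error message just described, can be reproduced in a pre-flight check that an administrator runs against a Wi-Fi app setting before pushing it, so that the "exactly one EAP type" and "password present when required" conditions are caught on the VSP side rather than on the device. The following Go program is an added example for this guide, not MobileIron code. The WiFiProfile fields are a constructed model of the app setting, the device-state tests (passcode and encryption compliance) are left out because they need the device, and the rule that EAP-TLS needs no password while PEAP and TTLS do is an assumption of the example. The checklist stops at the first red X, which is the behaviour described for both the Email Setup and the Wi-Fi Setup screens.

```go
package main

import "fmt"

// WiFiProfile is a constructed model of the fields in a VSP Wi-Fi app setting
// that the Profile Valid and Profile Complete tests look at.
type WiFiProfile struct {
	SSID     string
	Security string   // "Open", "WPA/WPA2 PSK", "WPA Enterprise" or "WPA2 Enterprise"
	EAPTypes []string // EAP types selected in the app setting (enterprise only)
	Password string   // empty when the VSP did not include a password
}

// CheckItem mirrors one row of the Wi-Fi Setup screen: Pass true is the green
// check, Pass false the red X, and Detail the text shown under View Details.
type CheckItem struct {
	Name   string
	Pass   bool
	Detail string
}

func isEnterprise(p WiFiProfile) bool {
	return p.Security == "WPA Enterprise" || p.Security == "WPA2 Enterprise"
}

// needsPassword is an assumption of this model: PSK networks always need the
// passphrase and password-based EAP methods (PEAP, TTLS) need the user's
// password, while certificate-based EAP-TLS does not.
func needsPassword(p WiFiProfile) bool {
	if p.Security == "WPA/WPA2 PSK" {
		return true
	}
	if isEnterprise(p) && len(p.EAPTypes) == 1 {
		return p.EAPTypes[0] != "TLS"
	}
	return false
}

// profileValid implements the Profile Valid rule: an Android device accepts
// exactly one EAP type, so none or several selected is a Configuration Error.
func profileValid(p WiFiProfile) CheckItem {
	if isEnterprise(p) && len(p.EAPTypes) != 1 {
		return CheckItem{"Profile Valid", false,
			fmt.Sprintf("Profile invalid: Configuration Error (%d EAP types selected for %s)", len(p.EAPTypes), p.SSID)}
	}
	return CheckItem{"Profile Valid", true, "Profile is valid for the device"}
}

// profileComplete implements the Profile Complete rule: a required password
// missing from the profile fails the test (the screen then offers Enter Password).
func profileComplete(p WiFiProfile) CheckItem {
	if needsPassword(p) && p.Password == "" {
		return CheckItem{"Profile Complete", false, "Required password missing: Enter Password"}
	}
	return CheckItem{"Profile Complete", true, "Profile contains everything the device needs"}
}

// RunWiFiChecklist evaluates the tests in screen order and stops at the first
// red X, as the checklist screens do; the Wi-Fi Setup Complete row is added
// only once every earlier test has passed.
func RunWiFiChecklist(p WiFiProfile) []CheckItem {
	var results []CheckItem
	for _, check := range []func(WiFiProfile) CheckItem{profileValid, profileComplete} {
		item := check(p)
		results = append(results, item)
		if !item.Pass {
			return results
		}
	}
	return append(results, CheckItem{"Wi-Fi Setup Complete", true, "All tests passed; Go to Android Wi-Fi"})
}

// FirstFailure returns the first item that did not pass, or nil when setup is complete.
func FirstFailure(items []CheckItem) *CheckItem {
	for i := range items {
		if !items[i].Pass {
			return &items[i]
		}
	}
	return nil
}

func main() {
	// Constructed sample app settings: two EAP types, a PSK network with no
	// passphrase, and a certificate-based enterprise network.
	profiles := []WiFiProfile{
		{SSID: "corp-wpa2", Security: "WPA2 Enterprise", EAPTypes: []string{"PEAP", "TTLS"}, Password: "x"},
		{SSID: "guest", Security: "WPA/WPA2 PSK"},
		{SSID: "corp-tls", Security: "WPA2 Enterprise", EAPTypes: []string{"TLS"}},
	}
	for _, p := range profiles {
		for _, item := range RunWiFiChecklist(p) {
			mark := "OK"
			if !item.Pass {
				mark = "X "
			}
			fmt.Printf("%-10s %s %-22s %s\n", p.SSID, mark, item.Name, item.Detail)
		}
	}
}
```

The first sample stops at Profile Valid with the Configuration Error text, the second passes Profile Valid but stops at Profile Complete, and the third reaches Wi-Fi Setup Complete, which is the sequence of rows a device user would see for each setting.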


Certificate configuration support on the MobileIron for Android app

The MobileIron app includes the following certificate setup support:
Certificate Setup screen available from the Options menu
certificate provisioning triggered by Wi-Fi setup
certificate alerts

Certificate Setup screen

A Certificate Setup screen is available under Options.
Tap Certificate Setup to display all certificates currently installed.
Select a certificate and tap View Details to display certificate information. Tap Reprovision Certificates to retrieve new or updated certificates.

Certificate support for Wi-Fi setup

The Wi-Fi Setup screen includes a Certificates Setup test if certificates have been defined for the Wi-Fi configuration. If certificates do not pass or have not been provisioned, then a red X displays next to the Certificates Setup test.
Tap View Details to display more information. If certificates are present, but do not meet requirements, then a Reprovision Certificates button displays, as well.

Certificate alerts

When the administrator pushes certificates to supported Android devices, the device receives a system notification, provided the device is compliant with existing passcode and encryption policies. Tap the notification to begin the provisioning process.

Appendix 5

Multi-User Support for iOS 5 and Later

MobileIron supports multi-user access for iOS devices (iOS 5 and later). This feature enables multiple employees to use the same device. The Secure Sign-In feature ensures that the profiles and apps are removed when the device user signs out and reinstalled when the next user signs in. Options enable you to specify whether Wi-Fi settings and passcodes are removed. Each app is handled based on how that app is configured for quarantine.

Using Secure Sign-In

Devices configured for multi-user support receive a Secure Sign-In web clip.
Tapping the Secure Sign-In web clip displays the following page.
Entering a valid username and password prompts the VSP to apply the profiles configured for the device.
When the device user is ready to sign out, tapping the web clip displays the following page:
Tapping Sign Out removes the managed apps and profiles.
780

Setting Secure Sign-In preferences

Before you enable Secure Sign-In, you should review the default global preferences to ensure that they meet your needs:
1. Select Settings > Preferences.
2. Under Multi-User Preferences, select one of the following settings to specify how to handle Wi-Fi settings when device users sign out:
Keep Wi-Fi settings
Remove Wi-Fi settings for cellular-enabled devices
Remove Wi-Fi settings for cellular-enabled and Wi-Fi-only devices
3. If you want to clear the passcode on the device when the device user signs out, select the Clear passcode option.
4. Click Save.

Setting unique restrictions for signed-out devices

The "Signed-Out" label enables you to specify more-stringent restrictions for multi-user devices when a user signs out. This is a dynamic label that applies automatically to any multi-user iOS device that does not have a signed-in user.
To specify restrictions:
1. Create the restrictions that you want applied when a user signs out. For example, you might want to disable access to YouTube when an authorized user is not signed in.
2. Apply each policy and configuration to the Signed-Out label.

Example
Suppose you want iPads to be restricted to basic web use when an authorized user is not signed in. You would need to create a Restrictions configuration to lock down the camera, inappropriate content, screen captures, app installation, and so on.
To implement these restrictions, you would complete the following steps:
1. Select Policies & Configs > Configurations > iOS > Restrictions.
2. Assign a name to the configuration.
3. Clear the checkboxes for the items you want to restrict.
4. Click Save.
5. Select the new configuration.
6. Select More Actions > Apply To Label.
7. Select Signed-Out.
8. Click Apply.
From this point on, all multi-user devices will receive the new restriction settings upon sign-out.

Enabling Secure Sign-In

To enable Secure Sign-In:
1. Select Apps & Configs > App Settings.
2. Select the System - Multi-User Secure Sign-In configuration.
3. Select More Actions > Apply To Label.
4. Select the label or labels that represent the devices to be configured for multi-user sign-in.
5. Click Apply.

User certificates and device certificates

If you intend to distribute certificates to multi-user devices, we recommend using user certificates instead of device certificates. This practice ensures that email is configured for the correct user.

Remote sign-out

To sign out a user on a multi-user device from the Admin Portal:
1. Select the device in the Devices page.
2. Select More Actions > iOS Only > Sign out.

What gets removed on sign-out

Item | Remove on sign-out?
Apps@Work access | Yes
Docs@Work access | Yes
Passcode | Optional
Restrictions | No
Wi-Fi | Optional
VPN | Yes
Email | Yes
Exchange | Yes
LDAP | Yes
CalDAV | Yes
CardDAV | Yes
Subscribed Calendars | Yes
Web Clips | No
Credentials (Certificates) | Yes
SCEP | Yes
Mobile Device Management | No
APN | No
Single-App Mode | Yes
Global HTTP Proxy | Yes
Generic Configuration Profiles | No
Provisioning Profiles (Configurations) | No
Provisioning Profiles (App Distribution) | No
General | No

Appendix 6

Android Kiosk Support

The Android kiosk feature enables you to configure supported Samsung Android devices to use only specified apps. It is intended for devices that will serve very specific functions for an organization.
Examples include:
A retail store might want to use tablets to provide one or two custom apps for customers to use while shopping.
A school might want to distribute tablets that present only appropriate apps for the user who signs in.
Note: Though the Android kiosk feature allows multiple users to log in on a given device, it does not represent full multi-user support. It is intended as a view filter for apps. The profiles on the device do not change when different users log in. Instead, a different list of apps displays based on the current user.
The kiosk feature supports two modes of operation:
single app
multiple apps

Requirements
Android kiosk mode is supported for Samsung SAFE 3.0 devices.

Setup steps
To set up an Android kiosk device:
1. Create an Android kiosk policy.
2. For multiple-app mode, create an Android kiosk configuration for each combination of LDAP group and accessible apps. Do not complete this step for single-app mode.
Note: The device user who logs in must belong to a specified LDAP group.
The policy specifies the kiosk type. The configuration specifies which apps to display to which users in multiple-app mode.
These instructions assume that the apps are already installed on the devices. If any apps specified in the kiosk setup are not installed on the device, that app will be represented by a blank icon.

Finding the package name for an Android app

For public apps available on the Google Play Store:
1. Use a web browser to locate the app in Google Play Store.
2. Select the app.
3. Examine the URL displayed in the browser.
The package name is included in the URL, as shown in the figure above.
For in-house apps:
1. Open the .apk as a zip file.
2. Use a text editor to open AndroidManifest.xml.
3. Locate the package manifest entry. This entry is set to the package name.

Creating an Android Kiosk policy

The Android Kiosk policy specifies the behavior of a kiosk device. The behavior options vary based on whether the policy specifies a single-app kiosk or multiple-app kiosk.

Single-app kiosk policy

A single-app kiosk policy specifies one app for use on the designated devices. For example, if the device is intended to run an in-house app for staff in a hospital recovery room, you can define a single-app kiosk policy to prevent users from accessing other apps and device resources.
To specify a single-app kiosk policy:
1. Select Policies & Configs > Policies > Add New > Android Kiosk. Single App is selected by default.
2. Use the following guidelines to complete the remaining options:
Item | Description
Single App package name | Enter the package name for the app. The typical package name has the following format: com.company.app
Enable Android functions |
System bar | System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.
Task manager | The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.
Notification bar expansion | The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.
Navigation bar | For Android 4.0, the navigation bar is present only on devices that don't have the traditional hardware keys. It contains the Back, Home, and Recents controls. Select this option if you want device users to be able to access the navigation bar. Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.
Status bar | The status bar displays pending notifications on the left and status, such as time, battery level, or signal strength, on the right. Note: For tablets, the status and navigation bars are combined into a single bar at the bottom of the screen.
3. Click Save.
4. Assign the policy to the appropriate label to push it to the target devices.

Multiple-apps kiosk policy


A multiple-app kiosk policy specifies behavior for a device that will run multiple apps.
This type of kiosk policy depends on an Android kiosk configuration to specify the permitted apps. This policy includes several additional options for specifying the following
behavior:

multiple user login support


inactivity logout interval
access to exit kiosk mode
branding for the kiosk launcher/desktop
To specify a multiple-app kiosk policy:
1.

Select Policies & Configs > Policies > Add New > Android Kiosk.

2.

Select Multiple Apps.

Company Confidential
790

3.

Use the following guidelines to complete the remaining options:


Item: Description

Kiosk multi-user login: Enable this option to allow different users to log in. Device users enter their MobileIron credentials to access the kiosk. The credentials entered determine who is recorded as the current user, the apps to display, and whether that user has permission to exit kiosk mode from the device.
Note: The credentials entered do not affect the profiles installed on the device.

Inactivity logout: Select the duration of inactivity after which the user will be signed out. This option applies to multi-user kiosks only.

Administrative access to exit Kiosk mode: If you want to specify users who have permission to disable kiosk mode from the device, specify the corresponding LDAP groups for those users.

Branding
Background Color: Enter the hex triplet for the color you want to apply to the kiosk display background.
Banner Color: Enter the hex triplet for the color you want to apply to the banner at the top of the kiosk display.
Banner Text Color: Enter the hex triplet for the color you want to apply to the text in the banner at the top of the kiosk display.
Banner Text: Enter the text you want to display in the banner at the top of the kiosk display.
Banner Logo: Click Browse to select a logo. The logo must be a JPEG or PNG graphic. Image sizes vary for different devices. 120x120 pixels is appropriate for most phones. 180x180 pixels is appropriate for most tablets. The image must be smaller than 100 KB.

Enable Android functions
Because kiosk mode only filters what the kiosk launcher displays (see Deployment notes), each function enabled here is a path by which a device user can reach apps or screens outside the kiosk list; leave them cleared unless the kiosk needs them.
System bar: System bars are screen areas dedicated to navigation and the display of notifications and status. Clear this option if you want to hide the system bar when the device is acting as a single-app kiosk.
Task manager: The task manager enables device users to open an app that is currently running on the device. Select this option if you want device users to be able to access the built-in task manager on the device.
Notification bar expansion: The notification bar typically displays at the top of the device. Swiping down expands the bar to the full size of the screen so that the device user can see notification details. Select this option if you want device users to be able to expand the notification bar.

4. Click Save.
5. Assign the policy to the appropriate label to push it to the target devices.
6. Create an Android kiosk configuration to specify the apps to be used.


Creating an Android Kiosk configuration


The Android kiosk configuration has the following functions:
- specifies the apps to be displayed for multiple-app devices
- specifies which LDAP groups (and, therefore, which users) have access to those apps
You can apply multiple kiosk configurations. The union of the configurations determines which apps to display.
Note: Do not assign a kiosk configuration to a device configured for single-app mode. The LDAP group access specified in the configuration would effectively disable the specified apps on a single-app mode device.
To create an Android kiosk configuration:
1. Select Policies & Configs > Configurations > Add New > Android > Samsung Kiosk.
2. If you intend to use LDAP groups to restrict access to apps on kiosk devices, then select the LDAP groups you want to use. These users will have access to the specified apps on kiosk devices, that is, those devices that have a kiosk policy applied. If all kiosk users should have access to all specified apps, then do not select LDAP groups.
Note: The LDAP groups that are available, and the corresponding attributes, are based on the last sync between the VSP and the LDAP server. If you made a recent change to LDAP data, it will not be reflected until the next sync (scheduled or manual). Because group membership decides both which apps a kiosk user sees and who may exit kiosk mode, run a manual sync after changing group membership if the change must take effect before the scheduled sync.
3. Select the apps you want to make accessible for kiosk devices that receive this configuration. Note that the name displayed is the common name for the app. The package name is the unique identifier determined by the app developer.
4. Click Save.
5. Assign the configuration to the appropriate label to push it to the target devices.


Enabling/Disabling Android kiosk mode


The first time the necessary policy and configuration are pushed to the device, a kiosk
item displays in the Apps@Work screen on the device. Tap Kiosk Mode to initiate kiosk
mode.
Afterwards, you can enable and disable Android kiosk mode from the Admin Portal.
Users with assigned privileges can also disable kiosk mode on a kiosk device.

From the Admin Portal
To enable Android kiosk mode from the Admin Portal:
1. Select the device in the Devices page.
2. Select Actions > Android Only > Enable Samsung Kiosk.
To disable Android kiosk mode from the Admin Portal:
1. Select the device in the Devices page.
2. Select Actions > Android Only > Disable Samsung Kiosk.

From the kiosk device
To enable Android kiosk mode from the device:
1. Start the Mobile@Work app.
2. Tap Kiosk Mode.
Note: Kiosk Mode displays only if the kiosk policy has been configured and sent to the device.
Only users configured for administrative access in the kiosk policy can disable kiosk mode from the device. The kiosk must be configured to support multiple apps and multiple users. To disable Android kiosk mode from the device:
1. Log in as a kiosk administrator.
2. Tap the Exit Kiosk icon at the top of the screen.


Example
Consider a school that wants to install the following apps on several tablets. Though all the apps will be installed on each tablet, the apps that are displayed depend on which user has logged in.
The following table shows the apps and the LDAP groups that should have access to them.
LDAP Groups | View | Update | Send 2 Parents | Send 2 Teachers
Teachers | yes | yes | yes | yes
Tutors | yes | yes
Students | yes | yes

The following table shows one way to implement this scenario: one kiosk configuration per LDAP group.

Android Kiosk configurations | LDAP Groups | View | Update | Send 2 Parents | Send 2 Teachers
KioskTeachers | Teachers | yes | yes | yes | yes
KioskTutors | Tutors | yes | yes
KioskStudents | Students | yes | yes
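To make the union rule concrete, here is an added Python example; it is not part of this guide and not MobileIron's own code or API. It models kiosk configurations and a multiple-app kiosk policy as plain data and resolves, from a user's LDAP groups, which apps the kiosk launcher displays and whether that user may exit kiosk mode from the device. The class and field names, the package identifiers, the ITStaff group and the assignment of apps to groups are assumptions made for the example; the school scenario it runs is a constructed variant of the one above, not a copy of the table.

```python
"""Added example: resolve what a multiple-app Android kiosk user sees.

Illustrative code written for this guide, not MobileIron's implementation.
It models the rules the text states for kiosk mode:
- a kiosk configuration with no LDAP groups applies to ALL kiosk users;
- a configuration with LDAP groups applies to users in any of those groups;
- the union of all applicable configurations is the list of apps displayed;
- only users in the policy's administrative-access LDAP groups can exit kiosk
  mode from the device, and only on a multiple-app, multi-user kiosk;
- a kiosk configuration must not be assigned to a single-app-mode device.
Class names, field names and package identifiers are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence


@dataclass(frozen=True)
class KioskConfiguration:
    name: str
    apps: FrozenSet[str]                          # Android package names
    ldap_groups: FrozenSet[str] = frozenset()     # empty = all kiosk users

    def applies_to(self, user_groups: FrozenSet[str]) -> bool:
        """A config with no groups is global; otherwise any shared group qualifies."""
        return not self.ldap_groups or not self.ldap_groups.isdisjoint(user_groups)


@dataclass(frozen=True)
class KioskPolicy:
    mode: str                                     # "single" or "multiple"
    multi_user_login: bool = False
    admin_exit_groups: FrozenSet[str] = frozenset()
    single_app: str = ""                          # package used in single-app mode


def visible_apps(policy: KioskPolicy, configs: Sequence[KioskConfiguration],
                 user_groups: Iterable[str]) -> List[str]:
    """Apps the kiosk launcher displays for a user in the given LDAP groups.

    Kiosk mode is a viewing filter: anything not returned here is merely not
    shown, not blocked, and an app must already be installed to launch.
    """
    if policy.mode == "single":
        if configs:
            raise ValueError("kiosk configurations must not be assigned to a "
                             "single-app-mode device; they would disable its apps")
        return [policy.single_app]
    groups = frozenset(user_groups)
    shown = set()
    for cfg in configs:
        if cfg.applies_to(groups):
            shown |= cfg.apps                     # union across configurations
    return sorted(shown)


def can_exit_kiosk(policy: KioskPolicy, user_groups: Iterable[str]) -> bool:
    """Exit from the device needs multiple-app + multi-user and an admin group."""
    if policy.mode != "multiple" or not policy.multi_user_login:
        return False
    return not policy.admin_exit_groups.isdisjoint(frozenset(user_groups))


# Constructed scenario loosely following the school example; which apps each
# group receives here is this example's choice, not the guide's table.
SCHOOL_POLICY = KioskPolicy(mode="multiple", multi_user_login=True,
                            admin_exit_groups=frozenset({"ITStaff"}))
SCHOOL_CONFIGS = (
    KioskConfiguration("KioskAll", frozenset({"edu.example.view", "edu.example.update"})),
    KioskConfiguration("KioskTeachers",
                       frozenset({"edu.example.send2parents", "edu.example.send2teachers"}),
                       frozenset({"Teachers"})),
    KioskConfiguration("KioskTutors", frozenset({"edu.example.send2teachers"}),
                       frozenset({"Tutors"})),
)


def school_example() -> Dict[str, List[str]]:
    """Resolve the launcher contents for one constructed user of each group."""
    users = {"alice": ["Teachers"], "bob": ["Tutors"], "carol": ["Students"],
             "dave": ["Teachers", "ITStaff"]}
    return {u: visible_apps(SCHOOL_POLICY, SCHOOL_CONFIGS, g) for u, g in users.items()}


if __name__ == "__main__":
    for user, apps in school_example().items():
        print(f"{user}: {apps}")
    print("dave may exit kiosk:", can_exit_kiosk(SCHOOL_POLICY, ["Teachers", "ITStaff"]))
```

Run it directly to print the launcher contents for each sample user. The single-app branch raises rather than silently filtering, mirroring the note above that a kiosk configuration must not be assigned to a single-app device, and exit permission is derived from the policy's administrative-access groups, not from the configurations.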

Device details
The Device Details pane in the Admin Portal displays the following information about kiosk mode:
- whether kiosk mode has been enabled
- the device user currently logged in on the device


Deployment notes
Kiosk mode is a viewing filter only
- Kiosk mode is NOT an app-blocking feature. It only restricts which apps are shown in, and can be launched from, the kiosk launcher; an installed app that is not listed is hidden, not blocked.
- Apps must be installed on the device for them to launch from the kiosk. Distribute apps with the silent install option enabled; this eases the deployment process.
Configuring which apps to run
- Single App mode uses the Android kiosk policy.
- Multiple Apps mode uses kiosk configurations.
- Apps defined in kiosk configurations with no LDAP groups defined apply to ALL kiosk users.
- The union of all kiosk configurations applicable for a kiosk user determines the list of apps to display.
If the device loses its connection to the VSP, then kiosk mode cannot be disabled, from the Admin Portal or from the device. You must do a factory reset.

Appendix 7: The User Portal: MyPhone@Work

What is MyPhone@Work?
MyPhone@Work is a self-service web application that enables MobileIron users to participate in the management of their devices. Registered users can do tasks like:
- Track their activity
- Manage contact information
- Set privacy options
- Remotely lock a phone
Note: Feature availability varies by operating system.

Supported browsers
The following internet browsers are supported:
- Firefox 14
- Internet Explorer 8
- Safari 4.0

Browser Settings
Your browser needs to be configured to display mixed content to ensure full access to all tabs in MyPhone@Work. Allowing mixed content lets the browser load plain-HTTP resources into the HTTPS portal page, so where the browser offers a per-site choice, enable it for the portal site only rather than as a global setting.

Adobe Flash Player
Adobe Flash Player 10 is required for display of some MyPhone@Work graphics.

Supported platforms
The following table lists the platforms supported for MyPhone@Work and its features.

MyPhone@Work feature | Android | iOS | Win 7 | WP8
Register | yes | yes | yes
Lock | yes | yes
Wipe | yes | yes | yes
Find It | yes
Communications History (Voice / SMS / Data Usage, SMS Log/Search) |
App Management |


Getting started
MyPhone@Work gives device users the ability to perform basic tasks without administrative intervention.

Logging in
Users who did not self-register will need the MobileIron administrator to provide the URL to the MobileIron Server, as well as the user ID and password for their account. As with the Admin Portal, the user ID and password are case sensitive.
The URL for accessing MyPhone@Work is:
https://<MobileIron_server>
To log in:
1. Enter the user ID.
2. Enter the password.
3. Click Sign In.
The following page displays.
Note: The following tabs will be disabled if you have default settings applied:
- Contacts
- Calls & Texts
- Activity
To enable these tabs, click Settings and enable the displayed options. Note that it may take some time for the data associated with these tabs to display.

Registering phones
If you have been assigned the MyPhone@Work Registration role, then you can register your own phones without help from your MobileIron administrator.
To register a phone from MyPhone@Work:
1. Click the Add a Phone link.
2. Use the following guidelines to complete the form.

Item: Description

My device has no phone number: Select this option if your device has no phone number. MobileIron will handle this device as a WiFi-only device.

Country: Select the home country for this device. The country you select determines the content of the Country Code field. This option is available only if you have a cellular device; it is grayed out if you selected My device has no phone number.

Mobile: Enter the prefix and number, if any, for this device. Enter numbers only, with no leading zeros or spaces. The Country Code is filled in automatically based on your selection from the Country list.

Operator: Select the name of the mobile service provider for this phone.
Why: The name of the operator is required for proper transmission of SMS messages.

Platform: Select the name of the operating system used on this phone. If you do not see the platform you want, it may be disabled for registration.
Why: The operating system specified determines which MobileIron Client will be downloaded to the phone.

Device Language: Select a language from the dropdown list. Your administrator must enable supported languages to enable this feature. Note that, if the device reports a locale associated with a different language, then the language associated with the locale will be used.

I own this device: Select this option if this phone is your property, and not provided by your company. Note that MobileIron automatically assigns default labels based on ownership. See Using labels to establish groups on page 130 for information on labels.
Why: Administrators may want to assign different policies to phones based on ownership. Because the device user sets this option, the resulting ownership labels are user-asserted; administrators should treat them accordingly when basing security policies on them.

3. Click Register.

Searching
You can search MyPhone@Work for specific content. Select one of the following content types from the dropdown list in the upper right corner:
- Calls & Texts
- Contacts
- Applications
Enter the text to search for in the field to the right and click the icon.

Logging out
Click Log Out in the upper right corner to end your MyPhone@Work session.

Home
The Home page gives you an initial snapshot of your phone and your usage.

Communication Graph
The Communication Graph gives you a graphic snapshot of your communications. Matched contacts are identified by name in the node labels. Non-contacts are identified by number.
The lengths of the lines joining the nodes indicate the relative rank of the corresponding contacts. In other words, those contacts you communicate with more frequently are displayed with shorter lines. Click the arrow under the Communication Graph title bar to display the underlying data for the graph.

Click a node in the graph to show the data for your interactions with just the corresponding phone.

Turning nodes into contacts
For non-contacts, an Add Contact button displays with the data. Click the Add Contact button to add the selected node as a contact.

My Usage
The My Usage section in the Home page provides a quick snapshot of your usage, updated daily.
Click the My Usage link to move to the Activity page.

Storage
The Storage section provides a rough chart of internal and removable storage currently available on the phone.

Lost Phone
The Lost Phone section enables you to act in the event that your phone is lost or stolen. Select from the following options:
- Find It
- Lock It
- Wipe It
Note: Your administrator must give you the required roles for access to these buttons.

Finding the last known location
1. Click Find It to display a map with the last known location of the phone. This feature is available only if you have been assigned the MyPhone@Work Locate role.
2. If the last known location may be out of date, click the Update Location button to remotely enable GPS and obtain a lat/long reading.
3. Click OK to continue, despite the possibility that contacting the phone might take some time.
A Cancel button is available in case the process takes longer than expected.

Locking your phone
You can remotely enable the locking mechanism for your phone. Just click Lock It. This feature is available only if you have been assigned the MyPhone@Work Locate role.

Wipe It
Click Wipe It to return your phone to factory defaults. This feature is available only if you have been assigned the MyPhone@Work Wipe role. A wipe cannot be undone once the phone receives the command, so administrators should grant the Wipe role deliberately.

Restoring your phone
You can restore data to your phone using a backup snapshot created by MobileIron:
1. Select Add a Phone.
2. Enter the registration information for the phone. See Registering phones on page 802. The following message displays.
3. Click Restore.
4. Select the device whose backup snapshots you want to select from.
5. Select the snapshot to use.
6. Select the resources to restore (i.e., User Files and/or Storage Card).
7. Click Apply.

If you have more than one phone


If you have more than one phone registered with MobileIron, use the dropdown list
under the phone thumbnail to select the phone you want to work with. This feature is
available only if you have been assigned the MyPhone@Work Registration role.

My Apps
The My Apps section lists newly added apps available for your phone.

Click the My Apps link to display the Applications screen, or click the link for a displayed app to go directly to that page.


Contacts
Click the Contacts tab to display the list of contacts synchronized between your phone
and MyPhone@Work. If the Contacts tab is not enabled, then your MobileIron administrator did not enable contact synchronization. See Preferences on page 824.
Note: Contacts stored on the SIM card are not synchronized at this time.

Displaying contacts
Click a contact to display the information for that contact.


Searching contacts
To search your contact list, enter text in the Search Contacts field. You can search
your contacts list based on any name or number fields, such as First Name, Last
Name, Home Phone, and so on.

Adding contacts
To add a contact:
1. Click New Contact.

2. Enter information for this contact.
Note: The contact name is limited to 32 characters. If you enter more than 32 characters, the contact name will be shortened to the first 32 characters when you save your changes.
3. Click Save.
The next time your phone connects to MobileIron, this new contact will be added to the list of contacts on your phone.

Editing contacts
To edit a contact:
1. Select the contact from the list in the Contacts page.
2. Click Edit.
3. Make the necessary changes.
4. Click Save.
Your changes will be copied to your phone the next time it connects to MobileIron.
Your changes will be copied to your phone the next time it connects to MobileIron.

Deleting contacts
To delete a contact:
1. Select the contact from the list in the Contacts page.
2. Click Delete.

Calls & Texts
Click the Calls & Texts tab to view your phone activity.
Click the heading for any column to sort the displayed list based on that column. Displayed contact names are links to the information for the corresponding contacts. If you click an unknown contact, you are invited to add the contact to your address book.

Showing/Hiding content
By default, the content of texts is hidden for privacy purposes. You can display the content by clearing the Hide Text Content checkbox.

Filtering calls and text
You can filter calls and text messages by several criteria:
- Keywords
- Calls versus texts
- Call types
- Date range

Using keywords
Enter text in the Keywords field to restrict the display to those entries containing the specified text. For texts, the keywords will be matched against the content as well as the contact information.

Displaying calls and/or texts
Select Calls, Texts, or both to specify which to include in the display. If you select Calls, all calls are included by default. Select Missed or Dropped to include only these call types.
Note: Specifying Missed or Dropped excludes Texts from the filter criteria.

Restricting the display to a date range
To focus on calls and/or texts in a given date range, click in the From and To fields and select the dates from the displayed calendars.

Activity
The Activity page displays your statistics for calls, SMS, and data, and compares them to the average calculated for your MobileIron implementation.

Filtering activity
To filter the displayed activity:
1. Select Call, SMS, or Data from the Select Activity list.
2. Click the From field to select a start date.
3. Click the To field to select an end date.
4. Select the Refresh link.

Displaying underlying data
To display the activity reflected in the Summary chart, click the View Log link.

Apps
Click the My Apps icon to display the Applications page.

Browsing apps
The Applications page lists the applications recommended by your organization. The
MobileIron administrator can group these applications into custom categories. Click a
category to browse the applications available for download.
To determine which applications are currently installed on your phone, click Apps On
My Phone.


Installing apps
You can install apps that are displayed in the My Apps page. To install an app:
1. Click the icon for the app.
2. Click Get App.
3. Click OK to confirm that you want to install the selected app.
The status of the app changes to Pending, indicating that it has been scheduled for installation on your phone.

Uninstalling apps
To uninstall apps that are currently installed on your phone:
1. Click Apps On My Phone.
2. Select the app from the displayed list.
3. Click Delete App.
The app will be removed the next time the device connects to the server.

Preferences
Use the Preferences page to change customizable settings.
Note: iOS users will see a subset of these options.

Privacy settings
Use the following guidelines for your privacy settings:

Setting: Description

Sync contacts: Specify whether you want to copy contact information between your phone and MyPhone@Work. If you choose not to synchronize contacts, then the Contacts tab will be disabled. Note that contacts stored on your SIM card are not currently synchronized.

Sync text content: Specify whether to maintain a record of SMS text content on MyPhone@Work. Administrators do not have access to this content, regardless of your preference for this setting. However, note that choosing not to sync content does not prevent activity data (call, SMS, and data usage statistics) from being synced.

Account settings
Change Password
To change your MobileIron password, click the Change Password link. This option does not apply to users whose accounts are managed through LDAP.

Certificate
To upload a personal certificate:
1. Click Upload Certificate.
2. Click Browse to select the certificate.
3. Enter the password for the certificate.
4. Confirm the password.
5. Click Upload Certificate.

Appendix 8: Physical Appliance Hardware Specification

MobileIron Standard Appliance (M2100)
The MobileIron appliance is a tightly integrated hardware, OS, application, and database solution that is built, optimized, and certified by MobileIron. This section provides the specs for the next-generation appliance. If you received an earlier appliance, see First-Generation Appliance on page 829.

System
Processor: 2.53 GHz quad-core Xeon CPU
Memory: 16 GB
Drives: 2x 250 GB enterprise hard disk drives (RAID 1); 1x DVD drive

Chassis
Form Factor: 19-inch 1U rackmount
Dimensions (D x H x W): 15.75 x 1.7 x 16.8 in (400 mm x 43 mm x 426 mm)
Weight: 17 lbs (7.7 kg)

Front Panel
Buttons: Power On/Off
LEDs: Power LED; System Overheat LED
USB: 2x USB ports
Serial: 1x serial console (RJ45)

Back Panel
IPMI: Intelligent Platform Management Interface (IPMI) 2.0 with virtual media over LAN and KVM-over-LAN support; 1x 10/100BASE-T (RJ45). This port gives out-of-band console, virtual-media and power control over the appliance; connect it only to an isolated management network.
Ethernet: 2x 10/100/1000BASE-T (RJ45)
VGA: 1x VGA (DB15)
PS/2: 2x PS/2 keyboard and mouse ports
USB: 2x USB ports
Serial: 1x serial port (DB9)

Power Supply
Power: 200 W maximum
Voltage: 100-240 V, 50-60 Hz, 4-2 A max
Connector: IEC 60320-C13

Operating Environment
Operating: Temperature 50 to 95 °F (10 to 35 °C); relative humidity 8% to 90% (non-condensing)
Non-Operating: Temperature -40 to 158 °F (-40 to 70 °C); relative humidity 5% to 95% (non-condensing)
Heat Output: 682 BTU/hr (3.412 BTU/hr/W * 200 W)

MobileIron M2500 Series Appliance
The M2500 Series large-scale deployment appliance provides the tightly integrated solution of the standard appliance, with the resources necessary for larger deployments.

Form Factor: 1U rackmount chassis, 27.75" depth
Processors: 2 x Intel Xeon E5-2670, 2600 MHz, 8 cores/16 threads, 20 MB cache (16 cores total)
Memory: 64 GB, 1600 MHz
USB: 2 x front, 3 x back
LAN: Quad Intel I350 GbE connections
Storage: 4 x 600 GB SAS 3 Gb/s, RAID 10; 1 SATA DVD-ROM
Drive Bays: 4 x 3.5" hot-swap drive bays + one optical drive
VGA: Integrated 2D video controller, 16 MB DDR3 memory
Expansion Slots: 2 x PCI-E Gen3 x16 FHHL via two risers (1 each)
Power: 1+1 redundant 750 W power supply, Platinum-level efficiency
Management: Integrated Baseboard Management Controller, IPMI 2.0 compliant; full RMM4 (key and NIC); support for Intel Server Management Software
Cooling: Six dual-rotor managed system fans; one power supply fan for each installed power supply module

First-Generation Appliance
This section provides the specs for first-generation appliances, which were distributed prior to mid-March, 2011.

General
Enclosure: 19-inch 1U rack mountable
Dimensions: 14" L x 1" H x 19" W
Power: 330 W maximum
Heat Output: 1126 BTU/hr (3.412 BTU/hr/W * 330 W)
Memory: 16 GB
Processor: 2.4 GHz single CPU
Disks: 2 mirrored hard disks (250 GB)
Serial Port: 1 RJ45 form factor serial port in the front
Ethernet Ports: 4 Gigabit

Port settings
Bits per second: 9600
Data bits:
Parity: None
Stop bits:
Flow Control: None

Console Port Signaling and Cabling Using a DB-9 Adapter

Console Port (DTE) | RJ-45-to-RJ-45 Roll-Over Cable | RJ-45-to-DB-9 Terminal Adapter | Console Device
Signal | RJ-45 Pin | RJ-45 Pin | DB-9 Pin | Signal
RTS | | | | CTS
DTR | | | | DSR
TxD | | | | RxD
GND | | | | GND
GND | | | | GND
RxD | | | | TxD
DSR | | | | DTR
CTS | 8 | 1 | | RTS

Appendix 9: Configuring Outbound HTTP Proxy for Gateway Transactions / System Updates
You can configure an outbound HTTP proxy for the MobileIron VSP. This proxy is intended primarily for organizations that require an HTTP proxy for communications with the MobileIron Gateway. To configure the proxy:
1. In Admin Portal, select Settings > Preferences.
2. Scroll down to Outbound HTTP Proxy for Gateway Transactions and System Updates.
3. Use the following guidelines to complete the fields in this section:

Field: Description
HTTP Proxy URL: Enter the URL for the outbound HTTP proxy.
HTTP Proxy Auth Name: Enter the authentication name for the HTTP proxy.
HTTP Proxy Auth Password: Enter the authentication password for the HTTP proxy.
HTTP Client Connect Timeout: Specify the amount of time to wait for the connection setup to complete.
HTTP Client Socket Timeout: Specify the amount of time to wait for a response from the proxy server.

4. Click Save.
At this point, the settings are saved, but not applied.
5. To apply these changes, you need to restart the Tomcat server for the MobileIron VSP. Enter the following commands using the CLI:
enable
service tomcat stop
service tomcat start
Restarting Tomcat takes the VSP's web services offline until it comes back up, so do this in a maintenance window.

What the HTTP outbound proxy does not apply to
The HTTP outbound proxy does not apply to the following areas:
- APNS for MDM or the MobileIron Client
- MobileIron Sentry
- BES integration
- SCEP-to-CA connections